#### Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow

Jo Van Bulck

imec-DistriNet, KU Leuven · jo.vanbulck@cs.kuleuven.be · jovanbulck

ISSE Brussels, November 6, 2018

Secure program: convert all input to expected output



Buffer overflow vulnerabilities: trigger unexpected behavior



Safe languages & formal verification: preserve *expected behavior* 



Side-channels: observe side-effects of the computation







#### Evolution of "side-channel attack" occurrences in Google Scholar



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

# Cache principle: CPU speed $\gg$ DRAM latency $\rightarrow$ cache code/data



#### CPU cache timing side-channel



Cache miss: Request data from (slow) DRAM upon first use
















## A primer on software security (revisited)

- Side-channels: observe *side-effects* of the computation
- **Constant-time code:** eliminate *secret-dependent* side-effects
- Transient execution: HW optimizations do not respect SW abstractions (!)
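The constant-time bullet above, as an added example (not code from the talk): an early-exit byte compare whose loop count depends on where the secret first differs from the guess, beside a branch-free compare that always does the same work. The secret and guesses are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* `steps` counts loop iterations, standing in for what a timing side-channel observes. */

/* Early-exit compare: control flow depends on the first mismatching byte. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;   /* secret-dependent early return: an observable side-effect */
    }
    return 1;
}

/* Constant-time compare: touches every byte, no secret-dependent branch. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    unsigned diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned)(secret[i] ^ guess[i]);   /* accumulate, never branch */
    }
    /* Branch-free fold to 0/1: (diff - 1) >> 8 has bit 0 set iff diff == 0 (diff fits in 8 bits). */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Constructed sample: 4-byte secret, guesses differing at byte 0 and at byte 3. */
static const uint8_t SECRET[4]      = { 0x10, 0x20, 0x30, 0x40 };
static const uint8_t GUESS_EARLY[4] = { 0x11, 0x20, 0x30, 0x40 };
static const uint8_t GUESS_LATE[4]  = { 0x10, 0x20, 0x30, 0x41 };

/* Iterations the leaky (ct == 0) or constant-time (ct != 0) compare performs for a guess. */
size_t steps_for(const uint8_t *guess, int ct)
{
    size_t steps;
    if (ct) ct_compare(SECRET, guess, 4, &steps);
    else    leaky_compare(SECRET, guess, 4, &steps);
    return steps;
}

int equal_for(const uint8_t *guess, int ct)
{
    size_t steps;
    return ct ? ct_compare(SECRET, guess, 4, &steps) : leaky_compare(SECRET, guess, 4, &steps);
}
```

The transient-execution bullet is the catch: ct_compare only keeps its secret for as long as the hardware executes what the program says.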



# WHAT IF I TOLD YOU

# **YOU CAN CHANGE RULES MID-GAME**

## Out-of-order and speculative execution

#### Key discrepancy:

- Programmers write sequential instructions
- Modern CPUs are inherently parallel

$\Rightarrow$ Speculatively execute instructions ahead of time

```
int area(int h, int w)
{
    int triangle = (w*h)/2;   /* may be slow or fail; the CPU does not wait for it */
    int square = (w*w);       /* independent of triangle: executed ahead of time */
    return triangle + square; /* results are committed in program order */
}
```

Best-effort: What if triangle fails?

- $\rightarrow$ Commit in-order, roll-back square
- ... But side-channels may leave traces (!)

## Transient execution attacks: Welcome to the world of fun!

CPU executes ahead of time in transient world

- Success $\rightarrow$ *commit* results to normal world ☺
- Fail $\rightarrow$ discard results, compute again in normal world ☹

Transient world (microarchitecture) may temporarily bypass architectural software intentions:

- Delayed permission checks
- Mispredicted control flow

Key finding of 2018 $\Rightarrow$ transmit secrets from transient to normal world










#### Unauthorized access

Listing 1: x86 assembly.

```
meltdown:
    // %rdi: oracle
    // %rsi: secret_ptr

    movb (%rsi), %al          // 5: unauthorized read of the secret byte
    shl  $0xc, %rax           // 6: scale by 0x1000 (one page per value) to index the oracle array
    movq (%rdi, %rax), %rdi   // 7: secret-dependent load into the oracle array
    retq
```

Listing 2: C code.

```
void meltdown(uint8_t *oracle, uint8_t *secret_ptr)
{
    uint8_t v = *secret_ptr;   /* 5: unauthorized access */
    v = v * 0x1000;            /* 6: one page per secret value */
    uint64_t o = oracle[v];    /* 7: leaves a cache-line trace in the oracle array */
}
```

Slide build, step by step:

- **Unauthorized access** (line 5): the load from *secret_ptr* is not permitted architecturally.
- **Transient out-of-order window**: the permission check is delayed, so lines 6–7 execute ahead of time and touch one line of the oracle array.
- **Exception** (discard architectural state): the fault is only raised when line 5 retires; the transient results are rolled back.
- **Exception handler**: the cache hit in the oracle array survives the roll-back and reveals the secret value.

## Mitigating Meltdown: Unmap kernel addresses from user space





- OS software fix for faulty hardware ( $\leftrightarrow$  future CPUs)
- Unmap kernel from user virtual address space
- $\rightarrow$  Unauthorized physical addresses out-of-reach (~cookie jar)






## Rumors: Meltdown immunity for SGX enclaves?

"Meltdown melted down everything, except for one thing ... [enclaves] remain protected and completely secure"

— International Business Times, February 2018

"Anjuna's secure-runtime can protect critical applications against the Meltdown attack using enclaves ... [enclave memory accesses] redirected to an abort page, which has no value"

— Anjuna Security, Inc., March 2018

Then, August 2018:

"Spectre-like flaw undermines Intel processors' most secure element"

— Lily Hay Newman, Wired, 14 August 2018

"I'm sure this won't be the last such problem — Intel's SGX blown wide open by, you guessed it, a speculative execution attack. Speculative execution attacks truly are the gift that keeps on giving."

— Ars Technica

https://wired.com and https://arstechnica.com

#### Building Foreshadow

1. Cache secrets in L1
2. Unmap page table entry
3. Execute Meltdown

Foreshadow can read unmapped physical addresses from the cache (!)

## Foreshadow: Breaking the virtual memory abstraction

Arbitrary L1 cache read $\rightarrow$ bypass OS/hypervisor/enclave protection







## Mitigating Foreshadow/L1TF: Hardware-software cooperation

- Future CPUs (silicon-based changes): https://newsroom.intel.com/editorials/advancing-security-silicon-level/
- OS kernel updates (sanitize page frame bits): https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
- $\Rightarrow$ Flush L1 cache on enclave/VMM exit + disable HyperThreading: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

```
jo@gropius:~$ uname -svp
Linux #41~16.04.1-Ubuntu SMP Wed Oct 10 20:16:04 UTC 2018 x86_64

jo@gropius:~$ cat /proc/cpuinfo | grep "model name" -m1
model name : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz

jo@gropius:~$ cat /proc/cpuinfo | egrep "meltdown|l1tf" -m1
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf

jo@gropius:~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown | grep "Mitigation"
Mitigation: PTI

jo@gropius:~$ cat /sys/devices/system/cpu/vulnerabilities/l1tf | grep "Mitigation"
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

jo@gropius:~$
```
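A small checker for the sysfs status lines shown in the session above, as an added example (not part of the talk): it classifies each `/sys/devices/system/cpu/vulnerabilities/<bug>` line and flags the "SMT vulnerable" state that the slide's "disable HyperThreading" advice addresses. When the files cannot be read it falls back to the two lines copied from the session, which are embedded as constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Status as reported by one line of /sys/devices/system/cpu/vulnerabilities/<bug>. */
enum vuln_state { VULN_NOT_AFFECTED, VULN_MITIGATED, VULN_VULNERABLE, VULN_UNKNOWN };

struct vuln_status {
    enum vuln_state state;
    int smt_vulnerable;   /* l1tf: a mitigation is active, but HyperThreading still exposes the L1 */
};

struct vuln_status classify_vuln_line(const char *line)
{
    struct vuln_status s = { VULN_UNKNOWN, 0 };
    if (strncmp(line, "Not affected", 12) == 0)      s.state = VULN_NOT_AFFECTED;
    else if (strncmp(line, "Mitigation:", 11) == 0)  s.state = VULN_MITIGATED;
    else if (strncmp(line, "Vulnerable", 10) == 0)   s.state = VULN_VULNERABLE;
    if (strstr(line, "SMT vulnerable") != NULL)
        s.smt_vulnerable = 1;
    return s;
}

/* Reads the live sysfs file into buf; returns 0 if it cannot be read (non-Linux, old kernel). */
int read_vuln_file(const char *bug, char *buf, size_t len)
{
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", bug);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (!ok) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* Constructed samples: the two lines from the terminal session on this slide. */
static const char SAMPLE_MELTDOWN[] = "Mitigation: PTI";
static const char SAMPLE_L1TF[] = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable";

int main(void)
{
    char buf[256];
    const char *bugs[] = { "meltdown", "l1tf" };
    const char *samples[] = { SAMPLE_MELTDOWN, SAMPLE_L1TF };
    for (int i = 0; i < 2; i++) {
        const char *line = read_vuln_file(bugs[i], buf, sizeof buf) ? buf : samples[i];
        struct vuln_status s = classify_vuln_line(line);
        printf("%-9s %s%s\n", bugs[i], line,
               s.smt_vulnerable ? "   <-- SMT still exposes L1: disable HyperThreading" : "");
    }
    return 0;
}
```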




## Spectre v1: Speculative buffer over-read

- Programmer *intention:* never access out-of-bounds memory
- Branch can be mistrained to speculatively (i.e., ahead of time) execute with *idx* ≥ *LEN* in the transient world
- Side-channels leak out-of-bounds secrets to the real world

## Mitigating Spectre v1: Inserting speculation barriers

- Programmer *intention:* never access out-of-bounds memory
- Insert speculation barrier to tell the CPU to halt the transient world until *idx* has been evaluated ↔ performance ☹
- Huge error-prone **manual effort**, no reliable automated compiler approaches yet...
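An added example, not code from the talk or from the kernel tree: the bounds-checked read of the Spectre v1 slides in its vulnerable form, beside the speculation barrier just described (assumed here to be the x86 `lfence` instruction) and the branch-free index masking that the Linux kernel's `array_index_nospec()` applies (reimplemented here, not the kernel's code). The array contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define LEN 16
/* Constructed public buffer; in the attack scenario, secrets lie in memory past its end. */
static const uint8_t array[LEN] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Vulnerable form from the slides: the branch protects the access architecturally only.
 * If the predictor is trained to take it, array[idx] with idx >= LEN runs transiently. */
uint8_t read_vulnerable(size_t idx)
{
    if (idx < LEN)
        return array[idx];
    return 0;
}

/* Mitigation 1: speculation barrier right after the check (x86 lfence assumed; costs performance). */
uint8_t read_with_barrier(size_t idx)
{
    if (idx < LEN) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("lfence" ::: "memory");   /* transient world halts until idx is resolved */
#endif
        return array[idx];
    }
    return 0;
}

/* Mitigation 2: branch-free index masking. Returns all ones when idx < size and zero
 * otherwise, so there is no branch for the predictor to get wrong. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    /* For size > 0, (idx | (size - 1 - idx)) has its top bit set iff idx >= size:
     * either idx itself is huge, or size - 1 - idx wraps around. */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1;   /* 0 - 1 wraps to all ones (keep idx); 1 - 1 == 0 (clamp idx to 0) */
}

size_t clamped_index(size_t idx)
{
    return idx & index_mask_nospec(idx, LEN);
}

uint8_t read_masked(size_t idx)
{
    if (idx < LEN)
        return array[clamped_index(idx)];   /* even a mispredicted branch reads array[0] at worst */
    return 0;
}
```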



## index : kernel/git/torvalds/linux.git

Linux kernel source tree, `master` branch, log search for "Spectre v1" (screenshot at the time of the talk):

| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
| 3 days | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net | Linus Torvalds | 56 | -274/+793 |
| 4 days | vhost: Fix Spectre V1 vulnerability | Jason Wang | 1 | -0/+2 |
| 2018-10-19 | Merge tag 'usb-4.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/g... | Greg Kroah-Hartman | 7 | -27/+65 |
| 2018-10-19 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net | Greg Kroah-Hartman | 57 | -187/+253 |
| 2018-10-19 | Merge tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma | Greg Kroah-Hartman | 2 | -0/+6 |
| 2018-10-17 | ptp: fix Spectre v1 vulnerability | Gustavo A. R. Silva | 1 | -0/+4 |
| 2018-10-17 | usb: gadget: storage: Fix Spectre v1 vulnerability | Gustavo A. R. Silva | 1 | -0/+3 |
| 2018-10-16 | RDMA/ucma: Fix Spectre v1 vulnerability | Gustavo A. R. Silva | 1 | -0/+3 |
| 2018-10-16 | IB/ucm: Fix Spectre v1 vulnerability | Gustavo A. R. Silva | 1 | -0/+3 |
| 2018-09-25 | Merge tag 'tty-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gre... | Greg Kroah-Hartman | 6 | -7/+30 |
| 2018-09-18 | tty: vt_ioctl: fix potential Spectre v1 | Gustavo A. R. Silva | 1 | -0/+4 |
| 2018-09-14 | Merge tag 'char-misc-4.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/g... | Linus Torvalds | 10 | -34/+73 |
| 2018-09-12 | Merge tag 'pci-v4.19-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/gi... | Linus Torvalds | 8 | -25/+41 |
| 2018-09-12 | misc: hmc6352: fix potential Spectre v1 | Gustavo A. R. Silva | 1 | -0/+2 |
| 2018-09-11 | switchtec: Fix Spectre v1 vulnerability | Gustavo A. R. Silva | 1 | -0/+4 |
| 2018-08-29 | Merge tag 'hwmon-for-linus-v4.19-rc2' of git://git.kernel.org/pub/scm/linux/k... | Linus Torvalds | 5 | -12/+32 |
| 2018-08-26 | hwmon: (nct6775) Fix potential Spectre v1 | Gustavo A. R. Silva | 1 | -0/+2 |
| 2018-08-17 | Merge tag 'drm-next-2018-08-17' of git://anongit.freedesktop.org/drm/drm | Linus Torvalds | 44 | -156/+346 |

## Conclusions and take-away

https://foreshadowattack.eu/

Hardware + software patches

**Update** your systems! (+ disable HyperThreading)

- $\Rightarrow$ New class of **transient execution** attacks
- $\Rightarrow$ Security cross-cuts the system stack: hardware, hypervisor, kernel, compiler, application
- $\Rightarrow$ Importance of fundamental side-channel research



### References I

- P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre attacks: Exploiting speculative execution. In Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P'19), 2019.
- M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18), 2018.
- J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, August 2018.
- J. Van Bulck, F. Piessens, and R. Strackx. Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS'18). ACM, October 2018.
- O. Weisse, J. Van Bulck, M. Minkin, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, R. Strackx, T. F. Wenisch, and Y. Yarom. Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution. Technical Report, https://foreshadowattack.eu/, 2018.
- Y. Yarom and K. Falkner. Flush+Reload: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the 23rd USENIX Security Symposium, pp. 719–732. USENIX Association, 2014.

Appendix: Intel SGX promise: Hardware-level isolation and attestation




## Appendix: Challenge #1: Intel SGX abort page semantics

### Untrusted world view

- Enclaved memory reads 0xFF
- Meltdown "bounces back" ($\sim$ mirror)

### Intra-enclave view

- Access enclaved + unprotected memory
- SGXpectre in-enclave code abuse