## Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

Jo Van Bulck

Public PhD defense, September 14, 2020

imec-DistriNet, KU Leuven

jo.vanbulck@cs.kuleuven.be












Bitdefender cyberthreat real-time map: https://threatmap.bitdefender.com/

#### What do corona and computer viruses have in common?

1. No vaccine: adapt to a new reality...
2. Need for physical distancing → software isolation
3. Need for testing → software attestation



#### A crash course on computer architecture



Frank Piessens, computer scientist at KU Leuven (Dutch TV news clip, "Fout computerchips Intel": flaw in Intel computer chips)

#### Processor security: Hardware isolation mechanisms



- Different software protection domains: applications, virtual machines, enclaves
- CPU builds "walls" for memory isolation between applications and privilege levels





https://informationisbeautiful.net/visualizations/million-lines-of-code/



#### Enclaved execution: Reducing the bubble



Traditional layered designs: large trusted computing base

Intel SGX promise: hardware-level isolation and attestation

#### Overview: Processor enclaves for self-quarantining

- ≈ Vault for sensitive code and data
- → Trusted "bubble" in untrusted world
- 2008-2014: Research prototypes (e.g., Sancus)
- 2015: Intel Software Guard Extensions (SGX)



News headlines, October 2015:

- "Intel alters design of 'Skylake' processors to enhance security" (Anton Shilov, October 3, 2015)
- "Intel to begin shipping Skylake CPUs with SGX enabled" (Ben Funk, October 5, 2015)





#### Evolution of "side-channel attack" research



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

#### Side-channel attacks and trusted computing (focus of this PhD)



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/





#### Enclave adversary model



Abuse privileged operating system powers → unexpected "bottom-up" attack vectors






















#### Case study: Comparing a secret password



Overall execution time reveals correctness of individual password bytes!
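The leak on this slide in code, as an added example that is not part of the thesis or of SGX-Step: `leaky_compare` returns at the first wrong byte, so its iteration count grows with the length of the correct prefix, while `ct_compare` visits every byte and OR-accumulates the differences. The `steps` counter is my stand-in for the number of single-step interrupts an SGX-Step style adversary would count; the secret and guesses are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit compare: the loop stops at the first mismatching byte, so the
 * number of iterations (execution time, instruction count) reveals how many
 * leading bytes of the guess are correct. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t len,
                  size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: every byte is visited and differences are
 * OR-accumulated, so the iteration count never depends on the secret. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t len,
               size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    return diff == 0;
}

int main(void)
{
    const uint8_t secret[] = "SECRET";                 /* constructed sample */
    const char *guesses[] = { "AAAAAA", "SEAAAA", "SECRAA", "SECRET" };
    size_t steps;

    for (size_t g = 0; g < 4; g++) {
        const uint8_t *guess = (const uint8_t *)guesses[g];
        int ok = leaky_compare(secret, guess, 6, &steps);
        printf("leaky: guess=%s ok=%d steps=%zu\n", guesses[g], ok, steps);
        ok = ct_compare(secret, guess, 6, &steps);
        printf("ct:    guess=%s ok=%d steps=%zu\n", guesses[g], ok, steps);
    }
    return 0;
}
```

For the leaky version the step count equals one plus the length of the matching prefix (capped at the full length), which is exactly the per-byte oracle the demo output further down exploits; the constant-time version always takes `len` steps. Note that `ct_compare` only fixes the byte-value leak: the demo also recovers the password length first, so the compared buffers must be of a fixed, public size (or the comparison must be done on fixed-length hashes) to close that channel as well.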

#### Building the side-channel oracle with execution timing?




#### Analogy: Studying galloping horse dynamics



https://en.wikipedia.org/wiki/Sallie_Gardner_at_a_Gallop

Eadweard Muybridge, "The Horse in Motion" (automatic electro-photograph, 1878): "Sallie Gardner", owned by Leland Stanford, running at a 1.40 gait over the Palo Alto track, 19 June 1878.







https://github.com/jovanbulck/sgx-step

#### Building a deterministic password oracle with SGX-Step

```
[idt.c] DTR.base=0xfffffe000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRQ handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10): p=1: dpl=3: type=14: ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000: LVTT=400ec: TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15: guess='******'
[attacker] found pwd len = 6
[main.c] recovering password bytes
[attacker] steps=35; guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0)
[file.c] writing buffer to '/dev/cpu/1/msr' (size=8)
[main.c] all done: counted 2260/2183 IRQs (AEP/IDT)
io@breuer:~/sgx-step-demo$
```

#### From architecture... to microarchitecture



#### Back to basics: Fetch decode execute CPU operation



#### Wait a cycle: Interrupt latency as a side channel



"Timing leaks everywhere" (meme)

#### Nemesis attack: Inferring key strokes from Sancus enclaves






#### Intel SGX microbenchmarks: Measuring x86 cache misses



#### Single-stepping Intel SGX enclaves in practice





(Plot, x-axis: instruction (interrupt number))


#### De-anonymizing SGX enclave lookups with interrupt latency

Adversary: Infer secret lookup in known sequence (e.g., DNA)
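The lookup being de-anonymized here, and the data-oblivious form a defender would want instead, as an added example in C (my code, not from the thesis): `lookup_direct` reads only `table[idx]`, so the address touched, and therefore the cache state and interrupt latency of that instruction, depends on the secret index; `lookup_oblivious` reads every entry and selects the wanted one with a branch-free mask, so the access pattern is identical for every `idx`. The `touched` counter and the nucleotide sequence are constructed for the example; the table length `n` is assumed to be public.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Secret-indexed lookup: only table[idx] is read, so which cache line or
 * page is touched, and how long that access takes, depends on the secret. */
uint8_t lookup_direct(const uint8_t *table, size_t n, size_t idx,
                      size_t *touched)
{
    (void)n;
    *touched = 1;
    return table[idx];
}

/* 0xFF when a == b, 0x00 otherwise, computed without a data-dependent branch:
 * x | -x has its top bit set exactly when x != 0. */
static uint8_t eq_mask(size_t a, size_t b)
{
    size_t x = a ^ b;                                           /* zero iff equal */
    size_t nz = (x | (0 - x)) >> (sizeof(size_t) * CHAR_BIT - 1); /* 1 iff x != 0 */
    return (uint8_t)(0 - (uint8_t)(1 ^ nz));
}

/* Data-oblivious lookup: every entry is read and the wanted one is selected
 * by masking, so the memory-access pattern is the same for every idx. */
uint8_t lookup_oblivious(const uint8_t *table, size_t n, size_t idx,
                         size_t *touched)
{
    uint8_t result = 0;
    *touched = 0;
    for (size_t i = 0; i < n; i++) {
        (*touched)++;
        result |= table[i] & eq_mask(i, idx);
    }
    return result;
}

int main(void)
{
    const uint8_t seq[] = "ACGTACGGTTCA";   /* constructed "known sequence" */
    size_t n = 12, touched;

    for (size_t idx = 0; idx < n; idx += 5) {
        uint8_t d = lookup_direct(seq, n, idx, &touched);
        printf("direct:    idx=%zu -> '%c', entries touched=%zu\n", idx, d, touched);
        uint8_t o = lookup_oblivious(seq, n, idx, &touched);
        printf("oblivious: idx=%zu -> '%c', entries touched=%zu\n", idx, o, touched);
    }
    return 0;
}
```

Two practical caveats: the oblivious version costs a full scan per lookup, which is acceptable for small tables such as a nucleotide alphabet or an S-box but not for large ones, and a compiler is free to turn the mask arithmetic back into a branch, so the generated assembly of such code should be inspected before relying on it inside an enclave.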



#### Thesis outline: Privileged side-channel attacks



#### Thesis outline: Transient-execution attacks



"What if I told you... you can change rules mid-game" (meme)

#### Out-of-order and speculative execution



#### Key discrepancy:

- → Programmers write sequential instructions
- ↔ Modern CPUs are inherently parallel
- ⇒ Execute instructions ahead of time

```
int area(int h, int w)
{
    int triangle = (w*h)/2;
    int square = (w*w);
    return triangle + square;
}
```

Best effort: What if triangle fails?

→ Commit in-order, roll back square



#### Transient-execution attacks: Welcome to the world of fun!



#### The transient-execution zoo

https://transient.fail














#### Unauthorized access → transient out-of-order window → exception handler

Listing 1: x86 assembly.

```
meltdown:
    // %rdi: oracle
    // %rsi: secret_ptr

    movb (%rsi), %al
    shl  $0xc, %rax
    movq (%rdi, %rax), %rdi
    retq
```

Listing 2: C code.

```
void meltdown(uint8_t *oracle, uint8_t *secret_ptr)
{
    uint8_t v = *secret_ptr;
    v = v * 0x1000;
    uint64_t o = oracle[v];
}
```

- Unauthorized access: the load from `secret_ptr` is not permitted.
- Transient out-of-order window: the shift and the load from the oracle array execute ahead of time, indexed by the secret.
- Exception (discard architectural state).
- Exception handler: a cache hit in the oracle array reveals the secret.








#### Rumors: Meltdown immunity for SGX enclaves?

"Meltdown melted down everything, except for one thing" / "[enclaves] remain protected and completely secure" (International Business Times, February 2018)

"Anjuna's secure-runtime can protect critical applications against the Meltdown attack using enclaves" / "[enclave memory accesses] redirected to an abort page, which has no value" (Anjuna Security, Inc., March 2018)

#### Rumors: Meltdown immunity for SGX enclaves?

"Spectre-like flaw undermines Intel processors' most secure element" (Lily Hay Newman, Wired, August 14, 2018)

"I'm sure this won't be the last such problem: Intel's SGX blown wide open by, you guessed it, a speculative execution attack. Speculative execution attacks truly are the gift that keeps on giving." (Ars Technica)

https://wired.com and https://arstechnica.com





#### Building Foreshadow: Evade SGX abort page semantics



#### Foreshadow-SGX: Breaking enclave isolation



#### Foreshadow-NG: Breaking virtual machine isolation





#### Mitigating Foreshadow: Flush CPU microarchitecture

| Register address | Register name | Bit | Description | Comment |
|---|---|---|---|---|
| 10BH (267) | IA32_FLUSH_CMD | | Flush Command (WO). Gives software a way to invalidate structures with finer granularity than other architectural methods. | If any one of the enumeration conditions for defined bit field positions holds. |
| | | 0 | L1D_FLUSH: Writeback and invalidate the L1 data cache. | If CPUID.(EAX=07H,ECX=0):EDX[28]=1 |
| | | 63:1 | Reserved | |












#### Idea: Can we turn Foreshadow around?



#### Outside view

- Meltdown: out-of-reach
- Foreshadow: cache emptied



#### Intra-enclave view

- Access enclave + outside memory
- → Abuse in-enclave code gadgets!

#### Reviving Foreshadow with Load Value Injection (LVI)




#### Mitigating LVI: Fencing vulnerable load instructions



#### Intel architectural enclaves: lfence counts

libsgx_qe.signed.so

- October 2019, "surgical precision": 23 fences
- March 2020, "big hammer"



Phoronix coverage (Michael Larabel):

- "GNU Assembler Adds New Options For Mitigating **Load Value Injection** Attack" (11 March 2020)
- "The **Brutal Performance Impact** From Mitigating The LVI Vulnerability" (12 March 2020)
- "LLVM Lands **Performance-Hitting Mitigation** For Intel LVI Vulnerability" (3 April 2020)
- "Looking At The **LVI Mitigation Impact** On Intel Cascade Lake Refresh" (5 April 2020)

- ⇒ **Trusted execution** environments (Intel SGX) ≠ perfect(!)
- ⇒ Importance of fundamental side-channel research; no silver-bullet defenses
- ⇒ Security **cross-cuts** the system stack: hardware, OS, compiler, application



