

# **Microarchitectural Inception**

#### Jo Van Bulck, Michael Schwarz, Daniel Gruss, Moritz Lipp

rC3 — Remote Chaos Experience, December 2020






... Oh, we already started. My name is JVB and I welcome you to our talk: Load Value Injection. Before we start there's something you should know about me. I specializ

#### Processor security: Hardware isolation mechanisms





Daniel/Michael: well, have you thought about the uarch foundation under your nice arch walls?

































#### Cache Hits / Cache Misses





We can communicate across protection walls using microarchitectural side channels!

#### Leaky processors: Jumping over protection walls with side-channels










Jo: "I have a test for you" Michael: "You're not gonna tell me anything about this first?" Jo: "Before I describe the project, I have to know you can do it" Michael: "Why?









[Figure: Meltdown illustration, user-space memory pages A ... W indexed by the value of kernel[0] (a char)]







#### Meltdown variants: The transient-execution zoo

See https://transient.fail





#### Meltdown variants: Address dependencies

#### Meltdown variants: Microarchitectural buffers



#### Meltdown take-away

**Faulting** (or assisted) loads transiently forward **unrelated data** from various <u>microarchitectural buffers</u>.







If we take a look at these transient execution attacks we have basically a figure like this (show 4 empty squares - explain and build up the figure except the LVI square

#### Load Value Injection (LVI): Turning Meltdown around





Then you break in and leak it. Well, it's not, strictly speaking, leaking. After all: it's called load value \*injection\*. (exactly as in the trailer XD)




























Jo: "Load Value Injection" Michael's glass stops halfway to his mouth. Jo: "Don't bother telling me it's impossible." Michael: "It's perfectly possible. Just bloody difficult.











#### LVI: Bringing the victim into the dream

#### Vulnerable platforms: Intel Software Guard Extensions (SGX)













#### Enclaves to the rescue!



Intel SGX promise: hardware-level isolation and attestation



- SGX machinery protects against direct address remapping attacks
- ... but untrusted address translation may fault during enclaved execution (!)



We can arbitrarily provoke page faults for trusted enclave loads!

#### LVI toy example: Hijacking transient data flow



#### LVI toy example: Recovering arbitrary secrets



#### Taxonomy of LVI variants: Many buffers, many faults...





1. Victim fills $\mu$-arch buffer with attacker-controlled data
2. Victim executes <u>indirect branch</u> (JMP/CALL/RET)
3. Faulting load $\rightarrow$ inject incorrect attacker values(!)
4. Redirect transient control flow

```
# asm.S (~/sgx-step-fresh/app/lvi/Enclave)
    .global ecall_lvi_sb_rop
    # %rdi store_pt
    # %rsi oracle_pt
ecall_lvi_sb_rop:
    mov %rsp, rsp_backup(%rip)
    lea page_b(%rip), %rsp
    add $OFFSET, %rsp
    /* transient delay */
    clflush dummy(%rip)
    mov dummy(%rip), %rax

    /* STORE TO USER ADRS */
    movq $'R', (%rdi)
    lea ret_gadget(%rip), %rax
    movq %rax, 8(%rdi)
    /* HIJACK TRUSTED LOAD FROM ENCLAVE STACK */
    /* should go to do_real_ret: will transiently go to ret_gadget if we fault on the stack loads */
    pop %rax
#if LFENCE
    notq (%rsp)
    notq (%rsp)
    lfence
    ret            # not visible in the slide screenshot; implied by the comment above
#else
    ret            # not visible in the slide screenshot; implied by the comment above
#endif
1:  jmp 1b
    mfence
do_real_ret:
    mov rsp_backup(%rip), %rsp
    ...
```

```
; %rbx: user-controlled argument ptr (outside enclave)
sgx_my_sum_bridge:
    ...
    call my_sum          ; compute 0x10(%rbx) + 0x8(%rbx)
    mov  %rax,(%rbx)     ; P1: store sum to user address
    xor  %eax,%eax
    pop  %rbx            ; P2: load from trusted stack
    ret
```

We can set up a <u>fake transient stack</u> in the store buffer or L1D!

```
__intel_avx_rep_memcpy:                      ; libirc_2.4/efi2/libirc.a
    ...                                      ; P1: store to user address
    vmovups %xmm0,-0x10(%rdi,%rcx,1)
    ...
    pop %r12                                 ; P2: load from trusted stack
    ret
```





Daniel: "Instead of actual data values, it should be safe to just return 0 values, right?" Jo: "I wouldn't do that if I were a CPU manufacturer. I believe an attacker coul







#### LVI-NULL: Why 0x00 is not a safe value

- Recent Intel CPUs forward **0x00 dummy values** for faulting loads
- ... but NULL is a valid virtual memory address, under attacker control
- ... hijack pointer values (e.g., function pointer-to-pointer)

```
asm_oret:                   ; (linux-sgx/sdk/trts/linux/trts_pic.S#L454)
    ...
    mov 0x58(%rsp),%rbp     ; %rbp <- NULL

    mov %rbp,%rsp           ; %rsp <- NULL
    pop %rbp                ; %rbp <- *(NULL)
    ret                     ; %rip <- *(NULL+8)
```





Michael: "What's the mitigation against LVI?" Jo: "Vendors might say that's none of our concern" Michael: "Yeah, but this isn't the usual sid














#### Mitigation idea: Fencing vulnerable load instructions

#### Mitigating LVI: Compiler and assembler support



- `-mlfence-after-load` (GNU assembler)
- `-mlvi-hardening` (LLVM/Clang)
- `-Qspectre-load` (MSVC)

Press coverage of the toolchain mitigations:

- Phoronix: "GNU Assembler Adds New Options For Mitigating Load Value Injection Attack" (Michael Larabel, 11 March 2020)
- Phoronix: "LLVM Lands Performance-Hitting Mitigation For Intel LVI Vulnerability" (Michael Larabel, 3 April 2020)
- Microsoft: "More Spectre Mitigations in MSVC" (March 13th, 2020)

#### LVI $\leftrightarrow$ Spectre: no control-flow prediction; every load can be hijacked

| Instruction | Possible emulation                      | Clobber-free |
|-------------|-----------------------------------------|--------------|
| ret         | `pop %reg; lfence; jmp *%reg`           | ✗            |
| ret         | `not (%rsp); not (%rsp); lfence; ret`   | ✓            |
| jmp (mem)   | `mov (mem),%reg; lfence; jmp *%reg`     | ✗            |
| call (mem)  | `mov (mem),%reg; lfence; call *%reg`    | ✗            |
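The two `ret` emulations from the table, and the per-load fencing the compiler flags above automate, as an added example that is not code from the talk or from any of the toolchains it mentions: two C-callable leaf functions in AT&T assembly that compute a + b and return through the fenced sequences. Assumes x86-64 Linux with a GNU-compatible toolchain (System V ABI); the function names are mine, and other targets fall back to plain C.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the talk or any toolchain it mentions.
 * Two C-callable leaf functions, written in AT&T assembly, that compute
 * a + b and return through the two `ret` emulations from the table.
 * Assumes x86-64 Linux with a GNU-compatible toolchain (System V ABI);
 * any other target falls back to plain C so the file still builds. */
#if defined(__x86_64__) && defined(__GNUC__) && defined(__linux__)
__asm__(
    ".text\n"
    /* Clobber-free variant: notq twice leaves the return address in memory
     * unchanged, but the read-modify-write plus lfence forces the load of
     * the return slot to complete before ret can consume a transient,
     * injected value. */
    ".globl lvi_add_ret\n"
    ".type lvi_add_ret,@function\n"
    "lvi_add_ret:\n"
    "    leaq (%rdi,%rsi), %rax\n"
    "    notq (%rsp)\n"
    "    notq (%rsp)\n"
    "    lfence\n"
    "    ret\n"
    /* pop/lfence/jmp variant: needs a scratch register (%r11 is caller-saved
     * and free in a leaf function, but a compiler rewriting arbitrary code
     * may have none, hence 'not clobber-free'); returning via jmp also
     * breaks CET shadow-stack bookkeeping where that feature is enabled. */
    ".globl lvi_add_jmp\n"
    ".type lvi_add_jmp,@function\n"
    "lvi_add_jmp:\n"
    "    leaq (%rdi,%rsi), %rax\n"
    "    popq %r11\n"
    "    lfence\n"
    "    jmp *%r11\n"
);
uint64_t lvi_add_ret(uint64_t a, uint64_t b);
uint64_t lvi_add_jmp(uint64_t a, uint64_t b);
#else
/* Fallback for other targets: functionally identical, no fences. */
uint64_t lvi_add_ret(uint64_t a, uint64_t b) { return a + b; }
uint64_t lvi_add_jmp(uint64_t a, uint64_t b) { return a + b; }
#endif

int main(void) {
    printf("ret variant: %llu\n", (unsigned long long)lvi_add_ret(2, 3));
    printf("jmp variant: %llu\n", (unsigned long long)lvi_add_jmp(2, 3));
    return 0;
}
```

Disassemble the object (`objdump -d`) to confirm the `lfence` sits between the return-address load and the control transfer; counting those fences is the same check the lfence-count slide below applies to Intel's enclaves.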

#### Intel architectural enclaves: lfence counts

[Chart: lfence counts in Intel architectural enclaves, e.g. libsgx_qe.signed.so; 23 fences; October 2019, "surgical precision"]



#### Performance overheads: OpenSSL (our prototype mitigation)



#### Performance overheads: OpenSSL (Intel's mitigation)



#### Performance overheads: SPEC (Intel's mitigation)



Further press coverage of the mitigation cost:

- Phoronix: "The Brutal Performance Impact From Mitigating The LVI Vulnerability" (Michael Larabel, 12 March 2020)
- Phoronix: "Looking At The LVI Mitigation Impact On Intel Cascade Lake Refresh" (Michael Larabel, 5 April 2020)

- ⇒ LVI **gadgets** exploit Meltdown-type effects in reverse
- ⇒ **Short-term:** extensive lfence compiler mitigations for Intel SGX enclaves
- ⇒ **Long-term:** improved silicon patches in new CPUs






