

### Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

Jo Van Bulck

DistriNet reunion, February 5, 2020

imec-DistriNet, KU Leuven · jo.vanbulck@cs.kuleuven.be · jovanbulck



#### Processor security: Hardware isolation mechanisms



- Different software protection domains: user processes, virtual machines, enclaves
- CPU builds "walls" for memory isolation between applications and privilege levels
- ⇒ Microarchitectural side-channels permeate the architectural protection walls!

- Secure program: convert all input to expected output
- Buffer overflow vulnerabilities: trigger unexpected behavior
- Safe languages & formal verification: preserve expected behavior
- Side-channels: observe side-effects of the computation
- Constant-time code: eliminate secret-dependent side-effects







#### A vulnerable example program and its constant-time equivalent

```c
#define PWD_LEN 8
extern const char pwd[PWD_LEN];   /* secret reference password */

/* Returns 1 if input matches pwd, 0 otherwise. The early return on the
 * first mismatch makes execution time depend on the secret. */
int check_pwd(const char *input)
{
    for (int i = 0; i < PWD_LEN; i++)
        if (input[i] != pwd[i])
            return 0;

    return 1;
}
```



#### Overall execution time reveals correctness of individual password bytes!

 $\rightarrow$  reduce brute-force attack from an exponential to a linear effort. . .


```c
#define PWD_LEN 8
extern const char pwd[PWD_LEN];   /* secret reference password */

/* Constant-time equivalent: always touches all PWD_LEN bytes and folds the
 * mismatches into rv with OR, so time no longer depends on the secret. */
int check_pwd(const char *input)
{
    int rv = 0x0;
    for (int i = 0; i < PWD_LEN; i++)
        rv |= input[i] ^ pwd[i];

    return (rv == 0);
}
```

#### Rewrite program such that execution time does not depend on secrets

 $\rightarrow$  manual, error-prone solution; side-channels are likely here to stay...
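To make the leak concrete, here is an added example (not from the slides) that models the execution time of both `check_pwd` variants by counting loop iterations; the secret `pwd` value and the helper names `steps_for_prefix` and `is_input_independent` are constructed for this demo. The early-exit version's step count grows with the number of leading correct bytes, while the constant-time version always takes PWD_LEN steps.

```c
#include <stddef.h>

/* Constructed demo secret; PWD_LEN matches the slides' example. */
#define PWD_LEN 8
static const char pwd[PWD_LEN] = {'h','u','n','t','e','r','4','2'};

/* Loop iterations stand in for execution time in both variants. */
static int check_pwd_leaky(const char *input, size_t *steps)
{
    *steps = 0;
    for (int i = 0; i < PWD_LEN; i++) {
        (*steps)++;
        if (input[i] != pwd[i])      /* early exit leaks the mismatch index */
            return 0;
    }
    return 1;
}

static int check_pwd_ct(const char *input, size_t *steps)
{
    int rv = 0;
    *steps = 0;
    for (int i = 0; i < PWD_LEN; i++) {
        (*steps)++;
        rv |= input[i] ^ pwd[i];     /* accumulate, never exit early */
    }
    return rv == 0;
}

/* Steps for a guess whose first k bytes are right and the rest wrong. */
static size_t steps_for_prefix(int (*check)(const char *, size_t *), int k)
{
    char guess[PWD_LEN];
    size_t steps;
    for (int i = 0; i < PWD_LEN; i++)
        guess[i] = (i < k) ? pwd[i] : (char)(pwd[i] ^ 0x55);
    (void)check(guess, &steps);
    return steps;
}

/* 1 if the step count is the same for every prefix length, i.e. no leak. */
static int is_input_independent(int (*check)(const char *, size_t *))
{
    size_t ref = steps_for_prefix(check, 0);
    for (int k = 1; k <= PWD_LEN; k++)
        if (steps_for_prefix(check, k) != ref)
            return 0;
    return 1;
}
```

The same `is_input_independent` check is the kind of regression test worth keeping next to any comparison routine that handles secrets.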



## What's inside the black box?



#### Enclaved execution: Reducing attack surface



Traditional layered designs: large trusted computing base

Intel SGX promise: hardware-level isolation and attestation



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side-channels



Xu et al. "Controlled-channel attacks: Deterministic side-channels for untrusted operating systems", IEEE S&P 2015



Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018







We can communicate across protection walls using microarchitectural side-channels!

#### Leaky processors: Jumping over protection walls with side-channels



Meme: SHARING IS NOT CARING. SHARING IS LOSING YOUR STUFF TO OTHERS.



# Can we do better? Can we demolish architectural protection walls instead of just peeking over?





#### Enclaved execution: Transient-execution attacks

Untrusted OS $\rightarrow$ new class of powerful side-channels

**Game-changer:** Trusted CPU $\rightarrow$ exploit microarchitectural bugs/design flaws

Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018





- Meltdown breaks user/kernel isolation
- Foreshadow breaks SGX enclave and virtual machine isolation
- Spectre breaks software-defined isolation on various levels
- ... many more but all exploit the same underlying insights!

Meme: WHAT IF I TOLD YOU YOU CAN CHANGE RULES MID-GAME.

#### Out-of-order and speculative execution

#### Key discrepancy:

- Programmers write sequential instructions
- Modern CPUs are inherently parallel
- ⇒ Execute instructions ahead of time

```c
int area(int h, int w)
{
    int triangle = (w*h)/2;   /* the two products are independent, ...        */
    int square = (w*w);       /* ... so the CPU may compute square ahead of time */
    return triangle + square;
}
```

Best-effort: What if triangle fails?

- ⇒ Commit in-order, roll back square
- ... but side-channels may leave traces (!)

# Transient-execution attacks: Welcome to the world of fun!

**Key finding of 2018:** ⇒ Transmit secrets from transient to normal world

Transient world (microarchitecture) may temporarily bypass architectural software intentions:

- Delayed exception handling ⇒ CPU access control bypass
- Control flow prediction ⇒ Speculative buffer overflow/ROP

# The transient-execution zoo

#### https://transient.fail









#### Unauthorized access

Listing 1: x86 assembly.

```asm
meltdown:
    // %rdi: oracle
    // %rsi: secret_ptr
    movb (%rsi), %al
    shl  $0xc, %rax
    movq (%rdi, %rax), %rdi
    retq
```

Listing 2: C code.

```c
void meltdown(uint8_t *oracle, uint8_t *secret_ptr)
{
    uint8_t v = *secret_ptr;
    v = v * 0x1000;
    uint64_t o = oracle[v];
}
```

Slide build-up annotations on the listing: Unauthorized access → Transient out-of-order window → Exception (discard architectural state) → Exception handler.









### Building Foreshadow: Evade the abort page

- Straw man: (Speculative) accesses in non-enclave mode are dropped
- Stone man: Bypass abort page via *untrusted* page table



#### Foreshadow-NG: Breaking the virtual memory abstraction

L1-Terminal Fault: match unmapped physical address (!)



- ⇒ New emerging and powerful class of **transient-execution** attacks
- ⇒ Importance of fundamental side-channel research; no silver-bullet defenses
- ⇒ Security **cross-cuts** the system stack: hardware, OS, VMM, compiler, application



# Appendix

## References

- C. Canella, J. Van Bulck, M. Schwarz, M. Lipp, B. von Berg, P. Ortner, F. Piessens, D. Evtyushkin, and D. Gruss. A Systematic Evaluation of Transient Execution Attacks and Defenses. In *Proceedings of the 28th USENIX Security Symposium*, 2019.
- J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In *Proceedings of the 27th USENIX Security Symposium*. USENIX Association, August 2018.
- J. Van Bulck, F. Piessens, and R. Strackx. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In *Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX'17)*, pp. 4:1–4:6. ACM, 2017.
- J. Van Bulck, F. Piessens, and R. Strackx. Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic. In *Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS'18)*. ACM, October 2018.
- J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx. Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution. In *Proceedings of the 26th USENIX Security Symposium*. USENIX Association, August 2017.

### SGX-Step: Executing enclaves one instruction at a time

https://github.com/jovanbulck/sgx-step







Foreshadow attack steps, each paired with the mitigation that breaks it:

1. Cache secrets in L1 ⇒ Flush L1 cache on enclave/VMM exit + disable HyperThreading
2. Unmap page table entry ⇒ OS kernel updates (sanitize page frame bits)
3. Execute Meltdown ⇒ Future CPUs (silicon-based changes)

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
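An added example (not from the slides or from kernel source) of what "sanitize page frame bits" means for step 2: a simplified model of x86-64 page-table entries in which the PFN bits of a non-present entry are inverted, as the Linux L1TF mitigation does, so that the frame address an L1 terminal fault would still forward points above populated memory. The 4 GiB memory ceiling, the frame address used in the check, and the function names are constructed.

```c
#include <stdint.h>

/* Simplified x86-64 PTE model; constants and names are constructed. */
#define PTE_PRESENT   ((uint64_t)1 << 0)
#define PTE_PFN_MASK  ((uint64_t)0x000FFFFFFFFFF000ULL)  /* frame bits 12..51 */
#define MAX_PHYS_ADDR ((uint64_t)1 << 32)  /* top of populated RAM in this model */

/* Build a PTE. A non-present entry gets its PFN bits inverted (as the Linux
 * L1TF mitigation does), so the raw frame bits point above populated memory. */
uint64_t make_pte(uint64_t phys, uint64_t flags)
{
    uint64_t pfn_bits = phys & PTE_PFN_MASK;
    if (!(flags & PTE_PRESENT))
        pfn_bits ^= PTE_PFN_MASK;
    return pfn_bits | (flags & ~PTE_PFN_MASK);
}

/* Software view of the frame address: undo the inversion for non-present PTEs. */
uint64_t pte_phys(uint64_t pte)
{
    uint64_t pfn_bits = pte & PTE_PFN_MASK;
    if (!(pte & PTE_PRESENT))
        pfn_bits ^= PTE_PFN_MASK;
    return pfn_bits;
}

/* What an L1 terminal fault still forwards: the raw frame bits, present or not.
 * Returns 1 if they select a frame inside populated (cacheable) memory. */
int raw_frame_in_populated_memory(uint64_t pte)
{
    return (pte & PTE_PFN_MASK) < MAX_PHYS_ADDR;
}

/* Step 2 of the attack, "unmap page table entry", done two ways. */
uint64_t unmap_naive(uint64_t pte)
{
    return pte & ~PTE_PRESENT;          /* frame bits left intact: exploitable */
}

uint64_t unmap_sanitized(uint64_t pte)
{
    uint64_t flags = (pte & ~PTE_PFN_MASK) & ~PTE_PRESENT;
    return make_pte(pte_phys(pte), flags);   /* re-encode with inverted PFN */
}
```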



- Programmer *intention:* never access out-of-bounds memory
- Branch can be mistrained to speculatively (i.e., ahead of time) execute with *idx* ≥ *LEN* in the **transient world**
- Insert explicit **speculation barriers** to tell the CPU to halt the transient world...
- Huge manual, error-prone effort...
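As an added example (not from the slides), the bounds-checked lookup from the bullets above beside two hardened forms: an `lfence` speculation barrier right after the check, and branchless index masking in the style of the Linux kernel's array_index_nospec(). The array contents, the LEN value and all function names are constructed for this demo; lfence is x86-only, so other ISAs get a placeholder barrier.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed public array; LEN and idx follow the slide's naming. */
#define LEN 8
static const uint8_t array[LEN] = { 11, 22, 33, 44, 55, 66, 77, 88 };

/* As the programmer writes it: architecturally correct, but a mistrained branch
 * lets the load run transiently with idx >= LEN (a dependent load can then leave a trace). */
uint8_t lookup_unprotected(size_t idx)
{
    if (idx < LEN)
        return array[idx];
    return 0;
}

/* Hardened form 1: lfence after the check (x86-only; compiler-barrier placeholder elsewhere). */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

uint8_t lookup_lfence(size_t idx)
{
    if (idx < LEN) {
        speculation_barrier();
        return array[idx];
    }
    return 0;
}

/* Hardened form 2: branchless clamping in the style of the Linux kernel's
 * array_index_nospec(): mask is all ones when idx < size, all zeros otherwise,
 * so even a transient pass through the check reads array[0] at worst. */
static inline size_t index_nospec(size_t idx, size_t size)
{
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1); /* 1 iff idx >= size */
    return idx & ((size_t)0 - (oob ^ 1));
}

uint8_t lookup_masked(size_t idx)
{
    if (idx < LEN)
        return array[index_nospec(idx, LEN)];
    return 0;
}
```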