Presentation is loading. Please wait.

Presentation is loading. Please wait.

MicroScope: Enabling Microarchitectural Replay Attacks

Published byHandoko Johan Modified over 5 years ago

Similar presentations

Presentation on theme: "MicroScope: Enabling Microarchitectural Replay Attacks"— Presentation transcript:

1 MicroScope: Enabling Microarchitectural Replay Attacks
Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher University of Illinois at Urbana-Champaign

2 Overview

3 The Era of Side-Channels
Processor Main Memory L2 L3 L2 Core L2 Scheduler Port 0 Port 1 PortSmash’18 Port 2 Port 3 Non-Inclusive LLC’19 Spectre’18 TLBLeed’18 ROB TLB Branch ALU Branch Predictors’16 SGX Prime+Probe[13] LSQ D-L1 I-L1 FPU TLB Contention’13 Subnormal FPU’15 4K-Alliasing’18 DRAMA’16

4 How much can leak over side channels?
Victim: if (secret) use resource else don’t use resource Attacker: for .. t1 = time() use resource t2 = time() Need repeated measurements to be confident  Denoise However, many applications run only once  Attacker gets 1 measurement Can attackers really extract secrets?

5 Contribution: Microarchitectural Replay Attacks
Attacker leverages speculative execution To repeatedly replay a snippet of victim code That runs only once } Primitive to denoise arbitrary side channels Victim: Memory operation that will cause a squash and re-execute ld addr // “replay handle” ld secret // secret the attacker tries to leak

6 Contribution: Microarchitectural Replay Attacks
Time Issue Replay Handle Long Latency Event ld addr:

7 Contribution: Microarchitectural Replay Attacks
Time Issue Replay Handle Long Latency Event ld addr: Speculative Execution of Secret ld secret:

8 Contribution: Microarchitectural Replay Attacks
Time Issue Replay Handle Long Latency Event Squash Event Clear State ld addr: ld secret: Speculative Execution of Secret Squash

9 Contribution: Microarchitectural Replay Attacks
Issue Replay Handle Long Latency Event Squash Event Clear State ld addr: ld secret: Speculative Execution of Secret Squash Replay!! Cause Shared Resource Contention & Monitor

10 Background

11 Page Tables Background
Page tables stored in memory On a TLB Miss  “page walk” = memory accesses Each step of page walk = cache hit/miss. Page walk cache (PWC): hardware cache of translations If Present bit in pte_t is cleared  Page Fault, invoke OS Virtual Address 47 … 39 38 … 30 29 … 21 20 … 12 11 … 0 9-bits Page Offset Address A pgd_t CR3 + pud_t + pmd_t + pte_t + TLB Entry PGD PUD PMD PTE

12 Trusted Computing with SGX
Designed to run sensitive applications in the cloud Do not trust OS/Hypervisor OS/Hypervisor cannot introspect/tamper enclave Unfortunately, OS/Hypervisor still manages demand paging Attack Surface With Enclaves App App App Operating System Hypervisor Hardware Attack Surface

13 Threat Model

14 Threat Model In SGX the OS is responsible Demand paging
Attacker (OS) can: Evict TLB entries Evict page walk cache entries Monitor side channels

15 MicroScope: A framework to exploit microarchitectural replay attacks

16 Attack Examples Victim Code Loop Victim Code: for i in ...
handle(pub_addrA); ... transmit(secret[i]); memOp(pub_addrB); //public address handle(pub_addr); ... transmit(secret);

17 Terminology Victim Code Replay handle: Transmitter:
Load to a public address (known to OS) //public address handle(pub_addr); ... transmit(secret); Transmitter: Any instruction(s) whose execution reveals secret through some side channel Occurs < ROB length from Replay Handle

18 Timeline of a MicroScope Attack - Setup
Attacker Victim

19 Timeline of a MicroScope Attack - Setup
Clear PTE Present Bit of Replay Handle Attack Setup Time Attacker Victim

20 Timeline of a MicroScope Attack - Setup
Clear PTE Present Bit of Replay Handle Flush Replay Handle Page Table Entries Attack Setup Time Attacker Victim

21 Timeline of a MicroScope Attack - Setup
Clear PTE Present Bit of Replay Handle Flush Replay Handle Page Table Entries Flush Replay Handle TLB Entry Attack Setup Time Attacker Victim

22 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle handle(pub_addr): Attacker Victim

23 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss handle(pub_addr): Attacker Victim

24 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss handle(pub_addr): Speculative Execution of Transmitter transmit(secret): Attacker Victim

25 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss handle(pub_addr): Speculative Execution of Transmitter transmit(secret): Attacker Victim

26 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk handle(pub_addr): Speculative Execution of Transmitter transmit(secret): Attacker Victim

27 Timeline of a MicroScope Attack
Tune speculative execution duration with: Cache Hit or Miss Attack Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk handle(pub_addr): Speculative Execution of Transmitter transmit(secret): Attacker Victim

28 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault handle(pub_addr): Speculative Execution of Transmitter transmit(secret): Attacker Victim

29 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Attacker Victim

30 Timeline of a MicroScope Attack
Setup Time Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Attacker Victim

31 Timeline of a MicroScope Attack
Setup Page Fault Handler Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Attacker Victim

32 Timeline of a MicroScope Attack
Setup Page Fault Handler Flush Replay Handle Page Table Entries Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Attacker Victim

33 Timeline of a MicroScope Attack
Setup Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Replay!! Attacker Victim

34 Timeline of a MicroScope Attack
Setup Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Squash Speculative Execution of Transmitter transmit(secret): Attacker Victim

35 Timeline of a MicroScope Attack
Setup Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Squash Speculative Execution of Transmitter transmit(secret): Attacker Victim

36 Timeline of a MicroScope Attack
Setup Issue Replay Handle L1 TLB Miss L2 TLB Miss PWC Miss PGD Walk PUD Walk PMD Walk PTE Walk Page Fault OS Invocation handle(pub_addr): Speculative Execution of Transmitter Squash transmit(secret): Replay!! Cause Shared Resource Contention & Monitor Attacker Victim Attacker Monitor/Contention thread

37 Loop Example

38 Loop Example Goal: Challenge: Victim: Leak secret in every iteration
for i in ... handle(pub_addrA); ... transmit(secret[i]); memOp(pub_addrB); Goal: Leak secret in every iteration Challenge: Monitor window of a replay handle < ROB length

39 Instruction used to pivot around transmit instructions
Loop Example Victim: for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); Instruction used to pivot around transmit instructions Replay Handle Transmit Code Pivot Instruction

40 In a Loop Dynamic code Static Code Iteration i=0 Monitor window
handle(pub_addrA); ... transmit(secret[0]); pivot(pub_addrB); transmit(secret[1]); for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); Iteration i=0 Monitor window Iteration i=1 Replay Handle Transmit Code Pivot Instruction

41 In a Loop Dynamic code Static Code Pivot page fault handle(pub_addrA);
... transmit(secret[0]); pivot(pub_addrB); transmit(secret[1]); Pivot page fault for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); Replay Handle Transmit Code Pivot Instruction

42 In a Loop Dynamic code Static Code Retired instructions
handle(pub_addrA); ... transmit(secret[0]); pivot(pub_addrB); transmit(secret[1]); Retired instructions for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); Cause page fault on pivot Replay Handle Transmit Code Pivot Instruction

43 In a Loop Dynamic code Static Code Retired instructions
handle(pub_addrA); ... transmit(secret[0]); pivot(pub_addrB); transmit(secret[1]); Retired instructions for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); Cause page fault in new replay handle Replay Handle Transmit Code Pivot Instruction

44 In a Loop Use this idea to denoise side channels on AES (see paper)
Dynamic code Static Code handle(pub_addrA); ... transmit(secret[0]); pivot(pub_addrB); transmit(secret[1]); Retired Instructions for i in ... handle(pub_addrA); ... transmit(secret[i]); pivot(pub_addrB); New Monitor Window Use this idea to denoise side channels on AES (see paper) Replay Handle Transmit Code Pivot Instruction

45 Port Contention Attack

46 Port Contention Attack with MicroScope
Victim: Attacker: Setup replay attack for … t1 = time() attacker_div() t2 =time() } handle(pub_addrA); if (secret) victim_mul() else victim_div() No Loop! Replay Handle Transmit Code Attacker Code

47 Port Contention Attack with MicroScope
Victim Thread Attacker Thread Decode Victim: Attacker: Setup replay attack for … t1 = time() attacker_div() t2 =time() } handle(pub_addrA); if (secret) victim_mul() else victim_div() INT ALU FP DIV Replay Handle Transmit Code Attacker Code

48 Port Contention Attack with MicroScope
Victim Thread Victim Thread Attacker Thread Attacker Thread Decode Victim: Attacker: Setup replay attack for … t1 = time() attacker_div() t2 =time() } handle(pub_addrA); if (secret) victim_mul() else victim_div() INT ALU FP DIV Replay Handle Transmit Code Attacker Code

49 Port Contention Attack with MicroScope
Victim Thread Victim Thread Attacker Thread Attacker Thread Decode Victim: Attacker: Setup replay attack for … t1 = time() attacker_div() t2 =time() } handle(pub_addrA); if (secret) victim_mul() else victim_div() INT ALU FP DIV FP DIV 10,000  1 Replay Handle Transmit Code Attacker Code

50 Port Contention Results
Victim and attacker run on adjacent SMT contexts of same core Attacker performs divisions in a loop and measures time Victim performs two multiplications without a loop Victim performs two divisions without a loop

51 Generalizing Microarchitectural Replay Attacks

52 Microarchitectural Replay Attacks
Attacker Victim 1 Trigger Replay? 4 Strategy Replay Handle Secret 2 Replayed Code Window Side Channels? Measure 3 This work: 1 Replay Handle  Page fault-inducing load Replayed Code 2  Leaky instruction Changing each can result in different attacks!! Side Channel 3  uarch structures 4 Attacker strategy  Page fault until denoise

53 More On the Paper Other attack examples
MicroScope framework implementation Attacks on AES Countermeasures discussion

54 Open source! MicroScope Framework
Denoise nearly arbitrary microarchitectural side channels using page faults Only a single run of the victim Demonstrate attacks on notoriously noisy side channels Detect the presence or absence of two divide instructions Single-step and denoise cache-based attacks on AES

55 Microarchitectural Replay Attacks
Takeaways Microarchitectural Replay Attacks  New class of attacks Opens large new attack surface (noisy side channels) Implications for integrity, TSX, physical side channels Exploits core microarchitectural feature Dynamic instructions can be replayed through controlled squashes! We need new security properties to mitigate these attacks!

Download ppt "MicroScope: Enabling Microarchitectural Replay Attacks"

Similar presentations

Computer Organization CS224 Fall 2012 Lesson 44. Virtual Memory  Use main memory as a “cache” for secondary (disk) storage l Managed jointly by CPU hardware.

Computer Organization CS224 Fall 2012 Lesson 44. Virtual Memory  Use main memory as a “cache” for secondary (disk) storage l Managed jointly by CPU hardware.
Virtual to Physical Address Translation Effective Address TLB Lookup Page Table Walk Update TLBPage Fault OS Table Walk Protection Check Physical Address.

Virtual to Physical Address Translation Effective Address TLB Lookup Page Table Walk Update TLBPage Fault OS Table Walk Protection Check Physical Address.
Computer Architecture 2011 – Out-Of-Order Execution 1 Computer Architecture Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.

Computer Architecture 2011 – Out-Of-Order Execution 1 Computer Architecture Out-Of-Order Execution Lihu Rappoport and Adi Yoaz.
Yuanzhong Xu, Weidong Cui, Marcus Peinado

Yuanzhong Xu, Weidong Cui, Marcus Peinado
Memory Management (II)

Memory Management (II)
15-447 Computer ArchitectureFall 2007 © November 21, 2007 Karem A. Sakallah Lecture 23 Virtual Memory (2) CS 15-447: Computer Architecture.

Computer ArchitectureFall 2007 © November 21, 2007 Karem A. Sakallah Lecture 23 Virtual Memory (2) CS : Computer Architecture.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
Virtual Memory. Why do we need VM? Program address space: 0 – 2^32 bytes –4GB of space Physical memory available –256MB or so Multiprogramming systems.

Virtual Memory. Why do we need VM? Program address space: 0 – 2^32 bytes –4GB of space Physical memory available –256MB or so Multiprogramming systems.
Virtual Memory and Paging J. Nelson Amaral. Large Data Sets Size of address space: – 32-bit machines: 2 32 = 4 GB – 64-bit machines: 2 64 = a huge number.

Virtual Memory and Paging J. Nelson Amaral. Large Data Sets Size of address space: – 32-bit machines: 2 32 = 4 GB – 64-bit machines: 2 64 = a huge number.
1 1999 ©UCB CS 162 Ch 7: Virtual Memory LECTURE 13 Instructor: L.N. Bhuyan www.cs.ucr.edu/~bhuyan.

©UCB CS 162 Ch 7: Virtual Memory LECTURE 13 Instructor: L.N. Bhuyan
Computer Organization and Architecture

Computer Organization and Architecture
Revisiting Hardware-Assisted Page Walks for Virtualized Systems

Revisiting Hardware-Assisted Page Walks for Virtualized Systems
Virtual Memory Expanding Memory Multiple Concurrent Processes.

Virtual Memory Expanding Memory Multiple Concurrent Processes.
1 Vulnerabilities on high-end processors André Seznec IRISA/INRIA CAPS project-team.

1 Vulnerabilities on high-end processors André Seznec IRISA/INRIA CAPS project-team.
Virtual Memory 1 1.

Virtual Memory 1 1.
Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.

Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
Processes and Virtual Memory

Processes and Virtual Memory
Virtual Memory Review Goal: give illusion of a large memory Allow many processes to share single memory Strategy Break physical memory up into blocks (pages)

Virtual Memory Review Goal: give illusion of a large memory Allow many processes to share single memory Strategy Break physical memory up into blocks (pages)
Virtual Memory 1 Computer Organization II ©2005-2015 McQuain Virtual Memory Use main memory as a “cache” for secondary (disk) storage – Managed jointly.

Virtual Memory 1 Computer Organization II © McQuain Virtual Memory Use main memory as a “cache” for secondary (disk) storage – Managed jointly.

Similar presentations

Ads by Google