The Code That Never Ran
Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely
Mozilla Research | DePaul University | U. California San Diego
3 January 2018
Creative Commons Attribution-ShareAlike 4.0

A classic locked-room mystery. Eve was in the false branch of a conditional the whole time, how could she do it?

Outline: Introduction; Spectre; Optimizations; Simplified Spectre; Results; Experiments; A day out at the Tate Modern; Conclusions
Spectre

Attacks bypass run-time security checks.
Can bypass array bounds checks, and read whole process memory.
Can be exploited from JS, so evil.ad.com can read your bank.com data.
Attacks speculative evaluation, a hardware optimization.
Optimizations in hardware

A lie we tell programmers: “computers execute instructions one after the other.”

  x := x + 1; y := 1

has execution:

  R x 1 → W x 2
  W y 1

where W y 1 is unordered with respect to the other two events, so it might happen first.

Shared-memory concurrency leaks the abstraction.
Resulted in entire research area: weak memory models (e.g. Pugh et al.; C11).
Optimizations in hardware and compilers

Another lie we tell programmers: “only one branch of an if is executed.”

  if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 }

has execution:

  R x 1 → W y 1
  W z 1

where W z 1 might happen before W y 1, or even before R x 1 (z := 1 is written in both branches, so it does not depend on which branch is taken).

It also has execution:

  R x 1 → W y 1
  W z 1
  W y 2

where W y 2, from the branch not taken, might happen, then get rolled back.

No language-level model for this! As weak memory models are to OOO, so what is to speculation?
Simplified Spectre

Imagine a SECRET, protected by a run-time security check:

  if canRead ( SECRET ) { . . . use SECRET . . . } else { . . . }

For attacker code canRead ( SECRET ) is always false, e.g.

  R y 1 → W x 2
  R SECRET 1 → W x 1   (speculated, then rolled back)

is an execution of

  if y { if canRead ( SECRET ) { x := SECRET } else { x := 2 } } .

Attacker goal: learn if SECRET is 0 or 1.
Simplified Spectre

A very simplified Spectre attack:

  if canRead ( SECRET ) { a [ SECRET ] := 1 }
  else if touched ( a [ 0 ]) { x := 0 }
  else if touched ( a [ 1 ]) { x := 1 }

with execution

  R SECRET 1 → W a [ 1 ] 1 → (magic!) → W x 1

Information flow from SECRET to x, if there’s an implementation of “magic”.
Narrator: there was one.
Results

Formalization of pretty pictures as partially ordered multisets (Gischer, 1988).
Compositional semantics based on weak memory models (e.g. C11).
Examples modeling Spectre, Spectre mitigations, the PRIME+ABORT attack on transactional memory . . . and a new family of attacks on compiler optimizations.
Modeling an attack on compiler optimizations

An attacker running two threads (initially x = y = 0):

  y := x   ||   if ( y == 0 ) { x := 1 }
                else if ( canRead ( SECRET )) { x := SECRET }
                else { x := 1; z := 1 }

If SECRET is 1, there is an execution:

  W x 1 → R x 1 → W y 1 → R y 1 → W z 1

(x := 1 is written on every path through the conditional, so W x 1 does not depend on R y 1 and can be hoisted ahead of it).

If SECRET is 2, there is no execution (due to cyclic dependency): the canRead branch would now write W x 2, so W x 1 is no longer common to every path and must follow R y 1, giving the cycle

  R x 1 → W y 1 → R y 1 → W x 1 → R x 1

and W z 1 is never written.
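An added example, not code or semantics from the paper: a toy model of the two rules these slides rely on, the hoisting rule from the “Optimizations in hardware and compilers” slide (a write that is identical on every path through an if does not depend on the condition) and the reads-from rule used here. The program syntax, the `observed`/`initial` conventions and the function names are my own constructions. It reproduces the branch pomset (W z 1 unordered with respect to R x 1, W y 1 ordered after it) and checks the two-thread program above: the execution that writes z exists when SECRET = 1 and is cyclic, hence impossible, when SECRET = 2. For a defender, this is the kind of check that tells you whether an optimization has made whether-z-is-written depend on a value the run-time check was supposed to protect.

```python
"""Toy pomset model of write hoisting across branches.  Added example: a
simplified reading of the talk's rules, not its formal semantics.
Execution = read/write events + edges "a must precede b".  Rules:
 * a write with the same (loc, value) on every path through an `if` does not
   depend on that `if`'s condition read (compiler may hoist it, hardware may
   commit it before the branch resolves);
 * a read observes the initial value or some write, and depends on that write.
An execution exists iff the dependency graph is acyclic.  Syntax (constructed):
('write', loc, expr | loc_to_load), ('seq', ...), ('if', cond, then, else) with
cond = ('load', loc, pred) or ('const', bool)."""

def common_writes(stmt, observed):
    """(loc, val) written on every path (a path writes each loc at most once)."""
    if stmt[0] == 'write':
        _, loc, expr = stmt
        return {(loc, expr if isinstance(expr, int) else observed[expr])}
    if stmt[0] == 'seq':
        return set().union(*(common_writes(s, observed) for s in stmt[1:]))
    return common_writes(stmt[2], observed) & common_writes(stmt[3], observed)

def add(ex, kind, loc, val, deps):
    eid = len(ex['events'])                   # record event + edges from deps
    ex['events'][eid] = (kind, loc, val)
    ex['edges'] |= {(d, eid) for d in deps}
    return eid

def control_deps(ctrl, write=None):
    """Condition reads an event depends on; a write skips conditions it is hoistable past."""
    return [r for r, hoistable in ctrl if write not in hoistable]

def run(stmt, observed, ex, ctrl):
    """Emit the events of the path taken when reads see `observed` values.
    ctrl: stack of (condition read id, writes hoistable past it)."""
    if stmt[0] == 'write':
        _, loc, expr = stmt
        deps, val = [], expr
        if not isinstance(expr, int):         # data dependency on the load
            val = observed[expr]
            deps.append(add(ex, 'R', expr, val, control_deps(ctrl)))
        add(ex, 'W', loc, val, deps + control_deps(ctrl, (loc, val)))
    elif stmt[0] == 'seq':
        for s in stmt[1:]:
            run(s, observed, ex, ctrl)
    else:
        _, cond, then_s, else_s = stmt
        taken, inner = cond[1], ctrl          # ('const', b): no read event
        if cond[0] == 'load':
            val = observed[cond[1]]
            r = add(ex, 'R', cond[1], val, control_deps(ctrl))
            taken = cond[2](val)
            inner = ctrl + [(r, common_writes(stmt, observed))]
        run(then_s if taken else else_s, observed, ex, inner)

def acyclic(ex):
    """Repeatedly drop events with no predecessor; anything left over is a cycle."""
    remaining, edges = set(ex['events']), set(ex['edges'])
    while remaining:
        sources = {e for e in remaining if all(b != e for _, b in edges)}
        if not sources:
            return False
        remaining -= sources
        edges = {(a, b) for a, b in edges if a not in sources}
    return True

def execution(threads, observed, initial):
    """The execution where every read of loc observes observed[loc],
    or None if no acyclic, justified execution of that shape exists."""
    ex = {'events': {}, 'edges': set()}
    for t in threads:
        run(t, observed, ex, [])
    for rid, (kind, loc, val) in list(ex['events'].items()):
        if kind != 'R' or initial.get(loc) == val:
            continue
        writers = [w for w, lab in ex['events'].items() if lab == ('W', loc, val)]
        if not writers:
            return None                       # reads a value nobody wrote
        ex['edges'] |= {(w, rid) for w in writers}   # reads-from
    return ex if acyclic(ex) else None

def predecessors(ex, label):
    eid = next(e for e, lab in ex['events'].items() if lab == label)
    return {ex['events'][a] for a, b in ex['edges'] if b == eid}

def branch_example():
    # if ( x ) { y := 1; z := 1 } else { y := 2; z := 1 }, reading x as 1
    prog = ('if', ('load', 'x', lambda v: v != 0),
            ('seq', ('write', 'y', 1), ('write', 'z', 1)),
            ('seq', ('write', 'y', 2), ('write', 'z', 1)))
    return execution([prog], {'x': 1}, {'x': 1, 'y': 0, 'z': 0})

def leak_via_hoisting(secret):
    """The two-thread program from the slide; True iff the execution where
    thread 1 reads x = 1 and thread 2 reads y = 1 exists (x = y = 0 initially)."""
    t1 = ('write', 'y', 'x')
    t2 = ('if', ('load', 'y', lambda v: v == 0), ('write', 'x', 1),
          ('if', ('const', False),            # canRead(SECRET): false for attacker
           ('write', 'x', 'SECRET'),
           ('seq', ('write', 'x', 1), ('write', 'z', 1))))
    return execution([t1, t2], {'x': 1, 'y': 1, 'SECRET': secret},
                     {'x': 0, 'y': 0, 'z': 0, 'SECRET': secret}) is not None
```

`branch_example()` yields W z 1 with no predecessors and W y 1 ordered after R x 1; `leak_via_hoisting(1)` is True and `leak_via_hoisting(2)` is False, which is exactly the SECRET-dependent difference the slide describes. The model deliberately ignores program order between independent events, as the weak memory models the talk builds on do, so the only edges are data, control and reads-from dependencies.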
Implementing attacks on compiler optimizations

Spectre and Prime+Abort are implemented.
Can we implement the attacks on compiler optimizations?