MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX - Daniel Moghimi - PowerPoint PPT Presentation



SLIDE 1

#RSAC   Session ID: CRYP-T07

MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX

Daniel Moghimi, Ph.D. Student, Worcester Polytechnic Institute (@danielmgmi)

SLIDE 2

MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX

Ahmad "Daniel" Moghimi, Thomas Eisenbarth, Berk Sunar
April 17, 2018, CT-RSA 2018, San Francisco, CA

SLIDE 3

Data Dependency

  • Data dependency: an instruction consumes data produced by a preceding instruction

  1  add %ebx, %eax     ; %eax = %eax + %ebx
  2  sub %eax, %edx     ; %edx = %edx - %eax   (needs %eax from 1)
  3  xor %ecx, %ecx     ; %ecx = 0             (independent)
  4  add %eax, %edi     ; %edi = %edi + %eax   (needs %eax from 1)
  5  sub %ecx, %edi     ; %edi = %edi - %ecx   (needs %ecx from 3 and %edi from 4)

SLIDES 4-9

Data Dependency – Pipelined Execution

  • Data dependency: an instruction consumes data produced by a preceding instruction
  • Four pipeline stages: IF (Instruction Fetch), ID (Instruction Decode), EX (Execute), WB (Write Back)

  1  add %ebx, %eax
  2  sub %eax, %edx
  3  xor %ecx, %ecx
  4  add %eax, %edi
  5  sub %ecx, %edi

  Cycle:              1    2    3    4    5    6    7    8
  1  add %ebx, %eax   IF   ID   EX   WB
  2  sub %eax, %edx        IF   ID   EX   EX   WB
  3  xor %ecx, %ecx             IF   ID   EX   WB
  4  add %eax, %edi                  IF   ID   EX   WB
  5  sub %ecx, %edi                       IF   ID   EX   WB

  Instruction 2 spends an extra cycle in EX: it needs %eax, which instruction 1 only writes back in cycle 4. The animation on slides 4 to 9 builds this diagram one cycle at a time.

SLIDES 10-11

Data False Dependency – Register Renaming

  • Pipeline stalls without a true dependency.
  • Reasons:
    • Register reuse: the same architectural register name is reused for unrelated values
    • Limited address space: only part of an address is available when a memory dependency is checked

  1  add %ebx, %eax
  2  xor %ecx, %ecx
  3  sub %eax, %edx     ; reads and writes %edx
  4  mov $100, %edx     ; overwrites %edx: false dependency (FD) on 3, the values are unrelated
  5  sub %edx, %ecx     ; true dependency on 4

  Register renaming: the hardware gives instruction 4 a fresh physical register (shown as %bat), so the false dependency on instruction 3 disappears while the true dependency of 5 on 4 is kept:

  1  add %ebx, %eax
  2  xor %ecx, %ecx
  3  sub %eax, %edx
  4  mov $100, %bat
  5  sub %bat, %ecx

SLIDE 12

Memory False Dependency – 4K Aliasing

  • Memory loads and stores are executed out of order and speculatively.
  • The dependency between a load and an earlier store is verified after the load has executed.
  • Memory disambiguation runs before virtual-to-physical address translation has completed, so only the page-offset bits (the low 12 bits) of the two addresses are compared.
  • 4K aliasing: addresses that are a multiple of 4K apart agree in those bits and are assumed dependent.
  • On a false dependency the load, and the instructions that consumed its result, are re-executed.

  mov %eax, (%ebx)     ; store
  mov (%ecx), %edx     ; load, executed ahead of the store

  Store -> Execute.  Load -> Execute.  Dependent? Yes, if %ebx and %ecx match in the low 12 bits, even when they point to different pages; the load then executes again.

SLIDES 13-18

4K Aliasing – Hyperthreading

  • Thread A and Thread B run on the two hyperthreads (HT) of one physical core; the 4K-aliasing check does not distinguish between the two threads' memory operations.

  Core
    HT – Thread A: Load 0xFECD1, Load 0xFECD2, Load 0xFECD3, Load 0xFECD4, Load 0xFECD5, Load 0xFECD6, Load 0xFECD7, Load 0xFECD8, then Execute & Time
    HT – Thread B: repeated Store to a single attacker-chosen address (the animation cycles through 0x12ABCDEF, 0x12ABC200 and 0x12ABC)

  • Thread A's loads take longer when Thread B's store address matches them in the low 12 bits; the upper bits of the store address do not matter.
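The penalty that slides 12 to 18 build the attack on can be observed from a single thread as well, without a sibling hyperthread: a load whose address matches an immediately preceding store on bits 0 to 11 is falsely flagged as dependent and replayed. The program below is an added example written for this page, not code from the MemJam authors or from Intel. The buffer layout, the offsets 0x400 and 0xC00 and the iteration count are constructed; the absolute numbers depend on the machine, and a difference between the two variants is what indicates that the primitive is available.

```c
/*
 * Added example (not from the MemJam slides): single-thread 4K-aliasing
 * microbenchmark. Page 0 takes a store, page 1 takes the load that follows
 * it. When the load's low 12 bits equal the store's, the memory disambiguator
 * treats it as dependent before translation finishes and replays it.
 */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t now(void) { return __rdtsc(); }
#define UNIT "cycles"
#else
static uint64_t now(void) { return (uint64_t)clock(); }   /* coarse fallback */
#define UNIT "clock ticks"
#endif

#define PAGE 4096u
#define ITERATIONS 2000000u

/* Two addresses 4K-alias when they agree on the page-offset bits 0..11. */
int aliases_4k(uintptr_t a, uintptr_t b) {
    return ((a ^ b) & (PAGE - 1)) == 0;
}

/* Three consecutive, page-aligned 4 KiB pages (constructed layout). */
static uint8_t buf[3 * PAGE] __attribute__((aligned(4096)));

/* Store to page 0 at store_off, then load from page 1 at load_off,
 * ITERATIONS times. Returns elapsed time per iteration. */
static double time_store_load(uint32_t store_off, uint32_t load_off) {
    volatile uint8_t *st = buf + store_off;
    volatile uint8_t *ld = buf + PAGE + load_off;
    uint8_t sink = 0;
    uint64_t t0 = now();
    for (uint32_t i = 0; i < ITERATIONS; i++) {
        *st = (uint8_t)i;   /* store still being resolved ...             */
        sink ^= *ld;        /* ... when this load is checked against it   */
    }
    uint64_t t1 = now();
    buf[2 * PAGE] = sink;   /* keep the loads observable to the compiler */
    return (double)(t1 - t0) / ITERATIONS;
}

struct alias_result {
    double aliased;     /* load shares bits 0..11 with the store */
    double unaliased;   /* load differs from the store in bit 11 */
};

/* Runs both variants after a warm-up; returns 0 on success. */
int run_alias_benchmark(struct alias_result *r) {
    const uint32_t off = 0x400;                 /* constructed page offset */
    time_store_load(off, off);                  /* warm-up: faults, clocks */
    time_store_load(off, off ^ 0x800);
    r->aliased   = time_store_load(off, off);          /* 0x400 vs 0x1400 */
    r->unaliased = time_store_load(off, off ^ 0x800);  /* 0x400 vs 0x1C00 */
    return (r->aliased > 0.0 && r->unaliased > 0.0) ? 0 : -1;
}

/* Convenience predicate: benchmark ran and produced usable timings. */
int alias_benchmark_ok(void) {
    struct alias_result r;
    return run_alias_benchmark(&r) == 0;
}

int main(void) {
    struct alias_result r;
    if (run_alias_benchmark(&r) != 0) {
        puts("timer produced no usable values");
        return 1;
    }
    printf("store/load pair, load 4K-aliased:  %.2f %s\n", r.aliased, UNIT);
    printf("store/load pair, load not aliased: %.2f %s\n", r.unaliased, UNIT);
    printf("aliases_4k(0x12ABCDEF, 0xFECD1) = %d\n",
           aliases_4k(0x12ABCDEFu, 0xFECD1u));
    return 0;
}
```

Build with optimization (-O1 or higher) so the loop is tight while the volatile accesses stay in place. On x86 the timer is rdtsc, elsewhere clock(); on a core that replays aliased loads the first variant costs several cycles more per iteration than the second, and if the two come out equal the store/load pair is not what bounds the loop, so this is the check to run before relying on the effect.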

SLIDES 19-23

MemJam – Intra Cache Line Resolution

  Address bits: low 12 bits (virtual address = physical address) | remaining bits (virtual != physical)

  • L1 cache attacks resolve the set index, which lies inside the low 12 bits:
    2005 – Percival – Cache Missing for Fun and Profit
    2006 – Osvik – Cache Attacks and Countermeasures
  • L2/LLC cache attacks depend on the higher, physical address bits:
    2014 – Yarom – Flush+Reload
    2015 – Irazoqui – S$A

  • MemJam: intra-cache-line leakage at 4-byte granularity
  • Higher time correlates memory accesses that share address bits 2 to 11, i.e. the whole page offset above the 4-byte word (the slide counts them as bits 3 to 12, starting from 1)
  • Beyond the 6 bits of cache-line index that cache attacks already see, this is 4 bits (bits 2 to 5) of intra-cache-line leakage
SLIDES 24-31

MemJam Attack

  CPU: two cores, each with two hyperthreads (HT). The encryption service runs on one HT; the attacker runs on the sibling HT of the same core.

  Victim instruction stream:  load  compute  load  load  compute  load  compute  load  load

  • The attacker keeps storing to an address whose low 12 bits match the victim's secret-dependent load addresses.
  • Victim loads that 4K-alias a pending attacker store are flagged as dependent and execute again.
  • Higher time if there are more 4K conflicts: the victim's run time grows with the number of its loads that alias the attacker's store address.

SLIDES 32-34

Constant-time AES – Safe2Encrypt_RIJ128

  • Scatter-gather implementation of AES
  • 256-byte S-box spread over 4 cache lines of 64 bytes (lines A, B, C, D)
  • Cache-independent access pattern: every S-box lookup reads the same offset from all four lines into a local buffer and then selects the wanted line (D in one step of the animation, B in the next), so every lookup touches every line
  • Implemented and distributed as part of Intel products:
    • Intel SGX Linux Software Development Kit (SDK)
    • Intel IPP Cryptography Library

SLIDES 35-39

MemJam Attack on AES

  • The four 64-byte S-box lines are read at the same intra-line offset on every lookup, so a monitor working at cache-line granularity learns nothing.
  • The attacker's stores 4K-alias one 4-byte word inside one of the lines; only the lookups whose index falls in that word (index bits 2 to 5) are delayed.
  • The animation narrows the view from the four lines to the single aliased line and word that drives the timing difference.

SLIDES 40-41

AES Key Recovery (results figure)
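To make concrete why the scatter-gather S-box of slides 32 to 39 gives up key material, here is an added simulation written for this page; it is not code from the talk, the paper or Intel's SDK. It implements a Safe2Encrypt_RIJ128-style gather (all four lines read at one offset, then one selected), models the attacker's 4K-aliased 4-byte word as a fixed penalty on every lookup whose index bits 2 to 5 hit that word, and recovers those four bits of each first-round key byte by a difference of means. The key, the plaintexts, the penalty and noise values and the attacker's (line, word) choice are all constructed; real timings are far noisier, and the full key recovery on slides 40 and 41 goes beyond this first-round model.

```c
/*
 * Added example (not from the MemJam slides or Intel's code): leakage model
 * of MemJam against a scatter-gather AES S-box. Synthetic timing =
 * base + HIT_DELAY per 4K-conflicting lookup + uniform noise.
 */
#include <stdint.h>
#include <stdio.h>

#define SAMPLES   3000   /* timed first-round encryptions observed */
#define HIT_DELAY 10     /* synthetic penalty per conflicting lookup */
#define NOISE     20     /* synthetic uniform noise range */

/* Deterministic xorshift64* so the run is reproducible. */
static uint64_t rng_state;
static uint32_t rng_next(void) {
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return (uint32_t)((rng_state * 0x2545F4914F6CDD1DULL) >> 32);
}

/* A lookup conflicts with the attacker's aliased 4-byte word when index
 * bits 2..5 select that word; which of the 4 lines is aliased is irrelevant
 * because every lookup reads all 4 lines at the same offset. */
int lookup_conflicts(uint8_t idx, int probe_word) {
    return (int)((idx & 0x3C) >> 2) == probe_word;
}

/* Constructed table; its contents play no role in the leak. */
static uint8_t sbox_table[256];

/* Scatter-gather lookup: touch all 4 lines at the same offset, then select.
 * Counts the reads that hit the attacker's aliased (line, word) slot. */
uint8_t gather_lookup(uint8_t idx, int probe_line, int probe_word, int *conflicts) {
    uint8_t local[4];
    unsigned offset = idx & 0x3F;
    for (int line = 0; line < 4; line++) {
        local[line] = sbox_table[line * 64 + offset];
        if (line == probe_line && lookup_conflicts(idx, probe_word))
            (*conflicts)++;
    }
    return local[idx >> 6];
}

/* Synthetic time of the 16 first-round lookups idx = pt[i] ^ key[i]. */
int simulated_round_time(const uint8_t pt[16], const uint8_t key[16],
                         int probe_line, int probe_word) {
    int conflicts = 0;
    for (int i = 0; i < 16; i++)
        (void)gather_lookup(pt[i] ^ key[i], probe_line, probe_word, &conflicts);
    return 100 + HIT_DELAY * conflicts + (int)(rng_next() % NOISE);
}

/* Attacker: score each candidate for key bits 2..5 of byte `pos` by the
 * mean time of samples predicted to conflict minus the mean of the rest. */
uint8_t recover_nibble(const uint8_t *pts, const int *times, int n,
                       int pos, int probe_word) {
    double best_score = -1e9;
    uint8_t best = 0;
    for (unsigned g = 0; g < 64; g += 4) {          /* 16 candidates */
        double sum_hit = 0, sum_miss = 0;
        int n_hit = 0, n_miss = 0;
        for (int s = 0; s < n; s++) {
            if (lookup_conflicts(pts[s * 16 + pos] ^ (uint8_t)g, probe_word)) {
                sum_hit += times[s]; n_hit++;
            } else {
                sum_miss += times[s]; n_miss++;
            }
        }
        if (n_hit == 0 || n_miss == 0) continue;
        double score = sum_hit / n_hit - sum_miss / n_miss;
        if (score > best_score) { best_score = score; best = (uint8_t)g; }
    }
    return best;
}

/* Full run; returns how many key bytes had bits 2..5 recovered correctly. */
int memjam_aes_simulation(uint8_t recovered[16]) {
    static const uint8_t key[16] = { 0x2B,0x7E,0x15,0x16,0x28,0xAE,0xD2,0xA6,
                                     0xAB,0xF7,0x15,0x88,0x09,0xCF,0x4F,0x3C };
    static uint8_t pts[SAMPLES * 16];
    static int times[SAMPLES];
    const int probe_line = 2, probe_word = 9;    /* constructed attacker slot */

    rng_state = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 256; i++) sbox_table[i] = (uint8_t)i;
    for (int s = 0; s < SAMPLES; s++) {
        for (int i = 0; i < 16; i++) pts[s * 16 + i] = (uint8_t)rng_next();
        times[s] = simulated_round_time(&pts[s * 16], key, probe_line, probe_word);
    }
    int matched = 0;
    for (int pos = 0; pos < 16; pos++) {
        recovered[pos] = recover_nibble(pts, times, SAMPLES, pos, probe_word);
        matched += (recovered[pos] == (key[pos] & 0x3C));
    }
    return matched;
}

int memjam_aes_simulation_ok(void) {
    uint8_t rec[16];
    return memjam_aes_simulation(rec) == 16;
}

int main(void) {
    uint8_t rec[16];
    int ok = memjam_aes_simulation(rec);
    printf("recovered key bits 2..5 per byte:");
    for (int i = 0; i < 16; i++) printf(" %x", rec[i] >> 2);
    printf("\n%d/16 bytes correct\n", ok);
    return ok == 16 ? 0 : 1;
}
```

The candidates for one key byte split into 16 classes that cannot be told apart, because only bits 2 to 5 of the index choose the 4-byte word; that is exactly the 4 bits of intra-cache-line leakage from slide 23, and it is independent of which of the four lines the attacker aliases.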

SLIDE 42

SM4 Block Cipher – cpSMS4_Cipher

  • Standard cipher supported by Intel (IPP)
  • Chinese national standard for wireless LAN (WAPI)
  • S-box + unbalanced Feistel structure
  • Protected by cache state normalization: the S-box is brought into the cache before it is used, so cache-line attacks observe no access pattern
  • Recursive attack -> full key recovery with 40K observations

SLIDE 43

MemJamming Intel SGX Secure Enclave

  CPU: two cores, each with two hyperthreads (HT). The encryption service now runs inside an Intel SGX enclave; the attacker still runs on the sibling HT of the same core.

  Victim instruction stream:  load  compute  load  load  compute  load  compute  load  load

  • Enclave isolation does not stop the core from checking the enclave's loads against the sibling thread's stores: loads that 4K-alias an attacker store execute again, and the enclave's run time is higher if there are more 4K conflicts.

SLIDE 44

Intel SGX – AES Key Recovery (results figure)

SLIDE 45

Conclusion

  • New side-channel attack applicable to all Intel processors, including Intel SGX enclaves
  • Bypasses constant-time implementation techniques:
    • Scatter-gather
    • Cache state normalization
  • Agnostic to other cache-attack defense mechanisms
  • Affects the whole Intel stack (the "Intel trilogy"):
    • Intel hardware
    • Intel trusted execution environment (SGX)
    • Intel hardened crypto implementation (IPP)
SLIDE 46

Responsible Disclosure

  Date          Progress
  08/02/2017    Reported
  08/04/2017    Acknowledged
  11/07/2017    Safe2Encrypt_RIJ128 removed from the SGX SDK
  11/17/2017    CVE-2017-5737 assigned
  (ongoing)     Patch work in progress

SLIDE 47

Questions?!

  Vernam Group   v.wpi.edu   @VernamGroup   @danielmgmi
