CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This - PowerPoint PPT Presentation

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1

This Week: Hardware Security • Introduction – Meltdown • Papers – Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin) – SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks, DAC, 2019 (Jacob) 2

Meltdown • What is it? – An attack that exploits Intel CPU’s flaw that allows any user-level process to read the content of the kernel- only accessible memory---usually the entire dram • What’s the impact? – An attacker can dump the entire memory, including password and other confidential information • Which CPUs are affected? – Almost all Intel CPUs that do Out-of-Order Execution to improve performance 3

Meltdown • Is there any solution to address the issue? – Yes. Major OS vendors already provide a solution. – But it comes at a performance cost of a varying degree. (we will see why later) • What’s the technical details? – Meltdown paper • Meltdown, Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, arXiv preprint (Submitted on 3 Jan 2018) 4

Outline • Background – Virtual Memory – Out-of-Order Execution – Cache Side-Channel • Meltdown Attack • Meltdown Defense • Other Side-Channel Attacks 5

Virtual Memory • Abstraction – A large (e.g., 4GB) linear address space for each process • Reality – A limited (e.g., 1GB) amount of actual physical memory shared with many other processes • How? 6

MMU Process A Process C Process B Virtual address MMU physical address 7 Physical Memory

Page Table • OS managed table that describe virtual to physical address mapping. 8

Properties of Virtual Memory • Memory isolation among different processes – E.g., Process A cannot see process B’s memory (vice versa.) • What about memory isolation between kernel and user ? – Q1. how does kernel map its own private memory? – Q2. how to prevent user processes from accessing the kernel mapped memory? 9

Kernel/User Virtual Memory 0xFFFFFFFF • Kernel memory – Kernel code, data Kernel – Identical to all address spaces 0xC0000000 – Fixed 1-1 mapping of physical memory • User memory User – Process code, data, heap, stack,... – Unique to each address space – On-demand mapping (page fault) 0x00000000 10

Kernel/User Virtual Memory 0xFFFFFFFF • Every user-process has mappings to kernel memory Kernel • But the kernel memory is only accessible at the kernel mode 0xC0000000 – when you execute system calls or interrupt handlers. • Benefits of this design: Performance User – Kernel can move data between user memory and kernel memory easily w/o changing the address space. 0x00000000 11

ARM Page Table 12

Kernel/User Virtual Memory 0xFFFFFFFF • Meltdown tricks the CPU so that the user can access its kernel Kernel memory 0xC0000000 • How? – By exploiting weaknesses in Intel’s out - User of-order execution engine 0x00000000 13

Out-of-Order Execution • Background • A cache-miss can take ~100 cycles • Idling CPU while waiting data from memory is bad • Out-of-order execution – A technique to minimize data waiting time by executing future instructions – Introduced in 1967 (Tomasulo algorithm) • Most (all) high-performance CPUs use OoOE – Intel, AMD, ARM, …. 14

Out-of-Order Execution • Instructions are fetched into a queue • Any instructions whose data (operands) are ready are executed out-of-order (subject to data dependency) • Results are “retired” in-order. 15

Speculative Execution • Guess which branch to If (condition) take. { • Speculatively execute Do something A1 instructions in the Do something A2 likely branch. Do something A3 } else { • If guessed wrong, Do something B1 squash the results Do something B2 • But the side-effect Do something B3 (cache state change) } remain 16

Cache Side-Channel Attack • Side-effect of memory access is changes in micro-architectural state (cache state change) • By measuring access timing differences of a memory location, an attacker can determine whether the memory is cached or not. • This can be used to leak secret information • Methods: Flush + Reload, Prime + Probe, etc. 17

Flush+Reload Attack • Flush the shared cache-lines • Let the victim execute • Measure access timing of each cache-line – Fast: accessed by the victim, Slow: not-accessed Image credit: “Cache Side Channels: State of the Art and Research Opportunities” by Prof. Yinqian Zhang at OSU 18

Prime+Probe Attack • The attacker prime the cache sets • The victim runs and evicts attacker’s cache -lines • The attacker measure access timing of each set – Slow: victim accessed, fast: victim not accessed Image credit: “Cache Side Channels: State of the Art and Research Opportunities” by Prof. Yinqian Zhang at OSU 19

Outline • Background • Meltdown Attack • Meltdown Defense • Other Side-Channel Attacks 20

Meltdown • An exploit of Out-of-Order Execution, which change the microarchitectural state in a way that leaks information 21

Toy Example • Line 1 diverts execution flow to the exception handler. • So, line 3 should not be reached. 22

Toy Example • But due to OoOE, Line 3 may have already been executed, before raising the exception. • The OoOE results will be squashed, but the side- effect (cache state change) remains. 23

Toy Example • By measuring access timings, you can uncover the value of ‘data’ 24

Meltdown • This is it. 25

Meltdown • Step 1: load an attacker chosen kernel address into a register. This would raise an exception but it may take some time. 26

Meltdown • Step 2: access memory based on the secret content of the rax register. This access will be in the cache. 27

Meltdown • Step 3: measure the access timing of the probe array (one per page) to determine which is in the cache. Which in turn tell what was the content of the kernel address [ rcx ] 28

Meltdown Kernel Process address space Physical Memory User • Entire physical memory is 1-to-1 mapped into part of kernel memory. So, you can dump it. 29

Outline • Background • Meltdown Attack • Meltdown Defense – KAISER/KPTI • Other Side-Channel Attacks 30

KAISER/KPTI • OS solution to mitigate the meltdown attack. • Idea: Do not map kernel in each process’s address space. Instead kernel has its own address space. • If kernel is not mapped in user process’s address space, there’s no way to access kernel memory, thus preventing meltdown. • But, to enter the kernel (system call or interrupt), you have to first make a context switch it. • There’s direct/indirect overhead of a context -switch. • I/O intensive workloads are especially affected by this. 31

KAISER/KPTI • Hide kernel from user’s address space. • Switch to kernel’s address space to enter kernel (i.e., system calls, interrupt handling) 32

KAISER/KPTI • Just the top-level table (PML4) needs to have two distinct copies. Memory overhead is low. • Benefits: kernel address is not mapped in the user’s space. So, no speculative reads can happen. 33

KAISER/KPTI: Overhead • Flush TLB on context-switch between user/kernel – PCID (or ASID) supporting CPUs don’t need to flush TLB. • Page table swapping (CR3 update): ~hundreds cycles • The overhead is incurred for every single system- call/interrupt.  noticeable performance hit (5-30%) 34

Summary • OoOE introduces side-effect, which can be exploited in a way to leak information. • Meltdown is such an attack, exploiting weakness in Intel CPU’s OoOE implementation. It can dump entire kernel memory. • KAISER/KPTI mitigates the issue by completely separating kernel from user process’s address space. • But the cost can be quite high for OS intensive workloads. 35

References • M. Lipp et al., Meltdown , arXiv preprint, 2018 • D. Gruss et al., KASLR is Dead: Long Live KASLR, 2017 • https://lwn.net/Articles/738975/ 36

Reliability Side-Channel • Disturbance errors in DRAM (*) • a.k.a. Row Hammer Bug • Repeated opening/closing a DRAM row can cause bit flips in adjacent rows. • In more than 80% DRAM modules between 2010 -2013 • Google demonstrated successful hacking method utilizing the bug (**) – manipulate page tables at the user-level (*) Yoongu Kim et al, “ Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors, ” ISCA’14 37 (**) Google Project Zero. Exploiting the DRAM rowhammer bug to gain kernel privileges, 2015

DRAM Chip Wordline Row of Cells Row Victim Row V LOW V HIGH Aggressor Row Row Opened Closed Victim Row Row Row Repeatedly opening and closing a row induces disturbance errors in adjacent rows This slide is from the Dr. Yoongu Kim’s ISCA 2014 presentation 38

RowHammer 39

References • Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. ISCA, 2014 • Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, CCS'16 [blog] (optional) 40