exploiting out of order execution
play

Exploiting Out-of-Order-Execution Processor Side Channels to Enable - PowerPoint PPT Presentation

Aug 24, 2023 •31 likes •491 views

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

  1. Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia D’Antoine REcon 2015

  2. The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46

  3. Cloud Computing (IaaS) • Virtual instances • Hypervisors Dynamic allocation => Reduces cost 06/19/2015 Exploiting Out-of-Order-Execution 3/46

  4. Everyone’s Happy 06/19/2015 Exploiting Out-of-Order-Execution 4/46

  5. Problems with the Cloud Security issues with cloud computing • Sensitive data stored remotely • Vulnerable host • Untrusted host • Co-located with foreign VM’s 06/19/2015 Exploiting Out-of-Order-Execution 5/46

  6. Physical co-location leads to side channel vulnerabilities. wat 06/19/2015 Exploiting Out-of-Order-Execution 6/46

  7. Cloud Hardware 06/19/2015 Exploiting Out-of-Order-Execution 7/46

  8. Universal Vulnerabilities 1) Translation between physical and virtual hardware based on need 2) Allocation causes contention 3) Private VM activities not opaque to aaco-residents 06/19/2015 Exploiting Out-of-Order-Execution 8/46

  9. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 9/46

  10. Side Channel Attack “In cryptography, a side- Cloud Computing channel attack is any attack • Hardware side based on information gained channel from the physical • Cross virtual implementation of a machine cryptosystem” • Information gained through recordable changes in the system 06/19/2015 Exploiting Out-of-Order-Execution 10/46

  11. Classification S/R Model • Hardware agnostic • Two methods of interacting – Transmit – Receive transmit: receive: force record artifacts artifacts Hardware 06/19/2015 Exploiting Out-of-Order-Execution 11/46

  12. Possible Exploits • Receive (exfiltrate) 1. crypto key theft 2. process monitoring 3. environment keying 4. broadcast signal • Transmit (infiltrate) 1. DoS 2. co-residency • Transmit & Receive (network) 1. communication (C&C) 06/19/2015 Exploiting Out-of-Order-Execution 12/46

  13. Communication Virtual VM1 VM2 Client Master VM Allocations S R S R S R Shared Communication Medium Hardware 06/19/2015 Exploiting Out-of-Order-Execution 13/46

  14. Cache Side Channel Example [3] Flush+Reload targets the L3 Cache Tier • Receiving Mechanism (Adversary) – Flushes & queries • Transmitting Mechanism (Victim) – Accesses same L3 line • Leaked GnuPG Private Key sophia.re/cache.pdf 06/19/2015 Exploiting Out-of-Order-Execution 14/46

  15. Pipeline vs Cache Channel Benefits: • Quiet, covert channel • Not affected by cache misses, etc. • Channel & noise amplifies in a crowded cloud environment 06/19/2015 Exploiting Out-of-Order-Execution 15/46

  16. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the pipeline 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 16/46

  17. The Attack Vector Side Channels which Exploit Hardware Vulnerabilities Inherent to Modern Cloud Computing Systems Requirements: • Shared hardware • Dynamically allocated hardware resources • Co-Location with adversarial VMs or infected VMs 06/19/2015 Exploiting Out-of-Order-Execution 17/46

  18. Pipeline Side Channel We chose to target the processor as the hardware medium. => CPU’s pipeline => System artifacts queried dynamically • Instruction order • Results from instruction sets 06/19/2015 Exploiting Out-of-Order-Execution 18/46

  19. Out-of-Order-Execution 06/19/2015 Exploiting Out-of-Order-Execution 19/46

  20. Processor Pipeline Contention VM VM VM VM Process01 Process02 Process03 Process04 SMT Pipeline Core01 Core02 Optimizes Executing Shared Instructions Processor Hardware From Foreign Applications 06/19/2015 Exploiting Out-of-Order-Execution 20/46

  21. RECEIVER 06/19/2015 Exploiting Out-of-Order-Execution 21/46

  22. Record Out of Order Execution [6] 06/19/2015 Exploiting Out-of-Order-Execution 22/46

  23. Record Out of Order Execution THREAD 1 THREAD 2 => Synched store [X], 1 store [Y], 1 r1 = r2 = 1 load r1, [Y] load r2, [X] => Asynched store [X], 1 r1 = 0 r2 = 1 load r1, [Y] store [Y], 1 load r2, [X] => Out of load r1, [Y] load r2, [X] r1 = r2 = 0 Order store [X], 1 store [Y], 1 Execution 06/19/2015 Exploiting Out-of-Order-Execution 23/46

  24. Record Out of Order Execution int X,Y,count_OoOE; ….initialize semaphores Sema1 & Sema2… pthread_t thread1, thread2; pthread_create(&threadN, NULL, threadNFunc, NULL); for (int iterations = 1; ; iterations++) X,Y = 0; Averages matter sem_post(beginSema1 & beginSema2); sem_wait(endSema1 & endSema2); if (r1 == 0 && r2 == 0) count_OoOE ++; 06/19/2015 Exploiting Out-of-Order-Execution 24/46

  25. TRANSMITTER 06/19/2015 Exploiting Out-of-Order-Execution 25/46

  26. Force Out of Order Execution Mfence: ● x86 instruction full memory barrier prevents memory reordering of any kind ● order of 100 cycles per operation ● … mov dword ptr [_spin1], 0 … mfence … mov dword ptr [_spin2], 0 … mfence 06/19/2015 Exploiting Out-of-Order-Execution 26/46

  27. Force Out of Order Execution THE PIPELINE ….. ….. NOP Store [X], 1 mfence Load r1, [X] NOP Exploiting Out-of-Order-Execution 27/46

  28. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 28/46

  29. Types of Memory Reordering Memory Reordering Processor Compilation (Run) Time Time GCC OoOE Execution Multithreaded MultiCored Programs (MultiExecution Processors) Computers 06/19/2015 Exploiting Out-of-Order-Execution 29/46 Categorize Out of Order Execution

  30. Types of Memory Reordering Dynamic side channel artifacts Processor (Run) Time OoOE Execution MultiCored (MultiExecution Processors) Computers 06/19/2015 Exploiting Out-of-Order-Execution 30/46 Categorize Out of Order Execution

  31. [7] 06/19/2015 Exploiting Out-of-Order-Execution 31/46

  32. Types of Memory Reordering [4, 5] - Instruction A visible to all processes before B occurs - #StoreLoad most expensive operation 06/19/2015 Exploiting Out-of-Order-Execution 32/46 Categorize Out of Order Execution

  33. Force Out of Order Execution Memory Barrier ● ‘Lock-free programming’ on SMT multiprocessors ● #StoreLoad unique prevents r1=r2=0 ● x86: mfence ( effects the pipeline ) 06/19/2015 Exploiting Out-of-Order-Execution 33/46

  34. • Out-of-Order-Execution • 06/19/2015 Exploiting Out-of-Order-Execution 34/46

  35. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out of Order Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 35/46

  36. Lab Model Scheduler Xen hypervisor ● Popular commercial IaaS platforms Xeon Processors Shared multi-core/ multi-processor hardware ● 8 logical CPU’s/ 4 cores ● 6 virtual machines (VM’s) ● Parallel Processing/ Simultaneous Multi-Threading On (SMT) 06/19/2015 Exploiting Out-of-Order-Execution 36/46

  37. Virtual Machines • 6 Windows 7 VM’s VM1 VM2 VM3 VM4 VM5 VM6 P1 P2 P3 P4 CPU1 CPU1 06/19/2015 Exploiting Out-of-Order-Execution 37/46

  38. Virtual Machine S/R 06/19/2015 Exploiting Out-of-Order-Execution 38/46

  39. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 39/46

  40. Demo Links sophia.re/sender.py sophia.re/receiver.py 06/19/2015 Exploiting Out-of-Order-Execution 40/46

  41. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 41/46

  42. Potential Channel Mitigation Protected Resource Ownership ● Isolating VM’s ● Turn off hyperthreading ● Blacklisting resources for concurrent threads ● Downside: cloud benefits 06/19/2015 Exploiting Out-of-Order-Execution 42/46

  43. In Conclusion... Contribution: We demonstrate a novel Out of Order Execution side channel. • Dynamic querying/ forcing method • Application to cloud computing • Mitigation techniques 06/19/2015 Exploiting Out-of-Order-Execution 43/46

  44. Acknowledgements - Jeremy Blackthorne - RPISEC - Trail of Bits 06/19/2015 Exploiting Out-of-Order-Execution 44/46

  45. Any Questions? IRC: quend (#rpisec, #pwning) email: sophia@trailofbits.com thesis link: sophia.re/thesis.pdf 06/19/2015 Exploiting Out-of-Order-Execution 45/46

Recommend

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th,

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th,

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th, 2017 1 whoami Masters in CS from RPI - Exploiting Intels CPU pipelines Work at Trail of Bits - Senior Security Researcher - Program

1.83k views • 126 slides
Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by Compilers Processors ( out-of-order execution) SMP Cache Management Understanding execution order in a multithreaded context is out of reach

600 views • 48 slides
Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all

Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all

Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all instructions take the same amount of time for execution Idea: Have multiple different functional units that take different number of cycles

749 views • 39 slides
Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with

Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with

Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with scoreboarding IBM 360/91 with Tomasulo s algorithm & reservation stations out-of-order completion leads to: imprecise interrupts

356 views • 22 slides
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia

1.1k views • 51 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on

Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on

Agenda Order Execution Support Vector Machines Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on VWAP Marcin Orchel AGH University of Science and Technology in Poland Supervisor: prof. Witold

303 views • 11 slides
Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A: Neha Chachra and Bryan S. Kim Feb. 11, 2010 1 Historical perspective Pipeline RISC Superscalar Out-of-order VLIW SMT 1960 1970 1980 1990

1.01k views • 45 slides
Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order

Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order

3/16/17 Multi-Cycle Execution Not all instructions take the same amount of time for execution Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order Execution different number of cycles

329 views • 10 slides
Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill

Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill

Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill Kogan, Sergey I. Nikolenko, Ori Rottenstreich, William Culhane, and Patrick Eugster Presenter: Qing Lyu 2017/04/12 IEEE/ACM TRANSACTIONS ON

787 views • 64 slides
Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order

Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order

Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order Searches Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order Searches Michael R. Jantz Prasad A. Kulkarni

442 views • 26 slides
1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

673 views • 34 slides
Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin

Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin

Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin Sui and Keshav Pingali Wednesday, July 20, 2011 Exploiting semantics in transactional execution Set S: X Y Z 2 Wednesday, July 20, 2011

1.04k views • 67 slides
Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University

Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University

Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University of Mississippi Dissertation: Essay 1 Abstract Excessive limit order cancellation activity in equity options markets has forced exchange officials

955 views • 58 slides
Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March

Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March

3/21/17 Agenda Logistics Review from last lecture Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March 21, 2017 Caches Final Exam AN AN IN-OR ORDER PIPELINE Integer add Combined

310 views • 13 slides
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
Out- -of of- -Order Order Out Tomasulos Algorithm Superscalar CPU Superscalar CPU -

Out- -of of- -Order Order Out Tomasulos Algorithm Superscalar CPU Superscalar CPU -

The Basis of Our Design Out- -of of- -Order Order Out Tomasulos Algorithm Superscalar CPU Superscalar CPU - Allows out-of-order execution - Instructions wait in Reservation Stations - Execute instructions once operands have been

405 views • 7 slides
Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502

Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502

Spring 2016 :: CSE 502 Computer Architecture Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502 Computer Architecture OoO Execution (1/3) Dynamic scheduling Totally in the hardware Also

681 views • 37 slides
Out- -of of- -Order Order Out Superscalar CPU Superscalar CPU Cliff Frey and Vicky Liu May

Out- -of of- -Order Order Out Superscalar CPU Superscalar CPU Cliff Frey and Vicky Liu May

Out- -of of- -Order Order Out Superscalar CPU Superscalar CPU Cliff Frey and Vicky Liu May 6 th , 2005 May 6 th , 2005 6.884 Final Project Presentation The Basis of Our Design Tomasulos Algorithm - Allows out-of-order execution -

651 views • 25 slides
LECTURE 12 Out-of-order execution: Pentium Pro/II/III EXECUTING IA32/IA64 INSTRUCTIONS FAST

LECTURE 12 Out-of-order execution: Pentium Pro/II/III EXECUTING IA32/IA64 INSTRUCTIONS FAST

LECTURE 12 Out-of-order execution: Pentium Pro/II/III EXECUTING IA32/IA64 INSTRUCTIONS FAST Problem: Complex instruction set Solution: Break instructions up into RISC-like micro operations Lengthens decode stage; simplifies execute

1.3k views • 28 slides
Lecture 19: Cache Basics Todays topics: Out-of-order execution Cache hierarchies

Lecture 19: Cache Basics Todays topics: Out-of-order execution Cache hierarchies

Lecture 19: Cache Basics Todays topics: Out-of-order execution Cache hierarchies Reminder: Assignment 7 due on Thursday 1 Multicycle Instructions Multiple parallel pipelines each pipeline can have a different

538 views • 17 slides
Register Renaming & Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Register Renaming & Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Spring 2015 :: CSE 502 Computer Architecture Register Renaming & Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture OoO Execution (1/3) Dynamic scheduling Totally in the hardware

551 views • 37 slides
Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are

Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are

Chapter 8 Applying Thread Pools Magnus Andersson Execution policies Not all task are suitable for all execution policies Dependent task Task exploiting thread confinement Response time sensitive tasks ThreadLocal tasks

358 views • 32 slides
OUT-OF-ORDER EXECUTION Mahdi Nazm Bojnordi Assistant Professor School of Computing University

OUT-OF-ORDER EXECUTION Mahdi Nazm Bojnordi Assistant Professor School of Computing University

OUT-OF-ORDER EXECUTION Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Homework 3 submission deadline: Feb. 25 th This lecture Tomasulo

535 views • 27 slides

More recommend