foreshadow speculative attacks on sgx and beyond mark
play

Foreshadow: speculative attacks on SGX and beyond Mark Silberstein - PowerPoint PPT Presentation

Dec 09, 2022 •351 likes •1.07k views

Foreshadow: speculative attacks on SGX and beyond Mark Silberstein Joint work with Jo Van Bulck, Marina Minkin , Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx March 2019 Mark

  1. Foreshadow: speculative attacks on SGX and beyond Mark Silberstein Joint work with Jo Van Bulck, Marina Minkin , Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx March 2019 Mark Silberstein, Technion 1

  2. Big picture in one slide ● Where do CPUs loose performance? – Branches, Memory translation – Technology scaling does not help March 2019 Mark Silberstein, Technion 2

  3. Big picture in one slide ● Where do CPUs loose performance? – Branches, Memory translation – Technology scaling does not help ● Speculative execution for latency hiding – CPU speculates the outcome of slow operations – Continues execution assuming speculation is correct – Rolls back the modified architectural state otherwise March 2019 Mark Silberstein, Technion 3

  4. Speculative execution attacks exploit Speculation past illegal memory accesses Inability to fully roll back μarch state Covert/side channels to leak the state March 2019 Mark Silberstein, Technion 4

  5. Today ● Background ● From Meltdown to Foreshadow ● SGX: Collateral damage ● Foreshadow-NG (L1TF) ● Discussion March 2019 Mark Silberstein, Technion 5

  6. Speculative execution 101 Instruction stream Completed instructions CPU 1 2 Slow instruction 3 Execute Retire (commit results) 4 5 6 Depend on 3 March 2019 Mark Silberstein, Technion 6

  7. Speculative execution 101 Instruction stream Completed instructions CPU 2 1 3 Execute Retire (commit results) 4 5 6 March 2019 Mark Silberstein, Technion 7

  8. Speculative execution 101 Instruction stream Completed instructions CPU 1 2 3 Execute Retire (commit results) 4 5 6 March 2019 Mark Silberstein, Technion 8

  9. Speculative execution 101 Instruction stream Completed instructions Slow CPU 1 T slow 2 3 Execute Retire (commit results) 4 5 6 March 2019 Mark Silberstein, Technion 9

  10. Speculative execution 101 Instruction stream Completed instructions Slow CPU 1 T slow 2 3 Execute Retire 4 5 Executed speculatively 6 March 2019 Mark Silberstein, Technion 10

  11. Speculative execution 101 Instruction stream Completed instructions CPU 1 T slow 2 3 Execute Retire 5 4 Not committed yet! 6 March 2019 Mark Silberstein, Technion 11

  12. Speculative execution 101 Instruction stream Completed instructions CPU 1 T slow 2 3 Execute Retire 5 4 T speculative 6 Only 2 transiently executed instructions fit in the speculation window March 2019 Mark Silberstein, Technion 12

  13. Speculative execution 101 Instruction stream Completed instructions CPU Completed, speculation 1 was right 2 3 Execute Retire 5 4 6 March 2019 Mark Silberstein, Technion 13

  14. Speculative execution 101 Instruction stream Completed instructions CPU 1 2 Execute Retire 3 6 4 5 Commit all pending instructions March 2019 Mark Silberstein, Technion 14

  15. Speculative execution 101 Instruction stream Completed instructions CPU Completed, speculation 1 was wrong 2 3 Execute Retire 5 4 6 March 2019 Mark Silberstein, Technion 15

  16. Speculative execution 101 Instruction stream Completed instructions CPU 1 2 Execute Retire 3 4 5 6 6 Roll back architectural speculative state and continue execution March 2019 Mark Silberstein, Technion 16

  17. Prerequisites to speculative execution attack ● CPU speculates insecurely ● Speculative state cannot be rolled back: data leak ● Race condition: roll back vs. leaking logic – Attack succeeds only if T speculative <T slow access March 2019 Mark Silberstein, Technion 17

  18. Complete example (Rogue cache read – aka Meltdown) Instruction stream Access generates Transient exception instructions movb (kernel secret), %al 3 4 leak( %al) March 2019 Mark Silberstein, Technion 18

  19. Complete example (Rogue cache read – aka Meltdown) Instruction stream Slow: illegal access to an inaccessible address triggers exception that requires long time to resolve movb (secret),%al Execute Retire leak ( %al) March 2019 Mark Silberstein, Technion 19

  20. Complete example (Rogue cache read – aka Meltdown) Instruction stream movb (secret),%al Execute Retire leak(%al) (secret) is insecurely speculated: read from cache or DRAM ignoring page protection March 2019 Mark Silberstein, Technion 20

  21. Complete example (Rogue cache read – aka Meltdown) Instruction stream movb (secret),%al Execute Retire leak(%al) Need to be fast to finish before the exception is resolved March 2019 Mark Silberstein, Technion 21

  22. Complete example (Rogue cache read – aka Meltdown) Instruction stream Exception movb (secret),%al Execute Retire leak ( %al) Speculative state is cleaned except for the one leaked March 2019 Mark Silberstein, Technion 22

  23. Recipe: Speculative read attacks ● P rovoke insecure speculation ● W in the race ● N otify the attacker March 2019 Mark Silberstein, Technion 23

  24. Question 1: where does insecure speculation occur? ● Meltdown: exception due to access to a page with Supervisor bit March 2019 Mark Silberstein, Technion 24

  25. Question 1: where does insecure speculation occur? ● Meltdown: exception due to access to a page with Supervisor bit ● Spectre V1: mis-speculated branch March 2019 Mark Silberstein, Technion 25

  26. Question 1: where does insecure speculation occur? ● Meltdown: exception due to access to a page with Supervisor bit ● Spectre V1: mis-speculated branch ● Foreshadow/L1TF: exception due to access to a non-present page , or via an incorrect mapping March 2019 Mark Silberstein, Technion 26

  27. Question 1: where does insecure speculation occur? ● Meltdown: exception due to access to a page with Supervisor bit ● Spectre V1: mis-speculated branch ● Foreshadow/L1TF: exception due to access to a non-present page , or via an incorrect mapping The data is speculatively fetched from cache/memory violating protection guarantees (OS/program) March 2019 Mark Silberstein, Technion 27

  28. Question 2: How to avoid misspeculation rollback? ● Not all μarch state can be rolled back ● μarch state becomes architecturally visible! – Caches – Branch predictors – Performance counters – Contention on shared resources ● Simplest: cache covert channel (Metldown/Spectre) March 2019 Mark Silberstein, Technion 28

  29. Flush-Reload covert channel ● Flush the cache before the attack ● Sender/receiver: declare char leak_array[4K*256] ● Sender: void leak_byte(char secret) { leak_array[4K*secret]=1; } ● Receiver: probe the array to identify cached values – argmin (access_time(leak_array[4K*i])) March 2019 Mark Silberstein, Technion 29

  30. Question 3: How to win the leak-to-rollback race condition ● Access to leak_array must be fast (in TLB) ● Access to secrets must be fast (in cache) ● Try many times – suppress the exception bailout ● Unsuccessful attempts are zero-biased March 2019 Mark Silberstein, Technion 30

  31. Question 3: How to win the leak-to-rollback race condition ● Access to leak_array must be fast (in TLB) ● Access to secrets must be fast (in cache) ● Try many times – suppress the exception bailout ● Unsuccessful attempts are zero-biased Plus some secret sauce that nobody really Plus some secret sauce that nobody really understands why it works understands why it works March 2019 Mark Silberstein, Technion 31

  32. Agenda ● Background on SGX ● Foreshadow ● Collateral damage on SGX ● Foreshadow-NG /L1TF ● Discussion March 2019 Mark Silberstein, Technion 32

  33. Background: SGX ● Enclave: reversed sandbox ● Private code & data Application – Confidentiality Enclave Enclave – Integrity – Freshness ● Defends against privileged SW! Operating system ● HW acceleration ● Scales with CPU scaling March 2019 Mark Silberstein, Technion 33

  34. Background: SGX memory DRAM encrypted, cache in plain text System memory CPU secret_foo(): ... SGX *p = 1; memory Enclave CPU Plain text data Cache Enclave Page Cache (EPC) March 2019 Mark Silberstein, Technion 34

  35. Background: Address translation in enclaves Enclave System memory secret_foo(): ... *p = 1; EPC Hardware Address translation Page table OS March 2019 Mark Silberstein, Technion 35

  36. Background: SGX abort page semantics Process System memory foo(): ... printf(*p) ; EPC Hardware Address translation Page table OS March 2019 Mark Silberstein, Technion 36

  37. Background: SGX abort page semantics Process System memory foo(): ... printf(*p) ; EPC Hardware Address translation read 0xFF Page table OS March 2019 Mark Silberstein, Technion 37

  38. Process System memory foo(): ... printf(*p) ; EPC Hardware Address translation Page table Foreshadow uses speculative execution to leak secrets from OS SGX secure memory (EPC) March 2019 Mark Silberstein, Technion 38

  39. Agenda ● Foreshadow ● Collateral damage on SGX ● Foreshadow-NG /L1TF ● Discussion March 2019 Mark Silberstein, Technion 39

  40. Reminder: Speculative read attacks ● P rovoke insecure speculation ● W in the race ● N otify the attacker March 2019 Mark Silberstein, Technion 40

Recommend

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck ISSE Brussels, November 6, 2018 A primer on software security Secure

897 views • 58 slides
Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MI MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative

635 views • 49 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel

S POILER : Speculative Load Hazards Boost Rowhammer and Cache Attacks Saad Islam, Daniel el Mogh ghimi (@danielmgmi), Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar Worcest ster Polytechnic

999 views • 51 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MALEEN ABEYDEERA, SUVINAY SUBRAMANIAN, MARK JEFFREY, JOEL EMER, DANIEL SANCHEZ PACT 2017 Executive Summary Analyzes the interplay between hardware multithreading and speculative

370 views • 21 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
for Effective Speculative Parallelization in Hardware VICTOR A. YING MARK C. JEFFREY* DANIEL

for Effective Speculative Parallelization in Hardware VICTOR A. YING MARK C. JEFFREY* DANIEL

T4: Compiling Sequential Code for Effective Speculative Parallelization in Hardware VICTOR A. YING MARK C. JEFFREY* DANIEL SANCHEZ *University of Toronto starting Fall 2020 ISCA 2020 Parallelization: Gap between programmers and hardware

458 views • 27 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&amp;P), 2019 (Dustin)

726 views • 44 slides
Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck OWASP BeNeLux-Days, November 30, 2018 A primer on software security Secure program: convert all input

1.27k views • 77 slides
SAM: Optimizing Multithreaded Cores for Speculative Parallelism MA MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MA MALEEN ABEYDEERA, SUVINAY

SAM: Optimizing Multithreaded Cores for Speculative Parallelism MA MALEEN ABEYDEERA, SUVINAY SUBRAMANIAN, MARK JEFFREY, JOEL EMER, DANIEL SANCHEZ PA PACT 2017 Executive Summary Analyzes the interplay between hardware multithreading and

931 views • 53 slides
Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the

Risk 13: Impact of an increase in unplanned and speculative local developments to address the shortfall in the 5 year housing supply Joanne Eynon Environment and Transport What are the issues? Increased pressure from speculative

218 views • 8 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet architecture was designed to delivery packets to the destination efficiently. Even if the destination does not want them. Congestion control and

391 views • 28 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz

Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz

Quantifying the Speculative Component in the Real Price of Oil: A Review of Recent Results Lutz Kilian University of Michigan CEPR Expectations and Speculative Oil Demand A natural economic definition of a speculator in the physical

581 views • 21 slides
Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design

Shaping Signals Preparing for the Future through Speculative Design Phil Balagtas Design Director, GE Aviation Digital Solutions Founder, Speculative Futures San Francisco @neshacom1 contact.phil@gmail.com 99% Invisible - 10,000 years

765 views • 72 slides

More recommend