
Leaky Processors and the RISE of Hardware-Based Trusted Computing

Jo Van Bulck, imec-DistriNet, KU Leuven, jo.vanbulck@cs.kuleuven.be, jovanbulck. 1st RISE Annual Conference, November 14, 2018.


  1. Leaky Processors and the RISE of Hardware-Based Trusted Computing. Jo Van Bulck, imec-DistriNet, KU Leuven, jo.vanbulck@cs.kuleuven.be, jovanbulck. 1st RISE Annual Conference, November 14, 2018

  2. A primer on software security. Secure program: convert all input to expected output [Diagram: INPUT → OUTPUT]

  3. A primer on software security. Buffer overflow vulnerabilities: trigger unexpected behavior

  4. A primer on software security. Safe languages & formal verification: preserve expected behavior

  5. A primer on software security. Side-channels: observe side-effects of the computation

  6. A primer on software security. Constant-time code: eliminate secret-dependent side-effects

  7. A primer on software security. Transient execution: HW optimizations do not respect SW abstractions (!)

  8. Evolution of “side-channel attack” occurrences in Google Scholar [Plot: occurrences per year, 1990 to 2018, with xkcd caption: “Do we just suck at... computers?” “Yup. Especially shared ones.”] Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

  10. The bigger picture: The RISE of hardware-based trusted computing [Plot: "trusted computing" evolution and "side-channel attack" evolution, occurrences per year, 1990 to 2018] Based on github.com/Pold87/academic-keyword-occurrence

  11. The bigger picture: The RISE of hardware-based trusted computing [Same plot, annotated with: TPM, Flicker, ARM TrustZone, Sancus, TrustLite, CHERI, Intel SGX] Based on github.com/Pold87/academic-keyword-occurrence

  13. Enclaved execution attack surface: TCB reduction. https://informationisbeautiful.net/visualizations/million-lines-of-code/

  14. Enclaved execution attack surface: TCB reduction [Diagram: App, App, Enclave app, OS kernel, Hypervisor, TPM, CPU, Mem, HDD] Intel SGX promise: hardware-level isolation and attestation

  15. Enclaved execution attack surface: Privileged side-channel attacks [Same stack diagram] Untrusted OS → new class of powerful side-channels

  16. Enclaved execution attack surface: Privileged side-channel attacks [Same stack diagram] Untrusted OS → new class of powerful side-channels. Xu et al. “Controlled-channel attacks: Deterministic side-channels for untrusted operating systems”, IEEE S&P 2015 [XCP15]

  17. Enclaved execution attack surface: Privileged side-channel attacks [Same stack diagram, with plot: IRQ latency per instruction (interrupt number)] Untrusted OS → new class of powerful side-channels. Van Bulck et al. “Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic”, CCS 2018 [VBPS18]

  18. Enclaved execution attack surface: Transient execution attacks [Same stack diagram] Trusted CPU → exploit microarchitectural bugs/design flaws. Van Bulck et al. “Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution”, USENIX 2018 [VBMW+18]

  19. Out-of-order and speculative execution. Key discrepancy: Programmers write sequential instructions

  20. Out-of-order and speculative execution. Key discrepancy: Programmers write sequential instructions; modern CPUs are inherently parallel ⇒ Speculatively execute instructions ahead of time

  21. Out-of-order and speculative execution. Key discrepancy: Programmers write sequential instructions; modern CPUs are inherently parallel ⇒ Speculatively execute instructions ahead of time. Best-effort: What if triangle fails? → Commit in-order, roll-back square ... But side-channels may leave traces (!) [Diagram labels: Overflow, Roll-back, exception]

  22. Transient execution attacks: Welcome to the world of fun! CPU executes ahead of time in transient world. Success → commit results to normal world. Fail → discard results, compute again in normal world.

  23. Transient execution attacks: Welcome to the world of fun! CPU executes ahead of time in transient world. Success → commit results to normal world. Fail → discard results, compute again in normal world. Transient world (microarchitecture) may temporarily bypass architectural software intentions: control flow prediction; delayed exception handling

  24. Transient execution attacks: Welcome to the world of fun! Key finding of 2018 ⇒ Transmit secrets from transient to normal world. Transient world (microarchitecture) may temporarily bypass architectural software intentions: control flow prediction; delayed exception handling

  25. Transient execution attacks: Welcome to the world of fun! Key finding of 2018 ⇒ Transmit secrets from transient to normal world. Transient world (microarchitecture) may temporarily bypass architectural software intentions: speculative buffer overflow/ROP; CPU access control bypass

  26. Meltdown: Transiently encoding unauthorized memory [Diagram labels: Unauthorized access]

  27. Meltdown: Transiently encoding unauthorized memory [Diagram labels: Unauthorized access; Transient out-of-order window; oracle array; secret idx]

  28. Meltdown: Transiently encoding unauthorized memory [Diagram labels: Unauthorized access; Transient out-of-order window; Exception (discard architectural state)]

  29. Meltdown: Transiently encoding unauthorized memory [Diagram labels: Unauthorized access; Transient out-of-order window; Exception handler; oracle array; cache hit]

  30. Mitigating Meltdown: Unmap kernel addresses from user space. OS software fix for faulty hardware (↔ future CPUs)

  31. Mitigating Meltdown: Unmap kernel addresses from user space. OS software fix for faulty hardware (↔ future CPUs). Unmap kernel from user virtual address space → Unauthorized physical addresses out-of-reach (~cookie jar) [Diagram labels: user, unmapped, context switch, switch address space, kernel, SMAP+SMEP] Gruss et al. “KASLR is dead: Long live KASLR”, ESSoS 2017 [GLS+17]

  32. Rumors: Meltdown immunity for SGX enclaves? “[enclaves] remain protected and completely secure” (International Business Times, February 2018). “[enclave memory accesses] redirected to an abort page, which has no value” (Anjuna Security, Inc., March 2018)

  33. Rumors: Meltdown immunity for SGX enclaves? https://wired.com and https://arstechnica.com

  34. Building Foreshadow

  35. Building Foreshadow. L1 terminal fault challenges: Foreshadow can read unmapped physical addresses from the cache (!)

  36. Challenge: Reading unmapped secrets with Foreshadow. Untrusted world view: enclaved memory reads 0xFF. Intra-enclave view: access enclaved + unprotected memory

  37. Challenge: Reading unmapped secrets with Foreshadow. Untrusted world view: enclaved memory reads 0xFF. Intra-enclave view: access enclaved + unprotected memory; SGXpectre in-enclave code abuse

  38. Challenge: Reading unmapped secrets with Foreshadow. Untrusted world view: enclaved memory reads 0xFF; Meltdown “bounces back” (~ mirror). Intra-enclave view: access enclaved + unprotected memory; SGXpectre in-enclave code abuse

  39. Building Foreshadow: Evade SGX abort page semantics. Note: SGX MMU sanitizes untrusted address translation [Diagram label: SGX?] Abort page semantics: “An attempt to read from a non-existent or disallowed resource returns all ones for data (abort page). An attempt to write to a non-existent or disallowed physical resource is dropped. This behavior is unrelated to exception type abort (the others being Fault and Trap).” https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-development-basics

  40. Building Foreshadow: Evade SGX abort page semantics. Straw man: (Transient) accesses in non-enclave mode are dropped [Diagram label: SGX?] Abort page semantics: “An attempt to read from a non-existent or disallowed resource returns all ones for data (abort page). An attempt to write to a non-existent or disallowed physical resource is dropped. This behavior is unrelated to exception type abort (the others being Fault and Trap).” https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-development-basics
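
A defender-side check for the two issues the deck covers, Meltdown (slides 26 to 31) and Foreshadow / L1 terminal fault (slides 35 to 40), added here as an example and not taken from the presentation: it classifies the status lines Linux reports under /sys/devices/system/cpu/vulnerabilities, where "PTI" is the kernel's name for the unmapping on slide 31. The sample lines are constructed, and the verdict names (`mitigated`, `partially_mitigated`, `unreported`, ...) are this example's own labels.

```python
"""Classify Linux's Meltdown and L1TF (Foreshadow) status lines from sysfs."""
from pathlib import Path

# The kernel exposes one status file per CPU vulnerability in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Foreshadow is reported under its Intel name, L1 terminal fault ("l1tf").
ENTRIES = ("meltdown", "l1tf")


def classify(status: str) -> dict:
    """Turn one sysfs status line into a verdict plus its detail fields."""
    status = status.strip()
    if status == "Not affected":
        return {"verdict": "not_affected", "details": []}
    if status.startswith("Mitigation:"):
        # Detail fields are ';'-separated, e.g. "PTE Inversion; VMX: ...".
        body = status[len("Mitigation:"):]
        details = [p.strip() for p in body.split(";") if p.strip()]
        # A mitigation can be partial: the L1TF line says "SMT vulnerable"
        # while sibling hyperthreads still share the L1 data cache.
        partial = any("vulnerable" in d.lower() for d in details)
        verdict = "partially_mitigated" if partial else "mitigated"
        return {"verdict": verdict, "details": details}
    if status.startswith("Vulnerable"):
        return {"verdict": "vulnerable", "details": [status]}
    return {"verdict": "unknown", "details": [status]}


def report(base: Path = SYSFS_DIR) -> dict:
    """Classify each entry of interest; a missing file is 'unreported'."""
    result = {}
    for name in ENTRIES:
        path = base / name
        if path.is_file():
            result[name] = classify(path.read_text())
        else:
            result[name] = {"verdict": "unreported", "details": []}
    return result


# Constructed sample lines in the kernel's format (not captured output).
SAMPLES = {
    "meltdown": "Mitigation: PTI",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, verdict["verdict"], verdict["details"])
```

On an SGX host the `l1tf` line only covers the OS and hypervisor side; whether enclaves are protected also depends on the CPU microcode level, which this file does not report.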
