microarchitectural cryptanalysis
play

Microarchitectural Cryptanalysis Daniel Moghimi Worcester - PowerPoint PPT Presentation

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.


  1. MemJam – Attacking So-Called Constant Time AES • Scatter-gather implementation of AES • Intel SGX Software Development Kit (SDK) and IPP Cryptography Library • 256 S-Box – 4 Cache Line • Cache independent access pattern 64 Bytes A LINE 2 4 Cache Lines B LINE 2 C LINE 2 D LINE 2 A B D C B S-Box Lookup 35

  2. MemJam – Attacking So-Called Constant Time AES 64 Bytes LINE 2 4 Cache Lines 36

  3. AES Key Recovery 37

  4. US 7,603,527 B2 RESOLVING FALSE DEPENDENCIES OF SPECULATIVE LOAD INSTRUCTIONS “an operation X may determine whether the lower portion of the virtual address of a speculative load instruction matches the lower portion of virtual addresses of older store operations” Loosnet Check …. “in an embodiment, the load instruction may have its input data forwarded from the store operation from which the load instruction depends at operation” Store Forwarding SPOILER Attack “If there is a hit at operation X and a miss at operation Y , … the physical addresses of the load and the store may be compared at an operation Z” “In one embodiment, if there is a hit at operation X and the physical Dependency Resolution address of the load or the store operations is not valid, the physical address check at operation Z may be considered as a hit” “In some embodiments, the physical address check at operation Z may use a partial physical address , e.g., base on data stored in the SAB. This makes the checking at operation Z conservative. Accordingly, in some embodiments, a match may occur on a partial address and block …” Finenet Check 38

  5. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer DATA PFN [8:0] VFN Offset DTLB DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset Load Buffer DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset … …. … … Offset DATA PFN [8:0] VFN Offset DATA PFN VFN 39

  6. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer 0 x 4 0 0 F E 1 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 2 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 0 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 40

  7. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 2 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 3 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 1 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 41

  8. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 3 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 4 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 2 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 42

  9. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 4 0 C 0 DATA PFN [8:0] VFN 0C0 Physical Addresses 0 x 4 0 0 F E 5 0 C 0 DTLB DATA PFN [8:0] VFN 0C0 … … 0 x 6 5 F 3 2 X X 0 C 0 … …. … … 0 x 4 0 1 0 2 3 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer 0 x 3 2 A C 2 X X 0 C 0 DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 43

  10. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer DATA PFN [8:0] VFN 0C0 DTLB DATA PFN [8:0] VFN 0C0 … …. … … DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 44

  11. Spoiler: Finding Undocumented Aliasing … Virtual Pages 45

  12. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) MemJam L1 Cache Attacks L2/L3 Cache Attacks 46

  13. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks PFN MemJam 47 L2/L3 Cache Attacks

  14. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN MemJam 48 L2/L3 Cache Attacks

  15. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN Spoiler MemJam 49 L2/L3 Cache Attacks

  16. 2. Data Leakage via Automated Synthesis 50

  17. Transient Execution Attacks • Date leakage as oppose to access pattern leakage • Spectre • Due to the CPU’s branch Predictor. • Meltdown • Due the speculative behavior of the CPU’s memory subsystem • Data leakage wo/ any assumption about the victim software 51

  18. Meltdown 52

  19. Meltdown Attack Steps Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 53

  20. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever APP APP OS Hypervisor 54

  21. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever • Threat Model: Local adversary • Exploiting other threads (simultaneous multithreading) APP APP OS SMT Hypervisor • Exploiting previous process context Context Context Context Victim Attacker Victim Attacker Switch Switch Switch Process Process Process Process 55

  22. CPU Memory Subsystem – Leaky Buffers Memory Subsystem MSBDS Store Buffer DATA PFN [8:0] VFN Offset (Fallout) DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer MLPDS Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … VFN Offset DATA PFN MFBDS (ZombieLoad) L2 L3 DRAM L1TF 56

  23. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever • Threat Model: Local adversary • Exploiting other threads (simultaneous multithreading) APP APP SMT OS • Exploiting previous process context Hypervisor Context Context Context Victim Attacker Victim Attacker Switch Switch Switch Process Process Process Process • Which part of the CPU leak the data?! • Store Buffer (Fallout) • Line Fill Buffer (ZombieLoad) 57

  24. Challenges with MDS Testing? • Reproducing attacks is not reliable. • No public tool to find new variants or to verify hardware patches. • Impossible to quantify the impact of leakage. Y Y Y Y Memory TL Perm Presen Canonical Accessed Access B . t Set A PMH Y #GP #PF Bit Y Y Y Y TSX False Cache Aligned Cached Failure Store Dep. Aligned Vector Split #RTM Hazard Cache Miss #GP Virtual Address Recovery Handler Cache VFN Offset PTE R Physical Page Number P US … A … … W 58

  25. Transynther (Fuzzing-based Random MDS Testing) Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 59

  26. Transynther (Fuzzing-based Random MDS Testing) TLB Canonical Cache Aligned Cached Aligned Vector Perm. Step 1: False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 60

  27. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 61

  28. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 62

  29. Transynther (Fuzzing-based MDS Testing) 63

  30. Transynther (Fuzzing-based MDS Testing) 64

  31. Transynther (Fuzzing-based MDS Testing) 65

  32. 66

  33. Medusa Attack • Medusa only leaks the write combining data. • Implicit WC, i.e., ‘rep mov’, ‘rep sto ’, can be leaked. • Memory Copy Routines • File IO • Served by a Write Combining Buffer (or just the Fill Buffer). • Three variants • Based on different ways of massaging the microarchitecture 67

  34. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDmTvQjjtGtnIqMwmmaLW+YjbYTsNR8PGKXr78iYwrMV5Ye4VGy BwS6qLD4s/EzCzGIDwkWCVx+gVHvh2wGW15Ddof0gVAtAMkR6gRABy4TkK+6YFSK AyjmHvKCfFHvc9loeFGDyjmwFFkfdwzppXnH1Wwt0OlnyCU1GbQ1w7AHuwIDAQAB AoGBAMyDri7pQ29NBIfMmGQuFtw8c0R3EamlIdQbX7qUguFEoe2YHqjdrKho5oZj nDu8o+Zzm5jzBSzdf7oZ4qaeekv0fO+ZSz6CKYLbuzG2IXUB8nHJ7NuH3lacfivD V4Cfg0yFnTK+MDG/xTVqywrCTsslkTCYC/XZOXU5Xt5z32FZAkEA/nLWQhMC4YPM 0LqMtgKzfgQdJ7vbr43WVVNpC/dN/ibUASI/3YwY0uUtqSjilIghIY7pRohrPJ6W ntSJw0UAhQJBAOe2b9cfiOTFKXxyU4j315VkulFfTyL6GwXi/7mvpcDCixDLNRyk uRigmdKjtIUrAX0pwjgXa6niqJ691jExez8CQQCcMZZAvTbZhHSn9LwHxqS0SIY1 K+ZxX5ogirFDPS5NQzyE7adSsntSioh6/LQKBX6BAR9FwtxBPACtwz5F9geZAkA8 a3z0SlvG04aC1cjkgUPsx6wxxbl79F2RhmSKRbvh7JiYk3RQ+L7vJgmWPGu5AcLM oVPsjmbbkKfJZNTyVOW/AkABepEi++ZQQW0FXJWZ3nM+2CNcXYCtTgi4bGkvnZPp /1pAy9rjeVJYhb8acTRnt+dU+uZ74CTtfuzUTZLOIuVe -----END RSA PRIVATE KEY----- 68

  35. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDmTvQjjtGtnIqMwmmaLW+YjbYTsNR8PGKXr78iYwrMV5Ye4VGy BwS6qLD4s/EzCzGIDwkWCVx+gVHvh2wGW15Ddof0gVAtAMkR6gRABy4TkK+6YFSK AyjmHvKCfFHvc9loeFGDyjmwFFkfdwzppXnH1Wwt0OlnyCU1GbQ1w7AHuwIDAQAB AoGBAMyDri7pQ29NBIfMmGQuFtw8c0R3EamlIdQbX7qUguFEoe2YHqjdrKho5oZj nDu8o+Zzm5jzBSzdf7oZ4qaeekv0fO+ZSz6CKYLbuzG2IXUB8nHJ7NuH3lacfivD V4Cfg0yFnTK+MDG/xTVqywrCTsslkTCYC/XZOXU5Xt5z32FZAkEA/nLWQhMC4YPM 0LqMtgKzfgQdJ7vbr43WVVNpC/dN/ibUASI/3YwY0uUtqSjilIghIY7pRohrPJ6W ntSJw0UAhQJBAOe2b9cfiOTFKXxyU4j315VkulFfTyL6GwXi/7mvpcDCixDLNRyk uRigmdKjtIUrAX0pwjgXa6niqJ691jExez8CQQCcMZZAvTbZhHSn9LwHxqS0SIY1 K+ZxX5ogirFDPS5NQzyE7adSsntSioh6/LQKBX6BAR9FwtxBPACtwz5F9geZAkA8 a3z0SlvG04aC1cjkgUPsx6wxxbl79F2RhmSKRbvh7JiYk3RQ+L7vJgmWPGu5AcLM oVPsjmbbkKfJZNTyVOW/AkABepEi++ZQQW0FXJWZ3nM+2CNcXYCtTgi4bGkvnZPp /1pAy9rjeVJYhb8acTRnt+dU+uZ74CTtfuzUTZLOIuVe -----END RSA PRIVATE KEY----- 69

  36. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: N (Modulus) d (Private Key) P Q d mod (p-1) d mod (q-1) Q^(-1) mod p 70

  37. OpenSSL RSA Key Recovery - Coppersmith • Knowledge of at least Τ 1 3 of P+Q • Create a 𝑜 dimensional hidden number problem where 𝑜 is relative to the number of recovered chunks • Feed it to the lattice-based algorithm to find the short vector P Q 71

  38. OpenSSL RSA Key Recovery – Coppersmith Attack • Knowledge of at least Τ 1 3 of P+Q. • Creating a 𝑜 dimensional hidden number problem where 𝑜 is relative to the number of recovered chunks. • Feeding it to the lattice-based algorithm to find the short vector. P Q Coppersmith P 72

  39. Store Buffer Leakage on Ice Lake • MSBDS (Fallout) on Ice Lake • November 2019: Intel sent us an Ice Lake Machine • March 2019: Tested Transyther on the Ice Lake CPU • Mar 27, 2020: Reported MSBDS Leakage on Ice Lake • May 5, 2020: Intel Completed triage • MDS mitigations are not deployed properly • Chicken bits were not enabled for all mitigations. • OEMs shipped with old/wrong microcode. • Embargoed till July • July 13, 2020: MDS advisory and list of affected CPUs were updated. 73

  40. 74

  41. 3. Hardware- based Trusted Computing 75

  42. What are other threat models? • We can not trust: • cloud providers. • software developers. • OEMs and computer manufacturers. Multiuser, multitask, several security domains • Trusted Computing • Others can compute on the data without giving them the data. • Example Applications: • Privacy-Preserving machine learning • Digital right management (DRM) • Anonymous blockchain transactions 76

  43. Trusted Execution Environment (TEE) – Intel SGX • Intel Software Guard eXtensions (SGX) App App App App App App OS OS Trusted Hypervisor Hypervisor Hardware Hardware Traditional Security Model 77

  44. System-level Threat to Trusted Execution Environments (T2) • Intel Software Guard eXtensions (SGX) • Enclave: A hardware protected user- level software module • Mapped by the operating system • Loaded by the user program App App App App • Authenticated and encrypted by CPU OS • It must protect secrets against blocked system-level adversary Hypervisor blocked Hardware Hardware New Attacker Model: Attacker gets full control over the OS 78

  45. CacheZoom and CacheQuote 79

  46. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning Foreshadow [1] Plundervolt [2] ZombieLoad [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. 80

  47. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning • µarch Side Channel Foreshadow [1] µarch Side • Constant-time Coding Channel Plundervolt [2] • Flushing and Isolating buffers ZombieLoad Cache [3][4][5] • Probabilistic Branch Predictors [6][7] Interrupt Latency [8] [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018. 81 [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017.

  48. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning • µarch Side Channel Foreshadow [1] Deterministic µarch Side • Constant-time Coding Channel – Ctrl Channel Plundervolt [2] • Flushing and Isolating buffers ZombieLoad Cache [3][4][5] Page Fault [9] • Probabilistic Branch Predictors A/D Bit [10] [6][7] • Deterministic Attacks Interrupt Latency [8] • Page Fault, A/D Bit, etc. (4kB Granularity) [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018. 82 [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [9] Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems." IEEE S&P 2015. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017. [10] Wang, Wenhao, et al. "Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX." ACM CCS 2017.

  49. Can deterministic attacks do better? 83

  50. CopyCat Attack • Malicious OS controls the interrupt handler NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP Enclave Time Execution Thread Starts 84

  51. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 85

  52. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 86

  53. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 87

  54. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 88

  55. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions I got 15 IRQs. How many zeros? 89

  56. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after I got 15 IRQs. How many Code Page Virtual Address zeros? 0x000401 Page PMH Walk DTLB Physical Page R U P … A … … W S Number Physical Page R U A P … … … W S Number Physical Page R U P … A … … W S Number The A Bit is only set when an instruction is retired 90

  57. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting 91

  58. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Target Code Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 92

  59. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Stack Target 4 Steps Page Code Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 93

  60. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Stack Target Data 4 Steps 3 Steps Page Code Page Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 94

  61. CopyCat Attack • Previous controlled-channel attacks leak page access patterns. • CopyCat additionally leaks number of executed instructions per each page. Page A Page A Page D Page D 4 4 Page B Page B 6 Additional Data Page C Page C 8 CopyCat Traditional Attack Page-table Attacks 95

  62. CopyCat – Leaking Branches Stack S if(c == 0) { test %eax, %eax Code P1 r = add(r, d); je label Code P2 } mov %edx, %esi Compile Stack S else { label: Code P1 r = add(r, s); call add Code P2 } mov %eax, -0xc(%rbp) C Code 96

  63. Binary Extended Euclidean Algorithm (BEEA) • Previous attacks only leak some of the branches w/ some noise. 97

  64. Binary Extended Euclidean Algorithm (BEEA) • Previous attacks only leak some of the branches w/ some noise. • CopyCat synchronously leaks all the branches wo/ any noise. 98

  65. CopyCat on WolfSSL - Cryptanalysis • Single-trace attack during RSA key generation: 𝑟 𝑗𝑜𝑤 = 𝑟 −1 𝑛𝑝𝑒 𝑞 • We know that p. q = N , and N is public 99

  66. CopyCat on WolfSSL - Cryptanalysis • Single-trace attack during RSA key generation: 𝑟 𝑗𝑜𝑤 = 𝑟 −1 𝑛𝑝𝑒 𝑞 • We know that p. q = N , and N is public • Branch and prune algorithm with the help of the recovered trace p = . . . X q = . . . X p = . . . 0 p = . . . 0 p = . . . 1 p = . . . 1 q = . . . 0 q = . . . 1 q = . . . 0 q = . . . 1 100

Recommend


More recommend