
MicroScope: Enabling Microarchitectural Replay Attacks



  1. MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher Presented by Mengjia Yan MIT 6.888 Fall 2020

  2. Why this paper? We have read a couple of attack papers, e.g., Spectre/Meltdown, Prime+Probe. Why read this paper? What is new here at a high level?

  3. Threat Model: Trusted Computing with SGX • OS/Hypervisor are untrusted • OS/Hypervisor cannot introspect/tamper enclave • Unfortunately, OS/Hypervisor still manages demand paging. Attack Surface With Enclaves, Attacker (OS) can: • Manage page tables • Evict TLB entries • Evict page walk cache entries • Monitor side channels [Figure: software stack of Apps, Operating System, Hypervisor and Hardware, with the attack surface marked]

  4. Recap: Address Translation [Figure: Virtual Address Space (Programmer's View) mapped through a per-process Page Table (VA → PA, 4KB pages) to the Physical Address Space (limited by DRAM size)] System software handles “page fault”

  5. Background: Page Fault • Page fault: access to a page that is • Unmapped • Invalid • Wrong access rights • Exception is generated → Run page fault handler • Page fault handler = Operating system (untrusted)

  6. Controlled Side Channels • OS can monitor an enclave's access pattern at page granularity • After enclave start, remove access from all process pages (mark page not present) • Access will cause a page fault • Upon receiving a fault, the handler: • Logs the requested page • Enables access to the page • Removes access to the previous page
     Victim code:
         if (secret == 1) access page A
         else access page B
     Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems; Xu et al. S&P’15

  7. Microscope Overview

  8. Motivation: Leakage over side channels
     Attacker:
         for ..
             t1 = time()
             use resource
             t2 = time()
     Victim:
         if ( secret ) use resource
         else don’t use resource
     • Need repeated measurements to be confident → Denoise • However, many applications run only once → Attacker gets 1 measurement • Can attackers really extract secrets?

  9. Overview: Microarchitectural Replay Attacks • Attacker leverages speculative execution • To repeatedly replay a snippet of victim code • That runs only once. Together: a primitive to denoise arbitrary side channels.
     Victim:
         ld addr    // “replay handle”: memory operation that will cause a squash and re-execute
         …
         ld secret  // secret the attacker tries to leak

  10. Contribution: Microarchitectural Replay Attacks [Timeline figure] ld addr: Issue Replay Handle → Long Latency Event

  11. Contribution: Microarchitectural Replay Attacks [Timeline figure] ld addr: Issue Replay Handle → Long Latency Event. ld secret: Speculative Execution of Secret

  12. Contribution: Microarchitectural Replay Attacks [Timeline figure] ld addr: Issue Replay Handle → Long Latency Event → Squash Event → Clear State. ld secret: Speculative Execution of Secret → Squash

  13. Contribution: Microarchitectural Replay Attacks [Timeline figure] ld addr: Issue Replay Handle → Long Latency Event → Squash Event → Clear State → Replay!! ld secret: Speculative Execution of Secret → Squash. Attacker: Cause Shared Resource Contention & Monitor

  14. Strengths • Opens large new attack surface (for noisy side channels) • Exploits vulnerabilities of correct speculation • Dynamic instructions can be replayed through controlled squashes • Different from Spectre/Meltdown, which exploit incorrect speculation • Demonstrates attacks on notoriously noisy side channels • Makes impractical attacks possible

  15. Weaknesses • Is it really practical? • Attacker side: • Malicious OS • Control TLB/page mapping • Victim side: • The replay handler and the transmitter need to be in the ROB simultaneously • The replay handler and the transmitter need to access different pages

  16. Page Tables Background. Virtual address: bits 47…39 (9 bits) | 38…30 (9 bits) | 29…21 (9 bits) | 20…12 (9 bits) | 11…0 (Page Offset) [Figure: page walk CR3 → pgd_t (PGD) → pud_t (PUD) → pmd_t (PMD) → pte_t (PTE) → TLB Entry, each level indexed by one 9-bit field] • Page tables stored in memory • On a TLB miss → “page walk” = memory accesses • Each step of page walk = cache hit/miss • Page walk cache (PWC): hardware cache of translations • If Present bit in pte_t is cleared → Page Fault, invoke OS

  17. Attack Examples
     Victim Code:
         // public address
         handle(pub_addr);
         ...
         transmit(secret);
         ...
     Loop Victim Code:
         for i in ...
             handle(pub_addrA);
             ...
             transmit(secret[i]);
             ...
             memOp(pub_addrB);
             ...

  18. Terminology. Replay handle: • Load to a public address (known to OS). Transmitter: • Any instruction(s) whose execution reveals secret through some side channel • Occurs < ROB length from Replay Handle
     Victim Code:
         // public address
         handle(pub_addr);
         ...
         transmit(secret);
         ...

  19. Timeline of a MicroScope Attack - Setup [Timeline figure: Attack Setup phase, time axis, Attacker and Victim lanes]

  20. Timeline of a MicroScope Attack - Setup. Attacker: Clear PTE Present Bit of Replay Handle

  21. Timeline of a MicroScope Attack - Setup. Attacker: Clear PTE Present Bit of Replay Handle → Flush Replay Handle Page Table Entries

  22. Timeline of a MicroScope Attack - Setup. Attacker: Clear PTE Present Bit of Replay Handle → Flush Replay Handle Page Table Entries → Flush Replay Handle TLB Entry

  23. Timeline of a MicroScope Attack (after Attack Setup). Victim, handle(pub_addr): Issue Replay Handle

  24. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss

  25. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss. Victim, transmit(secret): Speculative Execution of Transmitter

  26. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss. Victim, transmit(secret): Speculative Execution of Transmitter

  27. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk. Victim, transmit(secret): Speculative Execution of Transmitter

  28. Timeline of a MicroScope Attack. Tune speculative execution duration with: Cache Hit or Miss. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk. Victim, transmit(secret): Speculative Execution of Transmitter

  29. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault. Victim, transmit(secret): Speculative Execution of Transmitter

  30. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault. Victim, transmit(secret): Speculative Execution of Transmitter → Squash

  31. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash

  32. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash. Attacker: Page Fault Handler

  33. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash. Attacker: Page Fault Handler → Flush Replay Handle Page Table Entries

  34. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash → Replay!!

  35. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash

  36. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash

  37. Timeline of a MicroScope Attack. Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation. Victim, transmit(secret): Speculative Execution of Transmitter → Squash → Replay!! Attacker Monitor/Contention thread: Cause Shared Resource Contention & Monitor
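
Added example (not part of the slides or the MicroScope paper): the slide 16 address layout as C, splitting a 48-bit virtual address into its PGD/PUD/PMD/PTE indices and page offset, plus a check of the slide 15 condition that the handle and the transmitter touch different 4KB pages. The function names and sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 48-bit virtual address with 4KB pages (slide 16 layout). */
struct va_fields {
    unsigned pgd;    /* bits 47..39 */
    unsigned pud;    /* bits 38..30 */
    unsigned pmd;    /* bits 29..21 */
    unsigned pte;    /* bits 20..12 */
    unsigned offset; /* bits 11..0  */
};

struct va_fields split_va(uint64_t va)
{
    struct va_fields f;
    f.pgd    = (unsigned)((va >> 39) & 0x1ff);
    f.pud    = (unsigned)((va >> 30) & 0x1ff);
    f.pmd    = (unsigned)((va >> 21) & 0x1ff);
    f.pte    = (unsigned)((va >> 12) & 0x1ff);
    f.offset = (unsigned)(va & 0xfff);
    return f;
}

/* Number of page-walk levels (0..4) at which two addresses use the same
 * entry: 1 = same pgd_t entry, ..., 4 = same pte_t, i.e. the same page. */
int shared_walk_levels(uint64_t a, uint64_t b)
{
    static const int shift[4] = { 39, 30, 21, 12 };
    const uint64_t mask48 = (1ULL << 48) - 1;
    int level = 0;
    a &= mask48;
    b &= mask48;
    while (level < 4 && (a >> shift[level]) == (b >> shift[level]))
        level++;
    return level;
}

/* Slide 15 condition: handle and transmitter must access different pages. */
int on_different_pages(uint64_t handle_va, uint64_t transmit_va)
{
    return shared_walk_levels(handle_va, transmit_va) < 4;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the slides. */
    const uint64_t handle = 0x00007f3a12345678ULL;
    const uint64_t next   = 0x00007f3a12346010ULL;
    struct va_fields f = split_va(handle);
    printf("pgd=%u pud=%u pmd=%u pte=%u off=0x%x\n",
           f.pgd, f.pud, f.pmd, f.pte, f.offset);
    printf("shared levels=%d different pages=%d\n",
           shared_walk_levels(handle, next), on_different_pages(handle, next));
    return 0;
}
```

Two addresses that share all four levels sit on one page, so a single cleared Present bit faults both accesses together; addresses that share three levels sit on different pages but are still reached through the same pgd_t, pud_t and pmd_t entries.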
