MicroScope: Enabling Microarchitectural Replay Attacks
Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher
Presented by Mengjia Yan
MIT 6.888 Fall 2020
Why this paper? We have read a couple of attack papers, e.g., Spectre/Meltdown, Prime+Probe. Why read this paper? What is new here at a high level?
Threat Model: Trusted Computing with SGX
• OS/Hypervisor are untrusted
• OS/Hypervisor cannot introspect/tamper enclave
• Unfortunately, OS/Hypervisor still manages demand paging
Attack Surface With Enclaves
Attacker (OS) can:
• Manage page tables
• Evict TLB entries
• Evict page walk cache entries
• Monitor side channels
[Figure: system stack (App, App, App / Operating System / Hypervisor / Hardware), labelled "Attack Surface"]
Recap: Address Translation
[Figure: Virtual Address Space (programmer's view) mapped in 4KB pages, through a per-process page table (VA → PA), onto the Physical Address Space (limited by DRAM size)]
• System software handles "page fault"
Background: Page Fault
• Page fault: access to a page that is
  • Unmapped
  • Invalid
  • Wrong access rights
• Exception is generated → Run page fault handler
• Page fault handler = Operating system (untrusted)
Controlled Side Channels
• OS can monitor the enclave's access pattern at the granularity of a page
• After enclave start, remove access from all process pages (mark page not present)
• Access will cause a page fault
• Upon receiving a fault, the handler:
  • Logs the requested page
  • Enables access to the page
  • Removes access to the previous page
Victim example:
    if (secret == 1)
        access page A
    else
        access page B
Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems; Xu et al. S&P'15
MicroScope Overview
Motivation: Leakage over side channels
Victim:
    if (secret)
        use resource
    else
        don't use resource
Attacker:
    for ..
        t1 = time()
        use resource
        t2 = time()
• Need repeated measurements to be confident → Denoise
• However, many applications run only once → Attacker gets 1 measurement
• Can attackers really extract secrets?
Overview: Microarchitectural Replay Attacks
• Attacker leverages speculative execution
• To repeatedly replay a snippet of victim code
• That runs only once
→ Primitive to denoise arbitrary side channels
Victim:
    ld addr    // "replay handle": memory operation that will cause a squash and re-execute
    …
    ld secret  // secret the attacker tries to leak
Contribution: Microarchitectural Replay Attacks
[Figure: timeline, in time order]
• ld addr: Issue Replay Handle → Long Latency Event → Squash Event → Clear State
• ld secret: Speculative Execution of Secret → Squash
• Replay!!
• Cause Shared Resource Contention & Monitor
Strengths
• Opens large new attack surface (for noisy side channels)
• Exploits vulnerabilities of correct speculation
  • Dynamic instructions can be replayed through controlled squashes
  • Different from Spectre/Meltdown that exploits incorrect speculation
• Demonstrate attacks on notoriously noisy side channels
  • Make impractical attacks possible
Weaknesses
• Is it really practical?
• Attacker side:
  • Malicious OS
  • Control TLB/page mapping
• Victim side:
  • The replay handle and the transmitter need to be in the ROB simultaneously
  • The replay handle and the transmitter need to access different pages
Page Tables Background
Virtual address fields:
• Bits 47…39 (9 bits): index into PGD (pgd_t), located from CR3
• Bits 38…30 (9 bits): index into PUD (pud_t)
• Bits 29…21 (9 bits): index into PMD (pmd_t)
• Bits 20…12 (9 bits): index into PTE (pte_t), which provides the TLB entry
• Bits 11…0: page offset
• Page tables stored in memory
• On a TLB miss → "page walk" = memory accesses
• Each step of page walk = cache hit/miss
• Page walk cache (PWC): hardware cache of translations
• If Present bit in pte_t is cleared → Page Fault, invoke OS
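The walk described on this slide, as an added toy model in Python (not code from the slides or the paper). The page tables are a constructed dict keyed by table base address; `demo_tables`, the base addresses and the sample virtual address are assumptions made for the example.

```python
# Added illustration: toy 4-level x86-64 page walk (not kernel or hardware code).
PRESENT = 0x1  # bit 0 of every entry is the Present bit
LEVELS = (("pgd", 39), ("pud", 30), ("pmd", 21), ("pte", 12))


class PageFault(Exception):
    """The walk met an entry whose Present bit is clear; the OS is invoked."""

    def __init__(self, level, accesses):
        super().__init__(f"not present at {level} after {accesses} accesses")
        self.level, self.accesses = level, accesses


def split_va(va):
    """Return the four 9-bit table indices and the 12-bit page offset."""
    fields = {name: (va >> shift) & 0x1FF for name, shift in LEVELS}
    fields["offset"] = va & 0xFFF
    return fields


def walk(mem, cr3, va):
    """Translate va. mem maps table base -> {index: entry}. Returns (pa, accesses)."""
    idx, base, accesses = split_va(va), cr3, 0
    for name, _ in LEVELS:
        entry = mem.get(base, {}).get(idx[name], 0)
        accesses += 1  # each step of the walk is one memory access
        if not entry & PRESENT:
            raise PageFault(name, accesses)
        base = entry & ~0xFFF  # base of the next table, or the final frame
    return base | idx["offset"], accesses


def demo_tables(va, frame, cr3=0x1000):
    """Constructed tables mapping one page: cr3 -> 0x2000 -> 0x3000 -> 0x4000 -> frame."""
    idx, bases = split_va(va), [cr3, 0x2000, 0x3000, 0x4000, frame]
    return {bases[i]: {idx[name]: bases[i + 1] | PRESENT}
            for i, (name, _) in enumerate(LEVELS)}


if __name__ == "__main__":
    va = 0x7F1234567ABC  # constructed sample address
    mem = demo_tables(va, frame=0xABCDE000)
    print(split_va(va), walk(mem, 0x1000, va))
    mem[0x4000][split_va(va)["pte"]] &= ~PRESENT  # Present bit cleared
    try:
        walk(mem, 0x1000, va)
    except PageFault as fault:
        print(fault)  # the fault is only discovered at the last level
```

With the Present bit cleared only in the last-level entry, the model still performs all four accesses before it faults.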
Attack Examples
Victim Code:
    //public address
    handle(pub_addr);
    ...
    transmit(secret);
    ...
Loop Victim Code:
    for i in ...
        handle(pub_addrA);
        ...
        transmit(secret[i]);
        ...
        memOp(pub_addrB);
        ...
Terminology
Victim Code:
    //public address
    handle(pub_addr);
    ...
    transmit(secret);
    ...
Replay handle:
• Load to a public address (known to OS)
Transmitter:
• Any instruction(s) whose execution reveals secret through some side channel
• Occurs < ROB length from Replay Handle
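The conditions from the Terminology and Weaknesses slides, written as an added check over a constructed instruction trace (not code from the slides or the paper). The `Instr` fields, the trace and the ROB sizes are assumptions for illustration, and an instruction with no memory access is treated as touching no page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Instr:
    text: str
    page: Optional[int] = None   # page touched; None = no memory access (assumption)
    public_mem: bool = False     # memory operation on an address known to the OS
    leaks_secret: bool = False   # execution reveals a secret through a side channel


def replayable_pairs(trace, rob_size):
    """Return (handle_index, transmitter_index) pairs meeting the slides' conditions."""
    pairs = []
    for h, handle in enumerate(trace):
        if not handle.public_mem:
            continue  # only a public-address memory operation can be a replay handle
        # The transmitter must be younger and fewer than rob_size instructions away.
        for t in range(h + 1, min(h + rob_size, len(trace))):
            tx = trace[t]
            if tx.leaks_secret and tx.page != handle.page:  # different pages
                pairs.append((h, t))
    return pairs


# Constructed trace modelled on the loop example: handle, transmit, memOp.
TRACE = [
    Instr("handle(pub_addrA)", page=0x10, public_mem=True),
    Instr("add"),
    Instr("transmit(secret[i]) via table load", page=0x20, leaks_secret=True),
    Instr("store local", page=0x11),
    Instr("memOp(pub_addrB)", page=0x30, public_mem=True),
    Instr("transmit(secret), no memory access", leaks_secret=True),
    Instr("transmit(secret) via load", page=0x30, leaks_secret=True),
]

if __name__ == "__main__":
    for rob in (4, 8):  # constructed ROB sizes
        for h, t in replayable_pairs(TRACE, rob):
            print(f"ROB={rob}: {TRACE[t].text!r} replayable via {TRACE[h].text!r}")
```

A larger ROB exposes more pairs, and the last load is never paired with `memOp(pub_addrB)` because both touch the same page.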
Timeline of a MicroScope Attack - Setup
Attack setup (attacker), in time order:
• Clear PTE Present bit of replay handle
• Flush replay handle page table entries
• Flush replay handle TLB entry
Timeline of a MicroScope Attack
[Figure: timeline following the attack setup, in time order]
Victim, handle(pub_addr):
• Issue replay handle
• L1 TLB miss
• L2 TLB miss
• PWC miss
• PGD walk, PUD walk, PMD walk, PTE walk
• Page fault
• OS invocation
Victim, transmit(secret):
• Speculative execution of transmitter
• Squash
Tune speculative execution duration with: cache hit or miss
Attacker, page fault handler (attack setup):
• Flush replay handle page table entries
Replay!!
Attacker monitor/contention thread:
• Cause shared resource contention & monitor