NetCAT: Practical Cache Attacks from the Network. Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi
Cache Attack from the Network [figure: Client and Server connected over SSH; Remote Cache Attack] 2
Network Cache Attack 3
Outline • Background • Cache Attacks • DDIO • RDMA • NetCAT - CVE-2019-11184 • Reverse Engineering DDIO • End-to-End Attack • Demo • Conclusion 4
Cache Attacks (prev.) [figure: earlier settings that share hardware (CPU / Cache): Cloud with VM 1 and VM 2; Browser with JavaScript and another Process] 5
The Memory Wall - Caches [figure: memory hierarchy for Core 0 and Core 1: registers (small, fast); per-core L1 d-cache and i-cache; per-core L2 cache; LLC shared by all cores; main memory (large, slow)] 6
PRIME+PROBE [figure: cache lines across the Prime, Victim Access and Probe steps] 7
Cache Hits & Misses 8
Cache Attacks With Cache Hits & Misses we can • Leak Crypto Keys (e.g. AES) • Guess visited Websites • Leak Memory Contents 9
DDIO • Data Direct I/O Technology • Enabled on all Intel server-grade processors since 2012 • Transparent for drivers and OS 10
DDIO [figure: DMA vs DDIO data path: PCIe Device (NIC, GPU, Storage), PCIe Root Complex, Integrated Memory Controller, CPU Last Level Cache with Ways 1-4 ... 17-20, Main Memory] 11
Why is DDIO important? From: Intel Data Direct I/O Technology Overview 12
Network Cache Attack – Main Challenges • Inner workings of DDIO • Remote PRIME+PROBE • End-to-end attack 13
RDMA [figure: TCP vs RDMA target data path: Application and Buffer in User Space; TCP and IP in Kernel; Interfaces; NIC in HW; the TCP path has a buffer at each layer] 14
RDMA • Available on Public Clouds • SMBDirect / NFS over RDMA • Applications: • High Performance Computing (HPC) • Data Centers / Cloud • Storage 15
Network Cache Attack • DDIO + RDMA – RDMA operations have accesses not only to the pinned memory region but also to parts of the LLC. – Foundation for our attack 16
Reverse Engineering DDIO • How does DDIO interact with the LLC? • Which portion of the cache can we access? 18
Reads served from memory vs LLC: t1 = timed_rdma_read(offsetX); rdma_write(offsetX); t2 = timed_rdma_read(offsetX); 19
DDIO Allocation Limitation [figure: PCIe Device (NIC, GPU, Storage), PCIe Root Complex, Integrated Memory Controller, CPU Last Level Cache with Ways 1-4 ... 17-20, Main Memory] 20
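The t1/t2 measurement on this slide, run locally as an added example (not from the NetCAT slides or the authors' code): an explicit cache-line flush stands in for "the line is in main memory", a local write stands in for rdma_write, and __rdtscp times the read. It assumes x86-64 with GCC or Clang; with DDIO the same gap appears over the network because the write lands in the LLC.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <x86intrin.h> /* __rdtscp, _mm_clflush, _mm_mfence: x86-64 assumed */

#define SAMPLES 2000

/* One 64-byte-aligned cache line standing in for the remote "offsetX". */
static volatile uint8_t line[64] __attribute__((aligned(64)));

/* Cycles for a single load of *p, fenced so only the load sits in the window. */
static uint64_t timed_read(volatile uint8_t *p) {
    unsigned aux;
    _mm_mfence();
    uint64_t start = __rdtscp(&aux);
    (void)*p;                      /* volatile: the load is really issued */
    uint64_t end = __rdtscp(&aux);
    _mm_mfence();
    return end - start;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; robust against interrupts inflating a few readings. */
uint64_t median(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* t1 analogue: the line was flushed, so the read is served from main memory. */
uint64_t median_miss_cycles(void) {
    uint64_t s[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        _mm_clflush((const void *)line);
        _mm_mfence();
        s[i] = timed_read(line);
    }
    return median(s, SAMPLES);
}

/* t2 analogue: a write just brought the line into the cache, so the read hits. */
uint64_t median_hit_cycles(void) {
    uint64_t s[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        line[0] = (uint8_t)i;      /* the "rdma_write(offsetX)" step, done locally */
        _mm_mfence();
        s[i] = timed_read(line);
    }
    return median(s, SAMPLES);
}

int main(void) {
    uint64_t miss = median_miss_cycles(), hit = median_hit_cycles();
    printf("from memory: %llu cycles, from cache: %llu cycles\n",
           (unsigned long long)miss, (unsigned long long)hit);
    return miss > hit ? 0 : 1;
}
```

The two medians are the hit/miss distinction the slide's RDMA experiment relies on; exact cycle counts vary by machine, only the ordering matters.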
End-to-End Attack 22
Cache Attack from the Network [figure: Client and Server connected over SSH; Remote Cache Attack] 23
NIC's ring buffer [figure: ring buffer slots 1-8 shared between NIC and CPU; packets 1-4 arriving in turn, each producing cache activity on the corresponding cache lines] 24
Detecting the NIC’s ring buffer in LLC 25
Tracking the Ring Buffer Online Tracker Offline Extractor 26
Map inter-packet arrival times to Words “because” 27
Map inter-packet arrival times to Words • 20 subjects typing free and transcribed text • Total of 4’574 unique words, on average 228.7 unique words per subject • Each word is represented as a point in a multidimensional space • k-nearest neighbors algorithm (k-NN) to classify a measured word 28
Evaluation 29
CVE-2019-11184 - Demo 30
Mitigation • Turn off DDIO or do not use RDMA • Intel: “limit direct access from untrusted networks when DDIO & RDMA are enabled” 32
The name of our paper • It was a pun - NetCAT stands for Network Cache ATtack (Net + C + AT). 33
Conclusion • LLC now directly on the I/O path • CVE-2019-11184 is the first DDIO side channel vulnerability • Intel acknowledged findings • Public disclosure was on September 10, 2019 • Bug Bounty payment • First security analysis on DDIO - future attacks likely @mik__ @vu5ec 34