On Subnormal Floating Point and Abnormal Timing
Marc Andrysco et al. (PowerPoint PPT presentation)


  1. On Subnormal Floating Point and Abnormal Timing
     Marc Andrysco, David Kohlbrenner, Keaton Mowery, Ranjit Jhala, Sorin Lerner, and Hovav Shacham
     UC San Diego

  2. [image-only slide]

  3. [image-only slide]

  4. Let's Run Some Code
     Subnormal Floating Point | Normal Floating Point

  5. Let's Run Some Code
     Subnormal Floating Point: 4.332s
     Normal Floating Point: 0.204s
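
The deck shows only the two timings, not the loop that produced them. The following is an added C example (my code, not the authors') that reproduces the measurement: it runs the same tight multiply loop once on a normal input and once on a subnormal one and reports the ratio. It assumes an x86-style FPU that takes a slow assist for subnormal operands and that flush-to-zero is off (the default); the iteration count, the 0.5 multiplier and the function names are my choices.

```c
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <time.h>

#define ITERATIONS 5000000UL   /* chosen so the normal loop takes a few ms */

/* 1 if x is a subnormal double (exponent field all zero, fraction non-zero). */
int is_subnormal(double x) {
    return fpclassify(x) == FP_SUBNORMAL;
}

/* Multiply `start` by 0.5 ITERATIONS times. The volatile slots force a load,
   a multiply and a store on every iteration so the work cannot be hoisted or
   folded away. A subnormal times 0.5 is still subnormal, so every iteration
   of the subnormal run stays on the FPU's slow path. Returns CPU seconds. */
double time_multiply_loop(double start) {
    volatile double in = start;
    volatile double out = 0.0;
    clock_t t0 = clock();
    for (unsigned long i = 0; i < ITERATIONS; i++) {
        out = in * 0.5;
    }
    clock_t t1 = clock();
    (void)out;
    return (double)(t1 - t0) / CLOCKS_PER_SEC;
}

/* Ratio of the subnormal loop's time to the normal loop's time.
   DBL_MIN / 4 is 2^-1024, below the smallest normal double 2^-1022. */
double subnormal_slowdown(void) {
    double normal = time_multiply_loop(1.0);
    double subnormal = time_multiply_loop(DBL_MIN / 4);
    return normal > 0.0 ? subnormal / normal : 0.0;
}

int main(void) {
    printf("normal input is subnormal:    %d\n", is_subnormal(1.0));
    printf("subnormal input is subnormal: %d\n", is_subnormal(DBL_MIN / 4));
    printf("normal loop:    %.3fs\n", time_multiply_loop(1.0));
    printf("subnormal loop: %.3fs\n", time_multiply_loop(DBL_MIN / 4));
    printf("slowdown:       %.1fx\n", subnormal_slowdown());
    return 0;
}
```

On hardware like the Core i7 of slide 17 the subnormal loop is an order of magnitude slower. If the process has flush-to-zero and denormals-are-zero enabled (gcc's -ffast-math does this on x86 at startup), the ratio collapses to about 1, which is a quick way to check whether a given build still exposes the difference.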

  6. 20 Times Slower?
     - Who knew?
       - Numerical analysts
       - CPU designers
       - Game engine authors

  7. 20 Times Slower?
     - Who knew?
       - Numerical analysts
       - CPU designers
       - Game engine authors
     - Who should know?
       - “What Every Computer Scientist Should Know About Floating-Point Arithmetic” – Goldberg ’91

  8. 20 Times Slower?
     - Who knew?
       - Numerical analysts
       - CPU designers
       - Game engine authors
     - Who should know?
       - “What Every Computer Scientist Should Know About Floating-Point Arithmetic” – Goldberg ’91
     - Academic researchers claim to “effectively close[s] all known remotely exploitable channels”
       - Specifically referring to timing side channels!

  9. Floating Point and Timing

  10. What Happened?
     - IEEE 754 specifies subnormal floating point values

  11. Floating Point: Normal and Subnormal
     Value = (−1)^sign × significand × 2^(exponent − bias)
     - Normal
       - The exponent is non-zero
       - Normal values have an implicit leading 1-bit on the significand
     - Subnormal
       - A subnormal value is a special encoding
       - The exponent is all zeroes
       - The significand has an implicit leading 0-bit

  12. Subnormal Details
     - Subnormal ranges (double)
       - Minimum: ~4.9 × 10^−324
       - Maximum: ~2.23 × 10^−308
       - Planck length: 1.6 × 10^−35 m
     - Why?
       - Extend the range of floating point
       - Graceful underflow: if (a != b) x = c / (a - b);
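
The encoding rule on slide 11 and the ranges and underflow guard on slide 12, worked through in C as an added example (my code, not from the deck): it pulls the sign, exponent and fraction fields out of a double, rebuilds the value with the normal rule (implicit leading 1, exponent minus bias) or the subnormal rule (implicit leading 0, exponent pinned to 1 − bias), constructs the smallest and largest subnormals from their bit patterns, and shows why `a != b` guarantees a non-zero divisor. The names decode_double, min_subnormal, max_subnormal and divide_if_distinct are mine.

```c
#include <float.h>
#include <math.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    int sign;            /* raw sign bit */
    int exponent;        /* raw 11-bit biased exponent field */
    uint64_t fraction;   /* raw 52-bit fraction field */
    int is_subnormal;    /* exponent field zero and fraction non-zero */
    double value;        /* value rebuilt from the fields with the slide's formula */
} double_fields;

uint64_t double_to_bits(double d) { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
double bits_to_double(uint64_t u) { double d; memcpy(&d, &u, sizeof d); return d; }

/* 2^k for -1022 <= k <= 1023, built directly as a normal double with zero
   fraction so no libm call is needed. */
static double pow2(int k) { return bits_to_double((uint64_t)(k + 1023) << 52); }

double_fields decode_double(double d) {
    const int bias = 1023;
    double_fields f;
    uint64_t u = double_to_bits(d);
    f.sign = (int)(u >> 63);
    f.exponent = (int)((u >> 52) & 0x7FF);
    f.fraction = u & ((1ULL << 52) - 1);
    f.is_subnormal = (f.exponent == 0 && f.fraction != 0);

    if (f.exponent == 0x7FF) {           /* all-ones exponent: infinity or NaN */
        f.value = f.fraction ? NAN : (f.sign ? -INFINITY : INFINITY);
        return f;
    }
    double significand;
    int unbiased;
    if (f.exponent == 0) {
        /* Subnormal (or zero): implicit leading 0 bit, exponent fixed at 1 - bias. */
        significand = (double)f.fraction * pow2(-52);
        unbiased = 1 - bias;
    } else {
        /* Normal: implicit leading 1 bit, exponent = field - bias. */
        significand = 1.0 + (double)f.fraction * pow2(-52);
        unbiased = f.exponent - bias;
    }
    /* Value = (-1)^sign * significand * 2^(exponent - bias); both products are exact. */
    f.value = (f.sign ? -1.0 : 1.0) * significand * pow2(unbiased);
    return f;
}

/* Smallest subnormal: exponent 0, fraction 1  -> 2^-1074 (~4.9e-324). */
double min_subnormal(void) { return bits_to_double(1ULL); }
/* Largest subnormal: exponent 0, fraction all ones -> just below DBL_MIN (~2.23e-308). */
double max_subnormal(void) { return bits_to_double((1ULL << 52) - 1); }

/* Slide 12's guard. Because subnormals exist, a != b implies a - b != 0
   (gradual underflow), so the divisor can never be zero. Returns c / (a - b),
   or `fallback` when a == b. */
double divide_if_distinct(double c, double a, double b, double fallback) {
    if (a != b) {
        return c / (a - b);
    }
    return fallback;
}
```

With flush-to-zero enabled the same guard breaks: `a - b` can flush to 0 even though `a != b`, and the division produces infinity. That is one concrete reason the numerical results on slide 14 depend on the build.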

  13. What Happened?
     - IEEE 754 specifies subnormal floating point values
     - FPUs are optimized for pure speed
       - Subnormals are not the common case
       - So let's pretend they don't matter!
     - Subnormals are a hardware slowpath
       - The Alpha trapped to kernel for subnormals!
       - Most GPUs don't support them

  14. Floating Point Is a Security Issue
     - Ilya Mironov on Laplacian noise generation
     - Lack of dependable results
       - gcc -O1 vs gcc -O3

  15. Leveraging Subnormal Floating Point into Attacks

  16. Floating Point as a Side-Channel
     - Code that operates on secret and attacker values can result in timing side channels
       - From instruction traces
       - Or memory access patterns
       - Or IO usage
       - Etc.
     - We present the first instruction data based timing side channel attack on a commodity desktop processor
       - Proposed by Kocher 20 years ago!

  17. Floating Point Hardware Data
     - Core i7-3667U: SSE and x87
     - Atom D2550: SSE and x87

  18. Amplifying Timing Differences
     - Even a 100 cycle difference is hard to spot
       - Especially with a loaded system

  19. Amplifying Timing Differences
     - Even a 100 cycle difference is hard to spot
       - Especially with a loaded system
     - We need an amplifier
       - Remember our sample code?
       - We need tight math loops

  20. Detour Time! Firefox SVG Filters and Previous Attacks

  21. Firefox SVG Filters
     - Turn this

  22. Firefox SVG Filters
     - Into this!
       <svg><filter> <feGaussianBlur stdDeviation="3"/> </filter></svg>

  23. Firefox SVG Filters
     - CSS defined filters
       - <div>
       - <iframe>
       - Really any element
     - Run various functions
       - convolve
       - blur
       - skew
       - gradient
       - clipping
     - Stackable!

  24. Firefox SVG Filter Timing Attack
     - See Paul Stone’s “Pixel Perfect Timing Attacks with HTML 5”

  25. Firefox SVG Filter Timing Attack [image slide, same caption]

  26. Firefox SVG Filter Timing Attack [image slide, same caption]

  27. Firefox SVG Filter Timing Attack [image slide, same caption]

  28. Paul Stone’s SVG Timing Side Channel
     - Relied on a fast path optimization in the feMorphology SVG filter
       - In cases of a solid color image, the filter ran much faster
     - Fix was to write constant time code!
       - Took ~2 years to land, and a 150+ comment bug thread
       - “the problem boils down to: how to implement constant-time min(a, b) and max(a, b) in C++?” – Bugzilla thread

  29. Back to the Present

  30. New Firefox SVG Filter Attack
     - Firefox SVG Filters are still ‘vulnerable’ pending a timing difference
     - We have a new timing side-channel source

  31. New Firefox SVG Filter Attack
     - Firefox SVG Filters are still ‘vulnerable’ pending a timing difference
     - We have a new timing side-channel source
       - SVG Filters run floating point math!

  32. New Firefox SVG Filter Attack
     - Firefox SVG Filters are still ‘vulnerable’ pending a timing difference
     - We have a new timing side-channel source
       - SVG Filters run floating point math!
     - We need an amplifier

  33. New Firefox SVG Filter Attack
     - We need an amplifier

  34. Firefox SVG Filters and Subnormals

  35. Firefox SVG Filters and Subnormals
     1 × s  |  0 × s   (s: a subnormal value)

  36. Firefox SVG Filters and Subnormals
     s + s  |  0 + 0   (s: a subnormal value)

  37. Firefox SVG Filter Timing Attack

  38. Firefox SVG Filters Attack Impact
     - Firefox does not consider running SVG filters over foreign pixels a violation of SOP
       - We disagree
     - Cross Origin Resource Sharing (CORS) is the obvious solution

  39. Reading Pixels
     - From other origins
       - Reconstruct characters (OCR)
       - Extract usernames, login status, user information, etc.
       - Blocked with frame options or CSP
     - From our origin
       - History sniffing

  40. Avoiding Floating Point Problems

  41. Recommendations
     - Don’t use floating point in security critical code
       - Unpredictable results
       - Large timing variations
       - Highly processor and build dependent
     - Use fixed point if you need non-integer math

  42. LibFTFP: Fixed Time Fixed Point
     - C library implementing most math operations
       - Add, divide, etc.
       - Transcendentals
       - Exponents, logs, etc.
     - Variable width
     - Constant time! (Probably!)

  43. Building LibFTFP
     - Techniques
       - No data dependent jumps (&&, if, etc.)
       - No known variable time instructions (div, idiv, etc.)
       - No look-up tables (due to caching)
     - We cannot be 100% sure of the constant-ness of our code
       - Intel doesn’t release any information about instruction data dependency
       - We cannot exhaustively test processors and instruction arguments
     - Writing constant time code is a battle against all future processors and compilers
     - LibFTFP uses approximations
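
Slide 28's question (constant-time min and max) and slide 43's rules (no data-dependent jumps, no div/idiv, no look-up tables) in one added C example. This is my code, not LibFTFP's: ct_lt_mask, ct_select, ct_min, ct_max, ct_udiv and fix16_div are names I chose, and the Q16.16 fixed-point format is an assumption for the demonstration (LibFTFP's own widths are variable, per slide 42). The comparison is computed from the borrow bit of a subtraction instead of a compare-and-branch, and division is a restoring shift-subtract loop with a fixed trip count in which every iteration does the same work whether or not the quotient bit is set.

```c
#include <stdint.h>

/* Quotient and remainder; both are always computed. */
typedef struct { uint64_t quotient; uint32_t remainder; } udiv_result;

/* All-ones mask if a < b, else 0. The borrow out of the 64-bit subtraction
   lands in bit 63; negating that bit spreads it across the word. There is no
   compare instruction and no branch, so the instruction stream is the same
   for every pair of operands. */
uint32_t ct_lt_mask(uint32_t a, uint32_t b) {
    uint64_t diff = (uint64_t)a - (uint64_t)b;
    return (uint32_t)0 - (uint32_t)(diff >> 63);
}

/* x when mask is all ones, y when mask is zero. */
uint32_t ct_select(uint32_t mask, uint32_t x, uint32_t y) {
    return y ^ ((x ^ y) & mask);
}

uint32_t ct_min(uint32_t a, uint32_t b) { return ct_select(ct_lt_mask(a, b), a, b); }
uint32_t ct_max(uint32_t a, uint32_t b) { return ct_select(ct_lt_mask(a, b), b, a); }

/* Restoring division of a 64-bit numerator by a 32-bit divisor with a fixed
   64-iteration loop. Each iteration shifts in one numerator bit, subtracts the
   divisor under a mask and records the mask bit as the quotient bit, so the
   trip count and the instruction trace never depend on the operand values and
   the hardware div instruction is never used.
   Caveat: d == 0 produces an all-ones quotient instead of a trap. */
udiv_result ct_udiv(uint64_t n, uint32_t d) {
    udiv_result r;
    uint64_t rem = 0, q = 0;
    for (int i = 63; i >= 0; i--) {
        rem = (rem << 1) | ((n >> i) & 1u);               /* rem < 2*d < 2^33 */
        uint64_t borrow = ((rem - (uint64_t)d) >> 63) & 1u; /* 1 iff rem < d */
        uint64_t ge_mask = borrow - 1;                     /* all ones iff rem >= d */
        rem -= (uint64_t)d & ge_mask;                      /* subtract only when rem >= d */
        q = (q << 1) | (ge_mask & 1u);
    }
    r.quotient = q;
    r.remainder = (uint32_t)rem;
    return r;
}

/* Q16.16 unsigned fixed-point divide built on ct_udiv: (a << 16) / b.
   Assumes the true quotient fits in 32 bits. */
uint32_t fix16_div(uint32_t a, uint32_t b) {
    return (uint32_t)ct_udiv((uint64_t)a << 16, b).quotient;
}
```

Two practical notes. Signed operands can reuse ct_lt_mask by XOR-ing both with 0x80000000 first, which maps the signed order onto the unsigned one. And, as slide 43 warns, the masks only help while the compiler keeps them as arithmetic: a later compiler may recognise ct_select as a conditional and emit a branch, so the generated assembly needs to be checked on every toolchain the code ships with.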

  44. LibFTFP Statistics
     - Comparing to hardware slightly unfair
     - Comparing to infinite precision software (MPFR) also slightly unfair
     github.com/kmowery/libfixedtimefixedpoint

  45. Takeaways
     - Security critical code should omit floating point or be extremely careful
     - Writing provably constant time code is impossible
       - Intel? Some help here?
     - Browsers should require CORS/CSP for computing over all foreign data
       - Like pixels

  46. Future Work
     - Firefox attack works on FF 23-27
       - Attack stopped working when filters changed to GPU
     - GPU floating point implementations
       - “On NVIDIA GPUs starting with the Fermi architecture […] multi-instruction sequences such as square root and […] reciprocal square root, must do extra work and take a slower path for denormal values”
     - Other math operation data side channels
       - imul, div/idiv cycle counts are data dependent
       - What can we break with that?

  47. Questions?
     dkohlbre@cs.ucsd.edu
     LibFTFP: github.com/kmowery/libfixedtimefixedpoint
