speculative execution vulnerabilities from a simple
play

Speculative Execution Vulnerabilities: From a Simple Oversight to a - PowerPoint PPT Presentation

Aug 31, 2022 •231 likes •1.05k views

Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul Strackx raoul.strackx@cs.kuleuven.be @raoul_strackx imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium Hardwear.io, June 14 th , 2019

  1. Speculative Execution Vulnerabilities: From a Simple Oversight to a Technological Nightmare Raoul Strackx raoul.strackx@cs.kuleuven.be @raoul_strackx imec-DistriNet, KU Leuven, Celestijnenlaan 200A, B-3001 Belgium Hardwear.io, June 14 th , 2019

  2. Introduction Attacks Outlook Conclusion empty 2018 started very terrifying/exciting. . . • Spectre : Extract data from running processes • Meltdown : Read full RAM contents 2 /68 Raoul Strackx Speculative Execution Vulnerabilities

  3. Introduction Attacks Outlook Conclusion empty . . . and continued along the same path 3 /68 Raoul Strackx Speculative Execution Vulnerabilities

  4. Introduction Attacks Outlook Conclusion empty Comparing Foreshadow/Meltdown/Spectre/. . . Figure: source: https://software.intel.com/security-software-guidance/software-guidance 4 /68 Raoul Strackx Speculative Execution Vulnerabilities

  5. Introduction Attacks Outlook Conclusion empty Foreshadow Attacks • Independently discovered • Team of KU Leuven, Belgium • Team of Universities of Technion, Michigan and Adelaide and DATA61 • Intel discovered other variants foreshadowattack.eu 5 /68 Raoul Strackx Speculative Execution Vulnerabilities

  6. Introduction Attacks Outlook Conclusion empty Foreshadow Attacks • Independently discovered • Team of KU Leuven, Belgium • Team of Universities of Technion, Michigan and Adelaide and DATA61 • Intel discovered other variants foreshadowattack.eu 5 /68 Raoul Strackx Speculative Execution Vulnerabilities

  7. Introduction Attacks Outlook Conclusion empty These were vulnerabilities in the processor itself Hence, virtually every application was effected! This led to various reactions 6 /68 Raoul Strackx Speculative Execution Vulnerabilities

  8. Introduction Attacks Outlook Conclusion empty How we told our upper management at the university (Nov ’17). . . Figure: source: https://pin.it/k4j53t23xiiqcd 7 /68 Raoul Strackx Speculative Execution Vulnerabilities

  9. Introduction Attacks Outlook Conclusion empty How we told Intel (Jan ’18). . . Figure: source: https://pin.it/k4j53t23xiiqcd 8 /68 Raoul Strackx Speculative Execution Vulnerabilities

  10. Introduction Attacks Outlook Conclusion empty How IT professionals reacted (to this class of vulnerabilities). . . 9 /68 Raoul Strackx Speculative Execution Vulnerabilities Figure: source: https://pin.it/hehzyfhdsvnlkc

  11. Introduction Attacks Outlook Conclusion empty How Intel stock owners reacted. . . 10 /68 Raoul Strackx Speculative Execution Vulnerabilities

  12. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty How do these attacks work, in general? 11 /68 Raoul Strackx Speculative Execution Vulnerabilities

  13. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty . . . Side-channel attacks Figure: The Italian Job (source: imdb.com ) 12 /68 Raoul Strackx Speculative Execution Vulnerabilities

  14. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Attacker Victim action: rotate & listen − − − − − − − − − − − − → carrier: sound ← − − − − − − − − Charlize Theron Vault Security flaw : Lever may produce sound sources: https://home.howstuffworks.com/ , imdb.com 13 /68 Raoul Strackx Speculative Execution Vulnerabilities

  15. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty How does the Foreshadow attack work? 14 /68 Raoul Strackx Speculative Execution Vulnerabilities

  16. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty One vulnerability to rule them all • Foreshadow-OS : Bare-metal not-present pages • Foreshadow-VMM : VM guest page tables • Foreshadow-SGX : Intel SGX enclaves • Foreshadow-SMM : Attacking Figure: source: xkcd.com/149/ System Management Mode → The target heavily affects how the Luckily, these attacks can “only” read attack can be launched privileged memory 15 /68 Raoul Strackx Speculative Execution Vulnerabilities

  17. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Foreshadow-OS: Reading L1 data through bare-metal not-present pages. . . 16 /68 Raoul Strackx Speculative Execution Vulnerabilities

  18. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Attacker Victim action: none − − − − − − − → carrier: cache changes ← − − − − − − − − − − − − − Other process’ memory Foreshadow-OS Security flaw : OoO execution leaves traces of transient instructions 17 /68 Raoul Strackx Speculative Execution Vulnerabilities

  19. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Attacker Victim action: none − − − − − − − → carrier: cache changes ← − − − − − − − − − − − − − Other process’ memory Foreshadow-OS Security flaw : OoO execution leaves traces of transient instructions 18 /68 Raoul Strackx Speculative Execution Vulnerabilities

  20. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Setting: Attacker-controlled process Attack model: • Attacker operates within a malicious process • Benign, bare-metal kernel ensures process isolation Attack objective: • Read data outside the process’ address space 19 /68 Raoul Strackx Speculative Execution Vulnerabilities

  21. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Background: How does process isolation work. . . • MMU: map virtual address space to physical memory • Protect physical memory by: • Not providing a mapping • Restricting access (e.g., U/S-bit) 20 /68 Raoul Strackx Speculative Execution Vulnerabilities

  22. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Background: How does process isolation work. . . • MMU: map virtual address space to physical memory • Protect physical memory by: • Not providing a mapping • Restricting access (e.g., U/S-bit) 20 /68 Raoul Strackx Speculative Execution Vulnerabilities

  23. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Background: How does process isolation work. . . Figure: source: Intel 64 and IA-32 architectures software developer’s manual 21 /68 Raoul Strackx Speculative Execution Vulnerabilities

  24. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Background: How does process isolation work. . . Figure: source: Intel 64 and IA-32 architectures software developer’s manual 21 /68 Raoul Strackx Speculative Execution Vulnerabilities

  25. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Background: How does process isolation work. . . When P-bit is 0, the entry’s physical address field may be re-used to keep track of the swapped out page 22 /68 Raoul Strackx Speculative Execution Vulnerabilities

  26. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty Attacker Victim action: none − − − − − − − → carrier: cache changes ← − − − − − − − − − − − − − Other process’ memory Foreshadow-OS Security flaw : OoO execution leaves traces of transient instructions 23 /68 Raoul Strackx Speculative Execution Vulnerabilities

  27. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty The message carrier: How does the cache work? Caching • Problem: Memory performance grows much slow than CPU performance • Solution: fast but small caches • Intel 486: L1 cache (’89) • Intel Pentium Pro: L1 & L2 cache (’95) • Today: L1, L2 & L3 caches 24 /68 Raoul Strackx Speculative Execution Vulnerabilities

  28. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty The message carrier: How does the cache work? Caching • Problem: Memory performance grows much slow than CPU performance • Solution: fast but small caches • Intel 486: L1 cache (’89) • Intel Pentium Pro: L1 & L2 cache (’95) • Today: L1, L2 & L3 caches 24 /68 Raoul Strackx Speculative Execution Vulnerabilities

  29. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty The message carrier: how does the cache work? • Cache lines: 64 B • L1: virtually-indexed, physically tagged • 64 sets, 8 ways 25 /68 Raoul Strackx Speculative Execution Vulnerabilities

  30. Introduction Foreshadow-OS Attacks Foreshadow-VMM Outlook Foreshadow-SGX Conclusion empty The message carrier: how does the cache work? 26 /68 Raoul Strackx Speculative Execution Vulnerabilities

Recommend

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism

Harmonizing Speculative and Non-Speculative Execution in Architectures for Ordered Parallelism MA MARK C. JEFFR FFREY , VICTOR A. YING, SUVINAY SUBRAMANIAN, HYUN RYONG LEE, JOEL EMER, DANIEL SANCHEZ MI MICRO 2018 There is a (false)

1.48k views • 130 slides
and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

ISCA20 Section 5B Speculative Data-Oblivious Execution: Mobilizing Safe Prediction For Safe and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM MORRISON*, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT

833 views • 57 slides
Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California Information Sciences Institute Advisor : Professor Craig A. Knoblock 1 Outline 1. Review and motivating example 2. Speculative plan execution 3.

1.15k views • 69 slides
FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU

FRACTAL AN EXECUTION MODEL FOR FINE-GRAIN NESTED SPECULATIVE PARALLELISM SU SUVINAY Y SU SUBRAMANIAN , MARK C. JEFFREY, MALEEN ABEYDEERA, HYUN RYONG LEE, VICTOR A. YING, JOEL EMER, DANIEL SANCHEZ IS ISCA 2017 Current speculative systems

984 views • 47 slides
Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MA MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MI MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative

635 views • 49 slides
Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN,

Data-Centric Execution of Speculative Parallel Programs MARK JEFFREY, SUVINAY SUBRAMANIAN, MALEEN ABEYDEERA, JOEL EMER, DANIEL SANCHEZ MICRO 2016 Executive summary Many-cores must exploit cache locality to scale Current speculative systems,

495 views • 27 slides
Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing

Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing

Speculative Execution Outcome unknown Block 1 Predict future execution path Begin executing instructions from predicted path ? Speculatively Executed A B Block Also Block 2 Speculatively Executed 1 Speculative Execution Block 1

428 views • 29 slides
Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and

Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and

Optimizing Distributed Transactions: Speculative Client Execution, Certified Serializability, and High Performance Run-Time Thesis DefenseMaster of Science Utkarsh Pandey Advisor: Binoy Ravindran Systems Software Research Group Virginia

504 views • 36 slides
1 The Hardware: Reorder Buffer Branch Prediction vs. Precise Interrupt If inst write results in

1 The Hardware: Reorder Buffer Branch Prediction vs. Precise Interrupt If inst write results in

Control Dependencies Every instruction is control dependent on some set of branches Lecture 7: Speculative Execution and if p1 Recovery S1; if p2 Branch prediction and speculative S2; execution, precise interrupt, reorder S1 is control

251 views • 3 slides
Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale

Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale

Introduction Parallel XML Conclusions Performance Enhancement with Speculative Execution Based Parallelism for Processing Large-scale XML-based Application Data Michael R. Head and Madhusudhan Govindaraju Grid Computing Research Laboratory

997 views • 47 slides
Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of

Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of

Execution-based Prediction Using Speculative Slices Craig Zilles and Guri Sohi University of Wisconsin - Madison International Symposium on Computer Architecture July, 2001 The Problem Two major barriers to achieving high ILP: MISPREDICTED

427 views • 27 slides
InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi,

InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi,

InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign Tel Aviv

559 views • 22 slides
A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit

A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit

A Reo Semantics for Reasoning about Speculative Execution Hans-Dieter A. Hiep Vrije Universiteit Amsterdam Centrum Wiskunde & Informatica November 13th, 2018 Overview 1. Motivation 2. Language 3. Foundation 4. Properties Motivation

911 views • 59 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng

An SSA-based Algorithm for Optimal Speculative Code Motion under an Execution Profile Hucheng Zhou Tsinghua University June 2011 Joint work with: Wenguang Chen (Tsinghua University), Fred Chow (ICube Technology Corp.) Contents Basic Concepts

670 views • 36 slides
Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California

Speculative Plan Execution for Information Agents Greg Barish University of Southern California June 30th, 2003 Thesis Committee Prof. Craig Knoblock (chair) Dr. Steven Minton, Fetch Technologies Prof. Paul Rosenbloom Prof. Cyrus Shahabi

989 views • 51 slides
Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn Dresden, 2010-09-01 Distributed File Systems NFS (v3),

194 views • 15 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval Yarom (University of Adelaide and

243 views • 22 slides
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the BitBlaze group at UC Berkeley *

607 views • 39 slides
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias

Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the BitBlaze group at UC Berkeley *

386 views • 36 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Speculative Defragmentation Speculative Defragmentation A Technique to Improve the

Ninth IEEE International Symposium on High Performance Distributed Computing, Pittsburgh, Pennsylvania, August 1-4, 2000 Speculative Defragmentation Speculative Defragmentation A Technique to Improve the Communication A Technique to

237 views • 22 slides

More recommend