transient side channels
play

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from - PowerPoint PPT Presentation

Nov 17, 2022 •285 likes •561 views

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder 1 st paper review due midnight on 09/27 (before the next lecture) You will receive an invitation from HotCRP

  1. Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

  2. Reminder • 1 st paper review due midnight on 09/27 (before the next lecture) • You will receive an invitation from HotCRP • https://mit-6888-fa20.hotcrp.com/ 6.888 L6-Transient Side Channels 2

  3. Micro-architecture Side Channels secret-dependent execution A Channel (a micro-architecture structure) Victim Attacker X {Cache, DRAM, TLB, NoC, etc.} {Transient, Non-transient} Kiriansky et al. DAWG: a defense against cache timing attacks in speculative execution processors. MICRO’18 6.888 L6-Transient Side Channels 3

  4. Recap: 5-stage Pipeline 0x4 Add we rs1 rs2 rd1 we PC addr ws IR addr rdata ALU wdrd2 rdata GPRs Data Inst. Memory Memory Imm wdata Ext Write-Back Execute Memory Decode, Reg. Fetch I-Fetch (WB) (EX) (MA) (ID) (IF) 6.888 L6-Transient Side Channels 4

  5. 5-stage Pipeline 0x4 Add we rs1 rs2 rd1 we addr PC ws IR addr rdata ALU wdrd2 rdata GPRs Data Inst. Memory Imm Memory wdata Ext I-Fetch Write-Back Decode, Reg. Fetch Execute Memory (IF) (WB) (EX) (ID) (MA) • In-order execution: • Execute instructions according to the program order time t0 t1 t2 t3 t4 t5 t6 t7 . . . . instruction1 IF 1 ID 1 EX 1 MA 1 WB 1 instruction2 IF 2 ID 2 EX 2 MA 2 WB 2 instruction3 IF 3 ID 3 EX 3 MA 3 WB 3 instruction4 IF 4 ID 4 EX 4 MA 4 WB 4 instruction5 IF 5 ID 5 EX 5 MA 5 WB 5 6.888 L6-Transient Side Channels 5

  6. Data Hazard and Control Hazard time t0 t1 t2 t3 t4 t5 t6 t7 . . . . Loop: …… LD(R1, 0, R2) IF 1 ID 1 EX 1 MA 1 WB 1 ADD(R2, 10, R3) IF 2 ID 2 EX 2 MA 2 WB 2 BNE(R3, Loop) IF 3 ID 3 EX 3 MA 3 WB 3 …… 6.888 L6-Transient Side Channels 6

  7. Resolving Hazards • Stall or Bypass time t0 t1 t2 t3 t4 t5 t6 t7 . . . . Loop: …… LD(R1, 1, R2) IF 1 ID 1 EX 1 MA 1 WB 1 ADD(R2, 10, R3) IF 2 ID 2 EX 2 MA 2 WB 2 BNE(R3, Loop) IF 3 ID 3 EX 3 MA 3 WB 3 …… • Speculation (e.g., branch predictor) • Guess a value and continue executing anyway • When actual value is available, two cases • Guessed correctly à do nothing • Guessed incorrectly à restart with correct value (roll back) 6.888 L6-Transient Side Channels 7

  8. Branch Predictor • Predict Taken/Not taken • Not taken: PC+4 • Taken: need to know target address • Predict target address • Branch target buffer (BTB) • Map <current PC, target PC> • Use history information to setup the predictor 6.888 L6-Transient Side Channels 8

  9. Complex In-order Pipeline ALU Mem IF ID Issue WB Fadd GPRs FPRs Fmul Fdiv • Need complex bypass/stall/kill paths • In real systems, EX/MA can take multiple cycles 6.888 L6-Transient Side Channels 9

  10. Out-of-order Execution • When the pipeline is stalled, find something else to do • When we do out-of-order execution, we are speculating that previous instructions do not cause exception • If instruction n is speculative instruction, instruction n+i is also speculative time t0 t1 t2 t3 t4 t5 t6 t7 ALU Mem IF ID Issue WB LD(R1, 1, R2) IF 1 ID 1 EX 1 MA 1 MA 1 MA 1 MA 1 WB 1 Fadd GPRs ADD( R3 , 10, R4) IF 2 ID 2 EX 2 MA 2 WB 2 FPRs Fmul SUB(R4, 10, R5) IF 3 ID 3 EX 3 MA 3 WB 3 …… Fdiv 6.888 L6-Transient Side Channels 10

  11. Speculative & Out-of-Order Execution Update predictors Branch kill Resolution Branch kill kill Prediction kill Out-of-Order In-Order Decode & Reorder Buffer Commit PC Fetch Rename (ROB) (head of ROB) In-Order Physical Reg. File Physical Reg. File Dispatch logic: Detect data dependency, FALU …… issue instructions to execute ALU MEM Execute 11

  12. Terminology A speculative instruction may squash. When executed, can change uArch state • A Transient instruction will squash, i.e., will not commit. A Non-Transient instruction will not squash, i.e., will eventually retire. That is, transient instructions are unreachable on a non-speculative microarchitecture. 6.888 L6-Transient Side Channels 12

  13. General Attack Schema Attacker Victim Access secret recv() transmit (secret) Channel • The difference between transient and non-transient side channels • Whether the secret access or transmitter execution is transient 6.888 L6-Transient Side Channels 13

  14. Meltdown & Spectre

  15. Kernel/User Pages Virtual memory 0x00000000 • In x86, a process’s virtual address space Kernel pages includes kernel pages, but kernel pages are only accessible in kernel mode • For performance purpose • Avoids switching page tables on context switches • What will happen if accessing kernel User pages addresses in user mode? • Protection fault 6.888 L6-Transient Side Channels 15 0xffffffff

  16. Meltdown Exception handling is deferred when the instruction reaches the head of ROB. • Problem: Speculative instructions can change uArch state, e.g., cache • Attack procedure 1. Setup: Attacker allocates probe_array , with 256 cache lines. Flushes all its cache lines ROB head 2. Transmit: Attacker executes …… LD2 LD1 … … Ld1: uint8_t byte = *kernel_address; Ld2: unit8_t dummy = probe_array[byte*64]; 3. Receive: After handling protection fault, attacker performs cache side channel attack to figure out which line of probe_array is accessed à recovers byte 6.888 L6-Transient Side Channels 16

  17. Meltdown Type Attacks • Can be used to read arbitrary memory • Leaks across privilege levels • OS ßà Application • SGX ßà Application (e.g., Foreshadow) • Etc • Mitigations: • Stall speculation • Register poisoning • We generally consider it as a design bug 6.888 L6-Transient Side Channels 17

  18. Spectre Variant 1 – Exploit Branch Condition Always malicious? • Consider the following kernel code, e.g., in a system call No. It may be a benign misprediction. We do not consider Spectre as a bug. Br: if (x < size_array1) { ROB head Ld1: secret = array1[x]*64 Ld2: y = array2[secret] LD2 LD1 Br … … } Attacker to read arbitrary memory: 1. Setup: Train branch predictor 2. Transmit: Trigger branch misprediction; &array1[x] maps to some desired kernel address 3. Receive: Attacker probes cache to infer which line of array2 was fetched 6.888 L6-Transient Side Channels 18

  19. Spectre Variant 2 – Exploit Branch Target • Most BTBs store partial tags and targets… • <last n bits of current PC, target PC> BTB predicts … Ld1, Ld2 oxfff110 Br: if (…) { Branch target … } buffer (BTB) … oxfff234 Ld1: secret = array1[x]*4096 Fetch …… Ld2: y = array2[secret] Train BTB properly à Execute arbitrary gadgets speculatively 6.888 L6-Transient Side Channels 19

  20. General Attack Schema Attacker Victim Access secret recv() transmit (secret) Channel • Traditional (non-transient) attacks Hard to fix • Data-dependent program behavior • Transient attacks “Easy” to fix • Meltdown = transient execution + deferred exception handling • Spectre = transient execution on wrong paths Hard to fix 6.888 L6-Transient Side Channels 20

  21. Takeaways Transient execution attacks use (not “are”) side/covert channels. “Spectre” (wrong-path execution) is fundamental . Speculation/prediction is not perfect. “Meltdown” (deferred exceptions) is not fundamental . 6.888 L6-Transient Side Channels 21

  22. Transient v.s. Non-transient

  23. Classification recv() Access secret transmit (secret) Channel {Transient, Non-transient} secret x {Transient, Non-transient} transmitter Secret accessed Transmitter Classification Non-transient Non-transient Traditional side channels Transient Non-transient Not possible on today’s machines? Non-transient Transient Spectre Transient Transient Spectre 23

  24. Non-transient secret + Non-transient transmitter What can leak? A subset of committed architectural state, at each point in the program’s dynamic execution. secret <- load(0x5) secret <- load(0x5) secret <- load(0x5) if (false) secret <- secret + 1 Dummy<- load( secret ) Dummy<-load( secret ) secret -> store(0x5) secret does not leak secret leaks secret does not leak (assume ‘+’ data independent) 6.888 L6-Transient Side Channels 24

  25. Non-transient secret + {Transient, Non-transient} transmitter secret <- load(0x5) secret <- load(0x5) secret <- load(0x5) secret <- secret + 1 Dummy<- load( secret ) if (false) secret -> store(0x5) Dummy<-load( secret ) Non-transient secret + Non-transient transmitter: secret leaks secret does not leak secret does not leak = = Non-transient secret + Transient secret : secret leaks (!) secret does not leak secret leaks 6.888 L6-Transient Side Channels 25

  26. Leakage Summary {Transient, Non-transient} secret x {Transient, Non-transient} transmitter All of program memory Transient + Transient Non-transient + Transient Non-transient + Non-transient (Larger?) Subset of committed Subset of committed arch state. arch state Depends on what speculation. 6.888 L6-Transient Side Channels 26

  27. Next Lecture: Tiwari et al. Complete information flow tracking from the gates up. ASPLOS. 2009.

Recommend

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

1.24k views • 102 slides
Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

978 views • 42 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher

Transient Side Channels Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder 1 st paper review due midnight on 09/27 (before the next lecture) You will receive an invitation from HotCRP

1.46k views • 78 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurlien Francillon Whats this all about? - A nov novel attack ex exploiting g EM side

886 views • 77 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271 Introduction to Computer Security Announcements intermission Transient Execution, OS Assurance, and Networks Brief introduction to networking Stephen

554 views • 7 slides
Palomar Transient Factory and the Search for Progenitors Channels of SNe Ia Peter Nugent, Chris

Palomar Transient Factory and the Search for Progenitors Channels of SNe Ia Peter Nugent, Chris

Palomar Transient Factory and the Search for Progenitors Channels of SNe Ia Peter Nugent, Chris Frohmaier &amp; Mark Sullivan Motivation SNe govern the heavy element production of the Universe and cycle matter in galaxies. - A SN rate provides

463 views • 27 slides
FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny, Ashutosh Trivedi *University of Colorado Boulder Functional Case Motivation Side Channels Studies Functional Case Motivation Side Channels

366 views • 24 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Co-residency side-channel attacks in clouds Stealing secrets (e.g., keys) VM VM VM Machine Machine Many

1.03k views • 69 slides
Loose Ends: Side Channels, Government Surveillance &amp; Targeted

Loose Ends: Side Channels, Government Surveillance &amp; Targeted

CSE 484 / CSE M 584: Computer Security and Privacy Loose Ends: Side Channels, Government Surveillance &amp; Targeted Attacks Spring 2015 Franziska

622 views • 27 slides
Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R.

Off-Path Round Trip Time Measurement via TCP/IP Side Channels Geoffrey Alexander and Jedidiah R. Crandall University of New Mexico, USA How do you measure something? Interact directly T ake samples Multiple tests 2 Problem How

533 views • 26 slides
Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

CSE 127: Computer Security Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Today Lecture objectives: Understand basic principles for building secure systems

1.08k views • 78 slides
Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John

737 views • 40 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari

Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari

Cross-VM Side Channels and Their Use to Extract Private Keys Yinqian Zhang (UNC-Chapel Hill) Ari Juels (RSA Labs) Michael K. Reiter (UNC-Chapel Hill) Thomas Ristenpart (U Wisconsin-Madison) Motivation Security Isolation by Virtualization VM

775 views • 40 slides
From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice,

From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice,

From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice, Graz University of Technology July 4, 2017RMLL, Saint- Etienne, France Rennes Graz Cl ementine Maurice now postdoc at TU Graz, Austria PhD

2.37k views • 178 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Isolation and side-channels Deian Stefan Some slides adopted from Nadia Heninger,John Mitchell,

Isolation and side-channels Deian Stefan Some slides adopted from Nadia Heninger,John Mitchell,

CSE 127: Computer Security Isolation and side-channels Deian Stefan Some slides adopted from Nadia Heninger,John Mitchell, Dan Boneh, and Stefan Savage Today Lecture objectives: Understand basic principles for building secure systems

968 views • 78 slides
Loose Ends (Finish Anonymity, Fun Side Channels) Fall 2017 Franziska (Franzi) Roesner

Loose Ends (Finish Anonymity, Fun Side Channels) Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Loose Ends (Finish Anonymity, Fun Side Channels) Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

799 views • 33 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Context: Infrastructure-as-a-Service Clouds Client API Cloud Controller VM VM Machine VM VM VM Machine Machine

919 views • 73 slides

More recommend