www.tugraz.at

Slide 9: Complex Load Situations
[Figure: out-of-order core and its memory subsystem. Execution engine: reorder buffer holding the load "mov al, byte [rcx]" among other µOPs, CDB, scheduler; execution units: ALU/FMA, ALU/AES, ALU/Vect, two load-data units, store data, ALU/branch, AGU. Core memory: load buffer, store buffer, DTLB, L1 data cache, LFB. Load buffer entry #n (between #n-1 and #n+1) holds ppn, vpn, offset and the destination register number (reg.no.); the final build shows that data can go to the register.]
Michael Schwarz (@misc0110) et al. — Graz University of Technology
Slide 10: Microcode Assists
• Complex situations handled in microcode
  • Setting accessed/dirty bit
  • TSX abort + rollback
  • ...
• Load needs to be re-issued
• Meltdown effects due to “microarchitectural fault”
• No architectural fault handling required
Slide 11: Attack Targets
• Leak data on same and sibling hyperthread
[Figure: stacked privilege domains that can be targeted: Applications, Operating System, SGX Enclave, Virtual Machine, Hypervisor]
Slide 12: Control
[Figure: per attack, which address bits the attacker controls. Address layout: page number (physical bits 51..12, virtual bits 47..12) and page offset (bits 11..0). Rows: Meltdown, Foreshadow, Fallout, ZombieLoad/RIDL; for ZombieLoad/RIDL the page offset is split at bit 6 into bits 11..6 and 5..0. The shading that marks the controlled bits did not survive extraction.]
Slide 13: Control
key n (0xD2):                 1101 0010
key n+1 (0x1C):               0001 1100
(4,4)-domino n,n+1 (0x21):    0010 0001
The (4,4)-domino byte is the low nibble of key n followed by the high nibble of key n+1, which links the two leaked bytes.
Slide 14: Results
• AES-NI key
• SGX sealing key
• Cross-VM covert channel
• Keyword matching
• URL recovery
• Targeted leakage
Slide 15: Performance
Variant 1: Kernel Mapping                       5.30 kB/s
Variant 2: Transactional Asynchronous Abort    39.66 kB/s
Variant 3: Microcode-Assisted Page-Table Walk   7.73 kB/s
Slide 17: ZombieLoad Insights
[Figure: what each attack class leaks, along the dimensions Instruction Pointer, Address and Data: Memory-based Side-Channel Attacks (Address), Meltdown (Data, Address), Data Sampling (this paper) (Data).]
Slide 18: Intel Mitigations
• Disable hyperthreading or group scheduling
• Overwrite microarchitectural buffers
  • VERW instruction (microcode update)
  • Software sequences
• New CPUs which are not affected
[Table: rows 8th/9th gen. Intel Core (Coffee Lake) and Intel Xeon (Cascade Lake); columns Meltdown, Foreshadow, RIDL, Fallout, MLPDS, MDSUM, ZombieLoad. The affected/not-affected marks did not survive extraction.]
Slide 19: Circumventing Mitigations
• Variant 2 works on all CPUs
  → Embargoed until November 12, 2019
• Microcode and software sequences do not prevent ZombieLoad
  → Reported on May 16, 2019
• ZombieLoad might not only leak from fill buffer
Slide 20: ZombieLoad Mitigations
• Disable hyperthreading
• Flush all buffers on privilege-level change
  • Fill buffer, store buffer, load ports → VERW
  • Flush L1 cache → MSR IA32_FLUSH_CMD
• Disable Intel TSX (MSR TSX_FORCE_ABORT)
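As an added example (not code from the talk or from the IAIK repository), a Python check that maps the Linux kernel's sysfs vulnerability reports onto the mitigations listed above: VERW buffer clearing with working microcode, TSX disabled, and SMT off. The sysfs paths and status-string format are assumed to follow the kernel's admin guide, and the sample strings are constructed.

```python
"""Added example (not from the talk): classify a Linux host's MDS/ZombieLoad
mitigation state from the kernel's sysfs vulnerability reports.
Assumed paths and status-string format follow the kernel admin guide; the
sample strings used below are constructed to match that format."""
from pathlib import Path

SYSFS_VULN = Path("/sys/devices/system/cpu/vulnerabilities")
SYSFS_SMT = Path("/sys/devices/system/cpu/smt/control")


def classify(mds: str, taa: str, smt: str) -> dict:
    """Map the mds, tsx_async_abort and smt/control strings onto the
    slide's mitigations: buffer flush (VERW), TSX off, hyperthreading off."""
    mds, taa, smt = mds.strip(), taa.strip(), smt.strip()
    not_affected = mds == "Not affected" and taa == "Not affected"
    # "Mitigation: Clear CPU buffers" means the kernel issues VERW on
    # privilege-level change and the microcode honours it.
    # "Vulnerable: Clear CPU buffers attempted, no microcode" means the
    # VERW microcode update is missing, so the flush does nothing.
    buffers_cleared = mds.startswith("Mitigation:") and "Clear CPU buffers" in mds
    # Variant 2 (TAA) is closed by disabling TSX or by buffer clearing.
    tsx_disabled = "TSX disabled" in taa
    taa_mitigated = taa == "Not affected" or tsx_disabled or (
        taa.startswith("Mitigation:") and "Clear CPU buffers" in taa)
    # Leakage from the sibling hyperthread is only closed by turning SMT off.
    smt_off = smt in ("off", "forceoff", "notsupported", "notimplemented")
    return {
        "not_affected": not_affected,
        "buffers_cleared": buffers_cleared,
        "tsx_disabled": tsx_disabled,
        "taa_mitigated": taa_mitigated,
        "smt_off": smt_off,
        # All slide mitigations in place, or the CPU reports itself unaffected.
        "slide_mitigations": not_affected or (
            buffers_cleared and taa_mitigated and smt_off),
    }


def classify_host() -> dict:
    """Read the live sysfs files; a missing file is reported as 'unknown'."""
    def read(p: Path) -> str:
        return p.read_text() if p.exists() else "unknown"
    return classify(read(SYSFS_VULN / "mds"),
                    read(SYSFS_VULN / "tsx_async_abort"), read(SYSFS_SMT))


if __name__ == "__main__":
    # Constructed sample: VERW microcode present, TSX still on, SMT still on.
    print(classify("Mitigation: Clear CPU buffers; SMT vulnerable",
                   "Mitigation: Clear CPU buffers; SMT vulnerable", "on"))
    print(classify_host())
```

The talk's own point (Variant 2 worked on all CPUs at the time) means a host that passes every check here is still only as safe as the microcode it runs.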
Slide 21: Transient Execution Attack Tree
Transient cause
└ Meltdown-type
  ├ Meltdown-PF
  │ ├ Meltdown-US → Meltdown-US-LFB (Variant 1)
  │ └ Meltdown-AD → Meltdown-AD-LFB (Variant 3)
  └ Meltdown-MCA → Meltdown-TAA (Variant 2)
Slide 22: GitHub
You can find our proof-of-concept implementation on:
• https://github.com/IAIK/ZombieLoad
Slide 23: Conclusion
• Transient-execution attacks: the gift that keeps on giving
• Class of Meltdown attacks is larger than expected
• CPUs are deterministic - there is no noise