ZombieLoad: Cross-Privilege-Boundary Data Sampling
Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss
whoami
▪ Daniel Moghimi (@danielmgmi)
▪ Computer Security since 2010
  ▪ Reverse Engineering
  ▪ Binary Analysis
  ▪ Application Security
▪ PhD Student since 2017
  ▪ Microarchitectural Security
  ▪ Side Channels
  ▪ Breaking Cryptographic Implementations
Background: Cache Attacks – Cache Memory
[Diagram: memory hierarchy CPU Register → Cache → DRAM. Toward the register: more expensive, but faster. Toward DRAM: cheaper, but slower.]
Background: Cache Attacks – Cache Miss
[Animation: the value 10100110 is not in the cache when requested; it is then placed in the cache]
Background: Cache Attacks – Cache Hit
[Animation: the value 10100110 is already in the cache when requested]
Background: Cache Attacks – Flush & Reload (Yarom et al.)
[Animation: Attacker and Victim share the cache line holding 10100110; frames show the line present in the cache, absent, and present again]
▪ delta > threshold = cache hit
▪ delta < threshold = cache miss
2018: Meltdown Attack?
[Animation: the Virtual Address Space is split into User Space and Kernel Space. Kernel address 0xf…81a0123 holds the string P A S S W O R D. User space holds an Oracle of 256 different CPU cache lines. A load from the kernel address raises a Fault while 'P' reaches the CPU Registers; Flush+Reload (F+R) over the Oracle then recovers 'P' = 0x50.]
Meltdown-style Attacks !!!
▪ Can we do Meltdown with other faults/microcode assists?
▪ Which part of the CPU leaks the data?!
▪ Can we still leak somebody's data?
  ▪ KPTI
  ▪ Meltdown-resistant CPUs, e.g. Coffee Lake
ZombieLoad – How does CPU Work these days?
[Animation: Virtual Address 0x000401 234 → TLB → PMH → Page Walk → page-table entry with the fields P, RW, US, A and Physical Page Number]
ZombieLoad – How does CPU Work these days?
[Animation: Core → L1D Cache → LFB → L2 → L3 → DRAM; a Cache Line passes through the LFB, whose entries are drawn as x x x x x x x …]
ZombieLoad Attack !?!
[Animation: Core → L1D Cache → LFB (10 entries) → L2 → L3 → DRAM. LFB entries (x x x x …) are marked De-allocate. A page-table entry with the fields P, RW, US, A and Physical Page Number is shown next to the load. In the final frames a Cache Line of 0 0 0 is shown alongside LFB contents x x x x 0 0 0 0 x x x x … x, with the labels Variant 1 and Variant 3.]
ZombieLoad – Microcode Assist on 'A' Bit
[Diagram: page-table entry with the fields P, RW, US, A and Physical Page Number; label: Variant 3]
▪ Access Bit
  ▪ CPU tells → OS: A page has been accessed by setting the 'A' Bit
  ▪ OS tells → CPU: A page has not been accessed (just allocated) by clearing the bit
▪ 'A' Bit Microcode Assist
  ▪ Microcode Assists: The CPU executes an internal event handler to service complex instructions/operations
  ▪ The microcode assist flushes the pipeline.
  ▪ Intel CPUs set 'A' bit using a microcode assist
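The page-table entry fields drawn on these slides (P, RW, US, A, Physical Page Number), decoded in an added example that is not part of the original talk. It assumes the x86-64 4 KiB page-table entry layout; the `load_path` names and the simplified classification of a user-mode load are hypothetical, and the sample entries are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4 KiB page-table entry bits for the fields named on the slides. */
#define PTE_P        (1ULL << 0)            /* Present */
#define PTE_RW       (1ULL << 1)            /* Read/Write */
#define PTE_US       (1ULL << 2)            /* User/Supervisor */
#define PTE_A        (1ULL << 5)            /* Accessed */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL  /* physical page number, bits 12..51 */

/* Hypothetical names (not from the talk): how a user-mode load is serviced. */
enum load_path {
    LOAD_FAULT_NOT_PRESENT,  /* P = 0: page fault */
    LOAD_FAULT_SUPERVISOR,   /* US = 0: user access to a kernel page faults */
    LOAD_ASSIST_SET_A,       /* A = 0: 'A' bit must be set first (microcode assist) */
    LOAD_PLAIN               /* translation used as-is */
};

uint64_t pte_pfn(uint64_t pte) { return (pte & PTE_PFN_MASK) >> 12; }

/* Simplified model (assumption): leaf entry only, read access, no NX/SMAP/PKU. */
enum load_path classify_user_load(uint64_t pte)
{
    if (!(pte & PTE_P))  return LOAD_FAULT_NOT_PRESENT;
    if (!(pte & PTE_US)) return LOAD_FAULT_SUPERVISOR;
    if (!(pte & PTE_A))  return LOAD_ASSIST_SET_A;
    return LOAD_PLAIN;
}

const char *load_path_name(enum load_path p)
{
    static const char *names[] = { "fault (not present)", "fault (supervisor page)",
                                   "microcode assist (set A)", "plain load" };
    return names[p];
}

int main(void)
{
    /* Constructed sample entries, not taken from a real system. */
    const uint64_t samples[] = { 0x0000000012345027ULL, 0x0000000012345007ULL,
                                 0x0000000012345023ULL, 0x0000000012345026ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("pte=%#018llx pfn=%#llx -> %s\n",
               (unsigned long long)samples[i],
               (unsigned long long)pte_pfn(samples[i]),
               load_path_name(classify_user_load(samples[i])));
    return 0;
}
```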
ZombieLoad VS. other Meltdown-Style Attacks
What can we do with this data leakage?
▪ Architecturally
  ▪ Attack across Process Context Switches
  ▪ Attack across Simultaneous Multithreading (SMT), a.k.a. Intel Hyper-Threading
▪ Scenarios:
  ▪ Cross-Process
  ▪ Cross-VM
  ▪ Intel SGX
Data Sampling - Domino Attack
▪ We may leak bytes of data from other unimportant fill buffer entries
▪ Leak domino bytes to perform error correction
[Animation: Target bit string … 11010011 01111111 01111111, labelled Secret. Sampled byte values accumulate across frames; the final frame shows 0x84 0x7f 0xd3 0x7f 0x0e 0x37 0xb0 0x37 0xd3 0x10 0x4f.]
Recovering Intel SGX Sealing Key
▪ Intel SGX allows developers to have hardware support for a TEE
▪ A malicious OS is part of the threat model
▪ We can read register values of a trusted enclave with the help of a malicious OS
[Diagram labels: sgx-step; Mark Non-Executable; z-step]