Spectre bug (variant 1 Bounds check bypass) Project Zero
News and updates from the Project Zero team at Google
Wednesday, January 3, 2018
Reading privileged memory with a side-channel Posted by Jann Horn, Project Zero
[...]
Consider the code sample below. If arr1->length is uncached, the processor can speculatively load data from arr1->data[untrusted_offset_from_caller]. This is an out-of-bounds read. That should not matter because the processor will effectively roll back the execution state when the branch has executed; none of the speculatively executed instructions will retire (e.g. cause registers etc. to be affected).
struct array { unsigned long length; unsigned char data[]; }; struct array *arr1 = ...; unsigned long untrusted_offset_from_caller = ...;
if (untrusted_offset_from_caller < arr1->length) { unsigned char value = arr1->data[untrusted_offset_from_caller]; ... } Spectre bug (variant 1 Bounds check bypass) However, in the following code sample, there's an issue. If arr1->length, arr2->data[0x200] and arr2->data[0x300] are not cached, but all other accessed data is, and the branch conditions are predicted as true, the processor can do the following speculatively before arr1->length has been loaded and the execution is re-steered:
Ÿ load value = arr1->data[untrusted_offset_from_caller] Ÿ start a load from a data-dependent offset in arr2->data, loading the corresponding cache line into the L1 cache
struct array { This also relys on the cache processing misses unsigned long length; “out of order” and in an overlapped order. unsigned char data[]; }; struct array *arr1 = ...; /* small array */ struct array *arr2 = ...; /* array of size 0x400 */
unsigned long untrusted_offset_from_caller = ...; if (untrusted_offset_from_caller < arr1->length) { unsigned char value = arr1->data[untrusted_offset_from_caller]; unsigned long index2 = ((value&1)*0x100)+0x200; if (index2 < arr2->length) { unsigned char value2 = arr2->data[index2]; } }
After the execution has been returned to the non-speculative path because the processor has noticed that untrusted_offset_from_caller is bigger than arr1->length, the cache line containing arr2->data[index2] stays in the L1 cache. By measuring the time required to load arr2->data[0x200] and arr2->data[0x300], an attacker can then determine whether the value of index2 during speculative execution was 0x200 or 0x300 - which discloses whether arr1->data[untrusted_offset_from_caller]&1 is 0 or 1.
Side-channel attack: In this case, the side-channel is time and can be used to expose information in the “secure” channel. Spectre bug (variant 1 Bounds check bypass) To be able to actually use this behavior for an attack, an attacker needs to be able to cause the execution of such a vulnerable code pattern in the targeted context with an out-of-bounds index. For this, the vulnerable code pattern must either be present in existing code, or there must be an interpreter or JIT engine that can be used to generate the vulnerable code pattern. So far, we have not actually identified any existing, exploitable instances of the vulnerable code pattern; the PoC for leaking kernel memory using variant 1 uses the eBPF interpreter or the eBPF JIT engine, which are built into the kernel and accessible to normal users.
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html Memory Technology Typical access time $ per GB in 2012 SRAM semiconductor memory 0.5-2.5 ns $500 - $1000 DRAM semiconductor memory 50-70 ns $10 - $20 Flash semiconductor memory 5,000 - 50,000 ns $0.75 - $1.00 Magnetic Disk 5,000,000 - 20,000,000 ns $0.05 - $0.10
Current Processor Speed Size Cost ($/bit) technology
Fastest Memory Smallest Highest SRAM
Memory DRAM
Slowest Memory Biggest Lowest Magnetic disk
FIGURE 5.1 The basic structure of a memory hierarchy. By implementing the memory system as a hierarchy, the user has the illusion of a memory that is as large as the largest level of the hierarchy, but can be accessed as if it were all built from the fastest memory. Flash memory has replaced disks in many embedded devices , and may lead to a new level in the storage hierarchy for desktop and server computers; see Section 6.4. Copyright©2009 Elsevier, Inc. All rights reserved. Bank Column Rd/Wr
Act
Pre
Row
DRAM FIGURE 5.4 Internal organization of a DRAM. Modern DRAMs are organized in banks, SDRAM typically four for DDR3. Each bank consists of a series of rows. Sending a PRE DDR (precharge) command opens or closes a bank. A row address is sent with an Act (activate), which causes the row to transfer to a buffer. When the row is in the buffer, it can be transferred by successive column addresses at whatever the width of the DRAM is (typically 4, 8, or 16 bits in DDR3) or by specifying a block transfer and the starting address. Each command, as well as block transfers, is synchronized with a clock. Copyright©2014 Elsevier, Inc. All rights reserved.
DDR4-3200 = 3200 x106 transfers / sec using 1.6 GHz clock This is done using multiple banks, accessing the same row in all banks simultaneously and rotating between them This is also known as address interleaving.
DIMMS typically use 4-16 DRAM chips normally organized 8 bytes wide A DIMM with DDR4-3200 DRAMs can transfer 8 x 3200 x 106 = 25600 MB/s aka PC25600 The chips on a DIMM are organized in rows 8 bytes wide called ranks. Bank Column Rd/Wr
Act
Pre
Row Average column Total access time to access time to Year introduced Chip size $ per GiB a new row/column existing row 1980 64 Kibibit $1,500,000 250 ns 150 ns 1983 256 Kibibit $500,000 185 ns 100 ns 1985 1 Mebibit $200,000 135 ns 40 ns 1989 4 Mebibit $50,000 110 ns 40 ns 1992 16 Mebibit $15,000 90 ns 30 ns 1996 64 Mebibit $10,000 60 ns 12 ns 1998 128 Mebibit $4,000 60 ns 10 ns 2000 256 Mebibit $1,000 55 ns 7 ns 2004 512 Mebibit $250 50 ns 5 ns 2007 1 Gibibit $50 45 ns 1.25 ns 2010 2 Gibibit $30 40 ns 1 ns 2012 4 Gibibit $1 35 ns 0.8 ns
FIGURE 5.5 DRAM size increased by multiples of four approximately once every three years until 1996, and thereafter considerably slower. The improvements in access time have been slower but continuous, and cost roughly tracks density improvements, although cost is often affected by other issues, such as availability and demand. The cost per gibibyte is not adjusted for inflation. Copyright©2014 Elsevier, Inc. All rights reserved. Processor
Hit, Hit ratio Cache Locality: Temporal Data is transferred Spatial
Main Memory
FIGURE 5.2 Every pair of levels in the memory hierarchy can be thought of as having an upper and lower level. Within each level, the unit of information that is present or not is called a block or a line. Usually we transfer an entire block when we copy something between levels. Copyright©2009 Elsevier, Inc. All rights reserved. N = number of blocks in the cache cache block index = mod(memory block address, N) or the lower n bits of the memory block address if N = 2n Cache Block Index 0 1 0 0 1 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 1 1 1 1
Memory Block address: 00001 00101 01001 01101 10001 10101 11001 11101 Memory
FIGURE 5.8 A direct-mapped cache with eight entries showing the addresses of memory words between 0 and 31 that map to the same cache locations. Because there are eight words in the cache, an address X maps to the direct-mapped cache word X modulo 8. That is, the low- order log2(8) = 3 bits are used as the cache index. Thus, addresses 00001two, 01001two, 10001two, and 11001two all map to entry 001two of the cache, while addresses 00101two, 01101two, 10101two, and 11101two all map to entry 101two of the cache. Copyright © 2009 Elsevier, Inc. All rights reserved.