LVI Hijacking Transient Execution with Load Value Injection

Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020

1 Daniel Gruss, Daniel Moghimi, Jo Van Bulck National Geographic Processor security: Hardware isolation mechanisms

App App App Enclave

VM OS VM OS

Hypervisor (VMM)

3 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

printf("%d", i); printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

Cache miss printf("%d", i); printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

Request Cache miss printf("%d", i); printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

Request Cache miss printf("%d", i); i printf("%d", i); Response

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

Request Cache miss printf("%d", i); i printf("%d", i); Response

Cache hit

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck CPU Cache

DRAM access, slow

Request Cache miss printf("%d", i); i printf("%d", i); Response

Cache hit No DRAM access, much faster 4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush cached Shared Memory access access cached

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush Shared Memory access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush Shared Memory access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush Shared Memory access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Flush+Reload

Shared Memory ATTACKER VICTIM

flush Shared Memory access access

fast if victim accessed data, slow otherwise

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Memory Access Latency

Cache Hits

107

104

101 Number of Accesses 50 100 150 200 250 300 350 400 Latency [Cycles]

6 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Memory Access Latency

Cache Hits Cache Misses

107

104

101 Number of Accesses 50 100 150 200 250 300 350 400 Latency [Cycles]

6 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

We can communicate across protection walls using microarchitectural side-channels! Leaky processors: Jumping over protection walls with side-channels

App App App Enclave

VM OS VM OS

Hypervisor (VMM)

9 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Side-channel attacks are known for decades already – what’s new?

4000

3000

2000 DO WE JUST SUCK AT... COMPUTERS? YUP. ESPECIALLY SHARED ONES. 1000

1990 1994 1998 2002 2006 2010 2014 2018

10 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Side-channel attacks are known for decades already – what’s new?

4000

3000

2000 DO WE JUST SUCK AT... COMPUTERS? YUP. ESPECIALLY SHARED ONES. 1000

1990 1994 1998 2002 2006 2010 2014 2018

10 Daniel Gruss, Daniel Moghimi, Jo Van Bulck 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D

add %rax, %rcx F

sub %rdx, %rsi

jne target:

add %rax, %rax

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

1

1 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D X

add %rax, %rcx F D

sub %rdx, %rsi F

jne target:

add %rax, %rax

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

2

2 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D X C

add %rax, %rcx F D X

sub %rdx, %rsi F D

jne target: F

add %rax, %rax

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

3

3 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D X C

add %rax, %rcx F D X C

sub %rdx, %rsi F D X

jne target: F D

add %rax, %rax

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

4

4 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D X C

add %rax, %rcx F D X C

sub %rdx, %rsi F D X C

jne target: F D X

add %rax, %rax

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

5

5 4/30/2020

Pipeline Bubble

Fetch Decode Execute Commit

movb $20, %al F D X C

add %rax, %rcx F D X C

sub %rdx, %rsi F D X C

jne target: F D X

add %rax, %rax F

target:

11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

6

6 Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT BTB

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT BTB

0xff00123: jne

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT BTB

0xff00123: jne

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT BTB

0xff00123: jne

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Branch Prediction and Side Channel

cmp %rax, %rbx 0x100123: jne PHT BTB

0xff00123: jne

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = C

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result × C

square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result

square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result

square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result × C

square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result × C

square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck RSA

M=C d modn

1 1 0 0 1 1 0 ...

Result = Result × Result

square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck ? ??

Spectre-PHT (v1)

LUT index =0;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =0;

char* data =”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =0;

char* data =”textKEY”;

if (index < 4) Speculate else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =0;

char* data =”textKEY”;

if (index < 4) Execute else then Index ’t’ Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =1;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =1;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =1;

char* data = ”textKEY”;

if (index < 4) Speculate Index ’e’ else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =1;

char* data = ”textKEY”;

if (index < 4)

Index ’e’ else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =2;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =2;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =2;

char* data = ”textKEY”;

if (index < 4) Speculate else then Prediction Index ’x’ LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =2;

char* data = ”textKEY”;

if (index < 4)

else then Prediction Index ’x’ LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =3;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =3;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =3;

char* data = ”textKEY”;

if (index < 4) Speculate else then Index ’t’ Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =3;

char* data = ”textKEY”;

if (index < 4)

else then Index ’t’ Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =4;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =4;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =4;

Index ’K’ char* data = ”textKEY”;

if (index < 4) Speculate else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =4;

Index ’K’ char* data = ”textKEY”;

if (index < 4) Execute else

then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =5;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =5;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =5;

Index ’E’ char* data = ”textKEY”;

if (index < 4) Speculate else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =5;

Index ’E’ char* data = ”textKEY”;

if (index < 4) Execute else

then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =6;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =6;

char* data = ”textKEY”;

if (index < 4)

else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =6;

char* data = ”textKEY”; Index ’Y’

if (index < 4) Speculate else then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Spectre-PHT (v1)

LUT index =6;

char* data = ”textKEY”; Index ’Y’

if (index < 4) Execute else

then Prediction

LUT[data[index] * 4096] 0

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck ?? Meltdown: Transiently encoding unauthorized memory

Unauthorized access

16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window

oracle array secret idx

16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window Exception (discard architectural state)

16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window Exception handler

oracle array

cache hit

16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Meltdown variants: Microarchitectural bu€ers

CDB L1 Instruction Cache Reorder bu€er ITLB µOP µOP µOP µOP µOP µOP µOP µOP

Scheduler Branch Instruction Fetch & PreDecode Predictor µOP µOP µOP µOP µOP µOP µOP µOP Instruction Queue

µOP Cache 4-Way Decode AGU Frontend µ µ µ µ µ

OPs OP OP OP OP Load data Load data Store data ALU, Branch Execution Engine ALU, AES, . . .

MUX ALU, FMA, . . . ALU, Vect, . . .

Allocation Queue Execution Units

µ µOP µOP µOP OP

Load Bu€er Store Bu€er

DTLB STLB L1 Data Cache LFB L2 Cache L3 Cache DRAM Memory Subsystem

17 Daniel Gruss, Daniel Moghimi, Jo Van Bulck The transient-execution zoo https://transient.fail

PHT-CA-IP Cross-address-space PHT-CA-OP Spectre-PHT PHT-SA-IP Same-address-space PHT-SA-OP

BTB-CA-IP Cross-address-space BTB-CA-OP Spectre-BTB Spectre-type BTB-SA-IP Same-address-space BTB-SA-OP

RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Spectre-STL RSB-SA-IP Same-address-space RSB-SA-OP

Meltdown-US-L1 Transient cause Meltdown-US Meltdown-US-LFB Meltdown-US-SB

Meltdown-NM-REG Meltdown-P-L1 Meltdown-PF Meltdown-P-LFB Meltdown-P Meltdown-P-SB Meltdown-RW Meltdown-P-LP Meltdown-PK-L1 Meltdown-SM-SB

Meltdown-type Meltdown-MPX Meltdown-BR Meltdown-BND

Meltdown-CPL-REG Meltdown-GP Meltdown-NC-SB

Meltdown-AD-LFB Meltdown-AD Meltdown-MCA Meltdown-AD-SB Meltdown-AVX-LP

18 Daniel Gruss, Daniel Moghimi, Jo Van Bulck ?

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Enclaves to the rescue!

App App Enclave app

OS kernel

Hypervisor

TPM CPU Mem HDD

Intel SGX promise: hardware-level isolation and attestation

21 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Intel So†ware Guard Extensions (SGX)

Application

Untrusted part Trusted part Create Enclave Trusted Fnc.

Call Trusted Fnc. Call Gate

Return

...

Operating System

22 Daniel Gruss, Daniel Moghimi, Jo Van Bulck • . . . but untrusted address translation may fault during enclaved execution (!)

Intel SGX: A look under the hood

logical address paging unit SGX checks physical address

• SGX machinery protects against direct address remapping attacks

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Intel SGX: A look under the hood

logical address paging unit SGX checks physical address

page fault (#PF)

• SGX machinery protects against direct address remapping attacks • . . . but untrusted address translation may fault during enclaved execution (!)

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Intel SGX: A look under the hood

logical address paging unit SGX checks physical address

page fault (#PF)

We can arbitrarily provoke page faults for trusted enclave loads!

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck A toy example

1 void c a l l victim(size t untrusted arg ) 2 { 3 * arg copy = untrusted arg ; 4 array [ **trusted ptr * 4096]; 5 }

24 Daniel Gruss, Daniel Moghimi, Jo Van Bulck A Toy Example: Recovering arbitrary secrets

600 400 200 [cycles]

Access time 0 0 20 40 60 80 100 120 140 160 180 200 220 240 Page

25 Daniel Gruss, Daniel Moghimi, Jo Van Bulck We can setup a fake transient stack in the store bu€er!

Real-world LVI ROP gadget in SGX-SDK

1 ;%rbx: user −controlled argument ptr(outside enclave) 2 sgx my sum bridge : 3 ... 4 c a l l my sum ; compute0x10(%rbx)+0x8(%rbx) 5 mov %rax,(%rbx) ; P1: store sum to user address 6 xor %eax,%eax 7 pop %rbx 8 ret ; P2: load from trusted stack 9

26 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Real-world LVI ROP gadget in SGX-SDK

1 ;%rbx: user −controlled argument ptr(outside enclave) 2 sgx my sum bridge : 3 ... 4 c a l l my sum ; compute0x10(%rbx)+0x8(%rbx) 5 mov %rax,(%rbx) ; P1: store sum to user address 6 xor %eax,%eax 7 pop %rbx 8 ret ; P2: load from trusted stack 9

We can setup a fake transient stack in the store bu€er!

26 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Real-world LVI-ROP gadget in Quoting Enclave

1 intel avx rep memcpy : ; libirc 2 . 4/efi2/libirc.a 2 ... ; P1: store to user address 3 vmovups %xmm0,−0x10(%rdi,%rcx ,1) 4 ... 5 pop %r12 ; P2: load from trusted stack 6 ret

7

27 Daniel Gruss, Daniel Moghimi, Jo Van Bulck JO: explain brie‚y Worse: “Inverse Foreshadow” can remap the L1D cache!

P1_gadget: 2 RAX mov (%rdi), %r12 P3 address mov -8(%rdi), %r13 Enclave code

L1D cache 3 P2_gadget: pop %rax LVI retq P3_gadget: 4 movb (%rax), %al 1 Page table entry stack mov (%rdi,%al), %rcx User page

RAX %rdi P3 gadget address virtual page offset

29 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

• . . . but NULL is a valid virtual memory address, under attacker control • . . . hijack function pointer-to-pointer

LVI-NULL: Why 0x00 is not a safe value

• Recent Intel CPUs forward 0x00 dummy values for faulting loads

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck • . . . hijack function pointer-to-pointer

LVI-NULL: Why 0x00 is not a safe value

NULL attacker-controlled page 2

1 trusted enclave load

• Recent Intel CPUs forward 0x00 dummy values for faulting loads • . . . but NULL is a valid virtual memory address, under attacker control

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI-NULL: Why 0x00 is not a safe value

NULL &P3_gadget %rbx=NULL 2 %rax P2_gadget: 1 mov (%rax), %rbx &trusted_func_pt call (%rbx) &trusted_func

• Recent Intel CPUs forward 0x00 dummy values for faulting loads • . . . but NULL is a valid virtual memory address, under attacker control • . . . hijack function pointer-to-pointer

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Real-World LVI-NULL gadget

1 asm oret : ;(linux −sgx/sdk/trts/linux/trts p i c . S#L454) 2 ... 3 mov 0x58(%rsp),%rbp ;%rbp <− NULL 4 ... 5 mov %rbp ,% rsp ;%rsp <− NULL 6 pop %rbp ;%rbp <− * (NULL) 7 ret ;%rip <− * (NULL+8) 8

31 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI-NULL fault injection to reduce AES rounds

Architectural 1 Change Page Execution movdqu (%rdx), %xmm0 2 Input Permission movdqu (%rcx), %xmm4 add $0x10, %rdx Load RK0 pxor %xmm4, %xmm0 Single Step movdqu 0x10(%r2cx), %xmm4 Load RK1 aesdec %xmm4, %xmm0 movdqu 0x20(%rcx), %xmm4

Load RK2 times aesdec %xmm4, %xmm0

... Repeated 9 Transient 3 movdqu 0xa0(%rcx), %xmm4 Load RK10 Execution aesdeclast %xmm4, %xmm0 movdqu %xmm0, -0x10(%r8,%rdx,1) Output Recover Faulty 4 access oracle[output[byte_index] * 4096];4 Output

32 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Mitigation Sequences

Instruction Possible Emulation Clobber ret pop %reg; lfence; jmp *%reg  ret not (%rsp); not (%rsp); lfence; ret  jmp (mem) mov (mem),%reg; lfence; jmp *%reg  call (mem) mov (mem),%reg; lfence; call *%reg 

34 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Performance Overheads (Our Mitigation)

own-full own-ret 13 1,500 . 29 . 36 53 . . 978 87 81 . 88 . 15 . 782 , .

1 000 703 650 1 568 543 . 492 430 2 . 39 42 247 . .

500 91 59 02 74 62 . . . . . 85 15 12 5 5 2 1 0 Overhead [%] 0

ecdh aes-128 cbc rsa 4096 rsa 4096 ecdsa ecdsa ghash sha256 sha512 (sign) (verify) nistp256 nistp256 nistp256 (sign) (verify)

35 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Performance Overheads (Intel’s Mitigation) 15

. gcc-lfence clang-full clang-ret 2,500 48 27 . 05 1868 . . 73 2,000 . 1372 1365 94 1287 . 61 1214 04 , 21 22 . 75 22 . 1 500 . . . . 01 25 . 51 820 5 89 . 758 757 . . . 715 712 , 699 1 000 638 94 56 439 . 379 . 48 352 45 326 298 . . 76 6 25 44 8 91 ...... Overhead [%]

500 98 82 16 15 8 5 3 2 0 0 0

ecdh aes-128 cbc rsa 4096 rsa 4096 ecdsa ecdsa ghash sha256 sha512 (sign) (verify) nistp256 nistp256 nistp256 (sign) (verify)

36 Daniel Gruss, Daniel Moghimi, Jo Van Bulck Performance Overheads (Intel’s Mitigation)

gcc-lfence clang-full clang-ret 26 1,500 . 13 . 1081 83 3 . . 830 , 24

1 000 . 58 4 673 . 661 15 . . 592 6 31 05 39 . . 55 502 . 82 78 . 71 . . . . 404 380 367 16 23 11 66 9 281 06 09 . . 264 261 81 . 500 . . 99 230 . . 215 . 207 189 188 . 52 86 . 84 82 80 76 Overhead [%] 75 67 30 23 2 0

657.xz 600.perlbench 602.gcc 605.mcf 620.omnetpp 623.xalancbmk 625.x264 631.deepsjeng 641.leela

37 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Take Aways https://lviattack.eu/

⇒ New emerging and powerful class of transient-execution attacks

⇒ Importance of fundamental side-channel research

⇒ Security cross-cuts the system stack: hardware, hypervisor, kernel, compiler, application

38 Daniel Gruss, Daniel Moghimi, Jo Van Bulck LVI Hijacking Transient Execution with Load Value Injection

Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020

39 Daniel Gruss, Daniel Moghimi, Jo Van Bulck