arXiv:2007.06865v2 [cs.CR] 17 Jul 2020 rga lutae nomto ek i Spectre-PHT: via leaks information illustrates program culotoeo h rnhi ultimately is branch the of outcome actual ehns noeeuigthe executing into mechanism a xctd n hnuei opeitteotoeof outcome direction the one execute predict to to PHT the it the poisoning (say use By then branch. that and executed, was odtoa rnhs .. hte the whether i.e., branches, conditional use CPUs outcome the Modern Tables for branches. mechanism conditional prediction of the exploits [3], PHT n edmntaete nAMCortex-A53. SiSCloak ARM dubbed on vulnerabilities, them of demonstrate we class and new a by absence affected the in cache the loads. on speculative footprint of any leave buf T or cause execution. cannot overreads mispredictions out-of-order that fetchi was or argument speculative execution informal allow speculative they not because t but attack immune of claimed types were these Cortex-A53) (e.g., as croarchitectures methods, several via [6]. cache Flush+Reload measured use and be attacks [5] can Prime+Probe These abou that programs. information channels of sensitive side designs contents leak processor can memory that the produced channels has side out-of- with execution parallelism, level speculative instruction and of microarc use computer The current tecture. of insecurity fundamental the of vulnerab of class new SiSCloak this named We not does execution. microarchitecture out-of-order the if even leakage speculative side-channels. conten memory via the process about a out-of-o information pipelining, extract like to features speculation use attacks These softwar cure. make can optimizations microarchitectural modern 1 h rgnlSetevleaiiy ubdSpectre- dubbed vulnerability, Spectre original The nti ae eso htteeacietrscnbe can architectures these that show we paper this In mi- some published, was attack Spectre first the When evidence provided have [4] [3], Meltdown and Spectre Both by affected is Cortex-A53 that demonstrate we paper this In Abstract IgeSeuaieLa AttacK LOad SpeCulative SIngle PT orcr atrso ateeuin of executions past of patterns record to (PHT) 1 . true Tercn pcr tak aedmntae that demonstrated have attacks Spectre recent —The pcltv ekg nAMCortex-A53 ARM in Leakage Speculative rnh,a takrcnfo h prediction the fool can attacker an branch), I S II. .I I. ae Nemati Hamed NTRODUCTION PECTRE true -PHT ∗ emot etrfrIfrainScrt (CISPA) Security Information for Center Helmholtz rnh vnwe the when even branch, true ∗ oet Guanciale Roberto , false rthe or † T oa nttt fTechnology { of Institute Royal KTH atr History Pattern h following The . idea urs robertog buiras, lindnera, false [email protected] drand rder support branch inse- e order, ilities sof ts fer hi- ng he o t , † #B htrassniiedt,wihi ae sda ne o a for index as used later is read which memory data, second in sensitive access of reads memory that size out-of-bounds an the perform exceeds to that value a h estv aab evn rc ntecache. the on trace a leaving by data sensitive the h he eoyacse r nydpnato public of dependant only are location accesses the information: memory three the uin natce a oltepeito ehns yfirs by mechanism prediction of the values fool supplying can attacker an cution, rnhcniini eovd o hsrao,tela from load the reason, this For resolved. is condition branch sdi pclto,hence speculation, in used CPU from the load for to instance subsystem #A+R0 For instruction memory the pipeline. speculated request CPU speculatively a may short regis of the of absence and the result renaming to do due the it probably use operations, but subsequent actual to speculation, is in allow Cortex-A53 instructions not instance, executing For of accurate. capable totally not memory two is the execute leakage. speculative cannot instruction the it prevents the but This decode branch, reads. and wrong mis- fetch the may output, in CPU branch n the fetched the is because the above predict architectures presented these of on Spectre speculative successful execution of allow variation speculative The they prevent instructions. because but attacks fetching Spectre to immune nue that ensures #A fregister of of array element the every into that index data, confidential contain address at nti aetevci wsarrays owns victim the case this In R1) < (R0 if LD[#A-size] = R1 al Buiras Pablo , oee,i h iracietr uprsseuaieex speculative supports microarchitecture the if However, uigoreprmnsw icvrdta h bv claim above the that discovered we experiments our During claimed were Cortex-A53) (e.g., microarchitectures Some hspormi osdrdscr tteIAlvla it as level ISA the at secure considered is program This 3=LD[#B+R2] = LD[#A+R0] R3 = R2 h takrinput attacker the , and I.I III. } u h euto h eoyoeaincno be cannot operation memory the of result the but , @kth.se #B #A-size R0 VLEAIIYOF NVULNERABILITY epciey h ieo h rtaryi stored is array first the of size The respectively. R0 . † nra Lindner Andreas , lasle ihntebud of bounds the within lies always R0 B easm httetoary onot do arrays two the that assume We . LD[#B+R2] n htteatce otostevalue the controls attacker the that and , R0 hteeuethe execute that and , #A-size LD[#B+R2] #A[R0] A h atracs a leak can access latter The . R C ARM #A h oain of locations the , and † hscue h CPU the causes This . true . B ssaldutlthe until stalled is htsata address at start that ORTEX rnh n then and branch, LD[#A+R0] A -A53 savalid a is #A #A and and ter es ly ot e- s t #A+R0, whose address is not confidential, can affect the cache, their practical exploitation as future work. Similar to the while the load from LD[#B+R2], whose address may contain original Spectre PHT attack we mistrain the branch predictor confidential data, cannot. This makes the original version of by executing the victim code in a loop with valid inputs, Spectre ineffective on ARM Cortex-A53. thereby training the branch predictor to expect that conditional expression will be true. Next we execute the victim code with IV. SISCLOAK malicious inputs. While according to the processor reference The discussion above does not answer a more general manual speculative execution of the code residing in true question: do Cortex-A53 cores prevent all leakage due to branch should not happen with malicious input, we observed speculation? Here we show that the answer is no and we different effects at the microarchitectural level. provide two similar counterexamples. The first counterexample In order to collect evidence that speculative execution of is the following program: code after the conditional expression happens, we initially used R1 = LD[#A-size] ARM TrustZone and we exploited privileged debug instruc- if (R0 < R1) tions to directly inspect the cache state. Later we simulated a R2 = LD[#A+R0] real attack, were we used timing analysis to leak the secret. if (R2 & 0x80000000) This is done using Flush+Reload attack, where the attacker R3 = LD[#B+R2] invalidates shared cache lines, causes the execution of the victim code, and then measures the timing of a later access to In this case we assume that array B does not contain confi- the shared lines. If the access time to the shared lines incurs dential data, that every element of A is a valid index into the shorter latency, the attacker can infer which lines have been array B, and that the attacker controls the value of register accessed by the victim. To access timing information we used R0. We also assume that the highest bit of each element of the cycle counter of Cortex-A53 PMC, which allows us to A identifies the classification of the element itself, i.e. the accurately measure latency of memory accesses. element is public only if the highest bit is set. This program is considered secure at the ISA level as it ensures that R0 always VI. CONCLUDING REMARKS lies within the bounds of #A and that no memory access We show two new speculative vulnerabilities that affect the depends of non-public information. However, we discovered ARM Cortex-A53 processor. This invalidates common beliefs that on Cortex-A53 this program is not secure. In fact, the regarding the immunity of this processor against Spectre-like CPU may mispredict condition R2 & 0x80000000 which attacks. Our experiments show that Cortex-A53 speculatively leads to consider a confidential element is public. In this executes instructions located after a conditional expression case, the CPU may speculatively access #B+R2, making the which needs to load its operands from the memory. However, confidential data in R2 affect the cache. the length of this speculative execution is limited to at most The second counterexample (which was also previously two instructions; if one of the two instructions is a load froma presented but not experimented in [2]) is a variation of Spectre cacheable memory address then the corresponding cache-line PHT: is speculatively filled with values from the memory. R1 = LD[#A-size] Recently ARM published a similar vulnerability, which R2 = LD[#A+R0] has been called “straight-line speculation” [1]. Straight-line if (R0 < R1) speculation involves the processor to speculatively execute the R3 = LD[#B+R2] next instructions past an unconditional change in control flow. The report shows that existing ARM processors are affected With respect Spectre PHT, the access R2 = LD[#A+R0] has by this vulnerability for unconditional indirect branches and been anticipated by the programmer or the compiler. In this function returns, but are not affected for unconditional direct case, a Cortex-A53 CPU may mispredict condition R0 < R1 branches. We believe that both SiSCloak and straight-line and speculatively access #B+R2, which may contain data that speculation are caused by the ability of ARM Cortex-A53 to has been read out-of-bound. speculatively issue memory requests when the control flow can not be statically determined. V. EXPERIMENTATION We conducted our experiments on Raspberry Pi 3, which is RESPONSIBLE DISCLOSURE a widely available ARMv8 embedded system. The platform’s SiSCloak was responsibly disclosed to ARM by the authors CPU is a Cortex-A53, and according to the reference manual it on June 2020. As part of the disclosure process, ARM con- is an 8-stage pipelined processor with a 2-way superscalar and firmed that the Cortex-A53 is vulnerable to attacks based on in-order execution pipeline. The CPU also implements branch single speculative memory loads, as described in this report. prediction and a performance monitor counter (PMC) which we used for timing analysis. REFERENCES Our experimentation platform runs as bare-metal code, there [1] ARM: Straight-line speculation. Whitepaper (2020) are no background processes or interrupts. In fact, our goal is [2] Guarnieri, M., Kpf, B., Reineke, J., Vila, P.: Hardware-software contracts to show that these speculative leakages exist and we leave for secure speculation (2020) [3] Kocher, P., Horn, J., Fogh, A., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: Exploiting speculative execution. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19-23, 2019. pp. 1–19 (2019) [4] Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., et al.: Meltdown: Reading kernel memory from user space. In: 27th USENIX Security Symposium. pp. 973–990 (2018) [5] Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side- channel attacks are practical. In: 2015 IEEE Symposium on Security and Privacy. pp. 605–622. IEEE (2015) [6] Yarom, Y., Falkner, K.: Flush+ reload: a high resolution, low noise, l3 cache side-channel attack. In: 23rd USENIX Security Symposium. pp. 719–732 (2014)