LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection Jo Van Bulck∗, Daniel Moghimiy, Michael Schwarzz, Moritz Lippz, Marina Minkinx, Daniel Genkinx, Yuval Yarom{, Berk Sunary, Daniel Grussz, and Frank Piessens∗ ∗imec-DistriNet, KU Leuven yWorcester Polytechnic Institute zGraz University of Technology xUniversity of Michigan {University of Adelaide and Data61 Abstract—The recent Spectre attack first showed how to inject operations, which may encode the data before an exception incorrect branch targets into a victim domain by poisoning is eventually raised. Over the past year, delayed exception microarchitectural branch prediction history. In this paper, we handling and microcode assists have been shown to transiently generalize injection-based methodologies to the memory hierar- chy by directly injecting incorrect, attacker-controlled values into expose data from various microarchitectural elements (i.e., L1D a victim’s transient execution. We propose Load Value Injection cache [42, 61], FPU register file [57], line-fill buffer [42, 53, (LVI) as an innovative technique to reversely exploit Meltdown- 67], store buffer [9], and load ports [29, 67]). Unlike Spectre- type microarchitectural data leakage. LVI abuses that faulting type attacks, a Meltdown attacker in one security domain can or assisted loads, executed by a legitimate victim program, may directly exfiltrate architecturally inaccessible data belonging to transiently use dummy values or poisoned data from various microarchitectural buffers, before eventually being re-issued by another domain (e.g., kernel memory). Consequently, existing the processor. We show how LVI gadgets allow to expose Meltdown mitigations focus on restricting the attacker’s point victim secrets and hijack transient control flow. We practically of view, e.g., placing victim data out of reach [20], flushing demonstrate LVI in several proof-of-concept attacks against Intel buffers after victim execution [25, 29], or zeroing unauthorized SGX enclaves, and we discuss implications for traditional user data flow directly at the silicon level [28]. process and kernel isolation. State-of-the-art Meltdown and Spectre defenses, including Given the widespread deployment of Meltdown countermea- widespread silicon-level and microcode mitigations, are orthog- sures, including changes in operating systems and CPUs, we onal to our novel LVI techniques. LVI drastically widens the ask the following fundamental questions in this paper: spectrum of incorrect transient paths. Fully mitigating our attacks requires serializing the processor pipeline with lfence Can Meltdown-type effects only be used for leakage or also instructions after possibly every memory load. Additionally and for injection? Would current hardware and software defenses even worse, due to implicit loads, certain instructions have to suffice to fully eradicate Meltdown-type threats based on illegal be blacklisted, including the ubiquitous x86 ret instruction. data flow from faulting or assisted instructions? Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure A. Our Results and Contributions on LVI-vulnerable systems. Depending on the application and In this paper, we introduce an innovative class of Load optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation. Value Injection (LVI) attack techniques. Our key contribution is to recognize that, under certain adversarial conditions, I. INTRODUCTION unintended microarchitectural leakage can also be inverted Recent research on transient-execution attacks has been to inject incorrect data into the victim’s transient execution. characterized by a sharp split between on the one hand Spectre- Being essentially a “reverse Meltdown”-type attack, LVI abuses type misspeculation attacks, and on the other hand, Meltdown- that a faulting or assisted load instruction executed within a type data extraction attacks. The first category, Spectre-type victim domain does not always yield the expected result, but attacks [4, 23, 38, 39, 44], trick a victim into transiently may instead transiently forward dummy values or (attacker- diverting from its intended execution path. Particularly, by controlled) data from various microarchitectural buffers. We poisoning the processor’s branch predictor machinery, Spectre consider attackers that can either directly or indirectly induce adversaries steer the victim’s transient execution to gadget code page faults or microcode assists during victim execution. LVI snippets, which inadvertently expose secrets through the shared provides such attackers with a primitive to force a legitimate microarchitectural state. Importantly, Spectre gadgets execute victim execution to transiently compute on “poisoned” data entirely within the victim domain and can hence only leak (e.g., pointers, array indices) before the CPU eventually detects architecturally accessible data. the fault condition and discards the pending architectural The second category consists of Meltdown-type attacks [9, state changes. Much like in Spectre attacks, LVI relies on 42, 53, 57, 61, 67, 70], which target architecturally inaccessible “confused deputy” code gadgets surrounding the faulting or data by exploiting illegal data flow from faulting or assisted assisted load in the victim to hijack transient control flow and instructions. Particularly, on vulnerable processors, the results disclose information. We are the first to combine Meltdown- of unauthorized loads are still forwarded to subsequent transient style microarchitectural data leakage with Spectre-style code TABLE I. Characterization of known side-channel and transient-execution contrast to prior Spectre-type effects that are contained around attacks in terms of targeted microarchitectural predictor or data buffer (vertical clear-cut (branch) misprediction locations. axis) vs. leakage- or injection-based methodology (horizontal axis). The LVI attack plane, first explored in this paper, is indicated on the lower right and Successfully exploiting LVI requires the ability to induce applies an injection-based methodology known from Spectre attacks (upper page faults or microcode assists during victim execution. We right) to reversely exploit Meltdown-type data leakage (lower left). show that this requirement can be most easily met in Intel SGX environments, where we develop several proof-of-concept Methodology Leakage Injection attacks that abuse dangerous real-world gadgets to arbitrarily µ-Arch Buffer divert transient control flow in the enclave. We furthermore PHT BranchScope [15], Bluethunder [24] Spectre-PHT [38] BTB SBPA [1], BranchShadow [40] Spectre-BTB [38] mount a novel transient fault attack on AES-NI to extract full RSB Hyper-Channel [8] Spectre-RSB [39, 44] cryptographic keys from a victim enclave. While LVI attacks history STL — Spectre-STL [23] Prediction in non-SGX environments are generally much harder to mount, L1D Meltdown [42] LVI-NULL we consider none of the adversarial conditions for LVI to be L1D Foreshadow [61] LVI-L1D unique to Intel SGX. We explore consequences for traditional FPU LazyFP [57] LVI-FPU SB Fallout [9] LVI-SB process isolation by showing that, given a suitable LVI gadget Program data LFB/LP ZombieLoad [53], RIDL [67] LVI-LFB/LP and a faulting or assisted load in the kernel, arbitrary supervisor memory may leak to user space. We also show that the same vector could be exploited in a cross-process LVI attack. gadget abuse to compose a novel type of transient load value Underlining the impact and the practical challenges arising injection attacks. from our findings, Intel plans to mitigate LVI by extensive TableI summarizes how Spectre [ 38] first applied an revisions at the compiler and assembler levels to allow at injection-based methodology to invert prior branch prediction least compilation of SGX enclaves to remain secure on LVI- side-channel attacks, whereas LVI similarly shows that recent vulnerable systems. Particularly, fully mitigating LVI requires Meltdown-type microarchitectural data leakage can be reversely introducing lfence instructions to serialize the processor exploited. Looking at TableI, it becomes apparent that Spectre- pipeline after possibly every memory load operation. Addi- style injection attacks have so far only been applied to auxiliary tionally, certain instructions featuring implicit loads, including history-based branch prediction and dependency prediction the pervasive x86 ret instruction, should be blacklisted and buffers that accumulate program metadata to steer the victim’s emulated with equivalent serialized instruction sequences. We transient execution indirectly. Our techniques, on the other observe extensive performance overheads of factor 2 to 19 for hand, intervene much more directly in the victim’s transient our evaluation of prototype compiler mitigations, depending data stream by injecting erroneous load values straight from on the application and whether lfences were inserted by an the CPU’s memory hierarchy, i.e., intermediate load and store optimized compiler pass or through a naive post-compilation buffers and caches. assembler approach. These fundamentally different microarchitectural behaviors In summary, our main contributions are as follows: (i.e., misprediction vs. illegal data flow) also entail that LVI • We show that Meltdown-type data leakage can be inverted requires defenses that are orthogonal and complementary to into
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-