
Seminar report
Seminar: Embedded Systems, summer term 2020

Spectre & Meltdown: A tamed ghost?

Jonas Zeunert
Technische Universität Kaiserslautern, Department of Computer Science

Note: This report is a compilation of publications related to some topic as a result of a student seminar. It does not claim to introduce original work and all sources should be properly cited.

Spectre and Meltdown are security attacks against the fundamental principles of out-of-order and speculative execution of processors, principles dating back to 1996. Even though many people have heard about their impact, their principles are often unknown, although they are not that hard to understand with a bit of background knowledge. Since a programmer is responsible for the security of his own code, it is very important for him to understand exactly at which points his code is attackable through Spectre vulnerabilities. So in this seminar we will have a detailed look at the principles and techniques used by Spectre and Meltdown attacks.

1 Introduction
In this seminar we will look at the security breaches Spectre and Meltdown. They are the first practical example of hardware-based side-channel attacks; they were found in 2018 in parallel by Google's Project Zero and Kocher et al. [15] at the University of Graz. Spectre is, as of today, still not fully mitigated since new variants keep coming out, while the mitigations which solve the problem behind Meltdown are sometimes disabled because of performance impacts. These attacks totally shifted the general awareness of hardware-based attacks, since they are easily exploitable via web browsers, whereas beforehand side-channel attacks were seen, from an academic point of view, as an attack vector only for breaking cryptographic systems but not for breaking arbitrary systems.
Their ability to bypass the protection of virtual machines or sandboxes makes them extremely viable in view of the continuously growing cloud computing market, and they are therefore a big threat to all such systems. We try to get an understanding of the history of the attacks, their impact, their functionality and their mitigations, and try to answer the question whether this new ghost that appeared in the security realm could finally be tamed with the measures taken until today, or whether it is something that will haunt us for a much longer time.

The rest of this paper is structured as follows: First we will get the necessary technical background in section 2. This covers the basics of side-channel attacks and speculative execution and other things which are needed to understand the attacks. Then in section 3 we will talk about the history and the evolution of the attacks: how the first side-channel attacks were discovered and how everything evolved to today's state, and we also try to classify the impact of this. In section 4 we will actually take a look at what the idea behind Spectre and Meltdown is and how they work. Afterwards in section 5 we will discuss possible mitigations, from both the software (5.1) and the hardware (5.2) perspective. Finally, in the last section 6 we will discuss whether it was possible to tame the ghost introduced with Spectre and Meltdown or not.

2 Technical Background
Before describing how Spectre and Meltdown work in detail it is necessary to understand the underlying techniques which are combined for Spectre-like attacks. In this section we will take a look at the principles of caches, side-channel attacks, out-of-order execution and branch prediction.

2.1 CPU Cache
A CPU cache is a small but also very fast memory in a computer system located near the execution unit of the CPU.
Its main purpose is to cache often used data so that the data does not have to be immediately read from and written back to the main memory, which is for von Neumann machines the biggest bottleneck in computation. Modern CPUs typically have three levels of caches which are increasingly closer to the ALU, which makes accesses faster but also limits the possible size. To give an example of modern cache structures, an AMD Ryzen 9 3900 [2] has 32KB level 1 cache and 512KB level 2 cache for every single core. The level 3 cache is typically shared between all cores and has about 64MiB. A cache is organized in lines and sets. A line contains multiple bytes of data, while there are multiple sets containing the lines. This is how any given main memory address is matched to a cache line, and it is important to understand for different side-channel attacks.

2.2 Side-channel attacks
Let us first get a definition for the term:

A side-channel attack is an attack enabled by leakage of information from a physical cryptosystem by an unintended channel. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions. [22]

So we see it is important for a side-channel attack that some (here cryptographic) information is getting leaked on a channel that was not intended to leak information. Often the channel is not even intended to communicate any information at all, like power consumption. Standaert [25] goes further and subdivides side-channel attacks into both invasive or non-invasive and active or passive. (Non-)invasive describes whether the attack requires direct access to the physical chip or not, and active and passive distinguish whether the attack changes the functionality of the original algorithm or does not.
To give an example of this, different attacks are classified in this scheme in figure 1.

Figure 1: Examples for the side-channel classification as of Standaert (2010) [25]

            Invasive                                     Non-Invasive
Active      Induce signals on a device to get back       Flipping bits via a technique like
            information                                  Rowhammer [13] to break page separation
Passive     Sensing the data on the DRAM bus             Sensing electromagnetic signals emitted
                                                         by a machine

Since this domain is really large we will concentrate in this paper on the non-invasive techniques of cache-based side-channel attacks, which are the essential functionalities behind Spectre and also Meltdown.

2.3 Cache-based side-channel attacks
Cache-based side-channel attacks can be classified with the scheme above as non-invasive passive attacks. Since they are only based on accessing the cache, which does not require any direct physical interaction, they are non-invasive, and even though they mess around with the cache this does not directly impact the behaviour of any program, so they are passive. Most often they rely on the ability of the cache to decrease the time of memory accesses, which as of today is really slow in comparison to registers, which are located near the execution units. If a given piece of data is already in the cache, the execution of an algorithm is much faster than if it was not in the cache. This timing offset allows one to draw conclusions about the accessed address and therefore about the actual data, given that the algorithm is known. Even though at present there are many known cache-based side-channel attacks, it is sufficient to concentrate on the following three, which are also used by Kocher et al. [15] in the original Spectre paper: Flush+Reload (2.3.1), Evict+Reload (2.3.2) and Prime+Probe (2.3.3).

2.3.1 Flush+Reload
Flush+Reload, observed by Yarom et al. [29], is an attack which works with the clflush operation of the x86 processor architecture, which erases all cache lines in all three cache levels.
It also relies on the function of modern operating systems to share memory pages between processes, and in its more aggressive form on memory de-duplication, where arbitrary similar-looking pages are shared. Basically Flush+Reload works in three phases:

1. Flush the cache line which is observed with clflush
2. Wait for the victim to access the cache line
3. Probe the cache timing of the memory line by reading from cache-associated data which is shared through page sharing

The most critical part of this is the wait time, since if one probes too early or too late, or even at the same time, one could miss information. Also, this only works if the memory pages are shared, so one can access the difference between the instantiations of a shared library.

2.3.2 Evict+Reload
Evict+Reload is a development from Flush+Reload made by Gruss et al. [11]. It generalizes the approach so that not only specific binaries can be attacked, but instead one can read arbitrary information from caches. The attack is based on templates which are automatically generated by profiling the cache hit ratio of a specific event, like a keystroke, which the attacker wants to catch. This generated template is afterwards used to match the timings of other program instantiations, and the attacker is able to receive arbitrary data which he has profiled.

2.3.3 Prime+Probe
Prime+Probe, first described by Osvik et al. [21] in 2006 as a first-level cache attack against AES, was further investigated by Liu et al. [18] in 2015, who showed that this attack can be practical for reading data from last-level caches. As an example, this can be useful to extract data between virtual machines. The idea behind Prime+Probe is that an attacker first primes the cache by filling every cache line with his own data, afterwards idles a bit, so that he can probe at the end which cache lines were replaced and with this draw conclusions about which memory addresses were accessed.
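Going back to the line/set organisation described in 2.1: the following C program is an added example (not code from the seminar report) showing how a set-associative cache splits an address into tag, set index and line offset, and why two addresses exactly one set-stride apart compete for the same set. That congruence is what the priming step of Prime+Probe (2.3.3) exploits when it fills every set with its own data, and it is equally what a defender has to keep in mind when reasoning about which of two buffers can evict each other. The 32KB L1 size is the Ryzen 9 3900 figure quoted in 2.1; the 64-byte line size and 8-way associativity are assumptions for illustration.

```c
/* Added example, not from the seminar report: address -> (tag, set, offset)
 * for a set-associative cache. 32 KB is the L1 size quoted on the page;
 * 64-byte lines and 8 ways are assumed for illustration. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t size_bytes, ways, line_bytes;  /* inputs */
    uint32_t sets, offset_bits, set_bits;   /* derived */
} cache_geom_t;

typedef struct { uint64_t tag, set, offset; } cache_addr_t;

/* log2 for powers of two (cache sizes, ways and line sizes are powers of two). */
static uint32_t log2_u32(uint32_t v) {
    uint32_t b = 0;
    while (v > 1) { v >>= 1; b++; }
    return b;
}

/* Number of sets = size / (ways * line); the bit-field widths follow from that. */
cache_geom_t cache_geometry(uint32_t size_bytes, uint32_t ways, uint32_t line_bytes) {
    cache_geom_t g = { size_bytes, ways, line_bytes, 0, 0, 0 };
    g.sets = size_bytes / (ways * line_bytes);
    g.offset_bits = log2_u32(line_bytes);
    g.set_bits = log2_u32(g.sets);
    return g;
}

/* Low bits select the byte in the line, the next bits select the set,
 * everything above is the tag compared against the ways of that set. */
cache_addr_t split_address(cache_geom_t g, uint64_t addr) {
    cache_addr_t a;
    a.offset = addr & (g.line_bytes - 1);
    a.set = (addr >> g.offset_bits) & (g.sets - 1);
    a.tag = addr >> (g.offset_bits + g.set_bits);
    return a;
}

/* Two addresses can evict each other only if they map to the same set. */
int same_set(cache_geom_t g, uint64_t a, uint64_t b) {
    return split_address(g, a).set == split_address(g, b).set;
}

/* Smallest distance between two addresses that land in the same set. */
uint64_t set_stride(cache_geom_t g) { return (uint64_t)g.sets * g.line_bytes; }

int main(void) {
    cache_geom_t l1 = cache_geometry(32 * 1024, 8, 64);
    cache_addr_t a = split_address(l1, 0x12345);
    printf("sets=%u, set stride=%llu bytes\n", l1.sets, (unsigned long long)set_stride(l1));
    printf("0x12345 -> tag=%llu set=%llu offset=%llu\n",
           (unsigned long long)a.tag, (unsigned long long)a.set, (unsigned long long)a.offset);
    printf("0x1000 and 0x2000 share a set: %d\n", same_set(l1, 0x1000, 0x2000));
    return 0;
}
```

With the assumed geometry the L1 has 64 sets, so every address a multiple of 4096 bytes apart lands in the same set; that is the stride one would use to fill a set completely, and equally the reason why a victim's access is only visible in the set it maps to.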
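The three Flush+Reload phases listed in 2.3.1, and the eviction variant behind Evict+Reload, both come down to one measurable effect: a load from a line that is still cached finishes much faster than a load of a line that was flushed. The following C program is an added example, not part of the report or of any of the cited papers, that measures exactly this gap on a buffer it owns itself (there is no victim and no shared page; the "reload" after the flush is simply a guaranteed miss). It assumes an x86-64 compiler with the clflush and rdtscp intrinsics; on other architectures it falls back to evicting the line by sweeping a large buffer and to clock_gettime for timing.

```c
/* Added example, not from the seminar report: measuring the cache-hit versus
 * cache-miss latency that Flush+Reload and Evict+Reload depend on, on memory
 * owned by this program itself. Assumptions: x86-64 with the clflush/rdtscp
 * intrinsics for the flush variant; elsewhere the line is evicted by sweeping
 * a large buffer (the Evict+Reload idea) and timed with clock_gettime. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLES 32
#define EVICT_BYTES (64u << 20)  /* 64 MiB sweep: not smaller than the L3 figure quoted in 2.1 */

typedef struct { uint64_t hit, miss; } latency_t;

static uint8_t target[4096];     /* the observed line lives in here */
#if !HAVE_X86
static uint8_t *evict_buf;
#endif

/* Timestamp: cycles from rdtscp on x86, nanoseconds elsewhere. */
static inline uint64_t now(void) {
#if HAVE_X86
    unsigned aux;
    return __rdtscp(&aux);
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Phase 1: remove the line from every cache level (flush, or evict as fallback). */
static void flush_line(volatile uint8_t *p) {
#if HAVE_X86
    _mm_clflush((const void *)p);
    _mm_mfence();
#else
    if (!evict_buf) evict_buf = calloc(EVICT_BYTES, 1);
    for (size_t i = 0; i < EVICT_BYTES; i += 64) evict_buf[i]++;
#endif
}

/* Phase 3: time one load of the line; the fences keep the load inside the window on x86. */
static uint64_t time_load(volatile uint8_t *p) {
#if HAVE_X86
    _mm_mfence(); _mm_lfence();
#endif
    uint64_t t0 = now();
    (void)*p;
#if HAVE_X86
    _mm_lfence();
#endif
    return now() - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples, robust against interrupts and other timing noise. */
static uint64_t median(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Median latency of a load that hits the cache and of one right after a flush. */
latency_t measure_latency(void) {
    uint64_t hits[SAMPLES], misses[SAMPLES];
    volatile uint8_t *line = &target[64];
    for (int i = 0; i < SAMPLES; i++) {
        (void)*line;                 /* bring the line in ... */
        hits[i] = time_load(line);   /* ... and time the hit */
        flush_line(line);            /* phase 1 */
        misses[i] = time_load(line); /* phase 3 with no victim in between: a guaranteed miss */
    }
    latency_t r = { median(hits, SAMPLES), median(misses, SAMPLES) };
    return r;
}

/* Threshold halfway between the two medians; the probe step classifies loads against it. */
uint64_t calibrate_threshold(latency_t l) { return (l.hit + l.miss) / 2; }

/* The probe decision: a load below the threshold means the line was already cached. */
int was_cached(uint64_t latency, uint64_t threshold) { return latency < threshold; }

int main(void) {
    latency_t l = measure_latency();
    printf("median hit: %llu, median miss: %llu, threshold: %llu (%s)\n",
           (unsigned long long)l.hit, (unsigned long long)l.miss,
           (unsigned long long)calibrate_threshold(l), HAVE_X86 ? "cycles" : "ns");
    return 0;
}
```

The medians are used rather than single readings because interrupts and frequency changes add noise that a single sample cannot distinguish from a miss; the calibration step that derives the threshold is the part of every cache side channel that depends on a fine-grained timer, which is why, from the defender's side, browsers reduced the resolution of their JavaScript timers after Spectre became public.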