ARMageddon How Your Smartphone CPU Breaks Software-Level Security And Privacy Moritz Lipp and Cl´ementineMaurice November 3, 2016|Black Hat Europe • Information leaks because of the underlying hardware • We focus on the CPU cache • Cache attacks can be used for covert communications and attack crypto implementations • Only been demonstrated on Intel x86 for now • But why not on ARM? Motivation • Safe software infrastructure does not mean safe execution 2 • We focus on the CPU cache • Cache attacks can be used for covert communications and attack crypto implementations • Only been demonstrated on Intel x86 for now • But why not on ARM? Motivation • Safe software infrastructure does not mean safe execution • Information leaks because of the underlying hardware 2 • Cache attacks can be used for covert communications and attack crypto implementations • Only been demonstrated on Intel x86 for now • But why not on ARM? Motivation • Safe software infrastructure does not mean safe execution • Information leaks because of the underlying hardware • We focus on the CPU cache 2 • Only been demonstrated on Intel x86 for now • But why not on ARM? Motivation • Safe software infrastructure does not mean safe execution • Information leaks because of the underlying hardware • We focus on the CPU cache • Cache attacks can be used for covert communications and attack crypto implementations 2 • But why not on ARM? Motivation • Safe software infrastructure does not mean safe execution • Information leaks because of the underlying hardware • We focus on the CPU cache • Cache attacks can be used for covert communications and attack crypto implementations • Only been demonstrated on Intel x86 for now 2 Motivation • Safe software infrastructure does not mean safe execution • Information leaks because of the underlying hardware • We focus on the CPU cache • Cache attacks can be used for covert communications and attack crypto implementations • Only been demonstrated on Intel x86 for now • But why not on ARM? 2 Who We Are Who We Are • Moritz Lipp • Master Student, Graz University Of Technology • 7 @mlqxyz • R [email protected] 3 Who We Are • Cl´ementineMaurice • PhD in InfoSec; Postdoc, Graz University Of Technology • 7 @BloodyTangerine • R [email protected] 4 The rest of the team The rest of the research team • Daniel Gruss • Raphael Spreitzer • Stefan Mangard From Graz University of Technology 5 Demo 6 • What are the challenges for cache attacks on ARM? • How to solve those challenges • Attack scenarios • Tools Outline • Background information 7 • How to solve those challenges • Attack scenarios • Tools Outline • Background information • What are the challenges for cache attacks on ARM? 7 • Attack scenarios • Tools Outline • Background information • What are the challenges for cache attacks on ARM? • How to solve those challenges 7 • Tools Outline • Background information • What are the challenges for cache attacks on ARM? • How to solve those challenges • Attack scenarios 7 Outline • Background information • What are the challenges for cache attacks on ARM? • How to solve those challenges • Attack scenarios • Tools 7 Cache Attacks • CPU registers • Different levels of the CPU cache • Main memory • Disk storage Memory Hierarchy CPU Registers L1 Cache L2 Cache Memory Disk storage • Data can reside in 8 • Different levels of the CPU cache • Main memory • Disk storage Memory Hierarchy CPU Registers L1 Cache L2 Cache Memory Disk storage • Data can reside in • CPU registers 8 • Main memory • Disk storage Memory Hierarchy CPU Registers L1 Cache L2 Cache Memory Disk storage • Data can reside in • CPU registers • Different levels of the CPU cache 8 • Disk storage Memory Hierarchy CPU Registers L1 Cache L2 Cache Memory Disk storage • Data can reside in • CPU registers • Different levels of the CPU cache • Main memory 8 Memory Hierarchy CPU Registers L1 Cache L2 Cache Memory Disk storage • Data can reside in • CPU registers • Different levels of the CPU cache • Main memory • Disk storage 8 • cache ! fast (cache hit) • main memory ! slow (cache miss) ·104 Cache hit Cache miss 3 2 1 Number of accesses 0 200 400 600 800 1;000 1;200 Measured access time (CPU cycles) Cache Attacks • Exploit timing differences of memory accesses: 9 • main memory ! slow (cache miss) ·104 Cache hit Cache miss 3 2 1 Number of accesses 0 200 400 600 800 1;000 1;200 Measured access time (CPU cycles) Cache Attacks • Exploit timing differences of memory accesses: • cache ! fast (cache hit) 9 ·104 Cache hit Cache miss 3 2 1 Number of accesses 0 200 400 600 800 1;000 1;200 Measured access time (CPU cycles) Cache Attacks • Exploit timing differences of memory accesses: • cache ! fast (cache hit) • main memory ! slow (cache miss) 9 Cache Attacks • Exploit timing differences of memory accesses: • cache ! fast (cache hit) • main memory ! slow (cache miss) ·104 Cache hit Cache miss 3 2 1 Number of accesses 0 200 400 600 800 1;000 1;200 Measured access time (CPU cycles) 9 Set-Associative Caches 0 16 17 25 26 31 Address Index Offset Cache 10 Set-Associative Caches 0 16 17 25 26 31 Address Index Offset Cache set Cache Data loaded in a specific set depending on its address 10 Set-Associative Caches 0 16 17 25 26 31 Address Index Offset way 0 way 3 Cache set Cache Data loaded in a specific set depending on its address Several ways per set 10 Set-Associative Caches 0 16 17 25 26 31 Address Index Offset way 0 way 3 Cache set Cache line Cache Data loaded in a specific set depending on its address Several ways per set Cache line loaded in a specific way depending on the replacement policy 10 Cache Attacks: Flush+Reload Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) 11 Cache Attacks: Flush+Reload cached cached Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) 11 Cache Attacks: Flush+Reload flushes Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line 11 Cache Attacks: Flush+Reload loads data Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line Step 3: Victim loads the data 11 Cache Attacks: Flush+Reload reloads data Victim address space Cache Attacker address space Step 1: Attacker maps shared library (shared memory, in cache) Step 2: Attacker flushes the shared cache line Step 3: Victim loads the data Step 4: Attacker reloads the data 11 Cache Attacks: Prime+Probe Victim address space Cache Attacker address space 12 Cache Attacks: Prime+Probe Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) 12 Cache Attacks: Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 12 Cache Attacks: Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 12 Cache Attacks: Prime+Probe fast access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 12 Cache Attacks: Prime+Probe slow access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 12 Differences between Intel x86 and ARM • Cache maintenance instructions • Intel x86: Unprivileged clflush instruction • ARMv7-A: Only privileged cache maintenance instructions • ARMv8-A: Privileged instructions can be unlocked for userspace Challenge #1 No flush instruction Cache maintenance • Basic operation for cache attacks: invalidate cache lines 13 • Intel x86: Unprivileged clflush instruction • ARMv7-A: Only privileged cache maintenance instructions • ARMv8-A: Privileged instructions can be unlocked for userspace Challenge #1 No flush instruction Cache maintenance • Basic operation for cache attacks: invalidate cache lines • Cache maintenance instructions 13 • ARMv7-A: Only privileged cache maintenance instructions • ARMv8-A: Privileged instructions can be unlocked for userspace Challenge #1 No flush instruction Cache maintenance • Basic operation for cache attacks: invalidate cache lines • Cache maintenance instructions • Intel x86: Unprivileged clflush instruction 13 • ARMv8-A: Privileged instructions can be unlocked for userspace Challenge #1 No flush instruction Cache maintenance • Basic operation for cache attacks: invalidate cache lines • Cache maintenance instructions • Intel x86: Unprivileged clflush instruction • ARMv7-A: Only privileged cache maintenance instructions 13 Challenge #1 No flush instruction Cache maintenance • Basic operation for cache attacks: invalidate cache lines • Cache maintenance instructions • Intel x86: Unprivileged clflush instruction • ARMv7-A: Only privileged cache maintenance instructions • ARMv8-A: Privileged instructions can be unlocked for userspace 13 Cache maintenance • Basic operation for cache attacks: invalidate cache lines • Cache maintenance instructions • Intel x86: Unprivileged clflush instruction • ARMv7-A: Only privileged cache maintenance