A Systematic Analysis of Machine Clears and Their Implications For

A Systematic Analysis of Machine Clears and Their Implications For

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida, Vrije Universiteit Amsterdam https://www.usenix.org/conference/usenixsecurity21/presentation/ragab This paper is included in the Proceedings of the 30th USENIX Security Symposium. August 11–13, 2021 978-1-939133-24-3 Open access to the Proceedings of the 30th USENIX Security Symposium is sponsored by USENIX. Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks Hany Ragab∗ Enrico Barberis∗ Herbert Bos Cristiano Giuffrida [email protected] [email protected] [email protected] [email protected] Vrije Universiteit Amsterdam Amsterdam, The Netherlands ∗Equal contribution joint first authors Abstract 79, 82]. Building mostly on well-known causes of transient execution, such as branch mispredictions or aborting Intel Since the discovery of the Spectre and Meltdown vulnera- TSX transactions, such variants violate many security bound- bilities, transient execution attacks have increasingly gained aries, allowing attackers to obtain access to unauthorized data, momentum. However, while the community has investigated divert control flow, or inject values in transiently executed several variants to trigger attacks during transient execution, code. Nonetheless, little effort has been made to systemat- much less attention has been devoted to the analysis of the ically investigate the root causes of what Intel refers to as root causes of transient execution itself. Most attack vari- bad speculation [36]—the conditions that cause the CPU to ants simply build on well-known root causes, such as branch discard already issued micro-operations (µOps) and render misprediction and aborts of Intel TSX—which are no longer them transient. As a result, our understanding of these root supported on many recent processors. causes, as well as their security implications, is still limited. In this paper, we tackle the problem from a new perspective, In this paper, we systematically examine such causes with a closely examining the different root causes of transient exe- focus on a major, largely unexplored class of bad speculation. cution rather than focusing on new attacks based on known In particular, Intel [36] identifies two general causes of bad transient windows. Our analysis specifically focuses on the speculation (and transient execution)—branch misprediction class of transient execution based on machine clears (MC), and machine clears. Upon detecting branch mispredictions, reverse engineering previously unexplored root causes such the CPU needs to squash all the µOps executed in the the as Floating Point MC, Self-Modifying Code MC, Memory mispredicted branches. Such occurrences, in a wide variety Ordering MC, and Memory Disambiguation MC. We show of forms and manifestations, have been extensively examined these events not only originate new transient execution win- in the existing literature on transient execution attacks [10,11, dows that widen the horizon for known attacks, but also yield 31,40,41,43,48]. The same cannot be said for machine clears, entirely new attack primitives to inject transient values (Float- a class of bad speculation that relies on a full flush of the ing Point Value Injection or FPVI) and executing stale code processor pipeline to restart from the last retired instruction. (Speculative Code Store Bypass or SCSB). We present an In this paper, we therefore focus on the systematic exploration end-to-end FPVI exploit on the latest Mozilla SpiderMonkey of machine clears, their behavior, and security implications. JavaScript engine with all the mitigations enabled, disclosing arbitrary memory in the browser through attacker-controlled Specifically, by reverse engineering this undocumented and transiently-injected floating-point results. We also pro- class of bad speculation, we closely examine four previously pose mitigations for both attack primitives and evaluate their unexplored sources of machine clears (and thus transient exe- performance impact. Finally, as a by-product of our analysis, cution), related to floating points, self-modifying code, mem- we present a new root cause-based classification of all known ory ordering, and memory disambiguation. We show attackers transient execution paths. can exploit such causes to originate new transient execution windows with unique characteristics. For instance, attackers can exploit Floating Point Machine Clear events to embed 1 Introduction attacks in transient execution windows that require no train- ing or special (in many cases disabled) features such as Intel Since the public disclosure of the Meltdown and Spectre vul- TSX. Besides providing a general framework to run existing nerabilities in 2018, researchers have investigated ways to use and future attacks in a variety of transient execution windows transient execution windows for crafting several new attack with different constraints and leakage rates, our analysis also variants [6–11,28,40,43, 48,59,63,65,67,68,71,74 –76,78, uncovered new attack primitives based on machine clears. USENIX Association 30th USENIX Security Symposium 1451 In particular, we show that Self-Modifying Code Machine Modifying Code Machine Clear (SMC MC), Memory Clear events allow attackers to transiently execute stale code, Ordering Machine Clear (MO MC), and Memory Dis- while Floating Point Machine Clear events allow them to in- ambiguation Machine Clear (MD MC). ject transient values in victim code. We term these primitives Speculative Code Store Bypass (SCSB) and Floating Point • We present two novel machine clear-based transient exe- Value Injection (FPVI), respectively. The former is loosely cution attack primitives (FPVI and SCSB) and an end-to- related to Speculative Store Bypass (SSB) [55, 82], but al- end FPVI exploit disclosing arbitrary memory in Firefox. lows attackers to transiently reference stale code rather than • We propose and evaluate possible mitigations. data. The latter is loosely related to Load Value Injection (LVI) [71], but allows attackers to inject transient values by • We propose a new root-cause based classification of all controlling operands of floating-point operations rather than the known transient execution paths. triggering victim page faults or microcode assists. We also discuss possible gadgets for exploitation in applications such Code, exploit demo, and additional information are avail- as JIT engines. For instance, we found that developers follow- able at https://www.vusec.net/projects/fpvi-scsb. ing instructions detailed in the Intel optimization manual [36] ad litteram could easily introduce SCSB gadgets in their ap- 2 Background plications. In addition, we show that attackers controlling JIT’ed code can easily inject FPVI gadgets and craft arbitrary 2.1 IEEE-754 Denormal Numbers memory reads, even from JavaScript in a modern browser using NaN-boxing such as Mozilla Firefox [53]. Modern processors implement a Floating Point Unit (FPU). Moreover, since existing mitigations cannot hinder our To represent floating point numbers, the IEEE-754 stan- primitives, we implement new mitigations to eliminate the dard [1] distinguishes three components (Fig.1). First, the uncovered attack surface. As shown in our evaluation, SCSB most significant bit serves as the sign bit s. The next w bits can be efficiently mitigated with serializing instructions in the contain a biased exponent e. For instance, for double precision practical cases of interest such as JavaScript engines. FPVI 64-bit floating point numbers, e is 11 bits long and the bias can be mitigated using transient execution barriers between is 211−1 − 1 = 1023 (i.e., 2w−1 − 1). The value e is computed the source of injection and its transmit gadgets, either inserted by adding the real exponent ereal to the bias, which ensures by the programmer or by the compiler. We implemented the that e is a positive number even if the real exponent is neg- general compiler-based mitigation in LLVM [45], measuring ative. The remaining bits are used for the mantissa m. The an overhead of 32% / 53% on SPECfp 2006/2017 (geomean). combination of these components represents the value. As While not limited to Intel, our analysis does build on a vari- an example, suppose the sign bit s = 1, the biased exponent ety of performance counters available in different generations e = 100000000112 = 102710 so that ereal = 1027−1023 = 4, of Intel CPUs but not on other architectures. Nevertheless, and the mantissa m = 0111000:::0. In that case,the corre- 4 we show that our insights into the root causes of bad specu- sponding decimal value is −1 · 2 · (1 + 0:01112). We refer to lation also generalize to other architectures, by successfully such numbers as normal numbers, as they are in the normal- repeating our transient execution leakage experiments (we ized form with an implicit leading 1 present in the mantissa. originally designed for Intel) on AMD. Finally, armed with a deeper understanding of the root causes of transient execution, we also present a new classi- fication for the resulting paths. Existing classifications [10] are entirely attack-centric, focusing on classes of Spectre- or Meltdown-like attacks and blending together (common) Figure 1: Fields of a 64 bits IEEE 754 double causes of transient execution with their uses (i.e., what at- tackers can do with them). Such classifications cannot easily If e = 0 and m 6= 0, the CPU treats

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    19 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us