New Models for Understanding and Reasoning about Speculative Execution Attacks Zecheng He Guangyuan Hu Ruby Lee Princeton University Princeton University Princeton University [email protected] [email protected] [email protected] Abstract—Spectre and Meltdown attacks and their variants Lazy-FP [36] attacks and their variants are proposed to breach exploit hardware performance optimization features to cause the memory isolation by using a covert channel to exfiltrate security breaches. Secret information is accessed and leaked a secret obtained illegally under speculative execution. For through covert or side channels. New attack variants keep appearing and we do not have a systematic way to capture the example, Spectre breaches the memory isolation provided critical characteristics of these attacks and evaluate why they within a user application, while Meltdown breaches the succeed or fail. memory isolation between the kernel and a user application. In this paper, we provide a new attack-graph model for rea- Foreshadow breaches the isolation of Intel SGX secure enclaves. soning about speculative execution attacks. We model attacks as Foreshadow-OS and Foreshadow-VMM breach the isolation ordered dependency graphs, and prove that a race condition be- tween two nodes can occur if there is a missing dependency edge provided by the Operating System and the Virtual Machine between them. We define a new concept, “security dependency”, Monitor, respectively. All of these attacks leverage the specu- between a resource access and its prior authorization operation. lative execution feature of modern processors, transferring We show that a missing security dependency is equivalent to a the security-critical information to micro-architecture state race condition between authorization and access, which is a root observable by an unprivileged attacker through a covert channel. cause of speculative execution attacks. We show detailed examples of how our attack graph models the Spectre and Meltdown Unfortunately, while new attack variants are continuously being attacks, and is generalizable to all the attack variants published discovered, we do not have a systematic way to characterize so far. This attack model is also very useful for identifying these attacks and reason about them. The attack graph model new attacks and for generalizing defense strategies. We identify we propose serves this goal. several defense strategies with different performance-security While both industrial and academic solutions have been tradeoffs. We show that the defenses proposed so far all fit under one of our defense strategies. We also explain how attack graphs proposed to defend against speculative execution attacks [10], can be constructed and point to this as promising future work [17], [22], [23], [25], [28], [30], [32]–[34], [37], [42], [44], for tool designers. [46], there is currently no systematic way to show if these Index Terms—Hardware security, speculative execution at- defenses can defeat speculative attacks, and why. We show that tacks, graph model, security dependency, cache, side channel, our attack graph model can explain why a defense will work. covert channel, delayed exceptions, prediction, race condition The key questions answered in this paper are: ¬ How can we systematically model the essential common characteristics ­ I. INTRODUCTION of speculative execution attacks and reason about them? What defense strategies can be derived from the new models? In computer systems, hardware resources like memory, buses, ® Are the recently proposed defenses effective against these caches and functional units are often shared among different speculative attacks? processes and threads. This sharing increases the utilization Our key contributions in this paper are: of resources. However, preventing a secret from being leaked arXiv:2009.07998v2 [cs.CR] 22 Dec 2020 • We define a new attack graph model to systematically via shared resources is a fundamental and challenging security capture the critical operations in speculative execution problem. attacks. Memory isolation plays a key role in preventing information • We theoretically prove that a missing edge in an attack leakage. An application should not be able to read the memory graph is equivalent to a race condition, which is one of of the kernel or another application. Memory isolation is usually the root causes of speculative attacks. enforced by the operating system, to allow multiple applications • We define the new concept of “security dependencies”, to run simultaneously on the shared hardware resources without which must be observed by the hardware in addition to information leakage. It is also enforced by the Virtual Machine data dependencies and control dependencies. We show that Monitor to provide isolation between different virtual machines. a missing security dependency is equivalent to a missing Recently, speculative execution attacks, e.g., Spectre [25], edge in an attack graph, capable of causing a security Meltdown [29], Foreshadow [38], Foreshadow-NG [43] and breach. Accepted to IEEE International Symposium on High-Performance Computer • Our model shows that although attacks may look similar, Architecture (HPCA), 2021 e.g. the Spectre-type and Meltdown-type attacks, they are actually quite different in the sense that Meltdown-type TABLE I: Speculative attacks and their variants. attacks have to be investigated through intra-instruction Attack CVE Impact Boundary check by- Spectre v1 [25] CVE-2017-5753 micro-architectural dependencies, while Spectre-type at- pass tacks only need to consider inter-instruction dependencies. Speculative buffer Spectre v1.1 [24] CVE-2018-3693 This can simplify tool development for finding attack overflow Overwrite read-only Spectre v1.2 [24] N/A graphs and vulnerabilities that can be exploited in attacks. memory • Branch target injec- We derive new defense strategies from our attack graph Spectre v2 [25] CVE-2017-5715 model. These enable us to systematically explain why tion Kernel content leak- Meltdown (Spectre v3) a defense will or will not work. We also show that CVE-2017-5754 age to unprivileged [29] all currently proposed defenses, from both industry and attacker academia, can be modelled by our defense strategies. System register Meltdown variant1 value leakage CVE-2018-3640 • We show the benefits of our new model for future research (Spectre v3a) [2] to unprivileged for tool creation, discovering new attacks and finding new attacker Speculative store defenses. Spectre v4 [3] CVE-2018-3639 bypass, read stale data in memory II. BACKGROUND Return mis-predict, Spectre RSB [26] CVE-2018-15572 execute wrong code A. Speculative Attacks Foreshadow (L1 Termi- SGX enclave mem- CVE-2018-3615 Speculative execution vulnerabilities affect most modern nal Fault) [38] ory leakage Foreshadow-OS [43] CVE-2018-3620 OS memory leakage processors. They exploit speculative execution, Out-of-Order VMM memory leak- Foreshadow-VMM [43] CVE-2018-3646 (OOO) execution, hardware prediction and caching – all age Lazy FP [36] CVE-2018-3665 Leak of FPU state essential features for speeding up program execution. They Virtual-to-physical allow an unprivileged adversary to bypass the user-kernel Spoiler [21] CVE-2019-0162 address mapping isolation or user-defined boundaries. In a speculative execution leakage attack, a speculation window is induced to allow transient instructions that illegally access a secret, then perform some TABLE II: Industrial defenses against speculative attacks. micro-architectural state changes which essentially “send Attack Defense Strategy Defense out the secret” so that it can be observed by the attacker. LFence Spectre Serialization Upon detecting mis-speculation, architectural state changes are MFence KAISER discarded, but some micro-architectural state changes are not – Meltdown Kernel Isolation thus leaking the secret. Kernel Page Table Isolation (KPTI) Disable branch prediction We give a top-down description of a speculative attack Spectre variants Indirect Branch Restricted Speculation in Section III and a detailed discussion of the Spectre and requiring branch Prevent mis- Single Thread Indirect Branch Predictor Meltdown attacks in SectionIV. We list the first 13 published prediction training of branch Indirect Branch Prediction Barrier (Spectre v1, v1.1, prediction Invalidate branch predictor during attacks and their impacts in TableI. Later, in SectionV and v1.2, v2) context switch Table III, we also consider the newer attack variants. Retpoline Spectre boundary Coarse masking bypass Address masking B. Industry Defenses Implemented Data-dependent masking (v1, v1.1, v1.2) TableII shows some industry defenses that have been Speculative Store Bypass Barrier Serialize stores Spectre v4 (SSBB) implemented to mitigate some speculative attacks. and loads Speculative Store Bypass Safe (SSBS) Fences. Fences, including LFENCE and MFENCE [1], are Prevent RSB Spectre RSB RSB stuffing placed before memory operations to serialize the program underfill execution and prevent speculative execution. Kernel Isolation. KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed) and its Linux implementa- Retpoline. Retpoline is a method where indirect branches, tion named Kernel Page Table Isolation (KPTI) isolate user- which use potentially poisoned BTBs, are replaced by return space memory from kernel space to prevent Meltdown attacks, instructions that use the return stack. by unmapping kernel pages from user-space [4]. Address Masking. To address
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages14 Page
-
File Size-