Leaky Processors Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck (@jovanbulck)1, Daniel Gruss (@lavados)2 Red Hat Research Day, January 23, 2020 1 imec-DistriNet, KU Leuven, 2 Graz University of Technology v1, v2, v4, v5, v3, v3.1, v3a, Foreshadow-NG, Spectre-BTB, RDCL? L1TF? Spectre-RSB, ret2spec, SGXPectre, SmotherSpectre, NetSpectre? ZombieLoad, MDS? RIDL, Fallout? Lessons from Spectre, Meltdown, and Foreshadow? Spectre Meltdown Foreshadow 1 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Lessons from Spectre, Meltdown, and Foreshadow? Spectre Meltdown Foreshadow v1, v2, v4, v5, v3, v3.1, v3a, Foreshadow-NG, Spectre-BTB, RDCL? L1TF? Spectre-RSB, ret2spec, SGXPectre, SmotherSpectre, NetSpectre? ZombieLoad, MDS? RIDL, Fallout? 1 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) • CPU builds \walls" for memory isolation between applications and privilege levels $ Architectural protection walls permeate microarchitectural side-channels! Processor security: Hardware isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Different software protection domains: user processes, virtual machines, enclaves 2 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) $ Architectural protection walls permeate microarchitectural side-channels! Processor security: Hardware isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Different software protection domains: user processes, virtual machines, enclaves • CPU builds \walls" for memory isolation between applications and privilege levels 2 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Processor security: Hardware isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Different software protection domains: user processes, virtual machines, enclaves • CPU builds \walls" for memory isolation between applications and privilege levels $ Architectural protection walls permeate microarchitectural side-channels! 2 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) National Geographic CPU Cache printf("%d", i); printf("%d", i); 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache Cache miss printf("%d", i); printf("%d", i); 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache Request Cache miss printf("%d", i); printf("%d", i); 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache Request Cache miss printf("%d", i); printf("%d", i); Response 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache Request Cache miss printf("%d", i); i printf("%d", i); Response 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache Request Cache miss printf("%d", i); i printf("%d", i); Response Cache hit 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache DRAM access, slow Request Cache miss printf("%d", i); i printf("%d", i); Response Cache hit 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) CPU Cache DRAM access, slow Request Cache miss printf("%d", i); i printf("%d", i); Response Cache hit No DRAM access, much faster 5 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush cached Shared Memory access access cached 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush Shared Memory access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush Shared Memory access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush Shared Memory access access 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Flush+Reload Shared Memory ATTACKER VICTIM flush Shared Memory access access fast if victim accessed data, slow otherwise 6 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Memory Access Latency Cache Hits 107 104 101 Number of Accesses 50 100 150 200 250 300 350 400 Latency [Cycles] 7 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Memory Access Latency Cache Hits Cache Misses 107 104 101 Number of Accesses 50 100 150 200 250 300 350 400 Latency [Cycles] 7 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Cache Template Attack Demo We can communicate across protection walls using microarchitectural side-channels! Leaky processors: Jumping over protection walls with side-channels App App App Enclave VM OS VM OS Hypervisor (VMM) 9 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Side-channel attacks are known for decades already { what's new? 4000 3000 2000 DO WE JUST SUCK AT... COMPUTERS? YUP. ESPECIALLY SHARED ONES. 1000 1990 1994 1998 2002 2006 2010 2014 2018 Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/ 10 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Can we do better? Can we demolish architectural protection walls instead of just peaking over? • Meltdown breaks user/kernel isolation • Foreshadow breaks SGX enclave and virtual machine isolation • Spectre breaks software-defined isolation on various levels • . many more { but all exploit the same underlying insights! Leaky processors: Breaking isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) 12 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) • Foreshadow breaks SGX enclave and virtual machine isolation • Spectre breaks software-defined isolation on various levels • . many more { but all exploit the same underlying insights! Leaky processors: Breaking isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Meltdown breaks user/kernel isolation 12 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) • Spectre breaks software-defined isolation on various levels • . many more { but all exploit the same underlying insights! Leaky processors: Breaking isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Meltdown breaks user/kernel isolation • Foreshadow breaks SGX enclave and virtual machine isolation 12 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) • . many more { but all exploit the same underlying insights! Leaky processors: Breaking isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Meltdown breaks user/kernel isolation • Foreshadow breaks SGX enclave and virtual machine isolation • Spectre breaks software-defined isolation on various levels 12 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Leaky processors: Breaking isolation mechanisms App App App Enclave VM OS VM OS Hypervisor (VMM) • Meltdown breaks user/kernel isolation • Foreshadow breaks SGX enclave and virtual machine isolation • Spectre breaks software-defined isolation on various levels • . many more { but all exploit the same underlying insights! 12 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) • Modern CPUs are inherently parallel ) Execute instructions ahead of time Best-effort: What if triangle fails? ! Commit in-order, roll-back square ... But side-channels may leave traces (!) Out-of-order and speculative execution Key discrepancy: • Programmers write sequential instructions 13 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Best-effort: What if triangle fails? ! Commit in-order, roll-back square ... But side-channels may leave traces (!) Out-of-order and speculative execution Key discrepancy: • Programmers write sequential instructions • Modern CPUs are inherently parallel ) Execute instructions ahead of time 13 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Out-of-order and speculative execution Key discrepancy: • Programmers write sequential instructions • Modern CPUs are inherently parallel Overflow ) Execute instructions ahead of time Roll-back exception Best-effort: What if triangle fails? ! Commit in-order, roll-back square ... But side-channels may leave traces (!) 13 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Transient world (microarchitecture) may temp bypass architectural software intentions: Transient-execution attacks: Welcome to the world of fun! CPU executes ahead of time in transient world • Success ! commit results to normal world • Fail ! discard results, compute again in normal, world / 14 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Transient world (microarchitecture) may temp bypass architectural software intentions: Transient-execution attacks: Welcome to the world of fun! Key finding of 2018 ) Transmit secrets from transient to normal world 14 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Transient-execution attacks: Welcome to the world of fun! Key finding of 2018 ) Transmit secrets from transient to normal world Transient world (microarchitecture) may temp bypass architectural software intentions: Delayed exception handling Control flow prediction 14 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) Transient-execution attacks: Welcome to the world of fun! Key finding of 2018 ) Transmit secrets from transient to normal world Transient world (microarchitecture) may temp bypass architectural software intentions: CPU access control bypass Speculative buffer overflow/ROP 14 Jo Van Bulck (@jovanbulck), Daniel Gruss (@lavados) The transient-execution zoo https://transient.fail PHT-CA-IP Cross-address-space PHT-CA-OP Spectre-PHT PHT-SA-IP Same-address-space PHT-SA-OP BTB-CA-IP Cross-address-space BTB-CA-OP Spectre-BTB Spectre-type BTB-SA-IP Same-address-space