This research discusses microarchitectural replay attacks, where an attacker leverages speculative execution to repeatedly replay a snippet of victim code that runs only once. The paper explores how attackers can extract secrets through these attacks and introduces a framework called MicroScope to exploit such vulnerabilities. It delves into topics like time, latency, event handling, and the clear state squash event in speculative execution of secrets.

MicroScope: Enabling Microarchitectural Replay Attacks
Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher
University of Illinois at Urbana-Champaign

The Era of Side-Channels
[Figure: processor diagram (core with branch predictor, ROB, TLB, ALU, FPU, LSQ, scheduler ports 0-3, I-L1 and D-L1, L2, L3, main memory) annotated with side-channel attacks: PortSmash'18, Non-Inclusive LLC'19, TLBleed'18, Spectre'18, Branch Predictors'16, SGX Prime+Probe [13], Subnormal FPU'15, TLB Contention'13, DRAMA'16, 4K-Aliasing'18]

How much can leak over side channels?
Victim:
  if (secret)
    use resource
  else
    don't use resource
Attacker:
  for ..
    t1 = time()
    use resource
    t2 = time()
• Need repeated measurements to be confident (denoise)
• However, many applications run only once: attacker gets 1 measurement
• Can attackers really extract secrets?

Contribution: Microarchitectural Replay Attacks
• Attacker leverages speculative execution
• To repeatedly replay a snippet of victim code
• That runs only once
Together: a primitive to denoise arbitrary side channels
Victim:
  ld addr     // "replay handle": memory operation that will cause a squash and re-execute
  …
  ld secret   // secret the attacker tries to leak

Contribution: Microarchitectural Replay Attacks (timeline)
[Figure, built up over four slides; events along the time axis]
ld addr: Issue Replay Handle → Long Latency Event → Clear State, Squash Event
ld secret: Speculative Execution of Secret → Squash → Replay!!
Attacker: Cause Shared Resource Contention & Monitor
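
Added example, not part of the original slides or the authors' code: a constructed simulation of why one noisy timing sample says little about the secret, and how averaging over replays of the same one-shot execution removes the noise. BASE, DELTA, SIGMA and all function names are assumptions chosen for illustration, not measured values.

```python
import math
import random

# Constructed timing model (assumption, not measured data): the attacker's
# probe takes BASE cycles on average, plus DELTA when the victim's transmitter
# contends for the same resource, with Gaussian noise of std-dev SIGMA.
BASE, DELTA, SIGMA = 100.0, 4.0, 20.0
THRESHOLD = BASE + DELTA / 2  # midpoint decision boundary


def probe(secret, rng):
    """One noisy timing sample taken while the victim snippet executes."""
    return rng.gauss(BASE + (DELTA if secret else 0.0), SIGMA)


def guess(secret, replays, rng):
    """Average `replays` samples of the same execution, then threshold."""
    mean = sum(probe(secret, rng) for _ in range(replays)) / replays
    return mean > THRESHOLD


def empirical_accuracy(replays, trials=2000, seed=1):
    """Fraction of trials in which the thresholded mean recovers the bit."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        secret = rng.random() < 0.5
        correct += guess(secret, replays, rng) == secret
    return correct / trials


def analytic_accuracy(replays):
    """Phi(DELTA * sqrt(n) / (2 * SIGMA)): averaging shrinks noise by sqrt(n)."""
    z = DELTA * math.sqrt(replays) / (2 * SIGMA)
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))


if __name__ == "__main__":
    # 1 sample = victim code observed once; larger n = same code replayed.
    for n in (1, 25, 400):
        print(n, round(empirical_accuracy(n), 3), round(analytic_accuracy(n), 3))
```

With these constructed parameters a single measurement is barely better than a coin flip, which is the protection a run-once victim normally relies on and which replay takes away.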

Page Tables Background
• Page tables stored in memory
• On a TLB miss: "page walk" = memory accesses
• Each step of page walk = cache hit/miss
• Page walk cache (PWC): hardware cache of translations
• If Present bit in pte_t is cleared: page fault, invoke OS
[Figure: four-level page walk of virtual address A, starting from CR3 and going through PGD (pgd_t), PUD (pud_t), PMD (pmd_t) and PTE (pte_t), ending in a TLB entry]

Trusted Computing with SGX
• Designed to run sensitive applications in the cloud
• Do not trust OS/Hypervisor
• OS/Hypervisor cannot introspect/tamper enclave
• Unfortunately, OS/Hypervisor still manages demand paging
[Figure: attack surface with enclaves, shown on a stack of Apps, Operating System, Hypervisor, Hardware]

Threat Model
In SGX the OS is responsible for:
• Demand paging
Attacker (OS) can:
• Evict TLB entries
• Evict page walk cache entries
• Monitor side channels

MicroScope: A framework to exploit microarchitectural replay attacks

Attack Examples
Victim Code:
  // public address
  handle(pub_addr);
  ...
  transmit(secret);
  ...
Loop Victim Code:
  for i in ...
    handle(pub_addrA);
    ...
    transmit(secret[i]);
    ...
    memOp(pub_addrB);
    ...

Terminology
Victim Code:
  // public address
  handle(pub_addr);
  ...
  transmit(secret);
  ...
• Replay handle:
  • Load to a public address (known to OS)
• Transmitter:
  • Any instruction(s) whose execution reveals secret through some side channel
  • Occurs < ROB length from Replay Handle

Timeline of a MicroScope Attack
[Figure, built up over successive slides; attacker and victim events along the time axis]
Attack setup (attacker):
• Clear PTE Present bit of replay handle
• Flush replay handle page table entries
• Flush replay handle TLB entry
Victim, handle(pub_addr): Issue Replay Handle → L1 TLB Miss → L2 TLB Miss → PWC Miss → PGD Walk → PUD Walk → PMD Walk → PTE Walk → Page Fault → OS Invocation
• Tune speculative execution duration with: cache hit or miss
Victim, transmit(secret): Speculative Execution of Transmitter → Squash → Replay!!
Attacker, page fault handler:
• Flush replay handle page table entries
Attacker monitor/contention thread:
• Cause Shared Resource Contention & Monitor

Loop Example
Victim:
  for i in ...
    handle(pub_addrA);
    ...
    transmit(secret[i]);
    ...
    memOp(pub_addrB);
    ...
• Goal:
  • Leak secret in every iteration
• Challenge:
  • Monitor window of a replay handle < ROB length

Loop Example
Victim:
  for i in ...
    handle(pub_addrA);      // replay handle
    ...
    transmit(secret[i]);    // transmit code
    ...
    pivot(pub_addrB);       // pivot instruction
    ...
• Pivot: instruction used to pivot around transmit instructions

In a Loop
[Figure, built up over five slides: static code (the loop with handle, transmit and pivot) beside dynamic code (the loop unrolled), with legend Transmit Code / Pivot Instruction / Replay Handle]
Dynamic code:
  handle(pub_addrA); ... transmit(secret[0]); ... pivot(pub_addrB); ...    // iteration i=0
  handle(pub_addrA); ... transmit(secret[1]); ... pivot(pub_addrB);        // iteration i=1
Annotations, in slide order:
• Monitor window (iteration i=0)
• Pivot page fault
• Retired instructions; cause page fault on pivot
• Retired instructions; cause page fault in new replay handle
• New monitor window
• Use this idea to denoise side channels on AES (see paper)

Port Contention Attack with MicroScope
Victim (no loop!):
  handle(pub_addrA);      // replay handle
  if (secret)
    victim_mul()          // transmit code
  else
    victim_div()
Attacker:
  Setup replay attack
  …
  for … {
    t1 = time()
    attacker_div()        // attacker code
    t2 = time()
  }
[Figure, built up over four slides: victim thread and attacker thread pass through Decode and share the execution units FP DIV and INT ALU; residual figure labels: 10,000 and 1]

Port Contention Results
• Victim and attacker run on adjacent SMT contexts of same core
• Attacker performs divisions in a loop and measures time
• Victim performs two multiplications without a loop
• Victim performs two divisions without a loop