Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CPU vulnerabilities - where are we now?

9 views

Published on

Manuel Wiesinger in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology
  • Be the first to comment

  • Be the first to like this

CPU vulnerabilities - where are we now?

  1. 1. CPU Vulnerabilities Where are we now? Manuel Wiesinger mwiesinger@sba-research.at
  2. 2. What happened so far? 2018 Spectre V1,V2,V3 (M eltdow n) Jan.
  3. 3. What happened so far? 2018 Spectre V1,V2,V3 (M eltdow n) Jan. Firstreportsofexperim entalexploitation Feb.
  4. 4. What happened so far? 2018 Spectre V1,V2,V3 (M eltdow n) Jan. Firstreportsofexperim entalexploitation Feb. BranchScope M ar. Spectre V3a,Spectre V4 M ay LazyFP,SGX Spectre Jun. Spectre1.1,Spectre1.2,NetSpectre,ret2spec,SpectreRSB Jul. L1TFSGX,L1TFOS/SM M ,L1TFVM M ,Labeled Aug.
  5. 5. What happened so far? 2018 Spectre V1,V2,V3 (M eltdow n) Jan. Firstreportsofexperim entalexploitation Feb. BranchScope M ar. Spectre V3a,Spectre V4 M ay LazyFP,SGX Spectre Jun. Spectre1.1,Spectre1.2,NetSpectre,ret2spec,SpectreRSB Jul. L1TFSGX,L1TFOS/SM M ,L1TFVM M ,Labeled Aug. Yetanotherone! Oct. 2
  6. 6. Impact • Allows data extraction from arbitrary local memory (!) 3
  7. 7. Impact • Allows data extraction from arbitrary local memory (!) • Exploitable from JavaScript environments (websites!!) 3
  8. 8. Impact • Allows data extraction from arbitrary local memory (!) • Exploitable from JavaScript environments (websites!!) • Via the network (!!!) 3
  9. 9. Impact • Allows data extraction from arbitrary local memory (!) • Exploitable from JavaScript environments (websites!!) • Via the network (!!!) 3
  10. 10. Who can feel safe? • Nobody using computers built after 1995. ◦ Any CPU manufacturer ◦ Any operating system ◦ Any Device type • Don’t trust the memory! 4
  11. 11. How can we fix CPU vulnerabilities ?
  12. 12. Can software fix this?Do we need to throw all our computers away? 5
  13. 13. 6
  14. 14. Attack Limitations • Difficult — conventional attacks typically easier 7
  15. 15. Attack Limitations • Difficult — conventional attacks typically easier • Via the network ◦ Works only under laboratory conditions ◦ Slow (15 bit / hour) 7
  16. 16. Attack Limitations • Difficult — conventional attacks typically easier • Via the network ◦ Works only under laboratory conditions ◦ Slow (15 bit / hour) — Still: extract a 256 bit key in ∼ 17 hours 7
  17. 17. Attack Limitations • Difficult — conventional attacks typically easier • Via the network ◦ Works only under laboratory conditions ◦ Slow (15 bit / hour) — Still: extract a 256 bit key in ∼ 17 hours • Mitigations on the way ◦ Partly already deployed via microcode and OS upgrades 7
  18. 18. Fixes for CPU-Vulnerabilities Name CVE Aliases CVSS Impact Fix available Spectre V1 2017-5753 Bounds Check Bypass 5.6 Memory Microcode/Browser/OS Spectre V2 2017-5715 5.6 Memory Microcode/Compiler ? Spectre V3 2017-5754 Meltdown 5.6 Kernel memory OS Spectre V3a 2018-3640 Spectre V3a (RSRE) 5.6 Register data Microcode? Spectre V4 2018-3639 Speculative Store Bypass (SSB) 5.5 Memory OS Spectre V5 N/A ret2spec 5.5 Memory Browser? SpectreRSB N/A N/A Memory OS Lazy FP 2018-3665 5.6 Registers OS Spectre1.1 2018-3693 5.6 Kernel memory OS Spectre1.2 N/A N/A Kerslidesmory OS L1TF: SGX 2018-3615 Foreshadow (SGX) 6.4 SGX enclaves Microcode L1TF: OS/SMM 2018-3620 Foreshadow-NG (OS) 5.6 Kernel memory Microcode L1TF: VMM 2018-3646 Foreshadow-NG (VMM) 5.6 Kernel memory Microcode BranchScope 2018-9056 5.6 VM memory Microcode? SGXPectre N/A N/A SGX enclaves Microcode? NetSpectre N/A N/A Remote memory OS? TLBleed N/A N/A Microcode? 8
  19. 19. We do not know what else is out there! 9
  20. 20. How do CPU vulnerabilities work?
  21. 21. Two Basic Terms • Side-channel ◦ Passive ◦ E.g Timing analysis, or even acoustic analysis 10
  22. 22. Two Basic Terms • Side-channel ◦ Passive ◦ E.g Timing analysis, or even acoustic analysis • Covered Channel ◦ Active ◦ E.g. Trojan Horse 10
  23. 23. CPU-Caches CPU CPU-Cache ← data → command → address → 11
  24. 24. Hyper-Threading CPU
  25. 25. Hyper-Threading CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
  26. 26. Hyper-Threading CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE
  27. 27. Hyper-Threading CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE
  28. 28. Hyper-Threading CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 12
  29. 29. Speculative Execution CPU
  30. 30. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
  31. 31. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE
  32. 32. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache
  33. 33. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache ? ? ? ? ? ”I try to guess, so I’m faster!”
  34. 34. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache ? ? ? ? ? ”I try to guess, so I’m faster!”
  35. 35. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache ? ? ? ? ? ”I try to guess, so I’m faster!”
  36. 36. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache ? ? ? ? ? ”I try to guess, so I’m faster!”
  37. 37. Speculative Execution CPU Process 1 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 Process 2 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE 0xAE CPU-Cache ? ? ? ? ? ”I try to guess, so I’m faster!” 13
  38. 38. Hands on! — Meltdown
  39. 39. Hands on! — Meltdown 1. Access data D at an illegal address — get’s executed speculatively 2. Make an address A of the data D — just a shl 3. Load data at address A 4. Program crashes 5. Do some tricks (e.g. fork) 6. Probe access time to A to learn if it is cached 7. Now we know that an address based on D is cached 8. Revert step 2 to get the data 14
  40. 40. How can you protect yourself? 15
  41. 41. How can you protect yourself? • As always: Apply Security-Updates! 15
  42. 42. How can you protect yourself? • As always: Apply Security-Updates! • Don’t trust the memory! 15
  43. 43. How can you protect yourself? • As always: Apply Security-Updates! • Don’t trust the memory! ◦ Overwrite critical data! 15
  44. 44. How can you protect yourself? • As always: Apply Security-Updates! • Don’t trust the memory! ◦ Overwrite critical data! ◦ C: explicit_bzero() 15
  45. 45. How can you protect yourself? • As always: Apply Security-Updates! • Don’t trust the memory! ◦ Overwrite critical data! ◦ C: explicit_bzero() ◦ Java: char[] 15
  46. 46. How can you protect yourself? • As always: Apply Security-Updates! • Don’t trust the memory! ◦ Overwrite critical data! ◦ C: explicit_bzero() ◦ Java: char[] ◦ Python, Go, and co. (essentially all garbage collecting languages with immutable strings): No guaranteed solution. 15
  47. 47. Questions? 16
  48. 48. Backup Slides
  49. 49. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 17
  50. 50. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 18
  51. 51. Meltdown 1 retry: 2 mov al, byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 19
  52. 52. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax, 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 20
  53. 53. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 21
  54. 54. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx , qword [rbx + rax] 22
  55. 55. Meltdown 1 retry: 2 mov al , byte [rcx] 3 shl rax , 0xc 4 jz retry 5 mov rbx, qword [rbx + rax] 23

×