[投影片錯誤更正] p.43 中間32數字改成64。右上藍色小框64改成63
原本要整理Meltdown與Spectre,但這兩個所利用的硬體行為之後都跟cache side channel有關係,所以閱讀Meltdown與Spectre之餘,就整理了相關cache side channel攻擊與防禦。
回饋問題:
一: 為什麼LLC要切割成LLC slice?
"Modern Intel processors, starting with the Sandy Bridge microarchitecture, use a more complex architecture for the LLC, to improve its performance. The LLC is divided into per-core slices, which are connected by a ring bus. Slices can be accessed concurrently and are effectively separate caches, although the bus ensures that each core can access the full LLC (with higher latency for remote slices)."
二: flush+reload with shared memory pages,為什麼要 flush+reload? 不是可以直接存取到資料?
討論的是共用shared library,洩漏victim使用shared library的情形。
三: RDTSCP ?
可量測執行指令的cycle數。
四: side channel攻擊需要環境運作的程式不能太複雜?
Kuon: 實際案例 embed運作環境並不複雜,e.g. trustzone上可能只運作openSSL。
AJ: 就算在複雜環境,可以找到觸發Victim的特定運算點,也是可以進行觀測。
8. VIVT: Virtually
indexed, virtually
tagged
* Fast
* Virtual Tag is not
unique (Context
switches)
* Shared memory
more than once in
cache
PIPT: Physically
indexed, physically
tagged
* Slow (TLB lookup
for index)
* Shared memory
only once in cache!
[5]
9. PIVT: Physically
indexed, virtually
tagged
* Slow (TLB lookup for
index)
* Virtual Tag is not
unique (Context
switches)
* Shared memory
more than once in
cache
VIPT: Virtually indexed,
physically tagged
* Fast
* 4 KiB pages: last 12
bits of VA and PA are
equal
* Using more bits has
disadvantages (like VIVT)
! Cache size # ways
page size
[5]
21. Flush+Reload
step 0: attacker maps shared library ! shared memory, shared in cache
step 1: attacker flushes the shared line
[5]
22. Flush+Reload
step 0: attacker maps shared library ! shared memory, shared in cache
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
[5]
23. Flush+Reload
step 0: attacker maps shared library ! shared memory, shared in cache
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
step 3: attacker reloads data ! fast access if the victim loaded the line
[5]
31. Prime+Probe
step 0: attacker fills the cache (prime)
step 1: victim evicts cache lines while performing encryption
step 2: attacker probes data to determine if the set was accessed
[5]
32. Prime+Probe
[5]
step 0: attacker fills the cache (prime)
step 1: victim evicts cache lines while performing encryption
step 2: attacker probes data to determine if the set was accessed
33. Typically, 如何利用cache side channel
來達到information leakage
Prime+Probe在icache中,依照時間序列知道某cache set中的cache lines在
做存取,所以可以推敲出 ei 序列。
38. 好像很簡單?
困難: reverse-engineer some cache for finding
eviction set to occupy exactly one cache set
• VM (guest-VA guest-PA L1 L2 L3
PA)
• Browser (Typed Array Specification VA L1
L2 L3 PA)
• TrustZone (VA L1 L2 L3 PA)
39. cache L1
[6][9]
VIPT controlled VA
L3 PIPT not-controlled VA
slow
large(2MB) page mode 4 KB page mode
controlled VA
all the index bits are
within the page offset
the same set index bits may be
located in different LLC slices
41. cache L1
[6][9]
VIPT controlled VA
L3 PIPT not-controlled VA
slow
large(2MB) page mode 4 KB page mode
8MB “eviction buffer” of physical
memory will completely invalidate
all cache sets in the L3 cache
8192 cache sets in 131K offsets
(8MB/64bytes)
slow
42. 06111863 17
• 0-11 -> 4kb page mode
• 6-18 -> cache set index
• 17-63 -> are hashed to form the upper 2
bits of the cache index (4 slice)
fixing some subset of the 131K offsets
43. 4KB
00 01 64
32
64b
06111863 17 5
8MB
4KB
4KB
…000000000000
…000001000000
2^(18-11) cache set in
2^(18-11) cache sets in
…0000000000000
…1000000000000
有可能cache contention
cache contention
45. Side Channel Attacks of Address
Translation Cache
“Double page fault attack, where an unprivileged attacker
tries to access an inaccessible kernel memory location,
triggering a page fault. After the page fault interrupt is
handled by the operating system, the control is handed back
to an error handler in the user program. The attacker
measures the execution time of the page fault interrupt. If the
memory location is valid, regardless of whether it is accessible
or not, address translation table entries are copied into the
corresponding address translation caches. The attacker then
tries to access the same inaccessible memory location again. If
the memory location is valid, the address translation is
already cached and the page fault interrupt will take less time.
Thus, the attacker learns whether a memory location is valid
or not, even if it is not accessible from the user space.”
[3]
借助OS處理能力與page table共用特性
48. The reverse engineered BTB addressing scheme in the
HasWell processor
[7]
In particular, the kernel code must be aligned at
2MB boundaries.
To find a collision
49. [7]
As a result, only the Page Directory Entry (PDE) bits (9 bit)of virtual
addresses are randomized (512 possible)
54. Countermeasure for Cache Side-
Channel attacks
• Less accurate timer
• Page coloring
– Avoiding collisions in the LLC; Location in LLC determined
by physical address; Give each user a color (address bits);
• Behavior detection
– Hardware Performance Counters (HPCs) can track
hardware events (e.g. LLC misses)
• Design cache leakage free code (e.g. Square-and-
Multiply exponentiation)
• disable cache-line sharing
– Intel Cache Allocation Technology
[7][15]
55. Countermeasure for Side Channel
Attacks of Address Translation Caches
• Shadow Address Space
• 只是user kernel共用的page table分開,並把kennel page table藏起來。
效果會是kernel藏起來,但其實還是在physical memory中)
• 不是使用TLB flush,而是使用Disable the PTE global bits
[3]
58. Reference
• [0] “Negative Result: Reading Kernel Memory From User Mode”, July 28, 2017,
https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/
• [1] “Broadcom Bares Muscular ARM”,
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=95215022
• [2] “Practical Timing Side Channel Attacks Against Kernel Space ASLR”, 19-22 May 2013,
http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
• [3] “KASLR is Dead: Long Live KASLR”, 24 June 2017
https://misc0110.net/web/files/kaiser_slides.pdf, https://gruss.cc/files/kaiser.pdf
• [4] ] “ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A”,
http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG.
pdf
• [5] “Cache Side-Channel Attacks and the case of Rowhammer”, April 28, 2016,
https://gruss.cc/files/cache_and_rowhammer_ruhrsec.pdf
• [6] “Last-Level Cache Side-Channel Attacks are Practical”, 17-21 May 2015
http://palms.ee.princeton.edu/system/files/SP_vfinal.pdf,
https://pdfs.semanticscholar.org/81f6/c43188a2308b36a0c47570f7e7ec19cc20e1.pdf
• [7] “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, 15-19 Oct. 2016
http://ieeexplore.ieee.org/document/7783743/
• [8] “TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices”,
2016, https://eprint.iacr.org/2016/980.pdf
59. Reference
• [9] “The Spy in the Sandbox -- Practical Cache Attacks in Javascript and their Implications ”, 1 Mar
2015, http://www.cs.columbia.edu/~simha/spyjs.ccs15.pdf, https://arxiv.org/pdf/1502.07373.pdf
• [10] “Malware Guard Extension: Using SGX to Conceal Cache Attacks”, 1 Mar 2017 ,
https://arxiv.org/pdf/1702.08719.pdf
• [11]” DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX”, August 3, 2016,
https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-
Layout-Randomization-KASLR-With-Intel-TSX.pdf
• [12] “ASLR on the Line: Practical Cache Attacks on the MMU”,2017 ,
http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf
• [13] “Covert shotgun: Automatically finding covert channels in SMT”, September 27, 2016 ,
https://cyber.wtf/2016/09/27/covert-shotgun/,
https://www.youtube.com/watch?v=oVmPQCT5VkY [presentation]
• [14] “Cache Side Channel Attack: Exploitability and Countermeasures”, 2017,
https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack-
Exploitability-And-Countermeasures.pdf
• [15] “Cache side channel attacks”, What Stone dream about: Cache side channel attacks,
http://dreamsofastone.blogspot.tw/2015/09/cache-side-channel-attacks.html
• [16] “Meltdown and Spectre”, 2017, https://meltdownattack.com/