asia-17-gorka-cache side channel attack exploitability and … · 2018-05-11 · enclave llc...

CacheSideChannelAttack:ExploitabilityandCountermeasures

Gorka IrazoquiXiaofei (Rex)Guo,Ph.D.girazoki *noSPAM*wpi.edu

xiaofei.rex.guo*noSPAM*tetrationanalytics.com

WhoareWe?

• GorkaIrazoqui• PhDcandidateinWPI• InternatIntelinsummer2016• Focusonmicro-architecturalattacks

WhoareWe?

• Xiaofei (Rex)Guo• TechnicalleadatCiscoTetration Analytics

• Visibilitytoeverythingindatacenterinrealtime• Automatedanddynamicpolicygenerationandenforcement

• WorkedatIntelSecurityCenterofExcellenceandQualcommProductSecurityInitiative• IoT andmobileplatformsecurity,infrastructuresecurity,and

applicationsecurity• PhDfromNewYorkUniversity

Wedon’tspeakforouremployer.Alltheopinionsandinformationhereareourresponsibilityincludingmistakesandbadjokes.

Disclaimer

“Youmustbekidding,cacheattacksarenotpractical!”

“Youmustbekidding,cacheattacksarenotpractical!”

“Youmustbekidding,cacheattacksarenotpractical!”

“Youmustbekidding,cacheattacksarenotpractical!”

“Youmustbekidding,cacheattacksarenotpractical!”

FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES

FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES

Intel|Linux|OpenSSLRSA

FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES

Intel|Linux|OpenSSLRSA

Intel(Cross-core)|Linux(deduplication)|GnuPGRSA

FeasibilityTrend

Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA

Intel,Spark,AMD|Linux|OpenSSLAES

Intel|Linux|OpenSSLRSA

Intel(Cross-core)|Linux(deduplication)|GnuPGRSA

FeasibilityTrend

Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA

Intel,Spark,AMD|Linux|OpenSSLAES

Intel|Linux|OpenSSLRSA

Intel(Cross-core)|Linux(deduplication)|GnuPGRSA

AMD(crossCPU)|Linux|OpenSSLAESandGnuPGElGamal

FeasibilityTrend

Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA

Intel,Spark,AMD|Linux|OpenSSLAES

Intel|Linux|OpenSSLRSA

Intel(Cross-core)|Linux(deduplication)|GnuPGRSA

AMD(crossCPU)|Linux|OpenSSLAESandGnuPGElGamalARM(crosscore/CPU)|Android|BouncyCastleAES

Functionality

LLCasaSideChannel?• Caches:fastaccessmemories• WhywouldanattackeruseLLCascovertchannel?

• Cross-core• Inclusiveness• High resolution

• Setassociative:cachedividedinn-waysets• Locationinthecachedeterminedbyphysicaladdress

CacheArchitecture

Cachetag Set Byte

Offset

OffsetPhysicalPage

VirtualPage

MMU

S0S1

Sn

Cache

00001

....

....

....

tag

tag

tag

B0B0

B0

Bn

Bn

Bn

.

.

.

• Requirement1:deduplication• Identicalread-onlymemory

pagesareshared• Attackerandvictimaccessthe

sameaddress• LinuxandKVM(KSM),Vmware

(TPS)andAndroid(Zygote)• Requirement2:flush

instruction(e.g.,clflush inx86)• CVE2014-3356:Vmware

enableddeduplicationbydefault

Flush+ReloadAttack

• Attackerflushesacachedmemorylocation

Flush+ReloadAttackCache

• Attackerflushesacachedmemorylocation

Flush+ReloadAttack

Flush

Cache

• Attackerflushesacachedmemorylocation

• Victimaccesses/doesnotaccess

Flush+ReloadAttackCache

Access

• Attackerflushesacachedmemorylocation

• Victimaccesses/doesnotaccess

• Attackerre-accessesmemorylocation• Fastaccesstime->victim

accessed• Slowaccesstime->victimdidnot

access

Flush+ReloadAttack

Reload

Cache

• Pros:• Lownoise:focusononeline,

noisyprocessneedstofillanentireset

• ApplicableacrossCPUsockets!FlushinstructioninvalidatesmemoryinotherCPUs

• Worksinnon-inclusivecaches• Cons:

• Requirementmightbemetinsomescenarios

• Canonlyrecoverstaticallyallocateddata

Flush+ReloadAttackSummary

Evict+ReloadAttack

11

• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto

occupy

Evict+ReloadAttack

Evict

Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto

occupy• Attackerevicts(fillsset)

Evict+ReloadAttack

Evict

Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto

occupy• Attackerevicts(fillsset)

Evict+ReloadAttack

Cache

Access

• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto

occupy• Attackerevicts(fillsset)• Victimaccesses/doesnotaccess

Evict+ReloadAttack

Reload

Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto

occupy• Attackerevicts(fillsset)• Victimaccesses/doesnotaccess• Attackerreloads

• Fastaccesstime->victimaccessed• Slowaccesstime->victimdidnotaccess

• Pros:• Applicableinprocessorswithoutflushinstruction(e.g.mostARM

processors)

• Cons:• Canonlytargetstaticallyallocatedmemory• DealwithLLCslices(undocumented)• Onlyworkswithinclusivecaches• OnlyworksinthesameCPUsocket

Evict+ReloadAttackSummary

• Nosharedmemorypages?• Attackercanknowthesetutilized

bythevictim

• AttackerPrimes

Prime+ProbeAttack

Prime

Cache

• Nosharedmemorypages?• Attackercanknowthesetutilized

bythevictim

• AttackerPrimes• Victimaccesses/notaccesses

Prime+ProbeAttack

Cache

Access

• Nosharedmemorypages?• Attackercanknowthesetutilized

bythevictim

• AttackerPrimes• Victimaccesses/notaccesses• Attackerre-accesses

• Fastaccesstime->victimaccessed

• Slowaccesstime->victimdidnotaccess

Prime+ProbeAttack

Probe

Cache

• Pros• Doesnotneedsharedmemory!(Broaderimpact)• Cantargetstaticanddynamicallyallocatedmemory!

• Cons:• NoisierthanFlush+ Reload• DealingwithLLCslices(undocumented)• Onlyworkswithinclusivecaches• OnlyworksinthesameCPUsocket• Needtoidentifythetargetset

Prime+ProbeAttackSummary

Howtoretrieveinformation?MontgomeryladderRSA

P=0x7fffc480Physicaladdress

FlushandReload

P

Cache

Howtoretrieveinformation?

FlushandReloadCache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

FlushandReloadCache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

FlushandReload

P

Cache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

FlushandReload

P

Cache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

PrimeandProbeCache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

PrimeandProbeCache

P

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

Howtoretrieveinformation?

PrimeandProbeCache

MontgomeryladderRSA

P=0x7fffc480Physicaladdress

AttackComparison

Flush+Reload Evict+Reload Prime+Probe

RequireMemoryDeduplication

Y Y N

Requireflushinstruction

Y N N

Attackmemory type

static static static +dynamic

Noise low low high

Applicability

• VMsshareunderlyinghardware• Hardwareisolationisusuallynot

provided• ExampleRSAinAmazonEC2[INCI16]• Pros:

• OwnvirtualizedOS.Accesstotimersorhugepages

• Ifdeduplication enabled,both attacksareapplicable

• Cons:• Requiresco-residencyofVMs• Highamountofnoise

IaaS/PaaSCloudInfrastructures

Hardware

VMM

GuestOS#1 GuestOS#2

VM VM

SpyVictim

• Howtofindco-residency?• Useavailableinformation!• ProfilethetargetLLCaccesses• Doesthecachetracematchthetracewe

expect?• Ifyes,co-residency• Ifno,openmoreVMs

• Othermechanismsutilizememorybuslockingattacks

• ExampleRSAexponentiationseasilydistinguishable

IaaS/PaaSCloudInfrastructureshttprequest

0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 110000

50

100

150

200

250

timeslot

Rel

oad

time

DecryptionStart

First SecretExponent (dp)

Second SecretExponent (dq)

GuestOS#2

VM

Spy GuestOS#1

VM

Victim

Demo:AESKeyRecoveryAcrossVMs• WeutilizeKVMhypervisor• ServerusingT-tableAES(T-tables

shared)• Serverencryptingplaintextwith

unknownkey• Attackerrequestsdecryptionsand

recoversthekey• WecheckwhethertheentriesoftheT-

tableshavebeenused• WeXORwiththeciphertext afterdoing

statisticstogetthekey

0x00

• AttackerembedsJSintothewebsite• Victimaccessesthewebsite• Victim’sbrowserexecutestheJS• Example:Incognitobrowsingprofiling[OREN15]• Pros:

• Noneedtofindco-residenttarget• Attackexecutedinlocalmachine(although

sandboxed)

• Cons:• FlushandReloadcannotbeapplied• Finegraintimershardtoachieve

BrowserJavascript

Hardware

www.yyyyy.com

• SmartphoneapplicationsarelogicallyisolatedbytheOS

• However,aswithTEEs,allapplicationsutilizethehardwarecaches

• Micro-architecturalattackslookasinnocentbinaries,astheyonlyperformtimedmemoryaccesses

• Example:AESkeystealacrossapps[LIPP16]

SmartPhoneApplications

Hardware

SmartPhoneApplications• Pros:

• Deduplication isgenerallyused(e.g.Android)

• Easydeployment

• Cons• Flush instructionhastobeenabledby

SoC (onlySamsunS6fornow)• PseudoRandomReplacementpolicies

(reverseengineered)• Devicedependent algorithms (e.g.

non-inclusivecachesorlockdown)

TrustedExecutionEnvironment• Trustedexecutionenvironments

designedtoachieveisolationfromuntrustedprocesses

• Butbothtrustedanduntrustedenvironmentsaccesssamehardwarecaches!

• Enclavetoenclaveorhosttoenclaveattacksarepossible

• Example:TrustZoneAESkeysteal[BRM15]

• Example:IntelSGXRSAkeysteal[SCW17]

TEEEnclave

LLC

Untrustedprocess

DRAM

Encrypted NonEncrypted

NonEncrypted

NonEncrypted

• Pros• Higherresolution:TheOScanbe

malicious!morefinegrainresources(includingscheduling)

• Noneedtofindco-residenttarget• Limitednoise:maliciousOScan

interruptprocessesafter(virtually)everymemoryaccess

• Cons• FlushandReloadnotapplicable

(deduplicationdisabled)

TrustExecutionEnvironment

Prime

Cache

• Pros• Higherresolution:TheOScanbe

malicious!morefinegrainresources(includingscheduling)

• Noneedtofindco-residenttarget• Limitednoise:maliciousOScan

interruptprocessesafter(virtually)everymemoryaccess

• Cons• FlushandReloadnotapplicable

(deduplicationdisabled)

TrustExecutionEnvironment

Cache

Access

• Pros• Higherresolution:TheOScanbe

malicious!morefinegrainresources(includingscheduling)

• Noneedtofindco-residenttarget• Lownoise:maliciousOScaninterrupt

processesafter(virtually)everymemoryaccess

• Cons• FlushandReloadnotapplicable

(deduplicationdisabled)

TrustExecutionEnvironment

Interrupt

Cache

Probe

Countermeasures

DesignCacheLeakageFreeCode• Secretindependentinstructionaccesses• Secretindependentdataaccesses• Identificationofvariablesthatcontaininformationrelatedto

thesecret(manualinspection,taintanalysis,etc.)• Obtaincachetimingtracestocorrelatewiththesecret

variablestomeasuretheleakage

Collectcachetiming

informationCorrelation

Identifysecret

dependentaccess

Design

DesignCacheLeakageFreeCodeCVE-2016-7439

DesignCacheLeakageFreeCode

secretdependentinstructionaccess

CVE-2016-7439

DesignCacheLeakageFreeCode

Secretindependentinstructionaccess

CVE-2016-7439

DesignCacheLeakageFreeCode

Secretindependentinstructionaccess

Secretdependentdataaccess

CVE-2016-7439

DesignCacheLeakageFreeCode

Secretindependentinstructionaccess

Secretindependentdataaccess

PageColoring• AvoidingcollisionsintheLLC• LocationinLLCdeterminedbyphysicaladdress• Giveeachuseracolor(addressbits)

00xxxxxx

01xxxxxx

10xxxxxx

11xxxxxx

DRAM

c

LLCPhysicaladdress

Users

CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]

Lock

Cache

CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]

CachePrime

CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]

CacheProbe

BehaviorDetection• HardwarePerformanceCounters(HPCs)cantrackhardware

events(e.g.LLCmisses)• LLCattacksleaveacleartraceintermsofcachemisses/hits• Hypervisor/OStracksthiseventstodetectunusualbehavior• Detectioncanbeimprovedbyinspectingmemoryaccess

HardwareHPCs

GuestOS(Process) GuestOS(Process)

Hypervisor (OS)Detection

CountermeasureComparison(Requirements)

LeakageFreeCode

PageColoring IntelCAT BehaviorDetection

Require sourcecodechange

Y N N N

Require OS(hypervisor)update

N Y Y Depends

Require newhardware

N N Y N

CountermeasureComparison(Coverage)

LeakageFreeCode

PageColoring IntelCAT BehaviorDetection

IaaS/PaaS Y Y Depends Y

Javascript inbroswer

Y Depends Depends Y

Smartphone Y Y Depends Y

TEE Y N N N

KeyTakeaways• Cache attacks are complex but a real threat!• Flush+Reload, Evict+Reload, Prime+Probe• IaaS/PaaS, web browsers, smartphones, TEE,...What

else?• Call to action:

• Application level: introduce cache leakage free code design• Hypervisor/OS level: page coloring for cache isolation• System level: use software to leverage hardware features (Intel

CAT, performance counters)

[INCI16]Inci,M.,Gulmezoglu,B.,Irazoqui,G.,Eisenbarth,T.,Sunar,B.CacheAttacksEnableBulkKeyRecoveryontheCloud.CHES2016

[OREN15]Oren,Y.,Kemerlis,V.,Sethumadhavan,S,Keromytis,A.TheSpyintheSandbox:PracticalCacheAttacksinJavaScriptandtheirImplications.ACMCCS2015

[BRM15]Brumley,B.CacheStorageAttacks.CT-RSA2015[SCW17]Schwarz,M.,Weiser,S.,Gruss,D.,Maurice,C.,Mangard,S.Malware

GuardExtension:UsingSGXtoConcealCacheAttacks.Arxiv 2017[LIPP16]Lipp,M.,Gruss,D.,Spreitzer,R.,Maurice,C.,Mangard,S.

ARMageddon:CacheAttacksonMobileDevices.USENIX2016[LIU16]Liu,F.,Yarom,Y.,Mckeen,F.,Rozas,C.,Heiser,G.,LeeR.CATalyst:

Defeatinglast-levelcachesidechannelattacksincloudcomputing.HPCA2016

References