software-based microarchitectural attacks · 2020-01-15 · software-based microarchitectural...
TRANSCRIPT
![Page 1: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/1.jpg)
www.iaik.tugraz.at
Software-basedMicroarchitectural AttacksDaniel GrussIAIK, Graz University of Technology
June 14, 2017 — PhD Defense
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense1
![Page 2: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/2.jpg)
www.iaik.tugraz.at
Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense2
![Page 3: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/3.jpg)
www.iaik.tugraz.at
Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense2
![Page 4: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/4.jpg)
www.iaik.tugraz.at
Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense2
![Page 5: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/5.jpg)
www.iaik.tugraz.at
Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense2
![Page 6: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/6.jpg)
www.iaik.tugraz.at
Thesis in numbers
32 months
10 invited talks and presentations at international venues
13 publications co-authored (7 times tier 1)
6 included in thesis (3 times tier 1)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense2
![Page 7: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/7.jpg)
National Geographic
![Page 8: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/8.jpg)
www.iaik.tugraz.at
Software-based Side-Channel Attacks
security and privacy rely on secrets (unknown to attackers)
secrets can leak through side channels
software-based → no physical access
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense4
![Page 9: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/9.jpg)
www.iaik.tugraz.at
Software-based Side-Channel Attacks
security and privacy rely on secrets (unknown to attackers)
secrets can leak through side channels
software-based → no physical access
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense4
![Page 10: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/10.jpg)
www.iaik.tugraz.at
Plan (from March 2015)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense5
![Page 11: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/11.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory
F+R in JS
F+R on ARM
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 12: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/12.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory
F+R in JS
F+R on ARM
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 13: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/13.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory
F+R in JS
F+R on ARM
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 14: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/14.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory
Rowhammer.js
F+R on ARM
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 15: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/15.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
F+R on Memory
Rowhammer.js
ARMageddon
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 16: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/16.jpg)
www.iaik.tugraz.at
Plan (how it worked out)
P+P
F+R
Page Dedup.
P+P in JS
CTA
Page Dedup. in JS
DRAMA
Rowhammer.js
ARMageddon
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense6
![Page 17: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/17.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 18: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/18.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 19: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/19.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Dedup.js
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 20: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/20.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Dedup.js
RH.js
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 21: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/21.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Dedup.js
RH.js
F+F
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 22: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/22.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Dedup.js
RH.js
F+F
ARMageddon
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 23: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/23.jpg)
www.iaik.tugraz.at
Relation of the papersminimization of requirements
automation of attacksnovel side channels
CTA
Dedup.js
RH.js
F+F
ARMageddon
Prefetch
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense7
![Page 24: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/24.jpg)
www.iaik.tugraz.at
1. Introduction
2. Background
3. Contributions
4. Conclusion
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense8
![Page 25: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/25.jpg)
www.iaik.tugraz.at
CPU Caches
buffer frequently used slow memory for the fast CPU
every memory reference goes through the cache
transparent to OS and programs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense9
![Page 26: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/26.jpg)
www.iaik.tugraz.at
Memory Access Latency
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense10
![Page 27: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/27.jpg)
www.iaik.tugraz.at
Memory Access Latency
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense10
![Page 28: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/28.jpg)
www.iaik.tugraz.at
A simple cache
Memory Address Cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense11
![Page 29: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/29.jpg)
www.iaik.tugraz.at
A simple cache
Memory Address CacheOffset
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense11
![Page 30: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/30.jpg)
www.iaik.tugraz.at
A simple cache
Memory Address CacheOffsetIndex
2n cache sets
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense11
![Page 31: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/31.jpg)
www.iaik.tugraz.at
A simple cache
Memory Address CacheOffsetIndexTag
2n cache sets
Way 2 Tag Way 2 DataWay 1 Tag Way 1 Data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense11
![Page 32: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/32.jpg)
www.iaik.tugraz.at
Date and Instruction Caches
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ring bus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
last-level cache:
shared
inclusive
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense12
![Page 33: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/33.jpg)
www.iaik.tugraz.at
Date and Instruction Caches
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ring bus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
last-level cache:
shared
inclusive
→ shared memory shared is incache, across cores!
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense12
![Page 34: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/34.jpg)
www.iaik.tugraz.at
Date and Instruction Caches
core 0
L1
L2
core 1
L1
L2
core 2
L1
L2
core 3
L1
L2 ring bus
LLCslice 0
LLCslice 1
LLCslice 2
LLCslice 3
last-level cache:
shared
inclusive
→ shared memory shared is incache, across cores!
function maps addresses to slices (Maurice, Le Scouarnec, et al. 2015)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense12
![Page 35: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/35.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense13
![Page 36: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/36.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
cached cached
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense13
![Page 37: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/37.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
flushes
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense13
![Page 38: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/38.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
loads data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense13
![Page 39: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/39.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
reloads data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense13
![Page 40: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/40.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense14
![Page 41: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/41.jpg)
Cache Template Attack Demo
![Page 42: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/42.jpg)
www.iaik.tugraz.at
Cache Template
AD
DR
ES
S
KEYg h i j k l m n o p q r s t u v w x y z
0x7c6800x7c6c00x7c7000x7c7400x7c7800x7c7c00x7c8000x7c8400x7c8800x7c8c00x7c9000x7c9400x7c9800x7c9c00x7ca000x7cb800x7cc400x7cc800x7ccc00x7cd00
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense16
![Page 43: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/43.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense17
![Page 44: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/44.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address Space
Physical Address Space
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 45: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/45.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 46: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/46.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 47: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/47.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 48: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/48.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 49: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/49.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Attacker generatesa page suspectedin victim process
Victim
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 50: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/50.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 51: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/51.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
Attacker waitsfor deduplication
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 52: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/52.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
Attacker waitsfor deduplication
t = time();p[0] = p[0];∆ = time() - t;
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 53: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/53.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 54: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/54.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 55: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/55.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 56: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/56.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 57: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/57.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 58: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/58.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 59: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/59.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 60: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/60.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 61: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/61.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 62: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/62.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 63: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/63.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 64: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/64.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 65: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/65.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 66: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/66.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 67: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/67.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 68: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/68.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 69: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/69.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 70: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/70.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 71: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/71.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 72: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/72.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 73: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/73.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 74: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/74.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 75: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/75.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 76: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/76.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
measure
∆
∆inµs
Time0
4
6=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 77: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/77.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
=
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 78: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/78.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 79: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/79.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 80: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/80.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
write and measure ∆
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 81: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/81.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
write and measure ∆
copy
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 82: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/82.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
write
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 83: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/83.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 84: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/84.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 85: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/85.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 86: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/86.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 87: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/87.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 88: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/88.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 89: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/89.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 90: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/90.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 91: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/91.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 92: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/92.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 93: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/93.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 94: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/94.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 95: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/95.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 96: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/96.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 97: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/97.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 98: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/98.jpg)
www.iaik.tugraz.at
Page Deduplication Attack
Virtual Address SpaceJavaScript
Physical Address Space
Victim
∆inµs
Time0
4
Attacker learns thatanother process had
an identical page
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense18
![Page 99: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/99.jpg)
www.iaik.tugraz.at
Our Attack
First page deduplication attack which
detects CSS files/images on websites,
runs in JavaScript (no rdtsc, no addresses),
runs on KVM, Windows 8.1 and Android.
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense19
![Page 100: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/100.jpg)
www.iaik.tugraz.at
Detect Image (JavaScript, Cross-VM, KVM)
500 1,000 1,500 2,000 2,500 3,000 3,500102
103
104
105
Page
Nan
osec
onds
Image not loaded Image loaded
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense20
![Page 101: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/101.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense21
![Page 102: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/102.jpg)
www.iaik.tugraz.at
Rowhammer
Rowhammer: DRAM bug that causes bit flips (Kim et al. 2014)
Bug used in security exploits (Seaborn 2015)
Only non-cached accesses reach DRAM
Very similar to Flush+Reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense22
![Page 103: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/103.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 104: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/104.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 105: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/105.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 106: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/106.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 107: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/107.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 108: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/108.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
reload
reload
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 109: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/109.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 110: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/110.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 111: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/111.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 112: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/112.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 113: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/113.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 114: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/114.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 115: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/115.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
clflush
clflush
wait for it. . .
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 116: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/116.jpg)
www.iaik.tugraz.at
Rowhammer (with clflush)
DRAM bank
cache set 2
cache set 1
reload
reload
bit flip!
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense23
![Page 117: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/117.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 118: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/118.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 119: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/119.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 120: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/120.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 121: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/121.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1lo
ad
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 122: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/122.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 123: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/123.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 124: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/124.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1lo
ad
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 125: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/125.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
load
load
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 126: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/126.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
reload
reload
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 127: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/127.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
repeat!
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 128: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/128.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
reload
reload
wait for it. . .
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 129: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/129.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
DRAM bank
cache set 2
cache set 1
bit flip!
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense24
![Page 130: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/130.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
Challenges:
1. How to get accurate timing (in JS)?
2. How to get physical addresses (in JS)?
3. Which physical addresses to access?
4. In which order to access them?
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense25
![Page 131: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/131.jpg)
www.iaik.tugraz.at
Rowhammer without clflush
Challenges:
1. How to get accurate timing (in JS)? → easy
2. How to get physical addresses (in JS)? → easy
3. Which physical addresses to access? → already solved
4. In which order to access them? → our contribution
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense25
![Page 132: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/132.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 133: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/133.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 134: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/134.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 135: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/135.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4
load
9
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 136: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/136.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 49
load
10
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 137: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/137.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910
load
11
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 138: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/138.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11load
12
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 139: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/139.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11 12
load
13
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 140: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/140.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11 1213
load
14
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 141: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/141.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11 1213 14
load
15
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 142: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/142.jpg)
www.iaik.tugraz.at
Replacement policy on older CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11 1213 1415
load
16
LRU replacement policy: oldest entry first
timestamps for every cache line
access updates timestamp
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense26
![Page 143: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/143.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 144: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/144.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4
load
9
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 145: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/145.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 49
load
10
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 146: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/146.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910
load
11
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 147: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/147.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 11
load
12
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 148: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/148.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112
load
13
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 149: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/149.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112 13
load
14
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 150: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/150.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112 1314load
15
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 151: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/151.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112 1314 15load
16
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 152: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/152.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112 1314 1516
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 153: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/153.jpg)
www.iaik.tugraz.at
Replacement policy on recent CPUs
“LRU eviction” memory accesses
cache set 2 5 8 1 7 6 3 4910 1112 1314 1516
no LRU replacement
only 75% success rate on Haswell
more accesses → higher success rate, but too slow
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense27
![Page 154: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/154.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D ; s += L )
for (c = 0; c <= C ; c += 1)
for (d = 0; d <= D ; d += 1)
*a[s+d];
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense28
![Page 155: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/155.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D ; s += L )
for (c = 0; c <= C ; c += 1)
for (d = 0; d <= D ; d += 1)
*a[s+d];
S: total number of differentaddresses (= set size)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense28
![Page 156: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/156.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D ; s += L )
for (c = 0; c <= C ; c += 1)
for (d = 0; d <= D ; d += 1)
*a[s+d];
S: total number of differentaddresses (= set size)
D: different addresses perinner access loop
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense28
![Page 157: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/157.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D ; s += L )
for (c = 0; c <= C ; c += 1)
for (d = 0; d <= D ; d += 1)
*a[s+d];
S: total number of differentaddresses (= set size)
D: different addresses perinner access loop
L: step size of the inneraccess loop
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense28
![Page 158: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/158.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (1)
Write eviction strategies as: P-C-D-L-S
for (s = 0; s <= S - D ; s += L )
for (c = 0; c <= C ; c += 1)
for (d = 0; d <= D ; d += 1)
*a[s+d];
S: total number of differentaddresses (= set size)
D: different addresses perinner access loop
L: step size of the inneraccess loop
C: number of repetitions of theinner access loop
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense28
![Page 159: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/159.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (2)
for (s = 0; s <= S - D ; s += L )
for (c = 1; c <= C ; c += 1)
for (d = 1; d <= D ; d += 1)
*a[s+d];
P- 2 - 2 - 1 - 4 → 1, 2, 1, 2, 2, 3, 2, 3, 3, 4, 3, 4
P-1-1-1-4 → 1, 2, 3, 4 → LRU eviction with set size 4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense29
![Page 160: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/160.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (2)
for (s = 0; s <= S - D ; s += L )
for (c = 1; c <= C ; c += 1)
for (d = 1; d <= D ; d += 1)
*a[s+d];
P- 2 - 2 - 1 - 4 → 1, 2, 1, 2, 2, 3, 2, 3, 3, 4, 3, 4
P-1-1-1-4 → 1, 2, 3, 4 → LRU eviction with set size 4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense29
![Page 161: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/161.jpg)
www.iaik.tugraz.at
Cache eviction strategy: Notation (2)
for (s = 0; s <= S - D ; s += L )
for (c = 1; c <= C ; c += 1)
for (d = 1; d <= D ; d += 1)
*a[s+d];
P- 2 - 2 - 1 - 4 → 1, 2, 1, 2, 2, 3, 2, 3, 3, 4, 3, 4
P-1-1-1-4 → 1, 2, 3, 4 → LRU eviction with set size 4
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense29
![Page 162: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/162.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17P-1-1-1-20 20
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 163: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/163.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7P-1-1-1-20 20 99.82% 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 164: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/164.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 165: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/165.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 166: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/166.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 167: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/167.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 168: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/168.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 169: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/169.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64 99.98% 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 170: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/170.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64 99.98% 3 180 ns 3
Executed in a loop, on a Haswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 171: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/171.jpg)
www.iaik.tugraz.at
Cache eviction strategies: Evaluation
We evaluated more than 10000 strategies...
strategy # accesses eviction rate loop time
P-1-1-1-17 17 74.46% 7 307 ns 3P-1-1-1-20 20 99.82% 3 934 ns 7P-2-1-1-17 34 99.86% 3 191 ns 3P-2-2-1-17 64 99.98% 3 180 ns 3
→ more accesses, smaller execution time? Executed in a loop, on aHaswell with a 16-way last-level cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense30
![Page 172: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/172.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 173: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/173.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 174: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/174.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended)
Miss(intended)
Miss(intended)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 175: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/175.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H
Miss(intended)
Miss(intended) H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 176: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/176.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 177: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/177.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 178: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/178.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 179: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/179.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 180: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/180.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 181: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/181.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 182: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/182.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss
Miss(intended)
Miss(intended) H H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 183: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/183.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 184: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/184.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 185: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/185.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 186: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/186.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 187: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/187.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 188: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/188.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 189: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/189.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 190: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/190.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 191: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/191.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 192: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/192.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 193: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/193.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 194: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/194.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 195: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/195.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 196: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/196.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 197: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/197.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 198: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/198.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 199: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/199.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 200: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/200.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 201: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/201.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 202: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/202.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 203: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/203.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 204: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/204.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 205: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/205.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 206: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/206.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 207: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/207.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 208: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/208.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 209: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/209.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 210: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/210.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 211: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/211.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 212: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/212.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss Miss Miss H
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 213: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/213.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss Miss Miss H Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 214: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/214.jpg)
www.iaik.tugraz.at
Cache eviction strategies (illustration)
P-1-1-1-17 (17 accesses, 307ns)
P-2-1-1-34 (34 accesses, 191ns)
Time in ns
Miss(intended)
Miss(intended) H Miss Miss Miss H Miss Miss Miss H Miss Miss Miss H Miss Miss
Miss(intended)
Miss(intended) H H H H H H H H Miss H H H H H H H H Miss H H H H H H H H Miss H H H H H
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense31
![Page 215: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/215.jpg)
www.iaik.tugraz.at
Evaluation on Haswell
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70100
102
104
106
Refresh interval in µs (BIOS configuration)
Bit
flips
clflush Evict (Native) Evict (JavaScript)
Figure: Number of bit flips within 15 minutes.
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense32
![Page 216: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/216.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense33
![Page 217: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/217.jpg)
www.iaik.tugraz.at
Flush+Flush: Motivation
cache attacks → many cache misses
detect via performance counters
→ good idea, but not good enough
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense34
![Page 218: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/218.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense35
![Page 219: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/219.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
cached cached
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense35
![Page 220: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/220.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
step 1: attacker flushes the shared line
flushes
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense35
![Page 221: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/221.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
step 1: attacker flushes the shared linestep 2: victim loads data while performing encryption
loads data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense35
![Page 222: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/222.jpg)
www.iaik.tugraz.at
Flush+Reload
Attackeraddress space Cache Victim
address space
step 1: attacker flushes the shared linestep 2: victim loads data while performing encryptionstep 3: attacker reloads data → fast access if the victim loaded the line
reloads data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense35
![Page 223: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/223.jpg)
www.iaik.tugraz.at
Flush+Flush
Attackeraddress space Cache Victim
address space
step 0: attacker maps shared library → shared memory, shared in cache
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense36
![Page 224: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/224.jpg)
www.iaik.tugraz.at
Flush+Flush
Attackeraddress space Cache Victim
address space
step 0: attacker maps shared library → shared memory, shared in cache
cached cached
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense36
![Page 225: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/225.jpg)
www.iaik.tugraz.at
Flush+Flush
Attackeraddress space Cache Victim
address space
step 0: attacker maps shared library → shared memory, shared in cachestep 1: attacker flushes the shared line
flushes
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense36
![Page 226: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/226.jpg)
www.iaik.tugraz.at
Flush+Flush
Attackeraddress space Cache Victim
address space
step 0: attacker maps shared library → shared memory, shared in cachestep 1: attacker flushes the shared linestep 2: victim loads data while performing encryption
loads data
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense36
![Page 227: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/227.jpg)
www.iaik.tugraz.at
Flush+Flush
Attackeraddress space Cache Victim
address space
step 0: attacker maps shared library → shared memory, shared in cachestep 1: attacker flushes the shared linestep 2: victim loads data while performing encryptionstep 3: attacker flushes data → high execution time if the victim loaded the line
flushes
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense36
![Page 228: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/228.jpg)
www.iaik.tugraz.at
Flush+Flush: Conclusion
496 KB/s covert channel
same side channel targets as Flush+Reload
attacker causes no cache misses
→ fast→ stealthy
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense37
![Page 229: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/229.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense38
![Page 230: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/230.jpg)
www.iaik.tugraz.at
Cache Attacks on mobile devices?
powerful cache attacks on Intel x86 in the last 10 years
nothing like Flush+Reload or Prime+Probe on mobile devices
→ why?
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense39
![Page 231: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/231.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction
2. pseudo-random replacement
3. cycle counters require root
4. last-level caches not inclusive
5. multiple CPUs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 232: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/232.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement
3. cycle counters require root
4. last-level caches not inclusive
5. multiple CPUs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 233: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/233.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement → eviction strategies from Rowhammer.js
3. cycle counters require root
4. last-level caches not inclusive
5. multiple CPUs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 234: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/234.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement → eviction strategies from Rowhammer.js
3. cycle counters require root → new timing methods
4. last-level caches not inclusive
5. multiple CPUs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 235: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/235.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement → eviction strategies from Rowhammer.js
3. cycle counters require root → new timing methods
4. last-level caches not inclusive → let L1 spill to L2
5. multiple CPUs
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 236: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/236.jpg)
www.iaik.tugraz.at
ARMageddon in a nutshell
1. no flush instruction → Evict+Reload
2. pseudo-random replacement → eviction strategies from Rowhammer.js
3. cycle counters require root → new timing methods
4. last-level caches not inclusive → let L1 spill to L2
5. multiple CPUs → remote fetches + flushes
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense40
![Page 237: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/237.jpg)
ARMageddon Demo
![Page 238: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/238.jpg)
www.iaik.tugraz.at
3. Contributions– Cache Template Attacks– Page Deduplication Attacks in JavaScript– Rowhammer.js– Flush+Flush– ARMageddon– Prefetch Attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense42
![Page 239: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/239.jpg)
www.iaik.tugraz.at
Prefetch: Motivation
PDPT PD PT cached P. uncached P.
200
300
400
230246
222
181
383
Mapping level
Exe
cutio
ntim
e
Idea: Would this also work on inaccessible kernel memory?Daniel Gruss, IAIKJune 14, 2017 — PhD Defense43
![Page 240: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/240.jpg)
www.iaik.tugraz.at
Prefetch: Kernel Memory Layout
Virtual address spaceUser Kernel
Physical memory
0
0 max. phys.
247 −247 −1
direct
map
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense44
![Page 241: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/241.jpg)
www.iaik.tugraz.at
Prefetching Kernel Addresses
0 20 40 60 80 100 120 140 160 180 200 220 240100
150
200
250
Page offset in kernel direct map
Min
.ac
cess
late
ncy
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense45
![Page 242: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/242.jpg)
www.iaik.tugraz.at
Prefetch: Locate Kernel Driver (defeat KASLR)
0 4,000 8,000 12,000
90
100
110
120
Page offset in kernel driver region
Avg
.ex
ecut
ion
time
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense46
![Page 243: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/243.jpg)
www.iaik.tugraz.at
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solidunderstanding of attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense47
![Page 244: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/244.jpg)
www.iaik.tugraz.at
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solidunderstanding of attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense47
![Page 245: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/245.jpg)
www.iaik.tugraz.at
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solidunderstanding of attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense47
![Page 246: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/246.jpg)
www.iaik.tugraz.at
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solidunderstanding of attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense47
![Page 247: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/247.jpg)
www.iaik.tugraz.at
Conclusions
1. microarchitectural attacks can be widely automated
2. unknown and novel side channels are likely to exist
3. minimal requirements enable attacks through websites
4. constructing countermeasures is difficult and requires solidunderstanding of attacks
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense47
![Page 248: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/248.jpg)
www.iaik.tugraz.at
Author’s Publications in this Thesis I
1. Daniel Gruss, Raphael Spreitzer, et al. (2015). “Cache Template Attacks:Automating Attacks on Inclusive Last-Level Caches”. In: USENIX SecuritySymposium
2. Daniel Gruss, David Bidner, et al. (2015). “Practical Memory DeduplicationAttacks in Sandboxed JavaScript”. In: ESORICS’15
3. Daniel Gruss, Clementine Maurice, Klaus Wagner, et al. (2016). “Flush+Flush:A Fast and Stealthy Cache Attack”. In: DIMVA’16
4. Daniel Gruss, Clementine Maurice, and Stefan Mangard (2016).“Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript”. In:DIMVA’16
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense48
![Page 249: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/249.jpg)
www.iaik.tugraz.at
Author’s Publications in this Thesis II5. Moritz Lipp et al. (2016). “ARMageddon: Cache Attacks on Mobile Devices”.
In: USENIX Security Symposium
6. Daniel Gruss, Clementine Maurice, Anders Fogh, et al. (2016). “PrefetchSide-Channel Attacks: Bypassing SMAP and Kernel ASLR”. In: CCS’16
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense49
![Page 250: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/250.jpg)
www.iaik.tugraz.at
Further Contributions I
1. Peter Pessl et al. (2016). “DRAMA: Exploiting DRAM Addressing forCross-CPU Attacks”. In: USENIX Security Symposium
2. Victor van der Veen et al. (2016). “Drammer: Deterministic RowhammerAttacks on Mobile Platforms”. In: CCS’16
3. Clementine Maurice, Manuel Weber, et al. (2017). “Hello from the Other Side:SSH over Robust Cache Covert Channels in the Cloud”. In: NDSS’17
4. Michael Schwarz, Clementine Maurice, et al. (2017). “Fantastic Timers andWhere to Find Them: High-Resolution Microarchitectural Attacks inJavaScript”. In: Financial Cryptography 2017
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense50
![Page 251: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/251.jpg)
www.iaik.tugraz.at
Further Contributions II5. Daniel Gruss, Moritz Lipp, et al. (2017). “KASLR is Dead: Long Live KASLR”.
In: ESSoS’17. (to appear)
6. Michael Schwarz, Daniel Gruss, et al. (2017). “Malware Guard Extension:Using SGX to Conceal Cache Attacks ”. In: DIMVA’17. (to appear)
7. Daniel Gruss, Julian Lettner, et al. (2017). “Strong and Efficient CacheSide-Channel Protection using Hardware Transactional Memory”. In: USENIXSecurity Symposium. (to appear)
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense51
![Page 252: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/252.jpg)
www.iaik.tugraz.at
Software-basedMicroarchitectural AttacksDaniel GrussIAIK, Graz University of Technology
June 14, 2017 — PhD Defense
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense52
![Page 253: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/253.jpg)
www.iaik.tugraz.at
Bibliography I
Gruss, Daniel, David Bidner, et al. (2015). “Practical Memory Deduplication Attacksin Sandboxed JavaScript”. In: ESORICS’15.
Gruss, Daniel, Julian Lettner, et al. (2017). “Strong and Efficient CacheSide-Channel Protection using Hardware Transactional Memory”. In: USENIXSecurity Symposium. (to appear).
Gruss, Daniel, Moritz Lipp, et al. (2017). “KASLR is Dead: Long Live KASLR”. In:ESSoS’17. (to appear).
Gruss, Daniel, Clementine Maurice, Anders Fogh, et al. (2016). “PrefetchSide-Channel Attacks: Bypassing SMAP and Kernel ASLR”. In: CCS’16.
Gruss, Daniel, Clementine Maurice, and Stefan Mangard (2016). “Rowhammer.js:A Remote Software-Induced Fault Attack in JavaScript”. In: DIMVA’16.
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense53
![Page 254: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/254.jpg)
www.iaik.tugraz.at
Bibliography IIGruss, Daniel, Clementine Maurice, Klaus Wagner, et al. (2016). “Flush+Flush: A
Fast and Stealthy Cache Attack”. In: DIMVA’16.Gruss, Daniel, Raphael Spreitzer, et al. (2015). “Cache Template Attacks:
Automating Attacks on Inclusive Last-Level Caches”. In: USENIX SecuritySymposium.
Kim, Yoongu et al. (2014). “Flipping bits in memory without accessing them: Anexperimental study of DRAM disturbance errors”. In: ISCA’14.
Lipp, Moritz et al. (2016). “ARMageddon: Cache Attacks on Mobile Devices”. In:USENIX Security Symposium.
Maurice, Clementine, Nicolas Le Scouarnec, et al. (2015). “Reverse EngineeringIntel Complex Addressing Using Performance Counters”. In: RAID’15.
Maurice, Clementine, Manuel Weber, et al. (2017). “Hello from the Other Side: SSHover Robust Cache Covert Channels in the Cloud”. In: NDSS’17.
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense54
![Page 255: Software-based Microarchitectural Attacks · 2020-01-15 · Software-based Microarchitectural Attacks Daniel Gruss IAIK, Graz University of Technology June 14, 2017 — PhD Defense](https://reader033.vdocuments.net/reader033/viewer/2022060403/5f0eaf5d7e708231d4406ed2/html5/thumbnails/255.jpg)
www.iaik.tugraz.at
Bibliography IIIPessl, Peter et al. (2016). “DRAMA: Exploiting DRAM Addressing for Cross-CPU
Attacks”. In: USENIX Security Symposium.Schwarz, Michael, Daniel Gruss, et al. (2017). “Malware Guard Extension: Using
SGX to Conceal Cache Attacks ”. In: DIMVA’17. (to appear).Schwarz, Michael, Clementine Maurice, et al. (2017). “Fantastic Timers and Where
to Find Them: High-Resolution Microarchitectural Attacks in JavaScript”. In:Financial Cryptography 2017.
Seaborn, Mark (2015). Exploiting the DRAM rowhammer bug to gain kernelprivileges. Retrieved on June 26, 2015. URL:http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-
rowhammer-bug-to-gain.html.Veen, Victor van der et al. (2016). “Drammer: Deterministic Rowhammer Attacks on
Mobile Platforms”. In: CCS’16.
Daniel Gruss, IAIKJune 14, 2017 — PhD Defense55