# Side-Channel Lab II #### Michael Schwarz Security Week Graz 2019 • Two programs would like to communicate • Two programs would like to communicate but are not allowed to do so - Two programs would like to communicate but are not allowed to do so - either because there is no communication channel... - Two programs would like to communicate but are not allowed to do so - either because there is no communication channel... - ...or the channels are monitored and programs are stopped on communication attempts - Two programs would like to communicate but are not allowed to do so - either because there is no communication channel... - ...or the channels are monitored and programs are stopped on communication attempts - Use side channels and stay stealthy ### **Covert channel** ### **Covert channel** | method | raw capacity | err. rate | true capacity | env. | |--------------|--------------|-----------|---------------|--------| | F+F [Gru+16] | 3968Kbps | 0.840% | 3690Kbps | native | | F+R [Gru+16] | 2384Kbps | 0.005% | 2382Kbps | native | | E+R [Lip+16] | 1141Kbps | 1.100% | 1041Kbps | native | | P+P [Mau+17] | 601Kbps | 0.000% | 601Kbps | native | | P+P [Liu+15] | 600Kbps | 1.000% | 552Kbps | virt | | P+P [Mau+17] | 362Kbps | 0.000% | 362Kbps | native | #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H (0x48) I (0x49) . . . #### Last-level cache #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H (0x48) I (0x49) #### Last-level cache Receiver ••• .::: flush Cache Line on Page #0x43 flush Cache Line on Page #0x44 flush Cache Line on Page #0x45 flush Cache Line on Page #0x46 flush Cache Line on Page #0x47 flush Cache Line on Page #0x48 **,** flush Cache Line on Page #0x49 flush Cache Line on Page #0x4A #### Sender . . . D (0x44) E (0x45) F (0x46) G(0x47) H (0x48) I (0x49) . . . #### Last-level cache # Sender . . . (0x44)E(0x45)(0x46) $G (0x47) \xrightarrow{\text{reload}}$ H(0x48)I (0x49) . . . #### Last-level cache #### Sender . . . D (0x44) E (0x45) F(0x46) G (0x47) H (0x48) I (0x49) #### Last-level cache #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H (0x48) I (0x49) #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H (0x48) I (0x49) #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H(0x48) I (0x49) #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H (0x48) I (0x49) . . . #### Last-level cache # Sender . . . (0x44)E(0x45)F (0x46) reload G(0x47)H(0x48)I (0x49) . . . ### Last-level cache #### Sender . . . D (0x44) E (0x45) F (0x46) G (0x47) H(0x48) I (0x49) **Operating Systems 101** ### **Memory Isolation** • Kernel is isolated from user space ### Memory Isolation - Kernel is isolated from user space - This isolation is a combination of hardware and software ### Memory Isolation - Kernel is isolated from user space - This isolation is a combination of hardware and software - User applications cannot access anything from the kernel • CPU support virtual address spaces to isolate processes - CPU support virtual address spaces to isolate processes - Physical memory is organized in page frames - CPU support virtual address spaces to isolate processes - Physical memory is organized in page frames - Virtual memory pages are mapped to page frames using page tables ### Address Translation on x86-64 ### Address Translation on x86-64 • User/Supervisor bit defines in which privilege level the page can be accessed ## **Direct-physical map** • Kernel is typically mapped into every address space ### **Direct-physical map** - Kernel is typically mapped into every address space - Entire physical memory is mapped in the kernel ## **Loading an address** ### **Loading an address** # Loading an address # **Loading an address** # **Loading an address** # **Loading an address** Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, . . . ) - Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, . . . ) - Serves as the interface between hardware and software - Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, . . . ) - Serves as the interface between hardware and software - Microarchitecture is an actual implementation of the ISA - Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, . . . ) - Serves as the interface between hardware and software - Microarchitecture is an actual implementation of the ISA - Instructions are... - fetched (IF) from the L1 Instruction Cache - Instructions are... - fetched (IF) from the L1 Instruction Cache - decoded (ID) - Instructions are... - fetched (IF) from the L1 Instruction Cache - decoded (ID) - executed (EX) by execution units - Instructions are... - fetched (IF) from the L1 Instruction Cache - decoded (ID) - executed (EX) by execution units - Memory access is performed (MEM) - Instructions are... - fetched (IF) from the L1 Instruction Cache - decoded (ID) - executed (EX) by execution units - Memory access is performed (MEM) - Architectural register file is updated (WB) • Instructions are executed in-order - Instructions are executed in-order - Pipeline stalls when stages are not ready - Instructions are executed in-order - Pipeline stalls when stages are not ready - If data is not cached, we need to wait # #### Instructions are • fetched and decoded in the front-end #### Instructions are - fetched and decoded in the front-end - dispatched to the backend #### Instructions are - fetched and decoded in the front-end - dispatched to the backend - processed by individual execution units ### Instructions • are executed out-of-order - are executed out-of-order - wait until their dependencies are ready - are executed out-of-order - wait until their dependencies are ready - Later instructions might execute prior earlier instructions - are executed out-of-order - wait until their dependencies are ready - Later instructions might execute prior earlier instructions - retire in-order - are executed out-of-order - wait until their dependencies are ready - Later instructions might execute prior earlier instructions - retire in-order - State becomes architecturally visible - are executed out-of-order - wait until their dependencies are ready - Later instructions might execute prior earlier instructions - retire in-order - State becomes architecturally visible - Exceptions are checked during retirement - are executed out-of-order - wait until their dependencies are ready - Later instructions might execute prior earlier instructions - retire in-order - State becomes architecturally visible - Exceptions are checked during retirement - Flush pipeline and recover state # The state does not become architecturally visible but ... # The state does not become architecturally visible but ... #### New code ``` char data = 'S'; // a "secret" value // ... *(volatile char*) 0; array[data * 4096] = 0; ``` New code ``` char data = 'S'; // a "secret" value // ... *(volatile char*) 0; array[data * 4096] = 0; ``` Luckily we know how to catch a segfault New code ``` char data = 'S'; // a "secret" value // ... *(volatile char*) 0; array[data * 4096] = 0; ``` - Luckily we know how to catch a segfault - Then check whether any part of array is cached • Flush+Reload over all pages of the array ## Meltdown • Add another layer of indirection to test ``` char data = *(char*) Oxffffffff81a000e0; array[data * 4096] = 0; ``` #### Meltdown • Add another layer of indirection to test ``` char data = *(char*) Oxffffffff81a000e0; array[data * 4096] = 0; ``` • Check /proc/kallsyms sudo cat /proc/kallsyms | grep banner • Check /proc/kallsyms ``` sudo cat /proc/kallsyms | grep banner ``` or check /proc/pid/pagemap and print address ``` printf("target: %p\n", libsc_get_physical_address(ctx, vaddr)); ``` • Check /proc/kallsyms ``` sudo cat /proc/kallsyms | grep banner ``` or check /proc/pid/pagemap and print address ``` printf("target: %p\n", libsc_get_physical_address(ctx, vaddr)); ``` • or start at a random address and iterate operation #n timé prediction time #### **Spectre Root Cause** #### **Spectre Root Cause** #### **Spectre Root Cause** #### **Spectre Root Cause** #### **Spectre Root Cause** • Many predictors in modern CPUs - Many predictors in modern CPUs - Branch taken/not taken (PHT) - Many predictors in modern CPUs - Branch taken/not taken (PHT) - Call/Jump destination (BTB) - Many predictors in modern CPUs - Branch taken/not taken (PHT) - Call/Jump destination (BTB) - Function return destination (RSB) - Many predictors in modern CPUs - Branch taken/not taken (PHT) - Call/Jump destination (BTB) - Function return destination (RSB) - Load matches previous store (STL) - Many predictors in modern CPUs - Branch taken/not taken (PHT) - Call/Jump destination (BTB) - Function return destination (RSB) - Load matches previous store (STL) - Most are even shared among processes # Side-Channel Lab II #### Michael Schwarz Security Week Graz 2019 D. Gruss, C. Maurice, K. Wagner, and S. Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In: DIMVA. 2016. M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard. ARMageddon: Cache Attacks on Mobile Devices. In: USENIX Security Symposium. 2016. F. Liu, Y. Yarom, Q. Ge, G. Heiser, and R. B. Lee. Last-Level Cache Side-Channel Attacks are Practical. In: S&P. 2015. C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. Alberto Boano, S. Mangard, and K. Römer. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In: NDSS, 2017.