Cache Side Channel Attack: Exploitability and Countermeasures
Gorka Irazoqui, girazoki *noSPAM* wpi.edu
Xiaofei (Rex) Guo, Ph.D., xiaofei.rex.guo *noSPAM* tetrationanalytics.com

Who are We?
• Gorka Irazoqui
  • PhD candidate at WPI
  • Intern at Intel in summer 2016
  • Focus on micro-architectural attacks
• Xiaofei (Rex) Guo
  • Technical lead at Cisco Tetration Analytics
    • Visibility to everything in data center in real time
    • Automated and dynamic policy generation and enforcement
  • Worked at Intel Security Center of Excellence and Qualcomm Product Security Initiative
    • IoT and mobile platform security, infrastructure security, and application security
  • PhD from New York University

Disclaimer
We don’t speak for our employer. All the opinions and information here are our responsibility including mistakes and bad jokes.

“You must be kidding, cache attacks are not practical!”

Feasibility Trend
• Intel, SPARC, AMD | Linux | OpenSSL AES
• Intel | Linux | OpenSSL RSA
• Intel (cross-core) | Linux (deduplication) | GnuPG RSA
• Intel (cross-core) | Linux (no deduplication) | GnuPG RSA
• AMD (cross-CPU) | Linux | OpenSSL AES and GnuPG ElGamal
• ARM (cross-core/CPU) | Android | Bouncy Castle AES

Functionality
LLC as a Side Channel?
• Caches: fast access memories
• Why would an attacker use LLC as covert channel?
  • Cross-core
  • Inclusiveness
  • High resolution
• Set associative: cache divided in n-way sets
• Location in the cache determined by physical address

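Cache Architecture
[Figure: the MMU translates the virtual page to a physical page while the offset is unchanged; the physical address is split into cache tag, set and byte; the set field selects one of the cache sets S0 ... Sn, each holding tagged lines with bytes B0 ... Bn]
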
Flush+Reload Attack
• Requirement 1: deduplication
  • Identical read-only memory pages are shared
  • Attacker and victim access the same address
  • Linux and KVM (KSM), VMware (TPS) and Android (Zygote)
• Requirement 2: flush instruction (e.g., clflush in x86)
• CVE-2014-3356: VMware enabled deduplication by default

Flush+Reload Attack
• Attacker flushes a cached memory location
• Victim accesses/does not access
• Attacker re-accesses memory location
  • Fast access time -> victim accessed
  • Slow access time -> victim did not access
[Figure sequence: Flush, Access, Reload on the cache]

Flush+Reload Attack Summary
• Pros:
  • Low noise: focus on one line, noisy process needs to fill an entire set
  • Applicable across CPU sockets! Flush instruction invalidates memory in other CPUs
  • Works in non-inclusive caches
• Cons:
  • Requirement might be met in some scenarios
  • Can only recover statically allocated data

Evict+Reload Attack
• No flush instruction?
• Attacker needs to evict data from LLC
• Attacker can use huge pages
• Physical address selects the set to occupy
• Attacker evicts (fills set)
• Victim accesses/does not access
• Attacker reloads
  • Fast access time -> victim accessed
  • Slow access time -> victim did not access
[Figure sequence: Evict, Access, Reload on the cache]

Evict+Reload Attack Summary
• Pros:
  • Applicable in processors without flush instruction (e.g. most ARM processors)
• Cons:
  • Can only target statically allocated memory
  • Deal with LLC slices (undocumented)
  • Only works with inclusive caches
  • Only works in the same CPU socket

Prime+Probe Attack
• No shared memory pages?
• Attacker can know the set utilized by the victim
• Attacker primes
• Victim accesses/does not access
• Attacker re-accesses
  • Fast access time -> victim accessed
  • Slow access time -> victim did not access
[Figure sequence: Prime, Access, Probe on the cache]

Prime+Probe Attack Summary
• Pros:
  • Does not need shared memory! (Broader impact)
  • Can target static and dynamically allocated memory!
• Cons:
  • Noisier than Flush+Reload
  • Dealing with LLC slices (undocumented)
  • Only works with inclusive caches
  • Only works in the same CPU socket
  • Need to identify the target set

How to retrieve information?
[Figure sequence: Montgomery ladder RSA with a monitored physical address P = 0x7fffc480; the animation shows Flush and Reload, then Prime and Probe, observing whether P is in the cache]

Attack Comparison
                             | Flush+Reload | Evict+Reload | Prime+Probe
Require memory deduplication | Y            | Y            | N
Require flush instruction    | Y            | N            | N
Attack memory type           | static       | static       | static + dynamic
Noise                        | low          | low          | high

Applicability
IaaS/PaaS Cloud Infrastructures
• VMs share underlying hardware
• Hardware isolation is usually not provided
• Example: RSA in Amazon EC2 [INCI16]
• Pros:
  • Own virtualized OS. Access to timers or huge pages
  • If deduplication enabled, both attacks are applicable
• Cons:
  • Requires co-residency of VMs
  • High amount of noise
[Figure: spy and victim VMs (Guest OS #1, Guest OS #2) on top of a shared VMM and hardware]

IaaS/PaaS Cloud Infrastructures
• How to find co-residency?
  • Use available information!
  • Profile the target LLC accesses
  • Does the cache trace match the trace we expect?
    • If yes, co-residency
    • If no, open more VMs
• Other mechanisms utilize memory bus locking attacks
• Example: RSA exponentiations easily distinguishable
[Figure: the spy VM (Guest OS #2) sends an HTTP request to the victim VM (Guest OS #1); plot of reload time against time slot, annotated with Decryption Start, First Secret Exponent (dp) and Second Secret Exponent (dq)]

Demo: AES Key Recovery Across VMs
• We utilize KVM hypervisor
• Server using T-table AES (T-tables shared)
• Server encrypting plaintext with unknown key
• Attacker requests decryptions and recovers the key
• We check whether the entries of the T-tables have been used
• We XOR with the ciphertext after doing statistics to get the key

Browser JavaScript
• Attacker embeds JS into the website
• Victim accesses the website
• Victim’s browser executes the JS
• Example: Incognito browsing profiling [OREN15]
• Pros:
  • No need to find co-resident target
  • Attack executed in local machine (although sandboxed)
• Cons:
  • Flush and Reload cannot be applied
  • Fine grain timers hard to achieve
[Figure: browser loading www.yyyyy.com on the victim's hardware]

Smartphone Applications
• Smartphone applications are logically isolated by the OS
• However, as with TEEs, all applications utilize the hardware caches
• Micro-architectural attacks look like innocent binaries, as they only perform timed memory accesses
• Example: AES key steal across apps [LIPP16]
• Pros:
  • Deduplication is generally used (e.g. Android)
  • Easy deployment
• Cons:
  • Flush instruction has to be enabled by SoC (only Samsung S6 for now)
  • Pseudo-random replacement policies (reverse engineered)
  • Device dependent algorithms (e.g. non-inclusive caches or lockdown)

Trusted Execution Environment
• Trusted execution environments designed to achieve isolation from untrusted processes
• But both trusted and untrusted environments access same hardware caches!
• Enclave to enclave or host to enclave attacks are possible
• Example: TrustZone AES key steal [BRM15]
• Example: Intel SGX RSA key steal [SCW17]
[Figure: TEE enclave and untrusted process sharing the LLC; DRAM regions labelled Encrypted and Non Encrypted]

Trusted Execution Environment
• Pros
  • Higher resolution: The OS can be malicious! More fine grain resources (including scheduling)
  • No need to find co-resident target
  • Low noise: malicious OS can interrupt processes after (virtually) every memory access
• Cons
  • Flush and Reload not applicable (deduplication disabled)
[Figure sequence: Prime, Access, Interrupt, Probe on the cache]

Countermeasures
Design Cache Leakage Free Code
• Secret independent instruction accesses
• Secret independent data accesses
• Identification of variables that contain information related to the secret (manual inspection, taint analysis, etc.)
• Obtain cache timing traces to correlate with the secret variables to measure the leakage
[Figure: workflow diagram with the steps Design, Identify secret dependent access, Collect cache timing information, Correlation]

Design Cache Leakage Free Code: CVE-2016-7439
[Figure sequence with the labels, in order: secret dependent instruction access, secret independent instruction access, secret dependent data access, secret independent data access]

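The two properties named on these slides, secret independent data access and secret independent instruction access, shown in C. This is an added example, not the code from the talk or the code behind CVE-2016-7439; the table size and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define ENTRIES 16u  /* assumed table size (power of two) */

/* Secret dependent data access: the address loaded depends on the
 * secret index, so the touched cache line reveals it. */
uint32_t lookup_leaky(const uint32_t *table, uint32_t secret_idx)
{
    return table[secret_idx & (ENTRIES - 1u)];
}

/* Secret independent data access: every entry is read in a fixed order
 * and the wanted one is kept with a mask. */
uint32_t lookup_ct(const uint32_t *table, uint32_t secret_idx)
{
    uint32_t want = secret_idx & (ENTRIES - 1u), result = 0;
    for (uint32_t i = 0; i < ENTRIES; i++) {
        uint32_t diff = i ^ want;
        /* all ones when i == want, zero otherwise, without a branch */
        uint32_t mask = ((diff | (0u - diff)) >> 31) - 1u;
        result |= table[i] & mask;
    }
    return result;
}

/* Secret independent instruction access: a ladder-style conditional swap
 * that replaces "if (secret_bit) swap(a, b);" with masked arithmetic. */
void cswap_ct(uint32_t *a, uint32_t *b, size_t n, uint32_t secret_bit)
{
    uint32_t mask = 0u - (secret_bit & 1u);
    for (size_t i = 0; i < n; i++) {
        uint32_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Returns 1 when lookup_ct matches lookup_leaky on a constructed table. */
int lookup_ct_agrees(void)
{
    uint32_t table[ENTRIES];
    for (uint32_t i = 0; i < ENTRIES; i++) table[i] = 0x9e3779b9u * (i + 1u);
    for (uint32_t s = 0; s < ENTRIES; s++)
        if (lookup_ct(table, s) != lookup_leaky(table, s)) return 0;
    return 1;
}

int main(void) { printf("lookup_ct agrees: %d\n", lookup_ct_agrees()); return 0; }
```

Compilers can turn masked selects back into branches, so the generated assembly should be checked for the build flags actually shipped.
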
Page Coloring
• Avoiding collisions in the LLC
• Location in LLC determined by physical address
• Give each user a color (address bits)
[Figure: users mapped by physical address bits (00xxxxxx, 01xxxxxx, 10xxxxxx, 11xxxxxx) from DRAM to separate regions of the LLC]

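How a page color follows from the physical address, and why frames of different colors cannot collide in the LLC, as an added C example (not from the talk). The cache geometry, the absence of slice hashing, the modulo color-assignment policy and all names are assumptions; the sample address is the P value shown earlier in the deck.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry for this sketch: 64-byte lines, 4 KiB pages, an LLC
 * with 8192 sets and no slice hashing. */
#define LINE_BITS  6u
#define PAGE_BITS  12u
#define SET_BITS   13u
#define COLOR_BITS (LINE_BITS + SET_BITS - PAGE_BITS)  /* 7 bits, 128 colors */
#define NUM_COLORS (1u << COLOR_BITS)

/* LLC set selected by a physical address (the set field of the address). */
uint32_t llc_set(uint64_t paddr)
{
    return (uint32_t)(paddr >> LINE_BITS) & ((1u << SET_BITS) - 1u);
}

/* Page color: the set-index bits that lie above the page offset, which
 * the OS or hypervisor controls when it picks a physical frame. */
uint32_t page_color(uint64_t paddr)
{
    return (uint32_t)(paddr >> PAGE_BITS) & (NUM_COLORS - 1u);
}

/* Hypothetical allocator policy: tenant t (0 <= t < tenants, tenants > 0)
 * may only receive frames whose color c satisfies c % tenants == t. */
int frame_allowed(uint64_t frame_paddr, uint32_t tenant, uint32_t tenants)
{
    return page_color(frame_paddr) % tenants == tenant;
}

/* Returns 1 if any line of page frame a maps to the same LLC set as any
 * line of page frame b, 0 otherwise. */
int frames_collide(uint64_t a, uint64_t b)
{
    for (uint64_t i = 0; i < (1u << PAGE_BITS); i += 1u << LINE_BITS)
        for (uint64_t j = 0; j < (1u << PAGE_BITS); j += 1u << LINE_BITS)
            if (llc_set(a + i) == llc_set(b + j)) return 1;
    return 0;
}

int main(void)
{
    printf("P=0x7fffc480 set=0x%x color=%u\n",
           llc_set(0x7fffc480ULL), page_color(0x7fffc480ULL));
    printf("different colors collide: %d\n",
           frames_collide(0x12345000ULL, 0x12346000ULL));
    return 0;
}
```
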
Cache Allocation Technology
• Intel CAT provides hardware framework to lock the cache
• Allows OS/hypervisor to mark cache ways as un-evictable
• Attacker cannot influence victim’s cache accesses
• Modify hypervisor to support more lock partitions [LIU16]
[Figure sequence: Lock, Prime, Probe on the cache]

Behavior Detection
• Hardware Performance Counters (HPCs) can track hardware events (e.g. LLC misses)
• LLC attacks leave a clear trace in terms of cache misses/hits
• Hypervisor/OS tracks these events to detect unusual behavior
• Detection can be improved by inspecting memory access
[Figure: guest OSes (processes) running on hardware with HPCs; detection in the hypervisor (OS)]

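One way a hypervisor or OS could turn per-window LLC counters into an alert, as an added C example (not from the talk). The thresholds, the struct layout and both sample series are constructed assumptions; collecting the counters from the hardware is outside the sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One sampling window of performance counter deltas for a guest or
 * process. */
struct hpc_sample { uint64_t llc_refs, llc_misses; };

/* Assumed thresholds for this sketch; tune per platform and workload. */
#define MIN_REFS       10000u  /* ignore nearly idle windows */
#define MISS_PCT       60u     /* miss ratio (percent) treated as unusual */
#define CONSEC_WINDOWS 3u      /* sustained windows required before alerting */

/* Returns the index of the window that completes CONSEC_WINDOWS
 * consecutive suspicious windows, or -1 if there is none. Requiring a
 * sustained run keeps a single benign burst from raising an alert. */
int first_alert(const struct hpc_sample *s, size_t n)
{
    unsigned run = 0;
    for (size_t i = 0; i < n; i++) {
        int busy = s[i].llc_refs >= MIN_REFS;
        int missy = s[i].llc_misses * 100u >= s[i].llc_refs * MISS_PCT;
        run = (busy && missy) ? run + 1 : 0;
        if (run >= CONSEC_WINDOWS) return (int)i;
    }
    return -1;
}

/* Constructed samples: a benign workload with one miss burst and one
 * idle window, and a process that misses heavily window after window. */
static const struct hpc_sample benign[] = {
    {50000, 4000}, {52000, 36000}, {48000, 5000}, {200, 190}, {51000, 6000},
};
static const struct hpc_sample prober[] = {
    {50000, 4000}, {90000, 70000}, {95000, 80000}, {91000, 76000}, {93000, 79000},
};

int main(void)
{
    printf("benign alert window: %d\n",
           first_alert(benign, sizeof benign / sizeof benign[0]));
    printf("prober alert window: %d\n",
           first_alert(prober, sizeof prober / sizeof prober[0]));
    return 0;
}
```
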
Countermeasure Comparison (Requirements)
                               | Leakage Free Code | Page Coloring | Intel CAT | Behavior Detection
Require source code change     | Y                 | N             | N         | N
Require OS (hypervisor) update | N                 | Y             | Y         | Depends
Require new hardware           | N                 | N             | Y         | N

Countermeasure Comparison (Coverage)
                      | Leakage Free Code | Page Coloring | Intel CAT | Behavior Detection
IaaS/PaaS             | Y                 | Y             | Depends   | Y
JavaScript in browser | Y                 | Depends       | Depends   | Y
Smartphone            | Y                 | Y             | Depends   | Y
TEE                   | Y                 | N             | N         | N

Key Takeaways
• Cache attacks are complex but a real threat!
• Flush+Reload, Evict+Reload, Prime+Probe
• IaaS/PaaS, web browsers, smartphones, TEE, ... What else?
• Call to action:
  • Application level: introduce cache leakage free code design
  • Hypervisor/OS level: page coloring for cache isolation
  • System level: use software to leverage hardware features (Intel CAT, performance counters)

References
[INCI16] Inci, M., Gulmezoglu, B., Irazoqui, G., Eisenbarth, T., Sunar, B. Cache Attacks Enable Bulk Key Recovery on the Cloud. CHES 2016
[OREN15] Oren, Y., Kemerlis, V., Sethumadhavan, S., Keromytis, A. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. ACM CCS 2015
[BRM15] Brumley, B. Cache Storage Attacks. CT-RSA 2015
[SCW17] Schwarz, M., Weiser, S., Gruss, D., Maurice, C., Mangard, S. Malware Guard Extension: Using SGX to Conceal Cache Attacks. arXiv 2017
[LIPP16] Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S. ARMageddon: Cache Attacks on Mobile Devices. USENIX 2016
[LIU16] Liu, F., Yarom, Y., Mckeen, F., Rozas, C., Heiser, G., Lee, R. CATalyst: Defeating last-level cache side channel attacks in cloud computing. HPCA 2016