#### Micro-architectural Attacks 2 Milan Patnaik IIT Madras # Things we thought gave us security! - Cryptography - Passwords - Information Flow Policies - Privileged Rings - ASLR - Virtual Machines and confinement - Javascript and HTML5 (due to restricted access to system resouces) - Enclaves (SGX and Trustzone) # Micro-Architectural Attacks (can break all of this) - Cryptography - Passwords - Information Flow Policies - Privileged Rings - ASLR - Virtual Machines and confinement - Javascript and HTML5 (due to restricted access to system resouces) - Enclaves (SGX and Trustzone) Cache timing attack Branch prediction attack **Speculation Attacks** Row hammer **Fault Injection Attacks** cold boot attacks DRAM Row buffer (DRAMA) ..... and many more #### Causes Most micro-architectural attacks caused by performance optimizations Others due to inherent device properties Third, due to stronger attackers # Instruction Level Parallelism #### Out-of-order execution Out the processor core, execution looks in-order Insider the processor core, execution is done out-of-order ## **Speculative Execution** ``` cmp r0, r1 jnz label load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 : : : label: more instructions ``` How instructions are fetched ``` cmp r0, r1 jnz label load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 label: more instructions ``` How instructions are executed ``` Speculative execution (transient instructions) ``` How results are committed when speculation is **correct** ## **Speculative Execution** ``` cmp r0, r1 jnz label load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 : : : label: more instructions ``` How instructions are fetched ``` cmp r0, r1 jnz label load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 label: more instructions ``` How instructions are executed Speculative execution (transient instructions) How results are committed when speculation is **incorrect** ### **Speculative Execution** ``` cmp r0, r1 div r0, r1 load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 : : : label: more instructions ``` How instructions are fetched ``` cmp r0, r1 div r0, r1 load r0, addr1 mov r2, r1 add r2, r2, r3 store r1, add2 sub r4, r5, r6 label: more instructions ``` How instructions are executed Speculative execution How results are committed when speculation is incorrect (eg. If r1 = 0) # Speculative Execution and Micro-architectural State ``` raise_exception(); // the line below is never reached cases(probe_array[data * 4096]); ``` Even though line 3 is not reached, the micro-architectural state is modified due to Line 3. ### **ILP Paradigms in Modern Processors** | Common name | Issue<br>structure | Hazard<br>detection | Scheduling | Distinguishing characteristic | Examples | |------------------------------|---------------------|-----------------------|--------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------| | Superscalar<br>(static) | Dynamic | Hardware | Static | In-order execution | Mostly in the<br>embedded space:<br>MIPS and ARM,<br>including the ARM<br>Cortex-A8 | | Superscalar<br>(dynamic) | Dynamic | Hardware | Dynamic | Some out-of-order<br>execution, but no<br>speculation | None at the present | | Superscalar<br>(speculative) | Dynamic | Hardware | Dynamic with speculation | Out-of-order execution with speculation | Intel Core i3, i5, i7;<br>AMD Phenom; IBM<br>Power 7 | | VLIW/LIW | Static | Primarily<br>software | Static | All hazards determined<br>and indicated by compiler<br>(often implicitly) | Most examples are in<br>signal processing,<br>such as the TI C6x | | EPIC | Primarily<br>static | Primarily<br>software | Mostly static | All hazards determined<br>and indicated explicitly<br>by the compiler | Itanium | ### **Speculation Attacks** Meltdown and Spectre #### Meltdown Slides motivated from Yuval Yarom's talk on Meltdown and Spectre at the Cyber security research bootcamp 2018 ### Meltdown **Normal Circumstances** ### Meltdown #### **Not normal Circumstances** # Virtual address space of process Kernel space \*pointer User space array ### Meltdown **Not normal Circumstances** ### Meltdown **Not normal Circumstances** Cache Memory ### Meltdown **Not normal Circumstances** i = \*pointer y = array[i \* 256] #### Cache Memory cache miss cache hit #### Meltdown **Not normal Circumstances** i = \*pointer y = array[i \* 256] #### Cache Memory # Speculative Execution and Micro-architectural State ``` raise_exception(); // the line below is never reached coses(probe_array[data * 4096]); ``` ### Spectre Slides motivated from Yuval Yarom's talk on Meltdown and Spectre at the Cyber security research bootcamp 2018 # user space of a process array\_len secret array Χ array2 # Spectre (variant 1) Cache memory ``` if (x < array_len) { i = array[x]; y = array2[i * 256]; }</pre> ``` **Normal Behavior** ``` if (x < array_len) { i = array[x]; y = array2[i * 256]; }</pre> ``` **Normal Behavior** ``` if (x < array_len) { i = array[x]; y = array2[i * 256]; }</pre> ``` **Normal Behavior** ``` if (x < array_len) { i = array[x]; y = array2[i * 256];</pre> ``` **Under Attack** ``` if (x < array_len) { i = array[x]; y = array2[i * 256]; }</pre> ``` - x > array\_len - array\_len not in cache - secret in cache memory #### Countermeasures For meltdown: kpti (kernel page table isolation) Kernel page-table isolation # Countermeasures For Spectre (variant 1): compiler patches use barriers (LFENCE instruction) to prevent speculation static analysis to identify locations where attackers can control speculation # Countermeasures - For Spectre (Variant 2): Separate BTBs for each process - Prevent BTBs across SMT threads - Prevent user code does not learn from lower security execution # Countermeasures - For all: at hardware - Every speculative load and store should bypass cache and stored in a special buffer known as speculative buffer ## The Rowhammer Attack ## **DRAM** ### DRAM - ☐ DRAM stores charge in a **capacitor** (charge-based memory) - ☐ Capacitor must be large enough for reliable sensing # **DRAM Refresh Cycles** ☐ As time passes, the charges in the memory cells (capacitors) leak away, so without being refreshed the stored data would eventually be lost. To prevent this, external circuitry periodically reads each cell and rewrites it, restoring the charge on the capacitor to its original level. ☐ Refresh cycles are in orders of milliseconds though, consume some memory bandwidth # DRAM Cells arrangement - ☐ Scaling beyond 40-35nm (2013) is challenging [ITRS, 2009] - With reduction in transistor sizes, DRAM cells became smaller - ☐ As DRAM cells became smaller, the space between two such cells reduces - ☐ Closer the two charged bodies, higher the electromagnetic interference b. A single cell - ☐ As we keep accessing a particular row repeatedly during a refresh interval, neighboring cells have been found to leak charge at a faster rate due to electromagnetic coupling. - Toggling a row voltage briefly increases the voltage of adjacent rows - This slightly opens adjacent rows => Charge leakage - This leads to a decrease in their retention time. - Thus during refresh, the corrupted data will be read and written back again to the DRAM cell. http://apt.cs.manchester.ac.uk/projects/ARMOR/RowHammer/ # A Simple program ``` loop: mov (X), %eax mov (Y), %ebx clflush (X) clflush (Y) mfence jmp loop ``` To Avoid cache hits => Flush x from cache To void row hits to x in the row buffer => Read y in another row Download from: <a href="https://github.com/CMU-SAFARI/rowhammer">https://github.com/CMU-SAFARI/rowhammer</a> # Security implications One bit can make a lot of difference ## Solutions - ☐ Increase the access interval of the aggressor (attacking row). Less frequent accesses => fewer errors - ☐ Decrease the refresh cycles. More frequent refresh => fewer errors - ☐ Pattern of storing data in DRAMs. - ☐ Sophisticated Error Corrections. (As many as 4 errors were found per cache line) That's for the Day!!