Sanket Kadam

CPU Security: Basics Part 1

For the past few years, CPU security has gained ample attention following Google Project Zero's disclosure of Spectre and Meltdown in https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Before starting with CPU security, let us understand a few basic terms in modern CPU microarchitecture.


1. Architecture: Describes the instructions, logical registers, etc. that software can see. Examples of different ISAs are x86 and ARMv8.


2. Microarchitecture: Describes how the architecture is implemented in hardware.


3. Out-of-order execution: To allow execution parallelism and maximum utilization of the execution units, instructions are first broken into simpler micro-operations (µOPs). The final completion (retirement) of instructions always happens in program order, so the CPU maintains a re-order buffer (ROB) to keep track of the µOPs in flight, because this parallelism lets the CPU execute instructions well ahead of the retirement point. At retirement it decides whether to update the architectural state or discard the result. For example, exceptions are handled at retirement by flushing any outstanding µOP results from the ROB. Instructions that are executed but never committed are termed transient instructions.


4. Speculative execution: Software is usually non-linear; it contains conditional branches and data dependencies between instructions. In theory the CPU would have to stall until such a dependency is resolved, but a modern CPU predicts the outcome and keeps executing, holding the results in the ROB so they can be discarded if the prediction turns out to be wrong (a misprediction).


5. Covert channels: There are different types of covert channels that can be used to extract secret information, the most common being the cache covert channel. To understand the concept of a cache covert channel, consider the following.

Process P1 executes a load from location A and a load from location B in a loop:

    loop {
        LD A_P1
        LD B_P1
    }

And process P2 also accesses the same locations, depending on a secret bit:

    if (bit[i]) {
        LD A_P2
    } else {
        LD B_P2
    }

Execute process P1 first, which warms the (L1) cache with addresses A and B. Then execute process P2 with bit[i] = 1: its load of A evicts the line that P1 brought in for location A and replaces it with P2's data.

By re-executing process P1 we observe that time(load A) > time(load B), and conclude that bit[i] was 1. Even though P1 and P2 are completely independent processes, by timing its own cache hits and misses P1 can learn the secret bit[i] held by P2.



There are two types of cache covert-channel attacks (also known as side-channel attacks) that are most commonly used:

  1. Flush + Reload

Consider the following function (modular exponentiation by square-and-multiply; line numbers are referenced below):


    1  function exponent(b, e, m)
    2  begin
    3    x ← 1
    4    for i ← |e| − 1 downto 0 do
    5      x ← x²
    6      x ← x mod m
    7      if (e_i = 1) then
    8        x ← x · b
    9        x ← x mod m
    10     endif
    11   done
    12   return x
    13 end


Lines 8 and 9 in the above code execute only when e_i is 1. CLFLUSH is the x86 instruction that takes an address as input and flushes the cache line holding that address from every level of the cache hierarchy.




The above figure explains the Flush + Reload attack. In (A) the attacker flushes the line and lets the victim (the function exponent) execute. As e_i = 0, the code does not bring the line into the cache, so when the attacker reloads it the access takes a long time, and the attacker infers that e_i = 0.

In (B), consider the case e_i = 1. The reload step takes less time because the victim has loaded the line into the cache, and thus the attacker infers that e_i = 1.

In this way the attacker is able to leak the secret key bit by bit.
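To make the code-path dependence concrete, here is an added Python example (not code from the post or from the Yarom/Falkner paper) that runs the square-and-multiply listing above with a per-iteration trace standing in for the attacker's reload observation, next to a variant that executes the multiply on every iteration so the same observation no longer depends on e_i. The trace model, the names exponent_leaky, exponent_always_multiply and recover_exponent, and the sample values b = 7, e = 11, m = 101 are all assumptions of the example.

```python
# Added example: the square-and-multiply listing from the post with an
# observation trace in place of the attacker's Flush+Reload measurement,
# beside an always-multiply variant. Names and sample values are made up.

def exponent_leaky(b, e, m, trace):
    """Lines 1-13 of the listing. Appends 1 to trace on an iteration where
    lines 8-9 run (the multiply code line gets fetched into the cache) and
    0 where they do not; this is what a per-iteration reload observes."""
    x = 1
    for i in range(e.bit_length() - 1, -1, -1):   # line 4
        x = x * x % m                              # lines 5-6
        if (e >> i) & 1:                           # line 7
            trace.append(1)                        # lines 8-9 executed
            x = x * b % m
        else:
            trace.append(0)                        # lines 8-9 skipped
    return x


def recover_exponent(trace):
    """The inference from the post: reload hit => e_i = 1, miss => e_i = 0."""
    return int("".join("1" if hit else "0" for hit in trace), 2)


def exponent_always_multiply(b, e, m, nbits, trace):
    """Same result, but the multiply (lines 8-9) runs on every one of the
    nbits iterations and e_i only selects which value is kept, so the
    multiply line is always in the cache and the trace is constant.
    The arithmetic select stands in for a masked, constant-time select;
    Python integers are not constant time, so this shows the idea only."""
    x = 1
    for i in range(nbits - 1, -1, -1):
        x = x * x % m
        y = x * b % m                  # always multiply
        trace.append(1)                # the code line is fetched every time
        bit = (e >> i) & 1
        x = (x * (1 - bit) + y * bit) % m
    return x


if __name__ == "__main__":
    t = []
    print(exponent_leaky(7, 11, 101, t), t, bin(recover_exponent(t)))
    t2 = []
    print(exponent_always_multiply(7, 11, 101, 4, t2), t2)
```

With e = 11 (binary 1011) the leaky trace is [1, 0, 1, 1], which recover_exponent turns straight back into 11, while the always-multiply variant produces [1, 1, 1, 1] for every exponent of the same width. This only removes the branch on e_i that the post describes; the loop bound, operand access patterns and Python's big-integer arithmetic still vary with the data, which is why production code uses dedicated constant-time routines rather than this sketch.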


  2. Prime + Probe


  1. In the prime phase, the attacker fills up all the lines of the cache with its own data.

  2. Let the victim run its code; this evicts a few cache lines and fills them with the victim's data.

  3. In the probe phase, the attacker again accesses all the cache lines and measures, for each set, the difference in access time compared to the prime phase.

Over a huge number of iterations the attacker can thus identify the areas (set numbers) of high activity by the victim. This kind of attack is very commonly used to recover a crypto key, since the key is often used as an offset in address calculations on the victim's side.
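The following added Python model (constructed for this post, not code from the original or from any real attack tool) implements a small set-associative LRU cache and uses it for both the P1/P2 covert-channel example above and the Prime + Probe procedure: prime fills every way of every set the attacker can reach, the victim touches some sets, and the probe's per-set latency shows which sets it used. The latencies (4 cycles hit, 200 cycles miss), the 64-byte line size, all addresses and the function names are made up for illustration; the attacker_sets parameter models page colouring, where the attacker's memory cannot map to the sets the victim uses, as the mitigation.

```python
# Added example: toy set-associative cache with LRU replacement, used to
# model the P1/P2 covert channel and Prime+Probe from the post. All numbers
# (latencies, line size, addresses) are constructed for illustration.
from collections import OrderedDict

LINE = 64            # bytes per cache line (assumption)
HIT, MISS = 4, 200   # constructed latencies in cycles


class Cache:
    """sets x ways cache; each set is an OrderedDict of tags, LRU first."""

    def __init__(self, sets, ways):
        self.nsets, self.ways = sets, ways
        self.sets = [OrderedDict() for _ in range(sets)]

    def access(self, addr):
        """Load one address and return the modelled latency (hit or miss)."""
        tag = addr // LINE
        s = self.sets[tag % self.nsets]
        if tag in s:
            s.move_to_end(tag)        # refresh LRU position
            return HIT
        if len(s) >= self.ways:
            s.popitem(last=False)     # evict the least recently used line
        s[tag] = None                 # fill the line
        return MISS


def p1_reads_bit(bit, ways=1):
    """The post's P1/P2 example. P1 warms A and B, P2 loads its own line
    that aliases A (bit=1) or B (bit=0), P1 re-times its two loads."""
    c = Cache(sets=64, ways=ways)
    a_p1, b_p1 = 0x1000, 0x1040   # P1's lines: sets 0 and 1
    a_p2, b_p2 = 0x2000, 0x2040   # P2's lines: same sets, different tags
    c.access(a_p1)                # P1's warm-up loop
    c.access(b_p1)
    c.access(a_p2 if bit else b_p2)            # P2 runs once
    t_a, t_b = c.access(a_p1), c.access(b_p1)  # P1 re-runs and times each load
    return 1 if t_a > t_b else 0


def prime_probe(victim_sets, sets=16, ways=2, attacker_sets=None):
    """Prime+Probe over one cache; returns the probe latency per set.
    attacker_sets restricts which sets the attacker's memory can map to,
    which is what page colouring enforces (None = attacker reaches all)."""
    attacker_sets = list(range(sets)) if attacker_sets is None else list(attacker_sets)
    c = Cache(sets, ways)
    # attacker line for set s, way w: tag s + w*sets lands in set s
    mine = [(s, (s + w * sets) * LINE) for s in attacker_sets for w in range(ways)]
    for _, addr in mine:                       # prime: fill every way we can reach
        c.access(addr)
    victim_base = ways * sets * LINE           # victim tags never equal ours
    for s in victim_sets:                      # victim runs and touches some sets
        c.access(victim_base + s * LINE)
    profile = [0] * sets
    for s, addr in mine:                       # probe: re-time our own lines
        profile[s] += c.access(addr)
    return profile


def busy_sets(profile, ways=2):
    """Sets whose probe cost more than an all-hit probe of `ways` lines."""
    return [s for s, t in enumerate(profile) if t > ways * HIT]


if __name__ == "__main__":
    print("bit read by P1:", p1_reads_bit(1), p1_reads_bit(0))
    print("victim-active sets:", busy_sets(prime_probe([3, 9])))
    print("with page colouring:",
          busy_sets(prime_probe([9, 12], attacker_sets=range(8))))
```

Two things the model makes visible that the prose does not: p1_reads_bit(1, ways=2) returns 0, because P2's single load no longer evicts P1's line once the set has spare ways, so the attacker must fill the whole set, which is exactly what the prime step does; and when the attacker can only prime sets 0 to 7 while the victim's pages are coloured onto sets 8 to 15, the probe profile is flat and busy_sets returns nothing, which is the effect a partitioned cache is meant to have.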


Another famous use case of Prime + Probe is keystroke sniffing. Whenever a key is pressed:


Keystroke -> interrupt -> kernel mode switch -> ISR execution -> add to the keyboard buffer -> return from interrupt


All of the above activity evicts lines that were placed in the cache during the prime phase.


The above diagram shows the delay seen in the probe phase when a particular letter is typed. For example, when the letter A is typed, a delay is seen in the probe phase: the first spike after time 1.01. The period between disturbances is used to predict the letter.



References:

  1. A Systematic Evaluation of Transient Execution Attacks and Defenses. Claudio Canella, Jo Van Bulck, Michael Schwarz, et al.

  2. NPTEL: NOC: Information Security - 5 - Secure Systems Engineering.

  3. FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. Yuval Yarom, Katrina Falkner.

  4. Typing is writing: Linguistic properties modulate typing execution. Svetlana Pinet, Johannes Ziegler, F.-X. Alario.
