CPU Security: Basics Part - II

In this part, I want to take on one of the most talked-about side-channel attack: Meltdown Meltdown: Meltdown exploits out of order execution to allow userspace programs to access the privilege data. The modern processors use different methodologies to provide memory isolation between user programs so that they don't access each other data. The memory isolation strategies are also employed to isolate user space programs from the kernel/privilege program. On an architectural level, these isolation techniques work, but with high performant out of order execution (https://squareshape.wixsite.com/website/post/cpu-security-basics-part-1 ) coupled with the side-channel attack, the isolation can be cheated. Basics :

1. Virtual address Space: Virtual address space is the address provided by OS to a process. It is a map to the actual physical address using the page-tables. In security context, pagetables in combination with control registers give the permissions details i.e is the physical address readable/writeable/executable for the current process. This is the mechanism CPU uses to isolate the process from each other as each process has its process ID which is considered while doing VA to PA translation. This translation process also creates a boundary between access control of physical space used my higher privileged process and user-space code

2. Exception: Exception happens when there is something wrong with the execution of the instruction. When CPU hits an exception it jumps to a subroutine known as exception handler which takes an appropriate action depending on the type of exception like update the system register with the exception which OS can read and move to the next instruction, raising a pin on the CPU interface to communicate with an external device.

3. Side-channel attack + Exception :

Fig 1: Code snippet

Fig 2: Out of order execution of an instruction in the shadow of exception

Fig 3: Access of page in out of execution path Fig 1: shows the code snippet we are running, The line just after an exception is not supposed to execute as after raising the exception, control moves to the exception handler. Fig 2, shows this movement to exception handler from normal flow. Architecturally we don't see any effect of instructions just after the exception but due to out-of-order execution CPU executes the instructions and updates the microarchitectural states. In this particular case we are looking cache as a covert channel, let us assume that 'data' filed in the code of Fig.1 is 84, as the load with data 84 has happened, the page with offset 84 is accessed in out of order execution and later probe(using Flush and Reload) in Fig.3 can find out that page 84 was accessed in out of order execution by looking at the access time (see: https://squareshape.wixsite.com/website/post/cpu-security-basics-part-1 for more details) Attack : Meltdown Attack is divided into three steps : Step 1: Access the privilege location from user space and is loaded into a register

Step 1 is the execution of line 4, rcx is a kernel address location which is inaccessible to the attracter running the above code at user permission level. when the instruction at line 4 executes, CPU has to do two tasks, 1. Do a VA-PA conversion and do a cache access 2. Find out of the location is accessible at the current permission level Modern processor to gain on performance do the above 2 tasks in parallel. Architecturally for our example, the permissions will not be there to access rcx location, but there is a small window between the rating an exception and the PA access because of the above parallelism. The register al gets loaded with the value at location rcx . At the in-order retirement, an exception will be taken by the CPU and the value in register al and all the below instructions from line 5-7 will be flushed which will be already executed by the CPU due to out-of-order execution. Step 2: Transient instruction uses the secret data in the al register In this step attacker uses transient secret loaded from step one in the instructions from lines 5 to 7. In line 5, we multiple the secret byte with page_size(4k), to have a spatial distance between the access and also it will stop from the interference from the hardware prefetcher. Next in line 6, there is a retry to step 4 due to noise bias to value '0' of the byte. Next in line 7, the cache line is loaded into using a known location using the offset of secret data. This will bring the cache line into L1 and L3 as L3 is inclusive. The attack performs better if the TLB has the mapping of the page access in line 7 as there is a race condition between the execution of transient instruction (5 to 7) and the exception detection and movement to the exception handler Step 3: Step 3 is a classic side-channel attack Flush + Reload (more details here: https://squareshape.wixsite.com/website/post/cpu-security-basics-part-1), which discloses the secret data. Basically, the attacker looks at the which cache line is loaded which directly relates to the secret data Hardware fixes: There is no software vulnerability is involved in Meltdown, a proper hardware fix is needed. A very trivial fix would disable the out of order execution but this will reduce the performance of modern CPU's by huge and is not an acceptable solution. The next solution is to serialize the permission check and the memory access, this too reduces the performance of the CPU as for every access the permission needs to be check before the access. A more realistic solution would be to split of user space and kernel space VA range so that without doing the further lookup the permission can be determined for the access Reference : 1 . Meltdown: Reading Kernel Memory from User Space Moritz Lipp1 , Michael Schwarz1 , Daniel Gruss1 , Thomas Prescher2 , Werner Haas2 , Anders Fogh3 , Jann Horn4 , Stefan Mangard1 , Paul Kocher5 , Daniel Genkin6,9 , Yuval Yarom7 , Mike Hamburg8 1Graz University of Technology, 2Cyberus Technology GmbH, 3G-Data Advanced Analytics, 4Google Project Zero, 5 Independent (www.paulkocher.com), 6University of Michigan, 7University of Adelaide & Data61, 8Rambus, Cryptography Research Division 2. NPTEL : NOC: Information Security - 5 - Secure Systems Engineering 3. GPZ: https://googleprojectzero.blogspot.com/2018/01/readingprivileged-memory-with-side.html 4.A Systematic Evaluation of Transient Execution Attacks and Defenses Claudio Canella1, Jo Van Bulck2, Michael Schwarz