## **Evolution of micro-architectural attacks**

Clémentine Maurice, CNRS, CRIStAL

17 December 2021—32nd HP/HPE (Virtual) Colloquium On Information Security

- hardware usually modeled as an abstract layer behaving correctly, but possible attacks
  - faults: bypassing software protections by causing hardware errors
  - side channels: observing side effects of hardware on computations



#### attack

- retrieving secret keys, keystroke timings
- bypassing OS security (ASLR)

## Hardware-based attacks a.k.a. physical attacks vs. software-based attacks a.k.a. micro-architectural attacks

- hardware-based attacks (physical attacks): physical access to hardware $\rightarrow$ embedded devices
- software-based attacks (micro-architectural attacks): co-located or remote attacker $\rightarrow$ complex systems

#### Side-channel attacks

## From small optimizations...

- new microarchitectures yearly
- performance improvement $\approx 5\%$
- very small optimizations: caches, branch prediction...

- microarchitectural side channels come from these optimizations
- several processes are sharing microarchitectural components
- attacker infers information from a (vulnerable) victim process via hardware usage
- pure-software attacks by unprivileged processes
- sequences of benign-looking actions $\rightarrow$ hard to detect

- Historical recap of past attacks
- Recent advances
- Future and challenges

## **Historical Recap**

## Implementation

```
Algorithm 1: Square-and-multiply exponentiation
Input: base b, exponent e, modulus n
Output: b^e mod n

X ← 1
for i ← bitlen(e) downto 0 do
    X ← multiply(X, X)
    if e_i = 1 then
        X ← multiply(X, b)
    end
end
return X
```
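As an added example (not from the talk), Algorithm 1 in Python instrumented with an operation trace, a decoder that models what a Flush+Reload observer of `multiply()` learns from that trace, and a Montgomery ladder whose trace is the same for every exponent of the same length. The parameters (`b = 4`, `n = 497`, 4-bit exponents) are constructed toy values.

```python
# Added example, not from the talk: Algorithm 1 with an operation trace,
# a trace-to-exponent decoder modelling a Flush+Reload observer of
# multiply(), and a Montgomery ladder whose trace does not depend on
# the exponent bits.


def square_and_multiply(b, e, n, trace=None):
    """Algorithm 1 from the slide (left-to-right square-and-multiply).

    Every call to multiply() is recorded in `trace` as "S" (square)
    or "M" (multiply by the base). The "M" only happens for 1 bits:
    this secret-dependent control flow is what the cache attack sees."""
    x = 1
    for i in range(e.bit_length() - 1, -1, -1):
        x = (x * x) % n                 # multiply(X, X)
        if trace is not None:
            trace.append("S")
        if (e >> i) & 1:
            x = (x * b) % n             # multiply(X, b), only when e_i = 1
            if trace is not None:
                trace.append("M")
    return x


def recover_exponent_from_trace(trace):
    """Decode the exponent from an S/M trace.

    Each "S" starts a new (most-significant-first) bit set to 0; an "M"
    immediately after it turns that bit into a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append(0)
        elif op == "M":
            if not bits:
                raise ValueError("trace cannot start with a multiply")
            bits[-1] = 1
        else:
            raise ValueError(f"unknown operation {op!r}")
    e = 0
    for bit in bits:
        e = (e << 1) | bit
    return e


def montgomery_ladder(b, e, n, trace=None):
    """Regular exponentiation: one multiply and one square per bit,
    whatever the bit value, so the operation trace only reveals
    bitlen(e). Caveat: which of r0/r1 is squared still depends on the
    bit, so operand addresses must not be observable either
    (constant-time swaps are the usual fix); this function only shows
    that the multiply/square sequence is regular."""
    r0, r1 = 1, b % n
    for i in range(e.bit_length() - 1, -1, -1):
        if (e >> i) & 1:
            r0 = (r0 * r1) % n
            r1 = (r1 * r1) % n
        else:
            r1 = (r0 * r1) % n
            r0 = (r0 * r0) % n
        if trace is not None:
            trace.append("M")
            trace.append("S")
    return r0


def trace_of(func, b, e, n):
    """Run func and return the operation trace it produced as a string."""
    t = []
    func(b, e, n, t)
    return "".join(t)


if __name__ == "__main__":
    # Constructed toy parameters (real RSA uses a multi-thousand-bit n).
    b, n = 4, 497
    secret = 0b1011
    trace = trace_of(square_and_multiply, b, secret, n)
    print("square-and-multiply trace:", trace,
          "-> recovered exponent", bin(recover_exponent_from_trace(trace)))
    print("ladder traces for 0b1000 and 0b1111:",
          trace_of(montgomery_ladder, b, 0b1000, n),
          trace_of(montgomery_ladder, b, 0b1111, n))
```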



## 1. Which software implementation is vulnerable?

#### State of the art (more or less)

1. Spend too much time reading OpenSSL code
2. Find vulnerability
3. Exploit it manually using known side channel $\rightarrow$ e.g. CPU cache
4. Publish
5. goto step 1

For example: CVE-2016-0702, CVE-2016-2178, CVE-2016-7440, CVE-2016-7439, CVE-2016-7438, CVE-2018-0495, CVE-2018-0737, CVE-2018-10846, CVE-2019-9495, CVE-2019-13627, CVE-2019-13628, CVE-2019-13629, CVE-2020-16150

## 2. Which hardware component is vulnerable?

#### State of the art (more or less)

1. Spend too much time reading Intel manuals
2. Find weird behavior in corner cases
3. Exploit it
4. Publish
5. goto step 1



## From theoretical to practical cache attacks

- first theoretical attack in 1996 by Kocher
- first practical attack on RSA in 2005 by Percival, on AES in 2006 by Osvik et al.
- renewed interest for the field in 2014 after Flush+Reload by Yarom and Falkner

P. C. Kocher. "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems". In: Crypto'96. 1996.

C. Percival. "Cache missing for fun and profit". In: Proceedings of BSDCan. 2005.

D. A. Osvik, A. Shamir, and E. Tromer. "Cache Attacks and Countermeasures: the Case of AES". In: CT-RSA 2006. 2006.

Y. Yarom and K. Falkner. "Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack". In: USENIX Security Symposium. 2014.

## Hyper-threading: Same-core attacks

- threads sharing one core share resources: L1, L2 cache, branch predictor

# Possible side channels using components shared by a core?

Stop sharing a core!

- L1 and L2 are private
- last-level cache
  - divided in slices
  - shared across cores
  - inclusive



#### Cache

- Data loaded in a specific set depending on its address
- Several ways per set
- Cache line loaded in a specific way depending on the replacement policy

- caches improve performance
- SRAM is expensive $\rightarrow$ small caches
- different timings for memory accesses
  1. data is cached $\rightarrow$ cache hit $\rightarrow$ fast
  2. data is not cached $\rightarrow$ cache miss $\rightarrow$ slow
- cache attacks leverage this timing difference





**Step 1:** Attacker maps shared library (shared memory, in cache)

**Step 2:** Attacker flushes the shared cache line

**Step 3:** Victim loads the data

**Step 4:** Attacker reloads the data

- cross-VM side channel attacks on crypto algorithms
  - RSA: 96.7% of secret key bits in a single signature
  - AES: full key recovery in 30000 dec. (a few seconds)
- covert channels in native environments cross-VM: 298 KBps

Y. Yarom and K. Falkner. "Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack". In: USENIX Security Symposium. 2014.

B. Gülmezoglu et al. "A Faster and More Realistic Flush+Reload Attack on AES". In: Constructive Side-Channel Analysis and Secure Design (COSADE). 2015.

- high spatial resolution: 1 cache line (64 Bytes)
- but requires shared memory + clflush instruction
- $\rightarrow$ memory deduplication between VMs

# Possible side channels using memory deduplication?

## Disable memory deduplication!

(Figure: victim address space, cache, attacker address space)

**Step 1:** Attacker primes, *i.e.*, fills, the cache (no shared memory)

**Step 2:** Victim evicts cache lines while running

**Step 3:** Attacker probes data to determine if set has been accessed

We need to evict cache lines without clflush or shared memory:

1. which addresses do we access to have congruent cache lines?
2. without any privilege?
3. and in which order do we access them?

We need:

1. an eviction set: addresses in the same set, in the same slice (issues #1 and #2)
2. an eviction strategy (issue #3)
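As an added example (not from the talk), a toy set-associative cache model that makes the set/way/replacement-policy mechanics from the cache slides concrete, and runs the Flush+Reload steps (shared line, `clflush`) and the Prime+Probe steps (eviction set of congruent addresses, no shared memory) against it. The geometry (64-byte lines, 8 sets, 2 ways, LRU) and all addresses are constructed assumptions, not any real CPU's.

```python
# Added example, not from the talk: a toy set-associative cache model
# (constructed geometry: 64-byte lines, 8 sets, 2 ways, LRU) used to show
# how Flush+Reload and Prime+Probe observe a victim's accesses.

LINE_SIZE = 64   # bytes per cache line (the spatial resolution of Flush+Reload)
NUM_SETS = 8     # constructed; real last-level caches have thousands of sets
WAYS = 2         # constructed associativity


class Cache:
    def __init__(self):
        # One list per set, ordered from least to most recently used line.
        self.sets = [[] for _ in range(NUM_SETS)]

    @staticmethod
    def line(addr):
        return addr // LINE_SIZE

    @staticmethod
    def set_index(addr):
        # "data loaded in a specific set depending on its address"
        return Cache.line(addr) % NUM_SETS

    def access(self, addr):
        """Load addr. Returns True on a cache hit (fast), False on a miss (slow).
        On a miss in a full set the LRU way is evicted (the replacement policy)."""
        s = self.sets[self.set_index(addr)]
        ln = self.line(addr)
        if ln in s:
            s.remove(ln)
            s.append(ln)          # refresh LRU position
            return True
        if len(s) == WAYS:
            s.pop(0)              # evict least recently used way
        s.append(ln)
        return False

    def flush(self, addr):
        """Model of clflush: drop the line from the cache if present."""
        s = self.sets[self.set_index(addr)]
        ln = self.line(addr)
        if ln in s:
            s.remove(ln)


def flush_reload(cache, shared_addr, victim):
    """Flush+Reload, steps 2-4. shared_addr is a line shared with the victim
    (step 1 is the mapping that makes it shared). Returns True when the
    reload hits, i.e. the victim touched the line in between."""
    cache.flush(shared_addr)           # step 2: flush the shared line
    victim(cache)                      # step 3: victim runs
    return cache.access(shared_addr)   # step 4: reload; hit <=> victim loaded it


def eviction_set(target_addr, attacker_base=0x10000):
    """WAYS attacker-owned addresses congruent with target_addr (same set),
    needing neither shared memory nor clflush: only line indices equal
    modulo NUM_SETS. attacker_base must be aligned to one full pass over
    all sets so the set index can be read straight off the offset."""
    stride = LINE_SIZE * NUM_SETS
    if attacker_base % stride:
        raise ValueError("attacker_base must be a multiple of LINE_SIZE * NUM_SETS")
    first = attacker_base + Cache.set_index(target_addr) * LINE_SIZE
    return [first + i * stride for i in range(WAYS)]


def prime_probe(cache, ev_set, victim):
    """Prime+Probe, steps 1-3. Returns True when the victim used the set.
    The eviction strategy matters: probing in prime order under LRU makes
    one victim eviction cascade into several misses, which still detects
    the access but shows why the access order (issue #3) must be chosen."""
    for a in ev_set:
        cache.access(a)                # step 1: prime, fill all WAYS of the set
    victim(cache)                      # step 2: victim may evict one of our lines
    misses = sum(not cache.access(a) for a in ev_set)   # step 3: probe
    return misses > 0


if __name__ == "__main__":
    shared = 0x3000                    # constructed address of a shared line
    print("Flush+Reload, victim touched line:",
          flush_reload(Cache(), shared, lambda c: c.access(shared)))
    print("Flush+Reload, victim idle:",
          flush_reload(Cache(), shared, lambda c: None))
    ev = eviction_set(shared)
    print("Prime+Probe, victim used the set:",
          prime_probe(Cache(), ev, lambda c: c.access(shared)))
    print("Prime+Probe, victim used another set:",
          prime_probe(Cache(), ev, lambda c: c.access(shared + LINE_SIZE)))
```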

- cross-VM side channel attacks on crypto algorithms:
  - El Gamal (sliding window): full key recovery in 12 min.
- tracking user behavior in the browser, in JavaScript
- covert channels between virtual machines in the cloud

F. Liu et al. "Last-Level Cache Side-Channel Attacks are Practical". In: S&P'15. 2015.

Y. Oren et al. "The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications". In: CCS'15. 2015.

C. Maurice et al. "Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud". In: NDSS'17. 2017.

# Possible side channels using components shared by a CPU?

Stop sharing a CPU!?

### **Recent Advances**

## Increasing the attack surface

#### It's not just caches: DRAM, GPU, TLB, CPU ports, Ring interconnect...!



#### It's not just side channels: Fault attacks too!

(Slide shows the first pages of four papers: CLKSCREW, a fault attack abusing the energy management mechanisms of ARM/Android devices from a malicious kernel driver (Columbia University; S. Sethumadhavan, S. Stolfo); Drammer (V. van der Veen and K. Razavi, Vrije Universiteit Amsterdam; D. Gruss and C. Maurice, Graz University of Technology; et al.); Rowhammer.js, which triggers the Rowhammer bug from JavaScript with cache eviction instead of the cache flush instruction (D. Gruss, C. Maurice, S. Mangard, Graz University of Technology); and "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors" (Y. Kim et al., Carnegie Mellon University and Intel Labs).)

## **Transient execution attacks**

- novel class of attacks $\neq$ side-channel attacks
- $\rightarrow$ transient execution attacks leak the actual target data
  - disclosed in 2018 with Spectre and Meltdown
  - SO MANY VARIANTS

C. Canella et al. "A Systematic Evaluation of Transient Execution Attacks and Defenses". In: USENIX Security Symposium. 2019. https://transient.fail/

- CPU avoids waiting for input data or availability of execution units
- $\rightarrow$ out-of-order execution and speculation
  - sequential semantics is preserved
  - some instructions are never committed, *i.e.*, finally executed
    - instructions that cause an exception + following instructions
    - instructions in branches that are mispredicted
  - these instructions are called transient instructions
  - architectural state $\rightarrow$ everything is fine

- attacker uses a covert channel to encode the secret
- issue: instructions not committed leave traces in microarchitecture
- microarchitectural state is not supposed to be visible...
- ... but we know how to recover the state of caches
- microarchitectural state $\rightarrow$ everything is not fine
- leaking kernel memory, recovering passwords...
- difficult to fix: lazy error handling was a bug, but speculative execution is a feature!



## Porting micro-architectural attacks to the Web

side-channel attacks on the cache, DRAM, MMU, (...), and transient execution attacks like Spectre, ret2spec, RIDL, (...), are coming to web browsers

- very low-level attacks in a high-level language with many abstraction layers in between
- complex but not impossible to perform
- fundamentally hard or impossible to fix in the browser

#### JS and timers: A complicated history

- initial countermeasures: lowering timer resolution
- browsers are adopting better isolation between websites (e.g., Site Isolation) to counter transient execution attacks
- back to higher timer resolution for usability $\rightarrow$ side-channel attacks are possible again!

T. Rokicki, C. Maurice, and P. Laperdrix. "SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers". In: EuroS&P'21. 2021.

## Automating vulnerability and side channel discovery

## **Future and Challenges**

#### **Challenges and questions**

- lack of documentation on microarchitectural components
- which components are vulnerable to these attacks?
- which software is vulnerable to these attacks?
- why do we still manually find vulnerabilities when we have automated tools?
- how to prevent attacks based on performance optimizations without removing performance?

CVE-2018-5407, CVE-2019-1563, CVE-2018-10844, CVE-2018-16868, CVE-2019-19960, CVE-2019-19963, CVE-2020-10932, CVE-2020-11713

- first paper by Kocher in 1996: 25 years of research in this area
- domain still in expansion: increasing number of papers published since 2015
- adopted countermeasures mainly target cryptographic implementations
- still a lot more to discover!
- quick fixes don't work
- still a lot more work needed to find satisfying countermeasures

# Thank you!

#### Contact

- clementine.maurice@inria.fr
- @BloodyTangerine
