

### Mitigation of actual CPU attacks: A hare and hedgehog race not to win

09.08.2018

#### Jens Nazarenus

Conference 4th WAMOS 2018



#### TOC

1. Recap '18
2. Meltdown
3. Spectre
4. RISC-V
5. Conclusion
6. Literature

## RECAP '18


| Date     | Event                              |
|----------|------------------------------------|
| 01/04/18 | Meltdown                           |
|          | Spectre variant 1                  |
|          | Spectre variant 2                  |
| 01/25/18 | Retpoline (Spectre variant 2)      |
| 01/28/18 | KAISER / KPTI                      |
| 02/07/18 | Kernel patches (Spectre variant 1) |
| 03/27/18 | Branchscope                        |
| 05/22/18 | Spectre variant 3                  |
|          | Spectre variant 4                  |
| 07/10/18 | Bounds check bypass store          |


## MELTDOWN


```
1 raise_exception();
2 // the next line is never reached
3 access(probe_array[data * 4096]);
```

- Execute (3) out-of-order
- Perform cache-based side-channel attack

#### OUT-OF-ORDER EXECUTION

- CPU design paradigm to increase performance
- Increases "instructions per clock cycle" (IPC)
- Does not preserve logical program order


#### OUT-OF-ORDER EXECUTION



[Figure: out-of-order execution; axis label: clock cycles]




#### CACHE HIERARCHY

- Small storage units
- Hold copies of recently used memory
- Fast access time



[Figure: cache hierarchy; visible label: L3 Cache]


#### CACHE-BASED SIDE-CHANNEL ATTACKS

- Flush+Reload:
  - Flush cache line in hierarchy
  - Wait for a specified time
  - Reload memory line
    - Fast: victim accessed memory
    - Slow: victim did not access memory
- Spectre / Meltdown use Flush+Reload to access private data

#### MITIGATION: KAISER

- Problem: Kernel mapped 1:1 into process page table
- Solution: Split tables
- It is not possible to access kernel space anymore
- Merged with Linux kernel 4.15
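
A toy model of the page-table split described above, as an added example (not code from the talk or from the Linux kernel): it shows why a supervisor-only mapping still leaves something for a transient load to read, while an unmapped page does not. The eight-page layout, the byte values and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGES 8                     /* constructed layout: pages 0-3 user, 4-7 kernel */
enum { PTE_PRESENT = 1, PTE_USER = 2 };

struct pte { unsigned flags; uint8_t data; };   /* data: one constructed byte per page */

/* Page table that is active while user code runs. Before KAISER the kernel
 * pages are present but supervisor-only; with KAISER they are not mapped.
 * (A real KPTI kernel keeps a small entry trampoline mapped; omitted here.) */
static void build_user_table(struct pte pt[PAGES], int kaiser)
{
    for (unsigned i = 0; i < PAGES; i++) {
        int kernel = i >= 4;
        pt[i].flags = 0;
        pt[i].data = 0;
        if (kernel && kaiser)
            continue;                               /* split tables: no entry at all */
        pt[i].flags = PTE_PRESENT | (kernel ? 0 : PTE_USER);
        pt[i].data = (uint8_t)((kernel ? 0xC0 : 0x10) + i);
    }
}

static int load(int kaiser, unsigned page, int check_privilege)
{
    struct pte pt[PAGES];
    if (page >= PAGES)
        return -1;
    build_user_table(pt, kaiser);
    if (!(pt[page].flags & PTE_PRESENT))
        return -1;                                  /* no translation: nothing to read */
    if (check_privilege && !(pt[page].flags & PTE_USER))
        return -1;                                  /* fault: supervisor-only page */
    return pt[page].data;
}

/* Architectural user-mode load: the privilege check is enforced. */
int arch_read(int kaiser, unsigned page) { return load(kaiser, page, 1); }

/* Transient load as modelled for a Meltdown-affected core: data is forwarded
 * whenever a translation exists; the privilege check only acts at retirement. */
int transient_read(int kaiser, unsigned page) { return load(kaiser, page, 0); }

int main(void)
{
    printf("shared table: arch=%d transient=%d\n", arch_read(0, 5), transient_read(0, 5));
    printf("split tables: arch=%d transient=%d\n", arch_read(1, 5), transient_read(1, 5));
    return 0;
}
```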



## SPECTRE

- Variant 1: bounds check bypass
- Variant 2: branch target injection
#### SPECULATIVE EXECUTION

- Branch prediction
- Motivation?

#### BRANCH PREDICTION

```
lw  x10, 0(x8)          # load the value the branch depends on
bne x10, x0, routine    # outcome is unknown until the load completes
jr  x1                  # return to ra
```



[Figure: execution with branch prediction]

- If guessed wrong: Rollback instructions
- But cache changes remain

#### SPECTRE

- Conditional jump gets mispredicted
- `array1[x]` gets evaluated (because of condition)
- Try to read `array2[array1[x] * 256]`
- Rollback instructions
- Flush+Reload: Timing differences of `array2`.
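
The bounds-check-bypass sequence and its Flush+Reload readout, replayed in a deterministic toy model next to a hardened variant; this is an added example, not code from the talk, and it goes one step beyond the slide by including the branchless index clamp that Linux provides as `array_index_nospec()`. The memory contents, the cache model and the function names `victim` and `flush_reload` are assumptions; no real cache timing is measured.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINES 256                   /* one probe line of array2 per byte value */
#define ARRAY1_SIZE 4UL
/* Constructed memory: array1[0..3] is public, the byte behind it is the secret. */
static const uint8_t memory[5] = { 1, 2, 3, 4, 0x5A };

/* Branchless clamp in the style of Linux's generic array_index_mask_nospec():
 * all ones if index < size, else zero, so there is no branch to mispredict.
 * Relies on arithmetic right shift of negative values (as GCC and Clang do). */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Model of `if (x < ARRAY1_SIZE) y = array2[array1[x] * 256];` with the branch
 * mispredicted as taken: the body runs transiently even for out-of-bounds x.
 * Rollback discards the result (*retired) but does not restore cached[]. */
static void victim(int cached[LINES], int *retired, unsigned long x, int hardened)
{
    unsigned long idx = hardened ? (x & index_mask(x, ARRAY1_SIZE)) : x;
    cached[memory[idx]] = 1;        /* footprint of array2[array1[x] * 256] */
    if (x < ARRAY1_SIZE)
        *retired = memory[idx];     /* only an in-bounds result retires */
}

/* Flush+Reload over the model: flush every probe line, run the victim, then
 * return the line that would reload "fast" (-1 if none or x is not modelled). */
int flush_reload(unsigned long x, int hardened)
{
    int cached[LINES], retired = -1;
    if (x >= sizeof memory)
        return -1;
    memset(cached, 0, sizeof cached);           /* flush */
    victim(cached, &retired, x, hardened);
    for (int line = 0; line < LINES; line++)    /* reload */
        if (cached[line])
            return line;
    return -1;
}

int main(void)
{
    printf("x=4 unhardened: hot line 0x%02X\n", (unsigned)flush_reload(4, 0));
    printf("x=4 hardened:   hot line 0x%02X\n", (unsigned)flush_reload(4, 1));
    return 0;
}
```

With the clamp in place, the out-of-bounds index collapses to 0, so the only line that becomes hot belongs to the public byte `array1[0]`.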

#### MITIGATION: RETPOLINE

- Problem: Indirect branches
- Look in register `x` and jump to the address it holds

Indirect branch:

```
jmp *%rax
```

Retpoline replacement:

```
    call load_label
capture_ret_spec:
    pause ; lfence          # speculation of the return lands here and spins
    jmp capture_ret_spec
load_label:
    mov %rax, (%rsp)        # overwrite the return address with the real target
    ret                     # architecturally jumps to the address in %rax
```

- Recompilation necessary
- Merged with GCC 7.3
- "007" improved Retpoline with minimal overhead



## RISC-V

#### THE HARE AND THE HEDGEHOG



[Image: Gustav Süs, 1855, public domain]


#### MITIGATION ≠ FIX

- A CPU is an integrated circuit:
  - Only semiconductors can fix it
- While there are no hardware fixes:
  - Software mitigation to protect data

- Developers chase the same hedgehog again and again
- How can the hare win the race?

#### RISC-V

- Open-source instruction set architecture (BSD license)
- Developed at the University of California, Berkeley
- Free software implementations available
  - https://github.com/freechipsproject/rocket-chip
  - https://github.com/SpinalHDL/VexRiscv

- Open-source development on GitHub
- Frameworks for formal verification (RVFI)

#### HIFIVE1

- RISC-V based SoC
- RISC-V CPU rocket-chip, which is free software



[Image: © SiFive, Inc.]

## CONCLUSION

- More and more CPU vulnerabilities
- Huge time investment for mitigations
- Free software RISC-V implementations as an alternative

## LITERATURE

- D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. KASLR is Dead: Long Live KASLR, volume 10379 LNCS of Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), pages 161–176. Springer-Verlag Italia, Italy, 2017.
- P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre attacks: Exploiting speculative execution. ArXiv e-prints, Jan. 2018.
- M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown. ArXiv e-prints, Jan. 2018.
- D. A. Patterson and J. L. Hennessy. Computer Architecture: A Quantitative Approach. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 1990.
- Y. Yarom and K. Falkner. Flush+Reload: A high resolution, low noise, L3 cache side-channel attack. In 23rd USENIX Security Symposium (USENIX Security 14), pages 719–732, San Diego, CA, 2014. USENIX Association.


# Thank you for listening.