ARMageddon: Cache Attacks on Mobile Devices

Size: px

Start display at page:

Download "ARMageddon: Cache Attacks on Mobile Devices"

Abigail Norman
5 years ago
Views:

1 ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1

2 TLDR powerful cache attacks (like Flush+Reload) on x86 why not on ARM? 2

3 TLDR powerful cache attacks (like Flush+Reload) on x86 why not on ARM? We identified and solved challenges systematically to: make all cache attack techniques applicable to ARM monitor user activity attack weak Android crypto show that ARM TrustZone leaks through the cache 2

4 What is a cache attack? (1) Number of accesses cache hits cache misses Access time in CPU cycles

5 What is a cache attack? (2) 4

6 What is a cache attack? (2) 4

7 What is a cache attack? (2) 4

8 What is a cache attack? (2) 4

9 What is a cache attack? (2) 4

10 What is a cache attack? (2) 4

11 What is a cache attack? (2) 4

12 What is a cache attack? (2) 4

13 Cache attack techniques Most important techniques: Flush+Reload Prime+Probe Both work on the last-level cache across cores 5

14 Flush+Reload Attacker address space Cache Victim address space step 0: attacker maps shared library shared memory, shared in cache 6

15 Flush+Reload Attacker address space Cache Victim address space cached cached step 0: attacker maps shared library shared memory, shared in cache 6

16 Flush+Reload Attacker address space Cache Victim address space flushes step 0: attacker maps shared library shared memory, shared in cache step 1: attacker flushes the shared line 6

17 Flush+Reload Attacker address space Cache Victim address space loads data step 0: attacker maps shared library shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption 6

18 Flush+Reload Attacker address space Cache Victim address space reloads data step 0: attacker maps shared library shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption step 3: attacker reloads data fast access if the victim loaded the line 6

19 Prime+Probe Attacker address space Cache Victim address space step 0: attacker fills the cache (prime) 7

20 Prime+Probe Attacker address space Cache Victim address space step 0: attacker fills the cache (prime) 7

21 Prime+Probe Attacker address space Cache Victim address space step 0: attacker fills the cache (prime) 7

22 Prime+Probe Attacker address space Cache Victim address space loads data step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption 7

23 Prime+Probe Attacker address space Cache Victim address space loads data step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption 7

24 Prime+Probe Attacker address space Cache Victim address space loads data step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption 7

25 Prime+Probe Attacker address space Cache Victim address space loads data step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption 7

26 Prime+Probe Attacker address space Cache Victim address space step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption 7

27 Prime+Probe Attacker address space Cache Victim address space step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed 7

28 Prime+Probe Attacker address space Cache Victim address space fast access step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed 7

29 Prime+Probe Attacker address space Cache Victim address space slow access step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed 7

30 Caches on Intel CPUs core 0 core 1 core 2 core 3 last-level cache (L3): L1 L2 L3 slice 0 L1 L2 L3 slice 1 L1 L2 L3 slice 2 L1 L2 L3 slice 3 shared inclusive = shared memory is shared in cache, across cores! 8

31 Caches on ARM Cortex-A CPUs core 0 core 1 core 2 core 3 last-level cache (L2): L1 L1 L2 L1 L1 shared but not inclusive = shared memory not in L2 is not shared in cache 9

32 Caches on ARM Cortex-A CPUs core 0 core 1 core 2 core 3 last-level cache (L2): L1 L1 L2 L1 L1 shared but not inclusive = shared memory not in L2 is not shared in cache Challenge #1: non-inclusive caches 9

33 Modern ARM SoCs big.little architecture (A53 + A57) multiple CPUs with no shared cache 10

34 Modern ARM SoCs big.little architecture (A53 + A57) multiple CPUs with no shared cache Challenge #2: no shared cache 10

35 Cache maintenance Instructions to enforce memory coherency x86: unprivileged clflush until ARMv7-A: n/a ARMv8-A: kernel can unlock a flush instruction for userspace 11

36 Cache maintenance Instructions to enforce memory coherency x86: unprivileged clflush until ARMv7-A: n/a ARMv8-A: kernel can unlock a flush instruction for userspace Challenge #3: no flush instruction 11

37 Cache eviction targeted cache eviction on ARM can be complicated: existing approaches introduce much noise pseudo-random replacement policy unclear how randomness affects existing approaches 12

38 Cache eviction targeted cache eviction on ARM can be complicated: existing approaches introduce much noise pseudo-random replacement policy unclear how randomness affects existing approaches Challenge #4: perform fast & reliable cache eviction 12

39 Timing measurements x86: rdtsc provides unprivileged access to cycle count ARM: existing attacks require access to privileged mode cycle counter 13

40 Timing measurements x86: rdtsc provides unprivileged access to cycle count ARM: existing attacks require access to privileged mode cycle counter Challenge #5: find unprivileged highly accurate timing sources 13

41 Challenges #1: non-inclusive caches #2: no shared cache #3: no flush #4: random eviction #5: no unprivileged timing 14

42 Solving #1: non-inclusive caches 15

43 Solving #1: non-inclusive caches Attacking instruction-inclusive data-non-inclusive caches 15

44 Solving #1: non-inclusive caches Attacking instruction-inclusive data-non-inclusive caches Core 0 Core 1 L1I L1D L1I L1D Sets L2 Unified Cache Sets 15

45 Solving #1: non-inclusive caches What about entirely non-inclusive caches? cache coherency protocol fetches data from remote cores instead of DRAM remote cache hits 16

46 Solving #1: non-inclusive caches What about entirely non-inclusive caches? Core 0 Core 1 L1I L1D L1I L1D Sets evict to DRAM L2 Unified Cache Sets 17

47 Solving #1: non-inclusive caches 10 4 Number of accesses Hit (same core) Miss (same core) Hit (cross-core) Miss (cross-core) ,000 Measured access time in CPU cycles (OnePlus One) 18

48 Solving #2: no shared cache Multiple CPUs with no shared cache 19

49 Solving #2: no shared cache Multiple CPUs with no shared cache again: cache coherency protocol fetches data from remote CPUs instead of DRAM keep local L2 filled to increase probability of remote L1/L2 eviction timing difference between local and remote still small enough 19

50 Solving #3: no flush idea: replace flush instruction with cache eviction Flush+Reload Evict+Reload 20

51 Solving #3: no flush idea: replace flush instruction with cache eviction Flush+Reload Evict+Reload (works on x86) 20

52 Solving #3: no flush idea: replace flush instruction with cache eviction Flush+Reload Evict+Reload (works on x86) but: cache eviction is slow and can be unreliable 20

53 Solving #3: no flush idea: replace flush instruction with cache eviction Flush+Reload Evict+Reload (works on x86) but: cache eviction is slow and can be unreliable unless you know how to evict 20

54 Solving #3: no flush idea: replace flush instruction with cache eviction Flush+Reload Evict+Reload (works on x86) but: cache eviction is slow and can be unreliable unless you know how to evict central idea of our Rowhammer.js paper 20

55 Solving #4: random eviction unique addr. # accesses Cycles Eviction rate % % % % % (on the Alcatel One Touch Pop 2) 21

56 Solving #5: no unprivileged timing Comparison of 4 different measurement techniques performance counter (privileged) perf event open (syscall, unprivileged) clock gettime (unprivileged) thread counter (multithreaded, unprivileged) 22

57 Solving #5: no unprivileged timing Number of accesses Hit (PMCCNTR) Miss (PMCCNTR) Hit (syscall.25) Miss (syscall.25) Hit (clock gettime.15) Miss (clock gettime.15) Hit (counter thread.05) Miss (counter thread.05) Measured access time (scaled) 23

58 Flush+Flush on the Samsung Galaxy S Number of cases Flush (address cached) Flush (address not cached) Measured execution time in CPU cycles 24

59 Prime+Probe on the Alcatel One Touch Pop 2 40% 30% Victim access No victim access Cases 20% 10% 0% 1,800 2,000 2,200 2,400 2,600 2,800 3,000 3,200 3,400 Execution time in CPU cycles 25

60 Covert channels on Android Work Type Bandwidth [bps] Error rate Ours (Samsung Galaxy S6) Flush+Reload, cross-core % Ours (Samsung Galaxy S6) Flush+Reload, cross-cpu % Ours (Samsung Galaxy S6) Flush+Flush, cross-core % Ours (Alcatel One Touch Pop 2) Evict+Reload, cross-core % Ours (OnePlus One) Evict+Reload, cross-core % Marforio et al. Type of Intents Marforio et al. UNIX socket discovery Schlegel et al. File locks 685 Schlegel et al. Volume settings 150 Schlegel et al. Vibration settings 87 26

61 Cache template attacks (CTA) Event key longpress swipe tap text 0x840 0x880 0x3280 0x7700 0x8080 0x8100 0x8140 0x8840 0x8880 0x8900 0x8940 0x8980 0x x x11080 Addresses Cache template matrix for libinput.so (on an Alcatel One Touch Pop 2) 27

Cache template attacks (CTA) Input alphabet enter space backspace 0x45140 0x56940 0x57280 0x58480 0x60280 0x60340

62 Cache template attacks (CTA) Input alphabet enter space backspace 0x x x x x x x x x66380 Addresses Cache template matrix for the default AOSP keyboard (on a Samsung Galaxy S6) 28

63 CTA: taps and swipes 200 Access time Tap Tap Tap Swipe Swipe Swipe Tap Tap Tap Swipe Swipe Time in seconds measured on an Alcatel One Touch Pop 2 29

64 CTA: taps and swipes 400 Access time 200 Tap Tap Tap Swipe Swipe Swipe Time in seconds measured on a Samsung Galaxy S6 30

65 CTA: taps and swipes 800 Access time Tap Tap Tap Swipe Swipe Swipe Time in seconds measured on measured on a OnePlus One 31

66 CTA: distinguishing keys Key Space Access time t 0 32 h i s Space 1 2 i s Space a Space 3 4 Time in seconds m 5 e s s a 6 g e 7

67 Bouncy Castle a widely used crypto library WhatsApp,... uses a T-table implementation 33

68 Attacking Bouncy Castle 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xA0 0xB0 0xC0 0xD0 0xE0 0xF0 Address Plaintext byte values 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xA0 0xB0 0xC0 0xD0 0xE0 0xF0 Address Plaintext byte values Evict+Reload (Alcatel) vs. Flush+Reload (Samsung) 34

Attacking Bouncy Castle with Prime+Probe (Alcatel) www.iaik.tugraz.

69 Attacking Bouncy Castle with Prime+Probe (Alcatel) Offset 0x240 0x280 0x2C0 0x300 0x340 0x380 0x3C0 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xA0 0xB0 0xC0 0xD0 0xE0 0xF0 Plaintext byte values 35

70 Leakage from ARM TrustZone (RSA signatures) Probing time in CPU cycles Valid key 1 Valid key 2 Valid key 3 Invalid key Set number 36

71 Conclusions all the powerful cache attacks applicable to smartphones monitor user activity with high accuracy derive crypto keys ARM TrustZone leaks through the cache 37

72 ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 38

arxiv: v2 [cs.cr] 19 Jun 2016

arxiv: v2 [cs.cr] 19 Jun 2016 ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04897v2 [cs.cr] 19 Jun