Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud

Size: px

Start display at page:

Download "Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud"

Antony Fleming
5 years ago
Views:

1 Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer Graz University of Technology February 2017 NDSS / 25

2 Outline cache covert channels how do we get a covert channel working in the cloud? how do we get a covert channel working in a noisy environment? what are the applications of such covert channel? 2 / 25

3 CPU cache main memory is slow compared to the CPU 3 / 25

4 CPU cache main memory is slow compared to the CPU caches buffer frequently used data 3 / 25

5 CPU cache main memory is slow compared to the CPU caches buffer frequently used data every data access goes through the cache 3 / 25

6 CPU cache main memory is slow compared to the CPU caches buffer frequently used data every data access goes through the cache caches are transparent to the OS and the software 3 / 25

7 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 L1 L1 L1 L1 L2 L2 L2 L2 ring bus LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25

8 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L1 L1 L1 L2 L2 L2 L2 ring bus LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25

9 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25

10 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25

11 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores inclusive LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25

12 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores inclusive LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 hash function maps a physical address to a slice 4 / 25

13 Set-associative caches Address Index Offset Cache 5 / 25

14 Set-associative caches Address Index Offset Cache set Cache Data loaded in a specific set depending on its address 5 / 25

15 Set-associative caches Address Index Offset way 0 way 3 Cache set Cache Data loaded in a specific set depending on its address Several ways per set 5 / 25

16 Set-associative caches Address Index Offset way 0 way 3 Cache set Cache line Cache Data loaded in a specific set depending on its address Several ways per set Cache line loaded in a specific way depending on the replacement policy 5 / 25

17 Timing differences cache hits cache misses Number of accesses Access time [CPU cycles] 6 / 25

18 Cache-based covert channels cache attacks exploit timing differences of memory accesses 7 / 25

19 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs 7 / 25

20 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs literature: stops working with noise on the machine 7 / 25

21 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs literature: stops working with noise on the machine solution? Just use error-correcting codes 7 / 25

22 Prime+Probe attacker knows which cache set the victim accessed, not the content 8 / 25

23 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared 8 / 25

24 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared does not need shared memory, e.g., memory de-deduplication 8 / 25

25 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared does not need shared memory, e.g., memory de-deduplication works across VM in the cloud, e.g., on Amazon EC2 8 / 25

26 Prime+Probe Victim address space Cache Attacker address space 9 / 25

27 Prime+Probe Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) 9 / 25

28 Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 9 / 25

29 Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 9 / 25

30 Prime+Probe fast access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 9 / 25

31 Prime+Probe slow access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 9 / 25

32 Why can t we just use error correcting codes? Sender Receiver (a) Transmission without errors 10 / 25

33 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error 10 / 25

34 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error Sender Receiver (c) Sender descheduled: insertions 10 / 25

35 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error Sender Sender Receiver Receiver (c) Sender descheduled: insertions (d) Receiver descheduled: deletions 10 / 25

36 Our robust covert channel physical layer: transmits words as a sequence of 0 s and 1 s deals with synchronization errors data-link layer: divides data to transmit into packets corrects the remaining errors 11 / 25

37 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set 12 / 25

38 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously 12 / 25

39 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously sender transmits 0 doing nothing lines of the receiver still in cache fast access 12 / 25

40 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously sender transmits 0 doing nothing lines of the receiver still in cache fast access sender transmits 1 accessing addresses in the set evicts lines of the receiver slow access 12 / 25

41 Eviction set generation need a set of addresses in the same cache set and same slice 13 / 25

42 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address 13 / 25

43 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address cache tag cache set index cache line offset physical address xxxx 2MB page offset we can build a set of addresses in the same cache set and same slice 13 / 25

44 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address cache tag cache set index cache line offset physical address xxxx 2MB page offset we can build a set of addresses in the same cache set and same slice without knowing which slice 13 / 25

45 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets receiver eviction sets 14 / 25

46 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25

47 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S R R R R R R R R prime receiver eviction sets 14 / 25

48 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S R R R R R R R R receiver eviction sets 14 / 25

49 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S R R R R R R R R probe receiver eviction sets 14 / 25

50 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25

51 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S prime receiver eviction sets R R R R R R R R 14 / 25

52 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S receiver eviction sets R R R R R R R R 14 / 25

53 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S probe receiver eviction sets R R R R R R R R 14 / 25

54 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25

55 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R S S S S S S S S prime receiver eviction sets 14 / 25

56 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets R R R R R R R R S S S S S S S S receiver eviction sets 14 / 25

57 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R S S S S S S S S probe receiver eviction sets 14 / 25

58 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25

59 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R prime receiver eviction sets 14 / 25

60 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S receiver eviction sets 14 / 25

61 Jamming agreement sender eviction sets receiver eviction sets #1 #2 #3 #4 Cache Sets R R R R R R R R probe #1 14 / 25

62 Jamming agreement sender eviction sets #1 #2 #3 #4 Cache Sets receiver eviction sets #1 14 / 25

63 Jamming agreement sender eviction sets #1 #2 #3 #4 Cache Sets receiver eviction sets #1 14 / 25

64 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #1 14 / 25

65 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #2 #1 14 / 25

66 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #3 #2 #1 14 / 25

67 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #4 #3 #2 #1 14 / 25

68 Sending the first image 15 / 25

69 Handling synchronization errors Physical layer word Data 12 bits 16 / 25

70 Handling synchronization errors deletion errors: request-to-send scheme that also serves as ack 3-bit sequence number request: encoded sequence number (7 bits) Physical layer word Data 12 bits SQN 3 bits 16 / 25

71 Handling synchronization errors deletion errors: request-to-send scheme that also serves as ack 3-bit sequence number request: encoded sequence number (7 bits) 0 -insertion errors: error detection code Berger codes appending the number of 0 s in the word to itself property: a word cannot consist solely of 0 s Physical layer word Data SQN EDC 12 bits 3 bits 4 bits 16 / 25

72 Synchronization (before) 17 / 25

73 Synchronization (after) 18 / 25

74 Synchronization (after) 18 / 25

75 Synchronization (after) 18 / 25

76 Data-link layer: Error correction Reed-Solomon codes to correct the remaining errors 19 / 25

77 Data-link layer: Error correction Reed-Solomon codes to correct the remaining errors RS word size = physical layer word size = 12 bits packet size = = 4095 RS words 10% error-correcting code: 409 parity and 3686 data RS words 3686 RS-words 409 RS-words Data-link layer packet Data Parity Physical layer word Data SQN EDC 12 bits 3 bits 4 bits 19 / 25

78 Error correction (after) 20 / 25

79 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% 21 / 25

80 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 21 / 25

81 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 Amazon EC KBps 0.00% 21 / 25

82 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 Amazon EC KBps 0.00% Amazon EC KBps 0.00% web server serving files on sender VM Amazon EC KBps 0.00% stress -m 2 on sender VM Amazon EC KBps 0.00% stress -m 1 on receiver VM Amazon EC KBps 0.00% web server on all 3 VMs, stress -m 4 on 3rd VM, stress -m 1 on sender and receiver VMs Amazon EC KBps 0.00% stress -m 8 on third VM 21 / 25

83 Building an SSH connection VM 1 TCP Client (e.g. ssh) TCP File Socket File System Covert Channel VM 2 Hypervisor Socket File System TCP Server (e.g. sshd) TCP File Covert Channel Prime+Probe Prime+Probe Last Level Cache (LLC) 22 / 25

84 SSH evaluation Between two instances on Amazon EC2 Noise No noise stress -m 8 on third VM Web server on third VM Web server on SSH server VM Web server on all VMs stress -m 1 on server side Connection unstable 23 / 25

85 SSH evaluation Between two instances on Amazon EC2 Noise No noise stress -m 8 on third VM Web server on third VM Web server on SSH server VM Web server on all VMs stress -m 1 on server side Connection unstable Telnet also works with occasional corrupted bytes with stress -m 1 23 / 25

86 Conclusion cache covert channels are practical 24 / 25

87 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise 24 / 25

88 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection 24 / 25

89 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25

90 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25

91 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25

92 Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer Graz University of Technology February 2017 NDSS / 25

Évolution des attaques sur la micro-architecture

Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on