Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Transcription

1 Leak Cauldron on the Dark Land: Understanding Memor Side-Channel Hazards in SGX 1,4 Wenhao Wang, 2 Guoxing Chen, 1 Xiaorui Pan, 2 Yinqian Zhang, 1 XiaoFeng Wang, 3 Vincent Bindschaedler, 1 Haixu Tang and 3 Carl A. Gunter 1 Indiana Universit Bloomington 2 The Ohio State Universit 3 Universit of Illinois Urbana-Champaign 4 Institute of Information Engineering

2 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor

3 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor

4 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor

5 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data PRM Enclave Page Cache (EPC) Application address space Phsical memor

6 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data Memor management PRM Enclave Page Cache (EPC) Application address space Phsical memor

7 Intel Software Guard Extensions Processor Reserved Memor (PRM) ELRANGE SSN, Financial/ Health Data page tables Memor management PRM Enclave Page Cache (EPC) Controlled-channel attacks: OS controls page tables and set traps b making pages inaccessible! Application address space Phsical memor

8 Defenses against page-fault attacks T-SGX Images taken from the authors slides

9 Defenses against page-fault attacks DEJA VU Timed Execution Trustworth Reference Clock CFG 1 t 1 2 t 2 3 t 3 User Space Kernel Privileged Code Images taken from the authors slides

10 Defenses against page-fault attacks Deterministic multiplexing Enclave s Staging Page Images taken from the authors slides

11 Defenses against page-fault attacks T-SGX DEJA VU Deterministic multiplexing CFG Timed Execution 1 Trustworth Reference Clock t 1 User Space 2 3 t 2 t 3 Enclave s Staging Page Kernel Privileged Code Images taken from the authors slides

12 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors.

13 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors. Reducing AEXs induced b page level attacks. A new tpe of attacks.

14 Our contributions A comprehensive understanding of SGX memor side channels. 8 attack vectors. Reducing AEXs induced b page level attacks. A new tpe of attacks. Achieving finer-grained (than 4 KB) spatial granularit. Cache-DRAM attack.

15 1. Understanding Attack Surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor

16 1. Understanding Attack Surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor

17 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

18 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

19 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

20 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

21 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

22 Summar of Attack vectors V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

23 Can we make the attack stealth b reducing AEXs induced b the attack?

24 2. Sneak Page Monitoring Attacks (Vector 4) V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4. Updates of accessed flags. V5. Updates of dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

25 2. Sneak Page Monitoring Attacks (Vector 4) V4. Updates of accessed flags. enclave pages OS page tables SGX hardware

26 2. Sneak Page Monitoring Attacks (Vector 4) V4. Updates of accessed flags. OS enclave pages page tables SGX hardware Whenever the processor uses a paging-structure entr as part of linearaddress translation, it sets the accessed flag in that entr (if it is not alread set).

27 2. Sneak Page Monitoring Attacks (Vector 4) Basic accessed flags monitoring attack: B-SPM OS enclave pages page tables SGX hardware wait A = 1? n Page Accessed. A = 0.

28 2. Sneak Page Monitoring Attacks (Vector 4) Basic accessed flags monitoring attack: B-SPM OS enclave pages page tables SGX hardware IPIs wait A = 1? n Page Accessed. A = 0.

29 2. Sneak Page Monitoring Attacks Basic accessed flags monitoring attack: B-SPM Evaluate on Hunspell. Slowdown is brought down from for page fault attack to 5.1 for B-SPM attack.

30 2. Sneak Page Monitoring Attacks What about if the pages that frequentl accessed are to be observed? BB0 condition = true? BB1 Path_A Path_B1 BB2 page Path_B2 BB3

31 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM α BB1 BB0 Path_A condition = true? Path_B1 BB2 Measure the time between two monitored pages page Path_B2 BB3 β

32 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM α BB0 condition = true? α 1 β 1 t 1 BB1 Path_A Path_B1 BB2 α 2 β 2 t 2 α 3 β 3 t 3 page Path_B2 BB3 α 4 β 4 t 4 β

33 2. Sneak Page Monitoring Attacks Timing enhancement: T-SPM Evaluate on FreeTpe. Slowdown is brought down from 252 for page fault attack to 0.16 for T-SPM attack.

34 2. Sneak Page Monitoring Attacks Can the side effect be further reduced?

35 2. Sneak Page Monitoring Attacks V1. Shared TLB entries under HT. V2. Selective TLB entries flushing without HT. V3. Referenced PTEs are cached as data. V4/5. Updates of accessed/dirt flags. V6. Triggering page faults with P/X or reserved bits. V7. CPU caches are shared between the enclave and non-enclave code. V8. The memor hierarch, specificall the row buffers are shared.

36 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk

37 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk

38 2. Sneak Page Monitoring Attacks TLB flushing with HT (Vector 1): HT-SPM memor reference TLB hit phsical address TLB miss Page table walk TLB priming

39 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6

40 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6 Attacks Page fault attack 71,000 B-SPM attack 33,000 T-SPM attack 1,300 Number of AEXs * HT-SPM is designed to reduce AEXs for data pages, and is not presented in the comparison.

41 2. Sneak Page Monitoring Attacks Evaluation on EdDSA of Libgcrpt v1.7.6 Attacks Page fault attack 71,000 B-SPM attack 33,000 T-SPM attack 1,300 Number of AEXs * HT-SPM is designed to reduce AEXs for data pages, and is not presented in the comparison.

42 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B

43 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B DRAMA attack The program needs to have a large memor footprint, otherwise the memor reference will mostl hit the cache.

44 3. Achieving fine-grained spatial granularit Cache-based attack Prime+Probe: 16 KB, if 2048 cache set, 128 MB EPC Flush+Reload: 64 B DRAMA attack The program needs to have a large memor footprint, otherwise the memor reference will mostl hit the cache. Cache-DRAM attack: finer-grained attack with less noise.

45 3. Achieving fine-grained spatial granularit Cache-DRAM attack 64 B granularit DRAM rows are onl shared among enclaves. No high resolution timer inside the enclaves. Victim enclave cache priming Cache probing Sstem software Row buffer Sping enclave Core 1 Core 2 Core n LLC Memor bus Address translation and timing support DRAM d p p

46 3. Achieving fine-grained spatial granularit Cache-DRAM attack 64 B granularit DRAM rows are onl shared among enclaves. No high resolution timer inside the enclaves. Evaluation on a conditional branch in Gap % detection, <1% false detection. DRAM Victim enclave d cache priming Cache probing Sstem software Memor bus Row buffer p Sping enclave Core 1 Core 2 Core n LLC p Address translation and timing support

47 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.

48 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.

49 Summar of Attack Vectors Vectors Spatial granularit AEX Slow-down * i/dcache PRIME+PROBE 2 MB High High * L2 Cache PRIME+PROBE 128 KB High High L3 Cache PRIME+PROBE 16 KB None Modest Page fault attack 4 KB High High B/T-SPM 4 KB Modest Modest HT-SPM 4 KB None Modest Cross-enclave DRAMA 1 KB None High Cache-DRAM 64 B None Minimal * Do not consider attacks under HT. Otherwise the AEX and slow-down will be low.

50 Conclusions We identified 8 attack vectors in SGX memor management.

51 Looking again at the attack surfaces mov (%rax), %rbx %rax %rbx 7FFFF0014E F0014E20 Address translation unit 00882E2 TLB hit? n 4-level page table walk Cache fill from phsical memor 00882E2480 hit caches? n Page fault allocate EPC page n EPC page? page table entries (PTE) hit page structure caches? n hit caches? n access phsical memor

52 Conclusions We identified 8 attack vectors in SGX memor management. There can be more.

53 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses

54 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave.

55 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit.

56 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit. Attack vectors can be combined to be more effective TLB flushing + SPM, Cache + DRAM, Page monitoring + timing Others?

57 Conclusions We identified 8 attack vectors in SGX memor management. There can be more. New attacks that induce few AEXs, that bpass existing defenses Interrupts are not necessar to attack the enclave. Attacks can achieve finer-grained spatial granularit. Attack vectors can be combined to be more effective TLB flushing + SPM, Cache + DRAM, Page monitoring + timing Others? Defenses?

58 Thanks! An questions?

59 Backup Slides

60 Characterizing memor vectors Spatial granularit The smallest unit of information directl observable to the adversar. Temporal observabilit The abilit for the adversar to measure the timing signals generated during the execution of the target program. Side effects Observable anomalies caused b an attack, which could be emploed to detect the attack, such as AEX.

61 Intel Software Guard Extensions Life ccle of an enclave thread Enclave Initialization (ECREATE/EINIT) EENTER non-enclave mode ERESUME AEX enclave mode EEXIT Enclave Destro (EREMOVE)

62 Related work on Securit 17 Vector 3, 4

63 1. Understanding Attack Surfaces mov (%rax), %rbx

64 1. Understanding Attack Surfaces mov (%rax), %rbx virtual page number %rax 7FFFF0014E20480 F0014E20 %rbx 480 page offset

65 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit?

66 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit? EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)

67 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 TLB hit? Page fault allocate EPC page n EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)

68 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 hit caches? TLB hit? Page fault allocate EPC page n EPC page? n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor page table entries (PTE)

69 1. Understanding Attack Surfaces %rax %rbx mov (%rax), %rbx virtual page number Address F0014E20 translation unit phsical 480 page 00882E2 page offset number phsical address 00882E2480 7FFFF0014E20480 Cache fill from phsical memor hit caches? n TLB hit? Page fault allocate EPC page n EPC page? page table entries (PTE) n 4-level page table walk hit page structure caches? n hit caches? n access phsical memor