Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

Transcription

1 Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017

2 Motivation Intel SGX Enclave uses resources controlled by OS (untrusted) Does not defend against several side-channel vectors Understand memory side channel threats to SGX First step towards a systematic analysis 2

3 Background: Address Translation & TLBs Address Translation Virtual Addresses Address Translation Translation Lookaside Buffers (TLBs) Physical Addresses Page Tables TLBs: multi-level set-associative hardware cache of Page Table Entries (PTE) TLBs: L1 TLB is split into itlb (instructions) and dtlb (data); L2 TLB is unified Recent Intel Processors: TLBs entries selectively flushed based on context (PCID) Note: processors also have other paging structure caches (e.g., PML4, PDPTE, PDE) 3

4 Background: Page Tables Page tables: multi-level data structures stored in main memory Entry at each level points to the next level (physical address) Controlled by the (untrusted) OS; e.g., page fault handling Page Table Entries dirty bit reserved bits access bit present bit Present bit: indicates whether a physical page is mapped; page fault if not set Access bit: set by processor when the PTE is referenced by a page-table walk Dirty bit: set when associated page is updated Reserved bits: trigger page faults if set 4

5 Background: Memory Isolation in SGX Virtual and Physical Memory Management Enclave programs and metadata use Processor Reserved Memory (PRM) 32, 64, or 128 MB MMU prevents access to PRM from outside programs Enclave Page Cache (EPC): subset of PRM from which enclave pages are allocated Translation Lookaside Buffer (TLB): works in traditional ways for EPC CPU transition between enclave and non-enclave EENTER, EEXIT instructions Asynchronous Enclave Exits (AEX) for faults, exceptions, interrupts TLB entries associated with Process-Context Identified (PCID) are flushed out Note: enclave (trusted) code can access non-enclave (untrusted) memory 5

6 Memory Side-Channels Spatial granularity Smallest unit of information directly observable Temporal observability Timing signals to help distinguish different scenarios Side effects Observable anomalies caused by a side-channel attack E.g., program runs visibly slower 6

7 Adversary Model Full control of the OS Modify kernel Knowledge of victim binary code (but not source code) Base virtual address of enclave Virtual-to-physical mapping => can derive mapping of binary code in pages, cache, DRAM Adversary has machine with same configuration prior to attack 7

8 Related Work: Controlled-Channel Attacks Controlled-channel attacks: Deterministic side channels for untrusted operating systems. Xu, Y., Cui, W. and Peinado, M. In IEEE S&P, Side-channel: page faults Input-dependent memory accesses Successful attacks JPEG decoding (libjpeg) Font rendering (FreeType): 100% accuracy Spell checking (Hunspell): 96% accuracy Source: authors slides Note: experiments performed on shielding systems (Haven & InkTag) not on SGX 8

9 Related Work: Controlled-Channel Attacks Controlled-channel attacks: Deterministic side channels for untrusted operating systems. Xu, Y., Cui, W. and Peinado, M. In IEEE S&P, Side-channel: page faults We implemented this attack and performed it on SGX However it causes significant slowdowns (e.g., 1000X) of the enclave program High AEX rate => highly anomalous execution Thwarted by protection which measure execution time! Can the attack be made stealthy? 9

10 Sneaky Page Monitoring Basic idea: continuously check PTEs accessed bits 10

11 Sneaky Page Monitoring (B-SPM) System-level process (outside an enclave): Inspect each PTE s accessed flag Record it when set Reset the flag Page-access trace is a sequence of page sets Cannot differentiate visit order of page within the same set Accessed flag not set again once page number added to TLB Does not cause AEX when page first visited Requires invalidating TLB entries proactively (causes AEX) Use Inter-Processor interrupt (IPI) to cause TLB shootdown Still more lightweight than page-fault attack Example: Page-access trace Round Page set 1 {1, 3} 2 {1, 3, 4} 3 {4, 5} 4 {1, 3, 4} 5 {1, 2, 3} 11

12 Timing Enhancement (T-SPM) Repeated visit to the same pages High resolution => more TLB shootdowns => anomalous interrupt rate Example: secret-dependent branch leaking timing information Idea: leverage timing information Secret-dependent information in same page If code fragment has unique entry & exit pages: Entry page a Exit page b Measure execution time between a and b Once accessed flag of b set; flush TLB & reset flags (a & b) Avoid interrupts between a and b Still learn execution path between them 12

13 TLB Flushing through HyperThreading (HT-SPM) Observation: When HT is turned on for a processor, we can clear TLB without issuing TLB shootdowns Makes all interrupt-based protection ineffective! HT is transparent to the OS Resource (physical) is shared among two virtual cores No interrupts generated Processes running on the two virtual cores share some of the TLB So an attacker can remove TLB entries (outside enclave) without causing interrupts Shared dtlb (64 entries) => only need to access 64 pages to evict 13

14 Evaluation: SPM vs. Page-Fault B-SPM on Hunspell T-SPM on Freetype 62,129 word lookups: Slowdown of 5.1X vs X HT-SPM on Hunspell 88 words recovered (out of 100) Overhead 39.1% ML to recover character from page-access trace Train: The Princess and the Goblin (1000 chars) Test: The Wonderful Wizard of Oz Characters: 69.9% precision Spellcheck: 72.14% words recovered Overhead 16% compared to slowdown 252X 14

15 Evaluation: Attacks on EdDSA Edwards-curve Digital Signature Algorithm (EdDSA) Attack on Libgcrypt (v1.7.6) to recover EdDSA session keys ECC scalar point multiplication Note: normal execution incurs about 1500 AEX 15

16 Spatial Granularity Address translation attacks have page granularity (i.e., 4KB) Recommendation: [Align] specific code and data blocks to exist entirely within a single page. Intel Makes sense only if page granularity is the finest spatial granularity achievable SGX is not designed to deal with cache attacks 16

17 Background: Cache & Memory Hierarchy Core 1 L1 (inst) L1 (data) L2 Cache (Unified) DRAM Core 2 L1 (inst) L1 (data) L2 Cache (Unified) L3 Cache (LLC) 17

18 Cache Attacks Flush + Reload 1. Flush: Evict memory line from cache 2. Wait: Victim enclaves uses cache 3. Reload: Measure time to reload the line Fine grained, low false positive Cannot work on SGX! No shared pages between enclaves Prime + Probe 1. Prime stage: Attacker fills cache with own cache lines 2. Idle stage: Victim enclave runs (utilizes the cache) 3. Probe stage: Measure time to load primed cache lines Works on SGX! Granularity: cache-set, i.e., 16KB (LLC ) Attack runs in non-enclave mode Recovered ElGamal private key (GnuPG)! 18

19 Related Work: DRAMA DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. Pessl, P., Gruss, D., Maurice, C., Schwarz, M. and Mangard, S. In USENIX Security, Side-channel: DRAM access time(s) Keystrokes in Firefox address bar Source: authors slides 19

20 Background: DRAM Source: 20

21 DRAMA on SGX? Goal: victim accessed virtual address d Setup: Create a spying enclave Allocate two memory blocks p, p p on physical row corresponding to d p on different row on the same bank Attack: 1. Access memory block p 2. Wait for victim enclave operations 3. Measure access time to p If victim enclave has accessed d, then p is in the row buffer faster access time 21

22 Challenges: DRAMA & SGX 1. Victim memory accesses (most) will be cached (EPC cacheable by default) Attacker can manually disable cache (CD bit of CR0) => slowdown of approx. 1000X 2. DRAMA may false detect (unrelated) row hits 8KB DRAM row can be shared by multiple data structure / code regions 3. DRAMA cannot achieve finer granularity than 1KB Single memory page (4KB) distributed over 4 DRAM rows Best case: attacker occupies entire row except 1KB Note: Attack process must run as an enclave (to share PRM)! 22

23 Cache-DRAM Attacks Goal: improve spatial granularity with cache + DRAMA Attack: Thread1: non-enclave mode to Prime LLC (evict 1 cache set) Thread2: enclave mode to do DRAMA 6 unknown bits => 64B spatial granularity Additional Challenges: 1. Must share a row with victim (find p, p given d) We used reverse-engineering tools of DRAMA paper 2. Need to reliably measure access time SGXv1: no trusted time; can t read timestamp counter System calls? heavyweight, slow, inaccurate Solution: smuggle CPU cycle counts inside the enclave. (Enclave can read outside memory.) 23

24 Evaluation: Cache-DRAM Attacks Proof of concept attack on Gap computational discrete math library 24

25 Analysis of Attack Surfaces 25

26 Existing Defenses 1. Deterministic multiplexing Idea: place secret-dependent data & control flows in the same pages Effectiveness: orthogonal to cache side channels & DRAM side channels 2. Transactional memory (e.g., T-SGX) Idea: page faults cause transaction aborts that are handled inside the enclave Effectiveness: does not prevent accessed and dirty flags from being set 3. Hardware design changes (e.g., Sanctum) Idea: enclave has its own page table so page access patterns are invisible to OS Effectiveness: orthogonal to DRAMA attack 4. Timed execution Idea: measure execution time of basic blocks; larger time indicates enclave code interrupted by AEX Effectiveness: some attacks do not cause high rate of AEX (e.g., T-SPM, HT-SPM) 5. Enclave ASLR (e.g., SGX-Shield) Idea: fine-grained Address Space Layout Randomization (ASLR) for enclave programs Effectiveness: malicious OS might learn the memory layout after observing access patterns 26

27 Lessons Learned 1. Attack surface is larger than page-faults & cache Other channels: inter-page timing, DRAM, HyperThreading 2. Attacks can be stealthy and fine-grained Can t expect a high AEX rate Putting sensitive information in the same page is not effective 3. Hardware changes may be the best defense Downside: expensive, goes against the philosophy 27

28 Summary Systematic study of memory related side-channels threats to SGX Identified 8 attack vectors Proposed a suite of new attacks Attacks can be stealthy (low AEX rate) Timing can enhance attacks Fine-grained observation (64B << 4KB) All existing defenses are vulnerable, some are ineffective 28

29 Big Picture Research hype cycle of side-channel attacks: 1. Paper describes new side-channel attack 2. Researchers rush to propose defenses and publish them 3. Defenses are found to be ineffective against slight variants of the attack Instead: spend time to understand the problem at a fundamental level then think of how to fix it For SGX: more research needed Power statistics, cache miss statistics, branch timing, page accesses. 29