Spectre et Meltdown, 15 min pour tout comprendre @DevoxxFR

#DevoxxFR Spectre et Meltdown : 15 min pour tout comprendre
Alexis DUQUE @alexis0duque

#DevoxxFR ALEXIS DUQUE Embedded Software engineer & R&D leader at
Rtone PhD Student at CITI Lab, INSA de Lyon @alexis0duque alexisduque [email protected] alexisduque.me https://goo.gl/oNUWu6 About Me 2

#DevoxxFR Who? Werner Haas & Thomas Prescher Daniel Gruss, Moritz
Lipp, Michael Schwarz & Stefan Mangard Daniel Genkin Jann Horn Yuval Yaro Paul Kohcher

#DevoxxFR SPECTRE Variant 1 (CVE-2017-5753) Bounds Check Bypass • Primarily
affects interpreters/JITs SPECTRE Variant 2 (CVE-2017-5715) Branch Target Injection • Primarily affects kernels/hypervisors MELTDOWN (CVE-2017-5754) Rogue Data Cache Load • Affects kernels and equivalent software Attacks Overviews

#DevoxxFR What is a Side Channel?

#DevoxxFR Memory Access Timing L2 LLC Slice 0 L1 Core
0 L1 Core 1 L2 LLC Slice 1 Core 2 L2 LLC Slice 2 L1 Core 3 L2 LLC Slice 3 L1 Ring Bus RAM

#DevoxxFR Memory Mapping Virtual Memory Process 2 Virtual Memory Process
1 Physical Memory

#DevoxxFR Kernel Isolation Memory Userspace Applications OS Kernelspace Syscall

#DevoxxFR Out-of-Order Execution, Speculative Execution And Branch Prediction if (foo_array[index1]
^ foo_array[index2] == 0) { result = bar_array[100]; } else { result = bar_array[200]; } int index1, index2; char foo_array[FOO_SIZE]; char bar_array[BAR_SIZE]; char result; …… Out-of-Order

#DevoxxFR Conditional Branch: CPU select 1 of 2 choices depending
on the value of a condition (A > D) Indirect branch: CPU reads a value that tells it where to fetch the next instruction Conditional & Indirect Branch Redirect execution to whatever address at memory location 0x10000c5f0. In this case, it will call the initterm function.

#DevoxxFR Meltdown 16

#DevoxxFR TU Graz result Privilege-checks for memory access are performed
asynchronously Dependent instructions can execute before execution is aborted! Race condition in the privilege check Straightforward attack: leak cached data Meltdown / Variant 3

#DevoxxFR …. char secret_data = *(char *) 0xffffffff81a000e0; //<- Kernel
Address char* probe_array = new char[256 * 4096] // ... Make sure probe_array is not cached … char kernel_memory = *(char*)(kernel_address); char secret_data = kernel_memory * 4096; char dummy = probe_array[secret_data * 4096]; // ... catch page fault // ... determine which of 256 slots in probe_array is cached // with flush+reload side channel attack Spectre 1 Meltdown

#DevoxxFR Meltdown Mitigation 19

#DevoxxFR Memory Mapping V.Mem. Process 1 (Kernel) V.Mem. Process 1
(User) Physical Memory System Call

#DevoxxFR Userspace Kernelspace Applications Operating System Memory Userspace Kernelspace Applications
Kernel View User View Context switch

#DevoxxFR Spectre

#DevoxxFR char* data = "textKEY"; if (index < 4) index
= 0; LUT[data[index]4096]] 0 Prediction

#DevoxxFR char* data = "textKEY"; if (index < 4) LUT[data[index]4096]]
0 Prediction Execute index = 0;

0 Prediction index = 1;

0 Prediction Speculate index = 1;

#DevoxxFR char* data = "textKEY"; if (index < 4) Speculate
LUT[data[index]4096]] 0 Prediction index = 2;

0 Prediction Execute index = 4;

#DevoxxFR char* data = "textKEY"; if (index < 4) Execute

#DevoxxFR 1 if (index < data.length) { 2 index =
data[index | 0]; 3 index = (((index * TABLE1_STRIDE)|0) & (TABLE1_BYTES-1))|0; 4 localJunk ^= probeTable[index|0]|0; 5 } Spectre 1 4096B = page size Teach JIT that index is in bounds for data[] so it can omit bounds check in next line. Want length uncached for attack passes index will be in-bounds on training passes, and out-of-bounds on attack passes Do the out-of-bounds read on attack passes! This AND keeps the JIT from adding unwanted bounds checks on the next line Leak out-of-bounds read result into cache state! Need to use the result so the operations aren’t optimized JS optimizer trick (make result an int.) Spectre Variante 1

#DevoxxFR Branch predictor state is stored in a Branch Target
Buffer (BTB) Indexed and tagged by (on Intel Haswell) • partial virtual address • recent branch history fingerprint Branch prediction is expected to sometimes be wrong Spectre 2

#DevoxxFR LUT[data[index]4096]] 0 Prediction hotDrink* h = coffee; h->prepare() infuseTea()

#DevoxxFR Speculate LUT[data[index]4096]] 0 Prediction hotDrink* h = coffee; h->prepare()
infuseTea()

#DevoxxFR LUT[data[index]4096]] 0 Prediction hotDrink* h = coffee; h->prepare() infuseTea()
Execute

#DevoxxFR LUT[data[index]4096]] 0 Prediction hotDrink* h = coffee; h->prepare() brewCoffee()

#DevoxxFR LUT[data[index]4096]] 0 Prediction hotDrink* h = coffee; h->prepare() Speculate
brewCoffee()

#DevoxxFR hotDrink* h = coffee; h->prepare() LUT[data[index]4096]] 0 Prediction brewCoffee()

#DevoxxFR hotDrink* h = tea; h->prepare() LUT[data[index]4096]] 0 Prediction brewCoffee()

#DevoxxFR Speculate LUT[data[index]4096]] 0 Prediction hotDrink* h = tea; h->prepare()
brewCoffee()

#DevoxxFR LUT[data[index]4096]] 0 Prediction hotDrink* h = tea; h->prepare() brewCoffee()

#DevoxxFR Execute LUT[data[index]4096]] 0 Prediction hotDrink* h = tea; h->prepare()
brewCoffee()

#DevoxxFR Conclusion

#DevoxxFR Am I Vulnerable ? https://github.com/speed47/spectre-meltdown-checker https://support.microsoft.com/en-us/help/4073119/protect-against- speculative-execution-side-channel-vulnerabilities-in

#DevoxxFR Available Updates Linux, macOS: Meltdown (x64 only), Spectre variant
1&2 to some degree Windows: Meltdown (x64 only), Spectre variant 1, Spectre variant 2 partially (1/31/18: mitigate Spectre variant 2 for devices with Intel Skylake, Kaby Lake, and Coffee Lake processors ) https://blog.barkly.com/meltdown-spectre-patches-list- windows-update-help

#DevoxxFR Workaround: insert instructions stopping speculation • insert after every
bounds check • x86: LFENCE, ARM: CSDB • Available on all Intel CPUs, retrotted to existing: ARMv7 and ARMv8 Spectre 1 Mitigations

#DevoxxFR Intel released microcode updates • Indirect Branch Restricted Speculation
(IBRS) • Indirect Branch Predictor Barrier (IBPB): A compiler extension (software): Retpoline • Always predict to enter an endless loop instead of the correct (or wrong) target function! • Performance? ARM provides hardened Linux kernel Spectre 2 Mitigations

#DevoxxFR Some Thoughts Covert channels in CPUs are useful for
more than transferring secrets between isolated processes Not all security issues are correctness issues Increasing complexity introduced by Intel to improve performance breaks security assumptions Spectre2 is coming ...

#DevoxxFR References Prior research Y. Yarom, K. Falker, "FLUSH+RELOAD: a
High Resolution, Low Noise, L3 Cache Side-Channel Attack" D. Evtyushkin, D. Ponomarev, N. Abu-Ghazaleh, "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" F. Wilhelm, "PoC for breaking hypervisor ASLR using branch target buffer collisions" Papers, Blogposts on Meltdown & Spectre Spectre: https://spectreattack.com/spectre.pdf Meltdown: https://meltdownattack.com/meltdown.pdf https://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

#DevoxxFR Merci / Thanks you

Spectre et Meltdown, 15 min pour tout comprendre @DevoxxFR

Spectre et Meltdown, 15 min pour tout comprendre @DevoxxFR

More Decks by Alexis DUQUE

Other Decks in Technology

Featured

Transcript