### Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

A review & perspective

Jo Van Bulck

CIF Review, Leuven, October 28, 2021

imec-DistriNet, KU Leuven, jo.vanbulck@cs.kuleuven.be



#### The big picture: Enclaved execution attack surface

Traditional layered designs: large trusted computing base

Intel SGX promise: hardware-level isolation and attestation

#### The big picture: Privileged side-channel attacks

**Game-changer:** Untrusted OS $\rightarrow$ new class of powerful side channels!

Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", IEEE S&P 2015.



1. Which novel privileged side channels exist?
   $\rightarrow$ We uncover previously unknown attack avenues
2. How well can they be exploited in practice?
   $\rightarrow$ We develop new techniques and practical attack frameworks
3. What can be leaked?
   $\rightarrow$ We recover metadata and data



# Idea 1: Privileged interrupts for side-channel amplification

```
// Early-exit password comparison (deliberately leaky): the loop performs one
// iteration per correctly guessed prefix byte before returning 0, so the number
// of executed instructions reveals how many leading bytes of the guess matched.
int check_pwd(const char *input)
{
    for (int i = 0; i < PWD_LEN; i++)
        if (input[i] != pwd[i])
            return 0;

    return 1;
}
```







#### Building the side-channel oracle with execution timing?

**Too noisy:** modern x86 processors are lightning fast...





https://github.com/jovanbulck/sgx-step








#### Demo: Building a deterministic password oracle with SGX-Step

```
[idt.c] DTR.base=0xfffffe000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRQ handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10); p=1; dpl=3; type=14; ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC_BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000; LVTT=400ec; TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15; guess='******'
[attacker] found pwd len = 6
[main.c] recovering password bytes
[attacker] steps=35; guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0
[file.c] writing buffer to '/dev/cpu/1/msr' (size=8)
[main.c] all done; counted 2260/2183 IRQs (AEP/IDT)
```
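The demo recovers the password purely from the number of single-stepped instructions, because the early-exit loop in `check_pwd` executes one more iteration for every correct prefix byte. The C program below is an added example, not part of the slides or of the SGX-Step repository: a global counter stands in for the APIC-timer interrupt count, the secret is hard-coded to "SECRET" (assumed from the demo output) and its length is assumed known, the attacker recovers the password byte by byte from the counts alone, and the same attacker is then run against a constant-iteration comparison to show that the oracle disappears once the loop no longer exits early.

```c
#include <stdio.h>
#include <string.h>

/* Software model of the SGX-Step instruction-count oracle (added example).
 * In the real attack a privileged adversary single-steps the enclave with
 * APIC timer interrupts and counts them; here g_steps plays that role. */

#define PWD_LEN 6
static const char pwd[PWD_LEN + 1] = "SECRET";  /* enclave secret; the attacker never reads it */
static unsigned long g_steps;                    /* stands in for the number of single-step IRQs */

/* The early-exit comparison from the slide: one step per compared byte,
 * plus one step for the fall-through success path. */
int check_pwd_leaky(const char *input)
{
    for (int i = 0; i < PWD_LEN; i++) {
        g_steps++;                     /* compare instruction for byte i */
        if (input[i] != pwd[i])
            return 0;                  /* early exit: fewer steps observed */
    }
    g_steps++;                         /* success path */
    return 1;
}

/* Constant-iteration variant: the loop never exits early, so every input
 * costs exactly PWD_LEN + 1 steps regardless of how many bytes match. */
int check_pwd_ct(const char *input)
{
    unsigned char diff = 0;
    for (int i = 0; i < PWD_LEN; i++) {
        g_steps++;
        diff |= (unsigned char)(input[i] ^ pwd[i]);
    }
    g_steps++;
    return diff == 0;
}

typedef int (*pwd_check_fn)(const char *);

/* Attacker-side oracle: run the check on a guess and observe only the step count. */
unsigned long step_count(pwd_check_fn check, const char *guess)
{
    g_steps = 0;
    (void)check(guess);
    return g_steps;
}

/* Recover the password byte by byte: at position i the one candidate that costs
 * more steps than all others is the correct byte (it survives one more compare).
 * Returns 1 if the recovered guess is accepted by the check, 0 otherwise. */
int recover_pwd(pwd_check_fn check, char out[PWD_LEN + 1])
{
    memset(out, 'A', PWD_LEN);
    out[PWD_LEN] = '\0';
    for (int i = 0; i < PWD_LEN; i++) {
        char best = out[i];
        unsigned long best_steps = 0;
        for (int c = 0x20; c <= 0x7e; c++) {       /* printable ASCII candidates */
            out[i] = (char)c;
            unsigned long s = step_count(check, out);
            if (s > best_steps) {
                best_steps = s;
                best = (char)c;
            }
        }
        out[i] = best;
    }
    return check(out);
}

int main(void)
{
    char out[PWD_LEN + 1];
    int ok = recover_pwd(check_pwd_leaky, out);
    printf("early-exit check : %s (%s); steps 'AAAAAA'=%lu 'SECRET'=%lu\n",
           ok ? "recovered" : "failed", out,
           step_count(check_pwd_leaky, "AAAAAA"), step_count(check_pwd_leaky, "SECRET"));
    ok = recover_pwd(check_pwd_ct, out);
    printf("constant-time    : %s; steps 'AAAAAA'=%lu 'SECRET'=%lu\n",
           ok ? "recovered" : "failed",
           step_count(check_pwd_ct, "AAAAAA"), step_count(check_pwd_ct, "SECRET"));
    return 0;
}
```

A constant iteration count removes only the instruction-count oracle. As Idea 2 shows, the latency of each single-stepped instruction still leaks data-dependent microarchitectural state, so constant-time control flow is necessary but not sufficient against a single-stepping adversary.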

### CVE-2018-3626: ALL YOUR ZERO BYTES ARE BELONG TO US

Van Bulck et al. "A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes", CCS 2019.

Temporal resolution: ✓ = instruction-level (number of instructions between two observations), ✗ = coarser than one instruction, ~ Page = page granularity. ● marks the privileged primitives each attack relies on: APIC interrupts (IRQ, IPI), page-table entries (page faults #PF, accessed/dirty bits A/D, physical page number PPN) and descriptor tables (GDT, IDT).

| Yr  | Attack           | Temporal resolution | IRQ (APIC) | IPI (APIC) | #PF (PTE) | A/D (PTE) | PPN (PTE) | GDT (Desc) | IDT (Desc) |
|-----|------------------|---------------------|------------|------------|-----------|-----------|-----------|------------|------------|
| '15 | Ctrl channel     | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ● |
| '16 | AsyncShock       | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '17 | CacheZoom        | ✗ >1                | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '17 | Hahnel et al.    | ✗ 0 - >1            | ● | ○ | ○ | ○ | ○ | ○ | ● |
| '17 | BranchShadow     | ✗ 5 - 50            | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '17 | Stealthy PTE     | ~ Page              | ○ | ● | ○ | ● | ○ | ○ | ● |
| '17 | DarkROP          | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '17 | SGX-Step         | ✓ 0 - 1             | ● | ○ | ● | ● | ○ | ○ | ○ |
| '18 | Off-limits       | ✓ 0 - 1             | ● | ○ | ● | ○ | ○ | ● | ○ |
| '18 | Single-trace RSA | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '18 | Foreshadow       | ✓ 0 - 1             | ● | ○ | ● | ○ | ● | ○ | ○ |
| '18 | SgxPectre        | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '18 | CacheQuote       | ✗ >1                | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '18 | SGXlinger        | ✗ >1                | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '18 | Nemesis          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | Spoiler          | ✓ 1                 | ● | ○ | ○ | ● | ○ | ○ | ● |
| '19 | ZombieLoad       | ✓ 0 - 1             | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | Tale of 2 worlds | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | MicroScope       | ~ 0 - Page          | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Bluethunder      | ✓ 1                 | ● | ○ | ○ | ○ | ○ | ○ | ● |
| '20 | Big troubles     | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Viral primitive  | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | CopyCat          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | LVI              | ✓ 1                 | ● | ○ | ● | ● | ● | ○ | ● |
| '20 | A to Z           | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Frontal          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | CrossTalk        | ✓ 1                 | ● | ○ | ● | ○ | ○ | ○ | ● |
| '20 | Online template  | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Déjà Vu NSS      | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |



# Idea 2: Privileged interrupts for microarchitectural leakage

#### Nemesis attack: Inferring key strokes from Sancus enclaves

Enclave x-ray: start-to-end trace of enclaved execution

Enclave x-ray: keymap bit traversal (ground truth)

(Trace plots: x-axis is the instruction, i.e. the interrupt number.)

#### Intel SGX microbenchmarks: Measuring x86 cache misses

Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018.



# Idea 3: Privileged page tables for transient data leakage

#### Thesis outline: Privileged side channels (interrupt latency)



Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018.

#### Thesis outline: Privileged side channels (page table accesses)



Van Bulck et al. "Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution", USENIX Security 2017.

#### Thesis outline: Transient-execution attacks (Foreshadow, LVI)



Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX Security 2018.

Van Bulck et al. "LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection", S&P 2020.

# WHAT IF I TOLD YOU ... YOU CAN CHANGE RULES MID-GAME

#### Abusing out-of-order and speculative execution



#### The transient-execution zoo

https://transient.fail

Canella et al. "A systematic evaluation of transient execution attacks and defenses", USENIX Security 2019.








#### Rumors: Meltdown immunity for SGX enclaves?

# Meltdown melted down everything, except for one thing

"[enclaves] remain protected and completely secure"

— International Business Times, February 2018

ANJUNA'S SECURE-RUNTIME CAN PROTECT CRITICAL APPLICATIONS AGAINST THE MELTDOWN ATTACK USING ENCLAVES

"[enclave memory accesses] redirected to an abort page, which has no value" — Anjuna Security, Inc., March 2018

"Spectre-like flaw undermines Intel processors' most secure element" (Wired, https://wired.com)

"I'm sure this won't be the last such problem: Intel's SGX blown wide open by, you guessed it, a speculative execution attack. Speculative execution attacks truly are the gift that keeps on giving." (Ars Technica, https://arstechnica.com)

#### Building Foreshadow: Evade SGX abort page semantics

SGX checks prohibit unauthorized access

#### The microarchitecture behind Foreshadow

Foreshadow-SGX: Bypass enclave isolation

Foreshadow-VMM: Bypass virtual machine isolation

#### Mitigating Foreshadow: Flush CPU microarchitecture

Excerpt from the Intel SDM MSR listing:

| Address (hex) | Address (dec) | Register / bit | Description | Availability |
|------|-----|------------------|-------------|--------------|
| 10BH | 267 | IA32_FLUSH_CMD | Flush Command (WO). Gives software a way to invalidate structures with finer granularity than other architectural methods. | If any one of the enumeration conditions for defined bit field positions holds. |
|      |     | Bit 0 | L1D_FLUSH: Writeback and invalidate the L1 data cache. | If CPUID.(EAX=07H, ECX=0):EDX[28] = 1 |
|      |     | Bits 63:1 | Reserved | |
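The table gives the architectural flush and the CPUID bit that enumerates it; the write itself is ring-0 only. The C program below is an added example, not from the slides or from Intel: it queries CPUID leaf 7 and, where Linux's msr driver is readable, the IA32_ARCH_CAPABILITIES MSR, and classifies the host as not affected (RDCL_NO set, which Intel's L1TF guidance and Linux's bug detection treat as "not affected by L1TF"), affected with the L1D_FLUSH command available, or affected without an architectural flush. Bit positions are from the Intel SDM; the status enum, function names and the `/dev/cpu/N/msr` handling are this example's own, and the inputs in the test are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#  include <cpuid.h>
#endif

/* Added example: enumerate the Foreshadow/L1TF mitigation state of this host. */

/* CPUID.(EAX=07H,ECX=0):EDX bits (Intel SDM) */
#define CPUID7_EDX_L1D_FLUSH  (1u << 28)   /* IA32_FLUSH_CMD.L1D_FLUSH is supported */
#define CPUID7_EDX_ARCH_CAPS  (1u << 29)   /* IA32_ARCH_CAPABILITIES MSR is present */

/* IA32_ARCH_CAPABILITIES (MSR 10AH) bits (Intel SDM) */
#define MSR_IA32_ARCH_CAPABILITIES   0x10Au
#define ARCH_CAP_RDCL_NO             (1ull << 0)  /* not susceptible to rogue data cache load */
#define ARCH_CAP_SKIP_L1DFL_VMENTRY  (1ull << 3)  /* VMM need not flush L1D on VM entry */

enum l1tf_status {
    L1TF_NOT_AFFECTED,      /* RDCL_NO: hardware not affected, no flush needed */
    L1TF_FLUSH_AVAILABLE,   /* affected; ring 0 can wrmsr(IA32_FLUSH_CMD, L1D_FLUSH) */
    L1TF_NO_FLUSH_SUPPORT   /* affected, no architectural flush enumerated (needs microcode) */
};

/* Pure classification, so it can be exercised with constructed register values.
 * arch_caps is only trusted when CPUID enumerates the MSR and it was actually read. */
enum l1tf_status classify_l1tf(uint32_t cpuid7_edx, bool have_arch_caps, uint64_t arch_caps)
{
    if (have_arch_caps && (cpuid7_edx & CPUID7_EDX_ARCH_CAPS) && (arch_caps & ARCH_CAP_RDCL_NO))
        return L1TF_NOT_AFFECTED;
    if (cpuid7_edx & CPUID7_EDX_L1D_FLUSH)
        return L1TF_FLUSH_AVAILABLE;
    return L1TF_NO_FLUSH_SUPPORT;
}

/* Read an MSR through Linux's msr driver (root and `modprobe msr` required);
 * this is the same interface the SGX-Step demo log shows for /dev/cpu/1/msr. */
bool read_msr(int cpu, uint32_t reg, uint64_t *value)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return false;
    bool ok = pread(fd, value, sizeof *value, (off_t)reg) == (ssize_t)sizeof *value;
    close(fd);
    return ok;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) {
        puts("CPUID leaf 7 not available");
        return 1;
    }
    uint64_t caps = 0;
    bool have_caps = (edx & CPUID7_EDX_ARCH_CAPS) && read_msr(0, MSR_IA32_ARCH_CAPABILITIES, &caps);
    printf("L1D_FLUSH enumerated     : %s\n", (edx & CPUID7_EDX_L1D_FLUSH) ? "yes" : "no");
    printf("IA32_ARCH_CAPABILITIES   : %s\n", have_caps ? "read" : "not read (MSR absent or no /dev/cpu access)");
    if (have_caps)
        printf("  RDCL_NO=%d SKIP_L1DFL_VMENTRY=%d\n",
               !!(caps & ARCH_CAP_RDCL_NO), !!(caps & ARCH_CAP_SKIP_L1DFL_VMENTRY));
    switch (classify_l1tf(edx, have_caps, caps)) {
    case L1TF_NOT_AFFECTED:     puts("status: not affected by L1TF"); break;
    case L1TF_FLUSH_AVAILABLE:  puts("status: affected, architectural L1D flush available"); break;
    default:                    puts("status: affected, no architectural L1D flush"); break;
    }
#else
    puts("not an x86 host");
#endif
    return 0;
}
```

On Linux the kernel's own verdict is in `/sys/devices/system/cpu/vulnerabilities/l1tf`; the program above shows where that verdict comes from.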










### Idea: Inverting Foreshadow & co. with Load Value Injection (LVI)

#### Mitigating LVI: Fencing vulnerable load instructions

## Mitigating LVI: Compiler and assembler support

- `-mlfence-after-load` (GNU assembler)
- `-mlvi-hardening` (LLVM/clang)
- `-Qspectre-load` (MSVC)

"GNU Assembler Adds New Options For Mitigating Load Value Injection Attack" (Michael Larabel, Phoronix, 11 March 2020)

"LLVM Lands Performance-Hitting Mitigation For Intel LVI Vulnerability" (Michael Larabel, Phoronix, 3 April 2020)

"More Spectre Mitigations in MSVC" (Microsoft C++ Team Blog, March 13th, 2020)
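The two slides above describe the mitigation (a fence after every load that an attacker could make fault or assist) and the toolchain flags that insert it automatically. The C below is an added example, not from the slides, the LVI paper or any compiler: it shows the manual form of that fence on the two load shapes the attacker targets, an index load consumed by a dependent memory access and a pointer load that is dereferenced. The table, index slot and function names are constructed for illustration; on non-x86 hosts the macro degrades to a compiler barrier so the file still compiles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: manual "lfence after load" hardening against LVI. */

#if defined(__x86_64__) || defined(__i386__)
/* lfence: no younger instruction executes, not even transiently, until every
 * older load has completed. A faulting or assisted load therefore cannot
 * forward an attacker-injected value into the dependent code below. */
#  define LOAD_FENCE() __asm__ __volatile__("lfence" ::: "memory")
#else
#  define LOAD_FENCE() __asm__ __volatile__("" ::: "memory")  /* non-x86: barrier only */
#endif

#define TABLE_LEN 8
/* Constructed enclave-side data that must not be leaked. */
static const uint8_t secret_table[TABLE_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

/* Vulnerable shape: *idx_ptr is loaded from memory whose page mappings the
 * untrusted OS controls. Under LVI the attacker makes that load fault or
 * assist so the pipeline transiently continues with an injected index; the
 * bounds check is then evaluated on the injected value, and secret_table[idx]
 * is accessed transiently before the fault is architecturally handled. */
uint8_t lookup_unfenced(const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;
    if (idx >= TABLE_LEN)
        return 0;
    return secret_table[idx];
}

/* Hardened shape: the fence sits directly after the injectable load, which is
 * exactly where -mlfence-after-load / -mlvi-hardening / -Qspectre-load put it. */
uint8_t lookup_fenced(const size_t *idx_ptr)
{
    size_t idx = *idx_ptr;
    LOAD_FENCE();
    if (idx >= TABLE_LEN)
        return 0;
    return secret_table[idx];
}

/* Same pattern for a loaded pointer: without the fence an injected pointer
 * value would be dereferenced transiently before the load's fault is taken. */
uint8_t deref_fenced(const uint8_t *const *pp)
{
    const uint8_t *p = *pp;
    LOAD_FENCE();
    return p ? *p : 0;
}

int main(void)
{
    size_t in_range = 3, out_of_range = 100;
    const uint8_t *p = &secret_table[1];
    printf("unfenced: idx=3 -> 0x%02x, idx=100 -> 0x%02x\n",
           lookup_unfenced(&in_range), lookup_unfenced(&out_of_range));
    printf("fenced  : idx=3 -> 0x%02x, idx=100 -> 0x%02x, *p -> 0x%02x\n",
           lookup_fenced(&in_range), lookup_fenced(&out_of_range), deref_fenced(&p));
    return 0;
}
```

Both variants return identical values; the difference is only visible in the transient domain. To see what the compiler flags do to a whole binary, build once plainly and once with `clang -O2 -mlvi-hardening` and compare `objdump -d a.out | grep -c lfence`, which is the same count the next slide reports for Intel's quoting enclave. Because every load gets a fence, the hardened build is noticeably slower on load-heavy code, which is the trade-off the Phoronix headline above refers to.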

#### Intel architectural enclaves: lfence counts

libsgx\_qe.signed.so

October 2019, "surgical precision": 23 fences

March 2020, "big hammer"

1. Universal attack primitives: Intel TDX, AMD SEV, ARM?
   $\rightarrow$ Adversary capabilities, hardware vs. software monitor, automation, etc.
2. Hardware extensions for next-gen TEEs: MSP430-Sancus, RISC-V
   $\rightarrow$ Provable security & limitations, availability, SMAP-like restrictions, etc.
3. Transparent shielding: Enclave runtime, compiler
   $\rightarrow$ Fuzzing, formal verification of the enclave interface
   $\rightarrow$ Compile-time hardening for *incremental* side-channel resistance
4. Towards transient safety: Redefining the hardware-software contract
   $\rightarrow$ Efficient containment of Spectre (long term) vs. LVI (short term)

