

## Deepen the Defenses: A Case for Microarchitectural Isolation

Jo Van Bulck

Cybersec Europe, FutureLab Stage, Brussels, May 11, 2022

imec-DistriNet, KU Leuven, Belgium | jo.vanbulck@cs.kuleuven.be | jovanbulck



- Postdoctoral researcher @imec-DistriNet, KU Leuven, Belgium
  - → PhD "Microarchitectural Side-Channel Attacks for Privileged Software Adversaries"
- Trust across the system stack: App > compiler > OS > CPU > µ-arch



Research topics:

- Side-channel analysis
- Transient-execution attacks (Intel x86 SGX)
- Embedded trust (TI MSP430)

**Hardware (noun.)** — The part of a computer that you can kick.

**Software (noun.)** — The reason you want to kick the hardware.

## Software Engineer vs Hardware Engineer

| | Software engineer | Hardware engineer |
|---|---|---|
| Job description | Develop, design and test software, or construct and maintain computer networks and programs | Research, develop and test hardware or computer equipment |
| Education | Software Engineering or Computer Science degree | Electrical & Computer Engineering degree |
| Skill sets | Technology design, complex problem solving, critical thinking, etc. | Technology design, complex problem solving, critical thinking, etc. |
| Salary | $107,840 | $112,760 |
| Number of jobs | >1,128,000 | >87,000 |

Source: ComputerCareers.org



#### Processor security: Hardware isolation mechanisms

- Different software protection domains: processes, VMs, enclaves
- CPU builds "walls" for memory isolation between apps and privilege levels
- But: **microarchitectural side channels** leak straight through these architectural protection walls!





#### Microarchitectural timing leaks in practice

**Cache principle:** CPU speed $\gg$ DRAM speed $\rightarrow$ keep recently used code/data in the cache

- Cache miss: request data from (slow) DRAM upon first use
- Cache hit: later accesses to the same line are served from the (fast) cache

→ The time an access takes reveals whether the line was cached, i.e. whether it was recently used.







#### Cache timing attacks in practice: Flush+Reload

Attacker and victim share a memory line (a shared library page, or a shared buffer in the covert-channel case). The attacker (1) flushes the line out of the cache, (2) waits while the victim runs, and (3) reloads the line and times the access: a fast reload means the victim touched the line in between, a slow one (served from DRAM) means it did not.

We can communicate across protection walls using microarchitectural side channels!
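As an added example that is not part of the original slides, here is the Flush+Reload primitive turned into a one-bit covert channel inside a single process: sender and receiver share a cache line, the sender touches it to signal a 1 and leaves it alone for a 0, and the receiver flushes, lets the sender run, then reloads and times the load. The calibration routine, the `TRIALS_PER_BIT` majority vote and all names are my assumptions; it needs an x86-64 CPU (`clflush`, `rdtsc`) and gcc or clang.

```c
/* Flush+Reload covert channel in a single process (added example, not from
 * the original slides). Sender and receiver share one cache line; the sender
 * touches it to signal a 1 and leaves it alone for a 0. The receiver flushes
 * the line, lets the sender run, then reloads it and times the load.
 * Requires an x86-64 CPU (clflush, rdtsc); build with: gcc -O2 fr.c -o fr */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <x86intrin.h>

#define TRIALS_PER_BIT 31   /* majority vote per bit; assumed value, raise on noisy hosts */
#define CALIB_SAMPLES 201

/* One whole page, so the probe line shares nothing with other data. */
static uint8_t shared_page[4096] __attribute__((aligned(4096)));
static volatile uint8_t *const probe = &shared_page[2048];

/* Time one load of *addr in cycles; lfence keeps rdtsc from being
 * reordered around the load. */
static inline uint64_t time_access(volatile uint8_t *addr)
{
    _mm_lfence();
    uint64_t start = __rdtsc();
    (void)*addr;
    _mm_lfence();
    uint64_t end = __rdtsc();
    return end - start;
}

/* Evict the probe line; mfence makes sure the flush has completed. */
static inline void flush_probe(void)
{
    _mm_clflush((const void *)probe);
    _mm_mfence();
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

static uint64_t median(uint64_t *v, size_t n)
{
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Hit/miss threshold for this machine: midpoint between the median cached
 * load and the median load right after a clflush. */
uint64_t calibrate_threshold(void)
{
    uint64_t hit[CALIB_SAMPLES], miss[CALIB_SAMPLES];
    for (int i = 0; i < CALIB_SAMPLES; i++) {
        (void)*probe;                 /* bring the line in ...          */
        hit[i] = time_access(probe);  /* ... and time a cached load     */
        flush_probe();
        miss[i] = time_access(probe); /* load now served from DRAM      */
    }
    return (median(hit, CALIB_SAMPLES) + median(miss, CALIB_SAMPLES)) / 2;
}

/* Sender side: access the shared line only when transmitting a 1. */
static void send_bit(int bit)
{
    if (bit)
        (void)*probe;
}

/* Receiver side: Flush, let the sender run, Reload and time. A fast reload
 * means the sender brought the line back. Majority vote over TRIALS_PER_BIT
 * probes absorbs interrupts and other timing noise. */
static int receive_bit(uint64_t threshold, int bit_being_sent)
{
    int fast = 0;
    for (int t = 0; t < TRIALS_PER_BIT; t++) {
        flush_probe();                       /* Flush                       */
        send_bit(bit_being_sent);            /* sender runs (another process in a real attack) */
        if (time_access(probe) < threshold)  /* Reload                      */
            fast++;
    }
    return fast > TRIALS_PER_BIT / 2;
}

/* Push one byte through the channel, MSB first; returns what was decoded. */
uint8_t transmit_byte(uint8_t value)
{
    uint64_t threshold = calibrate_threshold();
    uint8_t received = 0;
    for (int i = 7; i >= 0; i--)
        received = (uint8_t)((received << 1) | receive_bit(threshold, (value >> i) & 1));
    return received;
}

int main(void)
{
    uint8_t sent = 0xA5, got = transmit_byte(sent);
    printf("threshold %llu cycles, sent 0x%02X, received 0x%02X (%s)\n",
           (unsigned long long)calibrate_threshold(), sent, got,
           sent == got ? "ok" : "corrupted");
    return sent == got ? 0 : 1;
}
```

In a real attack the sender is a different process, VM or enclave that happens to touch a line the attacker can also map (a shared library, deduplicated page, or, with SGX, the attacker-controlled OS page); the receiver code stays exactly the same, which is why the protection walls do not help.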

# WHAT IF I TOLD YOU

# **YOU CAN CHANGE RULES MID-GAME**

#### Abusing out-of-order and speculative execution

Modern CPUs execute instructions out of order and speculate past unresolved branches and permission checks. When the prediction or the check turns out wrong, the architectural results are rolled back, but microarchitectural state (e.g. which cache lines were loaded) is not.

#### Transient-execution attacks: Welcome to the world of fun!

- Meltdown breaks user/kernel isolation
- Foreshadow breaks SGX enclave and virtual machine isolation
- Spectre breaks software-defined isolation on various levels
- ... many more, but all exploit the same underlying insights!



- Programmer *intention*: no out-of-bounds accesses
- **Mistrain gadget** to speculatively execute "ahead of time" with *idx* ≥ *LEN* in the transient world
- Side channels may leave traces after roll-back!
- Insert explicit **speculation barriers** to tell the CPU to halt the transient world...
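An added example, not from the slides: the classic Spectre-v1 bounds-check-bypass gadget next to two hardened versions, a speculation barrier (`lfence`, the kind of barrier the last bullet refers to) and the branchless index masking that the Linux kernel's `array_index_nospec()` uses. The victim layout, `LEN` and the function names are illustrative assumptions. Running it exercises the masking arithmetic; observing an actual transient leak additionally needs a trained branch predictor and a Flush+Reload receiver on `probe_array`.

```c
/* Spectre-v1 (bounds-check bypass) gadget with two hardened variants (added
 * example, not from the original slides; the victim layout, LEN and the
 * function names are illustrative assumptions). Build: gcc -O2 spectre.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define LEN 16

/* A struct guarantees that the "secret" sits directly behind array1, so an
 * index idx >= LEN reads secret bytes. */
struct victim_mem {
    uint8_t array1[LEN];
    char    secret[32];
};
static struct victim_mem mem = {
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
    "squeamish ossifrage"
};

/* 256 cache lines, one per possible byte value, a page apart so the
 * prefetcher does not touch neighbours. The transient load into this array
 * is what a Flush+Reload receiver would later probe. */
static uint8_t probe_array[256 * 4096];
static volatile uint8_t sink;

/* Vulnerable gadget. Architecturally the bounds check always holds: the
 * body never retires with idx >= LEN. Transiently, after the predictor has
 * been trained with in-bounds indices, the CPU may run the body before the
 * compare resolves, load mem.array1[idx] for idx >= LEN (a secret byte) and
 * leave probe_array[secret_byte * 4096] in the cache after roll-back. */
void gadget_vulnerable(size_t idx)
{
    if (idx < LEN)
        sink = probe_array[mem.array1[idx] * 4096];
}

/* Mitigation 1: speculation barrier. lfence does not complete until all
 * earlier instructions, including the compare, have, so the dependent
 * load cannot issue with a mispredicted idx. */
void gadget_lfence(size_t idx)
{
    if (idx < LEN) {
#if defined(__x86_64__) || defined(__i386__)
        _mm_lfence();
#endif
        sink = probe_array[mem.array1[idx] * 4096];
    }
}

/* Mitigation 2: branchless index masking, the idea behind the Linux
 * kernel's array_index_nospec(). Returns all ones when idx < size and zero
 * otherwise, with no branch the predictor could mistrain. Requires idx and
 * size to have their top bit clear. */
static inline size_t array_index_mask_nospec(size_t idx, size_t size)
{
    /* Keep the compiler from using its knowledge that idx < size on the
     * architectural path to fold the mask away. */
    __asm__("" : "+r"(idx));
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Clamp: an in-bounds idx is returned unchanged, anything else becomes 0,
 * also on a mispredicted path. */
size_t safe_index(size_t idx, size_t size)
{
    return idx & array_index_mask_nospec(idx, size);
}

void gadget_masked(size_t idx)
{
    if (idx < LEN) {
        idx = safe_index(idx, LEN);   /* transient idx >= LEN reads array1[0] */
        sink = probe_array[mem.array1[idx] * 4096];
    }
}

int main(void)
{
    size_t tests[] = { 0, LEN - 1, LEN, 1000 };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("idx %4zu -> mask 0x%016zx, clamped %zu\n", tests[i],
               array_index_mask_nospec(tests[i], LEN), safe_index(tests[i], LEN));
    gadget_vulnerable(3);
    gadget_lfence(3);
    gadget_masked(3);
    return 0;
}
```

The barrier variant costs a pipeline drain at every protected branch; the mask variant is a handful of ALU instructions and no drain, which is why the kernel prefers it for hot paths such as system-call dispatch.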



## SHARING IS NOT CARING

# **SHARING IS LOSING YOUR STUFF TO OTHERS**


#### A new golden age for computer architecture?



#### Conclusions and take-away

Hardware + software patches: update your systems!

- ⇒ New, emerging and powerful class of transient-execution attacks
- ⇒ Importance of fundamental **side-channel research**; no silver-bullet defenses
- ⇒ Security **cross-cuts** the system stack: hardware, OS, VMM, compiler, app

