armageddon - black hat briefings · motivation safe software infrastructure does not mean safe...
TRANSCRIPT
![Page 1: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/1.jpg)
ARMageddon
How Your Smartphone CPU Breaks Software-Level
Security And Privacy
Moritz Lipp and Clementine Maurice
November 3, 2016—Black Hat Europe
![Page 2: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/2.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 3: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/3.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 4: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/4.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 5: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/5.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 6: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/6.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 7: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/7.jpg)
Motivation
• Safe software infrastructure does not mean safe execution
• Information leaks because of the underlying hardware
• We focus on the CPU cache
• Cache attacks can be used for covert communications and
attack crypto implementations
• Only been demonstrated on Intel x86 for now
• But why not on ARM?
2
![Page 8: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/8.jpg)
Who We Are
![Page 9: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/9.jpg)
Who We Are
• Moritz Lipp
• Master Student, Graz University Of Technology
• 7 @mlqxyz
3
![Page 10: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/10.jpg)
Who We Are
• Clementine Maurice
• PhD in InfoSec; Postdoc, Graz University Of Technology
• 7 @BloodyTangerine
4
![Page 11: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/11.jpg)
The rest of the team
The rest of the research team
• Daniel Gruss
• Raphael Spreitzer
• Stefan Mangard
From Graz University of Technology
5
![Page 12: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/12.jpg)
Demo
6
![Page 13: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/13.jpg)
Outline
• Background information
• What are the challenges for cache attacks on ARM?
• How to solve those challenges
• Attack scenarios
• Tools
7
![Page 14: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/14.jpg)
Outline
• Background information
• What are the challenges for cache attacks on ARM?
• How to solve those challenges
• Attack scenarios
• Tools
7
![Page 15: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/15.jpg)
Outline
• Background information
• What are the challenges for cache attacks on ARM?
• How to solve those challenges
• Attack scenarios
• Tools
7
![Page 16: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/16.jpg)
Outline
• Background information
• What are the challenges for cache attacks on ARM?
• How to solve those challenges
• Attack scenarios
• Tools
7
![Page 17: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/17.jpg)
Outline
• Background information
• What are the challenges for cache attacks on ARM?
• How to solve those challenges
• Attack scenarios
• Tools
7
![Page 18: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/18.jpg)
Cache Attacks
![Page 19: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/19.jpg)
Memory Hierarchy
CPU Registers L1 Cache L2 Cache Memory Disk storage
• Data can reside in
• CPU registers
• Different levels of the CPU cache
• Main memory
• Disk storage
8
![Page 20: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/20.jpg)
Memory Hierarchy
CPU Registers L1 Cache L2 Cache Memory Disk storage
• Data can reside in
• CPU registers
• Different levels of the CPU cache
• Main memory
• Disk storage
8
![Page 21: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/21.jpg)
Memory Hierarchy
CPU Registers L1 Cache L2 Cache Memory Disk storage
• Data can reside in
• CPU registers
• Different levels of the CPU cache
• Main memory
• Disk storage
8
![Page 22: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/22.jpg)
Memory Hierarchy
CPU Registers L1 Cache L2 Cache Memory Disk storage
• Data can reside in
• CPU registers
• Different levels of the CPU cache
• Main memory
• Disk storage
8
![Page 23: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/23.jpg)
Memory Hierarchy
CPU Registers L1 Cache L2 Cache Memory Disk storage
• Data can reside in
• CPU registers
• Different levels of the CPU cache
• Main memory
• Disk storage
8
![Page 24: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/24.jpg)
Cache Attacks
• Exploit timing differences of memory accesses:
• cache → fast (cache hit)
• main memory → slow (cache miss)
0 200 400 600 800 1,000 1,200
1
2
3
·104
Measured access time (CPU cycles)
Nu
mb
erof
acce
sses
Cache hit
Cache miss
9
![Page 25: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/25.jpg)
Cache Attacks
• Exploit timing differences of memory accesses:• cache → fast (cache hit)
• main memory → slow (cache miss)
0 200 400 600 800 1,000 1,200
1
2
3
·104
Measured access time (CPU cycles)
Nu
mb
erof
acce
sses
Cache hit
Cache miss
9
![Page 26: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/26.jpg)
Cache Attacks
• Exploit timing differences of memory accesses:• cache → fast (cache hit)
• main memory → slow (cache miss)
0 200 400 600 800 1,000 1,200
1
2
3
·104
Measured access time (CPU cycles)
Nu
mb
erof
acce
sses
Cache hit
Cache miss
9
![Page 27: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/27.jpg)
Cache Attacks
• Exploit timing differences of memory accesses:• cache → fast (cache hit)
• main memory → slow (cache miss)
0 200 400 600 800 1,000 1,200
1
2
3
·104
Measured access time (CPU cycles)
Nu
mb
erof
acce
sses
Cache hit
Cache miss
9
![Page 28: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/28.jpg)
Set-Associative Caches
0 16 17 25 26 31
Index OffsetAddress
Cache
10
![Page 29: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/29.jpg)
Set-Associative Caches
0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
Data loaded in a specific set depending on its address
10
![Page 30: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/30.jpg)
Set-Associative Caches
0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
way 0 way 3
Data loaded in a specific set depending on its address
Several ways per set
10
![Page 31: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/31.jpg)
Set-Associative Caches
0 16 17 25 26 31
Index OffsetAddress
Cache
Cache set
way 0 way 3
Cache line
Data loaded in a specific set depending on its address
Several ways per set
Cache line loaded in a specific way depending on the replacement policy
10
![Page 32: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/32.jpg)
Cache Attacks: Flush+Reload
Victim address space Cache Attacker address space
Step 1: Attacker maps shared library (shared memory, in cache)
11
![Page 33: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/33.jpg)
Cache Attacks: Flush+Reload
Victim address space Cache Attacker address space
Step 1: Attacker maps shared library (shared memory, in cache)
cached cached
11
![Page 34: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/34.jpg)
Cache Attacks: Flush+Reload
Victim address space Cache Attacker address space
Step 1: Attacker maps shared library (shared memory, in cache)
flushes
Step 2: Attacker flushes the shared cache line
11
![Page 35: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/35.jpg)
Cache Attacks: Flush+Reload
Victim address space Cache Attacker address space
Step 1: Attacker maps shared library (shared memory, in cache)
Step 2: Attacker flushes the shared cache line
loads data
Step 3: Victim loads the data
11
![Page 36: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/36.jpg)
Cache Attacks: Flush+Reload
Victim address space Cache Attacker address space
Step 1: Attacker maps shared library (shared memory, in cache)
Step 2: Attacker flushes the shared cache line
Step 3: Victim loads the data
reloads data
Step 4: Attacker reloads the data
11
![Page 37: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/37.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
12
![Page 38: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/38.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
12
![Page 39: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/39.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
loads data
12
![Page 40: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/40.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
loads data
12
![Page 41: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/41.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
Step 3: Attacker probes data to determine if set has been accessed
fast access
12
![Page 42: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/42.jpg)
Cache Attacks: Prime+Probe
Victim address space Cache Attacker address space
Step 1: Attacker primes, i.e., fills, the cache (no shared memory)
Step 2: Victim evicts cache lines while running
Step 3: Attacker probes data to determine if set has been accessed
slow access
12
![Page 43: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/43.jpg)
Differences between Intel x86 and
ARM
![Page 44: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/44.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 45: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/45.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 46: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/46.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 47: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/47.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 48: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/48.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 49: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/49.jpg)
Cache maintenance
• Basic operation for cache attacks: invalidate cache lines
• Cache maintenance instructions
• Intel x86: Unprivileged clflush instruction
• ARMv7-A: Only privileged cache maintenance instructions
• ARMv8-A: Privileged instructions can be unlocked for
userspace
Challenge #1
No flush instruction
13
![Page 50: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/50.jpg)
Cache eviction
• Fill the whole cache
→ too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set
→ Ideal case with LRU replacement policy
14
![Page 51: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/51.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set
→ Ideal case with LRU replacement policy
14
![Page 52: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/52.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4
→ Ideal case with LRU replacement policy
14
![Page 53: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/53.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4
load
9
→ Ideal case with LRU replacement policy
14
![Page 54: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/54.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 49
load
10
→ Ideal case with LRU replacement policy
14
![Page 55: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/55.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910
load
11
→ Ideal case with LRU replacement policy
14
![Page 56: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/56.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11
load
12
→ Ideal case with LRU replacement policy
14
![Page 57: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/57.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11 12
load
13
→ Ideal case with LRU replacement policy
14
![Page 58: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/58.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11 1213
load
14
→ Ideal case with LRU replacement policy
14
![Page 59: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/59.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11 1213 14
load
15
→ Ideal case with LRU replacement policy
14
![Page 60: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/60.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11 1213 1415
load
16
→ Ideal case with LRU replacement policy
14
![Page 61: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/61.jpg)
Cache eviction
• Fill the whole cache → too slow
• Fill a specific cache set
• Until the target address is evicted from the cache
cache set 2 5 8 1 7 6 3 4910 11 1213 141516
→ Ideal case with LRU replacement policy
14
![Page 62: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/62.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 63: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/63.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4
load
9
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 64: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/64.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 49
load
10
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 65: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/65.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910
load
11
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 66: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/66.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 11
load
12
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 67: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/67.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112
load
13
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 68: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/68.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112 13
load
14
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 69: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/69.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112 1314
load
15
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 70: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/70.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112 1314 15
load
16
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 71: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/71.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112 1314 1516
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 72: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/72.jpg)
Cache eviction (what actually happens)
• Pseudo-random cache replacement policy
cache set 2 5 8 1 7 6 3 4910 1112 1314 1516
→ Simple approach highly inefficient
Challenge #2
Pseudo-random replacement policy complicates eviction
15
![Page 73: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/73.jpg)
Timing measurements
• Need fine-grained timing measurements
• Intel x86: Unprivileged rdtsc instruction for cycle count
• ARM: Cycle counter only in privileged mode
→ Previous attacks required root access
Challenge #3
No unprivileged and accurate timing sources
16
![Page 74: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/74.jpg)
Timing measurements
• Need fine-grained timing measurements
• Intel x86: Unprivileged rdtsc instruction for cycle count
• ARM: Cycle counter only in privileged mode
→ Previous attacks required root access
Challenge #3
No unprivileged and accurate timing sources
16
![Page 75: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/75.jpg)
Timing measurements
• Need fine-grained timing measurements
• Intel x86: Unprivileged rdtsc instruction for cycle count
• ARM: Cycle counter only in privileged mode
→ Previous attacks required root access
Challenge #3
No unprivileged and accurate timing sources
16
![Page 76: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/76.jpg)
Timing measurements
• Need fine-grained timing measurements
• Intel x86: Unprivileged rdtsc instruction for cycle count
• ARM: Cycle counter only in privileged mode
→ Previous attacks required root access
Challenge #3
No unprivileged and accurate timing sources
16
![Page 77: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/77.jpg)
Timing measurements
• Need fine-grained timing measurements
• Intel x86: Unprivileged rdtsc instruction for cycle count
• ARM: Cycle counter only in privileged mode
→ Previous attacks required root access
Challenge #3
No unprivileged and accurate timing sources
16
![Page 78: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/78.jpg)
Cache Hierarchy on Intel CPUs
Core 0
L1 I-Cache L1 D-Cache
L2 Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
Core 2
L1 I-Cache L1 D-Cache
L2 Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
L3 Cache
• Last-level cache: L3
• shared
• inclusive
→ Shared memory is shared in the cache across all cores
17
![Page 79: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/79.jpg)
Cache Hierarchy on Intel CPUs
Core 0
L1 I-Cache L1 D-Cache
L2 Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
Core 2
L1 I-Cache L1 D-Cache
L2 Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
L3 Cache
• Last-level cache: L3
• shared
• inclusive
→ Shared memory is shared in the cache across all cores
17
![Page 80: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/80.jpg)
Cache Hierarchy on Intel CPUs
Core 0
L1 I-Cache L1 D-Cache
L2 Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
Core 2
L1 I-Cache L1 D-Cache
L2 Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
L3 Cache
• Last-level cache: L3
• shared
• inclusive
→ Shared memory is shared in the cache across all cores
17
![Page 81: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/81.jpg)
Cache Hierarchy on Intel CPUs
Core 0
L1 I-Cache L1 D-Cache
L2 Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
Core 2
L1 I-Cache L1 D-Cache
L2 Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
L3 Cache
• Last-level cache: L3
• shared
• inclusive
→ Shared memory is shared in the cache across all cores
17
![Page 82: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/82.jpg)
Cache Hierarchy on ARM Cortex-A CPUs
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
Core 2
L1 I-Cache L1 D-Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
• Last-level cache: L2
• shared
• not inclusive
→ Shared memory that is not in L2 is not shared in the cache.
Challenge #4
Non-inclusive caches
18
![Page 83: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/83.jpg)
Cache Hierarchy on ARM Cortex-A CPUs
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
Core 2
L1 I-Cache L1 D-Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
• Last-level cache: L2• shared
• not inclusive
→ Shared memory that is not in L2 is not shared in the cache.
Challenge #4
Non-inclusive caches
18
![Page 84: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/84.jpg)
Cache Hierarchy on ARM Cortex-A CPUs
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
Core 2
L1 I-Cache L1 D-Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
• Last-level cache: L2• shared
• not inclusive
→ Shared memory that is not in L2 is not shared in the cache.
Challenge #4
Non-inclusive caches
18
![Page 85: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/85.jpg)
Cache Hierarchy on ARM Cortex-A CPUs
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
Core 2
L1 I-Cache L1 D-Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
• Last-level cache: L2• shared
• not inclusive
→ Shared memory that is not in L2 is not shared in the cache.
Challenge #4
Non-inclusive caches
18
![Page 86: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/86.jpg)
Cache Hierarchy on ARM Cortex-A CPUs
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
Core 2
L1 I-Cache L1 D-Cache
Core 3
L1 I-Cache L1 D-Cache
L2 Cache
• Last-level cache: L2• shared
• not inclusive
→ Shared memory that is not in L2 is not shared in the cache.
Challenge #4
Non-inclusive caches
18
![Page 87: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/87.jpg)
Cache Hierarchy on ARM big.LITTLE
CPU1 CPU2
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
CoreLink CCI-400
• Interconnects multiple CPUs to combine energy efficiency and
performance
• CPUs do not share a cache
Challenge #5
No shared cache
19
![Page 88: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/88.jpg)
Cache Hierarchy on ARM big.LITTLE
CPU1 CPU2
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
CoreLink CCI-400
• Interconnects multiple CPUs to combine energy efficiency and
performance
• CPUs do not share a cache
Challenge #5
No shared cache
19
![Page 89: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/89.jpg)
Cache Hierarchy on ARM big.LITTLE
CPU1 CPU2
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
Core 0L1I L1D
Core 1L1I L1D
Core 2L1I L1D
Core 3L1I L1D
L2 Cache
CoreLink CCI-400
• Interconnects multiple CPUs to combine energy efficiency and
performance
• CPUs do not share a cache
Challenge #5
No shared cache
19
![Page 90: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/90.jpg)
Let’s solve those challenges
![Page 91: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/91.jpg)
Challenges
Challenge #1 No flush instruction
Challenge #2 Pseudo-random replacement policy
Challenge #3 No unprivileged timing
Challenge #4 Non-inclusive caches
Challenge #5 No shared cache
20
![Page 92: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/92.jpg)
Solving #1: No flush instruction
• Replace the missing flush instruction with cache eviction
• Works on Intel x86
• Prime+Probe
• Flush+Reload → Evict+Reload
21
![Page 93: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/93.jpg)
Solving #1: No flush instruction
• Replace the missing flush instruction with cache eviction
• Works on Intel x86
• Prime+Probe
• Flush+Reload → Evict+Reload
21
![Page 94: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/94.jpg)
Solving #1: No flush instruction
• Replace the missing flush instruction with cache eviction
• Works on Intel x86
• Prime+Probe
• Flush+Reload → Evict+Reload
21
![Page 95: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/95.jpg)
Challenges
Challenge #1 No flush instruction Ë
Challenge #2 Pseudo-random replacement policy
Challenge #3 No unprivileged timing
Challenge #4 Non-inclusive caches
Challenge #5 No shared cache
22
![Page 96: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/96.jpg)
Challenges
23
![Page 97: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/97.jpg)
Challenges
• No.
• Eviction can be slow and unreliable. . .
• Unless you know how to properly evict data
→ Central idea of our Rowhammer.js paper
24
![Page 98: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/98.jpg)
Challenges
• No.
• Eviction can be slow and unreliable. . .
• Unless you know how to properly evict data
→ Central idea of our Rowhammer.js paper
24
![Page 99: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/99.jpg)
Challenges
• No.
• Eviction can be slow and unreliable. . .
• Unless you know how to properly evict data
→ Central idea of our Rowhammer.js paper
24
![Page 100: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/100.jpg)
Challenges
• No.
• Eviction can be slow and unreliable. . .
• Unless you know how to properly evict data
→ Central idea of our Rowhammer.js paper
24
![Page 101: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/101.jpg)
Solving #2: Pseudo-random replacement policy
• Cache line to be discarded is chosen pseudo-randomly
• Accessing once n addresses in an n-way cache set
→ Cache eviction slow and unreliable
Solution:
• Accessing unique addresses several times, with different access
patterns
25
![Page 102: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/102.jpg)
Solving #2: Pseudo-random replacement policy
• Cache line to be discarded is chosen pseudo-randomly
• Accessing once n addresses in an n-way cache set
→ Cache eviction slow and unreliable
Solution:
• Accessing unique addresses several times, with different access
patterns
25
![Page 103: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/103.jpg)
Solving #2: Pseudo-random replacement policy
• Cache line to be discarded is chosen pseudo-randomly
• Accessing once n addresses in an n-way cache set
→ Cache eviction slow and unreliable
Solution:
• Accessing unique addresses several times, with different access
patterns
25
![Page 104: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/104.jpg)
Solving #2: Pseudo-random replacement policy
• Cache line to be discarded is chosen pseudo-randomly
• Accessing once n addresses in an n-way cache set
→ Cache eviction slow and unreliable
Solution:
• Accessing unique addresses several times, with different access
patterns
25
![Page 105: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/105.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 106: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/106.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 107: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/107.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 108: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/108.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 109: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/109.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 110: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/110.jpg)
Solving #2: Pseudo-random replacement policy
Table 1: Different eviction strategies for the Alcatel One Touch Pop 2
Addresses Accesses Cycles Eviction rate
48 48 6 517 3 70.78% 7
200 200 33 110 7 96.04% 7
800 800 142 876 7 99.10% 3
21 96 4 275 3 99.93% 3
22 102 5 101 3 99.99% 3
23 190 6 209 3 100.0% 3
26
![Page 111: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/111.jpg)
Solving #2: Pseudo-random replacement policy
• We fully automated this process
• Compile target executable with generated eviction strategy
• Execute on target device
• Evaluate log files and build result database
• Find fast and efficient eviction strategies for any device
27
![Page 112: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/112.jpg)
Solving #2: Pseudo-random replacement policy
• We fully automated this process
• Compile target executable with generated eviction strategy
• Execute on target device
• Evaluate log files and build result database
• Find fast and efficient eviction strategies for any device
27
![Page 113: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/113.jpg)
Solving #2: Pseudo-random replacement policy
• We fully automated this process
• Compile target executable with generated eviction strategy
• Execute on target device
• Evaluate log files and build result database
• Find fast and efficient eviction strategies for any device
27
![Page 114: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/114.jpg)
Solving #2: Pseudo-random replacement policy
• We fully automated this process
• Compile target executable with generated eviction strategy
• Execute on target device
• Evaluate log files and build result database
• Find fast and efficient eviction strategies for any device
27
![Page 115: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/115.jpg)
Solving #2: Pseudo-random replacement policy
• We fully automated this process
• Compile target executable with generated eviction strategy
• Execute on target device
• Evaluate log files and build result database
• Find fast and efficient eviction strategies for any device
27
![Page 116: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/116.jpg)
Solving #2: Pseudo-random replacement policy
Evict+Reload
0 50 100 150 200 250 3000
2
4
·104
Measured access time in cycles
Number
ofaccesses
Victim access No victim access
Prime+Probe
1,600 1,800 2,000 2,200 2,400 2,600 2,800 3,000 3,200 3,400
2
4
6
·103
Measured access time in cycles
Number
ofaccesses
Victim access No victim access
28
![Page 117: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/117.jpg)
Solving #2: Pseudo-random replacement policy
Evict+Reload
0 50 100 150 200 250 3000
2
4
·104
Measured access time in cycles
Number
ofaccesses
Victim access No victim access
Prime+Probe
1,600 1,800 2,000 2,200 2,400 2,600 2,800 3,000 3,200 3,400
2
4
6
·103
Measured access time in cycles
Number
ofaccesses
Victim access No victim access
28
![Page 118: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/118.jpg)
Challenges
Challenge #1 No flush instruction Ë
Challenge #2 Pseudo-random replacement policy Ë
Challenge #3 No unprivileged timing
Challenge #4 Non-inclusive caches
Challenge #5 No shared cache
29
![Page 119: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/119.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 120: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/120.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 121: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/121.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 122: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/122.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 123: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/123.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 124: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/124.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 125: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/125.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 126: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/126.jpg)
Solving #3: No unprivileged timing
1. Performance counter: Privileged
2. perf event open: Unprivileged syscall
• Unavailable on new devices: Privileged or kernel compiled with
CONFIG PERF=n
3. clock gettime: Unprivileged POSIX function
4. Thread counter: Unprivileged, multithreaded
• Unprivileged timing sources
• Nanosecond resolution for all sources
→ Allows distinguishing cache hits from cache misses
30
![Page 127: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/127.jpg)
Solving #3: No unprivileged timing
0 20 40 60 80 100 120 140 160 180 2000
2
4
·104
Measured access time (scaled)
Nu
mb
erof
acce
sses
Hit (PMCCNTR) Hit (clock gettime×.15)Miss (PMCCNTR) Miss (clock gettime×.15)Hit (syscall×.25) Hit (counter thread×.05)Miss (syscall×.25) Miss (counter thread×.05)
31
![Page 128: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/128.jpg)
Challenges
Challenge #1 No flush instruction Ë
Challenge #2 Pseudo-random replacement policy Ë
Challenge #3 No unprivileged timing Ë
Challenge #4 Non-inclusive caches
Challenge #5 No shared cache
32
![Page 129: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/129.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 130: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/130.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 131: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/131.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 132: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/132.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 133: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/133.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 134: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/134.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 135: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/135.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 136: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/136.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 137: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/137.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 138: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/138.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 139: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/139.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 140: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/140.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 141: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/141.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 142: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/142.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 143: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/143.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 144: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/144.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 145: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/145.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 146: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/146.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 147: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/147.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 148: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/148.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L1
33
![Page 149: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/149.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L133
![Page 150: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/150.jpg)
Solving #4: Non-inclusive caches
Core 0
L1 I-Cache L1 D-Cache
Core 1
L1 I-Cache L1 D-Cache
L2 Cache
• Instruction-inclusive, data-non-inclusive caches
• Fill-up L1 D-Cache and begin to populate shared L2 Cache
• Inclusion: Line evicted from L2 → also evicted from L133
![Page 151: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/151.jpg)
Solving #4: Non-inclusive caches
• How can we determine if the victim has loaded the address?
• Cache coherency protocol• Fetches data from remote cores
• Remote cache hit is faster than DRAM access
→ Detect if another core has accessed the memory location
0 100 200 300 400 500 600 700 800 900 1,0000
1
2
3·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-core)
Miss (same core) Miss (cross-core)
34
![Page 152: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/152.jpg)
Solving #4: Non-inclusive caches
• How can we determine if the victim has loaded the address?• Cache coherency protocol
• Fetches data from remote cores
• Remote cache hit is faster than DRAM access
→ Detect if another core has accessed the memory location
0 100 200 300 400 500 600 700 800 900 1,0000
1
2
3·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-core)
Miss (same core) Miss (cross-core)
34
![Page 153: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/153.jpg)
Solving #4: Non-inclusive caches
• How can we determine if the victim has loaded the address?• Cache coherency protocol
• Fetches data from remote cores
• Remote cache hit is faster than DRAM access
→ Detect if another core has accessed the memory location
0 100 200 300 400 500 600 700 800 900 1,0000
1
2
3·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-core)
Miss (same core) Miss (cross-core)
34
![Page 154: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/154.jpg)
Solving #4: Non-inclusive caches
• How can we determine if the victim has loaded the address?• Cache coherency protocol
• Fetches data from remote cores
• Remote cache hit is faster than DRAM access
→ Detect if another core has accessed the memory location
0 100 200 300 400 500 600 700 800 900 1,0000
1
2
3·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-core)
Miss (same core) Miss (cross-core)
34
![Page 155: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/155.jpg)
Solving #4: Non-inclusive caches
• How can we determine if the victim has loaded the address?• Cache coherency protocol
• Fetches data from remote cores
• Remote cache hit is faster than DRAM access
→ Detect if another core has accessed the memory location
0 100 200 300 400 500 600 700 800 900 1,0000
1
2
3·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-core)
Miss (same core) Miss (cross-core)
34
![Page 156: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/156.jpg)
Challenges
Challenge #1 No flush instruction Ë
Challenge #2 Pseudo-random replacement policy Ë
Challenge #3 No unprivileged timing Ë
Challenge #4 Non-inclusive caches Ë
Challenge #5 No shared cache
35
![Page 157: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/157.jpg)
Solving #5: No shared cache
• Multiple CPUs that do not share a cache
• Cache coherency protocol (again)• Fetches data from remote CPU
• Remote cache hit is faster than DRAM access
0 50 100 150 200 250 300 350 400 450 5000
1
2
3
·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-cpu)
Miss (same core) Miss (cross-cpu)
36
![Page 158: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/158.jpg)
Solving #5: No shared cache
• Multiple CPUs that do not share a cache• Cache coherency protocol (again)
• Fetches data from remote CPU
• Remote cache hit is faster than DRAM access
0 50 100 150 200 250 300 350 400 450 5000
1
2
3
·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-cpu)
Miss (same core) Miss (cross-cpu)
36
![Page 159: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/159.jpg)
Solving #5: No shared cache
• Multiple CPUs that do not share a cache• Cache coherency protocol (again)
• Fetches data from remote CPU
• Remote cache hit is faster than DRAM access
0 50 100 150 200 250 300 350 400 450 5000
1
2
3
·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-cpu)
Miss (same core) Miss (cross-cpu)
36
![Page 160: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/160.jpg)
Solving #5: No shared cache
• Multiple CPUs that do not share a cache• Cache coherency protocol (again)
• Fetches data from remote CPU
• Remote cache hit is faster than DRAM access
0 50 100 150 200 250 300 350 400 450 5000
1
2
3
·104
Measured access time in cycles
Number
ofaccesses
Hit (same core) Hit (cross-cpu)
Miss (same core) Miss (cross-cpu)
36
![Page 161: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/161.jpg)
Challenges
Challenge #1 No flush instruction Ë
Challenge #2 Pseudo-random replacement policy Ë
Challenge #3 No unprivileged timing Ë
Challenge #4 Non-inclusive caches Ë
Challenge #5 No shared cache Ë
37
![Page 162: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/162.jpg)
Attack scenarios
![Page 163: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/163.jpg)
Case study #1
Covert communication
38
![Page 164: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/164.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app
• No permissions except accessing your images
• Malicious weather widget
• No permissions except accessing the Internet
39
![Page 165: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/165.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget
• No permissions except accessing the Internet
39
![Page 166: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/166.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget
• No permissions except accessing the Internet
39
![Page 167: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/167.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget• No permissions except accessing the Internet
39
![Page 168: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/168.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget• No permissions except accessing the Internet
covert
channel
39
![Page 169: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/169.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget• No permissions except accessing the Internet
covert
channel
39
![Page 170: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/170.jpg)
Case Study #1: Covert Channel
• Malicious privacy gallery app• No permissions except accessing your images
• Malicious weather widget• No permissions except accessing the Internet
covert
channel
39
![Page 171: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/171.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 172: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/172.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 173: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/173.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 174: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/174.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 175: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/175.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 176: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/176.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 177: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/177.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 178: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/178.jpg)
Case Study #1: Covert Channel
• Two apps want to communicate with each other, but are notallowed or not able to do so
• No permissions
• No Intents, Binders, ASHMEM, . . .
• A covert channel
• Enables two unprivileged apps to communicate
• Does not use data transfer mechanisms provided by the OS
• Evades the sandboxing concept and permission system
→ Collusion attack
40
![Page 179: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/179.jpg)
Case Study #1: Covert Channel
• Build a covert channel using the cache
• Using addresses from a shared library/executable
• Bits transmitted with cache hits and misses
• Transmit 0: Do not access the address → cache miss
• Transmit 1: Access the address → cache hit
41
![Page 180: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/180.jpg)
Case Study #1: Covert Channel
• Build a covert channel using the cache
• Using addresses from a shared library/executable
• Bits transmitted with cache hits and misses
• Transmit 0: Do not access the address → cache miss
• Transmit 1: Access the address → cache hit
41
![Page 181: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/181.jpg)
Case Study #1: Covert Channel
• Build a covert channel using the cache
• Using addresses from a shared library/executable
• Bits transmitted with cache hits and misses
• Transmit 0: Do not access the address → cache miss
• Transmit 1: Access the address → cache hit
41
![Page 182: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/182.jpg)
Case Study #1: Covert Channel
• Build a covert channel using the cache
• Using addresses from a shared library/executable
• Bits transmitted with cache hits and misses
• Transmit 0: Do not access the address → cache miss
• Transmit 1: Access the address → cache hit
41
![Page 183: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/183.jpg)
Case Study #1: Covert Channel
• Build a covert channel using the cache
• Using addresses from a shared library/executable
• Bits transmitted with cache hits and misses
• Transmit 0: Do not access the address → cache miss
• Transmit 1: Access the address → cache hit
41
![Page 184: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/184.jpg)
Case Study #1: Covert Channel
• Build a protocol based on packets
• Use a sequence number (SQN)
• Protect payload and sequence number with a checksum
078232431
Sender SQN Payload CRC
02310
Receiver SQN CRC
42
![Page 185: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/185.jpg)
Case Study #1: Covert Channel
• Build a protocol based on packets
• Use a sequence number (SQN)
• Protect payload and sequence number with a checksum
078232431
Sender SQN Payload CRC
02310
Receiver SQN CRC
42
![Page 186: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/186.jpg)
Case Study #1: Covert Channel
• Build a protocol based on packets
• Use a sequence number (SQN)
• Protect payload and sequence number with a checksum
078232431
Sender SQN Payload CRC
02310
Receiver SQN CRC
42
![Page 187: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/187.jpg)
Case Study #1: Covert Channel
• Works using Flush+Reload, Evict+Reload and Flush+Flush
• Works cross-core and cross-CPU
• Faster than state of the art by several orders of magnitude
Work Type Bandwidth [bps] Error rate
43
![Page 188: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/188.jpg)
Case Study #1: Covert Channel
• Works using Flush+Reload, Evict+Reload and Flush+Flush
• Works cross-core and cross-CPU
• Faster than state of the art by several orders of magnitude
Work Type Bandwidth [bps] Error rate
43
![Page 189: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/189.jpg)
Case Study #1: Covert Channel
• Works using Flush+Reload, Evict+Reload and Flush+Flush
• Works cross-core and cross-CPU
• Faster than state of the art by several orders of magnitude
Work Type Bandwidth [bps] Error rate
43
![Page 190: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/190.jpg)
Case Study #1: Covert Channel
• Works using Flush+Reload, Evict+Reload and Flush+Flush
• Works cross-core and cross-CPU
• Faster than state of the art by several orders of magnitude
Work Type Bandwidth [bps] Error rate
Schlegel et al. Vibration settings 87 –
Schlegel et al. Volume settings 150 –
Schlegel et al. File locks 685 –
Marforio et al. UNIX socket discovery 2 600 –
Marforio et al. Type of Intents 4 300 –
43
![Page 191: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/191.jpg)
Case Study #1: Covert Channel
• Works using Flush+Reload, Evict+Reload and Flush+Flush
• Works cross-core and cross-CPU
• Faster than state of the art by several orders of magnitude
Work Type Bandwidth [bps] Error rate
Schlegel et al. Vibration settings 87 –
Schlegel et al. Volume settings 150 –
Schlegel et al. File locks 685 –
Marforio et al. UNIX socket discovery 2 600 –
Marforio et al. Type of Intents 4 300 –
Ours (OnePlus One) Evict+Reload, cross-core 12 537 5.00%
Ours (Alcatel One Touch Pop 2) Evict+Reload, cross-core 13 618 3.79%
Ours (Samsung Galaxy S6) Flush+Flush, cross-core 178 292 0.48%
Ours (Samsung Galaxy S6) Flush+Reload, cross-CPU 257 509 1.83%
Ours (Samsung Galaxy S6) Flush+Reload, cross-core 1 140 650 1.10%
43
![Page 192: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/192.jpg)
Case study #2
Spying on the user
44
![Page 193: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/193.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 194: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/194.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 195: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/195.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 196: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/196.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 197: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/197.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 198: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/198.jpg)
Case Study #2: Spying on the User
• Issue: Locating event-dependent memory access
→ Cache Template Attacks
1. Shared library or executable is mapped
2. Trigger an event in parallel and Flush+Reload one address
→ Cache hit: Address used by the library/executable
3. Repeat step 2 for every address
45
![Page 199: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/199.jpg)
Case Study #2: Spying on the User
• Cache template matrix
= How many cache hits for each pair (event, address)?
• On shared library and ART binaries, e.g., AOSP keyboard
0x41500
0x45140
0x56940
0x57280
0x58480
0x60280
0x60340
0x60580
0x66340
0x66380
0x72300
0x72340
0x72380
0x78440
0x98600
A ddresses
backspace
space
enter
alphabet
Input
46
![Page 200: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/200.jpg)
Case Study #2: Spying on the User
• Cache template matrix
= How many cache hits for each pair (event, address)?
• On shared library and ART binaries, e.g., AOSP keyboard
0x41500
0x45140
0x56940
0x57280
0x58480
0x60280
0x60340
0x60580
0x66340
0x66380
0x72300
0x72340
0x72380
0x78440
0x98600
A ddresses
backspace
space
enter
alphabet
Input
Many cache hits
46
![Page 201: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/201.jpg)
Case Study #2: Spying on the User
• Cache template matrix
= How many cache hits for each pair (event, address)?
• On shared library and ART binaries, e.g., AOSP keyboard
0x41500
0x45140
0x56940
0x57280
0x58480
0x60280
0x60340
0x60580
0x66340
0x66380
0x72300
0x72340
0x72380
0x78440
0x98600
A ddresses
backspace
space
enter
alphabet
Input
Many cache hits
No cache hits
46
![Page 202: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/202.jpg)
Case Study #2: Spying on the User
Evict+Reload on two addresses on the Alcatel One Touch Pop 2 in
custpack@app@[email protected]@classes.dex
→ Differentiate keys from spaces
0 1 2 3 4 5 6 7
100
200
300
t h i s Space i s Space a Space m e s s a g e
Time in seconds
Accesstime
Key
Space
47
![Page 203: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/203.jpg)
Case Study #2: Spying on the User
• Endless possibilities
• Scan all the libraries
• Find all secret-dependent accesses and automate attacks
• No need for source code
• Spy and learn about user’s behavior
48
![Page 204: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/204.jpg)
Case Study #2: Spying on the User
• Endless possibilities
• Scan all the libraries
• Find all secret-dependent accesses and automate attacks
• No need for source code
• Spy and learn about user’s behavior
48
![Page 205: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/205.jpg)
Case Study #2: Spying on the User
• Endless possibilities
• Scan all the libraries
• Find all secret-dependent accesses and automate attacks
• No need for source code
• Spy and learn about user’s behavior
48
![Page 206: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/206.jpg)
Case Study #2: Spying on the User
• Endless possibilities
• Scan all the libraries
• Find all secret-dependent accesses and automate attacks
• No need for source code
• Spy and learn about user’s behavior
48
![Page 207: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/207.jpg)
Case Study #2: Spying on the User
• Endless possibilities
• Scan all the libraries
• Find all secret-dependent accesses and automate attacks
• No need for source code
• Spy and learn about user’s behavior
48
![Page 208: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/208.jpg)
Case study #3
Attacking cryptographic algorithms
49
![Page 209: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/209.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• AES T-Tables: Fast software implementation
• Uses precomputed look-up tables
• One-round known-plaintext attack by Osvik et al. (2006)
• p plaintext and k secret key
• Intermediate state x (r) = (x(r)0 , . . . ,x
(r)15 ) at each round r
• First round, accessed table indices are
x(0)i = pi ⊕ki for all i = 0, . . . ,15
→ Recovering accessed table indices ⇒ recovering the key
50
![Page 210: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/210.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• AES T-Tables: Fast software implementation
• Uses precomputed look-up tables
• One-round known-plaintext attack by Osvik et al. (2006)
• p plaintext and k secret key
• Intermediate state x (r) = (x(r)0 , . . . ,x
(r)15 ) at each round r
• First round, accessed table indices are
x(0)i = pi ⊕ki for all i = 0, . . . ,15
→ Recovering accessed table indices ⇒ recovering the key
50
![Page 211: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/211.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• AES T-Tables: Fast software implementation
• Uses precomputed look-up tables
• One-round known-plaintext attack by Osvik et al. (2006)
• p plaintext and k secret key
• Intermediate state x (r) = (x(r)0 , . . . ,x
(r)15 ) at each round r
• First round, accessed table indices are
x(0)i = pi ⊕ki for all i = 0, . . . ,15
→ Recovering accessed table indices ⇒ recovering the key
50
![Page 212: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/212.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• AES T-Tables: Fast software implementation
• Uses precomputed look-up tables
• One-round known-plaintext attack by Osvik et al. (2006)
• p plaintext and k secret key
• Intermediate state x (r) = (x(r)0 , . . . ,x
(r)15 ) at each round r
• First round, accessed table indices are
x(0)i = pi ⊕ki for all i = 0, . . . ,15
→ Recovering accessed table indices ⇒ recovering the key
50
![Page 213: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/213.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• Bouncy Castle → default implementation uses T-Tables
→ Let’s monitor which T-Table entry is accessed!
• Java VM creates a copy of the T-tables when the app starts
• No shared memory → no Evict+Reload or Flush+Reload
→ Prime+Probe to the rescue!
0x00
0x01
0x02
0x03
0x04
0x05
0x06
0x07
0x08
0x09
0x0A
0x0B
0x0C
0x0D
0x0E
0x0F
P laintext byte values
Address
51
![Page 214: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/214.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• Bouncy Castle → default implementation uses T-Tables
→ Let’s monitor which T-Table entry is accessed!
• Java VM creates a copy of the T-tables when the app starts
• No shared memory → no Evict+Reload or Flush+Reload
→ Prime+Probe to the rescue!
0x00
0x01
0x02
0x03
0x04
0x05
0x06
0x07
0x08
0x09
0x0A
0x0B
0x0C
0x0D
0x0E
0x0F
P laintext byte values
Address
51
![Page 215: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/215.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• Bouncy Castle → default implementation uses T-Tables
→ Let’s monitor which T-Table entry is accessed!
• Java VM creates a copy of the T-tables when the app starts
• No shared memory → no Evict+Reload or Flush+Reload
→ Prime+Probe to the rescue!
0x00
0x01
0x02
0x03
0x04
0x05
0x06
0x07
0x08
0x09
0x0A
0x0B
0x0C
0x0D
0x0E
0x0F
P laintext byte values
Address
51
![Page 216: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/216.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• Bouncy Castle → default implementation uses T-Tables
→ Let’s monitor which T-Table entry is accessed!
• Java VM creates a copy of the T-tables when the app starts
• No shared memory → no Evict+Reload or Flush+Reload
→ Prime+Probe to the rescue!
0x00
0x01
0x02
0x03
0x04
0x05
0x06
0x07
0x08
0x09
0x0A
0x0B
0x0C
0x0D
0x0E
0x0F
P laintext byte values
Address
51
![Page 217: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/217.jpg)
Case Study #3: Attacking Cryptographic Algorithms
• Bouncy Castle → default implementation uses T-Tables
→ Let’s monitor which T-Table entry is accessed!
• Java VM creates a copy of the T-tables when the app starts
• No shared memory → no Evict+Reload or Flush+Reload
→ Prime+Probe to the rescue!0x00
0x01
0x02
0x03
0x04
0x05
0x06
0x07
0x08
0x09
0x0A
0x0B
0x0C
0x0D
0x0E
0x0F
P laintext byte values
Address
51
![Page 218: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/218.jpg)
Case study #4
Monitoring ARM TrustZone
52
![Page 219: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/219.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 220: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/220.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 221: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/221.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 222: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/222.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 223: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/223.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 224: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/224.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 225: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/225.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 226: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/226.jpg)
Case Study #4: Monitoring ARM TrustZone
• Hardware-based security technology
• Secure Execution Environment
• Roots of Trust
• Applications (trustlets) running in a secure world
• Credential-store
• Secure element for payments
• Digital Rights Management (DRM)
• Information from the trusted world should not be leaked to
the non-secure world
53
![Page 227: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/227.jpg)
Case Study #4: Monitoring ARM TrustZone
• Timing difference for different RSA signature keys
• No knowledge of the TrustZone/trustlet implementation
• Valid keys and invalid keys are distinguishable
250 260 270 280 290 300 310 320 330 340 3500
0.5
1
·106
Set number
MeanSquared
Error
(MSE)
Valid key 1
Valid key 2
Valid key 3
Invalid key
54
![Page 228: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/228.jpg)
Case Study #4: Monitoring ARM TrustZone
• Timing difference for different RSA signature keys
• No knowledge of the TrustZone/trustlet implementation
• Valid keys and invalid keys are distinguishable
250 260 270 280 290 300 310 320 330 340 3500
0.5
1
·106
Set number
MeanSquared
Error
(MSE)
Valid key 1
Valid key 2
Valid key 3
Invalid key
54
![Page 229: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/229.jpg)
Case Study #4: Monitoring ARM TrustZone
• Timing difference for different RSA signature keys
• No knowledge of the TrustZone/trustlet implementation
• Valid keys and invalid keys are distinguishable
250 260 270 280 290 300 310 320 330 340 3500
0.5
1
·106
Set number
MeanSquared
Error
(MSE)
Valid key 1
Valid key 2
Valid key 3
Invalid key
54
![Page 230: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/230.jpg)
Tools
![Page 231: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/231.jpg)
libflush
• Library to build cross-platform cache attacks
• x86
• ARMv7
• ARMv8
• Implements various attack techniques
• Flush+Reload
• Evict+Reload
• Prime+Probe
• Flush+Flush
• Prefetch
• Open Source
55
![Page 232: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/232.jpg)
libflush
• Library to build cross-platform cache attacks
• x86
• ARMv7
• ARMv8
• Implements various attack techniques
• Flush+Reload
• Evict+Reload
• Prime+Probe
• Flush+Flush
• Prefetch
• Open Source
55
![Page 233: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/233.jpg)
libflush
• Library to build cross-platform cache attacks
• x86
• ARMv7
• ARMv8
• Implements various attack techniques
• Flush+Reload
• Evict+Reload
• Prime+Probe
• Flush+Flush
• Prefetch
• Open Source
55
![Page 234: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/234.jpg)
libflush
• Library to build cross-platform cache attacks
• x86
• ARMv7
• ARMv8
• Implements various attack techniques
• Flush+Reload
• Evict+Reload
• Prime+Probe
• Flush+Flush
• Prefetch
• Open Source
55
![Page 235: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/235.jpg)
libflush
• All described examples have been developed on top of
libflush
• Includes eviction strategies for several devices
• Comes with example code and documentation
• Even allows to implement cross-platform Rowhammer attacks
� github.com/iaik/armageddon/libflush
56
![Page 236: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/236.jpg)
libflush
• All described examples have been developed on top of
libflush
• Includes eviction strategies for several devices
• Comes with example code and documentation
• Even allows to implement cross-platform Rowhammer attacks
� github.com/iaik/armageddon/libflush
56
![Page 237: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/237.jpg)
libflush
• All described examples have been developed on top of
libflush
• Includes eviction strategies for several devices
• Comes with example code and documentation
• Even allows to implement cross-platform Rowhammer attacks
� github.com/iaik/armageddon/libflush
56
![Page 238: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/238.jpg)
libflush
• All described examples have been developed on top of
libflush
• Includes eviction strategies for several devices
• Comes with example code and documentation
• Even allows to implement cross-platform Rowhammer attacks
� github.com/iaik/armageddon/libflush
56
![Page 239: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/239.jpg)
libflush
• All described examples have been developed on top of
libflush
• Includes eviction strategies for several devices
• Comes with example code and documentation
• Even allows to implement cross-platform Rowhammer attacks
� github.com/iaik/armageddon/libflush
56
![Page 240: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/240.jpg)
Eviction Strategy Evaluator
• Utilizes libflush to evaluate eviction strategies
• Automatically executed on target platform
• Results are stored in a database file
� github.com/iaik/armageddon/eviction_strategy_
evaluator
57
![Page 241: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/241.jpg)
Eviction Strategy Evaluator
• Utilizes libflush to evaluate eviction strategies
• Automatically executed on target platform
• Results are stored in a database file
� github.com/iaik/armageddon/eviction_strategy_
evaluator
57
![Page 242: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/242.jpg)
Eviction Strategy Evaluator
• Utilizes libflush to evaluate eviction strategies
• Automatically executed on target platform
• Results are stored in a database file
� github.com/iaik/armageddon/eviction_strategy_
evaluator
57
![Page 243: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/243.jpg)
Eviction Strategy Evaluator
• Utilizes libflush to evaluate eviction strategies
• Automatically executed on target platform
• Results are stored in a database file
� github.com/iaik/armageddon/eviction_strategy_
evaluator
57
![Page 244: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/244.jpg)
Cache Template Attacks
• Cross-platform cache template attack tool
• Scan libraries and executable for vulnerable addresses
• Additional tool to simulate input events
� github.com/iaik/armageddon/cache_template_attacks
58
![Page 245: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/245.jpg)
Cache Template Attacks
• Cross-platform cache template attack tool
• Scan libraries and executable for vulnerable addresses
• Additional tool to simulate input events
� github.com/iaik/armageddon/cache_template_attacks
58
![Page 246: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/246.jpg)
Cache Template Attacks
• Cross-platform cache template attack tool
• Scan libraries and executable for vulnerable addresses
• Additional tool to simulate input events
� github.com/iaik/armageddon/cache_template_attacks
58
![Page 247: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/247.jpg)
Cache Template Attacks
• Cross-platform cache template attack tool
• Scan libraries and executable for vulnerable addresses
• Additional tool to simulate input events
� github.com/iaik/armageddon/cache_template_attacks
58
![Page 248: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/248.jpg)
Countermeasures
![Page 249: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/249.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 250: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/250.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 251: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/251.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 252: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/252.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 253: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/253.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 254: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/254.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 255: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/255.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 256: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/256.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 257: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/257.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 258: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/258.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto.
For the rest. . . No satisfying solution
59
![Page 259: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/259.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . .
No satisfying solution
59
![Page 260: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/260.jpg)
Countermeasures
• Coarse-grained timers
→ But a thread timer is sufficient. . .
• No shared memory
→ What about Prime+Probe?
• Restrict system information, e.g., pagemap
→ Harder but still possible
• Use cryptographic instruction extensions
→ Still not the default everywhere. . .
→ Doesn’t protect from spying user behavior. . .
→ Protect crypto. For the rest. . . No satisfying solution
59
![Page 261: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/261.jpg)
Conclusion
![Page 262: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/262.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 263: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/263.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 264: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/264.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 265: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/265.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 266: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/266.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 267: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/267.jpg)
Conclusion
• All powerful cache attacks are applicable to mobile devices
• Without any permissions or privileges
• Building fast covert channels
• Spying on user activity with a high accuracy
• Deriving cryptographic keys
• ARM TrustZone leaking through the cache
• Try our tools yourself!
60
![Page 268: ARMageddon - Black Hat Briefings · Motivation Safe software infrastructure does not mean safe execution Information leaks because of theunderlying hardware We focus on the CPU cache](https://reader030.vdocument.in/reader030/viewer/2022041300/5e0f91a43b756871a71e1064/html5/thumbnails/268.jpg)
ARMageddon
How Your Smartphone CPU Breaks Software-Level
Security And Privacy
Moritz Lipp and Clementine Maurice
November 3, 2016—Black Hat Europe