Cache Timing Side-Channel Vulnerability Checking with

Computation Tree Logic

Shuwen Deng, Wenjie Xiong and Jakub SzeferYale University

HASPJune 2, 2018

Memory System

2

Typical set-associative cache

ways

sets

Cache

cache enables fast access to the data

CPU Memory

3

s0

s1

s4

s2

s6

ld issue

{probe}

{hit}

{miss}

{replace}{bypass}

ISA-level Microarchitecture-level

ldreturn

{forceevict}

s3

{return data}

s5la

tency

↔ ca

che

hit

or

mis

s

Cache State Machine

fast access

slow accesstiming latency ⟷

cache hit & miss

4

• For load/store instruction, time differs between hits and misses• For flush instruction, time depends on data existence

• Attacker’s Goal: get information of the address of victim’s sensitive data by observing the timing difference

• Threat Model:– An attacker (A) shares the same cache with a victim (V)– The attacker cannot directly access the cache state machine– The attacker can observe the timing of the victim or itself– The attacker can combine timing observation with some other knowledge

• The attacker knows some source code of the victim• The attacker can force victim to execute a specific function

• E.g. Flush + Reload Attack

Cache Timing Side-Channel Attacks

5

Set-associative cache

ways

sets

1- Attackerprimes each

cache set2- Victim accesses

critical data

3- Attackerprobes each cache set (measure time)

EvictedAccessTime

E.g. Prime + Probe Attack

E.g. Flush + Reload Attack

6

EvictedAccess

TimeSet-associative cache

ways

sets

1- Flush each line in the cache

2- Victim accesses critical data

3- Attackerreloads critical data by running specific process (measure time)

7

Spectre & Meltdown Attack

• speculative executions– Variant 1: Bounds Check – Variant 2: Branch Target Injection– Variant 3: Rogue Data Cache

• Variant 3a: Rogue System Register – Variant 4: Speculative Store

• timing side-channel in the cache

8

Spectre & Meltdown Attack

• Uses speculative executions• Leverages timing side-channel in

the cache

9

Use Computation

Tree Logic (CTL)

Model execution paths of the

processor cache focusing on side-channel attacks

Develop Cache Access

Model

Three-step single-cache-block-access

model construction

Analyze Timing

Vulnerabilities

Exhaustive search for

possible attacks based on three-

step model

Contribution

10

condition description𝑉#/𝐴# A specific known memory location.𝑉& A piece of memory containing data from a range of

victim’s memory addresses is accessed. 𝑉'/𝐴' single-cache-block access to “remove” the cache

block contents⋆ Attacker has no knowledge about memory location

𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴', ⋆ 𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴'𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴'

Three-Step Single-Cache-Block-Access ModelWe use three steps to model all possible cache side channel attacks:

𝑆𝑡𝑒𝑝0 ⇝ 𝑆𝑡𝑒𝑝1 ⇝ 𝑆𝑡𝑒𝑝2

The initial state of the cache block

Actions of victim or attacker

Interference & final observation

11

• Prime + Probe Attack

– 𝐸𝐹(𝐸(𝐸 𝐴#𝑈𝑉& 𝑈𝐴#))

Vulnerability Examples

Set-associative cache

ways

sets

1- AttackerPrimes each

cache set

2- Victim accesses

critical data

3- AttackerProbes each cache set (measure time)

EvictedAccessTime

12

• Flush + Reload Attack

– 𝐴' ⇝ 𝑉& ⇝ 𝐴#– 𝑉' ⇝ 𝑉& ⇝ 𝐴#

Vulnerability Examples

EvictedAccess

TimeSet-associative cache

ways

sets

1- Flush each line in the cache

2- Victim accesses critical data

3- AttackerReloads critical data by running specific process (measure time)

condition description𝑉#/𝐴# A specific known memory location.𝑉& A piece of memory containing data from a range of victim’s

memory addresses is accessed. 𝑉'/𝐴' single-cache-block access to “remove” the cache block contents

13

Why three-step model can cover all?• One cache access

– Interference does not exist• Two cache accesses

– Same as three-step model with 𝑆𝑡𝑒𝑝0 to be “ ⋆ ”• More than three cache accesses

– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝𝐴# ⇝ 𝑉# ⇝ ⋯}, {⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯},… can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝ 𝑉# ⇝⋯}, ⋯ ⇝ 𝑉& ⇝ ⋯ ,… , respectively

– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to effective vulnerabilities represented by three-step model

Soundness of Three-Step Model

14

• More than three cache accesses– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ ,… , {⋯ ⇝𝐴# ⇝ 𝑉# ⇝ ⋯},… , {⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯} can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ ,… , {⋯ ⇝ 𝑉# ⇝⋯},… , {⋯ ⇝ 𝑉& ⇝ ⋯}, respectively

– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to known vulnerabilities represented by three-step model

Soundness of Three-step Model (b)

15

• Explicit enumeration of all the possible three steps (6x5x5=150)

• Identify 28 types of cache attacks– 20 types already known or categorized– 8 types previously not in literature

• Can be applied to evaluate any cache architecture with CTL logic

Exhaustive Vulnerability Search

16

S0 S1 S2 Recognized name

Categorization

𝑽𝒙 𝑨𝑹 𝑽𝒙 Type A𝑽𝒙 𝑽𝑹 𝑽𝒙 Type B𝑨𝑹 𝑨𝟏 𝑽𝒙 Type C𝑽𝑹 𝑨𝟏 𝑽𝒙 Type D𝑨𝟏 𝑨𝟏 𝑽𝒙 Type E𝑽𝟏 𝑨𝟏 𝑽𝒙 Type F𝑉& 𝐴# 𝑉& Evict+Time Type G𝐴' 𝑉# 𝑉& Cache Collision Type H𝑉' 𝑉# 𝑉& Cache Collision Type I

𝐴# 𝑉# 𝑉& Cache Collision Type J𝑉# 𝑉# 𝑉& Cache Collision Type K𝑉& 𝑉# 𝑉& Bernstein’s attack Type L

𝐴' 𝑉& 𝐴' Flush+Flush Type M𝑉' 𝑉& 𝐴' Flush+Flush Type N

Vulnerability Exhaustive ListS0 S1 S2 Recognized name Catego

rization

𝑉& 𝑉& 𝐴' Flush+Flush Type O𝐴' 𝑉& 𝑉' Flush+Flush Type P𝑉' 𝑉& 𝑉' Flush+Flush Type Q𝑉& 𝑉& 𝑉' Flush+Flush Type R𝐴' 𝑉& 𝐴# Flush(Evict)+Reload Type S 𝑉' 𝑉& 𝐴# Flush(Evict)+Reload Type T𝐴# 𝑉& 𝐴# Prime+Probe Type U𝑽𝟏 𝑽𝒙 𝑨𝟏 Type V𝑉& 𝑉& 𝐴# Flush(Evict)+Reload Type W𝐴' 𝑉& 𝑉# Cache Collision Type X𝑉' 𝑉& 𝑉# Cache Collision Type Y𝑨𝟏 𝑽𝒙 𝑽𝟏 Type Z𝑉# 𝑉& 𝑉# Bernstein’s attack Type AA𝑉& 𝑉& 𝑉# Cache Collision Type AB

17

• Flush + Reload Attack (Type S, T Attack)– 𝐴' ⇝ 𝑉& ⇝ 𝐴#– 𝑉' ⇝ 𝑉& ⇝ 𝐴#

Vulnerability Examples• New Type V Attack

– 𝑉# ⇝ 𝑉& ⇝ 𝐴#

Set-associative cache

ways

sets

1- Victimprimes each cache set

2- Victim accesses

critical data

3- Attackerprobes each cache set (measure time)

EvictedAccessTime

EvictedAccess

TimeSet-associative cache

ways

sets

1- Flush each line in the cache

2- Victim accesses critical data

3- Attackerreloads critical data by running specific process (measure time)

𝜓 𝜓 𝜓 𝜓 𝜓18

Treats time as discrete and branchingCan explore different execution paths

• Atomic propositions: , ,…• Boolean operators: ¬𝜑,𝜑 ∨ 𝜓,𝜑 ∧ 𝜓,…• Temporal modalities:

– X 𝜓 … “next𝜓” – 𝜑𝑈𝜓 … “𝜑until 𝜓” – F 𝜑 … “eventually 𝜑”– G 𝜑 … “always 𝜑”

• Path quantifiers:– E 𝜓 A 𝜓

𝜓𝜓𝜑𝜑

𝜓𝜑𝜑 𝜑 𝜑 𝜑

𝜑

Computation Tree Logic

Step0

Step1

Step2

19

For a single cache block, model execution paths that represent vulnerabilities to attacks:

M, s ⊨𝐸𝐹(𝐸(𝐸 𝑆𝑡𝑒𝑝0𝑈𝑆𝑡𝑒𝑝1 𝑈𝑆𝑡𝑒𝑝2))

Eventually there exists a path that corresponds to the vulnerability:𝑆𝑡𝑒𝑝0 ⇝ 𝑆𝑡𝑒𝑝1 ⇝ 𝑆𝑡𝑒𝑝2

Three-Step Model in CTL logic

E.g.𝐴' ⇝ 𝑉& ⇝ 𝐴#↔ 𝐸𝐹(𝐸(𝐸 𝐴'𝑈𝑉& 𝑈𝐴#))

The initial state of the cache block

Actions of victim or attacker

Interference & final observation

20

s0

s1

s4

s2

{probe}

{miss}

{replace}

s3

{returndata}

{hit}

Unfold from s0 to

computation tree

(s0,0)

(s1,1) (s

2,1)

(s3,2)(s

4,2)

(s0,3) (s

4,3)

(s0,4)(s

1,4) (s

2,4)

(s3,5)(s

4,5)

(s0,6) (s

4,6)

(s0,7)(s

1,7) (s

2,7)

(s1,5) (s

2,5)

(s3,6)(s

4,6)

(s0,7) (s

4,7)

(s1,8) (s

2,8)(s

3,8)(s

4,8)

(s4,9)

(s1,8) (s

2,8)

(s1,8) (s

2,8)(s

3,9)(s

4,9)

(s4,10)

(s0,7)

(s3,9)(s

4,9)

(s4,10) (s

3,10)(s

4,10)

(s4,11)

Step 0

Step 1

Step 2

three-step model:

Bounded Computation Tree

21

• hardware design of secure caches• cache state machine modeling• checking of vulnerability in CTL logic• improve CTL modeling

Future Work

22

Summary

• cache state machine modeling• checking of vulnerability in CTL logic• improve CTL modeling

Thank you!

Use Computation

Tree Logic (CTL)

Model execution paths of the

processor cache focusing on side-channel attacks

Develop Cache Access

Model

Three-step single-cache-block-access

model construction

Analyze Timing

Vulnerabilities

Exhaustive search for

possible attacks based on three-

step model

23

back up slides

24

• One cache access– Interference does not exist

• Two cache accesses– Same as three-step model with 𝑆𝑡𝑒𝑝0 to be “ ⋆ ”– None of them can form an attack

• Three cache accesses– Exhaustive vulnerability Search and effective

vulnerabilities derived

Soundness of Three-step Model (a)

25

• More than three cache accesses– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝ 𝐴# ⇝𝑉# ⇝ ⋯}, ⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯ ,… can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ , ⋯ ⇝ 𝑉# ⇝ ⋯ , {⋯ ⇝𝑉& ⇝ ⋯},…, respectively

– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to effective vulnerabilities represented by three-step model

Soundness of Three-step Model (b)