Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic
Shuwen Deng, Wenjie Xiong and Jakub Szefer
Yale University
HASP, June 2, 2018

Memory System
• Typical set-associative cache
• The cache enables fast access to the data
[Figure: cache organized into sets and ways, placed between the CPU and memory]

Cache State Machine
[Figure: cache state machine with states s0 to s6, from ld issue to ld return; labels {probe}, {hit}, {miss}, {replace}, {bypass}, {forceevict}, {return data}; regions marked ISA-level and microarchitecture-level; latency ↔ cache hit or miss]
• Fast access vs. slow access: timing latency ⟷ cache hit & miss

Cache Timing Side-Channel Attacks
• For load/store instructions, time differs between hits and misses
• For the flush instruction, time depends on whether the data is present in the cache
• Attacker’s goal: get information about the address of the victim’s sensitive data by observing the timing difference
• Threat model:
  – An attacker (A) shares the same cache with a victim (V)
  – The attacker cannot directly access the cache state machine
  – The attacker can observe the timing of the victim or itself
  – The attacker can combine timing observation with some other knowledge
    • The attacker knows some source code of the victim
    • The attacker can force the victim to execute a specific function
    • E.g. Flush + Reload Attack

E.g. Prime + Probe Attack
[Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
1- Attacker primes each cache set
2- Victim accesses critical data
3- Attacker probes each cache set (measure time)

E.g. Flush + Reload Attack
[Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
1- Flush each line in the cache
2- Victim accesses critical data
3- Attacker reloads critical data by running a specific process (measure time)

Spectre & Meltdown Attack
• speculative executions
  – Variant 1: Bounds Check
  – Variant 2: Branch Target Injection
  – Variant 3: Rogue Data Cache
    • Variant 3a: Rogue System Register
  – Variant 4: Speculative Store
• timing side-channel in the cache

Spectre & Meltdown Attack
• Uses speculative executions
• Leverages timing side-channel in the cache

Contribution
• Use Computation Tree Logic (CTL): model execution paths of the processor cache focusing on side-channel attacks
• Develop Cache Access Model: three-step single-cache-block-access model construction
• Analyze Timing Vulnerabilities: exhaustive search for possible attacks based on three-step model

Three-Step Single-Cache-Block-Access Model
We use three steps to model all possible cache side channel attacks:
$\mathit{Step0} \rightsquigarrow \mathit{Step1} \rightsquigarrow \mathit{Step2}$
• $\mathit{Step0}$: The initial state of the cache block ($V_1/A_1$, $V_x$, $V_R/A_R$, $\star$)
• $\mathit{Step1}$: Actions of victim or attacker ($V_1/A_1$, $V_x$, $V_R/A_R$)
• $\mathit{Step2}$: Interference & final observation ($V_1/A_1$, $V_x$, $V_R/A_R$)

| condition | description |
|---|---|
| $V_1/A_1$ | A specific known memory location. |
| $V_x$ | A piece of memory containing data from a range of victim’s memory addresses is accessed. |
| $V_R/A_R$ | single-cache-block access to “remove” the cache block contents |
| $\star$ | Attacker has no knowledge about memory location |

Vulnerability Examples
• Prime + Probe Attack
  – $EF(E(E(A_1 \; U \; V_x) \; U \; A_1))$
[Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
1- Attacker primes each cache set
2- Victim accesses critical data
3- Attacker probes each cache set (measure time)

Vulnerability Examples
• Flush + Reload Attack
  – $A_R \rightsquigarrow V_x \rightsquigarrow A_1$
  – $V_R \rightsquigarrow V_x \rightsquigarrow A_1$
[Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
1- Flush each line in the cache
2- Victim accesses critical data
3- Attacker reloads critical data by running a specific process (measure time)

| condition | description |
|---|---|
| $V_1/A_1$ | A specific known memory location. |
| $V_x$ | A piece of memory containing data from a range of victim’s memory addresses is accessed. |
| $V_R/A_R$ | single-cache-block access to “remove” the cache block contents |

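Soundness of Three-Step Model
Why can the three-step model cover all?
• One cache access
  – Interference does not exist
• Two cache accesses
  – Same as three-step model with $\mathit{Step0}$ to be “$\star$”
• More than three cache accesses
  – $\{\cdots \rightsquigarrow \star \rightsquigarrow \cdots\}$ can be divided into two parts
  – $\{\cdots \rightsquigarrow A_R \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow A_R \rightsquigarrow V_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow A_1 \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_x \rightsquigarrow V_x \rightsquigarrow \cdots\}$, … can be reduced to $\{\cdots \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_x \rightsquigarrow \cdots\}$, …, respectively
  – $\{\cdots \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow V_x \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow \cdots\}$ maps to effective vulnerabilities represented by the three-step model
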
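Soundness of Three-step Model (b)
• More than three cache accesses
  – $\{\cdots \rightsquigarrow \star \rightsquigarrow \cdots\}$ can be divided into two parts
  – $\{\cdots \rightsquigarrow A_R \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow A_R \rightsquigarrow V_R \rightsquigarrow \cdots\}$, …, $\{\cdots \rightsquigarrow A_1 \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, …, $\{\cdots \rightsquigarrow V_x \rightsquigarrow V_x \rightsquigarrow \cdots\}$ can be reduced to $\{\cdots \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_R \rightsquigarrow \cdots\}$, …, $\{\cdots \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, …, $\{\cdots \rightsquigarrow V_x \rightsquigarrow \cdots\}$, respectively
  – $\{\cdots \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow V_x \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow \cdots\}$ maps to known vulnerabilities represented by the three-step model
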
Exhaustive Vulnerability Search
• Explicit enumeration of all the possible three steps (6x5x5=150)
• Identify 28 types of cache attacks
  – 20 types already known or categorized
  – 8 types previously not in literature
• Can be applied to evaluate any cache architecture with CTL logic

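Vulnerability Exhaustive List

| S0 | S1 | S2 | Recognized name | Categorization |
|---|---|---|---|---|
| $V_x$ | $A_R$ | $V_x$ | | Type A |
| $V_x$ | $V_R$ | $V_x$ | | Type B |
| $A_R$ | $A_1$ | $V_x$ | | Type C |
| $V_R$ | $A_1$ | $V_x$ | | Type D |
| $A_1$ | $A_1$ | $V_x$ | | Type E |
| $V_1$ | $A_1$ | $V_x$ | | Type F |
| $V_x$ | $A_1$ | $V_x$ | Evict+Time | Type G |
| $A_R$ | $V_1$ | $V_x$ | Cache Collision | Type H |
| $V_R$ | $V_1$ | $V_x$ | Cache Collision | Type I |
| $A_1$ | $V_1$ | $V_x$ | Cache Collision | Type J |
| $V_1$ | $V_1$ | $V_x$ | Cache Collision | Type K |
| $V_x$ | $V_1$ | $V_x$ | Bernstein’s attack | Type L |
| $A_R$ | $V_x$ | $A_R$ | Flush+Flush | Type M |
| $V_R$ | $V_x$ | $A_R$ | Flush+Flush | Type N |
| $V_x$ | $V_x$ | $A_R$ | Flush+Flush | Type O |
| $A_R$ | $V_x$ | $V_R$ | Flush+Flush | Type P |
| $V_R$ | $V_x$ | $V_R$ | Flush+Flush | Type Q |
| $V_x$ | $V_x$ | $V_R$ | Flush+Flush | Type R |
| $A_R$ | $V_x$ | $A_1$ | Flush(Evict)+Reload | Type S |
| $V_R$ | $V_x$ | $A_1$ | Flush(Evict)+Reload | Type T |
| $A_1$ | $V_x$ | $A_1$ | Prime+Probe | Type U |
| $V_1$ | $V_x$ | $A_1$ | | Type V |
| $V_x$ | $V_x$ | $A_1$ | Flush(Evict)+Reload | Type W |
| $A_R$ | $V_x$ | $V_1$ | Cache Collision | Type X |
| $V_R$ | $V_x$ | $V_1$ | Cache Collision | Type Y |
| $A_1$ | $V_x$ | $V_1$ | | Type Z |
| $V_1$ | $V_x$ | $V_1$ | Bernstein’s attack | Type AA |
| $V_x$ | $V_x$ | $V_1$ | Cache Collision | Type AB |
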
Vulnerability Examples
• Flush + Reload Attack (Type S, T Attack)
  – $A_R \rightsquigarrow V_x \rightsquigarrow A_1$
  – $V_R \rightsquigarrow V_x \rightsquigarrow A_1$
  [Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
  1- Flush each line in the cache
  2- Victim accesses critical data
  3- Attacker reloads critical data by running a specific process (measure time)
• New Type V Attack
  – $V_1 \rightsquigarrow V_x \rightsquigarrow A_1$
  [Figure: set-associative cache (sets, ways); plot labels: Evicted, Access Time]
  1- Victim primes each cache set
  2- Victim accesses critical data
  3- Attacker probes each cache set (measure time)

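Computation Tree Logic
Treats time as discrete and branching
Can explore different execution paths
• Atomic propositions: , ,…
• Boolean operators: $\neg\varphi$, $\varphi \lor \psi$, $\varphi \land \psi$, …
• Temporal modalities:
  – X $\psi$ … “next $\psi$”
  – $\varphi$ U $\psi$ … “$\varphi$ until $\psi$”
  – F $\varphi$ … “eventually $\varphi$”
  – G $\varphi$ … “always $\varphi$”
• Path quantifiers:
  – E $\psi$
  – A $\psi$
[Figure: example state sequences labeled with $\varphi$ and $\psi$]
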
Three-Step Model in CTL logic
For a single cache block, model execution paths that represent vulnerabilities to attacks:
$M, s \models EF(E(E(\mathit{Step0} \; U \; \mathit{Step1}) \; U \; \mathit{Step2}))$
Eventually there exists a path that corresponds to the vulnerability: $\mathit{Step0} \rightsquigarrow \mathit{Step1} \rightsquigarrow \mathit{Step2}$
E.g. $A_R \rightsquigarrow V_x \rightsquigarrow A_1 \leftrightarrow EF(E(E(A_R \; U \; V_x) \; U \; A_1))$
• Step0: The initial state of the cache block
• Step1: Actions of victim or attacker
• Step2: Interference & final observation
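
A small explicit-state checker for the three-step formula, added here as an illustration and not taken from the slides or the authors' tooling. The two Kripke structures, their state names and the `strict` ordered reading are assumptions; `literal` evaluates the formula exactly as written under standard CTL semantics, where E[φ U ψ] already holds in any ψ-state.

```python
# Explicit-state CTL check of the three-step pattern Step0 ~> Step1 ~> Step2.
# Both Kripke structures below are constructed samples, not the authors' cache model.
def ex(trans, target):
    """EX target: states with at least one successor in target."""
    return {s for s, succs in trans.items() if succs & target}

def eu(trans, phi, psi):
    """E[phi U psi] as a least fixpoint; every psi-state satisfies it immediately."""
    sat = set(psi)
    while True:
        grown = sat | (phi & ex(trans, sat))
        if grown == sat:
            return sat
        sat = grown

def ef(trans, phi):
    """EF phi, computed as E[true U phi]."""
    return eu(trans, set(trans), phi)

def sat_ap(labels, ap):
    return {s for s, aps in labels.items() if ap in aps}

def literal(trans, labels, s0, s1, s2):
    """EF(E(E(s0 U s1) U s2)) evaluated exactly as written."""
    inner = eu(trans, sat_ap(labels, s0), sat_ap(labels, s1))
    return ef(trans, eu(trans, inner, sat_ap(labels, s2)))

def strict(trans, labels, s0, s1, s2):
    """Assumed ordered reading: s0, s1, s2 each hold at least once, in that order."""
    p0, p1, p2 = (sat_ap(labels, ap) for ap in (s0, s1, s2))
    mid = p1 & ex(trans, eu(trans, p1, p2))
    return ef(trans, p0 & ex(trans, eu(trans, p0, mid)))

# Constructed sample 1: the block can be flushed by the attacker (A_R) before V_x.
FLUSHABLE = ({"idle": {"flushed"}, "flushed": {"flushed", "victim"},
              "victim": {"reload"}, "reload": {"idle"}},
             {"idle": set(), "flushed": {"A_R"}, "victim": {"V_x"}, "reload": {"A_1"}})
# Constructed sample 2: same block, but no state carries the A_R label.
NO_FLUSH = ({"idle": {"victim"}, "victim": {"reload"}, "reload": {"idle"}},
            {"idle": set(), "victim": {"V_x"}, "reload": {"A_1"}})

def vulnerable(model, check, start="idle"):
    """True if start satisfies the A_R ~> V_x ~> A_1 pattern under the given check."""
    trans, labels = model
    return start in check(trans, labels, "A_R", "V_x", "A_1")

if __name__ == "__main__":
    for name, m in (("flushable", FLUSHABLE), ("no_flush", NO_FLUSH)):
        print(name, "literal:", vulnerable(m, literal), "strict:", vulnerable(m, strict))
```

On the second structure the formula as written still holds, because it reduces to reachability of an A_1 state, while the ordered reading reports no A_R ⇝ V_x ⇝ A_1 path.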

Bounded Computation Tree
[Figure: cache state machine (states s0 to s4; labels {probe}, {hit}, {miss}, {replace}, {return data}) unfolded from s0 into a computation tree of (state, depth) nodes, from (s0,0) down to depth 11, with Step 0, Step 1 and Step 2 of the three-step model marked]

Future Work
• hardware design of secure caches
• cache state machine modeling
• checking of vulnerability in CTL logic
• improve CTL modeling

Summary
• cache state machine modeling
• checking of vulnerability in CTL logic
• improve CTL modeling
• Use Computation Tree Logic (CTL): model execution paths of the processor cache focusing on side-channel attacks
• Develop Cache Access Model: three-step single-cache-block-access model construction
• Analyze Timing Vulnerabilities: exhaustive search for possible attacks based on three-step model
Thank you!

Backup slides

Soundness of Three-step Model (a)
• One cache access
  – Interference does not exist
• Two cache accesses
  – Same as three-step model with $\mathit{Step0}$ to be “$\star$”
  – None of them can form an attack
• Three cache accesses
  – Exhaustive vulnerability search and effective vulnerabilities derived

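Soundness of Three-step Model (b)
• More than three cache accesses
  – $\{\cdots \rightsquigarrow \star \rightsquigarrow \cdots\}$ can be divided into two parts
  – $\{\cdots \rightsquigarrow A_R \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow A_R \rightsquigarrow V_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow A_1 \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_x \rightsquigarrow V_x \rightsquigarrow \cdots\}$, … can be reduced to $\{\cdots \rightsquigarrow A_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_R \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_1 \rightsquigarrow \cdots\}$, $\{\cdots \rightsquigarrow V_x \rightsquigarrow \cdots\}$, …, respectively
  – $\{\cdots \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow V_x \rightsquigarrow (A_R/V_R/A_1/V_1) \rightsquigarrow \cdots\}$ maps to effective vulnerabilities represented by the three-step model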