![Page 1: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/1.jpg)
Systems | Fueling future disruptions
ResearchFaculty Summit 2018
![Page 2: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/2.jpg)
Secure Speculative Execution Processors
Ilia Lebedev, Srini Devadas
With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer
![Page 3: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/3.jpg)
Outline
• Violating isolation by exploiting speculative execution
• Defenses against cache timing attacks
• Secure enclaves in Intel SGX and MIT Sanctum
![Page 4: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/4.jpg)
Outline
• Violating isolation by exploiting speculative execution
• Defenses against cache timing attacks
• Secure enclaves in Intel SGX and MIT Sanctum
![Page 5: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/5.jpg)
Architectural Isolation
Fundamental to maintaining correctness and privacy!
![Page 6: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/6.jpg)
Control Flow Speculation for Performance
I: Compute
I+1: Compute
I+2: Compute
I+3: Compute
I: Control Flow
J: Compute
J+1: Compute
J+2: Compute
K: Compute
K+1: Compute
K+2: Compute
Correct direction
Mis-speculated direction
Sequential InstructionExecution
Non-sequential InstructionExecution
![Page 7: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/7.jpg)
Control Flow Speculation is insecure
Speculative execution does not affect architectural state → “correct”… but can be observed via some “side channels” (primarily cache tag state)
… and attacker can influence (mis)speculation branch predictor inputs not authenticated
A huge, complex attack surface!
![Page 8: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/8.jpg)
Side Channels in the Wild• Real systems: large, complex, cyberphysical
(not secure)
• Spies potentially everywhere
Hypervisor,Bios
CPU
DRAM
Chipset
Network
Thread L1 $L2 $
L3 $DRAM
Ctrl
.
Disk
Mainboard
OS
sharing!
sharing!sharing!
App
admins! users!vendors!
users!
admins!
![Page 9: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/9.jpg)
AttackerDomain of Victim
Secret
ChannelTransmitterAccess
Secret
Receiver
Attack Schema
1. Create a channel2. Create the transmitter3. Launch the transmitter4. Access the secret
![Page 10: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/10.jpg)
AttackerDomain of Victim
Secret
ChannelTransmitterAccess
Secret
Receiver
Building a Transmitter
Pre-existing (RSA conditional execution example)Written by attacker (Meltdown)Synthesized out of existing victim code by attacker (Spectre)
![Page 11: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/11.jpg)
Outline
• Violating isolation by exploiting speculative execution
• Defenses against cache timing attacks
• Secure enclaves in Intel SGX and MIT Sanctum
![Page 12: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/12.jpg)
AttackerDomain of Victim
Secret
ChannelTransmitterAccess
Secret
Receiver
Defense Schema
Here, we focus on this one
1. Create a channel2. Create the transmitter3. Launch the transmitter4. Access the secret
Block any of these steps!
![Page 13: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/13.jpg)
Intel’s Cache Allocation Technology (CAT)
CAT can be configured to prevent a potential transmitter from evicting LLC lines of a potential receiver.
Core 0 Core 1
Shared cache
Private Cache
Private Cache
DRAMdomain 0
domain 1Way partitioning is flexible, but CAT is built for QoS and not for security
- Shared addresses are visible across domains
- Replacement metadata updates are not isolated
![Page 14: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/14.jpg)
Intel’s CAT leaks information through cache hits
(rep. state,tag, data)
...
(rep. state,tag, data)
...
...
...
(rep. state,tag, data)
...
way 0 way 1 way wset 0set 1
address,class of service
set index
tag==?
CAT restricts cache fills to a portion of the LLC
Select way to fill from
ways
Fill the selected line, invalidate/writebackcurrent contents, if
applicable
==? ==?
No match → cache miss → cache fill
class of service→ ways
Match → cache hit → send / modify dataCache hits are not isolated
across domains
![Page 15: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/15.jpg)
Sharing replacement metadata leaks information
![Page 16: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/16.jpg)
Our Work: DAWG: Dynamically Allocated Way Guards
DAWG tracks global protection domains
Core 0 Core 1
Shared cache
Private Cache Private Cache
DRAMInstruction
fetch domain
Core 1’s DAWG domain_id MSRdomain 0
domain 1
domain 2(not currently scheduled)
Caches ensure protection domainsdo not interfere via cache tagsor replacement metadata.
Cores tag each access with a protection domain id:
Load domain Store*domain
Need DAWG-like approach for other shared microarchitectural state, e.g., branch predictors
![Page 17: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/17.jpg)
Complication!
Masking cache hits may lead to duplicated lines!→ OS ensures only clean, read-only lines are duplicated.
This is conveniently compatible with modern copy-on-write sharing- Efficient ways to handle MMAP and Fork
![Page 18: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/18.jpg)
Outline
• Violating isolation by exploiting speculative execution
• Defenses against cache timing attacks
• Secure enclaves in Intel SGX and MIT Sanctum
![Page 19: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/19.jpg)
TRUSTED
TRUSTED
A Typical Computer System’ TCB
CPU
DRA
M
Chipset
Network
Thread L1 $L2 $
L3 $DRA
M C
trl.
Disk
Mainboard
Priv
ilege
BIOS (SMM)
Hypervisor (Ring 0, VMX root)
OS Kernel (Ring 0)
App App
(Ring 3)
Software…… Running on hardware
Secure App
![Page 20: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/20.jpg)
Intel’s SGX to reduce TCB
• SGX protects a small codebase• good!
• Protected process = “Enclave”• Provides a trusted environment:
- app integrity- protects data
Priv
eleg
e
BIOS (SMM)
Hypervisor (VMX root)
OS Kernel (Ring 0)
App
(Ring 3) TRUSTEDEnclave
TRUSTEDCPU
DRA
M
Chipset
Network
ThreadL1 $L2 $
L3 $DRA
M C
trl.
Disk
Mainboard
![Page 21: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/21.jpg)
SGX leaks privacy in many waysHyperthreading, Speculation, Page Tables, Caches, ...
![Page 22: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/22.jpg)
Software uses attestation key to sign results of computationCache timing attacks could leak the keyForeshadow, Usenix Security
SGX Uses Enclaves for Attestation(EPID)
![Page 23: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/23.jpg)
Sanctum Secure ProcessorNo Speculation, No Hyperthreading
LLC
Private Cache
Core 0
DRAM
In-order datapath
$
Core
1
$ $
Core
2
Core
3
I/O
PartitionedLast Level Cache
![Page 24: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/24.jpg)
Sanctum’s Chain of Trust
Manufacturer
Sanctum HW
Security Monitor(SM)
Process
OS
ProcessUnprivileged(user mode)
Privileged(supervisor
mode)
Machine mode
Priv
iledg
e Certificate Authority
Strongly Isolated Enclave
![Page 25: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/25.jpg)
Isolated Page Tables
![Page 26: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/26.jpg)
Sanctum Secure ProcessorNo Speculation, No Hyperthreading
RISCV Rocket Core, Changes required by Sanctum (+ ~2% of core)
Also requires 9 new config registers
![Page 27: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/27.jpg)
Status
• Sanctum on AWS F1—you too can use it (or break it!)
• Ongoing: Keystone processor on HiFive Unleashed RISC-V chip (with KrsteAsanovic and Dawn Song, UCB)
• Near future: Out-of-order “Sanctoom” processor
• Near future: Formal verification effort (with Adam Chlipala, MIT)
![Page 28: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/28.jpg)
In Conclusion,
• Significant security concerns with outsourcing computation especially to public clouds
• Intel’s SGX helps but leaks privacy through software side channels and is quite opaque
• Rethinking processor architecture to not sacrifice isolation and privacy when optimizing for performance
![Page 29: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/29.jpg)
Thank you!
![Page 30: Research Faculty Summit 2018 - microsoft.com€¦ · Ilia Lebedev, Srini Devadas With contributions from Victor Costan, Vladimir Kiriansky, Saman Amarasinghe and Joel Emer. Outline](https://reader035.vdocument.in/reader035/viewer/2022081405/5f08c0a67e708231d4238d13/html5/thumbnails/30.jpg)