science passion technology · science passion technology microarchitectural attacks: from the...
TRANSCRIPT
![Page 1: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/1.jpg)
SCIENCE PASSION TECHNOLOGY
Microarchitectural Attacks:
From the Basics to Arbitrary Read and Write Primitives without any Software Bugs
Daniel Gruss
June 19, 2018
Graz University of Technology
1 Daniel Gruss — Graz University of Technology
![Page 2: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/2.jpg)
![Page 3: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/3.jpg)
2 Daniel Gruss — Graz University of Technology
![Page 4: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/4.jpg)
2 Daniel Gruss — Graz University of Technology
![Page 5: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/5.jpg)
2 Daniel Gruss — Graz University of Technology
![Page 6: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/6.jpg)
2 Daniel Gruss — Graz University of Technology
![Page 7: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/7.jpg)
1337 4242
Revolutionary concept!
Store your food at home, never go to the grocery store during cooking.
Can store ALL kinds of food.
ONLY TODAY INSTEAD OF $1,300
ORDER VIA PHONE: +555 12345
2 Daniel Gruss — Graz University of Technology
![Page 8: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/8.jpg)
CPU Cache www.tugraz.at
printf("%d", i);
printf("%d", i);
3 Daniel Gruss — Graz University of Technology
![Page 9: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/9.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss
printf("%d", i);
3 Daniel Gruss — Graz University of Technology
![Page 10: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/10.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
printf("%d", i);
3 Daniel Gruss — Graz University of Technology
![Page 11: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/11.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
Response
printf("%d", i);
3 Daniel Gruss — Graz University of Technology
![Page 12: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/12.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
Responsei
printf("%d", i);
3 Daniel Gruss — Graz University of Technology
![Page 13: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/13.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
Responsei
printf("%d", i);
Cache hit
3 Daniel Gruss — Graz University of Technology
![Page 14: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/14.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
Responsei
printf("%d", i);
Cache hit
DRAM access,slow
3 Daniel Gruss — Graz University of Technology
![Page 15: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/15.jpg)
CPU Cache www.tugraz.at
printf("%d", i);Cache
miss Request
Responsei
printf("%d", i);
Cache hit
No DRAM access,
much faster
DRAM access,slow
3 Daniel Gruss — Graz University of Technology
![Page 16: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/16.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 17: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/17.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER
Shared Memory
cached
cached
VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 18: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/18.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER
Shared Memory
VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 19: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/19.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 20: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/20.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 21: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/21.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER
Shared Memory
VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 22: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/22.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER
Shared Memory
VICTIM
flushaccess
access
4 Daniel Gruss — Graz University of Technology
![Page 23: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/23.jpg)
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER
Shared Memory
VICTIM
flushaccess
access
fast if victim accessed data,slow otherwise
4 Daniel Gruss — Graz University of Technology
![Page 24: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/24.jpg)
Memory Access Latency www.tugraz.at
50 100 150 200 250 300 350 400
101
104
107
Access time [CPU cycles]
Nu
mb
erof
acce
sses
Cache Hits
5 Daniel Gruss — Graz University of Technology
![Page 25: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/25.jpg)
Memory Access Latency www.tugraz.at
50 100 150 200 250 300 350 400
101
104
107
Access time [CPU cycles]
Nu
mb
erof
acce
sses
Cache Hits Cache Misses
5 Daniel Gruss — Graz University of Technology
![Page 26: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/26.jpg)
Cache Template Attack Demo
![Page 27: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/27.jpg)
Cache Template www.tugraz.at
Address
Keyg h i j k l m n o p q r s t u v w x y z
0x7c680
0x7c6c0
0x7c700
0x7c740
0x7c780
0x7c7c0
0x7c800
0x7c840
0x7c880
0x7c8c0
0x7c900
0x7c940
0x7c980
0x7c9c0
0x7ca00
0x7cb80
0x7cc40
0x7cc80
0x7ccc0
0x7cd00
7 Daniel Gruss — Graz University of Technology
![Page 28: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/28.jpg)
Back to Work
7 Daniel Gruss — Graz University of Technology
![Page 29: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/29.jpg)
7 Daniel Gruss — Graz University of Technology
![Page 30: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/30.jpg)
7 Daniel Gruss — Graz University of Technology
![Page 31: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/31.jpg)
Wait for an hour
7 Daniel Gruss — Graz University of Technology
![Page 32: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/32.jpg)
Wait for an hour
LATENCY
7 Daniel Gruss — Graz University of Technology
![Page 33: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/33.jpg)
7 Daniel Gruss — Graz University of Technology
![Page 34: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/34.jpg)
ParallelizeD
epen
denc
y
7 Daniel Gruss — Graz University of Technology
![Page 35: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/35.jpg)
Out-of-order Execution www.tugraz.at
1 int width = 10, height = 5;
2
3 float diagonal = sqrt(width * width
4 + height * height);
5 int area = width * height;
6
7 printf("Area %d x %d = %d\n", width , height , area);
8 Daniel Gruss — Graz University of Technology
![Page 36: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/36.jpg)
Out-of-order Execution www.tugraz.at
1 int width = 10, height = 5;
2
3 float diagonal = sqrt(width * width
4 + height * height);
5 int area = width * height;
6
7 printf("Area %d x %d = %d\n", width , height , area);
ParallelizeD
epen
denc
y
8 Daniel Gruss — Graz University of Technology
![Page 37: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/37.jpg)
Building Meltdown www.tugraz.at
1 char data = *(char*)0xffffffff81a000e0;
2 printf("%c\n", data);
1 segfault at ffffffff81a000e0 ip 0000000000400535
2 sp 00007 ffce4a80610 error 5 in reader
• Kernel addresses are not accessible
• Are privilege checks also done when executing instructions out of order?
9 Daniel Gruss — Graz University of Technology
![Page 38: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/38.jpg)
Building Meltdown www.tugraz.at
1 char data = *(char*)0xffffffff81a000e0;
2 printf("%c\n", data);
1 segfault at ffffffff81a000e0 ip 0000000000400535
2 sp 00007 ffce4a80610 error 5 in reader
• Kernel addresses are not accessible
• Are privilege checks also done when executing instructions out of order?
9 Daniel Gruss — Graz University of Technology
![Page 39: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/39.jpg)
Building Meltdown www.tugraz.at
1 char data = *(char*)0xffffffff81a000e0;
2 printf("%c\n", data);
1 segfault at ffffffff81a000e0 ip 0000000000400535
2 sp 00007 ffce4a80610 error 5 in reader
• Kernel addresses are not accessible
• Are privilege checks also done when executing instructions out of order?
9 Daniel Gruss — Graz University of Technology
![Page 40: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/40.jpg)
Building Meltdown www.tugraz.at
1 char data = *(char*)0xffffffff81a000e0;
2 printf("%c\n", data);
1 segfault at ffffffff81a000e0 ip 0000000000400535
2 sp 00007 ffce4a80610 error 5 in reader
• Kernel addresses are not accessible
• Are privilege checks also done when executing instructions out of order?
9 Daniel Gruss — Graz University of Technology
![Page 41: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/41.jpg)
Building Meltdown www.tugraz.at
• Adapted code
1 *( volatile char*)0;
2 array [84 * 4096] = 0; // unreachable
• Static code analyzer is not happy
1 warn ing : De r e f e r e n c e o f n u l l p o i n t e r
2 ∗( v o l a t i l e char ∗) 0 ;
10 Daniel Gruss — Graz University of Technology
![Page 42: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/42.jpg)
Building Meltdown www.tugraz.at
• Adapted code
1 *( volatile char*)0;
2 array [84 * 4096] = 0; // unreachable
• Static code analyzer is not happy
1 warn ing : De r e f e r e n c e o f n u l l p o i n t e r
2 ∗( v o l a t i l e char ∗) 0 ;
10 Daniel Gruss — Graz University of Technology
![Page 43: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/43.jpg)
Building Meltdown www.tugraz.at
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
Page
Accesstime
[cycles]
• “Unreachable” code line was actually executed
• Exception was only thrown afterwards
11 Daniel Gruss — Graz University of Technology
![Page 44: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/44.jpg)
Building Meltdown www.tugraz.at
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
Page
Accesstime
[cycles]
• “Unreachable” code line was actually executed
• Exception was only thrown afterwards
11 Daniel Gruss — Graz University of Technology
![Page 45: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/45.jpg)
Building Meltdown www.tugraz.at
• Combine the two things
1 char data = *(char*)0xffffffff81a000e0;
2 array[data * 4096] = 0;
• Then check whether any part of array is cached
12 Daniel Gruss — Graz University of Technology
![Page 46: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/46.jpg)
Building Meltdown www.tugraz.at
• Combine the two things
1 char data = *(char*)0xffffffff81a000e0;
2 array[data * 4096] = 0;
• Then check whether any part of array is cached
12 Daniel Gruss — Graz University of Technology
![Page 47: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/47.jpg)
Building Meltdown www.tugraz.at
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
Page
Accesstime
[cycles]
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
13 Daniel Gruss — Graz University of Technology
![Page 48: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/48.jpg)
Building Meltdown www.tugraz.at
• Flush+Reload over all pages of the array
0 50 100 150 200 250
300
400
500
Page
Accesstime
[cycles]
• Index of cache hit reveals data
• Permission check is in some cases not fast enough
13 Daniel Gruss — Graz University of Technology
![Page 49: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/49.jpg)
![Page 50: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/50.jpg)
![Page 51: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/51.jpg)
![Page 52: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/52.jpg)
![Page 53: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/53.jpg)
Leaking Passwords from your Password Manager www.tugraz.at
18 Daniel Gruss — Graz University of Technology
![Page 54: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/54.jpg)
How to mitigate Meltdown?
18 Daniel Gruss — Graz University of Technology
![Page 55: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/55.jpg)
Take the kernel addresses... www.tugraz.at
• Kernel addresses in user space are a problem
• Why don’t we take the kernel addresses...
19 Daniel Gruss — Graz University of Technology
![Page 56: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/56.jpg)
Take the kernel addresses... www.tugraz.at
• Kernel addresses in user space are a problem
• Why don’t we take the kernel addresses...
19 Daniel Gruss — Graz University of Technology
![Page 57: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/57.jpg)
...and remove them www.tugraz.at
• ...and remove them if not needed?
• User accessible check in hardware is not reliable
20 Daniel Gruss — Graz University of Technology
![Page 58: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/58.jpg)
...and remove them www.tugraz.at
• ...and remove them if not needed?
• User accessible check in hardware is not reliable
20 Daniel Gruss — Graz University of Technology
![Page 59: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/59.jpg)
20 Daniel Gruss — Graz University of Technology
![Page 60: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/60.jpg)
20 Daniel Gruss — Graz University of Technology
![Page 61: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/61.jpg)
Kernel Address Isolation to have Side channels Efficiently Removed
20 Daniel Gruss — Graz University of Technology
![Page 62: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/62.jpg)
Kernel Address Isolation to have Side channels Efficiently Removed
KAISER /ˈkʌɪzə/1. [german] Emperor,ruler of an empire2. largest penguin, emperor penguin
20 Daniel Gruss — Graz University of Technology
![Page 63: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/63.jpg)
KAISER Illustration www.tugraz.at
Without KAISER:
Shared address space
User memory Kernel memory
0 −1
context switch
With KAISER:
User address space
User memory Not mapped
0 −1
Kernel address space
SMAP + SMEP Kernel memory
0 −1
context switch
switch
addr.
space
Interrupt
dispatcher
21 Daniel Gruss — Graz University of Technology
![Page 64: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/64.jpg)
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
22 Daniel Gruss — Graz University of Technology
![Page 65: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/65.jpg)
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
22 Daniel Gruss — Graz University of Technology
![Page 66: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/66.jpg)
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
22 Daniel Gruss — Graz University of Technology
![Page 67: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/67.jpg)
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
22 Daniel Gruss — Graz University of Technology
![Page 68: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/68.jpg)
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
22 Daniel Gruss — Graz University of Technology
![Page 69: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/69.jpg)
Meltdown and Spectre www.tugraz.at
23 Daniel Gruss — Graz University of Technology
![Page 70: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/70.jpg)
Meltdown and Spectre www.tugraz.at
23 Daniel Gruss — Graz University of Technology
![Page 71: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/71.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 72: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/72.jpg)
Prosciutto23 Daniel Gruss — Graz University of Technology
![Page 73: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/73.jpg)
Funghi23 Daniel Gruss — Graz University of Technology
![Page 74: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/74.jpg)
Diavolo23 Daniel Gruss — Graz University of Technology
![Page 75: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/75.jpg)
Diavolo23 Daniel Gruss — Graz University of Technology
![Page 76: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/76.jpg)
Diavolo23 Daniel Gruss — Graz University of Technology
![Page 77: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/77.jpg)
Diavolo23 Daniel Gruss — Graz University of Technology
![Page 78: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/78.jpg)
»A table for 6 please«
23 Daniel Gruss — Graz University of Technology
![Page 79: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/79.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 80: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/80.jpg)
Speculative Cooking
23 Daniel Gruss — Graz University of Technology
![Page 81: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/81.jpg)
»A table for 6 please«
23 Daniel Gruss — Graz University of Technology
![Page 82: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/82.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 83: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/83.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 84: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/84.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 85: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/85.jpg)
23 Daniel Gruss — Graz University of Technology
![Page 86: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/86.jpg)
What does Spectre do? www.tugraz.at
• Mistrains branch prediction
• CPU speculatively executes code which should not be executed
• Can also mistrain indirect calls
→ Spectre “convinces” program to execute code
24 Daniel Gruss — Graz University of Technology
![Page 87: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/87.jpg)
What does Spectre do? www.tugraz.at
• Mistrains branch prediction
• CPU speculatively executes code which should not be executed
• Can also mistrain indirect calls
→ Spectre “convinces” program to execute code
24 Daniel Gruss — Graz University of Technology
![Page 88: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/88.jpg)
What does Spectre do? www.tugraz.at
• Mistrains branch prediction
• CPU speculatively executes code which should not be executed
• Can also mistrain indirect calls
→ Spectre “convinces” program to execute code
24 Daniel Gruss — Graz University of Technology
![Page 89: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/89.jpg)
What does Spectre do? www.tugraz.at
• Mistrains branch prediction
• CPU speculatively executes code which should not be executed
• Can also mistrain indirect calls
→ Spectre “convinces” program to execute code
24 Daniel Gruss — Graz University of Technology
![Page 90: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/90.jpg)
Spectre (variant 1) www.tugraz.at
index = 0;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 91: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/91.jpg)
Spectre (variant 1) www.tugraz.at
index = 0;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 92: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/92.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 0;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 93: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/93.jpg)
Spectre (variant 1) www.tugraz.at
Execute
index = 0;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 94: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/94.jpg)
Spectre (variant 1) www.tugraz.at
index = 1;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 95: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/95.jpg)
Spectre (variant 1) www.tugraz.at
index = 1;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 96: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/96.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 1;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 97: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/97.jpg)
Spectre (variant 1) www.tugraz.at
index = 1;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 98: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/98.jpg)
Spectre (variant 1) www.tugraz.at
index = 2;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 99: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/99.jpg)
Spectre (variant 1) www.tugraz.at
index = 2;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 100: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/100.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 2;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 101: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/101.jpg)
Spectre (variant 1) www.tugraz.at
index = 2;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 102: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/102.jpg)
Spectre (variant 1) www.tugraz.at
index = 3;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 103: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/103.jpg)
Spectre (variant 1) www.tugraz.at
index = 3;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 104: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/104.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 3;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 105: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/105.jpg)
Spectre (variant 1) www.tugraz.at
index = 3;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 106: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/106.jpg)
Spectre (variant 1) www.tugraz.at
index = 4;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 107: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/107.jpg)
Spectre (variant 1) www.tugraz.at
index = 4;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 108: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/108.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 4;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 109: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/109.jpg)
Spectre (variant 1) www.tugraz.at
Execute
index = 4;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 110: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/110.jpg)
Spectre (variant 1) www.tugraz.at
index = 5;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 111: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/111.jpg)
Spectre (variant 1) www.tugraz.at
index = 5;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 112: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/112.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 5;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 113: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/113.jpg)
Spectre (variant 1) www.tugraz.at
Execute
index = 5;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 114: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/114.jpg)
Spectre (variant 1) www.tugraz.at
index = 6;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 115: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/115.jpg)
Spectre (variant 1) www.tugraz.at
index = 6;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 116: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/116.jpg)
Spectre (variant 1) www.tugraz.at
Speculate
index = 6;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 117: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/117.jpg)
Spectre (variant 1) www.tugraz.at
Execute
index = 6;
if (index < 4)
char* data = "textKEY";
LUT[data[index] * 4096] 0
then
else
Prediction
25 Daniel Gruss — Graz University of Technology
![Page 118: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/118.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
swim()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 119: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/119.jpg)
Spectre (variant 2) www.tugraz.at
Speculate
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
swim()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 120: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/120.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
swim()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 121: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/121.jpg)
Spectre (variant 2) www.tugraz.at
Execute
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
swim()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 122: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/122.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 123: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/123.jpg)
Spectre (variant 2) www.tugraz.at
Speculate
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 124: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/124.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = bird;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 125: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/125.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = fish;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 126: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/126.jpg)
Spectre (variant 2) www.tugraz.at
Speculate
a->move()
Animal* a = fish;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 127: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/127.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = fish;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 128: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/128.jpg)
Spectre (variant 2) www.tugraz.at
Execute
a->move()
Animal* a = fish;
LUT[data[index] * 4096] 0
fly()
Prediction
fly()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 129: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/129.jpg)
Spectre (variant 2) www.tugraz.at
a->move()
Animal* a = fish;
LUT[data[index] * 4096] 0
fly()
Prediction
swim()swim
()
26 Daniel Gruss — Graz University of Technology
![Page 130: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/130.jpg)
Spectre (variant 4) www.tugraz.at
index = 0;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 131: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/131.jpg)
Spectre (variant 4) www.tugraz.at
index = 0;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 132: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/132.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 0;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 133: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/133.jpg)
Spectre (variant 4) www.tugraz.at
index = 0;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 134: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/134.jpg)
Spectre (variant 4) www.tugraz.at
index = 1;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 135: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/135.jpg)
Spectre (variant 4) www.tugraz.at
index = 1;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 136: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/136.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 1;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 137: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/137.jpg)
Spectre (variant 4) www.tugraz.at
index = 1;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 138: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/138.jpg)
Spectre (variant 4) www.tugraz.at
index = 2;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 139: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/139.jpg)
Spectre (variant 4) www.tugraz.at
index = 2;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 140: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/140.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 2;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 141: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/141.jpg)
Spectre (variant 4) www.tugraz.at
index = 2;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 142: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/142.jpg)
Spectre (variant 4) www.tugraz.at
index = 3;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 143: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/143.jpg)
Spectre (variant 4) www.tugraz.at
index = 3;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 144: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/144.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 3;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 145: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/145.jpg)
Spectre (variant 4) www.tugraz.at
index = 3;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 146: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/146.jpg)
Spectre (variant 4) www.tugraz.at
index = 4;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 147: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/147.jpg)
Spectre (variant 4) www.tugraz.at
index = 4;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 148: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/148.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 4;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 149: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/149.jpg)
Spectre (variant 4) www.tugraz.at
Execute
index = 4;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
index
=0 ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 150: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/150.jpg)
Spectre (variant 4) www.tugraz.at
index = 5;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 151: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/151.jpg)
Spectre (variant 4) www.tugraz.at
index = 5;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 152: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/152.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 5;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 153: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/153.jpg)
Spectre (variant 4) www.tugraz.at
Execute
index = 5;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
index
=1 ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 154: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/154.jpg)
Spectre (variant 4) www.tugraz.at
index = 6;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 155: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/155.jpg)
Spectre (variant 4) www.tugraz.at
index = 6;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 156: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/156.jpg)
Spectre (variant 4) www.tugraz.at
Speculate
index = 6;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
consid
er ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 157: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/157.jpg)
Spectre (variant 4) www.tugraz.at
Execute
index = 6;
index = index & 0x3; // sanitization
char* data = "textKEY";
LUT[data[index] * 4096] LUT[data[index] * 4096]
index
=2 ignore
Prediction
27 Daniel Gruss — Graz University of Technology
![Page 158: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/158.jpg)
Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution
• No wrong speculation if there is no speculation
• Problem: massive performance hit!
• Also: How to disable it?
• Speculative execution is deeply integrated into CPU
28 Daniel Gruss — Graz University of Technology
![Page 159: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/159.jpg)
Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution
• No wrong speculation if there is no speculation
• Problem: massive performance hit!
• Also: How to disable it?
• Speculative execution is deeply integrated into CPU
28 Daniel Gruss — Graz University of Technology
![Page 160: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/160.jpg)
Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution
• No wrong speculation if there is no speculation
• Problem: massive performance hit!
• Also: How to disable it?
• Speculative execution is deeply integrated into CPU
28 Daniel Gruss — Graz University of Technology
![Page 161: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/161.jpg)
Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution
• No wrong speculation if there is no speculation
• Problem: massive performance hit!
• Also: How to disable it?
• Speculative execution is deeply integrated into CPU
28 Daniel Gruss — Graz University of Technology
![Page 162: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/162.jpg)
Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution
• No wrong speculation if there is no speculation
• Problem: massive performance hit!
• Also: How to disable it?
• Speculative execution is deeply integrated into CPU
28 Daniel Gruss — Graz University of Technology
![Page 163: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/163.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Workaround: insert instructions stopping speculation
→ insert after every bounds check
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8
29 Daniel Gruss — Graz University of Technology
![Page 164: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/164.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Workaround: insert instructions stopping speculation
→ insert after every bounds check
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8
29 Daniel Gruss — Graz University of Technology
![Page 165: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/165.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Workaround: insert instructions stopping speculation
→ insert after every bounds check
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8
29 Daniel Gruss — Graz University of Technology
![Page 166: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/166.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Workaround: insert instructions stopping speculation
→ insert after every bounds check
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8
29 Daniel Gruss — Graz University of Technology
![Page 167: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/167.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Workaround: insert instructions stopping speculation
→ insert after every bounds check
• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8
29 Daniel Gruss — Graz University of Technology
![Page 168: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/168.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier requires compiler supported
• Already implemented in GCC, LLVM, and MSVC
• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate
30 Daniel Gruss — Graz University of Technology
![Page 169: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/169.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier requires compiler supported
• Already implemented in GCC, LLVM, and MSVC
• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate
30 Daniel Gruss — Graz University of Technology
![Page 170: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/170.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier requires compiler supported
• Already implemented in GCC, LLVM, and MSVC
• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate
30 Daniel Gruss — Graz University of Technology
![Page 171: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/171.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier requires compiler supported
• Already implemented in GCC, LLVM, and MSVC
• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate
30 Daniel Gruss — Graz University of Technology
![Page 172: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/172.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier requires compiler supported
• Already implemented in GCC, LLVM, and MSVC
• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate
30 Daniel Gruss — Graz University of Technology
![Page 173: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/173.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
31 Daniel Gruss — Graz University of Technology
![Page 174: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/174.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
31 Daniel Gruss — Graz University of Technology
![Page 175: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/175.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier works if affected code constructs are
known
• Programmer has to fully understand vulnerability
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers
32 Daniel Gruss — Graz University of Technology
![Page 176: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/176.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier works if affected code constructs are
known
• Programmer has to fully understand vulnerability
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers
32 Daniel Gruss — Graz University of Technology
![Page 177: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/177.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier works if affected code constructs are
known
• Programmer has to fully understand vulnerability
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers
32 Daniel Gruss — Graz University of Technology
![Page 178: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/178.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier works if affected code constructs are
known
• Programmer has to fully understand vulnerability
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers
32 Daniel Gruss — Graz University of Technology
![Page 179: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/179.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• Speculation barrier works if affected code constructs are
known
• Programmer has to fully understand vulnerability
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers
32 Daniel Gruss — Graz University of Technology
![Page 180: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/180.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 181: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/181.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 182: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/182.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 183: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/183.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 184: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/184.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 185: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/185.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 186: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/186.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Indirect Branch Restricted Speculation (IBRS):
• Do not speculate based on anything before entering IBRS mode
→ lesser privileged code cannot influence predictions
• Indirect Branch Predictor Barrier (IBPB):
• Flush branch-target buffer
• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads
33 Daniel Gruss — Graz University of Technology
![Page 187: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/187.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 188: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/188.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 189: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/189.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function
→ performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 190: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/190.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 191: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/191.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 192: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/192.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 193: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/193.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)
1 push <call_target >
2 call 1f
3 2: ; speculation will continue here
4 lfence ; speculation barrier
5 jmp 2b ; endless loop
6 1:
7 lea 8(% rsp), %rsp ; restore stack pointer
8 ret ; the actual call to <call_target >
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function → performance?
• On Broadwell or newer:
• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that
34 Daniel Gruss — Graz University of Technology
![Page 194: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/194.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
• ARM provides hardened Linux kernel
• Clears branch-predictor state on context switch
• Either via instruction (BPIALL)...
• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)
35 Daniel Gruss — Graz University of Technology
![Page 195: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/195.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
• ARM provides hardened Linux kernel
• Clears branch-predictor state on context switch
• Either via instruction (BPIALL)...
• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)
35 Daniel Gruss — Graz University of Technology
![Page 196: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/196.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
• ARM provides hardened Linux kernel
• Clears branch-predictor state on context switch
• Either via instruction (BPIALL)...
• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)
35 Daniel Gruss — Graz University of Technology
![Page 197: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/197.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
• ARM provides hardened Linux kernel
• Clears branch-predictor state on context switch
• Either via instruction (BPIALL)...
• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)
35 Daniel Gruss — Graz University of Technology
![Page 198: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/198.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
• ARM provides hardened Linux kernel
• Clears branch-predictor state on context switch
• Either via instruction (BPIALL)...
• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)
35 Daniel Gruss — Graz University of Technology
![Page 199: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/199.jpg)
Spectre Variant 4 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Disable store-to-load-forward speculation
• Performance impact of 2–8%
36 Daniel Gruss — Graz University of Technology
![Page 200: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/200.jpg)
Spectre Variant 4 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates
• Disable store-to-load-forward speculation
• Performance impact of 2–8%
36 Daniel Gruss — Graz University of Technology
![Page 201: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/201.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 202: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/202.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 203: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/203.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 204: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/204.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 205: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/205.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 206: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/206.jpg)
What does not work www.tugraz.at
• Prevent access to high-resolution timer
→ Own timer using timing thread
• Flush instruction only privileged
→ Cache eviction through memory accesses
• Just move secrets into secure world
→ Spectre works on secure enclaves
37 Daniel Gruss — Graz University of Technology
![Page 207: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/207.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 208: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/208.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 209: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/209.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 210: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/210.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 211: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/211.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 212: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/212.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 213: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/213.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• Out-of-Order Execution
• has nothing to do with branch prediction
• turning off speculative execution entirely
has no effect on Meltdown
→ melts down the isolation provided by the
user accessible-bit
• in theory: OoO not required, pipelining
can be sufficient
• mitigated by KAISER
Spectre
• Speculative Execution (subset of
Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction
• turning off speculative execution entirely
would work
• has nothing to do with the
user accessible-bit
• KAISER has no effect on Spectre at all
38 Daniel Gruss — Graz University of Technology
![Page 214: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/214.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• performs illegal memory accesses → we
need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch
misprediction
Spectre
• performs only legal memory accesses
• has nothing to do with exception
handling
or suppression
• abc
• abc
39 Daniel Gruss — Graz University of Technology
![Page 215: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/215.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• performs illegal memory accesses → we
need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch
misprediction
Spectre
• performs only legal memory accesses
• has nothing to do with exception
handling
or suppression
• abc
• abc
39 Daniel Gruss — Graz University of Technology
![Page 216: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/216.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• performs illegal memory accesses → we
need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch
misprediction
Spectre
• performs only legal memory accesses
• has nothing to do with exception
handling
or suppression
• abc
• abc
39 Daniel Gruss — Graz University of Technology
![Page 217: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/217.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• performs illegal memory accesses → we
need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch
misprediction
Spectre
• performs only legal memory accesses
• has nothing to do with exception
handling or suppression
• abc
• abc
39 Daniel Gruss — Graz University of Technology
![Page 218: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/218.jpg)
Meltdown vs. Spectre www.tugraz.at
Meltdown
• performs illegal memory accesses → we
need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch
misprediction
Spectre
• performs only legal memory accesses
• has nothing to do with exception
handling or suppression
• abc
• abc
39 Daniel Gruss — Graz University of Technology
![Page 219: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/219.jpg)
What if we want to modify data?
39 Daniel Gruss — Graz University of Technology
![Page 220: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/220.jpg)
DRAM organization www.tugraz.at
channel 0
channel 1
back of DIMM: rank 1
front of DIMM:
rank 0
chip
40 Daniel Gruss — Graz University of Technology
![Page 221: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/221.jpg)
DRAM organization www.tugraz.at
channel 0
channel 1
back of DIMM: rank 1
front of DIMM:
rank 0
chip
40 Daniel Gruss — Graz University of Technology
![Page 222: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/222.jpg)
DRAM organization www.tugraz.at
channel 0
channel 1
back of DIMM: rank 1
front of DIMM:
rank 0
chip
40 Daniel Gruss — Graz University of Technology
![Page 223: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/223.jpg)
DRAM organization www.tugraz.at
channel 0
channel 1
back of DIMM: rank 1
front of DIMM:
rank 0
chip
40 Daniel Gruss — Graz University of Technology
![Page 224: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/224.jpg)
DRAM organization www.tugraz.at
chip
bank 0
row 0
row 1
row 2
. . .
row 32767
row buffer
64k cells
1 capacitor,
1 transitor each
41 Daniel Gruss — Graz University of Technology
![Page 225: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/225.jpg)
DRAM organization www.tugraz.at
chip
bank 0
row 0
row 1
row 2
. . .
row 32767
row buffer
64k cells
1 capacitor,
1 transitor each
41 Daniel Gruss — Graz University of Technology
![Page 226: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/226.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row buffer
• Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 227: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/227.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row buffer
activate
row buffer
copy
• Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 228: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/228.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row buffer
activate
row buffer
copy
• Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 229: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/229.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row buffer
activate
row buffer
copy
• Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 230: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/230.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row buffer
activate
row buffer
copy
• Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 231: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/231.jpg)
Rowhammer www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
. . .
1 1 1 1 1 1 1 1 1 1 1 1 1 1
row bufferrow buffer
1 0 1 1 1 1 1 0 1 0 1 1 1 1
bit flips in row 2! • Cells leak → repetitive refresh
necessary
• Maximum interval between
refreshes to guarantee data
integrity
• Cells leak faster upon proximate
accesses → Rowhammer
42 Daniel Gruss — Graz University of Technology
![Page 232: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/232.jpg)
Hammering techniques www.tugraz.at
• There are two different hammering techniques
• #1: Hammer one row next to victim row and other random rows
• #2: Hammer two rows neighboring victim row
• #3: Hammer only one row next to victim row
43 Daniel Gruss — Graz University of Technology
![Page 233: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/233.jpg)
Hammering techniques www.tugraz.at
• There are two different hammering techniques
• #1: Hammer one row next to victim row and other random rows
• #2: Hammer two rows neighboring victim row
• #3: Hammer only one row next to victim row
43 Daniel Gruss — Graz University of Technology
![Page 234: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/234.jpg)
Hammering techniques www.tugraz.at
• There are two different hammering techniques
• #1: Hammer one row next to victim row and other random rows
• #2: Hammer two rows neighboring victim row
• #3: Hammer only one row next to victim row
43 Daniel Gruss — Graz University of Technology
![Page 235: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/235.jpg)
Hammering techniques www.tugraz.at
• There are three different hammering techniques
• #1: Hammer one row next to victim row and other random rows
• #2: Hammer two rows neighboring victim row
• #3: Hammer only one row next to victim row
43 Daniel Gruss — Graz University of Technology
![Page 236: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/236.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
44 Daniel Gruss — Graz University of Technology
![Page 237: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/237.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
44 Daniel Gruss — Graz University of Technology
![Page 238: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/238.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
44 Daniel Gruss — Graz University of Technology
![Page 239: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/239.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1activate
44 Daniel Gruss — Graz University of Technology
![Page 240: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/240.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
44 Daniel Gruss — Graz University of Technology
![Page 241: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/241.jpg)
#1 - Single-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 1 1 1 0 1 0 1 1 1 1
bit flips
44 Daniel Gruss — Graz University of Technology
![Page 242: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/242.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
45 Daniel Gruss — Graz University of Technology
![Page 243: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/243.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
45 Daniel Gruss — Graz University of Technology
![Page 244: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/244.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
45 Daniel Gruss — Graz University of Technology
![Page 245: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/245.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
45 Daniel Gruss — Graz University of Technology
![Page 246: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/246.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
45 Daniel Gruss — Graz University of Technology
![Page 247: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/247.jpg)
#2 - Double-sided hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
1 0 1 1 1 1 1 0 1 0 1 1 1 1
bit flips
45 Daniel Gruss — Graz University of Technology
![Page 248: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/248.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
46 Daniel Gruss — Graz University of Technology
![Page 249: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/249.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
46 Daniel Gruss — Graz University of Technology
![Page 250: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/250.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
46 Daniel Gruss — Graz University of Technology
![Page 251: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/251.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
46 Daniel Gruss — Graz University of Technology
![Page 252: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/252.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
activate
46 Daniel Gruss — Graz University of Technology
![Page 253: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/253.jpg)
#3 - One-location hammering www.tugraz.at
DRAM bank
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 1 1 1 0 1 0 1 1 1 1
bit flips
46 Daniel Gruss — Graz University of Technology
![Page 254: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/254.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 255: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/255.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 256: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/256.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 257: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/257.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 258: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/258.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 259: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/259.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 260: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/260.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 261: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/261.jpg)
How to exploit random bit flips? www.tugraz.at
• They are not random → highly reproducible flip pattern!
1. Choose a data structure that you can place at arbitrary memory
locations
2. Scan for “good” flips
3. Place data structure there
4. Trigger bit flip again
47 Daniel Gruss — Graz University of Technology
![Page 262: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/262.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 263: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/263.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 264: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/264.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 265: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/265.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 266: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/266.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 267: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/267.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 268: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/268.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 269: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/269.jpg)
What if we cannot target kernel pages? www.tugraz.at
• Many applications perform actions as root
• They can be used by unprivileged users as well
• sudo
48 Daniel Gruss — Graz University of Technology
![Page 270: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/270.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
HLT1 1 1 1 0 1 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 271: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/271.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
XORB0 0 1 1 0 1 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 272: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/272.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
PUSHQ0 1 0 1 0 1 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 273: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/273.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 274: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/274.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
JL0 1 1 1 1 1 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 275: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/275.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
JO0 1 1 1 0 0 0 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 276: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/276.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
JBE0 1 1 1 0 1 1 0
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 277: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/277.jpg)
Opcode Flipping - Conditional Jump www.tugraz.at
JE0 1 1 1 0 1 0 0
JNE0 1 1 1 0 1 0 1
<prefix>0 1 1 0 0 1 0 0
49 Daniel Gruss — Graz University of Technology
![Page 278: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/278.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 279: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/279.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 280: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/280.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 281: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/281.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 282: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/282.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 283: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/283.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 284: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/284.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 285: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/285.jpg)
ECC memory vs. refresh rate www.tugraz.at
Apple had a great idea:
• lowering the refresh rate saves energy but produces more bit flips
→ use ECC memory to mitigate bit flips
• in the end: it’s an optimization problem.
• too aggressive? bit flips will be possible
• too cautious? waste of energy
• what if the “too aggressive” changes over time?
• what if attackers come up with slightly better attacks?
→ difficult to optimize with an intelligent adversary
50 Daniel Gruss — Graz University of Technology
![Page 286: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/286.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 287: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/287.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto
→ “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 288: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/288.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 289: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/289.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR
→ “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 290: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/290.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 291: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/291.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone
→ “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 292: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/292.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 293: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/293.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks
→ “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 294: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/294.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 295: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/295.jpg)
What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
• Rowhammer attacks → “only affects cheap sub-standard modules”
→ for years we solely optimized for performance
51 Daniel Gruss — Graz University of Technology
![Page 296: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/296.jpg)
When you read the manuals... www.tugraz.at
After learning about a side channel you realize:
• the side channels were documented in the Intel manual
• only now we understand the implications
52 Daniel Gruss — Graz University of Technology
![Page 297: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/297.jpg)
When you read the manuals... www.tugraz.at
After learning about a side channel you realize:
• the side channels were documented in the Intel manual
• only now we understand the implications
52 Daniel Gruss — Graz University of Technology
![Page 298: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/298.jpg)
When you read the manuals... www.tugraz.at
After learning about a side channel you realize:
• the side channels were documented in the Intel manual
• only now we understand the implications
52 Daniel Gruss — Graz University of Technology
![Page 299: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/299.jpg)
What do we learn from it? www.tugraz.at
Motor Vehicle Deaths in U.S. by Year
53 Daniel Gruss — Graz University of Technology
![Page 300: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/300.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 301: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/301.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 302: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/302.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 303: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/303.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 304: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/304.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 305: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/305.jpg)
Attacks vs. Defenses www.tugraz.at
• moral obligation to invest more time on defenses than on attacks
• dangerous: we overlooked Meltdown and Spectre for decades
• we don’t know all problems. do we know at least the most important subset?
• are we hammering on a small subset of problems and forgot about the bigger picture?
54 Daniel Gruss — Graz University of Technology
![Page 306: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/306.jpg)
Conclusions www.tugraz.at
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction industry)
• dedicate more time into identifying problems and not solely in
mitigating known problems
55 Daniel Gruss — Graz University of Technology
![Page 307: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/307.jpg)
Conclusions www.tugraz.at
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction industry)
• dedicate more time into identifying problems and not solely in
mitigating known problems
55 Daniel Gruss — Graz University of Technology
![Page 308: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/308.jpg)
Conclusions www.tugraz.at
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction industry)
• dedicate more time into identifying problems and not solely in
mitigating known problems
55 Daniel Gruss — Graz University of Technology
![Page 309: SCIENCE PASSION TECHNOLOGY · SCIENCE PASSION TECHNOLOGY Microarchitectural Attacks: From the Basics to Arbitrary Read and Write Primitives without any Software Bugs Daniel Gruss](https://reader033.vdocument.in/reader033/viewer/2022041423/5e2057a3881cc37d9075e73a/html5/thumbnails/309.jpg)
SCIENCE PASSION TECHNOLOGY
Microarchitectural Attacks:
From the Basics to Arbitrary Read and Write Primitives without any Software Bugs
Daniel Gruss
June 19, 2018
Graz University of Technology
56 Daniel Gruss — Graz University of Technology