Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Wintel Hell II: Melting point - Martin Hron [AV...

Wintel Hell II: Melting point - Martin Hron [AVAST]

Ongoing series of talks about interesting CPU, OS features and issues. This talk is going to explain the big two security bugs from the beginning of this year. We are going to focus on the downside of constant speeding up and increasing CPU complexity. These particular bugs are in fact design flaws which are present in the most modern CPUs. Meet Spectre and Meltdown. I'll explain in detail how do they work, where the problem is, what the risks are, how they have been "patched" a what can be done about it in the future. #securitysession2018

SecuritySession

April 07, 2018
Tweet

More Decks by SecuritySession

Other Decks in Technology

Transcript

  1. Matter of trust : evolution 3 29,000 3,400,000,000 2 317,900

    Intel 8086 @ 5MHz Core i7 6950X @ 3GHz 10 cores 40 years MIPS transistors
  2. Matter of trust • Do you trust your CPU? •

    Complex beasts with microcode, simultaneous processing and state machines • Do you read CPU manual when doing low level stuff? • Have you ever read errata? 4
  3. Matter of trust 6 HASWELL errata has 173 items on

    6 pages Most of them have NO FIX
  4. Basics : virtual memory 10 virtual address space USER MODE

    KERNEL physical address space kernel page 200-249 user pages 150-199 user pages 50-99 physical frames 0-49 physical frames 50-99 physical frames 100-149 user pages 100-149 user pages 0-49 kernel page 250-299 physical frames 150-199 PAGE TABLES TLB CACHE
  5. dependency in-order out-of-order Basics: In-order / out-of-order execution 11 R1

    <- R4 / R7 R8 <- R1 + R2 R5 <- R5 + 1 R6 <- R6 – R3 R4 <- R5 + R6 R7 <- R8 * R4 1 2 3 4 5 6 1 2 3 4 5 6 2 3 4 5 6 1 2 3 4 5 6 1
  6. Meltdown : prerequisites 15 • Intel CPU, some IBM Power

    and ARM CPUs affected • Big array of 256 x 4K items - bigblock • Kernel address kernel_addr from which we want to read secret_kernel_byte MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]
  7. Meltdown : in order execution, single pipeline 16 read secret_kernel_byte

    check permission abort the read! read bigblock [ secret_kernel_byte ] MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]
  8. Meltdown : out-of-order execution 17 read from kernel_addr secret_kernel_byte check

    permission abort the read! read bigblock [ secret_kernel_byte ] Cache bigblock[skb] Cache contains bigblock[skb] MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]
  9. Meltdown : TSX to inhibit exception 19 XBEGIN L1 MOV

    RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ] XEND L1:
  10. Side channel attack In computer security, a side-channel attack is

    any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself . Wikipedia 20 L3 cache on Hasswell-E
  11. Side channel attack : story of caches 21 • L1/L2/L3

    Caches • To lower memory – CPU speed gap • There is no instruction that can read specific cache line or tell you if there is data inside cache • However you can flush specific VA address (or cache line) from cache by CLFLUSH instruction • How could we learn what is inside cache?
  12. Intermezzo : everything is about right timing 22 MOV AL,

    BYTE PTR [ADDR ] 42 ADDR MOV AL, BYTE PTR [ADDR ] DRAM L3 L1/2 XX XX 42 XX XX ADDR 42 XX XX ADDR Time: T2 Time: T1
  13. Side channel attack : final plan 24 4K item 4K

    item … 256x 0 1 2 bigblock CLFLUSH idx unknown byte at kernel_addr secret_kernel_byte get start time access idx get stop time if stop-start ~ t-hit idx = idx + 1 secret_kernel_byte = idx kernel_addr idx = <0..255> NO YES … Use its value as an index to bigblock
  14. Spectre – bounds check bypass • Leverages speculative execution to

    access memory out of bounds of an array • If array1_size is not in cache, CPU has time enough to speculate and speculatively executes inner part of the condition no matter what is the value of x • That loads item from array2 to cache based on value of array1[x] where x can be anything 26 if (x < array1_size) { junk &= array2[array1[x] * 512]; }
  15. Spectre – indirect branch target injection • Manipulating branch predictor

    to speculative execute gadget of interest • Training branch predictor to jump to your desired target • The CPU before the legit code is executed speculatively runs your malgadget 27 JMP [ R11 ] branch predictor + MOV R11,malgadget JMP [ R11 ] repeat 1000x [ R11 ]: LEGIT CODE [malgadget]: ROGUE CODE SPECULATES
  16. Workarounds • Not easy to fix, the only proper fix

    is on silicon • In case of Spectre, it is an architectural problem • Meltdown – easy to fix , workarounds for most OSes available • Intel deploying microcode updates, but not all CPUs and not all variants of Spectre can be easily treated • Running 286 on 16MHz? You are safe :D 29
  17. virtual Workarounds : meltdown : KVAS and KPTI • Same

    concept , complete isolation of kernel and user space mappings • Induces some performance cost as page tables have to be switched and TLB flushed 30 virtual physical virtual mode = kernel, user mode = user KERNEL MAPPED PAGES USER MAPPED PAGES mode = kernel virtual mode = kernel, user KERNEL MAPPED PAGES USER MAPPED PAGES USER MAPPED PAGES USER MAPPED PAGES KERNEL MAPPED PAGES standard model KVAS and KPTI
  18. Workarounds : meltdown : KVAS and KPTI • Best solution

    against Meltdown, brings performance overhead up to 30% • Bigger performance hit with higher rate of syscalls and need of switching to privileged mode. • On modern CPUs with support of ASID or PCID (Address Space IDs or Processor-Context ID). Performance can be nearly “native” because TLB can be flushed only per address space 31
  19. Workarounds : Spectre : retpoline • A Branch Target Injection

    mitigation invented by Google using RSB • Software based -> needs recompilation • Upcoming support in gcc -mindirect-branch=thunk-extern 32 JMP [ R11 ] CALL LOAD CAPTURE: PAUSE JMP CAPTURE LOAD: MOV [ RSP ], R11 RET
  20. Workarounds : microcode updates • CPUID AX=0x7, return RDX.26 to

    indicate presence of this feature • IA32_SPEC_CTRL (0x48) and IA32_PRED_CMD (0x49) • IA32_SPEC_CTRL, bit0 – Indirect Branch Restricted Speculation (IBRS) • IA32_PRED_CMD, bit0 – Indirect Branch Prediction Barrier (IBPB) • IBRS - Indirect Branch Restricted Speculation If IBRS is set, near returns and near indirect jumps/calls will not allow their predicted target address to be controlled by code that executed in a less privileged prediction mode before the IBRS mode was last written with a value of 1 • STIBP - Single Thread Indirect Branch Predictors ( RDX.27 ). Stops sharing predictor cache between physical threads. • IBPB - Indirect Branch Predictor Barrier Setting of IBPB ensures that earlier code's behavior does not control later indirect branch predictions. It is used when context switching to new untrusted address space. 33
  21. 34 They do literally insane things. They do things that

    do not make sense ... The patches do things that are not sane. WHAT THE F*CK IS GOING ON? Linus Torvalds
  22. Page tables accessible from user mode • Affected version Windows

    7 x64, Windows 2008R2 • CVE-2018-1038 • Delivered via updates 2018-01, 2018-02 • Self referenced base entry for PML4 mapped and accessible in user mode • Allows to read whole physical memory without any special privileges 36
  23. Page tables accessible from user mode 37 0xFFFFF6FB7DBED000 virtual address

    space physical address space kernel page 200-249 user pages 150-199 user pages 50-99 physical frames 0-49 physical frames 50-99 physical frames 100-149 user pages 100-149 user pages 0-49 kernel page 250-299 physical frames 150-199 PAGE TABLES TLB CACHE
  24. Conclusion • This will haunt us for a long time

    • Every system is as safe as it’s weakest part • Hardware is not an exception • CPUs neither • Race for performance may induce unexpected behaviours • There are more versions of these bugs: SGXSpectre 38