Wintel Hell II: Melting point - Martin Hron [AVAST]

Transcript

1. Wintel Hell Melting point Martin Hron, research @ avast

2. Matter of trust 2

3. Matter of trust : evolution 3 29,000 3,400,000,000 2 317,900

   Intel 8086 @ 5MHz Core i7 6950X @ 3GHz 10 cores 40 years MIPS transistors

4. Matter of trust • Do you trust your CPU? •

   Complex beasts with microcode, simultaneous processing and state machines • Do you read CPU manual when doing low level stuff? • Have you ever read errata? 4

5. Matter of trust : flashback : Security Session 2016 5

6. Matter of trust 6 HASWELL errata has 173 items on

   6 pages Most of them have NO FIX

7. Matter of trust 7 RARE CONDITIONS ARE RARE UNTIL YOU

   LEARN HOW TO REPRODUCE THEM

8. Matter of trust : evolution 8 Intel 8086 Haswell

9. 9 BASICS

10. Basics : virtual memory 10 virtual address space USER MODE

    KERNEL physical address space kernel page 200-249 user pages 150-199 user pages 50-99 physical frames 0-49 physical frames 50-99 physical frames 100-149 user pages 100-149 user pages 0-49 kernel page 250-299 physical frames 150-199 PAGE TABLES TLB CACHE

11. dependency in-order out-of-order Basics: In-order / out-of-order execution 11 R1

    <- R4 / R7 R8 <- R1 + R2 R5 <- R5 + 1 R6 <- R6 – R3 R4 <- R5 + R6 R7 <- R8 * R4 1 2 3 4 5 6 1 2 3 4 5 6 2 3 4 5 6 1 2 3 4 5 6 1

12. Basics : speculative and out-of order execution : reason 12

13. Discovered bugs 13 CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 BOUND S CHECK BYPASS

    ROGUE DATA CACHE LOAD BRANCH TARGET INJECTION

14. 14 CVE-2017-5754

15. Meltdown : prerequisites 15 • Intel CPU, some IBM Power

    and ARM CPUs affected • Big array of 256 x 4K items - bigblock • Kernel address kernel_addr from which we want to read secret_kernel_byte MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]

16. Meltdown : in order execution, single pipeline 16 read secret_kernel_byte

    check permission abort the read! read bigblock [ secret_kernel_byte ] MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]

17. Meltdown : out-of-order execution 17 read from kernel_addr secret_kernel_byte check

    permission abort the read! read bigblock [ secret_kernel_byte ] Cache bigblock[skb] Cache contains bigblock[skb] MOV RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ]

18. FlashBack: TSX – Security Session 2016 18

19. Meltdown : TSX to inhibit exception 19 XBEGIN L1 MOV

    RBX, BIGBLOCK XOR EAX, EAX MOV AL, BYTE PTR [ KERNEL_ADDR ] SHL RAX, 12 MOV AL, [ RAX + RBX ] XEND L1:

20. Side channel attack In computer security, a side-channel attack is

    any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself . Wikipedia 20 L3 cache on Hasswell-E

21. Side channel attack : story of caches 21 • L1/L2/L3

    Caches • To lower memory – CPU speed gap • There is no instruction that can read specific cache line or tell you if there is data inside cache • However you can flush specific VA address (or cache line) from cache by CLFLUSH instruction • How could we learn what is inside cache?

22. Intermezzo : everything is about right timing 22 MOV AL,

    BYTE PTR [ADDR ] 42 ADDR MOV AL, BYTE PTR [ADDR ] DRAM L3 L1/2 XX XX 42 XX XX ADDR 42 XX XX ADDR Time: T2 Time: T1

23. Intermezzo : everything is about right timing 23 Time t-hit:

    T2 Time t-miss: T1 >

24. Side channel attack : final plan 24 4K item 4K

    item … 256x 0 1 2 bigblock CLFLUSH idx unknown byte at kernel_addr secret_kernel_byte get start time access idx get stop time if stop-start ~ t-hit idx = idx + 1 secret_kernel_byte = idx kernel_addr idx = <0..255> NO YES … Use its value as an index to bigblock

25. 25 CVE-2017-5715 CVE-2017-5753

26. Spectre – bounds check bypass • Leverages speculative execution to

    access memory out of bounds of an array • If array1_size is not in cache, CPU has time enough to speculate and speculatively executes inner part of the condition no matter what is the value of x • That loads item from array2 to cache based on value of array1[x] where x can be anything 26 if (x < array1_size) { junk &= array2[array1[x] * 512]; }

27. Spectre – indirect branch target injection • Manipulating branch predictor

    to speculative execute gadget of interest • Training branch predictor to jump to your desired target • The CPU before the legit code is executed speculatively runs your malgadget 27 JMP [ R11 ] branch predictor + MOV R11,malgadget JMP [ R11 ] repeat 1000x [ R11 ]: LEGIT CODE [malgadget]: ROGUE CODE SPECULATES

28. 28 FIXES WORKAROUNDS

29. Workarounds • Not easy to fix, the only proper fix

    is on silicon • In case of Spectre, it is an architectural problem • Meltdown – easy to fix , workarounds for most OSes available • Intel deploying microcode updates, but not all CPUs and not all variants of Spectre can be easily treated • Running 286 on 16MHz? You are safe :D 29

30. virtual Workarounds : meltdown : KVAS and KPTI • Same

    concept , complete isolation of kernel and user space mappings • Induces some performance cost as page tables have to be switched and TLB flushed 30 virtual physical virtual mode = kernel, user mode = user KERNEL MAPPED PAGES USER MAPPED PAGES mode = kernel virtual mode = kernel, user KERNEL MAPPED PAGES USER MAPPED PAGES USER MAPPED PAGES USER MAPPED PAGES KERNEL MAPPED PAGES standard model KVAS and KPTI

31. Workarounds : meltdown : KVAS and KPTI • Best solution

    against Meltdown, brings performance overhead up to 30% • Bigger performance hit with higher rate of syscalls and need of switching to privileged mode. • On modern CPUs with support of ASID or PCID (Address Space IDs or Processor-Context ID). Performance can be nearly “native” because TLB can be flushed only per address space 31

32. Workarounds : Spectre : retpoline • A Branch Target Injection

    mitigation invented by Google using RSB • Software based -> needs recompilation • Upcoming support in gcc -mindirect-branch=thunk-extern 32 JMP [ R11 ] CALL LOAD CAPTURE: PAUSE JMP CAPTURE LOAD: MOV [ RSP ], R11 RET

33. Workarounds : microcode updates • CPUID AX=0x7, return RDX.26 to

    indicate presence of this feature • IA32_SPEC_CTRL (0x48) and IA32_PRED_CMD (0x49) • IA32_SPEC_CTRL, bit0 – Indirect Branch Restricted Speculation (IBRS) • IA32_PRED_CMD, bit0 – Indirect Branch Prediction Barrier (IBPB) • IBRS - Indirect Branch Restricted Speculation If IBRS is set, near returns and near indirect jumps/calls will not allow their predicted target address to be controlled by code that executed in a less privileged prediction mode before the IBRS mode was last written with a value of 1 • STIBP - Single Thread Indirect Branch Predictors ( RDX.27 ). Stops sharing predictor cache between physical threads. • IBPB - Indirect Branch Predictor Barrier Setting of IBPB ensures that earlier code's behavior does not control later indirect branch predictions. It is used when context switching to new untrusted address space. 33

34. 34 They do literally insane things. They do things that

    do not make sense ... The patches do things that are not sane. WHAT THE F*CK IS GOING ON? Linus Torvalds

35. Fix that has fixed a bug and now has to

    be fixed 35

36. Page tables accessible from user mode • Affected version Windows

    7 x64, Windows 2008R2 • CVE-2018-1038 • Delivered via updates 2018-01, 2018-02 • Self referenced base entry for PML4 mapped and accessible in user mode • Allows to read whole physical memory without any special privileges 36

37. Page tables accessible from user mode 37 0xFFFFF6FB7DBED000 virtual address

    space physical address space kernel page 200-249 user pages 150-199 user pages 50-99 physical frames 0-49 physical frames 50-99 physical frames 100-149 user pages 100-149 user pages 0-49 kernel page 250-299 physical frames 150-199 PAGE TABLES TLB CACHE

38. Conclusion • This will haunt us for a long time

    • Every system is as safe as it’s weakest part • Hardware is not an exception • CPUs neither • Race for performance may induce unexpected behaviours • There are more versions of these bugs: SGXSpectre 38

39. Thank you for your attention! Ask and I’ll try to

    answer…. Martin Hron @thinkcz [email protected] , [email protected]