ARMageddon: Cache Attacks on Mobile Devices · 2019-12-18
TRANSCRIPT
www.iaik.tugraz.at
ARMageddon: Cache Attacks on Mobile Devices
Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clementine Maurice, Stefan Mangard
Graz University of Technology
August 11, 2016 — Usenix Security 2016
Daniel Gruss, Graz University of Technology, August 11, 2016 — Usenix Security 2016
TLDR
powerful cache attacks (like Flush+Reload) on x86
why not on ARM?
We identified and solved challenges systematically to:
make all cache attack techniques applicable to ARM
monitor user activity
attack weak Android crypto
show that ARM TrustZone leaks through the cache
What is a cache attack? (1)
[Figure: histogram of the number of accesses (logarithmic axis) over the access time in CPU cycles (50 to 400); series: cache hits, cache misses]
What is a cache attack? (2)
Cache attack techniques
Most important techniques:
Flush+Reload
Prime+Probe
Both work on the last-level cache → across cores
Flush+Reload
[Diagram: attacker address space, cache, victim address space; labels: cached, flushes, loads data, reloads data]
step 0: attacker maps shared library → shared memory, shared in cache
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
step 3: attacker reloads data → fast access if the victim loaded the line
Prime+Probe
[Diagram: attacker address space, cache, victim address space; labels: loads data, fast access, slow access]
step 0: attacker fills the cache (prime)
step 1: victim evicts cache lines while performing encryption
step 2: attacker probes data to determine if the set was accessed
Caches on Intel CPUs
[Diagram: cores 0 to 3, each with its own L1 and L2, above L3 slices 0 to 3]
last-level cache (L3):
shared
inclusive
= shared memory is shared in cache, across cores!
Caches on ARM Cortex-A CPUs
[Diagram: cores 0 to 3, each with its own L1, and one L2]
last-level cache (L2):
shared
but not inclusive
= shared memory not in L2 is not shared in cache
Challenge #1: non-inclusive caches
Modern ARM SoCs
big.LITTLE architecture (A53 + A57)
→ multiple CPUs with no shared cache
Challenge #2: no shared cache
Cache maintenance
Instructions to enforce memory coherency
x86: unprivileged clflush
until ARMv7-A: n/a
ARMv8-A: kernel can unlock a flush instruction for userspace
Challenge #3: no flush instruction
Cache eviction
targeted cache eviction on ARM can be complicated:
existing approaches introduce much noise
pseudo-random replacement policy
unclear how randomness affects existing approaches
Challenge #4: perform fast & reliable cache eviction
Timing measurements
x86: rdtsc provides unprivileged access to cycle count
ARM: existing attacks require access to privileged mode cycle counter
Challenge #5: find unprivileged highly accurate timing sources
Challenges
#1: non-inclusive caches
#2: no shared cache
#3: no flush
#4: random eviction
#5: no unprivileged timing
Solving #1: non-inclusive caches
Attacking instruction-inclusive data-non-inclusive caches
[Diagram: core 0 and core 1, each with L1I and L1D, above the L2 unified cache; labels: Sets]
Solving #1: non-inclusive caches
What about entirely non-inclusive caches?
cache coherency protocol
fetches data from remote cores instead of DRAM
→ remote cache hits
Solving #1: non-inclusive caches
What about entirely non-inclusive caches?
[Diagram: core 0 and core 1, each with L1I and L1D, above the L2 unified cache; labels: Sets, evict to DRAM]
Solving #1: non-inclusive caches
[Figure: histogram of the number of accesses (×10^4) over the measured access time in CPU cycles (OnePlus One), 0 to 1,000; series: Hit (same core), Hit (cross-core), Miss (same core), Miss (cross-core)]
Solving #2: no shared cache
Multiple CPUs with no shared cache
again: cache coherency protocol
fetches data from remote CPUs instead of DRAM
keep local L2 filled to increase probability of remote L1/L2 eviction
timing difference between local and remote still small enough
Solving #3: no flush
idea: replace flush instruction with cache eviction
Flush+Reload → Evict+Reload (works on x86)
but: cache eviction is slow and can be unreliable
unless you know how to evict
central idea of our Rowhammer.js paper
Solving #4: random eviction
| unique addr. | # accesses | Cycles | Eviction rate |
|---|---|---|---|
| 48 | 48 | 6 517 | 70.8% |
| 800 | 800 | 142 876 | 99.1% |
| 23 | 50 | 6 209 | 100.0% |
| 22 | 102 | 5 101 | 100.0% |
| 21 | 96 | 4 275 | 99.9% |

(on the Alcatel One Touch Pop 2)
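To make the question of how randomness affects eviction concrete, the following added example (not from the slides or the authors' code) models a single cache set with a pseudo-random replacement policy and estimates how often a target line is evicted for a given number of unique congruent addresses and total accesses. The 16-way associativity, the cyclic access pattern and the PRNG are assumptions of the model, and it does not reproduce the rates measured in the table.

```c
#include <stdint.h>
#include <stdio.h>

#define WAYS   16      /* assumed associativity of the modelled cache set */
#define TRIALS 20000   /* Monte Carlo repetitions per configuration */

/* Small deterministic PRNG standing in for the hardware's pseudo-random
 * victim selection (an assumption; real policies are undocumented). */
static uint32_t rng_state = 0x2545F491u;
static uint32_t xorshift32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}
static int random_way(void) { return (int)((xorshift32() >> 16) % WAYS); }

/* Access one line of the set: a hit changes nothing, a miss overwrites a
 * pseudo-randomly chosen way. */
static void access_line(int set[WAYS], int tag) {
    for (int w = 0; w < WAYS; w++)
        if (set[w] == tag) return;
    set[random_way()] = tag;
}

/* Fraction of trials in which the target line (tag 0) has left the set after
 * `accesses` accesses cycling over `unique` congruent addresses. */
double eviction_rate(int unique, int accesses) {
    int evicted = 0;
    for (int t = 0; t < TRIALS; t++) {
        int set[WAYS], present = 0;
        for (int w = 0; w < WAYS; w++) set[w] = -1 - w;  /* unrelated lines */
        set[random_way()] = 0;                           /* target is cached */
        for (int i = 0; i < accesses; i++)
            access_line(set, 1 + i % unique);
        for (int w = 0; w < WAYS; w++) present |= (set[w] == 0);
        evicted += !present;
    }
    return (double)evicted / TRIALS;
}

int main(void) {
    /* Constructed configurations, not the ones measured on the slide. */
    const int cfg[][2] = { {16, 16}, {16, 160}, {32, 32}, {32, 96} };
    puts("unique  accesses  eviction rate");
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        printf("%6d  %8d  %12.1f%%\n", cfg[i][0], cfg[i][1],
               100.0 * eviction_rate(cfg[i][0], cfg[i][1]));
    return 0;
}
```

In this model a single pass over as many addresses as the set has ways leaves the target cached in roughly a third of the trials, because every miss removes it only with probability 1/16.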
Solving #5: no unprivileged timing
Comparison of 4 different measurement techniques
performance counter (privileged)
perf_event_open (syscall, unprivileged)
clock_gettime (unprivileged)
thread counter (multithreaded, unprivileged)
Solving #5: no unprivileged timing
[Figure: histogram of the number of accesses (×10^4) over the measured access time (scaled), 0 to 200; series: Hit and Miss for each of PMCCNTR, syscall (×.25), clock_gettime (×.15), counter thread (×.05)]
Flush+Flush on the Samsung Galaxy S6
[Figure: histogram of the number of cases (×10^4) over the measured execution time in CPU cycles, 0 to 600; series: Flush (address cached), Flush (address not cached)]
Prime+Probe on the Alcatel One Touch Pop 2
[Figure: histogram of cases (0% to 40%) over the execution time in CPU cycles, 1,800 to 3,400; series: Victim access, No victim access]
Covert channels on Android
| Work | Type | Bandwidth [bps] | Error rate |
|---|---|---|---|
| Ours (Samsung Galaxy S6) | Flush+Reload, cross-core | 1 140 650 | 1.10% |
| Ours (Samsung Galaxy S6) | Flush+Reload, cross-CPU | 257 509 | 1.83% |
| Ours (Samsung Galaxy S6) | Flush+Flush, cross-core | 178 292 | 0.48% |
| Ours (Alcatel One Touch Pop 2) | Evict+Reload, cross-core | 13 618 | 3.79% |
| Ours (OnePlus One) | Evict+Reload, cross-core | 12 537 | 5.00% |
| Marforio et al. | Type of Intents | 4 300 | – |
| Marforio et al. | UNIX socket discovery | 2 600 | – |
| Schlegel et al. | File locks | 685 | – |
| Schlegel et al. | Volume settings | 150 | – |
| Schlegel et al. | Vibration settings | 87 | – |
Cache template attacks (CTA)
[Figure: cache template matrix; x-axis: Addresses, y-axis: Event (text, tap, swipe, longpress, key)]
Cache template matrix for libinput.so (on an Alcatel One Touch Pop 2)
Cache template attacks (CTA)
[Figure: cache template matrix; x-axis: Addresses, y-axis: Input (backspace, space, enter, alphabet)]
Cache template matrix for the default AOSP keyboard (on a Samsung Galaxy S6)
CTA: taps and swipes
[Figure: access time (50 to 200) over time in seconds (0 to 18); annotated events in order: Tap, Tap, Tap, Swipe, Swipe, Swipe, Tap, Tap, Tap, Swipe, Swipe]
measured on an Alcatel One Touch Pop 2
CTA: taps and swipes
[Figure: access time (200 to 400) over time in seconds (0 to 9); annotated events in order: Tap, Tap, Tap, Swipe, Swipe, Swipe]
measured on a Samsung Galaxy S6
CTA: taps and swipes
[Figure: access time (200 to 800) over time in seconds (0 to 7); annotated events in order: Tap, Tap, Tap, Swipe, Swipe, Swipe]
measured on a OnePlus One
CTA: distinguishing keys
[Figure: access time (100 to 300) over time in seconds (0 to 7); annotated input in order: t h i s Space i s Space a Space m e s s a g e; series: Key, Space]
Bouncy Castle
a widely used crypto library
WhatsApp, ...
uses a T-table implementation
Attacking Bouncy Castle
[Figure: two panels, each plotting Address over Plaintext byte values (0x00 to 0xF0)]
Evict+Reload (Alcatel) vs. Flush+Reload (Samsung)
Attacking Bouncy Castle with Prime+Probe (Alcatel)
[Figure: Offset (0x240 to 0x3C0) over Plaintext byte values (0x00 to 0xF0)]
Leakage from ARM TrustZone (RSA signatures)
[Figure: probing time in CPU cycles (×10^6) over set number (250 to 350); series: Valid key 1, Valid key 2, Valid key 3, Invalid key]
Conclusions
all the powerful cache attacks applicable to smartphones
monitor user activity with high accuracy
derive crypto keys
ARM TrustZone leaks through the cache