
ARMageddon: Cache Attacks on Mobile Devices

Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clementine Maurice, Stefan Mangard

Graz University of Technology

August 11, 2016 — Usenix Security 2016

Daniel Gruss, Graz University of Technology, August 11, 2016 — Usenix Security 2016


TLDR

powerful cache attacks (like Flush+Reload) on x86

why not on ARM?

We identified and solved challenges systematically to:

make all cache attack techniques applicable to ARM

monitor user activity

attack weak Android crypto

show that ARM TrustZone leaks through the cache


What is a cache attack? (1)

[Figure: histogram of the number of accesses (y-axis) over access time in CPU cycles (x-axis); series: cache hits, cache misses]


What is a cache attack? (2)


Cache attack techniques

Most important techniques:

Flush+Reload

Prime+Probe

Both work on the last-level cache → across cores


Flush+Reload

[Diagram: attacker address space, cache and victim address space]

step 0: attacker maps shared library → shared memory, shared in cache

step 1: attacker flushes the shared line

step 2: victim loads data while performing encryption

step 3: attacker reloads data → fast access if the victim loaded the line


Prime+Probe

[Diagram: attacker address space, cache and victim address space; the probe is labelled "fast access" or "slow access"]

step 0: attacker fills the cache (prime)

step 1: victim evicts cache lines while performing encryption

step 2: attacker probes data to determine if the set was accessed


Caches on Intel CPUs

[Diagram: four cores (core 0 to core 3), each with private L1 and L2 caches, and an L3 cache divided into four slices (slice 0 to slice 3)]

last-level cache (L3):

shared

inclusive

= shared memory is shared in cache, across cores!


Caches on ARM Cortex-A CPUs

[Diagram: four cores (core 0 to core 3), each with a private L1 cache, and one L2 cache]

last-level cache (L2):

shared

but not inclusive

= shared memory not in L2 is not shared in cache

Challenge #1: non-inclusive caches


Modern ARM SoCs

big.LITTLE architecture (A53 + A57)

→ multiple CPUs with no shared cache

Challenge #2: no shared cache


Cache maintenance

Instructions to enforce memory coherency

x86: unprivileged clflush

until ARMv7-A: n/a

ARMv8-A: kernel can unlock a flush instruction for userspace

Challenge #3: no flush instruction


Cache eviction

targeted cache eviction on ARM can be complicated:

existing approaches introduce much noise

pseudo-random replacement policy

unclear how randomness affects existing approaches

Challenge #4: perform fast & reliable cache eviction


Timing measurements

x86: rdtsc provides unprivileged access to cycle count

ARM: existing attacks require access to privileged mode cycle counter

Challenge #5: find unprivileged highly accurate timing sources


Challenges

#1: non-inclusive caches

#2: no shared cache

#3: no flush

#4: random eviction

#5: no unprivileged timing


Solving #1: non-inclusive caches

Attacking instruction-inclusive data-non-inclusive caches

[Diagram: Core 0 and Core 1, each with L1I and L1D caches (sets), above a shared L2 unified cache (sets)]


What about entirely non-inclusive caches?

cache coherency protocol

fetches data from remote cores instead of DRAM

→ remote cache hits


[Diagram: Core 0 and Core 1, each with L1I and L1D caches (sets), above the L2 unified cache (sets); lines are evicted to DRAM]


[Figure: histogram of the number of accesses (y-axis) over measured access time in CPU cycles on the OnePlus One (x-axis, 0 to 1,000); series: Hit (same core), Hit (cross-core), Miss (same core), Miss (cross-core)]


Solving #2: no shared cache

Multiple CPUs with no shared cache

again: cache coherency protocol

fetches data from remote CPUs instead of DRAM

keep local L2 filled to increase probability of remote L1/L2 eviction

timing difference between local and remote still small enough


Solving #3: no flush

idea: replace flush instruction with cache eviction

Flush+Reload → Evict+Reload (works on x86)

but: cache eviction is slow and can be unreliable

unless you know how to evict

central idea of our Rowhammer.js paper


Solving #4: random eviction

| Unique addr. | # accesses | Cycles | Eviction rate |
|---|---|---|---|
| 48 | 48 | 6 517 | 70.8% |
| 800 | 800 | 142 876 | 99.1% |
| 23 | 50 | 6 209 | 100.0% |
| 22 | 102 | 5 101 | 100.0% |
| 21 | 96 | 4 275 | 99.9% |

(on the Alcatel One Touch Pop 2)


Solving #5: no unprivileged timing

Comparison of 4 different measurement techniques

performance counter (privileged)

perf_event_open (syscall, unprivileged)

clock_gettime (unprivileged)

thread counter (multithreaded, unprivileged)
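One way to check how much of this is available on a given Linux or Android build, as an added example (not code from the talk): it measures the smallest step clock_gettime actually delivers and interprets the perf_event_paranoid sysctl that gates unprivileged perf_event_open. The helper names are hypothetical, and level 3 is assumed to be the out-of-tree restriction carried by some distribution and Android kernels.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Current value of a POSIX clock in nanoseconds, or -1 on error. */
static long long now_ns(clockid_t clk)
{
    struct timespec ts;
    if (clock_gettime(clk, &ts) != 0)
        return -1;
    return (long long)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Resolution the kernel advertises for the clock, in ns, or -1 on error. */
static long long advertised_res_ns(clockid_t clk)
{
    struct timespec ts;
    if (clock_getres(clk, &ts) != 0)
        return -1;
    return (long long)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Smallest increment actually observed between consecutive readings.
 * This is the granularity an unprivileged process really gets. */
static long long min_step_ns(clockid_t clk, int samples)
{
    long long best = -1;
    for (int i = 0; i < samples; i++) {
        long long t0 = now_ns(clk), t1;
        if (t0 < 0)
            return -1;
        do {                      /* spin until the reading changes */
            t1 = now_ns(clk);
        } while (t1 == t0);
        if (t1 < 0)
            return -1;
        if (best < 0 || t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
}

/* Parse the sysctl text (for example "2\n"); INT_MIN if not a number. */
static int parse_paranoid(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || (*end != '\0' && *end != '\n') || v <= INT_MIN || v > INT_MAX)
        return INT_MIN;
    return (int)v;
}

/* Read the sysctl from a file; INT_MIN if it is missing or unreadable. */
static int read_paranoid(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f)
        return INT_MIN;
    int level = fgets(buf, sizeof buf, f) ? parse_paranoid(buf) : INT_MIN;
    fclose(f);
    return level;
}

/* Mainline levels -1..2 still let a process count events for its own
 * user-space code; level 3 (assumed out-of-tree patch) blocks the
 * syscall for unprivileged callers. Unknown (INT_MIN) reports 0. */
static int unprivileged_perf_allowed(int level)
{
    return level != INT_MIN && level < 3;
}

int main(void)
{
    int level = read_paranoid("/proc/sys/kernel/perf_event_paranoid");
    printf("clock_gettime advertised resolution: %lld ns\n",
           advertised_res_ns(CLOCK_MONOTONIC));
    printf("clock_gettime smallest observed step: %lld ns\n",
           min_step_ns(CLOCK_MONOTONIC, 1000));
    if (level == INT_MIN)
        printf("perf_event_paranoid: not readable\n");
    else
        printf("perf_event_paranoid=%d, unprivileged perf_event_open %s\n",
               level, unprivileged_perf_allowed(level) ? "allowed" : "blocked");
    return 0;
}
```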


[Figure: histogram of the number of accesses (y-axis) over measured access time (scaled; x-axis, 0 to 200); series: Hit and Miss for each timing source: PMCCNTR, syscall (×.25), clock_gettime (×.15), counter thread (×.05)]


Flush+Flush on the Samsung Galaxy S6

[Figure: histogram of the number of cases (y-axis) over measured execution time in CPU cycles (x-axis, 0 to 600); series: Flush (address cached), Flush (address not cached)]


Prime+Probe on the Alcatel One Touch Pop 2

[Figure: share of cases (y-axis, 0% to 40%) over execution time in CPU cycles (x-axis, 1,800 to 3,400); series: Victim access, No victim access]


Covert channels on Android

| Work | Type | Bandwidth [bps] | Error rate |
|---|---|---|---|
| Ours (Samsung Galaxy S6) | Flush+Reload, cross-core | 1 140 650 | 1.10% |
| Ours (Samsung Galaxy S6) | Flush+Reload, cross-CPU | 257 509 | 1.83% |
| Ours (Samsung Galaxy S6) | Flush+Flush, cross-core | 178 292 | 0.48% |
| Ours (Alcatel One Touch Pop 2) | Evict+Reload, cross-core | 13 618 | 3.79% |
| Ours (OnePlus One) | Evict+Reload, cross-core | 12 537 | 5.00% |
| Marforio et al. | Type of Intents | 4 300 | – |
| Marforio et al. | UNIX socket discovery | 2 600 | – |
| Schlegel et al. | File locks | 685 | – |
| Schlegel et al. | Volume settings | 150 | – |
| Schlegel et al. | Vibration settings | 87 | – |


Cache template attacks (CTA)

[Figure: cache template matrix for libinput.so (on an Alcatel One Touch Pop 2); x-axis: addresses; y-axis: events (key, longpress, swipe, tap, text)]


[Figure: cache template matrix for the default AOSP keyboard (on a Samsung Galaxy S6); x-axis: addresses; y-axis: input (alphabet, enter, space, backspace)]


CTA: taps and swipes

[Figure: access time (y-axis) over time in seconds (x-axis, 0 to 18), with the events Tap, Tap, Tap, Swipe, Swipe, Swipe, Tap, Tap, Tap, Swipe, Swipe marked; measured on an Alcatel One Touch Pop 2]


[Figure: access time (y-axis) over time in seconds (x-axis, 0 to 9), with the events Tap, Tap, Tap, Swipe, Swipe, Swipe marked; measured on a Samsung Galaxy S6]


[Figure: access time (y-axis) over time in seconds (x-axis, 0 to 7), with the events Tap, Tap, Tap, Swipe, Swipe, Swipe marked; measured on a OnePlus One]


CTA: distinguishing keys

[Figure: access time (y-axis) over time in seconds (x-axis, 0 to 7) while the input "t h i s Space i s Space a Space m e s s a g e" is typed; series: Key, Space]


Bouncy Castle

a widely used crypto library

WhatsApp, ...

uses a T-table implementation
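Why a T-table implementation leaks through the cache, and what a hardened lookup changes, as an added model in C (not code from the talk or from Bouncy Castle, which is written in Java). It records which cache lines one lookup reads instead of timing anything; the 64-byte line size, 4-byte entries, line-aligned table, table contents and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model assumptions (not from the slides): 64-byte cache lines, 4-byte
 * table entries, table aligned to a line boundary. */
#define ENTRIES          256u
#define ENTRIES_PER_LINE 16u                 /* 64 / 4 */

static uint32_t table[ENTRIES];   /* stand-in for one AES T-table */
static uint16_t touched;          /* bit i set: cache line i was read */
static int ready;

typedef uint32_t (*lookup_fn)(uint8_t p, uint8_t k);

/* Fill the table once with arbitrary, distinct constructed values. */
static void init_table(void)
{
    if (ready)
        return;
    for (uint32_t i = 0; i < ENTRIES; i++)
        table[i] = i * 0x9E3779B1u + 1u;
    ready = 1;
}

/* Every table read goes through here so the model can record the line. */
static uint32_t load(uint32_t idx)
{
    touched |= (uint16_t)(1u << (idx / ENTRIES_PER_LINE));
    return table[idx];
}

/* T-table style lookup: the index, and so the line, depends on p ^ k. */
static uint32_t lookup_leaky(uint8_t p, uint8_t k)
{
    return load((uint32_t)(p ^ k));
}

/* Hardened form: read every entry, keep one through a branch-free mask. */
static uint32_t lookup_ct(uint8_t p, uint8_t k)
{
    uint32_t want = (uint32_t)(p ^ k), r = 0;
    for (uint32_t i = 0; i < ENTRIES; i++) {
        uint32_t diff = i ^ want;                  /* 0 only when i == want */
        uint32_t mask = 0u - ((diff - 1u) >> 31);  /* all ones when diff == 0 */
        r |= load(i) & mask;
    }
    return r;
}

/* Cache lines read by one lookup, as a 16-bit set. */
static uint16_t footprint(lookup_fn f, uint8_t p, uint8_t k)
{
    init_table();
    touched = 0;
    (void)f(p, k);
    return touched;
}

/* Number of different footprints over all 256 key bytes for one fixed
 * plaintext byte. 1 means the access pattern says nothing about the key;
 * 16 means it reveals the upper four bits of the key byte. */
static unsigned distinct_footprints(lookup_fn f, uint8_t p)
{
    uint16_t seen[ENTRIES];
    unsigned n = 0;
    for (unsigned k = 0; k < ENTRIES; k++) {
        uint16_t fp = footprint(f, p, (uint8_t)k);
        unsigned j = 0;
        while (j < n && seen[j] != fp)
            j++;
        if (j == n)
            seen[n++] = fp;
    }
    return n;
}

/* 1 if both lookups return the same value for every (p, k) pair. */
static int lookups_agree(void)
{
    init_table();
    for (unsigned p = 0; p < ENTRIES; p++)
        for (unsigned k = 0; k < ENTRIES; k++)
            if (lookup_leaky((uint8_t)p, (uint8_t)k) != lookup_ct((uint8_t)p, (uint8_t)k))
                return 0;
    return 1;
}

int main(void)
{
    printf("leaky    p=0x00 k=0x3c lines=0x%04x\n", footprint(lookup_leaky, 0x00, 0x3c));
    printf("hardened p=0x00 k=0x3c lines=0x%04x\n", footprint(lookup_ct, 0x00, 0x3c));
    printf("distinct footprints: leaky=%u hardened=%u\n",
           distinct_footprints(lookup_leaky, 0x5a),
           distinct_footprints(lookup_ct, 0x5a));
    printf("same results: %d\n", lookups_agree());
    return 0;
}
```

The hardened lookup reads 256 entries per call instead of one, which is the usual cost of removing the key-dependent access pattern in software.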


Attacking Bouncy Castle

[Figure: two panels plotting address (y-axis) against plaintext byte values (x-axis, 0x00 to 0xF0): Evict+Reload (Alcatel) vs. Flush+Reload (Samsung)]


Attacking Bouncy Castle with Prime+Probe (Alcatel)

[Figure: offset (y-axis, 0x240 to 0x3C0) against plaintext byte values (x-axis, 0x00 to 0xF0)]


Leakage from ARM TrustZone (RSA signatures)

[Figure: probing time in CPU cycles (y-axis) against set number (x-axis, 250 to 350); series: Valid key 1, Valid key 2, Valid key 3, Invalid key]


Conclusions

all the powerful cache attacks applicable to smartphones

monitor user activity with high accuracy

derive crypto keys

ARM TrustZone leaks through the cache
