cache timing side-channel vulnerability checking with ...€¦ · side channel attacks:)*+,0 ⇝...
TRANSCRIPT
![Page 1: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/1.jpg)
Cache Timing Side-Channel Vulnerability Checking with
Computation Tree Logic
Shuwen Deng, Wenjie Xiong and Jakub SzeferYale University
HASPJune 2, 2018
![Page 2: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/2.jpg)
Memory System
2
Typical set-associative cache
ways
sets
Cache
cache enables fast access to the data
CPU Memory
![Page 3: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/3.jpg)
3
s0
s1
s4
s2
s6
ld issue
{probe}
{hit}
{miss}
{replace}{bypass}
ISA-level Microarchitecture-level
ldreturn
{forceevict}
s3
{return data}
s5la
tency
↔ ca
che
hit
or
mis
s
Cache State Machine
fast access
slow accesstiming latency ⟷
cache hit & miss
![Page 4: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/4.jpg)
4
• For load/store instruction, time differs between hits and misses• For flush instruction, time depends on data existence
• Attacker’s Goal: get information of the address of victim’s sensitive data by observing the timing difference
• Threat Model:– An attacker (A) shares the same cache with a victim (V)– The attacker cannot directly access the cache state machine– The attacker can observe the timing of the victim or itself– The attacker can combine timing observation with some other knowledge
• The attacker knows some source code of the victim• The attacker can force victim to execute a specific function
• E.g. Flush + Reload Attack
Cache Timing Side-Channel Attacks
![Page 5: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/5.jpg)
5
Set-associative cache
ways
sets
1- Attackerprimes each
cache set2- Victim accesses
critical data
3- Attackerprobes each cache set (measure time)
EvictedAccessTime
E.g. Prime + Probe Attack
![Page 6: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/6.jpg)
E.g. Flush + Reload Attack
6
EvictedAccess
TimeSet-associative cache
ways
sets
1- Flush each line in the cache
2- Victim accesses critical data
3- Attackerreloads critical data by running specific process (measure time)
![Page 7: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/7.jpg)
7
Spectre & Meltdown Attack
• speculative executions– Variant 1: Bounds Check – Variant 2: Branch Target Injection– Variant 3: Rogue Data Cache
• Variant 3a: Rogue System Register – Variant 4: Speculative Store
• timing side-channel in the cache
![Page 8: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/8.jpg)
8
Spectre & Meltdown Attack
• Uses speculative executions• Leverages timing side-channel in
the cache
![Page 9: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/9.jpg)
9
Use Computation
Tree Logic (CTL)
Model execution paths of the
processor cache focusing on side-channel attacks
Develop Cache Access
Model
Three-step single-cache-block-access
model construction
Analyze Timing
Vulnerabilities
Exhaustive search for
possible attacks based on three-
step model
Contribution
![Page 10: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/10.jpg)
10
condition description𝑉#/𝐴# A specific known memory location.𝑉& A piece of memory containing data from a range of
victim’s memory addresses is accessed. 𝑉'/𝐴' single-cache-block access to “remove” the cache
block contents⋆ Attacker has no knowledge about memory location
𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴', ⋆ 𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴'𝑉#/𝐴#, 𝑉&, 𝑉'/𝐴'
Three-Step Single-Cache-Block-Access ModelWe use three steps to model all possible cache side channel attacks:
𝑆𝑡𝑒𝑝0 ⇝ 𝑆𝑡𝑒𝑝1 ⇝ 𝑆𝑡𝑒𝑝2
The initial state of the cache block
Actions of victim or attacker
Interference & final observation
![Page 11: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/11.jpg)
11
• Prime + Probe Attack
– 𝐸𝐹(𝐸(𝐸 𝐴#𝑈𝑉& 𝑈𝐴#))
Vulnerability Examples
Set-associative cache
ways
sets
1- AttackerPrimes each
cache set
2- Victim accesses
critical data
3- AttackerProbes each cache set (measure time)
EvictedAccessTime
![Page 12: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/12.jpg)
12
• Flush + Reload Attack
– 𝐴' ⇝ 𝑉& ⇝ 𝐴#– 𝑉' ⇝ 𝑉& ⇝ 𝐴#
Vulnerability Examples
EvictedAccess
TimeSet-associative cache
ways
sets
1- Flush each line in the cache
2- Victim accesses critical data
3- AttackerReloads critical data by running specific process (measure time)
condition description𝑉#/𝐴# A specific known memory location.𝑉& A piece of memory containing data from a range of victim’s
memory addresses is accessed. 𝑉'/𝐴' single-cache-block access to “remove” the cache block contents
![Page 13: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/13.jpg)
13
Why three-step model can cover all?• One cache access
– Interference does not exist• Two cache accesses
– Same as three-step model with 𝑆𝑡𝑒𝑝0 to be “ ⋆ ”• More than three cache accesses
– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝𝐴# ⇝ 𝑉# ⇝ ⋯}, {⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯},… can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝ 𝑉# ⇝⋯}, ⋯ ⇝ 𝑉& ⇝ ⋯ ,… , respectively
– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to effective vulnerabilities represented by three-step model
Soundness of Three-Step Model
![Page 14: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/14.jpg)
14
• More than three cache accesses– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ ,… , {⋯ ⇝𝐴# ⇝ 𝑉# ⇝ ⋯},… , {⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯} can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ ,… , {⋯ ⇝ 𝑉# ⇝⋯},… , {⋯ ⇝ 𝑉& ⇝ ⋯}, respectively
– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to known vulnerabilities represented by three-step model
Soundness of Three-step Model (b)
![Page 15: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/15.jpg)
15
• Explicit enumeration of all the possible three steps (6x5x5=150)
• Identify 28 types of cache attacks– 20 types already known or categorized– 8 types previously not in literature
• Can be applied to evaluate any cache architecture with CTL logic
Exhaustive Vulnerability Search
![Page 16: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/16.jpg)
16
S0 S1 S2 Recognized name
Categorization
𝑽𝒙 𝑨𝑹 𝑽𝒙 Type A𝑽𝒙 𝑽𝑹 𝑽𝒙 Type B𝑨𝑹 𝑨𝟏 𝑽𝒙 Type C𝑽𝑹 𝑨𝟏 𝑽𝒙 Type D𝑨𝟏 𝑨𝟏 𝑽𝒙 Type E𝑽𝟏 𝑨𝟏 𝑽𝒙 Type F𝑉& 𝐴# 𝑉& Evict+Time Type G𝐴' 𝑉# 𝑉& Cache Collision Type H𝑉' 𝑉# 𝑉& Cache Collision Type I
𝐴# 𝑉# 𝑉& Cache Collision Type J𝑉# 𝑉# 𝑉& Cache Collision Type K𝑉& 𝑉# 𝑉& Bernstein’s attack Type L
𝐴' 𝑉& 𝐴' Flush+Flush Type M𝑉' 𝑉& 𝐴' Flush+Flush Type N
Vulnerability Exhaustive ListS0 S1 S2 Recognized name Catego
rization
𝑉& 𝑉& 𝐴' Flush+Flush Type O𝐴' 𝑉& 𝑉' Flush+Flush Type P𝑉' 𝑉& 𝑉' Flush+Flush Type Q𝑉& 𝑉& 𝑉' Flush+Flush Type R𝐴' 𝑉& 𝐴# Flush(Evict)+Reload Type S 𝑉' 𝑉& 𝐴# Flush(Evict)+Reload Type T𝐴# 𝑉& 𝐴# Prime+Probe Type U𝑽𝟏 𝑽𝒙 𝑨𝟏 Type V𝑉& 𝑉& 𝐴# Flush(Evict)+Reload Type W𝐴' 𝑉& 𝑉# Cache Collision Type X𝑉' 𝑉& 𝑉# Cache Collision Type Y𝑨𝟏 𝑽𝒙 𝑽𝟏 Type Z𝑉# 𝑉& 𝑉# Bernstein’s attack Type AA𝑉& 𝑉& 𝑉# Cache Collision Type AB
![Page 17: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/17.jpg)
17
• Flush + Reload Attack (Type S, T Attack)– 𝐴' ⇝ 𝑉& ⇝ 𝐴#– 𝑉' ⇝ 𝑉& ⇝ 𝐴#
Vulnerability Examples• New Type V Attack
– 𝑉# ⇝ 𝑉& ⇝ 𝐴#
Set-associative cache
ways
sets
1- Victimprimes each cache set
2- Victim accesses
critical data
3- Attackerprobes each cache set (measure time)
EvictedAccessTime
EvictedAccess
TimeSet-associative cache
ways
sets
1- Flush each line in the cache
2- Victim accesses critical data
3- Attackerreloads critical data by running specific process (measure time)
![Page 18: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/18.jpg)
𝜓 𝜓 𝜓 𝜓 𝜓18
Treats time as discrete and branchingCan explore different execution paths
• Atomic propositions: , ,…• Boolean operators: ¬𝜑,𝜑 ∨ 𝜓,𝜑 ∧ 𝜓,…• Temporal modalities:
– X 𝜓 … “next𝜓” – 𝜑𝑈𝜓 … “𝜑until 𝜓” – F 𝜑 … “eventually 𝜑”– G 𝜑 … “always 𝜑”
• Path quantifiers:– E 𝜓 A 𝜓
𝜓𝜓𝜑𝜑
𝜓𝜑𝜑 𝜑 𝜑 𝜑
𝜑
Computation Tree Logic
![Page 19: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/19.jpg)
Step0
Step1
Step2
19
For a single cache block, model execution paths that represent vulnerabilities to attacks:
M, s ⊨𝐸𝐹(𝐸(𝐸 𝑆𝑡𝑒𝑝0𝑈𝑆𝑡𝑒𝑝1 𝑈𝑆𝑡𝑒𝑝2))
Eventually there exists a path that corresponds to the vulnerability:𝑆𝑡𝑒𝑝0 ⇝ 𝑆𝑡𝑒𝑝1 ⇝ 𝑆𝑡𝑒𝑝2
Three-Step Model in CTL logic
E.g.𝐴' ⇝ 𝑉& ⇝ 𝐴#↔ 𝐸𝐹(𝐸(𝐸 𝐴'𝑈𝑉& 𝑈𝐴#))
The initial state of the cache block
Actions of victim or attacker
Interference & final observation
![Page 20: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/20.jpg)
20
s0
s1
s4
s2
{probe}
{miss}
{replace}
s3
{returndata}
{hit}
Unfold from s0 to
computation tree
(s0,0)
(s1,1) (s
2,1)
(s3,2)(s
4,2)
(s0,3) (s
4,3)
(s0,4)(s
1,4) (s
2,4)
(s3,5)(s
4,5)
(s0,6) (s
4,6)
(s0,7)(s
1,7) (s
2,7)
(s1,5) (s
2,5)
(s3,6)(s
4,6)
(s0,7) (s
4,7)
(s1,8) (s
2,8)(s
3,8)(s
4,8)
(s4,9)
(s1,8) (s
2,8)
(s1,8) (s
2,8)(s
3,9)(s
4,9)
(s4,10)
(s0,7)
(s3,9)(s
4,9)
(s4,10) (s
3,10)(s
4,10)
(s4,11)
Step 0
Step 1
Step 2
three-step model:
Bounded Computation Tree
![Page 21: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/21.jpg)
21
• hardware design of secure caches• cache state machine modeling• checking of vulnerability in CTL logic• improve CTL modeling
Future Work
![Page 22: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/22.jpg)
22
Summary
• cache state machine modeling• checking of vulnerability in CTL logic• improve CTL modeling
Thank you!
Use Computation
Tree Logic (CTL)
Model execution paths of the
processor cache focusing on side-channel attacks
Develop Cache Access
Model
Three-step single-cache-block-access
model construction
Analyze Timing
Vulnerabilities
Exhaustive search for
possible attacks based on three-
step model
![Page 23: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/23.jpg)
23
back up slides
![Page 24: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/24.jpg)
24
• One cache access– Interference does not exist
• Two cache accesses– Same as three-step model with 𝑆𝑡𝑒𝑝0 to be “ ⋆ ”– None of them can form an attack
• Three cache accesses– Exhaustive vulnerability Search and effective
vulnerabilities derived
Soundness of Three-step Model (a)
![Page 25: Cache Timing Side-Channel Vulnerability Checking with ...€¦ · side channel attacks:)*+,0 ⇝ )*+,1 ⇝ )*+,2 The initial state of the cache block Actions of victim or attacker](https://reader030.vdocuments.us/reader030/viewer/2022040619/5f2c608e23d7fe56ce7e8487/html5/thumbnails/25.jpg)
25
• More than three cache accesses– {⋯ ⇝⋆⇝ ⋯} can be divided into two parts– ⋯ ⇝ 𝐴' ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝐴' ⇝ 𝑉' ⇝ ⋯ , {⋯ ⇝ 𝐴# ⇝𝑉# ⇝ ⋯}, ⋯ ⇝ 𝑉& ⇝ 𝑉& ⇝ ⋯ ,… can be reduced to ⋯ ⇝ 𝐴' ⇝ ⋯ , ⋯ ⇝ 𝑉' ⇝ ⋯ , ⋯ ⇝ 𝑉# ⇝ ⋯ , {⋯ ⇝𝑉& ⇝ ⋯},…, respectively
– ⋯ ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ 𝑉& ⇝ (𝐴'/𝑉' ∕ 𝐴# ∕ 𝑉#) ⇝ ⋯maps to effective vulnerabilities represented by three-step model
Soundness of Three-step Model (b)