PROSPER and Friends: An Overview
Mads Dam, KTH Royal Institute of Technology
Project team: Musard Balliu, Christoph Baumann, Victor Do, Christian Gehrmann, Roberto Guanciale, Jonas Haglund, Narges Khakpour, Andreas Lindner, Andreas Lundblad, Hamed Nemati, Oliver Schwarz, Arash Vahidi

The PROSPER Project
• Joint project KTH-SICS funded by Swedish Foundation for Strategic Research
• Start Jan 2012, ended Oct 2017
• Project objectives:
  – Build functional hypervisor for ARM-based systems
    • … focus on security
  – Fully verified at system level
    • Hypervisor code
    • … plus interaction with hardware platform
  – Support for GPOSs – RTOS, Linux, Android
    • … plus some security services

PROSPER - Results
• Verified hypervisors:
  – Hypervisor v0 – simple separation kernel for ARMv7
  – Hypervisor v1 – memory virtualisation for ARMv7
  – Hypervisor v2, HASPOC – hypervisor for ARMv8
  – Increasing complexity and realism
• Main demonstrators:
  – Secure software update (ARMv7)
  – Secure network interface (ARMv7)
  – Red/black separation for Android (ARMv8, with Tutus AB)
  – ...
• Models and frameworks:
  – Add-ons to Fox’s Cambridge HOL4/L3 models
  – Compositional model framework
  – Component models: MMUs, GICs, SMMUs, network devices …
  – Asynchronous device framework
• Tools:
  – ISA analyzers
  – TreeDroid
  – Infoflow analysis tools EnCover (JVM) + others (binaries)
  – HOL4 -> BAP lifter

… more
• Vulnerabilities and countermeasures:
  – Mismatched cache attributes
  – Countermeasures integrity, confidentiality
• Systems:
  – Soft boot
  – Secure boot for ARMv8
  – Monotonic separation kernel
• URLs:
  – prosper.sics.se
  – haspoc.sics.se

This Presentation
• Go through the three hypervisor generations one by one
• Explain:
  – Design rationale
  – Modelling and verification approach
  – Results
• Also discuss some of the related results:
  – ISA analyzer
  – Vulnerabilities, countermeasures, refinements

Separation Kernels
[Figure labels: Separation kernel; CPU ≅ CPU, CPU, CPU]
• Execution environments indistinguishable from a physically distributed system [Rushby ’81]

… Or Hypervisors …
[Figure labels: Hypervisor; CPU ≅ CPU, CPU, CPU]
• Execution environments indistinguishable from a physically distributed system [Rushby ’81]

Provable Isolation – What Is Involved?
• Large endeavour
• Formal system model
  – Processor, devices, interrupt controllers, MMUs
  – Hypervisor, drivers, application code
  – Justification: Precision, adequacy
• Formalized security requirements
  – Security specification
  – Justification: Attack model
• Verification
  – Automated
  – Semi-automated
  – Interactive

PROSPER v0

Virtualization Target, v0, v1
[Figure labels: ARMv7 processor, memory management unit (MMU), memory, network controller, DMA controller]

PROSPER Kernel, v0
• Context switch: Fixed round-robin scheduling
• Static memory allocation
• Asynchronous message passing through hypercall
• Paravirtualization
Dam, Guanciale, Khakpour, Nemati, Schwarz: Formal Verification of Information Flow Security for a Simple ARM-Based Separation Kernel, CCS ’13

Verification Strategy
Approach 1: Noninterference
Confidentiality / nonexfiltration:
• No infoflow from Guest 1 to Guest 2, …, Guest n or to Hypervisor
Integrity (kind of) similar

Verification Strategy
Approach 1: Vanilla noninterference
But:
• This was not the picture we wanted!
• What about communication?

Alternative Approach
• Formulate ideal model
• Satisfies isolation properties by construction
• Hypervisor functionality replaced by ideal functionality
• Ideal CPUs – run only user space code
• All privileged execution is idealized
• Two ideal message boxes
• Ideal timer for “activity toggling”

Verification Goal
• Equivalence: Each guest “sees” the same observations
• When guest G is active, the user mode observable parts of the ARMv7 machine state are identical
• => Vanilla NI in the absence of communication
[Figure labels: Separation kernel; CPU ≅ CPU, CPU]

Unwinding Relation
Identical:
• MMU readable memory
• User mode observable registers
• Message boxes
• Time

Unwinding Relation
Weak bisimulation
• Per partition
• User mode observations to be preserved
• Weak (non-preemptive) handler transitions
• The relation? See the previous slide!
Boot Lemma
• Boot code terminates and establishes the relation
• Establish hypervisor invariant
• Machine code verification (HOL4 -> BAP)
User Lemma
• No infiltration / no exfiltration for user mode transitions, NI
• Independent of handler code, independent of guest code
• Theorem proving (HOL4)
Switch Lemma
• No infiltration / no exfiltration for exceptions/interrupts
• Independent of handler code, independent of guest code
• Theorem proving (HOL4)
Handler Lemmas
• Handlers satisfy their contracts
• Dependent on handler code, independent of guest code
• Machine code verification (HOL4 -> BAP)

Verification Approach
ARMv7 properties
• User Lemma, Switch Lemma
• Property of ARMv7 instruction set architecture
• HOL4 + Cambridge ARMv7 model + L3 + MMU
• Noninterference lemmas
• Automation: See later
Handler code
• Handler Lemmas, Boot Lemma
• Code property
• Frequently updated
• C + assembly + gcc, BAP + STP
• Contract verification
• “Semi”-automatic

PROSPER v1
[Figure: PROSPER Kernel, v1. Labels: processor, memory management unit, memory, network controller, DMA controller]

MMU Virtualization
• MMU: Key component to virtualize commodity OSs
• L1 and L2 page tables
• Page tables map virtual addresses to intermediate addresses to physical addresses
• Control is vital
  – For virtualization
  – For sandboxing, etc.
Guanciale, Nemati, Dam, Baumann: Provably secure memory isolation for Linux on ARM, Journal of Computer Security 24(6), 2016

The Prosper v1 Hypervisor
• Primary use case:
  – Single untrusted OS guest
  – “Collaboratively” scheduled secure services
• Paravirtualization
• Memory management:
  – Direct paging, as in Xen-x86 or Secure Virtual Architecture (1)
  – Page tables reside in guest memory
  – Guest can manipulate page tables when not in use
  – Hypervisor mediates access to page tables when active
  – Guest fully in charge of memory management
(1) Criswell et al: Secure Virtual Architecture: A safe execution environment … SOSP ’07

The Prosper v1 Hypervisor
DMMU – the MMU virtualization API:
• Memory partitioned in physical blocks of 4 KB
• Blocks are typed: t(block) in {L1, L2, D}
• 9 primitive API calls to activate, create or free page tables and to map or unmap memory blocks
• A reference counter keeps track of active references
• Hypervisor prevents unsound requests:
  – No access outside the guest memory
  – No writable access to a page table
• Block type can be changed if the reference counter is zero
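
The block typing and reference-counter rules of the DMMU slide, as a small C model. This is an added example, not the PROSPER hypervisor's code: the function names, the four calls shown (the slide says the real API has 9), the 8-block guest memory and the rule that every mapping counts as a reference are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

#define NBLOCKS 8u   /* constructed: guest memory of eight 4 KB blocks */
#define ENTRIES 4u   /* constructed: entries per modelled L2 table */
typedef enum { T_D, T_L1, T_L2 } btype_t;   /* t(block) in {L1, L2, D}; L1 not modelled */
typedef enum { DMMU_OK, DMMU_ERANGE, DMMU_ETYPE, DMMU_EBUSY, DMMU_ENOENT } dmmu_rc;
typedef struct { bool valid, writable; unsigned target; } pte_t;
typedef struct {
    btype_t  type[NBLOCKS];
    unsigned refcnt[NBLOCKS];       /* assumption: every mapping of a block counts */
    pte_t    pt[NBLOCKS][ENTRIES];  /* entries, meaningful for L2 blocks only */
} dmmu_t;

void dmmu_init(dmmu_t *m) { memset(m, 0, sizeof *m); }  /* all blocks D, refcnt 0 */

/* Retype a data block as an L2 table: allowed only while nothing references it. */
dmmu_rc dmmu_create_l2(dmmu_t *m, unsigned b) {
    if (b >= NBLOCKS) return DMMU_ERANGE;
    if (m->type[b] != T_D) return DMMU_ETYPE;
    if (m->refcnt[b] != 0) return DMMU_EBUSY;   /* e.g. guest still maps it writable */
    memset(m->pt[b], 0, sizeof m->pt[b]);
    m->type[b] = T_L2;
    return DMMU_OK;
}

/* Install a mapping to `target` in entry `idx` of table `l2`. */
dmmu_rc dmmu_map(dmmu_t *m, unsigned l2, unsigned idx, unsigned target, bool writable) {
    /* no access outside the guest memory */
    if (l2 >= NBLOCKS || idx >= ENTRIES || target >= NBLOCKS) return DMMU_ERANGE;
    if (m->type[l2] != T_L2) return DMMU_ETYPE;
    if (m->pt[l2][idx].valid) return DMMU_EBUSY;
    if (writable && m->type[target] != T_D)
        return DMMU_ETYPE;                      /* no writable access to a page table */
    m->pt[l2][idx] = (pte_t){ .valid = true, .writable = writable, .target = target };
    m->refcnt[target]++;
    return DMMU_OK;
}

dmmu_rc dmmu_unmap(dmmu_t *m, unsigned l2, unsigned idx) {
    if (l2 >= NBLOCKS || idx >= ENTRIES) return DMMU_ERANGE;
    if (m->type[l2] != T_L2) return DMMU_ETYPE;
    if (!m->pt[l2][idx].valid) return DMMU_ENOENT;
    m->refcnt[m->pt[l2][idx].target]--;
    m->pt[l2][idx].valid = false;
    return DMMU_OK;
}

/* Return a table to type D: it must be unreferenced and hold no live entries. */
dmmu_rc dmmu_free_l2(dmmu_t *m, unsigned b) {
    if (b >= NBLOCKS) return DMMU_ERANGE;
    if (m->type[b] != T_L2) return DMMU_ETYPE;
    if (m->refcnt[b] != 0) return DMMU_EBUSY;
    for (unsigned i = 0; i < ENTRIES; i++)
        if (m->pt[b][i].valid) return DMMU_EBUSY;
    m->type[b] = T_D;
    return DMMU_OK;
}

int main(void) {                    /* exit status 0 iff both unsound requests are refused */
    dmmu_t m;
    dmmu_init(&m);
    dmmu_create_l2(&m, 1);
    dmmu_map(&m, 1, 0, 2, true);    /* block 2 is now mapped writable */
    bool ok = dmmu_create_l2(&m, 2) == DMMU_EBUSY && dmmu_map(&m, 1, 1, 1, true) == DMMU_ETYPE;
    return ok ? 0 : 1;
}
```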

Verification
Two stages:
1. Ideal model
  – Hypervisor state is idealized
  – Page tables stored in memory
  – Reference counter = 0 => page table can be freed
  – Hypervisor addresses physical memory
  – Correctness proof is needed
2. Implementation model
  – Algorithm + hypervisor state -> hypervisor memory
  – Hypervisor addresses virtual memory
3. Refinement proof
  – Transfers infoflow properties to implementation model
  – Bisimulation proof with some twists

Ideal Model Correctness Proof
Main components of proof:
• Invariant property maintained by the 9 API calls
  Needed for the below
• Complete mediation:
  Guest transitions cannot directly affect MMU behaviour
• Integrity:
  Guest transitions cannot affect hypervisor or secure guests state
• Confidentiality:
  No flow of information from hypervisor or secure guest state to insecure guest - noninterference

Implementation
Privileged components:
• Interface layer
• Linux adaptation layer
• DMMU handlers
Features:
• Small critical core
• No direct access to critical functionality from Linux layer
• Simpler to verify

[Figure: PROSPER Kernel v1 - Applications. Labels: processor, memory management unit, memory, network controller, DMA controller]

MProsper: Executable Space Protection
• Memory blocks are executable or writeable, but not both
• Reference monitor intercepts memory attribute changes
• Pages are made executable only if they are duly signed
• Examples: OpenBSD 3.3, Linux PaX, Exec Shield, NetBSD, MS OSs with Data Execution Prevention
• Here: Using the Prosper kernel to implement this in a provably secure manner
• Monitor runs as isolated with read permissions - tamper proof
• Proof extends hypervisor security proof
Chfouka, Nemati, Guanciale, Dam, Ekdahl: Trustworthy Prevention of Code Injection in Linux on Embedded Devices, ESORICS ’15

MProsper Design
Enforce WX policy
On Linux request to change access rights:
• Downgrade request
• Store suspended request in table
On data/prefetch abort:
• Downgrade and store current setting
• Re-enable suspended request, if safe

[Figure: PROSPER Kernel, v1, Extensions. Labels: processor, memory management unit, memory, network controller, DMA controller]

Devices
Issues:
• Memory-mapped IO registers
• Interrupts
• DMA
• Asynchronous operation
Virtualization:
• Virtualized register accesses
• Static memory partitioning
Modeling:
• Interleaving of processor/device memory accesses using oracle
Schwarz, Dam: Formal Verification of Secure User Mode Device Execution with DMA, HVC ’14

Status
Implementation:
  – Ports for Linux 2.6.34 and Linux 3.10, BeagleBone, RPi2
  – Performance comparable to Xen
  – Low memory overhead compared to shadow paging
  – Experimental multicore port, one hypervisor per core
Models:
  – ARMv7 model in L3 extended with MMU and system functionality
  – Proven ISA level non-interference properties
  – NIC + DMA models
Tools:
  – HOL4 for model and design verification (refined-ideal bisimulation)
  – Lifter from ARMv7 to BAP, partially verified in HOL4
  – Binary code verification using SMT solver (STP)
Proofs:
  – Guest switch lemma, verified hypervisor design
  – Full verification v0, part binary verification v1
  – Proof for NIC virtualization in progress

PROSPER v2

Virtualization Target v2, HASPOC
[Figure labels: ARMv8-A cores, MMU, memory, SMMU + NIC, SMMU + USB, GIC (Generic Interrupt Controller)]
Minimal COTS hypervisor for ARMv8:
• Fixed # guests, static memory allocation
• Cores and devices owned exclusively
• No device virtualisation except GIC
• Secure boot loader
• Memory isolation through HW extensions and SMMUs
• Main runtime hypervisor task is GIC virtualisation
• Communication only through predefined channels

Security Goal
• Ideal model: Secure by construction
• Bisimulation relation transfers infoflow properties
• Verification: Focus on guest (user mode) execution

Status
Implementation:
  – HiKey board, <64 KB code base, <10 KLoC, <2 MB DRAM
  – Demonstrators stable, <15% OH (interrupt penalties)
  – Interguest communication up to 750 Mbps
  – Secure boot faster than ARM Trusted Firmware
Models:
  – ARMv8 model in L3 extended with MMU and system features
  – Compositional model for proof reusability and refinement
  – Sequential memory, cache model under development
Tools:
  – Lifter from ARMv8 to BAP, verified in HOL4
  – Formal BAP Intermediate Language semantics in HOL4
Proofs:
  – System level HOL4 proof of guest non-interference complete
  – Pen-and-paper proof of design, Common Criteria compatible
  – Verified weakest precondition generation (ongoing)
  – Experiments in binary ARMv8 code verification

ISA Information Flow

ISA InfoFlow Analysis
Recall: This is a property of the instruction set architecture!
Is it important?
  – Yes, check Meltdown/Spectre
Could we have caught Meltdown/Spectre?
  – Currently have caches in model, not speculation
  – Given adequate model and enough cpu cycles, maybe
Schwarz, Dam: Automatic derivation of platform noninterference properties. SEFM 2016, 27-44

ISA InfoFlow Analysis: The Problem
Wish to determine:
  – What can a given user process determine of the processor state?
Dual problem:
  – Which parts of the processor state can a user process (process at privilege level x) influence?
  – Can be solved in similar manner

ISA InfoFlow Analysis: The Problem
[Figure labels: pc, reg0, pub, sec, ctrl (before and after)]
Input:
  – Initial level assignment I
Output:
  – Provably minimal final level assignment F containing I
Objectives:
  – Soundness, precision
  – Apply to HOL4 ISA spec as is
  – Implement in HOL4
  – Fully automatic
  – Test on realistic specs

ISA InfoFlow Analysis: Complications
    getControl s =
      let m := s.mode
      in
        let c :=
          (if m = user then
             bitmask (s.ctrl m)
           else
             s.ctrl m
          )
        in (c,s)
        end
      end
Tricky to map into a standard type-based setting:
• Mappings need sometimes to be evaluated, sometimes not
• Levels need sometimes to be assigned bitwise, sometimes not
• Heavy context dependency

ISA InfoFlow Analysis: Approach
Rewriting
  – Cambridge ISA specs are large so care is needed
  – Use Fox’s ARM step library whenever possible
Instruction task queue:
  – Rewrite to suitable normal form
  – Attempt to prove NI
  – Success, move on
  – Failure:
    • Failure of proof search to imply counterexample
    • Use counterexample to refine low-equivalence relation
    • This gives minimality
    • Re-enqueue validated instructions
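
The refine-and-recheck loop of the Approach slide, as an added C example that is not the HOL4 tool from the talk. It assumes a constructed four-instruction toy ISA with five 2-bit components, assigns levels per component rather than bitwise, and replaces the NI proof attempt with an exhaustive search for a counterexample.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy ISA: five state components of 2 bits each. */
enum { PC, R0, R1, CTRL, SEC, NCOMP };
#define NVAL 4u
typedef struct { unsigned char c[NCOMP]; } state_t;
typedef state_t (*instr_fn)(state_t);

static state_t i_branch(state_t s) { s.c[PC] = s.c[R0]; return s; }        /* pc := r0 */
static state_t i_mov(state_t s)    { s.c[R0] = s.c[R1]; return s; }        /* r0 := r1 */
static state_t i_getctl(state_t s) { s.c[R1] = s.c[CTRL] & 1u; return s; } /* masked ctrl */
static state_t i_priv(state_t s)   { s.c[R0] = s.c[SEC]; return s; }       /* privileged */

const instr_fn USER_ISA[] = { i_branch, i_mov, i_getctl };
const instr_fn FULL_ISA[] = { i_branch, i_mov, i_getctl, i_priv };

/* Stand-in for the NI proof attempt: exhaustively search for two states that
 * differ only in component c yet produce outputs that differ inside `low`. */
static bool counterexample(instr_fn f, unsigned low, int c) {
    for (unsigned n = 0; n < 1024u; n++) {             /* all 4^5 states */
        state_t a;
        unsigned t = n;
        for (int k = 0; k < NCOMP; k++) { a.c[k] = (unsigned char)(t % NVAL); t /= NVAL; }
        for (unsigned v = 0; v < NVAL; v++) {
            state_t b = a;
            b.c[c] = (unsigned char)v;
            state_t x = f(a), y = f(b);
            for (int k = 0; k < NCOMP; k++)
                if (((low >> k) & 1u) && x.c[k] != y.c[k]) return true;
        }
    }
    return false;
}

/* Least set of components (bitmask) that contains `init` and satisfies NI. */
unsigned minimal_low_set(const instr_fn *isa, int n, unsigned init) {
    unsigned low = init;
    bool changed = true;
    while (changed) {                                  /* re-check until stable */
        changed = false;
        for (int i = 0; i < n; i++)
            for (int c = 0; c < NCOMP; c++)
                if (!((low >> c) & 1u) && counterexample(isa[i], low, c)) {
                    low |= 1u << c;                    /* refine low-equivalence */
                    changed = true;
                }
    }
    return low;
}

int main(void) {
    printf("user ISA: 0x%x, full ISA: 0x%x\n",
           minimal_low_set(USER_ISA, 3, 1u << PC), minimal_low_set(FULL_ISA, 4, 1u << PC));
    return 0;
}
```

Starting from PC alone, the user-mode instruction set pulls in R0, R1 and CTRL but never SEC; adding the privileged instruction pulls in SEC as well.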

ISA InfoFlow Analysis: Results
ARMv7-A user mode, no MMU, no security or hypervisor extensions
  – Initial: PC
  – Final included: User reg’s, full CPSR, some FP registers, TEEHBR, SCTLR flags EE, TE, V, A, U, DZ
  – Not included: Banked registers, SPSRs, some FIQ-related registers, CP15.SCTLR.{NMFI,VE}
  – Running time > 21 hrs on single Xeon X3470 core
MIPS-III
  – Initial: PC + some basic registers, final: all, 1 hr+
MIPS-III restricted user mode
  – Initial as above, final: GP registers + some status flags, 38’

Caches, caches, caches

Caches and Stuff
Current ISA modeling tends to ignore many nasty details
  – Caches and cache management
  – Speculation
  – Lots of system features
How much of a problem is this?
Timing and power channels
  – Very difficult to close completely
  – Model-external features - abstract away (?)
Cache storage channels
  – Deterministic channels not relying on timing/power
  – Model internal - harder to ignore
Post Meltdown/Spectre: We’re in trouble (!)

Example: Memory Incoherence
Coherent memory:
  – Observers (cores, MMUs, etc) all see the same sequence of writes, per location
Controlled incoherence:
  – If one agent can be set up to control what another agent sees, we have a potential attack
Mismatched cacheability attributes
  – Virtual aliases with conflicting cacheability
  – Reasonable scenarios exist (e.g., virtualisation)
  – If cache and memory can disagree without entry becoming dirty there is a problem
  – This is sometimes the case
  – Integrity and confidentiality attacks
Guanciale, Nemati, Baumann, Dam: Cache storage channels: Alias-driven attacks and verified countermeasures. S&P 2016, 38-55

Verification
Need:
  – More fine-grained model with caches
  – New proof machinery
  – Formalised countermeasures
  – Not least: Redoing work already done ...
Approach:
  – Reuse verification on cacheless model
  – Use proof obligations:
    • On processor model
    • On hypervisor
    • On countermeasures
    • On application
  – General multilevel dcache + icache model
  – Integrity proof done for two countermeasures
  – Confidentiality in progress

Challenges

Precise Hardware Models
Modern hardware is complex
  – Weakly-consistent memory
  – Out-of-Order and speculation
  – Cache hierarchies, MMUs, DMA bus masters, TLBs
  – Rich flora of devices w. rapid churn
  – How to keep up and scale?
Vendor-provided models
  – Lack of documentation is a big issue
  – See Alastair Reid’s presentation on ARM models
  – Open source hardware, e.g. RISC-V?
  – Hidden instructions? Vendor-specifics? HW Trojans?
  – “Unpredictable behaviour”?
Generality and reusability
  – vs. side channel protection / bisimulations

Managing Complexity
Building formal HW models is hard
  – Huge informal specs
  – Implementation-dependent behaviour
  – Hard to test
Can we make it easier?
  – Domain-specific languages can help
  – Decomposed models for spec and proof reuse
    • Absolutely necessary for modern architectures
  – Frameworks needed to mechanise proof search
    • HOL4 good starting point for this
  – Executable models
    • Generality vs executability & speed
  – Automating model construction
    • Check out Heule et al: Stratified synthesis: Automatically learning the x86-64 instruction set, PLDI ’16

Thank you!

ARMv8 Platform Model
• Compositional model, async message passing
• (S)MMU: Active?, page table base, current translations
• Core: Execution mode, some hypervisor ext registers
• Device: Mostly uninterpreted, DMA enabled?
• Memory: Flat map, memory-mapped IO
• GIC: Hypervisor-accessed registers, interrupt state
• Hypervisor: Fine-grained LTS, GIC interaction

Ideal Model
• Ideal core: HV invisible / atomic hypercall semantics
• Buffer for outgoing IGC notification interrupts
• IGC shared memory duplicated and copied on write
• Ideal GIC: interrupt separation by construction
• Message buffers as placeholders for (S)MMUs
• Memory: only guest portion, intermediate physical addresses

Bisimulation Relation

Integrity Cache Incoherence Attack
    V1: D = access(VA_c)
    ...
    A1: write(VA_nc, 1)
    ...
    V2: D = access(VA_c)
    V3: if not policy(D) reject
    ...
    [evict VA_c]
    ...
    V4: use(VA_c)
[Figure: virtual memory (VA_c, VA_nc), physical memory and cache contents for PA, and D, over six builds:
  1. memory PA = 0, no cache entry, D unset
  2. memory PA = 0, cache PA = 0, D = 0
  3. memory PA = 1, cache PA = 0, D = 0
  4. memory PA = 1, cache PA = 0, D = 0
  5. memory PA = 1, no cache entry, D = 0
  6. memory PA = 1, cache PA = 1, D = 0]

Confidentiality Cache Incoherence Attack
    A1: invalidate(VA_c)
    A2: write(VA_nc, 0)
    A3: D = read(VA_c)
    A4: write(VA_nc, 1)
    A5: call victim
    A6: D = read(VA_c)
    V1: if secr access(VA_3) else access(VA_4)
[Figure: virtual memory (VA_nc, VA_c, VA_3, VA_4), physical memory (PA-1, PA-3, PA-4), cache (set-idx), D and secr, shown over successive builds; the final builds show D = 0 for secr = 0 and D = 1 for secr = 1]

Example Attacks
Three attacks implemented using mismatched cache attribute vector:
1. AES in Trustzone on RPi2
   128 bit key extracted after 850 encryptions
2. Prosper v1 on Beagleboard MX
   Attacker: Non-secure guest
   Validation of non-valid page table
   Attacker gets full control
3. Extraction of exponent from modular exponentiation procedure
   Non-pc secure procedure in Trustzone on RPi2
   Execution path detected through instruction cache attack

Countermeasures
For confidentiality:
  – Standard timing approaches:
  – PC-secure code, secret independent memory accesses, ...
For integrity:
  – Guarantee coherence of accessed memory
  – Cache flushes, explicit eviction of cache lines, ...
Specific for mismatched cache attributes:
  – Secret independent cache line accesses
  – Prevent uncacheable aliases for specific memory regions
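
The integrity sequence V1..V4 from the earlier slide and the "guarantee coherence of accessed memory" countermeasure, replayed on a one-line cache model. This is an added example, not code from the talk or the paper: the model, the function names and the policy that accepts only the value 0 are assumptions, and the alias write is placed before validation as on the slide.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model: one physical cell PA and one cache line that may hold a clean copy. */
typedef struct { int mem; bool line_valid; int line_val; } sys_t;

/* Cacheable read through VA_c: a hit returns the cached copy, a miss fills the line. */
static int read_c(sys_t *s) {
    if (!s->line_valid) { s->line_val = s->mem; s->line_valid = true; }
    return s->line_val;
}

/* Write through the non-cacheable alias VA_nc: memory changes, the line stays clean. */
static void write_nc(sys_t *s, int v) { s->mem = v; }

/* Eviction or invalidation of a clean line: the copy is dropped, nothing is written back. */
static void invalidate(sys_t *s) { s->line_valid = false; }

static bool policy(int d) { return d == 0; }   /* constructed policy: only 0 is acceptable */

/* Replays V1..V4 with A1 interleaved.
 * Returns the value consumed at V4, or -1 if V3 rejects. */
int validate_then_use(bool flush_before_check) {
    sys_t s = { .mem = 0, .line_valid = false, .line_val = 0 };
    (void)read_c(&s);                        /* V1: D = access(VA_c), line caches 0 */
    write_nc(&s, 1);                         /* A1: write(VA_nc, 1), memory 1, cache 0 */
    if (flush_before_check) invalidate(&s);  /* countermeasure: make the read coherent */
    int d = read_c(&s);                      /* V2: D = access(VA_c) */
    if (!policy(d)) return -1;               /* V3: if not policy(D) reject */
    invalidate(&s);                          /* [evict VA_c] */
    return read_c(&s);                       /* V4: use(VA_c) */
}

int main(void) {
    printf("no countermeasure: V4 uses %d\n", validate_then_use(false));
    printf("flush before V2:   result %d (-1 = rejected)\n", validate_then_use(true));
    return 0;
}
```

Without the flush the check passes on the stale cached 0 while V4 consumes 1, a value the policy would have rejected; with the flush V2 already sees 1 and V3 rejects.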