ridl - ieee-security.org · 5/20/2019 ridl: rogue in-flight data load...
5/20/2019 RIDL: Rogue In-flight Data Load
RIDL
ROGUE IN-FLIGHT DATA LOAD
Stephan van Schaik - Alyssa Milburn
Sebastian Österlund - Pietro Frigo - Giorgi Maisuradze*
Kaveh Razavi - Herbert Bos - Cristiano Giuffrida
What can we still do as an attacker?
Meet Rogue In-flight Data Load or RIDL
A new class of speculative execution attacks
that knows no boundaries
Privilege levels are just a social construct
SECURITY DOMAINS
We can leak between hardware threads!
But can we leak across other security domains?
Yes, we can!
We leak from the kernel …
... across VMs …
... from the hypervisor …
... and from SGX enclaves!
We leak across all security domains!
Can we leak in the web browser?
Yes, we can!
We reproduced RIDL in Mozilla Firefox
⇒ No need for special instructions
We leak across security domains, and in the browser!
Memory addresses are a social construct too
PREVIOUS ATTACKS
Previous attacks show we can speculatively leak from addresses
Our mitigation efforts focus on isolating/masking addresses
Spectre: access out-of-bound addresses
Meltdown: leak kernel data from virtual addresses
Foreshadow: leak from physical address
Spectre: mask array index to limit address range
Meltdown: unmap kernel addresses from userspace
Foreshadow: invalidate physical address
Example
MELTDOWN
Problem: leak kernel data from virtual addresses
Solution: unmap kernel addresses
PREVIOUS ATTACKS
Previous attacks exploit addressing
Mitigation by isolating/masking addresses
RIDL
RIDL does not depend on addressing:
⇒ Bypass all address-based security checks
⇒ Makes RIDL hard to mitigate
What CPUs does RIDL affect?
We bought Intel and AMD CPUs from almost every generation since 2008
... and sent the invoices to Herbert
RIDL works on all mainstream Intel CPUs since 2008
Intel announces Coffee Lake Refresh
In-silicon mitigations against Meltdown and Foreshadow
Let’s buy the Intel Core i9-9900K!
... and send another invoice to Herbert
We got it the day after we submitted the paper
RIDL works regardless of these in-silicon mitigations
AMD
We also tried to reproduce it on AMD
RIDL does not affect AMD
But where are we actually leaking from?
LEAKY SOURCES
Previous attacks had it easy, they leak from caches
Caches are well documented and well understood.
But RIDL does not leak from caches!
But what else is there to leak from?
There are other internal CPU buffers
Line Fill Buffers, Store Buffers and Load Ports
But there is more!
Uncached Memory
We can leak from various internal CPU buffers!
RIDL is a class of speculative execution attacks
also known as Micro-architectural Data Sampling
Let’s focus on one particular instance:
Line Fill Buffers
MANUALS
We first read the manuals
Some references to internal CPU buffers
But no further explanation
Where would you even start?
That’s why we started reading patents instead!
We read a lot of patents, and survived!
So today I can tell you a bit more about them
But wait, what are these
Line Fill Buffers?
They were never mentioned during
my Computer Architecture courses
but maybe I didn’t pay attention
LINE FILL BUFFERS?
Central buffer between execution units, L1d and L2 to improve memory throughput
Multiple roles:
Asynchronous memory requests
Load squashing
Write combining
Uncached memory
CPU design: what to do on a cache miss?
Send out memory request
Wait for completion
Blocks other loads/stores
LINE FILL BUFFERS?LINE FILL BUFFERS?Solution: keep track of address in LFB
Send out memory request
Allocate LFB entry
Store address in LFB
Serve other loads/stores
24.2
![Page 86: RIDL - ieee-security.org · 5/20/2019 RIDL: Rogue In-flight Data Load file:///D:/slides/slides.html?print-pdf 2/ 163 2](https://reader034.vdocuments.us/reader034/viewer/2022042806/5f69df72609ad1643d04a8c2/html5/thumbnails/86.jpg)
5/20/2019 RIDL: Rogue In-flight Data Load
file:///D:/slides/slides.html?print-pdf 86/163
LINE FILL BUFFERS?LINE FILL BUFFERS?Solution: keep track of address in LFB
Send out memory request
Allocate LFB entry
Store address in LFB
Serve other loads/stores
Pending request eventually completes
24.2
![Page 87: RIDL - ieee-security.org · 5/20/2019 RIDL: Rogue In-flight Data Load file:///D:/slides/slides.html?print-pdf 2/ 163 2](https://reader034.vdocuments.us/reader034/viewer/2022042806/5f69df72609ad1643d04a8c2/html5/thumbnails/87.jpg)
5/20/2019 RIDL: Rogue In-flight Data Load
file:///D:/slides/slides.html?print-pdf 87/163
LINE FILL BUFFERS?LINE FILL BUFFERS?Solution: keep track of address in LFB
Send out memory request
Allocate LFB entry
Store address in LFB
Serve other loads/stores
Pending request eventually completes
24.3
LINE FILL BUFFERS?
Allocate LFB entry
May contain data from previous load
RIDL exploits this

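The allocate / store address / complete sequence above, as a small software model added here (not code from the talk or the paper). It shows only what the slides state, that an entry is handed out again without its old data being cleared, and what changes when every entry is overwritten before another security domain runs. The entry count, the names and the sample bytes are assumptions.

```c
/* Added example: simplified software model of the line fill buffer (LFB)
 * steps listed on the slides. LFB_ENTRIES, the function names and the
 * sample bytes are assumptions made for this model; it does not describe
 * the real hardware. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LFB_ENTRIES 10                           /* assumed entry count */
#define LINE_SIZE   64                           /* bytes per cache line */
#define VICTIM_SAMPLE "CONSTRUCTED-VICTIM-DATA"  /* constructed sample */

struct lfb_entry {
    bool     busy;             /* a memory request is still pending */
    uint64_t addr;             /* address of the pending request */
    uint8_t  data[LINE_SIZE];  /* NOT cleared when the entry is reused */
};

struct lfb { struct lfb_entry e[LFB_ENTRIES]; };

void lfb_init(struct lfb *b) { memset(b, 0, sizeof *b); }

/* Cache miss: allocate a free entry and store the address in it, so other
 * loads/stores can be served meanwhile. Returns the entry index, or -1 if
 * every entry is busy. The data field is deliberately left untouched. */
int lfb_allocate(struct lfb *b, uint64_t addr)
{
    for (int i = 0; i < LFB_ENTRIES; i++) {
        if (!b->e[i].busy) {
            b->e[i].busy = true;
            b->e[i].addr = addr;
            return i;
        }
    }
    return -1;
}

/* The pending request eventually completes: the line arrives and the entry
 * becomes free again, still holding the bytes that passed through it. */
void lfb_complete(struct lfb *b, int idx, const uint8_t *line)
{
    memcpy(b->e[idx].data, line, LINE_SIZE);
    b->e[idx].busy = false;
}

/* Stands in for the buffer overwrite listed under mitigation later in the
 * talk: every entry's data is overwritten before another domain runs. */
void lfb_clear_all(struct lfb *b)
{
    for (int i = 0; i < LFB_ENTRIES; i++)
        memset(b->e[i].data, 0, LINE_SIZE);
}

/* Returns how many bytes of the first domain's line are still present in
 * the entry handed to a second domain for an unrelated address. */
int stale_bytes_after_reuse(bool clear_on_domain_switch)
{
    struct lfb b;
    uint8_t line[LINE_SIZE] = {0};
    int stale = 0;

    lfb_init(&b);
    memcpy(line, VICTIM_SAMPLE, strlen(VICTIM_SAMPLE));

    /* Domain A misses the cache; its request completes and frees the entry. */
    int a = lfb_allocate(&b, 0x1000);
    lfb_complete(&b, a, line);

    if (clear_on_domain_switch)
        lfb_clear_all(&b);

    /* Domain B misses on a different address and gets the same entry. */
    int n = lfb_allocate(&b, 0x2000);
    for (int i = 0; i < LINE_SIZE; i++)
        if (line[i] != 0 && b.e[n].data[i] == line[i])
            stale++;
    return stale;
}

int main(void)
{
    printf("stale bytes without clearing: %d\n", stale_bytes_after_reuse(false));
    printf("stale bytes with clearing:    %d\n", stale_bytes_after_reuse(true));
    return 0;
}
```
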
EXPERIMENTS
Experiments in the paper
Conclusion: our primary RIDL instance leaks from Line Fill Buffers

How do we mount a RIDL attack?

THREAT MODEL
Victim VM in the cloud
We get a VM on the same server
We make sure it is co-located
Victim VM runs an SSH server

CHALLENGES

IN-FLIGHT DATA
How do we get data in flight?
We run an SSH client…
…that keeps connecting to the SSH server
The SSH server loads /etc/shadow through LFB
The contents from /etc/shadow are in flight

CHALLENGES

LEAKING
Now that the data is in flight, we want to leak it
We run our RIDL program on our server…
…which leaks the data from the LFB

What does this program look like?

CHALLENGES

RIDL is like drinking from a fire hose
You just get whatever data is in flight!

FILTERING DATA
How can we filter data?
We want to leak from /etc/shadow
First line of /etc/shadow is for root
Starts with "root:"
Use prefix matching:
  Match ⇒ we learn a new byte
  No match ⇒ discard

CHALLENGES

MORE EXAMPLES
More examples in the paper:
Leaking internal CPU data (e.g. page tables)
Arbitrary kernel read
Leaking in the browser

MITIGATION
Same-thread:
  verw overwrites all buffers
  Special assembly snippets
Cross-thread:
  Complex scheduling and synchronization
  Disable Intel Hyper-Threading®

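One way to check both mitigation layers above on a Linux host, as an added example (not the authors' tool and not from the slides). It parses the status line the kernel publishes at /sys/devices/system/cpu/vulnerabilities/mds, where "Clear CPU buffers" corresponds to the same-thread buffer overwrite and the SMT suffix to the cross-thread case. The type and function names are assumptions.

```c
/* Added example: interprets the MDS status line that Linux exposes in
 * sysfs. Type and function names are assumptions for this example; the
 * status strings are the ones the kernel prints. */
#include <stdio.h>
#include <string.h>

#define MDS_SYSFS "/sys/devices/system/cpu/vulnerabilities/mds"

enum same_thread  { ST_NOT_AFFECTED, ST_BUFFERS_CLEARED, ST_NO_MICROCODE,
                    ST_VULNERABLE, ST_UNKNOWN };
enum cross_thread { CT_NOT_AFFECTED, CT_SMT_DISABLED, CT_SMT_MITIGATED,
                    CT_SMT_VULNERABLE, CT_UNKNOWN };

struct mds_status { enum same_thread same; enum cross_thread cross; };

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Split one status line into its same-thread and cross-thread parts. */
struct mds_status mds_parse(const char *line)
{
    struct mds_status s = { ST_UNKNOWN, CT_UNKNOWN };

    if (starts_with(line, "Not affected")) {
        s.same = ST_NOT_AFFECTED;
        s.cross = CT_NOT_AFFECTED;
        return s;
    }
    /* Same-thread: is the buffer clearing active, and backed by microcode? */
    if (starts_with(line, "Mitigation: Clear CPU buffers"))
        s.same = ST_BUFFERS_CLEARED;
    else if (starts_with(line, "Vulnerable: Clear CPU buffers attempted, no microcode"))
        s.same = ST_NO_MICROCODE;   /* clearing is attempted but not guaranteed */
    else if (starts_with(line, "Vulnerable"))
        s.same = ST_VULNERABLE;

    /* Cross-thread: state of the sibling hardware thread (SMT). */
    if (strstr(line, "SMT disabled"))
        s.cross = CT_SMT_DISABLED;
    else if (strstr(line, "SMT mitigated"))
        s.cross = CT_SMT_MITIGATED;
    else if (strstr(line, "SMT vulnerable"))
        s.cross = CT_SMT_VULNERABLE;
    /* "SMT Host state unknown" (guest in a VM) stays CT_UNKNOWN. */
    return s;
}

/* 1 if either layer still needs attention, 0 otherwise. An unknown SMT
 * state counts as needing attention: a guest has to ask the host operator. */
int mds_needs_action(struct mds_status s)
{
    if (s.same == ST_NOT_AFFECTED)
        return 0;
    if (s.same != ST_BUFFERS_CLEARED)
        return 1;
    return s.cross == CT_SMT_VULNERABLE || s.cross == CT_UNKNOWN;
}

int main(void)
{
    char line[256];
    FILE *f = fopen(MDS_SYSFS, "r");

    if (!f) {
        puts("no MDS status in sysfs (older kernel, or not Linux)");
        return 2;
    }
    if (!fgets(line, sizeof line, f)) {
        fclose(f);
        return 2;
    }
    fclose(f);
    line[strcspn(line, "\n")] = '\0';

    struct mds_status s = mds_parse(line);
    printf("kernel reports: %s\n", line);
    printf("same-thread buffer clearing active: %s\n",
           s.same == ST_BUFFERS_CLEARED ? "yes" : "no");
    printf("sibling hardware thread exposed:    %s\n",
           s.cross == CT_SMT_VULNERABLE ? "yes" :
           s.cross == CT_UNKNOWN ? "unknown" : "no");
    return mds_needs_action(s);
}
```
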
Disclosure process

MDS TOOL
We wrote a tool to verify your system:

CONCLUSION
Spectre and Meltdown, just one mistake?
New class of speculative execution attacks
Many more buffers other than caches to leak from
Does not rely on addresses ⇒ hard to mitigate
Across security domains, and in the browser

@themadstephan @vu5ec
https://mdsattacks.com