

## Hardware-assisted Security: From Trust Anchors to Meltdown of Trust

Ahmad-Reza Sadeghi

Technische Universität Darmstadt & Intel Collaborative Research Institute for Collaborative & Resilient Autonomous Systems





#### Historical Overview: Deployed Systems

| Decade | Deployed systems |
|--------|------------------|
| 1970s  | Cambridge CAP; reference monitor |
| 1980s  | VAX/VMS; protection rings; simple smart cards |
| 1990s  | Java security architecture; hardware-assisted secure boot; Java Card platform |
| 2000s  | TI M-Shield; Trusted Platform Module (TPM); late launch / TXT; ARM TrustZone; mobile hardware security architectures; mobile OS security architectures; Mobile Trusted Module (MTM); On-board Credentials |
| 2010s  | GP TEE standards; TPM 2.0; Intel SGX |

Lines of development shown: computer security, mobile security, smart card security.



#### Deployed HW-Assisted Security Technologies







#### Historical Overview: Research



Trusted Execution Security Extensions





#### We Need Change of Culture!





#### Today's Systems: Attack Surface





#### **Goal: Self-Contained Security**





## Intrinsic Security Primitives: The PUF Myth





## Physically Unclonable Functions (PUFs)









Device → Physically Unclonable Function (noisy function based on physical properties) → Hardware Fingerprint (unique intrinsic identifier)



#### **Inherently Unclonable**

Due to unpredictable randomness during manufacturing of the tag



#### Infeasible to predict

Challenge/response behavior is pseudo-random



#### Tamper-evident

Tampering with the PUF hardware changes challenge/response behavior



**Other PUFs** 





#### **PUFs: Main Categories**

#### **Memory-based PUFs**

Row Hammer-PUF [Schaller et al., HOST'17]

The output is based on the state of memory cells after a power cycle

#### **Delay-based PUFs**

The output is determined by the faster of two signal paths



#### Example: Arbiter PUF



Pair of identically designed delay lines

- Ideally both paths have the same delay
- The arbiter determines which signal arrives first
- Challenge-dependent switches
- The switches select different delay paths



Manufacturing variations affect the delay lines

- Either of the two paths will be faster
- One-bit response, decided at signal arrival



#### How Good are PUFs in Practice?





#### **PUF Security in Practice**





Selected attacks & analysis:

| Year | Attack / analysis | Reference |
|------|-------------------|-----------|
| 2004 | ML modeling attack (A-PUF) | [Lee et al., VLSIC'04] |
| 2008 | ML modeling attack (FF A-PUF) | [Majzoobi et al., ITC'08] |
| 2010-2012 | ML modeling attack on delay-based PUFs | [Rührmair et al., CCS'10] |
| 2010-2012 | Formal security model | [Armknecht et al., S&P 2011] |
| 2010-2012 | PUFs: Myth, Fact or Busted? | [Katzenbeisser et al., CHES'12] |
| 2010-2012 | Semi-invasive EM attack (RO-PUF) | [Merli et al.] |
| 2013 | Semi-invasive attack on PUFs | [Nedospasov et al., FDTC'13] |
| 2013 | Cloning SRAM PUF | [Helfmeier et al., HOST'13] |
| 2013 | Remanence decay SCA (SRAM PUF) | [Oren et al., CHES'13] |
| 2013 | Noise SCA (A-PUF) | [Delvaux et al., HOST'13] |
| 2014 | Photon emission analysis (A-PUF) | [Tajik et al., CHES'14] |
| 2014 | ML modeling attack (Bistable Ring PUF) | [Hesselbarth et al., TRUST'14] |
| 2014 | Hybrid modeling attacks (current-based PUF) | [Kumar et al., ICCD'14] |
| 2014 | Power & timing SCA (A-PUF) | [Rührmair et al., CHES'14] |
| 2015-2018 | Reliability-based ML modeling attack (XOR A-PUF) | [Becker, CHES'15] |
| 2015-2018 | Unified security model for PUFs | [Armknecht et al., CT-RSA 2016] |
| 2015-2018 | ML modeling attack (Bistable Ring PUF) | [Ganji et al., CHES'16] |
| 2015-2018 | ML modeling attack on non-linear PUFs | [Vijaykumar et al., HOST'16] |
| 2015-2018 | Hammering RH-PUF | [Zeitouni et al., DAC'18] |



#### Example: Arbiter PUF

Goal: Recovering the values of the wire delays inside the switch boxes





# Arbiter PUF on a Complex Programmable Logic Device (CPLD): Backside View



Placement of an Arbiter PUF with 8 switches

















Recovered wire delays of the upper path (W<sub>u</sub>) and the lower path (W<sub>l</sub>) per challenge C:

| C | 0x00 | 0x01 | 0x02 | 0x04 | 0x08 | 0x10 | 0x20 | 0x40 | 0x80 |
|---|------|------|------|------|------|------|------|------|------|
| W<sub>u</sub> | $v_1$ | $v_2$ | | | | | | | |
| W<sub>l</sub> | $u_1$ | $u_2$ | | | | | | | |



#### Beyond CMOS-based PUFs

CMOS-based PUFs exhibit linear behavior, which makes them vulnerable to machine-learning attacks.

One solution: add components with non-linear behavior to complicate or escape machine-learning attacks, e.g., memristors.
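As an added example (not code from the talk), the additive-delay model behind the arbiter PUF described above, together with the metrics used to judge a PUF in practice and a linear modelability check that makes the "linear behavior, hence learnable" point concrete; Gaussian stage delays, 32 stages and the perceptron are assumptions of this simulation:

```python
import random
from typing import List, Optional, Sequence, Tuple

# Constructed example, not code from the talk: additive-delay model of an
# n-stage arbiter PUF, the metrics a designer computes (uniformity, uniqueness,
# reliability) and a modelability check showing why the linear CMOS arbiter
# PUF is learnable from a few thousand challenge/response pairs (CRPs).

Challenge = Sequence[int]  # bits c_0..c_{n-1}, each 0 or 1
Weights = List[float]      # stage delay differences w_0..w_{n-1} plus arbiter bias w_n

def make_arbiter_puf(n_stages: int, rng: random.Random) -> Weights:
    """One chip: manufacturing variation per stage modelled as a Gaussian delay
    difference (assumption), plus a final arbiter bias."""
    return [rng.gauss(0.0, 1.0) for _ in range(n_stages + 1)]

def feature_vector(challenge: Challenge) -> List[int]:
    """Parity transform phi_i = prod_{j>=i} (1 - 2*c_j), phi_n = 1. Each switch
    crosses or keeps the two racing signals, so the delay difference at the
    arbiter is a *linear* function of these +/-1 features."""
    n = len(challenge)
    phi = [1] * (n + 1)
    for i in range(n - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi

def response(weights: Weights, challenge: Challenge,
             noise_sigma: float = 0.0, rng: Optional[random.Random] = None) -> int:
    """Arbiter output: 1 if the upper path wins the race, else 0. Optional
    Gaussian noise models environmental jitter of the delay lines."""
    delta = sum(w * p for w, p in zip(weights, feature_vector(challenge)))
    if noise_sigma > 0.0 and rng is not None:
        delta += rng.gauss(0.0, noise_sigma)
    return 1 if delta > 0.0 else 0

def random_challenge(n_stages: int, rng: random.Random) -> List[int]:
    return [rng.randrange(2) for _ in range(n_stages)]

def uniformity(pufs: List[Weights], challenges: List[Challenge]) -> float:
    """Average fraction of 1-responses; ideal 0.5."""
    ones = sum(response(p, c) for p in pufs for c in challenges)
    return ones / (len(pufs) * len(challenges))

def uniqueness(pufs: List[Weights], challenges: List[Challenge]) -> float:
    """Mean pairwise inter-chip Hamming distance on the same challenges; ideal 0.5."""
    dists = []
    for i in range(len(pufs)):
        for j in range(i + 1, len(pufs)):
            hd = sum(response(pufs[i], c) != response(pufs[j], c) for c in challenges)
            dists.append(hd / len(challenges))
    return sum(dists) / len(dists)

def reliability(weights: Weights, challenges: List[Challenge], noise_sigma: float,
                rng: random.Random, repeats: int = 5) -> float:
    """Fraction of noisy re-evaluations reproducing the noise-free bit; ideal 1.0."""
    stable = sum(response(weights, c, noise_sigma, rng) == response(weights, c)
                 for c in challenges for _ in range(repeats))
    return stable / (len(challenges) * repeats)

def fit_linear_model(crps: List[Tuple[Challenge, int]], n_stages: int,
                     epochs: int = 20) -> Weights:
    """Perceptron on the parity features: the textbook modelability check for
    delay-based PUFs. It converges because the responses are linearly separable."""
    w = [0.0] * (n_stages + 1)
    for _ in range(epochs):
        for c, r in crps:
            phi = feature_vector(c)
            predicted = 1 if sum(wi * pi for wi, pi in zip(w, phi)) > 0.0 else 0
            if predicted != r:
                step = 1.0 if r == 1 else -1.0
                w = [wi + step * pi for wi, pi in zip(w, phi)]
    return w

def modelability(weights: Weights, n_stages: int, n_train: int, n_test: int,
                 rng: random.Random) -> float:
    """Accuracy of the learned model on unseen challenges; ~0.5 would mean unlearnable."""
    train = [random_challenge(n_stages, rng) for _ in range(n_train)]
    model = fit_linear_model([(c, response(weights, c)) for c in train], n_stages)
    test = [random_challenge(n_stages, rng) for _ in range(n_test)]
    return sum(response(model, c) == response(weights, c) for c in test) / n_test

def evaluate(n_stages: int = 32, seed: int = 7) -> dict:
    """All four metrics for a batch of 8 simulated chips and 1000 challenges."""
    rng = random.Random(seed)
    pufs = [make_arbiter_puf(n_stages, rng) for _ in range(8)]
    challenges = [random_challenge(n_stages, rng) for _ in range(1000)]
    return {"uniformity": uniformity(pufs, challenges),
            "uniqueness": uniqueness(pufs, challenges),
            "reliability": reliability(pufs[0], challenges, 0.2, rng),
            "model_accuracy": modelability(pufs[0], n_stages, 2000, 500, rng)}
```

The first three metrics come out close to their ideals, while the model accuracy lands well above 0.9 from only 2000 CRPs; a design that resists modeling would have to push that last number toward 0.5.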



#### Memristors

- A resistor that changes its resistance as voltage is applied
- Applications:
  - Oscillators
  - Learners (neural networks)
  - Memories
  - PUFs!
- The top (bottom) figure shows the current-voltage characteristics of a memristor (resistor)





#### CMOS-based APUF vs. Memristor-based APUF





#### CMOS-based APUF vs. Memristor-based APUF



CMOS-based Arbiter PUF: Voltage at the upper path

Memristor-based Arbiter PUF: Voltage at the upper path



#### Conclusion

- Many PUF designs, no unified security model
- Several successful attacks
  - Non-destructive physical attacks
  - Modeling attacks
- Designing secure PUFs is challenging?
  - What are the costs?
- PUFs based on advanced memory technologies
  - E.g., Memristors



## Our Current Work: Framework for Evaluation of Memristor-based PUFs


# Framework for Evaluation of Memristor-based PUFs





# Integrated Security Devices: The TPM Promise





# **Trusted Computing**

• Authenticated Boot and Attestation










# Summary: TPM-based Trusted Computing

TPM assumptions and shortcomings

- Binary hashes express trustworthiness of code
  - Runtime attacks (e.g., code reuse) undermine this assumption
- Unforgeability of measurements
  - TPM 1.2 uses deprecated SHA1
- Protection against software attacks only
  - Hardware attacks on TPM



# Our Current Work: Control-Flow Attestation



# **Ongoing Work: Towards Run-time Attestation**

Control Flow Attestation [Davi et al, CCS 2016 & DAC 2017]
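An added example (not code from the talk or the cited papers) contrasting the TPM assumption that binary hashes express trustworthiness with control-flow attestation: a PCR-style extend chain over a toy boot sequence, and a hash chain over the executed path of a toy program; the binaries, block names and the C-FLAT-style path hashing are constructed for the demonstration:

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Sequence, Set

# Constructed example, not code from the talk or the cited papers: a minimal
# TPM-style measured boot (PCR extend chain over binary hashes) next to a toy
# control-flow attestation that hashes the *executed* path, in the spirit of
# C-FLAT [Davi et al.]. Binaries, block names and paths are made up.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). Order-sensitive and not
    resettable, so one value summarises the whole chain."""
    return sha256(pcr + measurement)

def measured_boot(stages: Sequence[bytes]) -> bytes:
    """Authenticated boot: each stage hashes the next binary before handing over."""
    pcr = b"\x00" * 32
    for binary in stages:
        pcr = pcr_extend(pcr, sha256(binary))
    return pcr

# A toy program's control-flow graph: basic block -> allowed successors.
CFG: Dict[str, List[str]] = {
    "entry": ["check_auth"],
    "check_auth": ["grant", "deny"],
    "grant": ["exit"],
    "deny": ["exit"],
    "exit": [],
}

def cfa_measure(path: Sequence[str]) -> bytes:
    """Prover side: hash chain over the executed control-flow edges (the same
    extend primitive, fed with run-time edges instead of binary hashes)."""
    h = b"\x00" * 32
    for src, dst in zip(path, path[1:]):
        h = pcr_extend(h, f"{src}->{dst}".encode())
    return h

def valid_path_hashes(start: str = "entry", end: str = "exit") -> Set[bytes]:
    """Verifier side: enumerate every legitimate path through the CFG once
    (offline) and keep only the resulting hashes."""
    found: Set[bytes] = set()
    def walk(path: List[str]) -> None:
        if path[-1] == end:
            found.add(cfa_measure(path))
            return
        for nxt in CFG[path[-1]]:
            if nxt not in path:          # loops are out of scope for this toy
                walk(path + [nxt])
    walk([start])
    return found

def cfa_accepts(path: Sequence[str], allowed: Optional[Set[bytes]] = None) -> bool:
    allowed = valid_path_hashes() if allowed is None else allowed
    report = cfa_measure(path)
    return any(hmac.compare_digest(report, good) for good in allowed)

def runtime_attack_visibility() -> Dict[str, bool]:
    """Same binary, two executions: a legitimate run and a code-reuse run that
    jumps from 'entry' straight into 'grant'. Static measurement cannot tell
    them apart because no binary changed; control-flow attestation can."""
    stages = [b"bootloader-v1", b"kernel-v1", b"app-v1"]   # constructed binaries
    pcr_benign = measured_boot(stages)
    pcr_during_attack = measured_boot(stages)   # code reuse modifies no binary
    benign_path = ["entry", "check_auth", "deny", "exit"]
    hijacked_path = ["entry", "grant", "exit"]
    return {
        "static_pcr_changed": pcr_benign != pcr_during_attack,
        "cfa_rejects_hijack": not cfa_accepts(hijacked_path),
        "cfa_accepts_benign": cfa_accepts(benign_path),
    }
```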





# **Trusted Execution Environment (TEE)**





#### Assumptions:

- Apps in Secure World are trustworthy
- Normal World cannot influence Secure World



IMEI: International Mobile Equipment Identifier






#### iOS

- Device Encryption
  - Touch ID, Apple Pay

#### Android

- Secure I/O, Attestation
- Full-Disk Encryption (FDE)
- Real-time Kernel Protection (TIMA)






## Summary: ARM TrustZone

- ARM TrustZone Outdated?
  - Deployed for almost two decades
- Trusted computing for vendors and friends only
  - No access for app developer
- Many attacks have been shown over the last years
- On the positive side
  - Secure I/O



# Our Current Work: "Arbitrary" Number of TEEs in Normal World on ARM TZ



#### Intel Software Guard Extensions (SGX)










# SGX (Adversary) Model



NIC: Network Interface Controller MMU: Memory Management Unit






## **Run-time Attacks Inside the Enclave**







[Biondo et al., USENIX Sec. 2018]








# Leakage in Intel's SGX





Granularity: page 4K, good for big data structures



EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault








## Cache Attacks on SGX: Hack in The Box










# Side-Channel Attacks Basics: Prime + Probe






















- "Classical" scenario: unprivileged attacker
- OS\* is not collaborating with the attacker
  - OS can directly access process memory containing the victim's secret
  - System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)



\*OS: Operating System and any other privileged system software
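An added simulation (not from the talk) of the Prime+Probe mechanism on a set-associative cache model, assuming a 64-set, 8-way L1D-like cache and a 256-entry lookup table of 16-byte entries; it shows what the observer learns from one secret-indexed lookup, and that a lookup touching every line of the table leaves no set-level signal:

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed simulation, not code from the talk: Prime+Probe on a model of a
# 32 KiB, 8-way, 64-set L1D-like cache (LINE/SETS/WAYS are assumptions). The
# victim performs one table lookup indexed by a secret byte; the observer
# learns which cache set the lookup touched. The oblivious variant touches
# every line of the table on each lookup, which removes the set-level signal.

LINE, SETS, WAYS = 64, 64, 8
TABLE_BASE = 0x10000                    # 0x10000 / 64 = 1024 lines, 1024 % 64 == 0
ENTRY_SIZE = 16                         # 256 entries * 16 B = 4 KiB = one line per set
TABLE = [(i * 7 + 3) % 256 for i in range(256)]   # constructed lookup-table contents

class Cache:
    """Set-associative cache with LRU replacement. It only tracks which
    (owner, tag) pairs are resident, which is all eviction behaviour needs."""
    def __init__(self) -> None:
        self.sets: List[List[Tuple[str, int]]] = [[] for _ in range(SETS)]

    @staticmethod
    def locate(addr: int) -> Tuple[int, int]:
        line = addr // LINE
        return line % SETS, line // SETS          # (set index, tag)

    def access(self, owner: str, addr: int) -> bool:
        """Touch one address; returns True on a hit, False on a miss."""
        s, tag = self.locate(addr)
        ways = self.sets[s]
        key = (owner, tag)
        if key in ways:
            ways.remove(key)
            ways.append(key)                      # move to MRU position
            return True
        if len(ways) >= WAYS:
            ways.pop(0)                           # evict LRU
        ways.append(key)
        return False

def attacker_lines(s: int) -> List[int]:
    """WAYS distinct attacker-owned addresses that all map to set s."""
    return [(s + SETS * w) * LINE for w in range(WAYS)]

def leaky_lookup(cache: Cache, secret: int) -> int:
    """Secret-dependent access: touches exactly one table line."""
    cache.access("victim", TABLE_BASE + secret * ENTRY_SIZE)
    return TABLE[secret]

def oblivious_lookup(cache: Cache, secret: int) -> int:
    """Side-channel resilient variant: read every line of the table and select
    the wanted entry arithmetically, so the access pattern is secret-independent."""
    result = 0
    for idx in range(256):
        cache.access("victim", TABLE_BASE + idx * ENTRY_SIZE)
        result |= TABLE[idx] & -(idx == secret)   # branch-free select
    return result

def prime_probe(victim: Callable[[Cache, int], int], secret: int) -> Set[int]:
    """Observer's view: the sets that showed at least one miss when re-probed."""
    cache = Cache()
    for s in range(SETS):                         # prime: fill every set
        for addr in attacker_lines(s):
            cache.access("attacker", addr)
    victim(cache, secret)                         # victim runs on the shared cache
    touched: Set[int] = set()
    for s in range(SETS):                         # probe in reverse order so the
        for addr in reversed(attacker_lines(s)):  # probe does not self-evict under LRU
            if not cache.access("attacker", addr):
                touched.add(s)
    return touched

def leak_per_secret(victim: Callable[[Cache, int], int]) -> Dict[int, Set[int]]:
    """Observation for a few secrets: distinct sets mean the lookup leaks."""
    return {secret: prime_probe(victim, secret) for secret in (0, 7, 200, 255)}
```

With one table line per set the observer recovers secret // 4 from the leaky lookup (four candidates per set, the granularity point from the slides), while the oblivious lookup lights up all 64 sets for every secret.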








EPC: Enclave Page Cache SMT: Simultaneous Multithreading








# SGX Side-Channel Attacks Comparison

|                  | Attack Type         | Observed<br>Cache | Interrupting<br>Victim | Cache Eviction<br>Measurement | Attacker<br>Code | Attacked<br>Victim            |
|------------------|---------------------|-------------------|------------------------|-------------------------------|------------------|-------------------------------|
| Lee et al.       | Branch<br>Shadowing | BTB / LBR         | Yes                    | Execution<br>Timing           | OS               | RSA & SVM<br>classifier       |
| Moghimi et al.   | Prime +<br>Probe    | L1(D)             | Yes                    | Access timing                 | OS               | AES                           |
| Götzfried et al. | Prime +<br>Probe    | L1(D)             | No                     | PCM                           | OS               | AES                           |
| Our Attack       | Prime +<br>Probe    | L1(D)             | No                     | PCM                           | OS               | RSA &<br>Genome<br>Sequencing |
| Schwarz et al.   | Prime +<br>Probe    | L3                | No                     | Counting<br>Thread            | Enclave          | AES                           |

PCM: Performance Counter Monitor BTB: Branch Target Buffer LBR: Last Branch Record





Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018






APIC: Advanced Programmable Interrupt Controller SMT: Simultaneous Multithreading PCM: Performance Counter Monitor











































## Spatial vs. Temporal Resolution





## Our Attack Use-Cases

#### **Extracting 2048-bit RSA** decryption key

#### **Extracting genome sequences**




[arXiv:1702.07521]











#### Genome Analysis Enclave (e.g. PRIMEX)

Encrypted genome sequence: TTGACCCACTGAATCACGTCTG...

#### **Pre-processing**

- Split input into sub-sequences (k-mers)
- Store k-mer positions in a hashtable

#### Analysis

- Statistical analysis, e.g., to identify correlations in the data

Attacker's goal: identify k-mer sequences in the input string, allowing the identification of individuals



## Human Genome

- Nucleobases
  - Adenine (A)
  - Cytosine (C)
  - Guanine (G)
  - Thymine (T)
- Microsatellite
  - Forensic analysis
  - Genetic fingerprinting
  - Kinship analysis

TTGACCCACTGAATCACGTCTGACCGCGCGTACGCGG TCACTTGCGGTGCCGTTTTCTTTGTTACCGACGACCG ACCAGCGACAGCCACCGCGCGCTCACTGCCACCAAAA GAGTCATATCGATCGATCGATCGATCGATCGATCGAT CGATCGATCGATCGATCGATCGATCGATCGATCATCA CAGCCGACCAGTTTCTGGAACGTTCCCGATACTGGAA CGGTCCTAATGCAGTATCCCACCCTCCTTCCATCGAC GCCAGTCGAATCACGCCGCCAGCCACCGTCCGCCAGC CGGCCAGAATACCGATGACTCGGCGGTCTCGTGTCGG TGCCGGCCTCGCAGCCATTGTACTGGCCCTGGCCGCA GTGTCGGCTGCCGCTCCGATTGCCGGGGCGCAGTCCG CCGGCAGCGGTGCGGTCTCAGTCACCATCGGCGACGT GGACGTCTCGCCTGCGAACCCAACCACGGGCACGCAG GTGTTGATCACCCCGTCGATCAACAACTCCGGATCGG CAAGCGGGTCCGCGCGCGTCAACGAGGTCACGCTGCG CGGCGACGGTCTCCTCGCAACGGAAGACAGCCTGGGG











#### Indexer and Hash Table

Figure: input sequence AGCAGCATCAGGTAC... → Indexer → Hash Table (k-mer positions 0, 3, 1, 2, ...)

- Hash table access pattern
  - Hash table entry 8 bytes
  - Cache line size 64 bytes
  - Collisions
- Genome unstructured
- Microsatellites structured



## Microsatellites and Processed k-mers



The microsatellite will activate cache lines 2, 4, 5 and 0 repeatedly



## Genome Sequencing Attack Results

- Monitor the cache lines associated with the satellite
- High activity in these cache lines reveals the occurrence of the satellite in the input string





## SGX Side Channels & Defenses





## SGX Specific Side-Channel Defenses Using TSX

- Intel TSX is a hardware mechanism for transactional memory (a region of memory accesses either commits atomically or is rolled back)
- TSX is **not** available on all SGX-enabled processors

- T-SGX: uses TSX to detect enclave interrupts [Shih et al., NDSS'17]
- Cloak: primes the cache before accessing sensitive data [Schuster et al., USENIX 2017]
- Déjà Vu: uses TSX to detect enclave slowdown [Chen et al., AsiaCCS'17]

TSX: Transactional Synchronization Extensions



## General Hardware-based Side-Channel Defenses

### Temporal cache isolation



#### Cache partitioning / coloring



#### Randomized cache mappings





## General Hardware-based Side-Channel Defenses





## General Software-only Side-Channel Defenses

- Side-channel resilient software design
- Monitoring for attack effects





## General Software-only Side-Channel Defenses





























## Summary: SGX – All Problems Solved?

- Side channels more drastic than originally thought
- Current add-on defenses not practical or effective
- Academic research solutions mostly not deployed
- Generic software-only side-channel defenses required
  - No security expertise of enclave developers (no annotations)
  - Hardware extensions/features not available in *all* SGX CPUs





## Our Current Work: Generic Software-only Side-Channel Defenses



# Our Current Work: Software-based Side-Channel Mitigations

[Brasser et al., DR. SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization, ArXiv]



Sensitive Array










## **DR.SGX Re-randomization**
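An added example (not code from the talk or from DR.SGX) that ties the genome use-case to the re-randomization idea: the indexer's hash-table inserts are mapped to cache lines with the talk's 8-byte entries and 64-byte lines, a microsatellite concentrates activity on a few lines, and re-drawing the entry-to-slot permutation every W accesses spreads it out; the k-mer length, table size and the sequences are assumptions:

```python
import hashlib
import random
from collections import Counter
from typing import List

# Constructed example, not code from the talk or from DR.SGX: models the
# indexer's hash-table inserts as cache-line accesses, with the talk's 8-byte
# entries and 64-byte lines. A microsatellite (repeated motif) keeps hitting
# the same few lines; re-drawing the entry->slot permutation every W accesses
# (DR.SGX-style re-randomization) spreads those hits over the whole table.
# K, BUCKETS and the sequences are assumptions for the demonstration.

K = 4                          # k-mer length
ENTRY, LINE = 8, 64            # hash-table entry and cache-line size (from the talk)
BUCKETS = 4096                 # table slots -> 512 cache lines
LINES = BUCKETS * ENTRY // LINE

def kmers(seq: str) -> List[str]:
    return [seq[i:i + K] for i in range(len(seq) - K + 1)]

def bucket(kmer: str) -> int:
    """Deterministic hash of a k-mer to a table slot (SHA-256 stands in for
    whatever hash the real indexer uses)."""
    return int.from_bytes(hashlib.sha256(kmer.encode()).digest()[:4], "big") % BUCKETS

def line_activity(seq: str, rerandomize_every: int = 0, seed: int = 1) -> Counter:
    """Cache-line hit counts caused by inserting every k-mer of seq.
    rerandomize_every=0 keeps the static layout; otherwise the slot permutation
    is re-drawn after that many accesses, moving each entry to a fresh line."""
    rng = random.Random(seed)
    placement = list(range(BUCKETS))      # entry i currently lives at slot placement[i]
    counts: Counter = Counter()
    for n, kmer in enumerate(kmers(seq)):
        if rerandomize_every and n % rerandomize_every == 0:
            rng.shuffle(placement)
        slot = placement[bucket(kmer)]
        counts[slot * ENTRY // LINE] += 1
    return counts

def top_line_share(counts: Counter) -> float:
    """Share of all accesses absorbed by the single busiest cache line: the
    signal the attack monitors (high activity on a few lines = satellite present)."""
    return max(counts.values()) / sum(counts.values())

def random_genome(length: int, seed: int) -> str:
    rng = random.Random(seed)
    return "".join(rng.choice("ACGT") for _ in range(length))

def compare(window: int = 8) -> dict:
    """Busiest-line share for unstructured input, a satellite, and the satellite
    under re-randomization every `window` accesses."""
    satellite = "CGAT" * 40                   # constructed microsatellite
    background = random_genome(600, seed=3)   # constructed unstructured sequence
    return {
        "background_static": top_line_share(line_activity(background)),
        "satellite_static": top_line_share(line_activity(satellite)),
        "satellite_rerandomized": top_line_share(line_activity(satellite, window)),
    }
```

The satellite's four rotating k-mers put roughly a quarter of all accesses on one line in the static layout, while the unstructured input and the re-randomized satellite both stay in the low single-digit percent range.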





# Meltdown and Spectre

We're all entitled to an occasional <u>Meltdown</u>





# So, you might have noticed...

Press coverage, 3 January 2018 (headlines from the screenshots):

- The New York Times, Technology, by Cade Metz and Nicole Perlroth, Jan. 3, 2018: "Researchers Discover Two Major Flaws in the World's …"
- The Inquirer: "Intel, ARM and AMD all affected by security-bypassing, kernel-bothering CPU bugs. Fixes exist but it looks like fundamental processor designs are borked." Lead: "MELTDOWN COULD BE IMMINENT for the central processor unit (CPU) world as the security flaw that affects Intel chips has been found to blight other slices of silicon."
- WIRED, Security, Andy Greenberg, 01.03.18: "Critical Intel Fla…"
- "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers"



# Three Attacks

- CVE-2017-5754 (aka *Meltdown*)
  - Exploits rogue data-cache loads during speculative execution
- CVE-2017-5753 (aka *Spectre*, variant 1)
  - Exploits bounds-check bypasses during speculative execution
- CVE-2017-5715 (aka *Spectre*, variant 2)
  - Exploits branch-target injection during speculative execution



# Intel Inside Bug inside Speculative Execution!



### And what is a processor anyways?










### Some operations are SLOOOOOOW

- Two read operations can easily stall the CPU for more than 100ns
- An integer addition takes two orders of magnitude less time (~1ns)
- So, in the time domain the execution looks like this:
- Processor does *NOTHING* for 100ns!





#### **Instruction Stream:** **Out-of-Order Execution:**

Figure: an instruction stream of one SLOW OP (e.g., memory access or branch) followed by FAST OPs (e.g., ALU). Out-of-order execution runs the fast ALU ops while the memory access is still pending ("Maybe nobody will notice..."); when the reordering turns out to be wrong ("Do it in order, stupid!"), the processor rolls back and falls back to in-order execution.

To boost performance, modern processors execute instructions out-of-order!

### Only correct optimizations are committed!



### *Out-of-Order* vs. *Speculative* Execution

- If the instruction that is re-ordered is a **branching instruction**, the resulting out-of-order stream is called *speculative execution*



- Many processors **do not** optimize this
- Bigger processors invest a lot of work into optimizing branches!
- Simple optimization:
  - Always execute both branches
  - only commit the correct one








































