Load-to-store: store buffer暂态窗口时间泄露的利用

doi:10.11959/j.issn.1000-436x.2023051

摘要/Abstract

摘要：

为了研究现代处理器微架构中的漏洞并制定对应防护，针对负责管理访存指令执行顺序的内存顺序缓冲（MOB）进行分析，发现前向加载会把存在依赖的store指令的数据直接旁路到load指令，推测加载会提前执行不存在依赖的load指令，在带来效率优化的同时，也可能导致执行出错与相应的阻塞。针对Intel Coffee Lake微架构上现有MOB优化机制，分析如何利用内存顺序缓冲的4种执行模式与对应执行时间，构造包括暂态攻击、隐蔽信道与还原密码算法私钥的多种攻击。利用MOB引发的时间差还原内存指令地址，该地址可泄露AES T表实现的索引值。在Intel i5-9400处理器上对OpenSSL 3.0.0的AES-128进行了密钥还原实验，实验结果显示， 30 000组样本能以63.6%概率还原出一个密钥字节，且由于内存顺序缓冲的特性，该利用隐蔽性优于传统cache时间泄露。

关键词: 内存顺序缓冲, 微架构侧信道漏洞, OpenSSLAES, 时间侧信道

Abstract:

To research the vulnerability of modern microarchitecture and consider the mitigation, memory order buffer which was responsible for managing the execution order of memory access instructions was analyzed and found that load forward would directly bypass the data of dependent store instructions to load instructions, and speculative load would execute independent load instructions in advance.While bring efficiency optimizations, it might also lead to errors and corresponding blocking.The existing optimization mechanisms on the Intel Coffee Lake microarchitecture, and the leak attack scheme by using them were analyzed.Using the four execution modes of MOB and the corresponding duration, a variety of attacks were constructed including transient attack, covert channel, and recovery of the private key of the cryptographic algorithm.The time difference caused by MOB was used to leak the address of memory instructions, and the implementation of AES T table was attacked.Key recovery experiments were conducted on AES-128 with OpenSSL 3.0.0 on an Intel i5-9400 processor.The experimental results show that 30 000 sets of samples can recover a key byte with a probability of 63.6%.Due to the characteristics of memory order buffer, the concealment of the exploit is better than traditional cache time leaks.

Key words: memory order buffer, microarchitectural side-channel vulnerability, OpenSSL AES, timing side-channel

中图分类号:

TP309.2

唐明, 胡一凡. Load-to-store: store buffer暂态窗口时间泄露的利用[J]. 通信学报, 2023, 44(4): 64-77.

Ming TANG, Yifan HU. Load-to-store: exploit the time leakage of store buffer transient window[J]. Journal on Communications, 2023, 44(4): 64-77.

图/表 20

图1

图2

图3

图4

表1

图5

图6

图7

图8

图9

图10

图11

图12

图13

表2

图14

图15

图16

表3

A lts MOB 与其他微架构时间侧信道对比"

算法	所需加密次数/次	攻击时间/s	隐蔽性	已知防御
Flush+Reload	500	215	无	有
Prime+Probe	9 600	234	无	有
Flush+Flush	700	163	有	有
$A_{lts}^{MOB}$	30 000	279	有	无

表3

表4

参考文献 39

[1]	HENNESSY J L , PATTERSON D A . Computer architecture:a quantitative approach[M]. Fifth Edition. San Francisco: Margan Kaufmann, 2006.
[2]	SCHAIK V S , MILBURN A , ?STERLUND S ,et al. RIDL:rogue In-flight data load[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 88-105.
[3]	ABU-GHAZALEH N , PONOMAREV D , EVTYUSHKIN D . How the Spectre and meltdown hacks really worked[J]. IEEE Spectrum, 2019,56(3): 42-49.
[4]	SULLIVAN D , ARIAS O , MEADE T ,et al. Microarchitectural minefields:4K-aliasing covert channel and multi-tenant detection in IaaS clouds[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Virginia:the Internet Society, 2018: 1-14.
[5]	MOGHIMI A , WICHELMANN J , EISENBARTH T ,et al. MemJam:a false dependency attack against constant-time crypto implementations[J]. International Journal of Parallel Programming, 2019,47(4): 538-570.
[6]	ISLAM S , MOGHIMI A , BRUHNS I ,et al. SPOILER:speculative load hazards boost rowhammer and cache attacks[C]// Proceedings of the 28th USENIX Conference on Security Symposium. New York:ACM Press, 2019: 621-637.
[7]	YAROM Y , FALKNER K . Flush+Reload:a high resolution,low noise,L3 cache side-channel attack[C]// Proceedings of the 23rd USENIX Conference on Security Symposium. New York:ACM Press, 2014: 719-732.
[8]	KOCHER P , HORN J , FOGH A ,et al. Spectre attacks:exploiting speculative execution[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1-19.
[9]	LIPP M , SCHWARZ M , GRUSS D ,et al. Meltdown:reading kernel memory from user space[J]. Communications of the ACM, 2020,63(6): 46-56.
[10]	OSVIK D A , SHAMIR A , TROMER E . Cache attacks and countermeasures:the case of AES[C]// Proceedings of the Cryptographers’ Track at the RSA Conference on Topics in Cryptology. New York:ACM Press, 2006: 1-20.
[11]	GRUSS D , MAURICE C , WAGNER K ,et al. Flush+Flush:a fast and stealthy cache attack[M]. Cham: Springer International Publishing, 2016.
[12]	CANELLA C , GENKIN D , GINER L ,et al. Fallout:leaking data on meltdown-resistant CPUs[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 769-784.
[13]	YAN M J , CHOI J , SKARLATOS D ,et al. InvisiSpec:making speculative execution invisible in the cache hierarchy[C]// Proceedings of 51st Annual IEEE/ACM International Symposium on Microarchitecture. Piscataway:IEEE Press, 2018: 428-441.
[14]	BENGER N M , POL J V D , SMART N P ,et al. “Ooh aah...just a little bit”:a small amount of side channel can go a long way[C]// International Workshop on Cryptographic Hardware and Embedded Systems. Berlin:Springer, 2014: 75-92.
[15]	SCHWARZ M , CANELLA C , GINER L ,et al. Store-to-leak forwarding:leaking data on meltdown-resistant CPUs (updated and extended version)[J]. arXiv Preprint,arXiv:1905.05725, 2019.
[16]	KURTH M , GRAS B , ANDRIESSE D ,et al. NetCAT:practical cache attacks from the network[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 20-38.
[17]	RAMANATHAN R M , CURRY R , CHENNUPATY S ,et al. Extending the world’s most popular processor architecture[J]. Intel Whitepaper, 2006,1(1): 2-10.
[18]	BERNSTEIN D J , BREITNER J , GENKIN D ,et al. Sliding right into disaster:left-to-right sliding windows leak[C]// International Conference on Cryptographic Hardware and Embedded Systems. Berlin:Springer, 2017: 555-576.
[19]	LOU X X , ZHANG T W , JIANG J ,et al. A survey of microarchitectural side-channel vulnerabilities,attacks,and defenses in cryptography[J]. ACM Computing Surveys, 2022,54(6): 1-37.
[20]	XIONG W J , SZEFER J . Leaking information through cache LRU states[C]// Proceedings of 2020 IEEE International Symposium on High Performance Computer Architecture. Piscataway:IEEE Press, 2020: 139-152.
[21]	SCHAIK S V , MINKIN M , KWONG A ,et al. CacheOut:leaking data on Intel CPUs via cache evictions[C]// Proceedings of 2021 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2021: 339-354.
[22]	PURNAL A , GINER L , GRUSS D ,et al. Systematic analysis of randomization-based protected cache architectures[C]// Proceedings of 2021 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2021: 987-1002.
[23]	YAN M , FLETCHER C W , TORRELLAS J . Cache telepathy:leveraging shared resource attacks to learn {DNN} architectures[C]// Proceedings of 29th USENIX Security Symposium. Berkeley:USENIX Association, 2020: 2003-2020.
[24]	ABRAMSON J M , AKKARY H , GLEW A F ,et al. Method and apparatus for performing a store operation:US6378062[P].[2002-04-23].
[25]	ABRAMSON J M , AKKARY H , GLEW A F ,et al. Method and apparatus for dispatching and executing a load operation to memory:US5717882[P].[1998-02-10].
[26]	BARBERIS E , FRIGO P , MUENCH M ,et al. Branch history injection:on the effectiveness of hardware mitigations against Spectre-v2 attacks[C]// Proceedings of 31st USENIX Security Symposium. Berkeley:USENIX Association, 2022: 971-988.
[27]	OLEKSENKO O , TRACH B , REIHER T ,et al. You shall not bypass:employing data dependencies to prevent bounds check bypass[J]. arXiv Preprint,arXiv:1805.08506, 2018.
[28]	OLEKSENKO O , TRACH B , SILBERSTEIN M ,et al. SpecFuzz:bringing Spectre-type vulnerabilities to the surface[C]// Proceedings of the 29th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2020: 1481-1498.
[29]	WANG G H , CHATTOPADHYAY S , BISWAS A K ,et al. KLEESpectre:detecting information leakage through speculative cache attacks via symbolic execution[J]. ACM Transactions on Software Engineering and Methodology, 2020,29(3): 1-31.
[30]	YU J Y , YAN M J , KHYZHA A ,et al. Speculative taint tracking (STT):a comprehensive protection for speculatively accessed data[J]. IEEE Micro, 2020,40(3): 81-90.
[31]	FUSTOS J , FARSHCHI F , YUN H . SpectreGuard:an efficient data-centric defense mechanism against Spectre attacks[C]// Proceedings of 2019 56th ACM/IEEE Design Automation Conference. Piscataway:IEEE Press, 2019: 1-6.
[32]	KELSEY K , BAI T X , DING C ,et al. Fast track:a software system for speculative program optimization[C]// Proceedings of 2009 International Symposium on Code Generation and Optimization. Piscataway:IEEE Press, 2009: 157-168.
[33]	MCILROY R , SEVCIK J , TEBBI T ,et al. Spectre is here to stay:an analysis of side-channels and speculative execution[J]. arXiv Preprint,arXiv:1902.05178, 2019.
[34]	TARAM M , VENKAT A , TULLSEN D . Context-sensitive fencing:securing speculative execution via microcode customization[C]// Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems. New York:ACM Press, 2019: 395-410.
[35]	WEISSE O , NEAL I , LOUGHLIN K ,et al. NDA:preventing speculative execution attacks at their source[C]// Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture. New York:ACM Press, 2019: 572-586.
[36]	SUN K , BRANCO R , HU K . A new memory type against speculative side channel attacks[J]. Intel-Strategic Offensive Research ＆ Mitigations, 2019,1(1): 2-16.
[37]	AINSWORTH S , JONES T M . MuonTrap:preventing cross-domain Spectre-like attacks by capturing speculative state[C]// Proceedings of 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture. Piscataway:IEEE Press, 2020: 132-144.
[38]	SAILESHWAR G , QURESHI M K . CleanupSpec:an “undo” approach to safe speculation[C]// Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture. New York:ACM Press, 2019: 73-86.
[39]	SCHWARZ M , LIPP M , GRUSS D . JavaScript zero:real JavaScript and zero side-channel attacks[C]// Proceedings 2018 Network and Distributed System Security Symposium. Virginia:the Internet Society, 2018: 1-12.

情况	时间
SL正确触发	1.00
LF正确触发	0.98
LF出错	1.05
SL出错	1.02

硬件	配置
CPU	Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz
系统环境	Windows10
内存	8.00 GB (7.87 GB 可用)

防护方案	防护措施	具体方法
针对TA的防护方案	软件级别防护TA触发	对spectre v1触发：文献[16,26]
	软件级别检测是否存在漏洞	对分支条件进行掩码防护：文献[27]
		模糊测试：文献[28]
		符号执行：文献[29]
	改进微架构设计	对条件分支相关部分的修改：文献[32-33]
		解码阶段的隔离：文献[34]
		修改数据传播的控制策略：文献[35]
		利用污点分析检测泄露：文献[30-31]
		安全内存设计：文献[36]
针对隐蔽信道的防护方案	阻止发送方发送有效信息	InvisiSpec：文献[13]
		Muontrap：文献[37]
		CleanupSpec：文献[38]
	降低信道质量	限制接收方带宽：文献[39]