

## Breaking through walls

How performance optimizations shatter security boundaries

Moritz Lipp Mar 05, 2018—QCon London 2018

IAIK, Graz University of Technology

- Moritz Lipp
- PhD student @ Graz University of Technology
- 🕑 @mlqxyz
- 🔽 mail@mlq.me



NEWS ALERT

#### INTEL REVEALS DESIGN FLAW THAT COULD ALLOW HACKERS TO ACCESS DATA

WASHINGTON,

D.C

WINTER STORM



**NEWS STREAM** 

#### GLOBAL

-

COMPUTER CHIP SCARE The bugs are known as 'Spectre' and 'Meltdown' -

B B C WORLD NEWS )

£:HK\$ 10.58

EURO:£

0.891

- Two major vulnerabilities in processors have been disclosed
- Affecting every CPU vendor and, thus, billions of devices
- Discovered in 2017 by 4 independent teams
- News coverage followed by a lot of panic
- What is this all about and what are the consequences?



- Modern computers are amazingly fast
- Get faster and faster every year
- Smaller and smaller
- Include many clever optimizations to maximize performance
- What are the downsides?



- Safe software infrastructure does not mean safe execution
- Information leaks because of the underlying hardware



- Exploit unintentional information leakage by side-effects
  - Power consumption
  - Execution time
  - CPU cache
  - ...
- Performance optimizations often induce side-channel leakage



- Do not require physical access
- Mounted solely by software
  - native code
  - within the browser

- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- Serves as the interface between hardware and software
- Microarchitecture is an actual implementation of the instruction set
  - Vary in performance, size, costs, ...
  - Intel (Pentium, Sandy Bridge, Skylake, ...)
  - AMD (Athlon, Bobcat, Zen, ...)



- Side-channel attacks on the implementation of an ISA
- Expose internal state of the hardware
  - depending on secret data
  - to infer the secret data

### **Caches and Cache Attacks**





































#### **Memory Access Latency**



- Leak cryptographic keys
- Leak information on co-located virtual machines
- Monitor function calls of other applications
- Break (K)ASLR
- Allow Rowhammer attack in software
- Build covert communication channels



shell@zeroflte:/data/local/tmp \$ ./keyboard\_spy -c 0

Cache Attack Demo

# **Operating Systems 101**

- Kernel is isolated from user space
- This isolation is a combination of hardware and software
- User applications cannot access anything from the kernel
- There is only a well-defined interface called system calls



- Breaks isolation between applications and kernel
- User applications can access kernel addresses
- Entire physical memory is mapped in the kernel



#### (a) Kernelspace



Out-of-order execution and Meltdown

7. Serve with cooked and peeled potatoes







## Wait for an hour



## Wait for an hour

# LATENCY

1. Wash and cut vegetables

2. Pick the basil leaves and set aside

3. Heat 2 tablespoons of oil in a pan

4. Fry vegetables until golden and softened



1. Wash and cut vegetables

### Parallelize

2. Pick the basil leaves and set aside

3. Heat 2 tablespoons of oil in a pan

4. Fry vegetables until golden and softened





- Instructions are fetched and decoded in the front-end
- Instructions are dispatched to the backend
- Instructions are processed by individual execution units



- Instructions are executed out-of-order
- Instructions wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions
- Instructions retire in-order
  - State becomes architecturally visible

Ê

- If an application reads memory, ...
  - ... permissions are checked
  - ... data is loaded
- If an application tries to read inaccessible memory, ...
  - ... an error occurs
  - ... application is stopped
- But what does the CPU really do?

#### Let's try to read kernel memory



• Find something human readable, e.g., the Linux version

# sudo grep linux\_banner /proc/kallsyms
ffffffff81a000e0 R linux\_banner



#### • Compile and run



segfault at ffffffff81a000e0 ip 0000000000400535
sp 00007ffce4a80610 error 5 in reader

#### • Compile and run



segfault at ffffffff81a000e0 ip 0000000000400535 sp 00007ffce4a80610 error 5 in reader

• Kernel addresses are of course not accessible

#### • Compile and run



segfault at ffffffff81a000e0 ip 0000000000000535 sp 00007ffce4a80610 error 5 in reader

- Kernel addresses are of course not accessible
- $\bullet$  Any invalid access throws an exception  $\rightarrow$  segmentation fault



• Just catch the segmentation fault!



- Just catch the segmentation fault!
- We can simply install a signal handler



- Just catch the segmentation fault!
- We can simply install a signal handler
- And if an exception occurs, just jump back and continue



- Just catch the segmentation fault!
- We can simply install a signal handler
- And if an exception occurs, just jump back and continue
- Then we can read the value



- Just catch the segmentation fault!
- We can simply install a signal handler
- And if an exception occurs, just jump back and continue
- Then we can read the value
- Sounds like a good idea



• Still no kernel memory



- Still no kernel memory
- Maybe it is not that straight forward



- Still no kernel memory
- Maybe it is not that straight forward
- Privilege checks seem to work



- Still no kernel memory
- Maybe it is not that straight forward
- Privilege checks seem to work
- Are privilege checks also done when executing instructions out of order?



- Still no kernel memory
- Maybe it is not that straight forward
- Privilege checks seem to work
- Are privilege checks also done when executing instructions out of order?
- Problem: out-of-order instructions are not visible

#### **Building the Code**

• Adapted code

```
*(volatile char*) 0;
array[0] = 0;
```



#### **Building the Code**

• Adapted code

```
*(volatile char*) 0;
array[0] = 0;
```

• volatile because compiler was not happy

```
warning: statement with no effect [-Wunused-
value]
 * (char*) 0;
```





#### **Building the Code**

• Adapted code

```
*(volatile char*) 0;
array[0] = 0;
```

• volatile because compiler was not happy

```
warning: statement with no effect [-Wunused-
value]
     *(char*) 0;
```

• Static code analyzer is still not happy





















• Out-of-order instructions leave microarchitectural traces



- Out-of-order instructions leave microarchitectural traces
- We can see them for example in the cache



- Out-of-order instructions leave microarchitectural traces
- We can see them for example in the cache
- Give such instructions a name: transient instructions



- Out-of-order instructions leave microarchitectural traces
- We can see them for example in the cache
- Give such instructions a name: transient instructions
- We can indirectly observe the execution of transient instructions

• Maybe there is no permission check in transient instructions...











- Maybe there is no permission check in transient instructions...
- ...or it is only done when commiting them
- Add another layer of indirection to test



- Maybe there is no permission check in transient instructions...
- ...or it is only done when commiting them
- Add another layer of indirection to test

• Then check whether any part of array is cached







• Index of cache hit reveals data







- Index of cache hit reveals data
- Permission check is in some cases not fast enough



• Using out-of-order execution, we can read data at any address

# **Building Meltdown**



- Using out-of-order execution, we can read data at any address
- Privilege checks are sometimes too slow

# **Building Meltdown**



- Using out-of-order execution, we can read data at any address
- Privilege checks are sometimes too slow
- Allows to leak kernel memory

# **Building Meltdown**



- Using out-of-order execution, we can read data at any address
- Privilege checks are sometimes too slow
- Allows to leak kernel memory
- Entire physical memory is typically also accessible in kernel address space

| pwd                     | × |
|-------------------------|---|
| Unlock Password Manager |   |
| Unloc                   | k |

|      |       |       |         | Terminal | ×    |  |
|------|-------|-------|---------|----------|------|--|
| File | Edit  | View  | Search  | Terminal | Help |  |
| msch | warz@ | lab06 | :~/Docu | uments\$ |      |  |

| used with autho  | 6f | 68 | 74 | 75 | 61 | 20 | 68 | 74 | 69 | 77 | 20 | 64 | 65 | 73 | 75 | 20 | e01d8130: |
|------------------|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|-----------|
| rization from. S | 53 | 20 | 0a | 6d | 6f | 72 | 66 | 20 | 6e | 6f | 69 | 74 | 61 | 7a | 69 | 72 | e01d8140: |
| ilicon Graphics, | 2c | 73 | 63 | 69 | 68 | 70 | 61 | 72 | 47 | 20 | 6e | 6f | 63 | 69 | 6c | 69 | e01d8150: |
| Inc. However,    | 20 | 2c | 72 | 65 | 76 | 65 | 77 | 6f | 48 | 20 | 20 | 2e | 63 | 6e | 49 | 20 | e01d8160: |
| the authors make | 65 | 6b | 61 | 6d | 20 | 73 | 72 | 6f | 68 | 74 | 75 | 61 | 20 | 65 | 68 | 74 | e01d8170: |
| no claim that M  | 4d | 20 | 74 | 61 | 68 | 74 | 20 | 6d | 69 | 61 | 6c | 63 | 20 | 6f | 6e | 20 | e01d8180: |
| esa. is in any w | 77 | 20 | 79 | 6e | 61 | 20 | 6e | 69 | 20 | 73 | 69 | 20 | 0a | 61 | 73 | 65 | e01d8190: |
| ay a compatible  | 20 | 65 | 6c | 62 | 69 | 74 | 61 | 70 | 6d | 6f | 63 | 20 | 61 | 20 | 79 | 61 | e01d81a0: |
| replacement for  | 20 | 72 | 6f | 66 | 20 | 74 | 6e | 65 | 6d | 65 | 63 | 61 | 6c | 70 | 65 | 72 | e01d81b0: |
| OpenGL or associ | 69 | 63 | 6f | 73 | 73 | 61 | 20 | 72 | 6f | 20 | 4c | 47 | 6e | 65 | 70 | 4f | e01d81c0: |
| ated with. Silic | 63 | 69 | 6c | 69 | 53 | 20 | 0a | 68 | 74 | 69 | 77 | 20 | 64 | 65 | 74 | 61 | e01d81d0: |
| on Graphics, Inc | 63 | 6e | 49 | 20 | 2c | 73 | 63 | 69 | 68 | 70 | 61 | 72 | 47 | 20 | 6e | 6f | e01d81e0: |
| This versi       | 69 | 73 | 72 | 65 | 76 | 20 | 73 | 69 | 68 | 54 | 20 | 0a | 2e | 20 | 0a | 2e | e01d81f0: |
| on of Mesa provi | 69 | 76 | 6f | 72 | 70 | 20 | 61 | 73 | 65 | 4d | 20 | 66 | 6f | 20 | 6e | 6f | e01d8200: |
| des GLX and DRI  | 20 | 49 | 52 | 44 | 20 | 64 | 6e | 61 | 20 | 58 | 4c | 47 | 20 | 73 | 65 | 64 | e01d8210: |
| capabilities: it | 74 | 69 | 20 | 3a | 73 | 65 | 69 | 74 | 69 | 6c | 69 | 62 | 61 | 70 | 61 | 63 | e01d8220: |
| is capable of.   | 20 | 0a | 66 | 6f | 20 | 65 | 6c | 62 | 61 | 70 | 61 | 63 | 20 | 73 | 69 | 20 | e01d8230: |
| both direct and  | 20 | 64 | 6e | 61 | 20 | 74 | 63 | 65 | 72 | 69 | 64 | 20 | 68 | 74 | 6f | 62 | e01d8240: |
| indirect renderi | 69 | 72 | 65 | 64 | 6e | 65 | 72 | 20 | 74 | 63 | 65 | 72 | 69 | 64 | 6e | 69 | e01d8250: |
| ng. For direct   | 20 | 74 | 63 | 65 | 72 | 69 | 64 | 20 | 72 | 6f | 46 | 20 | 20 | 2e | 67 | 6e | e01d8260: |
| rendering, it ca | 61 | 63 | 20 | 74 | 69 | 20 | 2c | 67 | 6e | 69 | 72 | 65 | 64 | 6e | 65 | 72 | e01d8270: |
| n use DRI. modul | 6c | 75 | 64 | 6f | 6d | 20 | 0a | 49 | 52 | 44 | 20 | 65 | 73 | 75 | 20 | 6e | e01d8280: |
| es from the libg | 67 | 62 | 69 | 6c | 20 | 65 | 68 | 74 | 20 | 6d | 6f | 72 | 66 | 20 | 73 | 65 | e01d8290: |
|                  |    |    |    |    |    |    |    |    |    |    |    |    |    |    |    |    |           |

# Can we fix that?

• Kernel addresses in user space are a problem

- Kernel addresses in user space are a problem
- Why don't we take the kernel addresses...





• ...and remove them if not needed?



- ...and remove them if not needed?
- User accessible check in hardware is not reliable



• Let's just unmap the kernel in user space



- Let's just unmap the kernel in user space
- Kernel addresses are then no longer present



- Let's just unmap the kernel in user space
- Kernel addresses are then no longer present
- Memory which is not mapped cannot be accessed at all





• We published KAISER in July 2017



- We published KAISER in July 2017
- Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation)



## Kernel Address Space Isolation





- Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation)
- Microsoft implemented similar concept in Windows 10

## Kernel Address Space Isolation





- Microsoft implemented similar concept in Windows 10
- Apple implemented it in macOS 10.13.2 and called it "Double Map"



## Kernel Address Space Isolation



- We published KAISER in July 2017
- Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation)
- Microsoft implemented similar concept in Windows 10
- Apple implemented it in macOS 10.13.2 and called it "Double Map"
- All share the same idea: switching address spaces on context switch



• Depends on how often you need to switch between kernel and user space



- Depends on how often you need to switch between kernel and user space
- Can be slow, 40% or more on old hardware



- Depends on how often you need to switch between kernel and user space
  - Can be slow, 40% or more on old hardware
  - But modern CPUs have additional features



- Depends on how often you need to switch between kernel and user space
  - Can be slow, 40% or more on old hardware
  - But modern CPUs have additional features
- $\Rightarrow$  Performance overhead on average below 2%

### **Speculative Execution and Spectre**





## Procsciutto



# Funghi













### **Speculative Cooking**

















- CPU tries to predict the future (branch predictor), ...
  - ... based on events learned in the past
- Speculative execution of instructions
- If the prediction was correct, ...
  - ... very fast
  - otherwise: Discard results
- Measurable side-effects?

index = 0;



Moritz Lipp — IAIK, Graz University of Technology

40







index = 1;

char\* data = "textKEY";



Moritz Lipp — IAIK, Graz University of Technology

40







index = 2;



Moritz Lipp — IAIK, Graz University of Technology

40







index = 3;

char\* data = "textKEY";



Moritz Lipp — IAIK, Graz University of Technology

40







index = 4;



Moritz Lipp — IAIK, Graz University of Technology

40







index = 5;



Moritz Lipp — IAIK, Graz University of Technology

40







index = 6;



Moritz Lipp — IAIK, Graz University of Technology

40











































- We can influence the CPU to mispredict the future
- CPU speculatively executes code that should never be executed
- Read own memory (e.g., sandbox escape)



- We can influence the CPU to mispredict the future
- CPU speculatively executes code that should never be executed
- Read own memory (e.g., sandbox escape)
- "Convince" other programs to reveal their secrets



- We can influence the CPU to mispredict the future
- CPU speculatively executes code that should never be executed
- Read own memory (e.g., sandbox escape)
- "Convince" other programs to reveal their secrets
- Again, a cache attack (Flush+Reload) is used to read the secret



- We can influence the CPU to mispredict the future
- CPU speculatively executes code that should never be executed
- Read own memory (e.g., sandbox escape)
- "Convince" other programs to reveal their secrets
- Again, a cache attack (Flush+Reload) is used to read the secret
- Much harder to fix, KAISER does not help



- We can influence the CPU to mispredict the future
- CPU speculatively executes code that should never be executed
- Read own memory (e.g., sandbox escape)
- "Convince" other programs to reveal their secrets
- Again, a cache attack (Flush+Reload) is used to read the secret
- Much harder to fix, KAISER does not help
- Ongoing effort to patch via microcode update and compiler extensions

# Can we fix that?



• Trivial approach: disable speculative execution



- Trivial approach: disable speculative execution
- No wrong speculation if there is no speculation



- Trivial approach: disable speculative execution
- No wrong speculation if there is no speculation
- Problem: Massive performance hit!



- Trivial approach: disable speculative execution
- No wrong speculation if there is no speculation
- Problem: Massive performance hit!
- Also: How to disable it?



- Trivial approach: disable speculative execution
- No wrong speculation if there is no speculation
- Problem: Massive performance hit!
- Also: How to disable it?
- Speculative execution is deeply integrated into CPU

# **Spectre Variant 1 Mitigations**



# **Spectre Variant 1 Mitigations**



• Workaround: insert instructions stopping speculation

# Spectre Variant 1 Mitigations



- Workaround: insert instructions stopping speculation
- $\rightarrow\,$  insert after every bounds check



- Workaround: insert instructions stopping speculation
- $\rightarrow\,$  insert after every bounds check
  - x86: LFENCE, ARM: CSDB



- Workaround: insert instructions stopping speculation
- $\rightarrow\,$  insert after every bounds check
  - x86: LFENCE, ARM: CSDB
  - Available on all Intel CPUs, retrofitted to existing ARMv7 and ARMv8



• Speculation barrier requires compiler supported



- Speculation barrier requires compiler supported
- Already implemented in GCC, LLVM, and MSVC



- Speculation barrier requires compiler supported
- Already implemented in GCC, LLVM, and MSVC
- Can be automated (MSVC)  $\rightarrow$  not really reliable



- Speculation barrier requires compiler supported
- Already implemented in GCC, LLVM, and MSVC
- Can be automated (MSVC)  $\rightarrow$  not really reliable
- Explicit use by programmer:

\_\_builtin\_load\_no\_speculate



```
// Unprotected
int array[N];
int get value(unsigned int n) {
  int tmp;
  if (n < N) {
   tmp = array[n]
  } else {
    tmp = FAIL:
  }
  return tmp;
```

```
// Protected
int array[N];
int get value(unsigned int n) {
 int *lower = array;
  int *ptr = array + n;
  int *upper = array + N;
  return
   builtin load no speculate
   (ptr, lower, upper, FAIL);
```



• Speculation barrier works if affected code constructs are known



- Speculation barrier works if affected code constructs are known
- Programmer has to fully understand vulnerability



- Speculation barrier works if affected code constructs are known
- Programmer has to fully understand vulnerability
- Automatic detection is not reliable



- Speculation barrier works if affected code constructs are known
- Programmer has to fully understand vulnerability
- Automatic detection is not reliable
- Non-negligible performance overhead of barriers

• Indirect Branch Restricted Speculation (IBRS):

୦-I-୦-I-୦ I-୦-I-୦-I ୦-I-୦-I-୦ I-୦-I-୦-I

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode

୦-I-୦-I-୦ I-୦-I-୦-I ୦-I-୦-I-୦ I-୦-I-୦-I

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode
  - $\rightarrow\,$  lesser privileged code cannot influence predictions

୦-I-୦-I-୦ I-୦-I-୦-I ୦-I-୦-I-୦ I-୦-I-୦-I

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode
  - $\rightarrow\,$  lesser privileged code cannot influence predictions
- Indirect Branch Predictor Barrier (IBPB):

0-1-0-1-0 1-0-1-0-1 0-1-0-1-0 1-0-1-0-1

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode
  - $\rightarrow\,$  lesser privileged code cannot influence predictions
- Indirect Branch Predictor Barrier (IBPB):
  - Flush branch-target buffer

୦-I-୦-I-୦ I-୦-I-୦-I ୦-I-୦-I-୦ I-୦-I-୦-I

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode
  - $\rightarrow\,$  lesser privileged code cannot influence predictions
- Indirect Branch Predictor Barrier (IBPB):
  - Flush branch-target buffer
- Single Thread Indirect Branch Predictors (STIBP):

0-1-0-1-0 1-0-1-0-1 0-1-0-1-0 1-0-1-0-1

- Indirect Branch Restricted Speculation (IBRS):
  - Do not speculate based on anything before entering IBRS mode
  - $\rightarrow\,$  lesser privileged code cannot influence predictions
- Indirect Branch Predictor Barrier (IBPB):
  - Flush branch-target buffer
- Single Thread Indirect Branch Predictors (STIBP):
  - Isolates branch prediction state between two hyperthreads

0-1-0-1-0 1-0-1-0-1 0-1-0-1-0 1-0-1-0-1

# Spectre Variant 2 Mitigations (Software)

```
push <call_target>
call 1f
2: ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

 $\rightarrow\,$  always predict to enter an endless loop

```
push <call_target>
call 1f
2:  ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

- $\rightarrow\,$  always predict to enter an endless loop
  - instead of the correct (or wrong) target function

```
push <call_target>
call 1f
2: ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

- $\rightarrow\,$  always predict to enter an endless loop
  - instead of the correct (or wrong) target function  $\rightarrow$  performance?

```
push <call_target>
call 1f
2:  ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

- $\rightarrow\,$  always predict to enter an endless loop
  - instead of the correct (or wrong) target function  $\rightarrow$  performance?
  - On Broadwell or newer:

```
push <call_target>
call 1f
2:  ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

- $\rightarrow\,$  always predict to enter an endless loop
  - instead of the correct (or wrong) target function  $\rightarrow$  performance?
  - On Broadwell or newer:
    - ret may fall-back to the BTB for prediction

```
push <call_target>
call 1f
2: ; speculation will continue here
lfence ; speculation barrier
jmp 2b ; endless loop
1:
lea 8(%rsp), %rsp ; restore stack pointer
ret ; the actual call to <call_target>
```

- $\rightarrow\,$  always predict to enter an endless loop
  - instead of the correct (or wrong) target function  $\rightarrow$  performance?
  - On Broadwell or newer:
    - ret may fall-back to the BTB for prediction  $\rightarrow$  microcode patches to prevent that



• ARM provides hardened Linux kernel



- ARM provides hardened Linux kernel
- Clears branch-predictor state on context switch



- ARM provides hardened Linux kernel
- Clears branch-predictor state on context switch
- Either via instruction (BPIALL)...



- ARM provides hardened Linux kernel
- Clears branch-predictor state on context switch
- Either via instruction (BPIALL)...
- ...or workaround (disable/enable MMU)



- ARM provides hardened Linux kernel
- Clears branch-predictor state on context switch
- Either via instruction (BPIALL)...
- ...or workaround (disable/enable MMU)
- Non-negligible performance overhead ( $\approx$  200-300 ns)

• Prevent access to high-resolution timer



- Prevent access to high-resolution timer
- $\rightarrow~{\rm Own}$  timer using timing thread



رژل کو

- Prevent access to high-resolution timer
- $\rightarrow~{\rm Own}$  timer using timing thread
- Flush instruction only privileged

«Ոີ 

- Prevent access to high-resolution timer
- $\rightarrow~$  Own timer using timing thread
- Flush instruction only privileged
- $\rightarrow\,$  Cache eviction through memory accesses



- Prevent access to high-resolution timer
- $\rightarrow~$  Own timer using timing thread
- Flush instruction only privileged
- $\rightarrow\,$  Cache eviction through memory accesses
  - Just move secrets into secure world



- Prevent access to high-resolution timer
- $\rightarrow~$  Own timer using timing thread
- Flush instruction only privileged
- $\rightarrow\,$  Cache eviction through memory accesses
  - Just move secrets into secure world
- $\rightarrow\,$  Spectre works on secure enclaves

## What to do now?





• attacks on crypto



 $\bullet$  attacks on crypto  $\rightarrow$  "software should be fixed"



- $\bullet$  attacks on crypto  $\rightarrow$  "software should be fixed"
- attacks on ASLR



- attacks on crypto  $\rightarrow$  "software should be fixed"
- attacks on ASLR  $\rightarrow$  "ASLR is broken anyway"



- attacks on crypto  $\rightarrow$  "software should be fixed"
- $\bullet$  attacks on ASLR  $\rightarrow$  "ASLR is broken anyway"
- attacks on SGX and TrustZone



- $\bullet$  attacks on crypto  $\rightarrow$  "software should be fixed"
- $\bullet$  attacks on ASLR  $\rightarrow$  "ASLR is broken anyway"
- attacks on SGX and TrustZone  $\rightarrow$  "not part of the threat model"



- $\bullet$  attacks on crypto  $\rightarrow$  "software should be fixed"
- attacks on ASLR  $\rightarrow$  "ASLR is broken anyway"
- attacks on SGX and TrustZone  $\rightarrow$  "not part of the threat model"
- $\rightarrow$  for years we solely optimized for performance



After learning about a side channel you realize:



After learning about a side channel you realize:

• the side channels were documented in the Intel manual



After learning about a side channel you realize:

- the side channels were documented in the Intel manual
- only now we understand the implications



## A unique chance to

- rethink processor design
- grow up, like other fields (car industry, construction industry)
- find good trade-offs between security and performance

## Conclusion



- Underestimated microarchitectural attacks for a long time
- Meltdown and Spectre exploit performance optimizations
  - Allow to leak arbitrary memory
- Countermeasures come with a performance impact
- Find trade-offs between security and performance



## Breaking through walls

How performance optimizations shatter security boundaries

Moritz Lipp Mar 05, 2018—QCon London 2018

IAIK, Graz University of Technology