Brief Overview on Meltdown and Spectre
Daniel Gruss
January 25, 2018
Graz University of Technology
(transcript of the slides)

Whoami
• Daniel Gruss
• Post-Doc @ Graz University of Technology
• Twitter: @lavados
• Email: [email protected]

Software-based Side-Channel Attacks
• security and privacy rely on secrets (unknown to attackers)
• secrets can leak through side channels
• software-based → no physical access

The Core of Meltdown/Spectre
• Kernel is isolated from user space
• This isolation is a combination of hardware and software
• User applications cannot access anything from the kernel
• There is only a well-defined interface → syscalls
[Figure: Userspace (Applications) | Kernelspace (Operating System, Memory)]

CPU Cache
    printf("%d", i);    first execution: cache miss; the cache requests i from DRAM and receives the response (DRAM access, slow)
    printf("%d", i);    second execution: cache hit; no DRAM access, much faster

Flush+Reload
Attacker and victim share memory.
• Attacker: flush the shared memory from the cache
• Victim: accesses the shared memory (or not); an access brings it back into the cache
• Attacker: access the shared memory again and time it: fast if victim accessed data, slow otherwise

Memory Access Latency
[Figure: memory access latency]

Cache Template Attack Demo

Cache Template
[Figure: cache template matrix, rows = Address, columns = Key (g to z); shaded cells are the addresses on which cache hits are observed while that key is pressed]

Out-of-order Execution
    #include <math.h>
    #include <stdio.h>

    int main(void) {
        int width = 10, height = 5;

        float diagonal = sqrt(width * width
                              + height * height);
        int area = width * height;

        printf("Area %d x %d = %d\n", width, height, area);
        return 0;
    }
Slide annotations: "Parallelize" on the sqrt and the area computation, which do not depend on each other; "Dependency" where printf needs area.

Building the Code
• Out-of-order instructions leave microarchitectural traces
• We can see them for example in the cache
• Give such instructions a name: transient instructions
• We can indirectly observe the execution of transient instructions

Building the Code
• Maybe there is no permission check in transient instructions...
• ...or it is only done when committing them
• Add another layer of indirection to test
    char data = *(char*)0xffffffff81a000e0;
    array[data * 4096] = 0;
• Then check whether any part of array is cached

Building the Code
• Flush+Reload over all pages of the array
[Figure: access time [cycles] (300 to 500) per page (0 to 250); one page stands out with a fast access]
• Index of cache hit reveals data
• Permission check is in some cases not fast enough

Demo: Spying on passwords

Demo: Leaking a picture like in CSI Cyber

Demo: Leaking a photo

Leaking Passwords from your Password Manager
[Figure: screenshot of the password-manager demo]

How to stop a Meltdown?
• Kernel addresses in user space are a problem
• Let's just unmap the kernel in user space
• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all

KAISER Patch
Today's operating systems: shared address space
[Figure: one address space from 0 to −1 holding both user memory and kernel memory; a context switch stays within it]
Stronger kernel isolation:
[Figure: a user address space (0 to −1: user memory mapped, kernel not mapped) and a separate kernel address space (0 to −1: user part not mapped, kernel memory mapped); on a context switch the interrupt dispatcher switches the address space]

Kernel Address Space Isolation
• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation)
• Microsoft implemented a similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it "Double Map"
• All share the same idea: switching address spaces on context switch
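A defender's check for the mitigation described above, as an added example that is not part of the slides: on Linux the kernel reports the Meltdown status in /sys/devices/system/cpu/vulnerabilities/meltdown ("Mitigation: PTI" when KPTI is active) and lists "pti" among the CPU flags in /proc/cpuinfo. The parsing functions below are ours; the sample cpuinfo fragments are constructed, not captured from a real host.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Status reported by /sys/devices/system/cpu/vulnerabilities/meltdown. */
enum meltdown_status { MD_UNKNOWN, MD_NOT_AFFECTED, MD_MITIGATED, MD_VULNERABLE };

/* The sysfs file holds one line: "Not affected", "Vulnerable" or
 * "Mitigation: <name>"; with KPTI active the kernel prints "Mitigation: PTI". */
enum meltdown_status classify_meltdown_line(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return MD_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MD_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MD_VULNERABLE;
    return MD_UNKNOWN;
}

/* Whole-token search in s[0..len): "pti" must match a complete flag name,
 * never a substring of a longer one. */
static int has_token(const char *s, size_t len, const char *tok)
{
    size_t tl = strlen(tok), i = 0;
    while (i < len) {
        while (i < len && isspace((unsigned char)s[i])) i++;
        size_t start = i;
        while (i < len && !isspace((unsigned char)s[i])) i++;
        if (i - start == tl && strncmp(s + start, tok, tl) == 0) return 1;
    }
    return 0;
}

/* Scan /proc/cpuinfo text for a "flags" line that lists the given flag.
 * Returns 1 if present, 0 otherwise (including when no flags line exists). */
int cpuinfo_has_flag(const char *cpuinfo, const char *flag)
{
    const char *line = cpuinfo;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 5 && strncmp(line, "flags", 5) == 0 &&
            (isspace((unsigned char)line[5]) || line[5] == ':')) {
            const char *colon = memchr(line, ':', len);
            if (colon)
                return has_token(colon + 1, len - (size_t)(colon + 1 - line), flag);
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Constructed sample /proc/cpuinfo fragments (not captured from a real host). */
static const char SAMPLE_CPUINFO_PTI[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 pti ssbd\n";
static const char SAMPLE_CPUINFO_NO_PTI[] =
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 ssbd\n";

int main(void)
{
    static const char *names[] = { "unknown", "not affected", "mitigated", "vulnerable" };
    static char cpuinfo[1 << 16];   /* the flags line of CPU 0 is near the top */
    char line[128];
    FILE *f;

    f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    if (f && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        printf("sysfs meltdown status: %s (\"%s\")\n",
               names[classify_meltdown_line(line)], line);
    } else {
        puts("sysfs meltdown status: not available (not Linux, or kernel without the interface)");
    }
    if (f) fclose(f);

    f = fopen("/proc/cpuinfo", "r");
    if (f) {
        size_t n = fread(cpuinfo, 1, sizeof cpuinfo - 1, f);
        cpuinfo[n] = '\0';
        fclose(f);
        printf("cpuinfo 'pti' flag: %s\n",
               cpuinfo_has_flag(cpuinfo, "pti") ? "present (KPTI active)" : "absent");
    }
    /* Self-check of the parser on the constructed samples. */
    printf("sample with pti: %d, sample without: %d\n",
           cpuinfo_has_flag(SAMPLE_CPUINFO_PTI, "pti"),
           cpuinfo_has_flag(SAMPLE_CPUINFO_NO_PTI, "pti"));
    return 0;
}
```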

Performance
• Depends on how often you need to switch between kernel and user space
• Can be slow, 40% or more on old hardware
• But modern CPUs have additional features
• ⇒ Performance overhead on average below 2%

Meltdown and Spectre
[Figure: the Meltdown and Spectre logos]
![Page 62: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/62.jpg)
Spectre (variant 1) www.tugraz.at
char* data = "textKEY";
index = 0;
if (index < 4)
    then: LUT[data[index] * 4096]
    else:
[Animation: index steps from 0 to 6 through the bounds check; each step shows the branch Prediction, then Speculate, then Execute]
24 Daniel Gruss — Graz University of Technology
![Page 90: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/90.jpg)
Spectre (variant 2) www.tugraz.at
Animal* a = bird;
a->move()
    Prediction: fly()  → LUT[data[index] * 4096]
                swim()
[Animation: a is first bird, later fish; each step shows the indirect-branch Prediction, then Speculate, then Execute]
25 Daniel Gruss — Graz University of Technology
![Page 102: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/102.jpg)
Spectre www.tugraz.at
• Read own memory (e.g., sandbox escape)
• “Convince” other programs to reveal their secrets
• Again, a cache attack (Flush+Reload) is used to read the secret
• Much harder to fix, KAISER does not help
• Ongoing effort to patch via microcode update and compiler extensions
26 Daniel Gruss — Graz University of Technology
![Page 107: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/107.jpg)
Spectre Variant 1 Mitigations www.tugraz.at
• LFENCE
→ speculation barrier to insert after every bounds check
• implemented as a compiler extension
27 Daniel Gruss — Graz University of Technology
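The bounds-checked lookup from the variant 1 slide beside the LFENCE mitigation, as an added C example that is not code from the slides or from the author. `index_nospec` goes beyond the slides and follows the branchless masking approach of Linux's `array_index_nospec`; the `lut` contents, `public_len`, `STRIDE` and the non-x86 fallback barrier are assumptions.

```c
/* Added example, not code from the slides: the bounds-checked lookup of the
 * "Spectre (variant 1)" slide, first as written and then with the LFENCE
 * speculation barrier from the mitigation slide. index_nospec() goes beyond
 * the slides and follows the branchless masking idea of Linux's
 * array_index_nospec. Everything below is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed data, as on the slide: 4 public bytes followed by the "KEY"
 * bytes that the bounds check is meant to keep unreachable. */
static const char data[] = "textKEY";
static const size_t public_len = 4;

/* One 4096-byte stride per possible byte value, as in LUT[data[index] * 4096]
 * on the slide. A secret-dependent access at this stride is what the
 * barrier must keep from happening speculatively. */
#define STRIDE 4096
static uint8_t lut[256 * STRIDE];
static int lut_ready = 0;

/* Fill the LUT so that a lookup returns the byte it was indexed with
 * (constructed content so results can be checked). */
static void lut_init(void) {
    for (int v = 0; v < 256; v++)
        lut[v * STRIDE] = (uint8_t)v;
    lut_ready = 1;
}

/* Speculation barrier: LFENCE on x86 as the slide names it; on other
 * targets only a compiler barrier is used (assumption for portability). */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* The slide's pattern. Architecturally correct: an out-of-bounds index
 * returns 0. Speculatively, a predictor trained on in-bounds indices lets
 * the CPU run the then-branch with index >= public_len before the compare
 * resolves, so the secret-dependent LUT access leaves a cache footprint. */
uint8_t lookup_unprotected(size_t index) {
    if (!lut_ready) lut_init();
    if (index < public_len)
        return lut[(uint8_t)data[index] * STRIDE];
    return 0;
}

/* Mitigation from the slide: a speculation barrier right after the bounds
 * check, so the loads below it only issue once the compare has resolved. */
uint8_t lookup_lfence(size_t index) {
    if (!lut_ready) lut_init();
    if (index < public_len) {
        speculation_barrier();
        return lut[(uint8_t)data[index] * STRIDE];
    }
    return 0;
}

/* Branchless clamp (beyond the slides): returns index when index < size and
 * 0 otherwise, computed with arithmetic only, so even a mispredicted
 * then-branch cannot carry an out-of-bounds index into the load.
 * Valid for size <= SIZE_MAX / 2, which covers any real array. */
size_t index_nospec(size_t index, size_t size) {
    const unsigned bits = sizeof(size_t) * 8;
    /* Top bit is set exactly when index >= size: either index itself is
     * huge, or size - 1 - index wrapped around below zero. */
    size_t oob = (index | (size - 1 - index)) >> (bits - 1);
    size_t mask = oob - (size_t)1;   /* 0 if out of bounds, ~0 otherwise */
    return index & mask;
}

uint8_t lookup_masked(size_t index) {
    if (!lut_ready) lut_init();
    if (index < public_len) {
        index = index_nospec(index, public_len);
        return lut[(uint8_t)data[index] * STRIDE];
    }
    return 0;
}

int main(void) {
    for (size_t i = 0; i < 7; i++)   /* same 0..6 sweep as the animation */
        printf("index %zu: unprotected=%u lfence=%u masked=%u\n", i,
               lookup_unprotected(i), lookup_lfence(i), lookup_masked(i));
    return 0;
}
```

All three lookups return the same values; they differ only in what the CPU may do before the compare resolves, which is why the barrier has to sit inside the then-branch rather than ahead of the if.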
![Page 111: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/111.jpg)
Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
• Indirect Branch Restricted Speculation (IBRS):
• do not speculate based on anything before entering or outside IBRS mode
• Single Thread Indirect Branch Predictors (STIBP):
• do not speculate based on anything the other hyperthread does
• Indirect Branch Predictor Barrier (IBPB):
• flush branch-target buffer
28 Daniel Gruss — Graz University of Technology
![Page 117: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/117.jpg)
Spectre Variant 2 Mitigations (Software) www.tugraz.at
retpoline
    push <call_target>
    call 1f
2:  ; speculation will continue here
    lfence ; speculation barrier
    jmp 2b ; endless loop
1:
    lea 8(%rsp), %rsp ; restore stack pointer
    ret ; the actual call to <call_target>
→ always predict to enter an endless loop
• instead of the correct (or wrong) target function
29 Daniel Gruss — Graz University of Technology
![Page 121: Brief Overview on Meltdown and Spectre - Gruss · 2020. 1. 15. · Daniel Gruss January 25, 2018 Graz University of Technology 1 Daniel Gruss | Graz University of Technology](https://reader036.fdocuments.in/reader036/viewer/2022062416/6111e1b4ac1e822dac3a6ba3/html5/thumbnails/121.jpg)
What do we learn from it? www.tugraz.at
We have ignored software side-channels for many many years:
• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”
→ for years we solely optimized for performance
30 Daniel Gruss — Graz University of Technology
When you read the Intel manuals... www.tugraz.at
After learning about a side channel you realize:
• the side channels were documented in the Intel manual
• only now we understand the implications
31 Daniel Gruss — Graz University of Technology
What do we learn from it? www.tugraz.at
[Chart: Motor Vehicle Deaths in U.S. by Year]
32 Daniel Gruss — Graz University of Technology
What do we learn from it? www.tugraz.at
A unique chance to
• rethink processor design
• grow up, like other fields (car industry, construction industry)
• find good trade-offs between security and performance
33 Daniel Gruss — Graz University of Technology
SCIENCE PASSION TECHNOLOGY
Brief Overview on Meltdown and Spectre
Daniel Gruss
January 25, 2018
Graz University of Technology
34 Daniel Gruss — Graz University of Technology