Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs...
Transcript of Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs...
![Page 1: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/1.jpg)
Hardware-assisted Security: From Trust Anchors to Meltdown of Trust
Ahmad-Reza Sadeghi
Technische Universität Darmstadt &
Intel Collaborative Research Institute for Collaborative & Resilient Autonomous Systems
![Page 2: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/2.jpg)
Historical Overview: Deployed Systems
Cambridge CAP
1970 1980 1990 2000 2010
Reference monitor
Protection rings
VAX/VMS
Java security architecture
Hardware-assisted secure boot
Trusted Platform Module (TPM)
Late launch/TXT
Computer securityMobile securitySmart card security
Mobile hardware security architectures
TI M-ShieldARM TrustZone
Mobile OS security architectures
Mobile Trusted Module (MTM)
Simple smart cards
Java Card platform
TPM 2.0
Intel SGX
GP TEE standards
On-board Credentials
PUFs
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 3: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/3.jpg)
Deployed HW-Assisted Security Technologies
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 4: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/4.jpg)
Deployed HW-Assisted Security Technologies
Fantastic
Sad
Total Disaster
Very Sad
Complicated?
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 5: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/5.jpg)
Historical Overview: Research
On-boardCredentials(ObC)
2000 2004 2008 2012 2018
Sanctum
BastionAEGIS
Trusted ExecutionSecurity Extensions
HAFIX
ObC
HardBound
TrustLite
TyTAN
SMART
Sancus
SAFE
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 6: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/6.jpg)
HW-Assisted Security Technologies: Research
Fantastic
Almost Optimistic
Total Disaster
Sad
Complicated?
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 7: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/7.jpg)
We Need Change of Culture!
![Page 8: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/8.jpg)
Today’s Systems: Attack Surface
Hardware
Software Stack
Operating System
App 1 App 2 App 4App 3
Peripherals CPU I/OHardware
SoftwareStack
Memory
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 9: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/9.jpg)
Goal: Self-Contained Security
Operating System
App 1 App 2 App 4App 3
Hardware
SoftwareStack
Peripherals CPU I/OMemory
• Isolated execution
• Platform integrity
• Secure storage
• Device identification
• Device authentication capabilities
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 10: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/10.jpg)
Intrinsic Security Primitives: The PUF Myth
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 11: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/11.jpg)
Physically Unclonable Functions (PUFs)
Device Hardware Fingerprint(unique intrinsic identifier)
Infeasible to predict
Challenge/response behavior is pseudo-random
Inherently Unclonable
Due to unpredictable randomness during manufacturing of tag
≠
Tamper-evident
Tampering with the PUF hardware changes challenge/response behavior
Physically Unclonable Function(noisy function based on physical properties)
Challenge 𝑐
Response 𝑟
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 12: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/12.jpg)
2001
2002-2004
2006
2007
2008
SELECTED PUFsOptical PUF [P.Ravikanth, 2001]
Arbiter PUF & RO-PUF [Gassend et al., CCS‘02]
Feed-Forward A-PUF[Lee et al., VLSIC’04]
Coating PUF [Tuyls et al., CHES’06]
SRAM PUF [Guajardo et al., CHES’07][Holcomb et al., RFIDSec’07]
Latch PUF[Su et al., ISSCC‘07]
XOR A-PUF[Suh et al., DAC’07]
Lightweight PUF[Majzoobi et al., ICCAD‘08]
Flip-Flop PUF [Kumar et al., WiSec’08]
Butterfly PUF[Su et al., HOST‘08]
2010-2011 Glitch PUF[Anderson et al., ASP-DAC‘10]
2012-2013
2016-now
Bistable Ring PUF[Chen et al., HOST‘11]
Current-based PUF [Majzoobi et al., ISCAS‘11]
Flash PUF[Prabhu et al., ICTTC‘11]
Buskeeper PUF[Simons et al., HOST‘12]
DRAM PUF[Rosenblatt et al., SSC‘13]
Bitline PUF[Holcomb et al., CHES‘14]
MEMS PUF [Willers et al., CCS‘16]
Row Hammer-PUF[Schaller et al., HOST‘17]
Memory-based PUFs
Delay-based PUFs
Other PUFs
Processor-based PUF[Kong et al., DAC’14]
Subthreshold Current PUF[Kalyanaraman et al., HOST‘13]
Current Mirrors PUF[Kumar et al., HOST‘14]
Voltage Transfer PUF[Vijaykumar et al., DATE‘15]
2014-2015
EU UNIQUE Project
MXPUF[Nguyen et al., eprint‘17]
Monte Carlo PUF[Rožić et al., FPT ‘17]
www.unique-project.eu
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 13: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/13.jpg)
Arbiter PUF & RO-PUF [Gassend et al., CCS‘02]
Feed-Forward A-PUF[Lee et al., VLSIC’04]
SRAM PUF [Guajardo et al., CHES’07]
[Holcomb et al., RFIDSec’07]
XOR A-PUF[Suh et al., DAC’07]
Lightweight PUF[Majzoobi et al., ICCAD‘08]
Flip-Flop PUF [Kumar et al., WiSec’08]
DRAM PUF[Rosenblatt et al., SSC‘13]
Row Hammer-PUF[Schaller et al., HOST‘17]
The output determined by the faster pathThe output is based on the state of memory cells after a power cycle
Delay-based PUFsMemory-based PUFs
Power-on /
/
/
1
0
1
/
0
0
0
0
/
0
0
0
/
1
1
1
/
0
1
/
0
0
/
0
0
1
1
0
0
1
1
1
0
PUFs: Main Categories
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 14: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/14.jpg)
Example: Arbiter PUF
Pair of identically designed delay lines
• Ideally both paths have the same delay
• Arbiter determines signal arrives first
• Challenge dependent switches
•Different delay paths by switches
𝑤0𝑢
𝑤0𝑙
Switch
𝑤1𝑢
𝑤1𝑙
𝒄𝟎 = 0𝒄𝟎 = 1
ResponseImpulse1
0
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Challenge
Manufacturing variations affect delay lines
• Either of the two paths will be faster
•One bit response at signal arrival
Arbiter
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 15: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/15.jpg)
How Good are PUFs in Practice?
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 16: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/16.jpg)
Arbiter PUF [Gassend et al., CC‘04]
SRAM PUF [Guajardo et al., CHES’07]
[Holcomb et al., RFIDSec’07]
Delay-based PUFsMemory-based PUFs
Modeling Attacks
[Lee et al., VLSIC’04]
Physical Attacks
[Oren et al., CHES’13][Helfmeier et al., HOST’13]
Linear Behavior!
XOR A-PUF[Suh et al., DAC’07]
Modeling Attacks
[Ruhrmair et al., CCS’10][Becker, CHES’15]
Add non-linear funcions
Memristor A-PUF[Suh et al., DAC’15]
Add non-linear components
Physical Attacks[Merli et al., WESS’11][Tajik et al., CHES’14]
[Rührmair et al., CHES’14]
/
/
/
1
0
1
/
0
0
0
0
/
0
0
0
/
1
1
1
/
0
1
/
0
0
/
0
0
1
1
0
0
1
1
1
0
PUF Security in Practice
![Page 17: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/17.jpg)
2004
2008
SELECTED ATTACKS & ANALYSISML-Modeling Attack (A-PUF)
[Lee et al., VLSIC’04]
ML-Modeling Attack (FF A-PUF) [Majzoobi et al., ITC’08]
2010-2012
ML-Modeling Attack delay-based PUFs [Ruhrmair et al., CCS’10]
2013
2014
Semi-Invasive EM Attack (RO-PUF)[Merli et al., WESS’11]
Rémanence Decay SCA (SRAM PUF)[Oren et al., CHES’13]
Cloning SRAM PUF [Helfmeier et al., HOST’13]
Semi-Invasive Attack on PUFs [Nedospasov et al., FDTC’13]
Noise SCA (A-PUF)[Delvaux et al., HOST’13]
ML-Modeling Attack (Bistable Ring PUF)[Hesselbarth et al., TRUST’14]
Power&Timing SCA (A-PUF)[Rührmair et al., CHES’14]
Photon Emission Analysis (A-PUF)[Tajik et al., CHES’14]
Hybrid Modeling Attacks (Current-based PUF)[Kumar et al., ICCD’14]
PUFs: Myth, Fact or Busted?[Katzenbeisser et al., CHES‘12]
Unified Security Model for PUFs[Armknecht et al., CT-RSA 2016]
Formal Security Model[Armknecht et al., S&P 2011]
Reliability-based ML-Modeling Attack (XOR A-PUF) [Becker, CHES’15]
ML-Modeling Attack (Bistable Ring PUF)[Ganji et al., CHES’16]
ML-Modeling Attack on non-linear PUFs[Vijaykumar et al., HOST’16]
2015-2018
Hammering RH-PUF[Zeitouni et al., DAC’18]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 18: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/18.jpg)
Example: Arbiter PUF
ResponseImpulse1
0
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Challenge
Arbiter
Goal: Recovering the values of the wire delays inside the switch boxes
Modeling Attacks(Machine Learning)
Physical Attacks(Semi-invasive/Side-channel)
CRPs ≈ 102 CRPs ≈ 103 - 106
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 19: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/19.jpg)
Arbiter PUF on a Complex Programmable Logic Device (CPLD): Backside View
Programmable Logic Blocks
Placement of an Arbiter PUF with 8 switches
Upper Path Lower Path
One switch
![Page 20: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/20.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
ResponseImpulse
Challenge
1
0
![Page 21: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/21.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
ResponseImpulse
Challenge
1
0
1 0 0 0 0 0 0 0
![Page 22: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/22.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
ResponseImpulse
Lower path delay 𝑾𝒍 = 𝒕𝟐 − 𝒕𝟎
Upper path delay𝑾𝒖 = 𝒕𝟏 − 𝒕𝟎
Challenge
1
0
𝒕𝟎
𝒕𝟏
𝒕𝟐
1 0 0 0 0 0 0 0
![Page 23: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/23.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
![Page 24: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/24.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
0 0 0 0 0 0 0 0
![Page 25: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/25.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
1 0 0 0 0 0 0 0
![Page 26: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/26.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
![Page 27: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/27.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
Characterize each switch box in the Arbiter PUF by calculating the delay differences for upper and lower paths
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
![Page 28: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/28.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
Characterize each switch box in the Arbiter PUF by calculating the delay differences for upper and lower paths
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
![Page 29: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/29.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
Characterize each switch box in the Arbiter PUF by calculating the delay differences for upper and lower paths
𝒗𝟏 − 𝒗𝟐 = 𝒘𝟏𝒖𝟎 − 𝒘𝟎
𝒖𝟎
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
![Page 30: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/30.jpg)
Physical Attacks: Example: [Tajik et al., CHES’14]
Switch Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Response
Impulse
Lower path delay 𝑊𝑙
Upper path delay 𝑊𝑢
Challenge
1
0
Characterize each switch box in the Arbiter PUF by calculating the delay differences for upper and lower paths
𝒗𝟏 − 𝒗𝟐 = 𝒘𝟏𝒖𝟎 − 𝒘𝟎
𝒖𝟎
𝒖𝟏 − 𝒖𝟐 = 𝑤1𝑙0 − 𝑤0
𝑙0
C 0x00 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
𝑾𝒖
𝑾𝒍
𝒗𝟏
𝒖𝟏
𝒗𝟐
𝒖𝟐
![Page 31: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/31.jpg)
Beyond CMOS-based PUFs
CMOS-based PUFs exhibit linear behavior => vulnerable to machine learning
One Solution: Add components with non-linear behavior to complicate/escape machine learning attacks, e.g.,
Memristors
![Page 32: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/32.jpg)
Memristors ∞
• A resistor that changes it resistance as voltage is applied
• Applications:• Oscillators
• Learners (Neural Networks)
• Memories
• PUFs!
• The top (bottom) figure shows Current-Voltage charcteristics of a memristor (resistor)
VoltageC
urr
ent
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 33: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/33.jpg)
CMOS-based APUF vs. Memristor-based APUF
Arbiter
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Challenge
Response
Impulse1
0
1
0∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
∞
𝒄𝟎 𝒄𝟏 𝒄𝟕𝒄𝟐 𝒄𝟑 𝒄𝟒 𝒄𝟓 𝒄𝟔
Challenge
Impulse
Arbiter
Response
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 34: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/34.jpg)
CMOS-based APUF vs. Memristor-based APUF
CMOS-based Arbiter PUF: Voltage at the upper path
Memristor-based Arbiter PUF: Voltage at the upper path
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 35: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/35.jpg)
Conclusion
• Many PUF designs, no unified security model
• Several successful attacks • Non-destructive physical attacks
• Modeling attacks
• Designing secure PUFs is challenging? • What are the costs?
• PUFs based on advanced memory technologies• E.g., Memristors
![Page 36: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/36.jpg)
Our Current Work: Framework for Evaluation of
Memristor-based PUFs
![Page 37: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/37.jpg)
Framework for Evaluation of Memristor-based PUFs
PUF Circuit Generation
Challenge-Response
Pairs Generation Analysis of PUF
properties: Reproducibility, uniqueness, etc
PUF DescriptionSpice PUF
circuit CRPsSecure/Insecure
PUF
Memristor model
Advanced Machine Learning
![Page 38: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/38.jpg)
Integrated Security Devices: The TPM Promise
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 39: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/39.jpg)
App 4
I/O
Trusted Computing
Operating System
App 1 App 2 App 3
TPMHardware
SoftwareStack
Peripherals CPU Memory
• Authenticated Boot and Attestation
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 40: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/40.jpg)
App 4
I/O
Trusted Computing
Operating System
App 1 App 2 App 3
TPMHardware
SoftwareStack
Peripherals CPU Memory
Operating System
App 4App 1 App 2 App 3
Example: IBM Integrity Measurement Architecture (IMA)
• Authenticated Boot and Attestation
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 41: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/41.jpg)
App 4
I/O
Trusted Computing
Operating System
App 1 App 2 App 3
TPMHardware
SoftwareStack
Peripherals CPU Memory
Runtime attacks (e.g., Code-reuse Attacks)
• Authenticated Boot and Attestation
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 42: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/42.jpg)
Summary: TPM-based Trusted Computing
• Binary hashes express trustworthiness of code • Runtime attacks (e.g., code reuse) undermine this assumption
•Unforgeability of measurements • TPM 1.2 uses deprecated SHA1
• Protection against software attacks only• Hardware attacks on TPM
TPM assumptions and shortcomings
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 43: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/43.jpg)
Our Current Work: Control-Flow Attestation
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 44: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/44.jpg)
Memory
Offline: Control-Flow Graph (CFG) Analysis & Path Measurement
App A
P*x P*2
Online:Runtime
ValidationProcessor
Attestation Engine
HashController
Challenge
P1 P2
LP1
Ongoing Work: Towards Run-time Attestation
• Control Flow Attestation [Davi et al, CCS 2016 & DAC 2017]
Measurement Database
ProverVerifier
Resilient to memory attacks
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 45: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/45.jpg)
Trusted Execution Environment (TEE)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 46: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/46.jpg)
ARM TrustZone
Operating System
App 1 App 2 App 4App 3
Hardware
SoftwareStack
Peripherals CPU I/OMemory
IMEI: International Mobile Equipment Identifier
Assumptions:• Apps in Secure World are trustworthy• Normal World cannot influence Secure World
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 47: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/47.jpg)
ARM TrustZone
Hardware
SoftwareStack
Peripherals CPU I/OMemory
Operating System
App 1 App 2 App 3
Secure World
Tru
stle
t1
Tru
stle
t2
Tru
stle
t3
Operating System
Android• Full-Disk Encryption (FDE)• Samsung KNOX
• Secure-I/O, Attestation• Real-time Kernel
Protection (TIMA)
DRM • Netflix• Spotify• Widevine
• Subsidy Lock• IMEI Protection
IMEI: International Mobile Equipment Identifier
Assumptions:• Apps in Secure World are trustworthy• Normal World cannot influence Secure World
iOS• Device Encryption• Touch ID, Apple Pay
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 48: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/48.jpg)
ARM TrustZone
Hardware
SoftwareStack
Peripherals CPU I/OMemory
Operating System
App 1 App 2 App 3
Secure World
Tru
stle
t1
Tru
stle
t2
Tru
stle
t3
Operating System
IMEI: International Mobile Equipment Identifier
Assumptions:• Apps in Secure World are trustworthy• Normal World cannot influence Secure World
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 49: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/49.jpg)
ARM TrustZone
Hardware
SoftwareStack
Peripherals CPU I/OMemory
Operating System
App 1 App 2 App 3
Secure World
Tru
stle
t1
Tru
stle
t2
Tru
stle
t3
Operating System
Tru
stle
t1
Tru
stle
t2
Tru
stle
t3
Operating System
IMEI: International Mobile Equipment Identifier
• Reflections on trusting TrustZone[Dan Rosenberg, BlackHat US, 2014]
• Attacking your Trusted Core [Di Shen, BlackHat US, 2015]
• Breaking Android Full Disc Encryption [laginimaineb from Project Zero, 2016]
Assumptions:• Apps in Secure World are trustworthy• Normal World cannot influence Secure World
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 50: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/50.jpg)
Summary: ARM TrustZone
•ARM TrustZone – Outdated? • Deployed for almost two decades
• Trusted computing for vendors and friends only• No access for app developer
•Many attacks have been shown over the last years
•On the positive side• Secure I/O
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 51: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/51.jpg)
Our Current Work: “Arbitrary” Number of TEEs in Normal
World on ARM TZ
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 52: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/52.jpg)
Intel Software Guard Extensions (SGX)
Operating System
App 1 App 2 App 4App 3
Hardware
SoftwareStack
Peripherals CPU I/OMemory
Enclave 4Enclave 3Enclave 2Enclave 1
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 53: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/53.jpg)
Intel Software Guard Extensions (SGX)
Operating System
App 1 App 2 App 4App 3
Hardware
SoftwareStack
Peripherals CPU I/OMemory
Enclave 4Enclave 3Enclave 2Enclave 1
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 54: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/54.jpg)
Host Application
Operating System
SGX (Adversary) Model
Application N
NIC DRAMMMUCPU
AttackerEnclave
Isolation
NIC: Network Interface Controller MMU: Memory Management Unit Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 55: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/55.jpg)
Host Application
Host Application
Operating System
SGX (Adversary) Model
Application N
Operating System
NIC DRAMMMUCPU
AttackerEnclave
Isolation
Application N
DRAMNIC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
NIC: Network Interface Controller MMU: Memory Management Unit
![Page 56: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/56.jpg)
Run-time Attacks Inside the Enclave
![Page 57: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/57.jpg)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
Source
SGX
SDK
SGX SDK and The Guard’s Dilemma
App
Enclave
Function 0 Function 1
Function 2 Function 3
Compiler
App Code
Untrusted Runtime System (uRTS)
Trusted Runtime System (tRTS)
App-to-Enclave function call
(ECALL)
[Biondo et al., USENIX Sec. 2018]
![Page 58: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/58.jpg)
App
SGX SDK and The Guard’s Dilemma
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)State
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Biondo et al., USENIX Sec. 2018]
![Page 59: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/59.jpg)
App
SGX SDK and The Guard’s Dilemma
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Biondo et al., USENIX Sec. 2018]
![Page 60: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/60.jpg)
App
SGX SDK and The Guard’s Dilemma
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Biondo et al., USENIX Sec. 2018]
![Page 61: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/61.jpg)
App
SGX SDK and The Guard’s Dilemma
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Counterfeit state
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Biondo et al., USENIX Sec. 2018]
![Page 62: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/62.jpg)
App
SGX SDK and The Guard’s Dilemma
Enclave
Function 0 Function 1
Function 2 Function 3
Trusted Runtime System (tRTS)
Restore State
State
Counterfeit state
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Biondo et al., USENIX Sec. 2018]
![Page 63: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/63.jpg)
Leakage in Intel’s SGX
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 64: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/64.jpg)
Page Fault Attacks on SGX
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
OS
EPCRAM
EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault
Granularity: page 4K, good for big data structures
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 65: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/65.jpg)
Page Fault Attacks on SGX
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
OS
EPCRAM
PTPT
Granularity: page 4K, good for big data structures
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault
![Page 66: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/66.jpg)
Page Fault Attacks on SGX
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
OS
EPCRAM
PTPT PF Handler
IRQ
Granularity: page 4K, good for big data structures
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault
![Page 67: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/67.jpg)
Page Fault Attacks on SGX
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
OS
EPCRAM
PTPT PF Handler
IRQ
Granularity: page 4K, good for big data structures
[Xu et al., IEEE S&P’15]
Original Recovered
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault
![Page 68: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/68.jpg)
Page Fault Attacks on SGX
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
OS
EPCRAM
PTPT PF Handler
IRQ
Granularity: page 4K, good for big data structures
[Xu et al., IEEE S&P’15]
Original Recovered
Single-trace RSA key recovery from RSA key generation procedure of Intel SGX SSL via controlled-channel attack on
the binary Euclidean algorithm (BEA)
[Weiser et al., AsiaCCS’18]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
EPC: Enclave Page Cache PT: Page Tables PF: Page-Fault
![Page 69: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/69.jpg)
Cache Attacks on SGX: Hack in The Box
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
EPCRAM
EPC: Enclave Page Cache
Cache
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 70: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/70.jpg)
Cache Attacks on SGX: Hack in The Box
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
EPCRAM
EPC: Enclave Page Cache
Cache
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 71: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/71.jpg)
Cache Attacks on SGX: Hack in The Box
Enclave 1 Enclave 2 App 1 App 2 App 3
CPU
EPCRAM
EPC: Enclave Page Cache
Cache
ob
serv
e
uses
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 72: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/72.jpg)
Side-Channel Attacks Basics:Prime + Probe
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 73: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/73.jpg)
Cache-based Side-Channel AttacksPrime + Probe
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
t0 t1 t2
for each cline Z
write(Z)
if (keybit[i] == 0)
read(X)
else
read(Y)
For each cline Z
read(Z)
measure_time(read)
Prime Victim Probe
Cac
he
Co
de
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 2
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 74: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/74.jpg)
Cache-based Side-Channel AttacksPrime + Probe
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
t0 t1 t2
for each cline Z
write(Z)
if (keybit[i] == 0)
read(X)
else
read(Y)
For each cline Z
read(Z)
measure_time(read)
Prime Victim Probe
Cac
he
Co
de
cache line 2
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 75: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/75.jpg)
Cache-based Side-Channel AttacksPrime + Probe
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
t0 t1 t2
for each cline Z
write(Z)
if (keybit[i] == 0)
read(X)
else
read(Y)
For each cline Z
read(Z)
measure_time(read)
Prime Victim Probe
Cac
he
Co
de
cache line 2
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 76: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/76.jpg)
Cache-based Side-Channel AttacksPrime + Probe
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
t0 t1 t2
for each cline Z
write(Z)
if (keybit[i] == 0)
read(X)
else
read(Y)
For each cline Z
read(Z)
measure_time(read)
Prime Victim Probe
Cac
he
Co
de
cache line 2
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 77: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/77.jpg)
Cache-based Side-Channel AttacksPrime + Probe
cache line 0cache line 1cache line 2
cache line 4cache line 3
cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
cache line 0cache line 1cache line 2cache line 3cache line 4cache line 5
t0 t1 t2
for each cline Z
write(Z)
if (keybit[i] == 0)
read(X)
else
read(Y)
For each cline Z
read(Z)
measure_time(read)
Prime Victim Probe
Cac
he
Co
de
cache line 2 was used by victim
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 78: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/78.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
cl 2
tm
cl 0cl 1cl 2
Probe
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 79: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/79.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
cl 2
tm
cl 0cl 1cl 2
Probe
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 80: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/80.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
cl 2
tm
cl 0cl 1cl 2
Probe
cl 0
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 81: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/81.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
tm
cl 0cl 1cl 2
Probe
cl 0
cl 2
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 82: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/82.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
tm
cl 0cl 1cl 2
Probe
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 83: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/83.jpg)
cl 0
Side-Channel Attacker Challenge: Noise
• “Classical” scenario: unprivileged attacker
• OS* is not collaborating with the attacker• OS can directly access process memory containing the victim’s secret
• System operates normally, impacting the caches (process scheduling, context switches, interrupts, etc.)
*OS: Operating System and any other privileged system software
cl 0cl 1cl 2
Prime
tk tl tn
cl 0cl 1cl 2
Other Process
cl 0cl 1cl 2
Victim
tm
cl 0cl 1cl 2
Probe
cl0 and cl2 were used…
… by the victim?
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 84: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/84.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS
EPC: Enclave Page Cache SMT: Simultaneous Multithreading Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 85: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/85.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018EPC: Enclave Page Cache SMT: Simultaneous Multithreading
![Page 86: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/86.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS Use CPU internal caches to infer control flow
[Lee et al., Usenix Sec’17] & [arXiv:1611.06952]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018EPC: Enclave Page Cache SMT: Simultaneous Multithreading
![Page 87: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/87.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS Use CPU internal caches to infer control flow
[Lee et al., Usenix Sec’17] & [arXiv:1611.06952]
Use standard prime + probe to detect key dependent memory
accesses, interrupt enclave [Moghimi et al., arXiv:1703.06986]
Use prime + probe to extract key from synchronized victim enclave
[Götzfried et al., EuroSec’17]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018EPC: Enclave Page Cache SMT: Simultaneous Multithreading
![Page 88: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/88.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS Use CPU internal caches to infer control flow
[Lee et al., Usenix Sec’17] & [arXiv:1611.06952]
Use standard prime + probe to detect key dependent memory
accesses, interrupt enclave [Moghimi et al., arXiv:1703.06986]
Use prime + probe to extract key from synchronized victim enclave
[Götzfried et al., EuroSec’17]
A malicious enclave prime + probes another enclave, evading detection
[Schwarz et al., DIMVA’17 & arXiv:1702.08719]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018EPC: Enclave Page Cache SMT: Simultaneous Multithreading
![Page 89: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/89.jpg)
Cache Attacks on SGX
Enclave 1 Enclave 2 App 2 App 3
CPU
EPCRAM
Level 3
CPU CoreLevel 2
Level 1 Branch Pred.SMTSMT
OS Use CPU internal caches to infer control flow
[Lee et al., Usenix Sec’17] & [arXiv:1611.06952]
Use standard prime + probe to detect key dependent memory
accesses, interrupt enclave [Moghimi et al., arXiv:1703.06986]
Use prime + probe to extract key from synchronized victim enclave
[Götzfried et al., EuroSec’17]
A malicious enclave prime + probes another enclave, evading detection
[Schwarz et al., DIMVA’17 & arXiv:1702.08719]
Our attack: prime + probe attack from malicious OS extracting genome data
[Brasser et al., WOOT’17]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018EPC: Enclave Page Cache SMT: Simultaneous Multithreading
![Page 90: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/90.jpg)
SGX Side-Channel Attacks Comparison
Attack TypeObserved
CacheInterrupting
VictimCache Eviction Measurement
Attacker Code
AttackedVictim
Lee et al.Branch
ShadowingBTB / LBR Yes
ExecutionTiming
OSRSA & SVM
classifier
Moghimi et al.Prime + Probe
L1(D) Yes Access timing OS AES
Götzfried et al.Prime + Probe
L1(D) No PCM OS AES
Our AttackPrime + Probe
L1(D) No PCM OSRSA &
Genome Sequencing
Schwarz et al.Prime + Probe
L3 NoCounting Thread
Enclave AES
PCM: Performance Counter Monitor BTB: Branch Target Buffer LBR: Last Branch Record
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 91: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/91.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1
Core 0 Core n
PCM
PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 92: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/92.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1
Core 0 Core n
PCM
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 93: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/93.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1
Core 0 Core n
PCM
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 94: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/94.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1
Core 0 Core n
PCM
Modified Linux scheduler to exclude one core (two threads) from assigning task • Attacker assigns victim enclave to first SMT thread• Attacker assigns Prime+Probe code to second SMT
thread
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 95: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/95.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1AP
ICCore 0 Core n
HandlerHandler Handler Handler
PCM
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 96: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/96.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1AP
ICCore 0 Core n
Handler Handler
PCM
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 97: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/97.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1AP
ICCore 0 Core n
Handler Handler
PCM
Use kernel sysfs interface to assign interruptsto other cores• Timer interrupt (per thread) cannot be reassigned• Lowered timer frequency to 100Hz (i.e., every 10ms)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 98: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/98.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1AP
ICCore 0 Core n
Handler Handler
PCM
Pro
be
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 99: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/99.jpg)
[Brasser et al., WOOT’17]Our Attack
SMTSMT
L1
OS
Pro
cess
1
Pro
cess
2
Vic
tim
Pro
cess
n
Att
acke
r
Pro
cess
m
Pro
cess
m
+1
SMTSMT
L1AP
ICCore 0 Core n
Handler Handler
PCM
Pro
be Prime+Probe attack using L1 data cache
• Eviction detection using Performance Counter Monitor (L1D_REPLACEMENT)
• Anti Side-Channel Interference (ASCI) not effective, monitoring cache events of attacker possible
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018PC
M: P
erfo
rman
ce C
ou
nte
r M
on
ito
rSM
T: S
imu
ltan
eou
s M
ult
ith
read
ing
AP
IC: A
dva
nce
d P
rogr
amm
able
Inte
rru
pt
Co
ntr
olle
r
![Page 100: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/100.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 101: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/101.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 102: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/102.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PC PC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 103: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/103.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 104: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/104.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PC
PC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 105: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/105.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 106: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/106.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 107: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/107.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PC PC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 108: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/108.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 109: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/109.jpg)
Spatial vs. Temporal Resolution
while ( i > 0) {prepare();x = table[secret];
process(x);}
prime() {write_cache();
} wait();
Probe() {test_evic();
}
Cache AttackerVictim Enclave
PCPC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 110: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/110.jpg)
Our Attack Use-Cases
Extracting 2048-bit RSA decryption key
Extracting genome sequences
[arXiv:1702.07521]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 111: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/111.jpg)
Genome Sequencing
Encrypted Genome Sequence
Genome Analysis Enclave (e.g. PRIMEX)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 112: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/112.jpg)
Genome Sequencing
Encrypted Genome Sequence
Pre-processing
• Split input into sub-sequences (k-mer)
• Store k-merpositions in hash-table
Analysis
• Statistical analysis, e.g., to identify correlation in the data
Genome Analysis Enclave (e.g. PRIMEX)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 113: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/113.jpg)
Genome Sequencing
Encrypted Genome Sequence
Pre-processing
• Split input into sub-sequences (k-mer)
• Store k-merpositions in hash-table
Analysis
• Statistical analysis, e.g., to identify correlation in the data
Genome Analysis Enclave (e.g. PRIMEX)
Attacker’s goal: Identify k-mersequences in the input string, allowing
the identification of individuals
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 114: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/114.jpg)
Genome Sequencing
Pre-processing
• Split input into sub-sequences (k-mer)
• Store k-merpositions in hash-table
Analysis
• Statistical analysis, e.g., to identify correlation in the data
Genome Analysis Enclave (e.g. PRIMEX)
ATCGATCGATCG…
Attacker’s goal: Identify k-mersequences in the input string, allowing the identification of
individuals
TTGACCCACTGAATCACGTCTG…
Encrypted Genome Sequence
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 115: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/115.jpg)
Human Genome
• Nucleobases• Adenine (A)
• Cytosine (C)
• Guanine (G)
• Thymine (T)
• Microsatellite• Forensic analysis
• Genetic fingerprinting
• Kinship analysis
TTGACCCACTGAATCACGTCTGACCGCGCGTACGCGGTCACTTGCGGTGCCGTTTTCTTTGTTACCGACGACCGACCAGCGACAGCCACCGCGCGCTCACTGCCACCAAAAGAGTCATATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCATCACAGCCGACCAGTTTCTGGAACGTTCCCGATACTGGAACGGTCCTAATGCAGTATCCCACCCTCCTTCCATCGACGCCAGTCGAATCACGCCGCCAGCCACCGTCCGCCAGCCGGCCAGAATACCGATGACTCGGCGGTCTCGTGTCGGTGCCGGCCTCGCAGCCATTGTACTGGCCCTGGCCGCAGTGTCGGCTGCCGCTCCGATTGCCGGGGCGCAGTCCGCCGGCAGCGGTGCGGTCTCAGTCACCATCGGCGACGTGGACGTCTCGCCTGCGAACCCAACCACGGGCACGCAGGTGTTGATCACCCCGTCGATCAACAACTCCGGATCGGCAAGCGGGTCCGCGCGCGTCAACGAGGTCACGCTGCGCGGCGACGGTCTCCTCGCAACGGAAGACAGCCTGGGG
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 116: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/116.jpg)
…
Hash Table
0
Indexer
AG CA G CA T C AG GT A C…
Genome Preprocessing
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 117: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/117.jpg)
…
Hash Table
0
1
Indexer
AG CA G CA T C AG GT A C…
Genome Preprocessing
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 118: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/118.jpg)
…
Hash Table
0
1
2
Indexer
AG CA G CA T C AG GT A C…
Genome Preprocessing
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 119: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/119.jpg)
…
Hash Table
0 3
1
2
Indexer
AG CA G CA T C AG GT A C…
Genome Preprocessing
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 120: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/120.jpg)
…
Hash Table
0 3
1
2
Indexer
• Hash table access pattern• Hash table entry 8 bytes
• Cache line size 64 bytes
• Collisions
• Genome unstructured
• Microsatellites structured
AG CA G CA T C AG GT A C…
TTGACCCACTGAATCACGTCTGACCGCGCGTACGCGGTCACTTGCGGTGCCGTTTTCTTTGTTACCGACGACCGACCAGCGACAGCCACCGCGCGCTCACTGCCACCAAAAGAGTCATATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCGATCATCACAGCCGACCAGTTTCTGGAACGTTCCCGATACTGGAACGGTCCTAATGCAGTATCCCACCCTCCTTCCATCGACGCCAGTCGAATCACGCCGCCAGCCACCGTCCGCCAGCCGGCCAGAATACCGATGACTCGGCGGTCTCGTGTCGGTGCCGGCCTCGCAGCCATTGTACTGGCCCTGGCCGCAGTGTCGGCTGCCGCTCCGATTGCCGGGGCGCAGTCCGCCGGCAGCGGTGCGGTCTCAGTCACCATCGGCGACGTGGACGTCTCGCCTGCGAACCCAACCACGGGCACGCAGGTGTTGATCACCCC
Genome Preprocessing
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 121: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/121.jpg)
Microsatellites and Processed k-mers
ATCGATCGATCGATCGATCGATCGATCGATCG
ATCG
TCGA
CGAT
GATC
ATCG
cache line 1
cache
cache line 2
cache line 3
cache line 4
cache line 5
cache line 6
cache line 8
cache line 7
cache line 0
The microsatellite will activate cache lines 2, 4, 5 and 0 repeatedly
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 122: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/122.jpg)
Genome Sequencing Attack Results
Execution Time
Activity in all related cache lines
• Monitor cache lines associated to satellite• High activity in cache lines reveal occurrence of satellite in input string
A
D
B
C
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 123: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/123.jpg)
SGX
SGX Side Channels & Defenses
SGX
Leakage Oracle
Caches• L1, L2, LLC, LBR
Page-Faults
Spectre
Obfuscators
SC-resilient SW-design (e.g., Scatter-and-Gather)
Cache-archichtecture re-design (e.g., Partitioning)
Intel TSX (e.g., T-SGX, Déjà Vu, Cloak )
ORAM / Oblivious Execution
Leakage Oracle
Enclave
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 124: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/124.jpg)
SGX Specific Side-Channel Defenses Using TSX
• Intel TSX is a hardware mechanism to allow synchronous memory transactions
• TSX is not available on all SGX-enable processors
TSX: Transactional Synchronization Extensions
TSX
T-SGX: Uses TSX to detect enclave interrupt
[Shih et al., NDSS’17]
Déjà Vu : Uses TSX to detect enclave slowdown [Chen et al., AsiaCCS’17]
Cloak: Prime cache before accessing sensitive data
[Schuster et al., USENIX 2017]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 125: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/125.jpg)
General Hardware-based Side-Channel Defenses
Cache partitioning / coloringTemporal cache isolation
Randomized cache mappings
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 126: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/126.jpg)
General Hardware-based Side-Channel Defenses
Cache partitioning / coloringTemporal cache isolation
Randomized cache mappings
Problems
• Ineffective on SMT-enabled systems
Problems
• Frequency analysis for randomization secret
Problems
• Reduces the amount of cache available to individual software
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 127: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/127.jpg)
General Software-only Side-Channel Defenses
Side-channel resilient software design
Monitoring for attack effects
Oblivious execution / ORAM
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 128: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/128.jpg)
General Software-only Side-Channel Defenses
Side-channel resilient software design
Monitoring for attack effects
Oblivious execution / ORAM
Problems
• Not applicable to all applications
• Manual software hardening required
Problems
• Requires privileged entity (not available in SGX model)
Problems
• Too inefficient, ORAM metadata needs to be protected as well
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 129: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/129.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 130: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/130.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
ORAM
Process(stash){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 131: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/131.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
ORAM
Process(stash){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 132: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/132.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
ORAM
Process(stash){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 133: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/133.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
ORAM
Process(stash){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 134: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/134.jpg)
While(leak) { add_ORAM_layer(); }M
emo
ry (
RA
M /
Cac
he)
Enclave
Process(table){
}
ORAM
Process(stash){
}
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 135: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/135.jpg)
Summary: SGX – All Problems Solved?
• Side channels more drastic than originally thought
• Current add-on defenses not practical or effective
• Academic research solutions mostly not deployed
•Generic software-only side-channel defenses required• No security expertise of enclave developers (no annotations)• Hardware extensions/features not available in all SGX CPUs
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 136: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/136.jpg)
Our Current Work: Generic Software-only Side-Channel
Defenses
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 137: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/137.jpg)
Our Current Work: Software-based Side-Channel Mitigations
RAM
Sensitive Array
[Brasser et al., DR. SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization, ArXiv]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 138: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/138.jpg)
Our Current Work: Software-based Side-Channel Mitigations
RAM
Sensitive ArrayORAM Tree
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Brasser et al., DR. SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization, ArXiv]
![Page 139: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/139.jpg)
Our Current Work: Software-based Side-Channel Mitigations
RAM
Sensitive Array
AES Key
DR. SGX(Pseudo-random
Permutation)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
[Brasser et al., DR. SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization, ArXiv]
![Page 140: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/140.jpg)
DR.SGX Re-randomization
Initial layout Layout 1 Layout 2
A
B
C
D
E
F
G
H
F
C
G
E
D
H
A
B
G
D
B
E
H
A
F
C
Time
Perm
uta
tio
n π
1
AES-NI
Perm
uta
tio
n π
2
AES-NI
Re-randomization window
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 141: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/141.jpg)
Meltdown and Spectre
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 142: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/142.jpg)
So, you might have noticed...
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 143: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/143.jpg)
So, you might have noticed...
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 144: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/144.jpg)
So, you might have noticed...
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 145: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/145.jpg)
So, you might have noticed...
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 146: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/146.jpg)
So, you might have noticed...
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 147: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/147.jpg)
Three Attacks
•CVE-2017-5754 (aka. Meltdown)
• Exploits rogue data-cache loads during speculative execution
•CVE-2017-5753 (aka. Spectre)
• Exploits bounds-check bypasses during speculative execution
•CVE-2017-5715 (aka. Spectre)
• Exploits branch-target injection during speculative execution
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 148: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/148.jpg)
Intel Inside Bug insideSpeculative Execution!
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 149: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/149.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Input:
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
Data:1742
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 150: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/150.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 151: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/151.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Program Counter (PC):
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
0xC
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 152: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/152.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Program Counter (PC):
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
0xC
17
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 153: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/153.jpg)
0xD
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Program Counter (PC):
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
17 42
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 154: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/154.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Program Counter (PC):
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
0xD
17 42
59
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 155: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/155.jpg)
Speculative Execution? Sounds fishy..And what is a processor anyways?
Processor:
ADD
READ
WRITE
Output:
Code:READ 0xAREAD 0xB
ADDWRITE 0xC
Program Counter (PC):
Input:
:0xC:0xD:0xE:0xF
Data:1742
:0xA:0xB
Code:READ 0xAREAD 0xB
ADDWRITE 0xA
0xC:0xD:0xE:0xF:
Data:1742
0xA:0xB:
0xE0xF
59
59
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 156: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/156.jpg)
Some operations are SLOOOOOOOW
• Two read operations can easily stall the CPU for more than 100ns
• An integer addition takes two orders of magnitude less time (~1ns)
• So, in the time domain the execution looks like this:
• Processor does NOTHING for 100ns!
READ 0xA READ 0xB ADD …
50ns 50ns 1ns
…
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 157: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/157.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU)
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 158: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/158.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU)
MEMORY ACCESS
Instruction Stream:
Why should I waitfor a long time?
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 159: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/159.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
What happens if Ijust continue..
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 160: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/160.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS Looks like we areready!
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 161: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/161.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS Looks like we areready!
Ok, resultlooks good. You canleave earlytoday.Commit!
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 162: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/162.jpg)
Optimizing for Performance..Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS
To Boost Performance Modern Processors Execute Instructions Out-of-Order!Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 163: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/163.jpg)
..what if it does not work?Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU)
MEMORY ACCESS
Instruction Stream:
Why should I waitfor a long time?
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 164: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/164.jpg)
..what if it does not work?Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
What happens if Ijust continue..
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 165: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/165.jpg)
..what if it does not work?Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS Maybe nobodywill notice..
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 166: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/166.jpg)
..what if it does not work?Out-of-Order Execution:
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU) ALU
ALU
ALU
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS Maybe nobodywill notice..
Do it in order, stupid!
Rollback!
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 167: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/167.jpg)
..what if it does not work?
SLOW OP(e.g., Memory Access or Branch)
FAST OP (e.g., ALU)
Instruction Stream:
FAST OP (e.g., ALU)
FAST OP (e.g., ALU)
MEMORY ACCESS
Only correct optimizations are commited!
ALU
ALU
ALU
In Order Execution:
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 168: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/168.jpg)
Out-of-Order vs. Speculative Execution
• If the instruction that is re-ordered is a branching instruction, theresulting Out-of-Order stream is called Speculative Execution
CONDITIONAL BRANCH
…
…
…
…
• Many processors do not optimize this
• Bigger processors invest a lot of workinto optimizing branches!
• Simple optimization:• Always execute both branches
• only commit the correct one
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 169: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/169.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 170: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/170.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
TEST $ebx, $ebx
JE Code
MOV 0x70, [0x70+$ebx]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 171: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/171.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
TEST $ebx, $ebx
JE Code
MOV 0x70, [0x70+$ebx]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 172: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/172.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
TEST $ebx, $ebx
JE Code
MOV 0x70, [0x70+$ebx]
1F 20 2A 2B
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 173: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/173.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
TEST $ebx, $ebx
JE Code
MOV 0x70, [0x70+$ebx]
Accessnot allowed, stupid!
1F 20 2A 2B
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 174: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/174.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
MOV $ebx, [0x8]
TEST $ebx, $ebx
JE Code
MOV 0x70, [0x70+$ebx]
Accessnot allowed, stupid!
1F 20 2A 2B
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 175: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/175.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
Accessnot allowed, stupid!Rollback!
1F 20 2A 2B
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 176: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/176.jpg)
What could possibly go wrong?
OoO-Processor:
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 0000 00 00 00
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
OS memory isnone of yourbusiness! EXCEPTION
1F 20 2A 2B
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 177: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/177.jpg)
What could possibly go wrong?
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 001F 20 2A 2B
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
[FLUSH+RELOAD]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018
![Page 178: Hardware-assisted Security: From Trust Anchors to Meltdown ......Unified Security Model for PUFs [Armknecht et al., CT-RSA 2016] Formal Security Model [Armknecht et al., S&P 2011]](https://reader035.fdocuments.in/reader035/viewer/2022081620/611aa1179a029f68eb5e2b66/html5/thumbnails/178.jpg)
What could possibly go wrong?
User Memory:0A 0B 0C 0D0E 0F 10 1A1B 1C 1D 1E1F 20 2A 2B
:0x70:0x74:0x78:0x7C
Cache:00 00 00 0000 00 00 0000 00 00 001F 20 2A 2B
:0x0:0x4:0x8:0xC
Code:MOV $ebx, [0x8]TEST $ebx, $ebx
JE CodeMOV 0x70, [0x70+$ebx]
OS Memory:0A 0B 0C 0D0E 0F 10 1A00 00 00 0C1F 20 2A 2B
0x70:0x74:0x78:0x7C:
• well well what do we have here..• Memory access happened at 0x7C• Actually, my start address was 0x70• The value at 0x8 must have been:
0x7C-0x70 = 0x0C![FLUSH+RELOAD]
Summer School on real-world crypto and privacy, Šibenik (Croatia), June 11–15, 2018