Transcript of the slides for:
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis
• Daniel Moghimi
• Moritz Lipp
• Berk Sunar
• Michael Schwarz
2018: Meltdown Attack?
[Figure, built up over slides 2 to 12: the virtual address space is split into user space and kernel space; the kernel address 0xf…81a0123 holds the string "PASSWORD"; the oracle is a user-space probe array covering 256 different CPU cache lines, one per possible byte value; the CPU registers are drawn beside it.]
• Step 1: A load from the kernel address 0xf…81a0123 executes transiently and brings the byte ('P') into a register, even though user code is not allowed to read it.
• Step 2: The permission check catches up and the load faults. The architectural result is discarded, but a dependent transient access has already pulled the probe cache line selected by the register value into the cache.
• Step 3: Flush+Reload (F+R) over the 256 cache lines: the one line that now hits is the one indexed by the secret byte, 'P' = 0x50.
Microarchitectural Data Sampling (MDS)
• Meltdown is fixed in hardware, but you can still leak on the fixed hardware.
• Which part of the CPU leaks the data?
• Why does it leak?
CPU Memory Subsystem – Leaky Buffers
[Figure: the memory subsystem (L1, L2, L3, DRAM, DTLB, and the fill buffer between L1 and L2) with the buffers MDS samples from. Load Buffer entries hold VFN, PFN, Offset and DATA; Store Buffer entries hold VFN, PFN[8:0] (only the low physical address bits), Offset and DATA. The variants are named after the buffer they leak from: MFBDS (fill buffer), MSBDS (store buffer), MLPDS (load port); L1TF is the related leak from the L1 data cache.]
[Figure, built up over slides 15 to 20: the checks a load passes through, and what happens when one of them fails.]
• Virtual address = VFN | Offset. Canonical? If not: #GP.
• TLB hit? If not, the page-miss handler (PMH) walks the page tables to the PTE (P, RW, US, A, …, Physical Page Number).
• Permission check (RW, US): #PF on a violation.
• Present bit clear: #PF.
• Accessed bit clear: microcode assist to set the A bit.
• Unaligned vector access: #GP.
• Cache-line aligned? A split access spans two cache lines.
• Cached? A miss goes to the cache miss handler.
• False store dependency: hazard recovery (the load is replayed).
• TSX failure: transaction abort (#RTM).
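The decision points above, turned into an added Python model that is not part of the slides or of the Transynther tool. Given a load (address, size, PTE bits, mode and a few pipeline conditions) it returns the first fault or assist the load would take, in the order the slides draw the checks; the PTE bit positions and the 48-bit canonical rule are the real x86-64 ones, everything else (the `Load` dataclass, the function names, the outcome strings) is this example's own. `wc_chunk_index` adds the detail the Medusa V1 slides use later: the low address bits of the faulting load select which 8-byte slot of the 64-byte line is observed.

```python
from dataclasses import dataclass

# x86-64 page-table entry bits (real positions)
PTE_P, PTE_RW, PTE_US, PTE_A = 1 << 0, 1 << 1, 1 << 2, 1 << 5
VA_BITS = 48  # 4-level paging: addresses must be sign-extended from bit 47


def is_canonical(vaddr: int, va_bits: int = VA_BITS) -> bool:
    """Bits [63:va_bits-1] must all be equal (all 0 or all 1)."""
    top = vaddr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


@dataclass
class Load:
    vaddr: int
    size: int                 # access width in bytes
    pte: int                  # PTE flags of the target page; 0 = no mapping at all
    user_mode: bool = True
    vector: bool = False      # SIMD load with an alignment requirement (e.g. vmovdqa)
    cached: bool = True       # target line present in the cache
    false_store_dep: bool = False
    in_tsx: bool = False
    tsx_aborts: bool = False


def classify_load(ld: Load) -> str:
    """First outcome of the checks, in the order the slides draw them.

    The slides draw the permission check before the present check; a
    non-present entry carries no meaningful permission bits, so it is
    tested first here (assumption of this model).
    """
    if not is_canonical(ld.vaddr):
        return "#GP (non-canonical)"
    if not ld.pte & PTE_P:
        return "#PF (not present)"
    if ld.user_mode and not ld.pte & PTE_US:
        return "#PF (supervisor page)"
    if not ld.pte & PTE_A:
        return "assist (set A bit)"
    if ld.vector and ld.vaddr % ld.size:
        return "#GP (unaligned vector)"
    if (ld.vaddr & 0x3F) + ld.size > 64:
        return "split cache line"
    if not ld.cached:
        return "cache miss handler"
    if ld.false_store_dep:
        return "hazard recovery (false store dependency)"
    if ld.in_tsx and ld.tsx_aborts:
        return "TSX abort (#RTM)"
    return "retires normally"


def wc_chunk_index(vaddr: int) -> int:
    """Which of the eight 8-byte slots of a 64-byte line the address selects (Medusa V1)."""
    return (vaddr & 0x3F) >> 3


if __name__ == "__main__":
    user_pte = PTE_P | PTE_RW | PTE_US | PTE_A
    probe = Load(vaddr=0x5550000000000008, size=8, pte=user_pte)   # the V1 probe address
    print(classify_load(probe), "slot", wc_chunk_index(probe.vaddr))
    print(classify_load(Load(vaddr=0xFFFFFFFF81A00123, size=1, pte=PTE_P | PTE_RW | PTE_A)))
```

A fuzzer in the Transynther style draws the `Load` fields at random and uses this model to know which branch of the flow it has exercised; the classifier also shows why a non-canonical address is attractive as a probe: it fails at the very first check, before any TLB or page walk state can vary between runs.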
Challenges with MDS Testing?
• Reproducing attacks is not reliable. It may depend on:
  • massaging the pipeline with other instructions
  • CPU configuration (generation, frequency, microcode patch, etc.)
• No public tool to find new variants or to verify hardware patches:
  • Too many things to test (addressing mode, cache state, assists, and faults)
  • Previous PoCs may stop working after a microcode update, but what does that mean?
• Impossible to quantify the impact of leakage:
  • We should care about the leakage rate and about what data is leaked.
  • "My PoC is faster than your PoC!"
Transynther

Transynther (Fuzzing-based Random MDS Testing)
• Step 0: Buffer grooming. Before each test, every candidate leak source is filled with its own recognisable value, so that whatever leaks can be attributed to the buffer it came from:
  • Stores, same thread: 0x41424344
  • Stores, hyperthread: 0x61626364
  • Loads, same thread: 0x51525354
  • Loads, hyperthread: 0x71727374
• Step 1 and Step 2: generate and run a Meltdown-style load sequence, with the fault or assist it triggers chosen at random from the decision points above: Canonical, TLB, Perm., Present, Accessed, Aligned Vector, Cache Aligned, Cached, False Store Dep., TSX Failure.
• Step 3: recover the leaked byte through the 256-cache-line oracle (as in the Meltdown example, 'P' = 0x50).
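The grooming idea above as an added Python example; it is not part of the slides or of the Transynther code. The four marker values are the ones on the slide. Because their 16 bytes are pairwise distinct, each leaked byte can be attributed to exactly one source, the per-source counts over a timed run give the leakage rate the "Challenges" slide asks for, and comparing the marker fraction against what random bytes would produce separates a real leak from noise. The leaked byte stream is constructed for this example; the function names are this example's own.

```python
from collections import Counter
from typing import Dict, Optional

# Value planted in each leak source during Step 0 (from the slide)
MARKERS = {
    "stores, same thread": 0x41424344,
    "stores, hyperthread": 0x61626364,
    "loads, same thread": 0x51525354,
    "loads, hyperthread": 0x71727374,
}

# Reverse map: marker byte -> source. The 16 bytes are distinct across all markers.
BYTE_SOURCE = {b: src for src, v in MARKERS.items() for b in v.to_bytes(4, "big")}
MARKER_BYTE_FRACTION = len(BYTE_SOURCE) / 256   # 16/256: chance a random byte matches any marker


def attribute_leak(leaked: bytes) -> Counter:
    """Count leaked bytes per grooming source; bytes matching no marker count as 'noise'."""
    return Counter(BYTE_SOURCE.get(b, "noise") for b in leaked)


def dominant_source(counts: Counter) -> Optional[str]:
    """The buffer the leak most plausibly came from (the 'first come, first served' winner)."""
    ranked = [(n, src) for src, n in counts.items() if src != "noise"]
    return max(ranked)[1] if ranked else None


def leakage_rate(counts: Counter, seconds: float) -> Dict[str, float]:
    """Attributed bytes per second for each source, noise excluded."""
    return {src: n / seconds for src, n in counts.items() if src != "noise"}


def looks_like_leak(counts: Counter, min_fold: float = 4.0) -> bool:
    """True if marker bytes show up at least min_fold times more often than chance."""
    total = sum(counts.values())
    if total == 0:
        return False
    marker = total - counts.get("noise", 0)
    return marker / total >= min_fold * MARKER_BYTE_FRACTION


# Constructed sample: mostly hyperthread-store marker bytes, a few same-thread-load bytes
# and some bytes that match no marker (what the 256-line oracle returned over one run).
SAMPLE_LEAK = bytes.fromhex(
    "61626364 00 6162 00 ff 5152 61626364 5354 00 61626364".replace(" ", "")
)

if __name__ == "__main__":
    counts = attribute_leak(SAMPLE_LEAK)
    print(dict(counts))
    print("dominant:", dominant_source(counts), "leak:", looks_like_leak(counts))
    print("bytes/s over a 2 s run:", leakage_rate(counts, 2.0))
```

Attributing by byte rather than by 32-bit word matters because the oracle returns one byte per Flush+Reload round, and a leak rarely delivers a whole aligned word; the noise test is the check to run after a microcode update before concluding that a PoC "no longer works".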
MDS Attacks – Insights
• Almost any exception/assist can leak from any buffer.
• The CPU must flush the pipeline before executing an assist.
• Upon an exception, fault or assist on a load, Intel CPUs:
  • Execute the load until the last stage.
  • Flush the pipeline at the retirement stage (cheap recovery logic).
  • Continue the load with some data so that it reaches the retirement stage.
  • Which data? (Fill buffer, store buffer, load buffer)
  • Which one will be leaked first? (First come, first served)
Medusa Attack
• Medusa only leaks write-combining (WC) data.
• Implicit WC, i.e. REP MOVS / REP STOS, can be leaked:
  • memory copy routines
  • file I/O
• Served by a write-combining buffer (or just by the fill buffer).
• Advantages:
  • pre-filtered data
  • less noise
  • more targeted
Medusa Attack – V1 Cache Indexing
[Figure, slides 37 to 40: a 64-byte cache line drawn as eight 8-byte slots; the cache line index selects the slot.]
• A faulty load from an invalid (non-canonical) address (slide: 0x5550000000000008-20) leaks the 8-byte slot of the WC data selected by the low address bits.
• Why does the address of a faulting load index the data at all? Common data bus?!
Medusa Attack – V2 Unaligned S2L Forwarding
[Figure, slides 41 to 45: two cache lines of eight 8-byte slots each; a faulty YMMx (vector) load, and a store on the same line.]
• REP MOV on the hyperthread copies "ABCDEFGH IJKLMNOP QRSTUVWX YZ…".
• The faulty YMMx load is unaligned and overlaps the store; store-to-load (S2L) forwarding supplies it with the hyperthread's REP MOV data, which the attacker then observes.
Medusa Attack – V3 Shadow REP MOV
• A REP MOV that faults on the load leaks:
  • the data from the legitimate store address,
  • but also the data from the REP MOV running on the hyperthread.
[Figure: two runs of "HT 1: REP MOV" next to a REP MOV with a valid store and a faulty load. Left: both copy "AAAAAAAAAAAAAAAA". Right: the hyperthread copies "ABCDEFGHIJKLMNOP" while the faulting REP MOV still copies 'A' bytes.]
• Observed in the right-hand run: AAAAAAAAAAAIIAAAIAIAAAIAIAIIIAAAAAA… ('I' bytes from the sibling's copy mixed into the attacker's own data).
OpenSSL RSA Key Recovery
• OpenSSL's Base64 decoder uses an inlined memcpy (with -Os).
• Triggered while decoding the RSA key from the PEM format:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDmTvQjjtGtnIqMwmmaLW+YjbYTsNR8PGKXr78iYwrMV5Ye4VGy
BwS6qLD4s/EzCzGIDwkWCVx+gVHvh2wGW15Ddof0gVAtAMkR6gRABy4TkK+6YFSK
AyjmHvKCfFHvc9loeFGDyjmwFFkfdwzppXnH1Wwt0OlnyCU1GbQ1w7AHuwIDAQAB
AoGBAMyDri7pQ29NBIfMmGQuFtw8c0R3EamlIdQbX7qUguFEoe2YHqjdrKho5oZj
nDu8o+Zzm5jzBSzdf7oZ4qaeekv0fO+ZSz6CKYLbuzG2IXUB8nHJ7NuH3lacfivD
V4Cfg0yFnTK+MDG/xTVqywrCTsslkTCYC/XZOXU5Xt5z32FZAkEA/nLWQhMC4YPM
0LqMtgKzfgQdJ7vbr43WVVNpC/dN/ibUASI/3YwY0uUtqSjilIghIY7pRohrPJ6W
ntSJw0UAhQJBAOe2b9cfiOTFKXxyU4j315VkulFfTyL6GwXi/7mvpcDCixDLNRyk
uRigmdKjtIUrAX0pwjgXa6niqJ691jExez8CQQCcMZZAvTbZhHSn9LwHxqS0SIY1
K+ZxX5ogirFDPS5NQzyE7adSsntSioh6/LQKBX6BAR9FwtxBPACtwz5F9geZAkA8
a3z0SlvG04aC1cjkgUPsx6wxxbl79F2RhmSKRbvh7JiYk3RQ+L7vJgmWPGu5AcLM
oVPsjmbbkKfJZNTyVOW/AkABepEi++ZQQW0FXJWZ3nM+2CNcXYCtTgi4bGkvnZPp
/1pAy9rjeVJYhb8acTRnt+dU+uZ74CTtfuzUTZLOIuVe
-----END RSA PRIVATE KEY-----
• The decoded key carries every private component: N (modulus), d (private exponent), P, Q, d mod (p-1), d mod (q-1), Q^(-1) mod p. Chunks of all of them pass through the leaking copy.
OpenSSL RSA Key Recovery – Coppersmith Attack
• Knowledge of at least 1/3 of the bits of P and Q suffices.
• Create an n-dimensional hidden number problem, where n depends on the number of recovered chunks.
• Feed it to the lattice-based algorithm to find the short vector, which yields P (and with it the whole key).
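The lattice step above, as an added Python example that is not the authors' code: the textbook Coppersmith/Howgrave-Graham case in which the high bits of one prime are known and the low bits are missing (the slides handle the more general case of scattered chunks of both P and Q). The four shift polynomials N^2, N·f, f^2, x·f^2 with f(x) = x + a are LLL-reduced with exact rational arithmetic; the first reduced vector is a polynomial whose root over the integers is the missing part of p. The 128-bit key, the 16 missing bits and all function names are this example's own choices, sized so that it runs in well under a second.

```python
from fractions import Fraction

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these 12 bases are a deterministic test for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime >= n (n is forced odd first)."""
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over the rationals (exact); adequate for the 4-row lattice used here."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * wi for vi, wi in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size reduction
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                     # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def recover_p_from_high_bits(N: int, p_high: int, unknown_bits: int):
    """Return p given N = p*q and all but the low `unknown_bits` bits of p (m = 2 lattice)."""
    X = 1 << unknown_bits            # bound on the unknown low part x0
    a = p_high << unknown_bits       # p = a + x0, so f(x) = x + a has the root x0 modulo p
    # Rows: N^2, N*f, f^2, x*f^2 evaluated at x*X, in the monomial basis 1, x, x^2, x^3.
    # Every row vanishes mod p^2 at x0; by Howgrave-Graham a short enough combination
    # (which LLL is guaranteed to find at this size) vanishes at x0 over the integers.
    rows = [
        [N * N, 0, 0, 0],
        [N * a, N * X, 0, 0],
        [a * a, 2 * a * X, X * X, 0],
        [0, a * a * X, 2 * a * X * X, X ** 3],
    ]
    g = [c // X ** i for i, c in enumerate(lll(rows)[0])]   # undo the X^i column scaling
    for x0 in range(X):              # the cubic g has an integer root in [0, X); a real-root
        acc = 0                      # finder would also do, the scan keeps the example short
        for c in reversed(g):
            acc = acc * x0 + c
        if acc == 0 and N % (a + x0) == 0:
            return a + x0
    return None


# Constructed toy key: two 64-bit primes, deterministic (no RNG involved).
P = next_prime((1 << 63) + 0x3F5A1C770B2D9E41)
Q = next_prime((1 << 63) + 0x12C9F0047ABE5D13)
N = P * Q
UNKNOWN_BITS = 16

if __name__ == "__main__":
    leaked_high = P >> UNKNOWN_BITS   # what the leak delivered: all of p except its 16 low bits
    print(hex(recover_p_from_high_bits(N, leaked_high, UNKNOWN_BITS)), "==", hex(P))
```

At this toy size the 16 missing bits could of course be brute-forced; the point is the lattice, which with a larger m and key size recovers on the order of half of p's bits where a search is hopeless. Once p is known, q = N / p and the CRT components d mod (p-1), d mod (q-1) and q^(-1) mod p follow directly from e.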
Responsible Disclosure
• Medusa:
  • June 24, 2019: Reported initial findings to Intel.
  • Intel confirmed that the WC buffer is part of the fill buffer, but the issue was embargoed due to TAA (TSX Asynchronous Abort).
  • Nov 12, 2019: Bounty awarded.
Conclusion
• Automated testing for CPU attacks:
  • helps us understand the root cause of these issues better,
  • can be used to verify hardware mitigations,
  • can help us improve the leakage rate and understand the impact of attacks better.
• The impact of an attack also depends on the exploitation technique.
Responsible Disclosure (Ice Lake)
• MSBDS (Fallout) on Ice Lake:
  • November 2019: Intel sent us an Ice Lake machine (a CPU with hardware MDS mitigations).
  • March 2020: Tested Transynther on the Ice Lake CPU.
  • Mar 27, 2020: Reported MSBDS leakage on Ice Lake.
  • May 5, 2020: Intel completed triage: the MDS mitigations were not deployed properly.
    • Chicken bits were not enabled for all mitigations.
    • OEMs shipped with old/wrong microcode.
    • Embargoed till July.
  • July 13, 2020: MDS advisory and list of affected CPUs were updated; bounty awarded.
Questions?!
https://github.com/VernamLab/Medusa
https://github.com/danielmgmi/IceBreak