CPU bug makes virtually all chips vulnerable

Discussions on more advanced topics such as monolithic vs micro-kernels, transactional memory models, and paging vs segmentation should go here. Use this forum to expand and improve the wiki!
Post Reply
mariuszp
Member
Member
Posts: 587
Joined: Sat Oct 16, 2010 3:38 pm

Re: CPU bug makes virtually all chips vulnerable

Post by mariuszp »

Korona wrote:That justs introduces a races condition between the timing measurement and the invalidation. It makes the attack harder but not impossible.
Well, i guess each core could have a completly separate cache, so that timing is impossible in parallel with the read and invalidation. Not sure how this would affect performance though.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

mariuszp wrote:Could they perhaps fix both Spectre and Meltdown in hardware by simply deleting the results of speculative mis-execution from the cache, just like they are deleted from registers?
Then you can probe the other way, load both data into cache and see which cache get deleted.

PS. nothing is deleted from registers, they are just discarded by not aliasing them. Furthermore, meltdown confirm that the intermediate values in the register files are indeed used for subsequent speculations.
Last edited by bluemoon on Sun Jan 07, 2018 2:29 am, edited 1 time in total.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

mariuszp wrote:If there was something already in that cache line then Spectre woudl not have worked anyway, so that case can be ignored.
No, Spectre works when the branch cannot be concluded (say, rely on A not in cache), and produce side effect on B.
By (naively) invalidating B itself is a side effect that can be measured. Even with a complex logic to revert the cache state (ie. invalidate only if its fetch by SE), it still create side effect which some other thing is evicted, and may be measured in theory.
User avatar
Sik
Member
Member
Posts: 251
Joined: Wed Aug 17, 2016 4:55 am

Re: CPU bug makes virtually all chips vulnerable

Post by Sik »

Is there a way to reliably predict what got evicted though? Especially since different CPUs have different cache sizes, and may have different eviction strategies (which likely vary way more than loading data into the cache). It probably gets even less predictable if the CPU decides to reorder cached writes to get better bandwidth (by writing to consecutive DRAM addresses which should have a much lesser time penalty than random access as far as I know).
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

Sik wrote:Is there a way to reliably predict what got evicted though? Especially since different CPUs have different cache sizes, and may have different eviction strategies (which likely vary way more than loading data into the cache). It probably gets even less predictable if the CPU decides to reorder cached writes to get better bandwidth (by writing to consecutive DRAM addresses which should have a much lesser time penalty than random access as far as I know).
You don't need to know what get evicted, you just need to know something had evicted. You don't even need to know the CPU cache size.
My thought experiment:
1. fill the cache with your array (this should be larger than actual cache size)
2. run offending code
3. read the array

some entry will get evicted anyway to run the code, but one branch will evict more (you can evict a big chunk in the speculated branch by loading multiple chunk of memory into registers), thus yielding different timing on (3)
This may involve very complex logic to pull out the attack, but in security perspective the door is already opened.

PS. Project Zero paper says the speculation execution can be prolonged to milliseconds ahead by purposely pollute the predictor, caches and other performance boosting units or just write code with badly stalls. This create an easy opportunity to make significantly measurable effect on the "bingo" branch.
mariuszp
Member
Member
Posts: 587
Joined: Sat Oct 16, 2010 3:38 pm

Re: CPU bug makes virtually all chips vulnerable

Post by mariuszp »

Well then, is there any possible solution at all other than completly removing speculation (which would be a performance disaster?)

Perhaps it doesn't really matter, as long as scripting languages and such can be properly secured. After all, binary code in a process reading its own memory through Spectre won't be a problem since it can read its own memory anyway.
User avatar
Roman
Member
Member
Posts: 568
Joined: Thu Mar 27, 2014 3:57 am
Location: Moscow, Russia
Contact:

Re: CPU bug makes virtually all chips vulnerable

Post by Roman »

Well then, is there any possible solution at all other than completly removing speculation (which would be a performance disaster?)
VLIW maybe?
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay
User avatar
~
Member
Member
Posts: 1228
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: CPU bug makes virtually all chips vulnerable

Post by ~ »

mariuszp wrote:Well then, is there any possible solution at all other than completly removing speculation (which would be a performance disaster?)

Perhaps it doesn't really matter, as long as scripting languages and such can be properly secured. After all, binary code in a process reading its own memory through Spectre won't be a problem since it can read its own memory anyway.
An application like a web browser should be able to request the kernel to mark "cache-disabled" memory pages containing SSL-encrypted webpages, or user/password login information. There are bits for that in the page table entries.

In this way all something like Meltdown/Spectre could ever read would be binaries already on disk and non-critical stuff, because the critical pages would never be cached and then there would be no cache vulnerability for that data because it would just never be present in the cache that another program could try to leak inter-process.



I suspect that this would be an ideal solution because:

- It assumes that the cache needs to be treated securely regardless of CPU flaws.

- No operations that reduce efficiency would be used in this step, only marking individual pages cache-disabled as requested by the application itself, which knows where critical data would be as to indicate what to disable from cache.


But it would need to be tested to see how well it goes, to provide a kernel API that allows user-space programs and kernel drivers to specify to the kernel which pages to cache-disable for security or efficiency reasons.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

~ wrote:An application like a web browser should be able to request the kernel to mark "cache-disabled" memory pages containing SSL-encrypted webpages, or user/password login information.
You won't design kernel or CPU around a specific use case.

Also, how about other non-critical information that not marked by "cache-disabled" pages, like key stokes, browsing history, website accessing cookies on other websites (session!), the list goes on. At the end you reached a point either no one care, or you have fully disabled cache - which is slower than running in full emulation like bochs.
Last edited by bluemoon on Sun Jan 07, 2018 11:14 am, edited 1 time in total.
User avatar
~
Member
Member
Posts: 1228
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: CPU bug makes virtually all chips vulnerable

Post by ~ »

Cache enable/disable per page is a feature available to many types of CPUs, so it is a valid resource that would be intended for a case like this.

It's the same, but as you can see with cache-disable / enable capability exposed to any program for its own memory, the program just needs to decide what to protect more. It's easy to update for all browser and OS vendors.

All the examples you have mentioned are data that is accessed very infrequently, and they all are low-speed data, so if you wanted to configure your browser to protect all those things by default it would make for an efficient solution using only the basic protection features of all 32-bit CPUs since the 386 (selective cache-disable of pages as requested by each application).

Many of those data are in the disk anyway, but they should be possible to protect in this way at the CPU level.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

Oh and I shall repeat once again. For meltdown and spectre, the sensitive information does not need to be in cache, they only need to be addressable. Did you read and understood the issue?
User avatar
~
Member
Member
Posts: 1228
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: CPU bug makes virtually all chips vulnerable

Post by ~ »

I've read the cases, they always mention the cache, or trying to load currently non-present data into the cache.

It never mentions a case where all involved data is cache-disabled.

That's what makes me think that a cache-disabled single page would be invulnerable because all accesses to it would be performed directly in RAM, never in the potentially spillable CPU cache.
User avatar
bluemoon
Member
Member
Posts: 1761
Joined: Wed Dec 01, 2010 3:41 am
Location: Hong Kong

Re: CPU bug makes virtually all chips vulnerable

Post by bluemoon »

OK let me explain to you why cache over sensitive information is irrelevant, consider the meltdown case:

Code: Select all

mov rax, [kernel_address]
and rax, 1
mov rbx, [user_address + rax * 0x100]
On line one you access a faulty address, due to a bug in CPU, the permission is checked in async manner, exception will fire upon the instruction retire. Inside the CPU, that instruction will be break up into micro-op including 2 operations: fetch [kernel_address] into register file, alias result to rax. This instruction will run (and cause exception) with or without cache enabled.

Now with speculated execution, the following 2 lines will get executed, and using the internal register file even rax will get discard later (by not aliasing to rax). With [user_address] cache enabled, such speculation will cause a cache-effect on the user data.

Long time later you handle the exception gracefully and return rax = 0, then by checking if [user_address + 0x100] is in the cache you deduce if the bit is one.


The only way (in this direction) to totally avoid this is disable cache over [user_address], which is impractical.

The Boundary Check Bypass CVE works similar way and you cannot protect by disable cache over sensitive data.
Last edited by bluemoon on Sun Jan 07, 2018 11:31 am, edited 2 times in total.
mariuszp
Member
Member
Posts: 587
Joined: Sat Oct 16, 2010 3:38 pm

Re: CPU bug makes virtually all chips vulnerable

Post by mariuszp »

~ wrote:I've read the cases, they always mention the cache, or trying to load currently non-present data into the cache.

It never mentions a case where all involved data is cache-disabled.

That's what makes me think that a cache-disabled single page would be invulnerable because all accesses to it would be performed directly in RAM, never in the potentially spillable CPU cache.
The attacker allocates THEIR OWN memory, which they load into the cache. The data you are targetting does not hve to be cached at all.
User avatar
~
Member
Member
Posts: 1228
Joined: Tue Mar 06, 2007 11:17 am
Libera.chat IRC: ArcheFire

Re: CPU bug makes virtually all chips vulnerable

Post by ~ »

But your data will be marked cache-disabled.

A cache effect would happen in the registers, but I've never heard that a cache-disabled page would ever get loaded in the cache, it would have no reason to be cached, it would never be used anyway from the cache if it's cache-disabled and it would be too poor of a design if we think that pages could be marked like that because they will be used for DMA, so caching would waste resources for nothing.

It would be like saying that fully disabling the cache would still allow memory leakage through processes. That makes me think that if we cache-disable each page with the bit for that in their individual entries, then the actual contents of those pages won't be leakable because they won't be copied to the cache, at most the registers and addresses could be deduced, but not the cache-less-marked pages' content.

That's the case I've never read in the documents, it never claimed being able to dump cache-disabled pages, I found no occurrences about it, probably I should convert it to audio to see if I can find a case about successfully dumping cache-disabled pages, but I think that it's not possible, but untested because a kernel that exposes the capability to mark pages cache-disabled / enabled seems to be very rare, but now more necessary, and not really treated with here.
Post Reply