【HITCON FreeTalk 2018 -暢談 CPU 處理器的歷史包袱】 ➠ Talk: Spectre & Meltdown 漏洞原理說明與 POC 剖析 ➠ Speaker: Bletchley ➠共筆：https://hackmd.io/IYTgRsAMaQTAtAZhAEwGbwCxlgdniAMaIaGECmAjISoWAKzCbBA=?view ➠ Video: https://www.facebook.com/HITCON/videos/1732117933486188/

1. Bletchley 2018.01.19 1
https://www.youtube.com/watch?
v=L1N1P2zxaZE

2. § Discover Date: 2018.01.03
§ Threat
§ Adversary who can execute low
privilege code can read
unpermitted memory region
§ Impact
§ Meltdown: Most Intel processors
§ Spectre: Intel, AMD, and ARM
processors
§ Reason
§ Inconsistence between processor
architecture and
microarchitecture (cache)
§ Lack of permission checking
when CPU optimization
2

3. § Disclosure by
§ Meltdown
§ Jann Horn (Google Project Zero),
§ Werner Haas,Thomas Prescher (Cyberus Technology),
§ Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz
University of Technology)
§ Spectre
§ Jann Horn (Google Project Zero)
§ Paul Kocher + Daniel Genkin (University of Pennsylvania and
University of Maryland), Mike Hamburg (Rambus), Moritz Lipp
(Graz University of Technology), andYuvalYarom (University of
Adelaide and Data61)
§ Website
§ https://meltdownattack.com/
3

4. § CVE-2017-5753 - bounds check bypass (Spectre)
§ CVE-2017-5715 - branch target injection (Spectre)
§ CVE-2017-5754 - rogue data cache load (Meltdown)
4

5. • Frontend
• Fetch and Decode
• Execution Engine
• Reorder Buffer
• Execution Unit
5

6. § Once the data dependency is satisfied, the instructions are put into
Execution Units for execution
§ In order to fully utilize execution units, out-of-order execution is
used in most modern processors
§ Instruction can execute in advanced, even the previous instruction is not
yet finished.
§ In normal case,
§ Execution unit calculates and keeps the effect of this instruction.
§ Until all previous instructions finished, this instruction is retired, and
committing it’s result.
§ In error occurs,
§ The executing result will be discarded.
§ Even though the execution result may not commit to architecture,
the state of microarchitecture is already changed.
§ Cache state
6

7. § Speculative execution is one kind of out-of-order execution
§ Once a conditional branch instruction whose direction depends
on preceding instructions whose execution has not completed
yet.
§ CPU makes a prediction as to the path that the program will
follow, and speculatively execute instructions along the path.
§ Predict corrects, the instructions are retired and committed
§ Predict fails, the execution result is then discarded.
§ Even though the execution result may not commit to
architecture, the state of microarchitecture is already changed.
7

8. § Cache side-channel attacks exploit timing differences that are
introduced by the caches
§ Meltdown and Spectre take Microarchitectural Side-Channel
Attacks to uncover data in the microarchitecture
§ Several Side Channel Attacks
§ Evict+Time
§ Prime+Probe
§ Flush+Reload
8

9. § Flush+Reload attacks work on a single cache line granularity.
§ These attacks exploit the shared, inclusive last-level cache.
§ An attacker frequently flushes a targeted memory location
using the clflush instruction.
§ By measuring the time it takes to reload the data, the attacker
determines whether data was loaded into the cache by another
process in the meantime.
9

10. § array is an attacker-controllable data
§ Access time
§ Hit
§ Miss
§ 256 accesses help discover one byte data
Array[61*
cache_line_size ]
10

11. § Exploit out-of-order execution features in
processors
§ Transfer hidden data from cache via Cache
Side Channel Attack
11

12. § The content of an attacker-chosen memory location, which is
inaccessible to the attacker, is loaded into a register.
§ A transient instruction accesses a cache line based on the
secret content of the register.
§ The attacker uses Flush+Reload to determine the accessed
cache line and hence the secret stored at the chosen memory
location.
12

13. § Transient instruction
§ Instructions which should never executing
§ CPU executes it via out-of-order execution
§ Change the microarchitecture state of the processors
13

14. § Line 3 is never executing
§ CPU stealthy executing
line 3 in advance
§ Execution result will be
abandoned
§ But cache state is already
changed
14

15. § An traversal of probe array can be made to record time to
access each element in probe array
§ Data is 84
15

16. § Meltdown POC
§ https://github.com/IAIK/meltdown
§ Consists of 5 demo program
§ A first test to access other process’ memory
§ Breaking KASLR
§ Reliability test
§ Read physical memory
§ Dump the memory
§ Core library - libkdump
16

17. § Statistic time to access
cached/non-cached
data
§ Calculate threshold
17

18. § libkdump_read calls
§ libkdump_read_tsx()
§ libkdump_read_signal_handler()
to read memory
§ Call to MELTDOWN to trigger
out-of-order
§ Invoke flush_reload() to reveal
data value from cache
18

19. § Since memory in rcx is invalid, the exception will arise – line 50
§ Line 51 – 53 will be executed in an out-of-order manner
§ Part of probe array rbx is loaded to cache, thus reveals value of rcx
19

20. § Flush + Reload
§ Check if the value is in cache
20

21. § Reconstructing a photo with Meltdown
§ https://www.youtube.com/watch?v=L1N1P2zxaZE
21

22. § Exploit processors’ speculative
execution and branch prediction
feature
§ Discover cache data via Cache Side
Channel Attack
22

23. 1. Mistrain the processor so that it will later make an
exploitably erroneous speculative prediction
2. Speculatively executes instructions that transfer confidential
information from the victim context into a microarchitectural
side channel
3. Recovered the confidential data from cache
23

24. § Pretrain
§ make program enter this condition check many times
§ Adversary can chose malicious x for accessing unpermitted data, e.g. kernel
space memory
§ Since
§ array1_size is not in cache, CPU is delayed to read the value
§ Branch predictor beliefs the branch will taken, thus speculative execute the code in
branch with malicious x
§ In the end, the execution result will be discarded, but still remains in cache
§ Similar to Meltdown, Flush+Reload to recover the confidential data
No Cache
No
Cache
Cache
24

25. § Spectre POC
§ https://github.com/crozone/SpectrePoC
§ provided by Erik August's gist
25

26. § Make 5 train runs with 1 attack run
§ Mistrain branch predictor
26

27. § Victim function
§ When x is larger than array1_size, the code will speculative
execute
§ Change the cache state
27

28. § Calculate the time needed to access memory
§ Determine if it is in the cache
28

29. 29

30. 30

31. § handling, we catch the exception effectively occurring
after executing the transient instruction sequence,
and with exception suppression, we prevent the exception
from occurring at all and instead redirect the control
flow after executing the transient instruction sequence
31

32. § The Branch Target Buffer(BTB) keeps a mapping from
addresses of recently executed branch instructions to
destination addresses
32