



# Moritz



# Cooking





# Cooking

# Beekeeping





Beekeeping



## Cooking

## Side Channels



#### Side Channel Attacks are Black Magic!



In my first semester as a student, ...



... had to write a scientific report on side channel attacks.



So, I did some research ....



## Device





Device

# Specification







## Device

# Specification

### Interaction



Everything works as expected





# Everything works as expected

**No** bugs



## How can you attack this?



## Information leaks through side effects



## **Power Consumption**





## Power Consumption

### Temperature







### Power Consumption

### Temperature

### **Execution Time**



**Observe Device** 



#### **Evaluate data**



#### Get the secrets. Easy as that!



#### Witchcraft! This is not for me!



Looking for a master thesis ...







Secure Code Generation







Secure Code Generation Software-based Cache Attacks







Compiler Extensions Software-based Cache Attacks



Cache Attacks on ARM



• Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- Interface between hardware and software



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- Interface between hardware and software
- Microarchitecture is an ISA implementation



- Instruction Set Architecture (ISA) is an abstract model of a computer (x86, ARMv8, SPARC, ...)
- Interface between hardware and software
- Microarchitecture is an ISA implementation









• Modern CPUs contain multiple microarchitectural elements



- Modern CPUs contain multiple microarchitectural elements
- Transparent for the programmer



- Modern CPUs contain multiple microarchitectural elements
- Transparent for the programmer
- Optimize for performance, power consumption, ...


- Modern CPUs contain multiple microarchitectural elements
- Transparent for the programmer
- Optimize for performance, power consumption, ...





















## **Caching speeds up Memory Accesses**









**Step 2:** Attacker flushes the shared cache line



**Step 2:** Attacker flushes the shared cache line

Step 3: Victim loads the data



Step 2: Attacker flushes the shared cache line

Step 3: Victim loads the data

Step 4: Attacker measures the access time to reload the data



• Leak cryptographic keys



- Leak cryptographic keys
- Leak information on co-located virtual machines



- Leak cryptographic keys
- Leak information on co-located virtual machines
- Monitor function calls of other applications



- Leak cryptographic keys
- Leak information on co-located virtual machines
- Monitor function calls of other applications
- Build covert communication channels
- . . .

₩ 87% 2 15:57 File Edit View Search Terminal Help

15:57



## shell@zeroflte:/data/local/tmp \$ ./keyboard\_spy -c 0

Tue, November 1





## Side-Channel Attacks are Fun



... and I started a PhD



# What my research is about ...

Motivation



## Abstraction

Motivation



Abstraction



#### Optimizations

## **Performance Optimizations**



## Common Case Make it fast

## **Performance Optimizations**



Common Case Make it fast



# Corner Case

Make sure to handle it

## Motivation



#### **Understand Inner Workings**



#### **Understand Inner Workings**



#### **Security Implications**



#### Software-only

No Physical Access required



## Software-only

No Physical Access required



## Misuse Interfaces Trigger Corner Cases



Advance the state of the art of *microarchitectural attacks and defenses*.

• Discovering transient-execution attacks.



- Discovering transient-execution attacks.
- Identify previously unknown attack vectors.



- Discovering transient-execution attacks.
- Identify previously unknown attack vectors.
- Exploring if different existing attacks can be mounted remotely.



- Discovering transient-execution attacks.
- Identify previously unknown attack vectors.
- Exploring if **different existing attacks** can be mounted remotely.
- Combining traditional physical side-channel analysis with modern software-based microarchitectural attack techniques.



- Discovering transient-execution attacks.
- Identify previously unknown attack vectors.
- Exploring if **different existing attacks** can be mounted remotely.
- Combining traditional physical side-channel analysis with modern software-based microarchitectural attack techniques.
- Giving **new insights** into efficiently mitigating attacks.


# Way Prediction

|         | 0 | 16 17 | 25    | 26 31  |
|---------|---|-------|-------|--------|
| Address |   |       | Index | Offset |

Cache



Cache

Data loaded in a specific set depending on its address



Cache

Data loaded in a specific set depending on its address

Several ways per set



Data loaded in a specific set depending on its address

Several ways per set



• In a set-associative cache, bits in the address determine in which set the cache line is located.



- In a set-associative cache, bits in the address determine in which set the cache line is located.
- With an *n*-way cache, *n* possible entries need to be checked.



- In a set-associative cache, bits in the address determine in which set the cache line is located.
- With an *n*-way cache, *n* possible entries need to be checked.
- Using way prediction [4], one entry is predicted
  - Correct prediction: Access completed
  - Incorrect prediction: Perform associate check



• Introduced with the AMD Bulldozer microarchitecture



- Introduced with the AMD Bulldozer microarchitecture
- Every cache line in the L1D is tagged with a  $\mu$ Tag



- Introduced with the AMD Bulldozer microarchitecture
- Every cache line in the L1D is tagged with a  $\mu {\rm Tag}$
- Predicts the cache way based on this  $\mu Tag$ 
  - Saving power and reduces bank conflicts



- Introduced with the AMD Bulldozer microarchitecture
- Every cache line in the L1D is tagged with a  $\mu {\rm Tag}$
- Predicts the cache way based on this  $\mu Tag$ 
  - Saving power and reduces bank conflicts
- No match for μTag, detect early miss and issue L2 request



• Two different virtual addresses with the same  $\mu$ Tag but different physical addresses will conflict



• L1D way predictor computes a hash (µTag) from the virtual address



- L1D way predictor computes a hash (μTag) from the virtual address
- This hash function is **not documented**



• Rely on  $\mu$ Tag collisions to reverse-engineer the hash function



- Rely on  $\mu$ Tag collisions to reverse-engineer the hash function
- Pick two random virtual addresses mapping to the same cache set



- Rely on  $\mu$ Tag collisions to reverse-engineer the hash function
- Pick two random virtual addresses mapping to the same cache set
- Access them repeatedly



- Rely on  $\mu$ Tag collisions to reverse-engineer the hash function
- Pick two random virtual addresses mapping to the same cache set
- Access them repeatedly
- If they have the same  $\mu$ Tag:
  - Increased access time
  - Increased number of performance counter for L1 misses



Figure 1: Measured duration of 250 alternating accesses to addresses with and without the same  $\mu$ Tag.



(b) Bulldozer, Piledriver, Steamroller



Covert Channel



Covert Channel



Break AES



Covert Channel





Break AES

Break KASLR



**Lipp, M.**, Hadžić, V., Schwarz, M., Perais, A., Maurice, C., Gruss, D., "Take a Way: Exploring the Security Implications of AMD's Cache Way Predictors". In: *AsiaCCS*. 2020



## Always leaking metadata ...



Virtual Address Space



• Find something human readable, e.g., the Linux version





### Invalid Access throws an Exception

#### **Memory Isolation**



• Kernel is isolated from user space

#### **Memory Isolation**



- Kernel is isolated from user space
- This isolation is a combination of hardware and software

#### **Memory Isolation**



- Kernel is isolated from user space
- This isolation is a combination of hardware and software
- User applications cannot access anything from the kernel



• CPU support virtual address spaces to isolate processes



- CPU support virtual address spaces to isolate processes
- Physical memory is organized in page frames



- CPU support virtual address spaces to isolate processes
- Physical memory is organized in page frames
- Virtual memory pages are mapped to page frames using page tables
### Address Translation on x86-64



### Address Translation on x86-64





• User/Supervisor bit defines in which privilege level the page can be accessed

- We try to load an inaccessible address
- Permission is checked



Instructions are

• fetched and decoded in the front-end



Instructions are

- fetched and decoded in the front-end
- dispatched to the backend



Instructions are

- fetched and decoded in the front-end
- dispatched to the backend
- processed by individual execution units



Instructions

• are executed out-of-order



- are executed out-of-order
- wait until their dependencies are ready



- are executed out-of-order
- wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions



- are executed out-of-order
- wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions
- retire in-order



- are executed out-of-order
- wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions
- retire in-order
  - State becomes architecturally visible



- are executed out-of-order
- wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions
- retire in-order
  - State becomes architecturally visible
- Exceptions are checked during retirement



- are executed out-of-order
- wait until their dependencies are ready
  - Later instructions might execute prior earlier instructions
- retire in-order
  - State becomes architecturally visible
- Exceptions are checked during retirement
  - Flush pipeline and recover state



\*(volatile char\*) 0; // raise\_exception();
array[84 \* 4096] = 0;



• Flush+Reload over all pages of the array





• Flush+Reload over all pages of the array



• "Unreachable" code line was actually executed



• Flush+Reload over all pages of the array



- "Unreachable" code line was actually executed
- Exception was only thrown afterwards

### Building a Covert Channel



• Transfer of the microarchitectural state into an architectural state

### **Building a Covert Channel**



- Transfer of the microarchitectural state into an architectural state
  - Transient instruction sequence is the sender

### **Building a Covert Channel**

![](_page_128_Picture_1.jpeg)

- Transfer of the microarchitectural state into an architectural state
- Transient instruction sequence is the sender
- Receiver receives the microarchitectural state change and deduces the secret from the state

![](_page_129_Figure_1.jpeg)

- Leverage techniques from cache attacks: Flush+Reload
- Transmit multiple bits at once
  - 256 different byte values  $\Rightarrow$  access different cache line

![](_page_130_Figure_1.jpeg)

- Leverage techniques from cache attacks: Flush+Reload
- Transmit multiple bits at once
  - 256 different byte values  $\Rightarrow$  access different cache line
- Not limited to the cache

![](_page_131_Picture_1.jpeg)

• Add another layer of indirection to test

![](_page_132_Picture_1.jpeg)

• Add another layer of indirection to test

• Then check whether any part of array is cached

![](_page_133_Picture_1.jpeg)

• Flush+Reload over all pages of the array

![](_page_133_Figure_3.jpeg)

• Index of cache hit reveals data

![](_page_134_Picture_1.jpeg)

• Flush+Reload over all pages of the array

![](_page_134_Figure_3.jpeg)

- Index of cache hit reveals data
- Permission check is in some cases not fast enough

![](_page_136_Picture_1.jpeg)

• Using out-of-order execution, we can read data at any address

### Meltdown

![](_page_137_Picture_1.jpeg)

- Using out-of-order execution, we can read data at any address
- Entire physical memory is typically accessible through kernel space

![](_page_138_Picture_1.jpeg)

- Using out-of-order execution, we can read data at any address
- Entire physical memory is typically accessible through kernel space
- Bypass the most fundamental security guarantees

![](_page_139_Picture_1.jpeg)

- Using out-of-order execution, we can read data at any address
- Entire physical memory is typically accessible through kernel space
- Bypass the most fundamental security guarantees
- Can leak data directly, not only meta data

With transient-execution attacks, a new research field emerged

![](_page_140_Picture_2.jpeg)

Meltdown

![](_page_140_Picture_4.jpeg)

Zombieload

![](_page_140_Picture_6.jpeg)

Spectre

![](_page_140_Picture_8.jpeg)

![](_page_140_Picture_9.jpeg)

![](_page_140_Picture_10.jpeg)

Medusa

![](_page_140_Picture_12.jpeg)

Fallout

![](_page_141_Picture_1.jpeg)

Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M., "Meltdown: Reading Kernel Memory from User Space". In: USENIX Security Symposium. 2018

![](_page_142_Picture_0.jpeg)

# **Operating System Microarchitecture**

![](_page_143_Picture_1.jpeg)

• Many exploits rely on the knowledge of the memory location of a certain function


- Many exploits rely on the knowledge of the memory location of a certain function
- Statistical mitigation of memory corruption vulnerabilities



- Many exploits rely on the knowledge of the memory location of a certain function
- Statistical mitigation of memory corruption vulnerabilities
- Randomizing core kernel image and device drivers position at boot time

#### KASLR: Kernel Address Space Layout Randomization



• Driver is loaded to a different offset on every boot



- Double Page Fault Attack [3]
  - Measuring execution time of page fault handler
- TSX Attack [5]
  - Measuring execution time of TSX abort handler
- Prefetch [2]
  - Execution time of prefetch instruction

#### **Prefetch Side-Channel Attack**





• Stronger Kernel Address Isolation: Separate kernel space and user space





• Every process has two address spaces:



- Every process has two address spaces:
  - Kernel Address Space: Kernel mapped, user space mapped and protected with SMAP and SMEP



- Every process has two address spaces:
  - Kernel Address Space: Kernel mapped, user space mapped and protected with SMAP and SMEP
  - Shadow Address Space: User space mapped, Kernel not mapped



- Every process has two address spaces:
  - Kernel Address Space: Kernel mapped, user space mapped and protected with SMAP and SMEP
  - Shadow Address Space: User space mapped, Kernel not mapped
- Switching between the address space:



- Every process has two address spaces:
  - Kernel Address Space: Kernel mapped, user space mapped and protected with SMAP and SMEP
  - Shadow Address Space: User space mapped, Kernel not mapped
- Switching between the address space:
  - Update CR3 with corresponding PML4

#### **Prefetch Side-Channel Attack**



#### **Prefetch Side-Channel Attack**





• For Meltdown, kernel addresses in user space are a problem



- For Meltdown, kernel addresses in user space are a problem
- With KAISER, these mappings are gone



- For Meltdown, kernel addresses in user space are a problem
- With KAISER, these mappings are gone
- Inadvertently defeats Meltdown as well
  - Incorporated to Linux, Apple and Windows



Gruss, D., **Lipp, M.**, Schwarz, M., Fellner, R., Maurice, C., Mangard, S., "KASLR is Dead: Long Live KASLR". In: *ESSoS*. 2017



# Software-based Power Side Channel Attacks



• Need for Platform Thermal Management, Platform Power Limiting, Power/Performance Budgeting



- Need for Platform Thermal Management, Platform Power Limiting, Power/Performance Budgeting
- Intel Running Average Power Limit (RAPL) provides ...



- Need for Platform Thermal Management, Platform Power Limiting, Power/Performance Budgeting
- Intel Running Average Power Limit (RAPL) provides ...



Power Limiting



- Need for Platform Thermal Management, Platform Power Limiting, Power/Performance Budgeting
- Intel Running Average Power Limit (RAPL) provides ...



Power Limiting



#### Accurate Energy Reading



• On Linux, counters can be accessed using the powercap framework

/sys/devices/virtual/powercap/intel-rapl



• On Linux, counters can be accessed using the powercap framework

/sys/devices/virtual/powercap/intel-rapl

• On macOS and Windows, a driver from Intel needs to be installed

#### **Distinguishing Instructions**

• Measure the energy consumption of different instructions



## **Distinguishing Operands**

• Measure the energy consumption of different operands





• Measure the energy consumption of different load values



## **Distinguishing Load Targets**

• Measure the energy consumption of different load targets





Covert Channel



Covert Channel



Break AES-NI



Covert Channel



Break AES-NI



Break KASLR

mlq@dreadnought **~/platypus-aesni** % ./cpa -f . -c 2000000 -m 4 -n Trace folder: . Trace count: 2000000

#### \* < > + Q 注 Z 🗈





• Combine Intel RAPL with SGX-step



- Combine Intel RAPL with SGX-step
- Measure the energy consumption of single instructions

## **RSA** Toy Cipher





Lipp, M., Kogler, A., Oswald, D., Schwarz, M., Easdon, C., Canella, C., Gruss, D., "PLATYPUS: Software-based Power Side-Channel Attacks on x86". In: *IEEE S&P*. 2021


### Interrupt-based Side Channel from JavaScript



• Acquire accurate timestamps of keystrokes for input sequences

#### Motivation



- Acquire accurate timestamps of keystrokes for input sequences
- Depend on bigrams, syllables, words, keyboard layout and typing experience

#### Motivation



- Acquire accurate timestamps of keystrokes for input sequences
- Depend on bigrams, syllables, words, keyboard layout and typing experience
- Exploit timing characteristics to learn information about the user or the input
  - Infer typed sentences
  - Recover passphrases



• Idea: Continuously acquire a high-resolution timestamp and monitor differences between subsequent timestamps [11]



• Idea: Continuously acquire a high-resolution timestamp and monitor differences between subsequent timestamps [11]

### **Interrupt-timing Attacks**



• Look at how much time has passed since the last measurement

### **Interrupt-timing Attacks**



- Look at how much time has passed since the last measurement
- Significant differences occur when the process is interrupted

### **Interrupt-timing Attacks**



- Look at how much time has passed since the last measurement
- Significant differences occur when the process is interrupted
- More time the operating system consumes to handle the interrupt
  - $\rightarrow$  higher timing difference



Covert Channel



Covert Channel



```
User and URL Classification
```





Covert Channel

#### User and URL Classification

#### Touchscreen Interaction

### **PIN** input



**Figure 3:** Keystroke timing attack running in the Firefox browser on the Xiaomi Redmi Note 3. While the user locked the screen, the application still detects keystrokes as long as it is executed on the last used tab.



Lipp, M., Gruss, D., Schwarz, M., Bidner, D., Maurice, C.-m.-t.-n., Mangard, S., "Practical Keystroke Timing Attacks in Sandboxed JavaScript". In: *ESORICS*. 2017



### Nethammer: Remote Rowhammer



- Rowhammer always required local code execution.
- Is Rowhammer possible without any attacker-controlled code?



- Sending as many small UDP packets as possible, triggering memory accesses
- Artificial setup: bit flips every 350 ms.
- With Intel CAT, up to 25 bit flips in 15 minutes.



- Automatic classification of memory-controller policies
- Showed that TRR is insufficient in mitigating Rowhammer attacks



Lipp, M., Schwarz, M., Raab, L., Lamster, L., Aga, M. T., Maurice, C., Gruss, D., "Nethammer: Inducing Rowhammer Faults through Network Requests". In: *SILM Workshop*. 2020



## My PhD in Numbers



### 23 Publications (14 Tier 1, 2 Journals)



23 Publications (14 Tier 1, 2 Journals)



7 First Author (3 Tier 1, 1 Journal)



23 Publications (14 Tier 1, 2 Journals)



7 First Author (3 Tier 1, 1 Journal)



4 under submission



23 Publications (14 Tier 1, 2 Journals)



7 First Author (3 Tier 1, 1 Journal)



4 under submission



32 Talks



23 Publications (14 Tier 1, 2 Journals)



7 First Author (3 Tier 1, 1 Journal)



4 under submission



32 Talks



10 Awards + 11 CVEs



Met, worked and made friends with many incredible kind and talented people



Conclusion



- **Demonstrate** how **microarchitectural optimizations** can be **exploited** from **software**
- Typically **require** complex mitigations coming with a non-negligible performance impact
- Require **rethinking** on a microarchitectural level



... or in other words ...



## Cooking





# Cooking

# Beekeeping







## Cooking

## Beekeeping

### Side Channels



- Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S., "KASLR is Dead: Long Live KASLR". In: ESSoS. 2017.
- [2] Gruss, D., Maurice, C., Fogh, A., Lipp, M., Mangard, S., "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR". In: ACM CCS. 2016.
- [3] Hund, R., Willems, C., Holz, T., "Practical Timing Side Channel Attacks against Kernel Space ASLR". In: IEEE S&P. 2013.
- [4] Inoue, K., Ishihara, T., Murakami, K., "Way-predicting set-associative cache for high performance and low energy consumption". In: Symposium on Low Power Electronics and Design. 1999.

### References ii

- [5] Jang, Y., Lee, S., Kim, T., "Breaking Kernel Address Space Layout Randomization with Intel TSX". In: *ACM CCS*. 2016.
- [6] Lipp, M., Gruss, D., Schwarz, M., Bidner, D., Maurice, C.-m.-t.-n., Mangard, S., "Practical Keystroke Timing Attacks in Sandboxed JavaScript". In: ESORICS. 2017.
- [7] Lipp, M., Hadžić, V., Schwarz, M., Perais, A., Maurice, C., Gruss, D., "Take a Way: Exploring the Security Implications of AMD's Cache Way Predictors". In: *AsiaCCS*. 2020.
- [8] Lipp, M., Kogler, A., Oswald, D., Schwarz, M., Easdon, C., Canella, C., Gruss, D., "PLATYPUS: Software-based Power Side-Channel Attacks on x86". In: IEEE S&P. 2021.

#### References iii

- [9] Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., Mangard, S., Kocher, P., Genkin, D., Yarom, Y., Hamburg, M., "Meltdown: Reading Kernel Memory from User Space". In: USENIX Security Symposium. 2018.
- [10] Lipp, M., Schwarz, M., Raab, L., Lamster, L., Aga, M. T., Maurice, C., Gruss, D., "Nethammer: Inducing Rowhammer Faults through Network Requests". In: *SILM Workshop*. 2020.
- Schwarz, M., Lipp, M., Gruss, D., Weiser, S., Maurice, C.-m.-t.-n., Spreitzer, R., Mangard, S., "KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks". In: NDSS. 2018.
[12] Tatar, A., Krishnan, R., Athanasopoulos, E., Giuffrida, C., Bos, H., Razavi, K., "Throwhammer: Rowhammer Attacks over the Network and Defenses". In: USENIX ATC. 2018.