# CS 578: Cyber-security Part III: Side-channels

Sanghyun Hong

sanghyun.hong@oregonstate.edu





### HOW CAN WE BREAK THE ISOLATION?

- ROWHAMMER BREAKS INTEGRITY
- SIDE-CHANNELS BREAK CONFIDENTIALITY

#### Spectre

- Speculative execution is a CPU optimization
  - Instruction cycle: fetch → decode → execute
  - Instruction pipeline: instruction-level parallelism (on a single CPU)

| Instr. No. | Clock cycle 1 | 2  | 3  | 4   | 5   | 6   | 7   |
|------------|---------------|----|----|-----|-----|-----|-----|
| 1          | IF            | ID | EX | MEM | WB  |     |     |
| 2          |               | IF | ID | EX  | MEM | WB  |     |
| 3          |               |    | IF | ID  | EX  | MEM | WB  |
| 4          |               |    |    | IF  | ID  | EX  | MEM |
| 5          |               |    |    |     | IF  | ID  | EX  |

Pipeline stages: IF = instruction fetch, ID = instruction decode, EX = execute, MEM = memory access, WB = write back.



- Speculative execution is a CPU optimization
  - Out-of-order execution for speed-ups
  - Used to reduce the cost of, e.g., a conditional branch

```
if (x < array1_size)
    y = array2[array1[x] * 4096];
```

- The first line causes a delay until x arrives from memory
- Loading *x* from memory takes more cycles than running the following instructions
- A naïve solution is to *wait…* but do we have a better solution?
- Run the next instructions in the instruction pipeline
  - If x satisfies the "if" condition, commit the work (performance gain)
  - Otherwise, discard the faulty work
- The CPU makes its errors on its own!



# SPECTRE ATTACK (VARIANT 1) – CONDITIONAL BRANCH MISPREDICTION

Attack scenario

```
if (x < array1_size)
    y = array2[array1[x] * 4096];
```

- The above code runs in a secure environment
- The attacker wants to read its memory
- The attacker controls the variable x
- array1_size and array2 are not in the cache
- Suppose the memory layout is as in the figure below
  - *array1_size* is 8 bytes



[Figure: memory layout. array1_size = 00000008. At the array1 base address: 8 bytes of data (values don't matter). Further up in memory, past array1 base + N: the bytes 09 F1 98 CC 90 … (something secret). array2 is laid out as array2[0*512], array2[1*512], …, array2[11*512], …; its contents don't matter, only the cache status (uncached vs. cached) of each entry.]



# SPECTRE ATTACK (VARIANT 1) – CONDITIONAL BRANCH MISPREDICTION

Attack scenario

```
if (x < array1_size)
    y = array2[array1[x] * 4096];
```

- The attacker sets x (which they control) to a value greater than 8, i.e., beyond array1_size
- The CPU speculatively executes as if the "if" condition were true
- The CPU reads the address array1 base + x
  - It returns the secret byte = 09 (fast, since it is in the cache)
  - It requests memory at (array2 base + 09 * 4096)
  - It brings array2[09*4096] into the cache
  - It realizes the "if" condition is false and discards this work
- Control returns to the caller
- The attacker uses a cache side-channel to read 09





- Branch predictor
  - Every 5–7 instructions of a program contain a branch (a lot!)
  - Branches are costly
    - If the jump target is in the cache: fast
    - If the jump target is not in the cache: slow, wait for the address to come from memory
  - Consider the example C program below

```
for (i = 0; i < m; i++)
    for (j = 0; j < n; j++) {
        S1; S2; ...; Sk
    }
```



- Branch predictor
  - The branch predictor speculatively jumps to a predicted target address
    - Based on the branch history (a collection of previous jump addresses)
      - On an Intel Haswell, ~29 prior addresses are used
      - On an AMD Ryzen, ~9 prior branches are used
    - Run the jump
      - If the target address is the correct one: commit
      - If the address is incorrect: discard the faulty work
  - But what if it jumps to an address it should not?




Attack scenario

```
adc edi, dword ptr [ebx+edx+13BE13BDh]
adc dl,  byte ptr [edi]
```

- The sleep() function operates on \$ebx and \$edi
- The attacker controls \$ebx and \$edi, and they know \$edx
- The attacker sets \$edi to the base address of the probe array m
- The attacker, for example, sets it to m − 0x13BE13BD − edx
- The instruction in the second line will load *m* into the cache
- Then they use the same cache side-channel to probe the content



#### SPECTRE ATTACK

- Mitigations
  - Disable speculative operations (lfence instruction)
  - Prevent access to sensitive (or secret) data
  - Prevent data from entering covert channels
  - Limit data extraction from covert channels
  - Prevent branch poisoning (retpolines<sup>1</sup>)
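The variant 1 gadget from the attack scenario above, side by side with one of the listed mitigations (preventing the speculative access to sensitive data), as an added example; this is not code from the slides or from the Spectre paper. It uses constructed arrays in which the bytes past array1_size stand in for the secret, and hardens the gadget with a branchless index mask of the kind the Linux kernel uses in its generic array_index_nospec: when x is out of range the index is forced to 0, so even a mispredicted path only touches array1[0] and the dependent array2 load cannot encode a secret byte. The HIDE macro and all function names are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory layout (not taken from the slides):
 * array1 has 8 valid entries; the bytes that follow stand in for the
 * secret that lies beyond array1_size in memory (0x09 first, as on
 * the slide). */
#define ARRAY1_SIZE 8
#define STRIDE 4096               /* one array2 entry per 4096-byte stride */
static uint8_t array1[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                              0x09, 0xF1, 0x98, 0xCC, 0x90, 0, 0, 0 };
static size_t array1_size = ARRAY1_SIZE;
static uint8_t array2[256 * STRIDE];

/* Hide a value from the optimizer so the mask below is always emitted,
 * even though the compiler "knows" x < size inside the branch
 * (GCC/Clang extension; a no-op elsewhere). */
#if defined(__GNUC__)
#define HIDE(v) __asm__ __volatile__("" : "+r"(v))
#else
#define HIDE(v) ((void)0)
#endif

/* Branchless bounds mask: all ones when index < size, zero otherwise.
 * Same construction as Linux's generic array_index_mask_nospec, written
 * with unsigned arithmetic only. Valid for index, size < SIZE_MAX / 2. */
size_t index_mask_nospec(size_t index, size_t size) {
    /* size - 1 - index wraps (top bit set) exactly when index >= size */
    size_t top = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (top ^ 1);
}

/* Clamp an index to [0, size) without a branch: out-of-range -> 0. */
size_t clamp_index_nospec(size_t index, size_t size) {
    HIDE(index);
    return index & index_mask_nospec(index, size);
}

/* The gadget from the slides: under misprediction array1[x] may be read
 * out of bounds, and the dependent array2 access leaks it via the cache. */
uint8_t victim_unsafe(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Hardened form: the index used for the load is forced to 0 when x is
 * out of range, so a mispredicted path only touches array1[0]. */
uint8_t victim_hardened(size_t x) {
    if (x < array1_size) {
        size_t safe_x = clamp_index_nospec(x, array1_size);
        return array2[array1[safe_x] * STRIDE];
    }
    return 0;
}

/* Which array1 element the hardened load would touch for a given x,
 * including x values the "if" rejects (i.e., on the speculative path). */
size_t speculative_index_touched(size_t x) {
    return clamp_index_nospec(x, array1_size);
}

int main(void) {
    printf("mask(3, 8) = %zx\n", index_mask_nospec(3, 8));   /* all ones */
    printf("mask(8, 8) = %zx\n", index_mask_nospec(8, 8));   /* 0 */
    printf("array1 index touched for x = 8 (secret position): %zu\n",
           speculative_index_touched(8));                     /* 0 */
    return 0;
}
```

The mask replaces, rather than relies on, the comparison: the lfence named on the slide would instead serialize execution right after the bounds check, which also works but costs every execution of the branch; the mask costs a few ALU instructions and is why kernels prefer it for hot array-indexing paths. The clamp is only as good as the index it is applied to, so the hidden copy of x must be the one actually used for the load.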



<sup>1</sup> https://support.google.com/faqs/answer/7625886

# **Thank You!**

Sanghyun Hong

https://secure-ai.systems/courses/Sec-Grad/current



