Confidential Burgers Inc

instruction into µOPs (“Burger”, “Coffee”)
Schedule µOPs
run 1st µOP (grill the burger)
run 2nd µOP (brew coffee, serial execution)
Retire instruction (customer)

EXECUTION ORDER EXAMPLE

customer1 after another (in order)
Each part of the order 2 executed in parallel
I.e. burger and coffee prepared at the same time
PRO: Faster bc. of better resource utilisation.
CON: Still not perfect, more complex

Decode instruction into µOPs
Schedule µOPs
run 1st µOP and 2nd µOP (parallel execution of µOPs)
retire instruction (customer)

EXECUTION ORDER EXAMPLE

EXECUTION

Customer

Waiter

Pizza oven

Burger grill

Coffee machine

#4711 DONE

Multiple customers’ orders executed in parallel1 and delivered (retired) in order
I.e. multiple orders prepared at the same time
PRO: Faster because resources are utilised even better
CON: More difficult to implement

1 this is called superscalar

EXECUTION ORDER EXAMPLE

all on one CPU core.

EXECUTION ORDER EXAMPLE

will finish before the red instruction.
The CPU ensures that red is seen before green.

Instruction

CPU core

Actual µOP execution order

Instruction execution order as seen

before CPU detects wrongdoing
Retrieve secret

OUT OF ORDER EXECUTION

MELTDOWN

in RAM
RAM is very slow
Reading one byte stalls the CPU for hundreds of µOPs

(IN CACHE)

Cache

RAM
Reading one byte stalls the CPU for hundreds of µOPs
CPU caches considerably speed this up
E.g. reading cached takes 3ns, reading uncached 103ns

The cache speeds up “what is the value at address X?”. This is called “(address) X is cached”

looks like this (µOPs):
Check that program may read from address
Store the value at address in register1

MELTDOWN & SPECTRE

“READ” INSTRUCTION

1 Register: The CPUs scratchpad

1

2

In our burger example:
Customer orders a burger & coffee
Burger is ready, coffee machine breaks
Customer does not get his burger

may read from address
Store the read value in register
Stash away secret
Magic
Retrieve secret (later)

MELTDOWN: READING FORBIDDEN DATA

1

2

1

1

2

1

µOPs:

MELTDOWN & SPECTRE

execution

The re-ordering on the right happens, when the “forbidden data” is already cached (because cache access is so fast).

In our burger example:
Customer orders a burger & coffee
Customer gets his burger
Coffee machine breaks
Customer runs away with burger

collector.
The spy will “steal” the secret and stash it away. The CPU will kill him for accessing the secret information.
The collector will find the stashed away secret.

the secret
Depending on the value, Spy will mark a grey block
CPU detects Spys access validation and terminates Spy
Collector now looks for Spys mark in all grey blocks

…

“IT’S A 2”

Places

“IT’S A 3”

“IT’S A 1”

SECRET (“3”)

…

“IT’S A 2”

the cache (value: 3)
Both Spy and Collector can read grey memory blocks

RAM

SECRET (“3”)

…

Cache

SECRET (“3”)

secret
Depending on the value, Spy will cache a grey block1
CPU detects Spys access validation and terminates Spy
Collector now reads all grey blocks and stops the time
Block “It’s a 3” will be the block read the fastest

…

“IT’S A 2”

RAM

“IT’S A 3”

“IT’S A 1”

SECRET (“3”)

…

Cache

SECRET (“3”)

“IT’S A 3”

“IT’S A 2”

read: 103ns (uncached read)

read: 103ns (uncached read)

read: 3ns (cached)

2

1

1 Actually Spy will cache the address of block #3 and Collector will read the blocks addresses

OPs and µOPs
Timing side channels for the cache
This allows an attacker to
Read all memory mapped1 in a process
This often includes all other processes memory
This does NOT allow reading “outside of a VM2”

MELTDOWN & SPECTRE

MELTDOWN

1 Virtual vs. physical memory is a subject for another time 2 For fully virtualised VMs

interesting variable from the address space of the kernel, which will cause an exception, but it will not be processed immediately.

const char* kernel_space_ptr = 0xBAADF00D; char tmp = *kernel_space_ptr;

char userspace_array[256*4096]; for (i = 0; i < 256*4096; i++) { _mm_clflush(&userspace_array[i]); }

Speculatively, we do a read from the array, which is located in our user address space, based on the value of the variable from item 2.

for (i = 0; i < 256; i++) { if (is_in_cache(userspace_array[i*4096])) { // Got it! *kernel_space_ptr == i }}

Thus, the object of the attack is the microarchitecture of the processor, and the attack itself cannot be repaired in the software.

char not_used = userspace_array[tmp * 4096];

We consistently read the array and accurately measure the access time. All the elements, except for one, will be read slowly, but the element that corresponds to the value at the address inaccessible to us is fast, because it has already entered the cache.

EXECUTION

Customer

Waiter

Pizza oven

Burger grill

Coffee machine

#4711 DONE

Multiple customers’ orders executed in parallel1 and delivered (retired) in order
I.e. multiple orders prepared at the same time
PRO: Faster because resources are utilised even better
CON: More difficult to implement

1 this is called superscalar

EXECUTION ORDER EXAMPLE

code paths

MELTDOWN & SPECTRE

SPECTRE

VICTIM PROCESS

A

B

C

D

E

D

Counter > 0?

ATTACKER PROCESS

retrieve secret

MELTDOWN & SPECTRE

SPECTRE

seen in Meltdown.

In the Meltdown attack the CPU knows the next instruction (order) and asynchronously checks the permissions
In Spectre the CPU guesses the next instructions based on heuristics (brew coffee without knowing the order)

is > 0
Reading Counter from memory is very slow
The CPU speculatively executes to improve performance

3

Counter

2

1

1

Counter > 0?

prediction of victim.
Making the victim speculatively execute “wrong” code.
E.g. loop even when Counter is == 0.

Counter > 0?

ATTACKER PROCESS

0

Counter

Prime the branch prediction to expect a loop
Make sure Counter is not cached so the CPU is more likely to speculatively run the code
Find a way that victim leaks data when B & C are executed speculatively

an indirect jump.
Indirect jumps use addresses stored "somewhere else”.
This can also be used to speculatively execute any code found in the target process (kernel).

3

Counter

2

1

1

(1) Counter > 0?

(2) Read next
instruction
address

(3) Jump to indirect address

D