Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities

To accelerate our learnings, we brought in an expert in CPU
side channel attacks
Anders Fogh

Virtualization-based isolation Microsoft Azure, Hyper-V Affected
Kernel-user separation Windows Affected
Process-based isolation Windows Affected
Language-based isolation Microsoft Edge & Internet Explorer Affected
Enclaves Microsoft Azure, Windows Affected

Pipeline
Instructions are put on an “assembly line” and different jobs are done
in different stages
Superscalar Multiple instructions are executed at once
Out-of-order execution
Instructions are executed as dependencies are resolved and resources
are available
Speculative execution Instructions are executed based on predictions

Instruction Status
MOV RAX, [Address] Ready to execute
ADD RBX, RAX Has to wait
MOV RCX, [ECX] Ready to execute

A conditional branch can potentially mispredict, thus leading to a speculative out-of-
bounds load that feeds a second load, thus creating cache side effects based on a secret.
The attacker can train the branch to speculatively run the code.
if (untrusted_index < length) { This can mispredict executing the below lines with
any value of untrusted_index
char value = buf[untrusted_index]; Loads nearly arbitrary memory
char value2 = buf2[value * 0x40]; Loads the cache as an artifact of the value
}
Consequence
If an attacker can find/create & execute this code in Hypervisor/Kernel/Enclave/sandbox,
they can read the memory

An indirect branch can potentially mispredict the branch target, thus leading to
speculative execution from an attacker controlled target address which could perform a
load and feed that value to a second load
0x4000: JMP RAX ; RAX = 0x5000
....
This can mispredict the target address, thus
speculative executing anywhere
0x4141: MOVZX RCX, BYTE PTR [RCX]
SHL RCX, 6
MOV RCX, [RDX+RCX]
Loads any memory at RCX
Multiply by 0x40 (cacheline size)
Loads the cache as an artifact of the value
Consequence
If attacker can find/create & execute this code in Hypervisor/Kernel/Enclave/sandbox, they
can read the memory

Exception delivery may be deferred until instruction retirement, thus allowing data that
should be inaccessible to be speculatively forwarded onto other instructions
TEST RAX, RAX
JE Skip
MOVZX RCX, BYTE PTR [KERNEL_ADDR]
SHL RCX, 6
MOV RCX, [Buf2+RCX]
This can mispredict the target address, thus
speculative executing anywhere
Fetch any kernel address. Error/Roll back arrives
delayed
Multiply by 0x40 to store information in the cache
Consequence
An unprivileged user mode process can read kernel memory

Requirement Taxonomy
Speculation
1. Gaining speculation Speculation primitive
2. Maintaining speculation Windowing gadget
Side channel
3. Persisting the results Disclosure gadget
4. Observing the results Disclosure primitive
If any of these 4 components are not present, there is no speculative side channel

Spectre variant 1 Conditional branches are predicted on past behavior, thus we can train them
Spectre variant 2
Indirect branches can be trained in place like conditional branches, or since not all
bits are used for prediction, they can be trained in an attacker controlled context
Meltdown
The CPU may defer exceptions and may speculatively forward data on to dependent
instructions

1. Speculation primitive Example
Conditional branch
misprediction
if (n < *p) {
// can speculate when n >= *p
}
Indirect branch
misprediction
// can speculate wrong branch target
(*FuncPtr)();
Exception delivery
// may do permission check at
// retirement
value = *p;
2. Windowing gadget Example
Non-cached load
// *p not present in cache
value = *p;
Dependency chain of loads value = ********p;
Dependency chain of ALU
operations
value += 10;
value += 10;
value += 10;
…
3. Disclosure gadget Example
One level of memory indirection,
out-of-bounds
if (x < y)
return buf[x];
Two levels of memory indirection,
out-of-bounds
if (x < y) {
n = buf[x];
return buf2[n];
}
Three levels of memory indirection,
out-of-bounds
if (x < y) {
char *p = buf[n];
char b = *p;
return buf2[b];
}
…
4. Disclosure primitive Example
FLUSH+RELOAD
Priming phase: flush candidate cache lines
Trigger phase: cache line is loaded based off secret
Observing phase: load candidate cache lines, fastest
access may be signal
EVICT+TIME
Priming phase: evict congruent cache line
Trigger phase: cache line is loaded based off secret
Observing phase: measure time of operation, slowest
operation may be signal
PRIME+PROBE
Priming phase: load candidate cache lines
Triggering phase: cache set is evicted based off secret
Observing phase: load candidate cache lines, slowest
access may be signal

Attack category Attack scenario
Conditional branch
misprediction
Indirect branch
misprediction
Exception delivery
Inter-VM
Hypervisor-to-guest
Host-to-guest
Guest-to-guest
Intra-OS
Kernel-to-user
Process-to-process
Intra-process
Enclave Enclave-to-any
Applicable Not applicableLegend:

Prevent speculation
techniques
Prevent a speculation primitive from executing a disclosure gadget
Remove sensitive content
from memory
Ensure there is no sensitive information in memory that could be read
by a speculation technique
Remove observation
channels
Remove channels for communicating information via speculation
techniques

Goal: prevent a speculation primitive from executing a disclosure gadget
Speculation
primitive
Windowing
gadget
Disclosure
gadget
Disclosure
primitive

if (untrusted_index < length) {
_mm_lfence(); // barrier for speculation
char value = buf[untrusted_index];
char value2 = buf2[value * 0x40];
}
if (untrusted_index < length) {
// cmp untrusted_index, length
// xor reg,reg
// cmovae untrusted_index, reg
char value = buf[untrusted_index];
char value2 = buf2[value * 0x40];
}

Indirect Branch Restricted Speculation
(IBRS)
Indirect Branch Prediction Barrier
(IBPB)
Single-Thread Indirect Prediction Barrier
(STIBP)
When IBRS=1, less-privileged modes
cannot influence indirect branch
predictions of higher-privileged
modes
Kernel and/or hypervisor can set
IBRS=1 on entry to prevent less
privileged modes from attacking them
When IBPB=1, indirect branch
prediction state is flushed (BTB and
RSB)
Kernel and/or hypervisor can write
this when switching process or VM
contexts to prevent cross-process
and cross-VM attacks
When STIBP=1, sibling SMTs cannot
influence one another’s indirect branch
predictions
Processes can request that the kernel set
this to prevent cross-process SMT-based
attacks on indirect branch prediction

FAR JMP and FAR RET are not
predicted on Intel CPUs
RDTSCP or LFENCE before indirect
JMP is safe on AMD CPUs
Indirect calls and jumps can be
transformed into “retpolines”
transformed into FAR JMP on Intel
CPUs
transformed into RDTSCP or LFENCE
before indirect JMP on AMD CPUs
Google proposed “retpoline” which
transforms indirect calls and jumps
into “retpoline” stubs

Goal: ensure there is no sensitive information in memory that could be read by a speculation technique
Speculation
primitive
Windowing
gadget
Disclosure
gadget
Disclosure
primitive

Goal: remove channels for communicating information via speculation techniques
Speculation
primitive
Windowing
gadget
Disclosure
gadget
Disclosure
primitive

Mitigation Tactic Mitigation Name
Attack category Speculation primitive
Inter-VM Intra-OS Enclave
Conditional branch
misprediction
Indirect branch
misprediction
Exception
delivery
Prevent speculation techniques
Speculation barrier via execution serializing
instruction
Security domain CPU core isolation
Indirect branch speculation barrier on demand
and mode change
Non-speculated or safely-speculated indirect
branches
Remove sensitive content from
memory
Hypervisor address space segregation
Split user and kernel page tables (“KVA
Shadow”)
Remove observation channels
Map guest memory as noncacheable in root
extended page tables
Do not share physical pages across guests
Decrease browser timer precision
Applicable Not applicable

Variant Conceptualization
Variant 1 (CVE-2017-5753)
This is a hardware vulnerability class that requires
software changes in order to mitigate.
No universal mitigation for this variant exists today.
This is a hardware vulnerability that can be mitigated
through a combination of OS and firmware changes.
This is a hardware vulnerability that can be mitigated
through OS changes to create split user/kernel page
tables.

Disclosed Variant Speculation primitive category Mitigation
May, 2018
Speculative Store Bypass
(CVE-2018-3639)
Memory access misprediction
(new category)
• Disable speculative store bypass
optimization
• Speculation barrier prior to unsafe
store
June, 2018
Lazy FP State Restore
(CVE-2018-3665)
Exception delivery
(same as Meltdown)
• Use eager restore of FP state
(rather than lazy restore)
July, 2018 Bounds Check Bypass Store
Conditional branch misprediction
(same as Spectre variant 1)
• Speculation barrier as required
July, 2018 NetSpectre
Conditional branch misprediction
(same as Spectre variant 1)
• Speculation barrier as required

https://aka.ms/sescbounty
https://aka.ms/sescdevguide
https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-
vulnerabilities/
https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/
https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-
2018-3639/

Priming Getting the system into a known initial state (e.g. flushing cache lines)
Triggering Actively or passively causing the victim to execute
Observing Observe if state is changed and thereby infer information from this

Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities

More Related Content

What's hot (20)

Similar to Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities (20)

More from Priyanka Aash (20)

Recently uploaded (20)

Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities