Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis


Shared computing resources shaping modern computing and the internet ecosystem introduce new security and privacy challenges. For instance, in a virtualized environment like the cloud, multiple users with virtually isolated security domains share the CPU and system memory. A malicious user may exploit microarchitectural side channels like cache timing to snoop on other users’ memory access patterns in this environment. Such memory snooping attacks are also possible in other shared execution environments such as web browsers and smartphones. As a result of these attacks, security-sensitive applications, e.g., cryptographic protocols, require extra care against the danger of leaking secret bits to adversaries. Additionally, some attacks like rowhammer go beyond compromising confidentiality. On a system with shared memory, rowhammer can compromise the integrity of applications by intentionally inducing memory errors. Microarchitectural side channels are severe threats to security and privacy given the growth of multitenancy. Consequently, researchers have recently proposed several mitigations to circumvent these attacks. However, these mitigations, for the most part, are based on a limited understanding of the microarchitecture and potential attack vectors. As some of our contributions highlight, we can construct new information channels based on low-level analysis and micro-benchmarking of the CPU’s memory subsystem. Based on our findings, we propose multiple contention-based techniques that improve previous attack vectors. By looking at the memory subsystem with more scrutiny, we show that existing mitigations against memory-related side-channel leakage are insufficient. The complex microarchitecture also exposes the software layer to a new class of attacks, transient execution attacks.
In contrast to the aforementioned contention-based attacks, microarchitectural data sampling (MDS) allows a local adversary to leak the actual data bits rather than memory access patterns. Therefore, attackers will have full visibility to steal credentials and data from other users who run on the same CPU core. However, manual analysis and testing of some transient execution attacks like MDS do not scale and limit our understanding of these vulnerabilities’ root causes. To automate sophisticated proofs of concept and find new variants, we developed a tool by adopting software vulnerability fuzzing techniques. With our automated approach, we provide new insights, discover new exploitation techniques, and report new vulnerabilities. Microarchitectural vulnerabilities go beyond affecting traditional software and security boundaries. A prominent element of modern processors and shared computing environments is the support for hardware-based trusted computing. For example, trusted execution environments (TEEs) are now available on various processors, including superscalar CPUs, mobile processors, and embedded systems. TEEs promise a wide range of security and privacy applications, such as privacy-preserving artificial intelligence and digital rights management. However, TEEs face a more challenging threat model, especially for microarchitectural security, as the system software, including the operating system, is considered malicious. While it is intuitive that TEEs are as vulnerable to microarchitectural attacks, we show that the unique adversarial model suggested by a TEE like Intel SGX exposes the trusted computation to unusual and innovative attack vectors. We show that an adversarial operating system can exploit its system-level capabilities and architectural features to leak fine-grained and deterministic side-channel information from secure enclaves, which is not possible in traditional threat models.
TEEs are not the only relevant hardware-based trusted computing solution. Cryptographic co-processors like the trusted platform module (TPM) are responsible for executing cryptographic operations in a physically isolated fashion. TPMs even promise security guarantees against more intrusive side-channel attacks like physical probing and tampering. While TPM devices claim such security guarantees through external evaluation and security certification, we show that the obscurity of these cryptographic co-processors leaves them vulnerable to classic timing attacks. As a result, we develop high-precision timers to perform timing analysis of cryptographic operations inside TPMs empirically. Finally, to show the impact of security failures due to the above software-related side-channel and microarchitectural attacks, we demonstrate several realistic end-to-end attacks. In particular, cryptographic protocols are an essential ingredient of security primitives for network security, secure software isolation, and trusted execution environments. By combining the newly discovered attack vectors with theoretical cryptanalysis techniques and devising new algorithmic approaches, we demonstrate practical attacks to steal secret keys from encryption and digital signature operations. Our findings include discovering several critical vulnerabilities in deployed cryptographic products ranging from standard cryptographic libraries to hardware-based security solutions. In retrospect, we present the ideas, tools, and techniques under the framework of microarchitectural cryptanalysis. This framework helps the community to have a better understanding of security issues concerning complex microarchitectures. We discuss the importance of applying microarchitectural cryptanalysis to future systems having a heterogeneous microarchitecture. Microarchitectural cryptanalysis highlights the essential need for developing analysis and automation tools in this direction.
We hope that our contribution will help the reader rethink threat models, design choices, and engineering practices for secure systems development.

  • etd-4696
Defense date
  • 2020
Date created
  • 2020-12-06