# Analyzing The Security of The Cache Side Channel Defences With Attack Graphs

Limin Wang, Ziyuan Zhu, Zhanpeng Wang, Dan Meng {wanglimin, zhuziyuan, wangzhanpeng, mengdan}@iie.ac.cn

> Institute of Information Engineering Chinese Academy of Sciences

# Outline

- Introduction
- Motivation
- Method
- Experiments
- Conclusions

# Introduction

Cache side channel attacks on the microarchitecture

| FLUSH+RELOAD[1] | EVICT+TIME[2]      |
|-----------------|--------------------|
| PRIME+PROBE[3]  | CACHE COLLISION[4] |

Flush+Reload in detail

1 Flush cache lines mapped from carefully chosen memory address.



<sup>L</sup> Fast access time -> victim has not access

# Introduction

Hardware vulnerabilities on the microarchitecture

Spectre[5]

Meltdown[6]

Spectre in detail

1 Train the branch predictor, make a wrong branch prediction.

2 Exploit it, then the processor speculatively executes the attack program.

③ The attacker accesses the victim's data illegally and make them cached.



# Introduction

The increasing risk of cache side channel attacks

| FLUSH+RELOAD | EVICT+TIME      |
|--------------|-----------------|
| PRIME+PROBE  | CACHE COLLISION |

Hardware vulnerabilities make cache attacks more powerful

1 Flush carefully chosen cache lines.

Waits for the victim to access the flushed address and re-cache the data.

③ Re-access the cache lines, record the time.



The attacker accesses data illegally and make them cached.

# Outline

Introduction

# Motivation

- Method
- Experiments
- Conclusions

# Motivation

#### Analyze the security of the defences

#### Proposed defences to prevent attacks

| Software                | os —     | Secure Cache – | → Microarchitecture |
|-------------------------|----------|----------------|---------------------|
| Code<br>Obfuscation [7] | KPTI [8] | SP Cache [9]   | InvisiSpec [10]     |

The scope of defences extends from software to hardware

Problems of microarchitecture defences

- 1 Hardware is hard to patch after been published.
- 2 It is also hard to design perfect defences.

It is necessary to analyze the security of the microarchitecture defences at the early stage of designing the processors[11]

# Outline

- Introduction
- Motivation
- Method
- Experiments
- Conclusions

#### Proposed Approach: Analyzing defences with attack graph



#### Proposed Approach: Detail

#### **1.** How to develop security specifications for various exploits?

- Background: the features of different exploits
- Approach: expressed as a sequence of states
- How to: the details of our method
- Advantages: the advantages of our method

2. How to model the complex microarchitecture?

3. How to generate the Attack Graph for cache side channel attacks?

## 1. Security specifications: Background



#### The features of different exploits:

1) The cache attacks can be divided into several steps.

2 Successful attack step => states become what the attacker expects.

3 Different methods to make the system reach the insecure states.

4) The aim of the defences => make the insecure states hard to reach.

#### 1. Security specifications: Our approach



Key points: Even though exploits are increasing rapidly, but the relevant insecure states do not .

#### How to develop security specifications

Traditional: Methods in each step

1. Flush->Spectre->Reload 2. Evict->Spectre->Reload

This paper: A sequence of insecure states

1. S1->S2->S3->S4

#### 1. Security specifications: How to



#### How to develop security specifications for exploits:

1) Divide the attack into several steps manually.

2) Analyze the insecure states.

3 Express the security specification with computation tree logic.

Security Specification: ¬EF(S2 U S3)

Do NOT Exist a sequence in the Future

In the sequence, S2 holds Until S3 is true

#### 1. Security specifications: Advantages



## Advantages:

- 1 A security specification is able to represent a class of exploits.
- 2 Can enumerate the known and unknown attack paths that are able to reach these insecure states.

#### Proposed Approach: Detail

1. How to develop security specifications for various exploits?

#### 2. How to model the complex microarchitecture?

- Background: the properties of the microarchitectures
- Approach: abstract instruction method
- How to: the details of our method
- Advantages: the advantages of our method

3. How to generate the Attack Graph for cache side channel attacks?

#### 2. Microarchitecture model: Background

# The features of microarchitecture :

 Complex & with lots of properties.



- The states of the properties change:
- -- triggered by the execution of instructions.
- -- due to the restrictions between different microarchitecture components.

Noted

#### 2. Microarchitecture model: Our approach

#### **Abstract instruction model:**

Model

Build a state transition model for microarchitecture at the instruction level.

To express the states change triggered by instructions and restrictions.

The microarchitecture model has to satisfy the security specification

**Security Specifications** 

Do not exist a sequence of insecure states.

instructions

 $\neg EF(S2 \cup S3)$ 

satisfy

#### 2. Microarchitecture model: How to

#### How to build a model: $S = \{A, V, AI, C\}$ M=(S, I, R)**Properties** Microarchitecture model A: Attacker S : a set of microarchitecture states V: Victim **i**: initial states AI: Abstract Instructions R : transition relations, $R \subseteq S \times S$ C: Microarchitecture Components Instructions ∈ AI $\{A', V', AI', C'\}$ $\{A, V, AI, C\}$

#### 2. Microarchitecture model: How to

#### How model checking works:

#### Model:

M=(S, I, R) I= {s0} S= {s0, s1, s2, s3, s4, s5, s6, s7} R= {s0->s1, s0->s4, s0->s6, s1->s2, s1->s5, s6->s7, s2->s3, s5->s3, s7->s3} s0 + s1 + s5 + s3 + s6 + s7

Security Specification: ¬EF (s1->s2->s3)

Counterexample: s0->s1->s2->s3



#### 2. Microarchitecture model: Advantages



#### **Advantages:**

- Abstract model removes redundant features and Can conveniently express the microarchitecture.
- 2 The modeling method facilitates the construction of attack graphs.

## Proposed Approach: Detail

1. How to develop security specifications for various exploits?

2. How to model the complex microarchitecture?

#### 3. How to generate the Attack Graph for cache attacks?

- Background: what is the attack graph
- Our approach: how to generate an attack graph
- How to: the details of our method
- Advantages: the advantages of our method

#### 3. Attack Graphs: Background

#### What is the attack graph:

- Preconditions: the states have to be true before the atomic attack performs.
- Postconditions: the states will be true after the atomic attack performs.





2

#### 3. Attack Graphs: Our approach

#### **Our approach:**

State transition model=>
The counterexample is a sequence of states.

Divide the counterexample into 3 parts, and transform them to attack graph.





#### 3. Attack Graphs: How to

#### How to reduce:

(a) Attack paths with similar structure.

- (b) Attack paths that merging the similar structure
- (c) Attack paths with the same structure.
- (d) Attack paths with logically equivalent structure.



s1'

s2'

### 3. Attack Graphs: Advantages

## **Advantages:**

- 1 High readability.
- Easy to simplify.







s1'

# Outline

- Introduction
- Motivation
- Method
- Experiments
- Conclusions

#### An Simple Example



#### Microarchitecture model (No Defences)

| M=(S, | I, | R) |  |
|-------|----|----|--|
|-------|----|----|--|

#### Table: Selected microarchitecture components and properties

Microarchitecture Components Pa & Their Properties

Noted:

More detail the model is, More accurate the result is, But more time needed.

clflush load store branch





Figure: State transition for abstract instructions

#### Microarchitecture model (SP Cache)



Static-Partition Cache (SP Cache)

- -- Statically separates the cache for the victim and the attacker.
- -- Attacker cannot evict victim's cache lines.
- -- The state transition about Evict strategy will be deleted from the R.

/ M=(S, I, R)

## Microarchitecture model (SP Cache + InvisiSpec)



#### InvisiSpec

- -- InvisiSpec loads data into a new Speculative Buffer before committing the result until the speculative load is finally safe.
- -- The state transition about the branch will be modified to the mechanism InvisiSpec describes.



## **Security Specification**



0

InvisiSpec

| Results                           |                             |                                    |                        |                   |  |
|-----------------------------------|-----------------------------|------------------------------------|------------------------|-------------------|--|
| Microarchitecture model           |                             | Model Checking                     | Security specification |                   |  |
| 1. With no defe                   |                             | Model Checking                     | ¬EF(S2 U \$            | 53)               |  |
| 2. With SP Ca                     | che                         | Satisfy?                           | × ×                    | oad with Spectre) |  |
| 3. With SP Ca                     | che + InvisiSpec            |                                    | (Evict + Relo          | ad with Spectre)  |  |
| Table : Results of model checking |                             |                                    |                        |                   |  |
| Secure<br>Designs                 | Counterexamples<br>(Number) | s Reduced Attack Paths<br>(Number) |                        | Runtime<br>(s)    |  |
| None                              | 247                         | 22                                 |                        | 4.421             |  |
| SP Cache                          | 81                          | 20                                 |                        | 3.404             |  |
| SP Cache                          | 0                           | 0                                  |                        | 0.849             |  |

0

0.849



# Outline

- Introduction
- Motivation
- Method
- Experiments

## Conclusions

# Conclusions

#### Conclusions:

- 1. Use instruction abstract method to conveniently model the microarchitecture.
- 2. Use the sequence of insecure states to express the security specification.
- 3. Proposes a novel use of the attack graph technology to visualize the cache side-channel attack path.

Limitions:

- 1. State space explosion problem.
- 2. The attack that do not violate the security specifications will not be identified.

#### Reference

[1] Yarom, Yuval, and Katrina Falkner. "FLUSH+ RELOAD: a high resolution, low noise, L3 cache side-channel attack." *23rd {USENIX} Security Symposium ({USENIX} Security 14)*. 2014.

[2] E. Tromer, D. A. Osvik, and A. Shamir, "Efficient Cache Attacks on AES, and Countermeasures," J Cryptol, vol. 23, no. 1, pp. 37–71, Jan. 2010.

[3] M. Kayaalp, N. Abu-Ghazaleh, D. Ponomarev, and A. Jaleel, "A high-resolution side-channel attack on last-level cache," in Proceedings of the 53rd Annual Design Automation Conference on - DAC '16, Austin, Texas, 2016, pp. 1–6.

[4] J. Bonneau and I. Mironov, "Cache-Collision Timing Attacks Against AES," in Cryptographic Hardware and Embedded Systems - CHES 2006, vol. 4249, L. Goubin and M. Matsui, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006, pp. 201– 215.

[5] P. Kocher et al., "Spectre attacks: Exploiting speculative execution," in 2019 IEEE symposium on security and privacy (SP), 2019, pp. 1–19.

#### Reference

[6] M. Lipp et al., "Meltdown: Reading kernel memory from user space," in 27th {USENIX} security symposium ({USENIX} security 18), 2018, pp. 973–990.

[7] B. Köpf, L. Mauborgne, and M. Ochoa, "Automatic Quantification of Cache Side-Channels," in Computer Aided Verification, vol. 7358, P. Madhusudan and S. A. Seshia, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 564–580.

[8] L. Müller, "KPTI a Mitigation Method against Meltdown," Advanced Microkernel Operating Systems, p. 41, 2018.

[9] D. Page, "Partitioned cache architecture as a side-channel defence mechanism."

[10] M. Yan, J. Choi, D. Skarlatos, A. Morrison, C. W. Fletcher, and J. Torrellas, "InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy," p. 14.

[11] A. T. Markettos, R. N. M. Watson, S. W. Moore, P. Sewell, and P. G. Neumann, "Through computer architecture, darkly," Commun. ACM, vol. 62, no. 6, pp. 25–27, May 2019.

# Thank you! Any questions?