[Semi Thesis Review for me] Meltdown: reading Kernel Memory from User Space -(1)

Yu-gyoung
4 min read · Jun 24, 2020

Authors: Moritz Lipp (1), Michael Schwarz (1), Daniel Gruss (1), Thomas Prescher (2), Werner Haas (2), Anders Fogh (3), Jann Horn (4), Stefan Mangard (1), Paul Kocher (5), Daniel Genkin (6,9), Yuval Yarom (7), Mike Hamburg (8)

Affiliations: (1) Graz University of Technology, (2) Cyberus Technology GmbH, (3) G-Data Advanced Analytics, (4) Google Project Zero, (5) Independent (www.paulkocher.com), (6) University of Michigan, (7) University of Adelaide & Data61, (8) Rambus, Cryptography Research Division

This paper is included in the Proceedings of the 27th USENIX Security Symposium (August 15–17, 2018, Baltimore, MD, USA).

Total number of pages: 18

Writer: Yu-gyoung Yun

(DGIST, undergraduate student. searchien@dgist.ac.kr)

[Abstract]

  • The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access.
  • Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords.
  • Pros: The attack is independent of the operating system, and it does not rely on any software vulnerabilities.
  • Meltdown breaks all security guarantees provided by address space isolation.
  • Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges.
  • Authors show that the KAISER defense mechanism for KASLR has the important side effect of impeding Meltdown. So, they stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.

[Pre-knowledge]

Q. Kernel Memory?

A.

Reference: (Korean)

https://m.blog.naver.com/PostView.nhn?blogId=loveall0926&logNo=220028970668&proxyReferer=https:%2F%2Fwww.google.com%2F

[1. Introduction]

  • memory isolation → user programs cannot access each other’s memory or kernel memory. → cornerstone of computing: running multiple applications at the same time, executing processes of multiple users on a single machine in the cloud.
  • supervisor bit (defines whether a memory page of the kernel can be accessed or not) → lets the operating system (OS) map the kernel into the address space of every process → isolation between the kernel and user processes → there is no change of the memory mapping when switching from a user process to the kernel.

  • Meltdown provides a simple way for any user process to read the entire kernel memory of the machine it executes on, including all physical memory mapped in the kernel region.

  • Meltdown does not exploit any software vulnerability, i.e., it works on all major operating systems.
  • Meltdown exploits side-channel information available on most modern processors, e.g., modern Intel microarchitectures since 2010 and potentially on other CPUs of other vendors.

“While side-channel attacks typically require very specific knowledge about the target application and are tailored to only leak information about its secrets, Meltdown allows an adversary who can run code on the vulnerable processor to obtain a dump of the entire kernel address space, including any mapped physical memory. The root cause of the simplicity and strength of Meltdown are side effects caused by out-of-order execution.”

Point: OoO execution may leak information

OoO execution may cause security problems such as timing differences → leak information from both sequential and out-of-order execution.

But 1) On the architectural level (e.g., the abstract definition of how the processor should perform computations), no security problem arises.

: OoO CPUs allow an unprivileged process to load data from a privileged (kernel or physical) address into a temporary CPU register, and the CPU even performs further computations based on this register value, e.g., an access to an array indexed by the register value. → Solved architecturally by simply discarding the results of the memory lookups (e.g., the modified register states).

But 2) On the microarchitectural level (e.g., the actual hardware implementation), there is an exploitable security problem.

: OoO memory lookups influence the cache, which in turn can be detected through the cache side channel.

https://en.wikipedia.org/wiki/Microarchitecture

Again, Meltdown breaks all security guarantees provided by the CPU’s memory isolation capabilities.

Their evaluation shows that KAISER prevents Meltdown to a large extent.

→ importance to deploy KAISER on all OS immediately.
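An added toy model (not code from the paper or from this review) of the two levels contrasted above: the faulting load's architectural result is discarded, yet the dependent probe access leaves a cache line behind that an unprivileged check can observe, while with the kernel unmapped from the user address space (the KAISER case) the transient load has nothing to forward. The addresses, the secret byte and the page-table view are all constructed.

```python
# Added toy model (not code from the paper or from this review). It contrasts the
# architectural view, where the faulting load's result is discarded, with the
# microarchitectural view, where the dependent probe access leaves a cache line behind.
# Addresses, the secret byte and the page-table view below are all constructed.
from dataclasses import dataclass, field

PAGE = 4096                          # one probe slot per possible byte value, a page apart
KERNEL_BASE = 0xFFFF_8000_0000_0000  # constructed kernel address holding the "secret"


@dataclass
class CPU:
    mapping: dict = field(default_factory=dict)  # addr -> (byte value, user-accessible?)
    cache: set = field(default_factory=set)      # probe addresses currently cached
    regs: dict = field(default_factory=dict)     # architectural register file

    def transient_read(self, kaddr: int, probe_base: int) -> None:
        """Out-of-order execution of: r = *kaddr; tmp = probe[r * PAGE]; then the fault retires."""
        if kaddr not in self.mapping:
            return  # not mapped in this address space (the KAISER case): nothing to forward
        value, user_ok = self.mapping[kaddr]
        # Microarchitecturally the dependent load runs before the permission check
        # retires, so one probe line is brought into the cache either way.
        self.cache.add(probe_base + value * PAGE)
        # Architecturally the supervisor-only access faults: the register write is
        # squashed, so the value never becomes visible in the register file.
        if user_ok:
            self.regs["r"] = value

    def access_is_cached(self, addr: int) -> bool:
        """Stand-in for the timing check: a cached line is a fast access, an evicted one is slow."""
        return addr in self.cache


def build_cpu(kaiser: bool) -> CPU:
    """Without KAISER the kernel page is mapped (supervisor-only) into the user address space."""
    cpu = CPU()
    if not kaiser:
        cpu.mapping[KERNEL_BASE] = (0x42, False)  # constructed secret byte 0x42
    return cpu


def recover_byte(cpu: CPU, kaddr: int, probe_base: int):
    """Unprivileged view: flush, run the transient sequence, then see which probe line is cached."""
    cpu.cache.clear()
    cpu.transient_read(kaddr, probe_base)
    hits = [v for v in range(256) if cpu.access_is_cached(probe_base + v * PAGE)]
    return hits[0] if len(hits) == 1 else None
```

With `build_cpu(kaiser=False)` the probe recovers 0x42 although the register file never received it; with `build_cpu(kaiser=True)` the same sequence recovers nothing.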

  • Meltdown != Spectre attacks

: Spectre requires tailoring to the victim process’s software environment, but applies more broadly to CPUs and is not mitigated by KAISER.

[2. Background]

[2.1 Out-of-order execution]

Instead of processing instructions strictly in the sequential program order, the CPU executes them as soon as all required resources are available.

→ Instructions can be run in parallel. → allows running operations speculatively.

Image from this thesis paper.
  • Tomasulo algorithm
  • unified reservation station
  • CDB(common data bus)
  • branch prediction → modern processors often use two-level adaptive predictors with a history of the last n outcomes.
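An added example (not code from the paper or from this review) of the two-level adaptive predictor named in the last bullet: a global history of the last n outcomes selects one 2-bit saturating counter in a pattern history table. The branch trace is constructed (a loop body taken three times, then the exit).

```python
# Added example (not code from the paper or from this review): a two-level adaptive
# branch predictor. Level 1 is a history register of the last n outcomes; level 2 is a
# pattern history table (PHT) of 2-bit saturating counters indexed by that history.
# The trace below is constructed: a loop taken 3 times, then not taken, repeated.

class TwoLevelPredictor:
    def __init__(self, n: int):
        self.n = n
        self.history = 0                  # last n outcomes, one bit each (1 = taken)
        self.pht = [1] * (1 << n)         # counters 0,1 predict not taken; 2,3 predict taken

    def predict(self) -> bool:
        return self.pht[self.history] >= 2

    def update(self, taken: bool) -> None:
        ctr = self.pht[self.history]
        self.pht[self.history] = min(ctr + 1, 3) if taken else max(ctr - 1, 0)
        # shift the new outcome into the history, keeping only the last n bits
        self.history = ((self.history << 1) | int(taken)) & ((1 << self.n) - 1)


def mispredictions(n: int, trace, warmup: int) -> int:
    """Count mispredictions from index `warmup` onwards, i.e. steady-state behaviour."""
    p = TwoLevelPredictor(n)
    misses = 0
    for i, taken in enumerate(trace):
        if i >= warmup and p.predict() != taken:
            misses += 1
        p.update(taken)
    return misses


# Constructed trace: T,T,T,N repeated 50 times (200 branches). With n=3 the history
# uniquely identifies the position in the period, so the loop exit becomes predictable;
# with n=1 the exit after two taken branches is missed once per iteration.
LOOP_TRACE = [True, True, True, False] * 50
```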

[2.2 Address Spaces]

To isolate processes from each other, CPUs support virtual address spaces where virtual addresses are translated to physical addresses.

Image from this thesis paper.

To protect the kernel, kernel ASLR (KASLR) randomizes the offsets where drivers are located on every boot, making attacks harder as they now require guessing the location of kernel data structures.

But) side-channel attacks allow detecting the exact location of kernel data structures.

[2.3 Cache Attacks]

CPU caches hide slow memory access latencies by buffering frequently used data in smaller and faster internal memory.

point: Cache side-channel attacks exploit timing differences that are introduced by the caches.
