Meltdown

(Press ? for help, n and p for next and previous slide)

Jonas Jostmann (License Information)
July 2018

1 Introduction

1.1 Prerequisites

Before you explore the interesting facts about the Meltdown securtiy vulnerability, you should aquire a basic knowledge about the topics listed below

  • Basic understanding of the functionality of Processes and how they interact with Operating Systems (OS)
  • Basic understanding of Virtual Memory

1.2 Learning Objectives

  • Explain fundamentals of the relation between Page Tables, Cache and CPU
    • Describe how they are utilized in the Meltdown attack
  • Explain the Meltdown attack procedure
    • Explain its assembler code
  • Recognize how patches for the Meltdown vulnerability work

1.3 Quick Overview

  • Security vulnerabilities in CPUs Meltdown and Spectre were published 4th January 2018
  • Kind of Side-channel Attack
  • Discovered independently by
    • Jann Horn (Google Project Zero),
    • Werner Haas, Thomas Prescher (Cyberus Technology),
    • Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
  • Key findings are presented in their paper
  • Security vulnerability based on hardware issues not on software vulnerabilities
  • Allows unprivileged code to read privileged address spaces
  • Affected Systems:

2 Fundamentals

2.1 Page Tables

  • For several reasons processes do not operate with physical addresses
  • Each process has its own virtual address space
    • Split into larger units named Pages
    • Pages mapped with same sized units in physical memory called Frames
  • Mapping of virtual addresses to physical ones is defined by Page Tables

[OERVM]

Figure 6.10 of cite:Hai17

Example of allocation of frames to a process

Figure 6.10 of cite:Hai17 by Max Hailperin under CC BY-SA 3.0; converted from GitHub

  • Each Process has its own Page Table
    • Running Process’ Page Table stored in a CPU register
      • Page Table has to be switched for each process switch
    • Kernel has its own address space and Page Table
      • If process execution invokes system call, Page Table has to be switched to the Kernel’s one
      • After execution of system call the Page Table has to be switched back to the process’ one
      • That means two Page Table switches for only one process execution
    • Because Page Table switches are very slow, another solution is implemented in modern CPUs
  • For better performance: Each Page Table has part for owner process (User space) and for Kernel space
    • Fewer switches required
  • OS ensures that Kernel space is only accessible if CPU running in privileged mode [Lipp2018]

Page Table with User Space and Kernel Space

by Jonas Jostmann under CC BY-SA 4.0;

2.2 CPU cache

  • Reading data from Memory (RAM) is very slow in comparison with execution speed of CPU [EKom]
    • Reading from memory is Bottleneck of CPU
  • Solution: load specific data into much faster CPU cache
    • e.g., data which is used frequently

2.3 Out of Order Execution (OOOE)

  • Concept for CPU performance improvement
  • While CPU is waiting, e.g., for reading data from memory, CPU executes other instructions in queue speculatively out of the intended order
    • Use CPU cycles, which otherwise would be wasted
    • Increases execution speed
  • Results are stored afterwards in CPU cache
  • At the moment the instruction would be regulary exectuted, results are already there

[Böttcher2006]

2.4 Quiz Break

Please answer the following question:

Why are Page Tables devided into entries for User Space and Kernel Space?

  • Page Tables have a part for User and Kernel Space because of performance reasons
  • Otherwise several switches between Page Tables are necessary when executing system calls from a normal process

3 Meltdown Attack

3.1 Preperation

What is our goal?

  • Read a word (one byte) out of a specific Kernel space address

How do we do that?

  • Execution of instructions, which are normally not executed (with help of OOOE)
    • Reading data, which normally is only accessible in Kernel mode
  • Persisting this data in some form for future utilization

What do we need?

  • Reserved address space for a ProbeArray

    • 256 blocks with 4096 Bytes (assume 4 KB Pages)
      • One word = 8 bits, 2⁸ = 256 possible binary values, each block number in ProbeArray represents one of those
      • Later used for determining the value of the read word from Kernel space
    • Ensure that none of these 256 blocks is cached by CPU

    ProbeArray

    ProbeArray Blocks

    ProbeArray by Jonas Jostmann under CC BY-SA 4.0;

3.2 Attack’s procedure: Step 1

  • Let CPU execute instruction, which leads to an OOOE (e.g., load data from memory)
    • CPU executes out of order instruction, which reads privileged address space
    • CPU throws an exception when it recognizes that memory access was not allowed, though, data is read and stored in cache
      • OOOE = CPU has nothing better to do
    • Multiplies read value with 212 = 4096 (size in bytes of one Page)
      • Referring to starting address of the specific Page, which is represented by a block in ProbeArray, whose number equals read value (binary to decimal)
      • E.g., read value = 00000011 (binary) = 3 (decimal)
      • 3 * 4096 = 12288 (starting address of third page of ProbeArray)

3.3 Attack’s procedure: Step 2

  • Read in reserved address space with the multiplied value as index
    • In our example the third block of the ProbeArray has the starting address 12288 (3*4096)
  • After OOOE of mentioned instructions
    • From Kernel space read data is deleted from cache
  • But not the data from ProbeArray

Meltdown - Read privileged address space

Read privileged address space

Meltdown - Read privileged address space by Jonas Jostmann under CC BY-SA 4.0;

Meltdown - Read privileged address space

Read privileged address space

Meltdown - Read privileged address space by Jonas Jostmann under CC BY-SA 4.0;

Meltdown - Read privileged address space

Read privileged address space

Meltdown - Read privileged address space by Jonas Jostmann under CC BY-SA 4.0;

Meltdown - Read privileged address space

Read privileged address space

Meltdown - Read privileged address space by Jonas Jostmann under CC BY-SA 4.0;

3.4 Attack’s procedure: Step 3

  • Iterate over the 256 Pages of ProbeArray and measure time in which data is read
  • The data, which is stored in cache, is read significantly faster
    • In our example the third block of ProbeArray is not read from RAM but from Cache
    • Time difference shows that block 3 was loaded in Step 2 into CPU Cache
    • Block’s position in ProbeArray (3) equals the binary value (00000011) stored in the privileged address space

Meltdown - Read privileged address space

Iteration over ProbeArray and measure time needed for reading blocks

Meltdown - Read privileged address space by Jonas Jostmann under CC BY-SA 4.0;

  • Reached our goal of reading a word out of a specific Kernel space address
    • By exploiting vulnerabilites of OOOE and CPU Cache
  • This procedure can be repeated to read for example complete passwords

3.5 Explanation of Meltdown Code

Assembler Code of the Meltdown Attack:

;rcx = kernel address
;rbx = probe array
retry:
mov al, byte [rcx]
shl rax, 0xc
jz retry
mov rbx, qword [rbx + rax]

[Lipp2018]

Further information about assembler codes, see http://ref.x86asm.net/coder32.html

mov al, byte [rcx]
  • Moves the content, stored in address rcx of Kernel space, to the lower Bytes of CPU Cache
shl rax, 0xc
  • Multiplies read content with 4096
    • 0xc (hexa-code) = 12 (decimal)
    • shl (shift left) for 12 bits (212=4096)
  • Remember: 256 Blocks of 4096 Bytes in ProbeArray (referring to starting address of specific Page)
    • Ensures as well that only intended memory is loaded into cache and not adjacent one [Lipp2018]
jz retry
  • If zero is read (no secret is read) jump back to jump mark and retry reading secret
    • jz = jump if value equals zero
mov rbx, qword [rbx + rax]
  • Multiplied secret is added to the base address of the ProbeArray and stored in it

3.6 Quiz Break

Please answer the following questions:

Why has the ProbeArray 256 blocks?

  • 256 is the amount of possible values of a word, which is read out of privileged Kernel Space

Why is the read value multiplied with 4096?

  • The size of the blocks in the ProbeArray is 4096 bytes. Value is muliplied with 4096 to select the starting address of the intended Block, which number equals the read value.

4 Security Patches

4.1 Security Patches

  • Although Meltdown is a hardware vulnerability, OS patches can help to secure systems
  • Patches available for Linux, MacOS and Windows

4.2 Kernel Page Table Isolation (KPTI)

  • Division into two Page Tables
    • Kernel PGD e.g., for System Calls in Kernel mode
      • Includes complete Kernel space
    • Shadow PGD for normal processes executed in User mode
      • Includes only few Kernel space entries (e.g., what is necessary for normal Interrupt-Operations)

Kernel page-table isolation

Kernel Page Table Isolation

Kernel page-table isolation by Phoenix7777 under CC BY-SA 4.0;

  • Speculative executions of Meltdown instructions will fail, because there is no mapping to Kernel space in User mode
  • Performance issues

    • Slows down processes in which many switches between Kernel mode and User mode are necessary, because for each switch the Page Table must be switched as well

    [Matt2018]

5 Conclusion

5.1 Summary

  • Hardware characteristics for performance improvement like OOOE, CPU Caching
    • Meltdown Attack utilizes vulnerabilities in these
  • OS patches possible, but cause performance issues

Bibliography

License Information

Except where otherwise noted, this work, “Meltdown”, is © 2017, 2018 by Jonas Jostmann, published under the Creative Commons license CC BY-SA 4.0.

No warranties are given. The license may not give you all of the permissions necessary for your intended use.

In particular, trademark rights are not licensed under this license. Thus, rights concerning third party logos (e.g., on the title slide) and other (trade-) marks (e.g., “Creative Commons” itself) remain with their respective holders.