Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 5 Jan 2018 16:08:19 -0700
From:      Warner Losh <imp@bsdimp.com>
To:        Eric McCorkle <eric@metricspace.net>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>,  "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject:   Re: A more general possible meltdown/spectre countermeasure
Message-ID:  <CANCZdfoYY5ACwbT0gUW-u=%2BHyG-Y2McoN%2B%2BNZZvqED=wU5MEUA@mail.gmail.com>
In-Reply-To: <72f6097e-c71e-b53f-6885-cfe5a5a56586@metricspace.net>
References:  <c98b7ac3-26f0-81ee-2769-432697f876e5@metricspace.net> <33bcd281-4018-7075-1775-4dfcd58e5a48@metricspace.net> <CANCZdfq2iHErm-pPU1cQ35zrvfdVFPBi1sKYshOyyWUgm3VHBA@mail.gmail.com> <4ec1f3b1-f4b0-80ab-0e68-0dd679dd9e37@metricspace.net> <CANCZdfo2MPbYxrOyuwSO82FAx9ur_kxgwUijoZCaRL2MDxFxFQ@mail.gmail.com> <72f6097e-c71e-b53f-6885-cfe5a5a56586@metricspace.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Wouldn't you have to also unmap it from the direct map for this to be
effective?

Warner


On Fri, Jan 5, 2018 at 3:31 PM, Eric McCorkle <eric@metricspace.net> wrote:

> Well, the only way to find out would be to try it out.
>
> However, unless I'm missing something, if you're trying to pull a
> meltdown attack, you try and fetch from the kernel.  If that location
> isn't cached (or if your cache is physically indexed), you need the
> physical address (otherwise you don't know where to look), and thus have
> to go through address translation, at which point you detect that the
> page isn't accessible and fault.  In the mean time, you can't
> speculatively execute any of the operations that load up the
> side-channels, because you don't have the sensitive data.
>
> The reason you can pull off a meltdown attack at all is that a
> virtually-indexed cache lets you get the data in parallel with address
> translation (breaking the dependency between address translation and
> fetching data), which takes 1000s of cycles for a TLB miss, during which
> you have the data and can launch a whole bunch of transient ops.
>
> Again, these are uncharted waters we're in; so it's entirely possible
> I'm missing something here.
>
> On 01/05/2018 17:22, Warner Losh wrote:
> > While you might be right, I've seen no indication that a cache miss
> > would defeat these attacks in the public and non-public data I've looked
> > at, even though a large number of alternatives to the published
> > workarounds have been discussed. I'm therefore somewhat skeptical this
> > would be effective. I'm open, however, to data that changes that
> > skepticism...
> >
> > Warner
> >
> > On Fri, Jan 5, 2018 at 3:15 PM, Eric McCorkle <eric@metricspace.net
> > <mailto:eric@metricspace.net>> wrote:
> >
> >     Right, but you have to get the value "foo" into the pipeline in order
> >     for it to affect the side-channels.  This technique attempts to stop
> >     that from happening.
> >
> >     Unless I made a mistake, non-cached memory reads force address
> >     translation to happen first, which detects faults and blocks the
> >     meltdown attack.
> >
> >     It also stops spectre with very high probability, as it's very
> unlikely
> >     that an uncached load will arrive before the speculative thread gets
> >     squashed.
> >
> >     On 01/05/2018 17:10, Warner Losh wrote:
> >     > I think this is fatally flawed.
> >     >
> >     > The side channel is the cache. Not the data at risk.
> >     >
> >     > Any mapped memory, cached or not, can be used to influence the
> cache.
> >     > Storing stuff in uncached memory won't affect the side channel one
> bit.
> >     >
> >     > Basically, all attacks boil down to tricking the processor, at
> elevated
> >     > privs, to doing something like
> >     >
> >     > a = foo[offset];
> >     >
> >     > where foo + offset are designed to communicate information by
> populating
> >     > a cache line. offset need not be cached itself and can be the
> result of
> >     > simple computations that depend on anything accessible at all in
> the kernel.
> >     >
> >     > Warner
> >     >
> >     > On Fri, Jan 5, 2018 at 3:02 PM, Eric McCorkle <
> eric@metricspace.net <mailto:eric@metricspace.net>
> >     > <mailto:eric@metricspace.net <mailto:eric@metricspace.net>>>
> wrote:
> >     >
> >     >     Re-posting to -hackers and -arch.  I'm going to start working
> on
> >     >     something like this over the weekend.
> >     >
> >     >     -------- Forwarded Message --------
> >     >     Subject: A more general possible meltdown/spectre
> countermeasure
> >     >     Date: Thu, 4 Jan 2018 23:05:40 -0500
> >     >     From: Eric McCorkle <eric@metricspace.net
> >     <mailto:eric@metricspace.net> <mailto:eric@metricspace.net
> >     <mailto:eric@metricspace.net>>>
> >     >     To: freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>
> >     >     <mailto:freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>> <freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>
> >     >     <mailto:freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>>>
> >     >
> >     >     I've thought more about how to deal with meltdown/spectre, and
> >     I have an
> >     >     idea I'd like to put forward.  However, I'm still in something
> >     of a
> >     >     panic mode, so I'm not certain as to its effectiveness.
> >     Needless to
> >     >     say, I welcome any feedback on this, and I may be completely
> >     off-base.
> >     >
> >     >     I'm calling this a "countermeasure" as opposed to a
> >     "mitigation", as
> >     >     it's something that requires modification of code as opposed
> to a
> >     >     drop-in patch.
> >     >
> >     >     == Summary ==
> >     >
> >     >     Provide a kernel and userland API by which memory allocation
> >     can be done
> >     >     with extended attributes.  In userland, this could be
> >     accomplished by
> >     >     extending MMAP flags, and I could imagine a
> >     malloc-with-attributes flag.
> >     >      In kernel space, this must already exist, as drivers need to
> >     allocate
> >     >     memory with various MTRR-type attributes set.
> >     >
> >     >     The immediate aim here is to store sensitive information that
> must
> >     >     remain memory-resident in non-cacheable memory locations (or,
> >     if more
> >     >     effective attribute combinations exist, using those instead).
> >     See the
> >     >     rationale for the argument why this should work.
> >     >
> >     >     Assuming the rationale holds, then the attack surface should
> >     be greatly
> >     >     reduced.  Attackers would need to grab sensitive data out of
> stack
> >     >     frames or similar locations if/when it gets copied there for
> >     faster use.
> >     >      Moreover, if this is done right, it could dovetail nicely
> into a
> >     >     framework for storing and processing sensitive assets in more
> >     secure
> >     >     hardware[0] (like smart cards, the FPGAs I posted earlier, or
> >     other
> >     >     options).
> >     >
> >     >     The obvious downside is that you take a performance hit
> >     storing things
> >     >     in non-cacheable locations, especially if you plan on doing
> heavy
> >     >     computation in that memory (say, encryption/decryption).
> >     However, this
> >     >     is almost certainly going to be less than the projected 30-50%
> >     >     performance hit from other mitigations.  Also, this technique
> >     should
> >     >     work against spectre as well as meltdown (assuming the
> >     rationale holds).
> >     >
> >     >     The second downside is that you have to modify code for this
> >     to work,
> >     >     and you have to be careful not to keep copies of sensitive
> >     information
> >     >     around too long (this gets tricky in userland, where you might
> get
> >     >     interrupted and switched out).
> >     >
> >     >
> >     >     [0]: Full disclosure, enabling open hardware implementations
> >     of this
> >     >     kind of thing is something of an agenda of mine.
> >     >
> >     >     == Rationale ==
> >     >
> >     >     (Again, I'm tired, rushed, and somewhat panicked so my logic
> >     could be
> >     >     faulty at any point, so please point it out if it is)
> >     >
> >     >     The rationale for why this should work relies on assumptions
> about
> >     >     out-of-order pipelines that cannot be guaranteed to hold, but
> are
> >     >     extremely likely to be true.
> >     >
> >     >     As background, these attacks depend on out-of-order execution
> >     performing
> >     >     operations that end up affecting cache and branch-prediction
> >     state,
> >     >     ultimately storing information about sensitive data in these
> >     >     side-channels before the fault conditions are detected and
> >     acted upon.
> >     >     I'll borrow terminology from the paper, using "transient
> >     instructions"
> >     >     to refer to speculatively executed instructions that will
> >     eventually be
> >     >     cancelled by a fault.
> >     >
> >     >     These attacks depend entirely on transient instructions being
> >     able to
> >     >     get sensitive information into the processor core and then
> >     perform some
> >     >     kind of instruction on them before the fault condition cancels
> >     them.
> >     >     Therefore, anything that prevents them from doing this
> >     *should* counter
> >     >     the attack.  If the actual sensitive data never makes it to
> >     the core
> >     >     before the fault is detected, the dependent memory
> >     accesses/branches
> >     >     never get executed and the data never makes it to the
> >     side-channels.
> >     >
> >     >     Another assumption here is that CPU architects are going to
> >     want to
> >     >     squash faulted instructions ASAP and stop issuing along those
> >     >     speculative branches, so as to reclaim execution units.  So
> >     I'm assuming
> >     >     once a fault comes back from address translation, then
> transient
> >     >     execution stops dead.
> >     >
> >     >     Now, break down the cases for whether the address containing
> >     sensitive
> >     >     data is in cache and TLB or not.  (I'm assuming here that
> >     caches are
> >     >     virtually-indexed, which enables cache lookups to bypass
> address
> >     >     translation.)
> >     >
> >     >     * In cache, in TLB: You end up basically racing between the
> >     cache and
> >     >     TLB, which will very likely end up detecting the fault before
> >     the data
> >     >     arrives, but at the very worst, you get one or two cycles of
> >     transient
> >     >     instruction execution before the fault.
> >     >
> >     >     * In cache, not in TLB: Virtually-indexed tagged means you get
> >     a cache
> >     >     lookup racing a page-table walk.  The cache lookup beats the
> >     page table
> >     >     walk by potentially hundreds (maybe thousands) of cycles,
> >     giving you a
> >     >     bunch of transient instructions before a fault gets
> >     triggered.  This is
> >     >     the main attack case.
> >     >
> >     >     * Not in cache, in TLB: Memory access requires address
> >     translation,
> >     >     which comes back almost immediately as a fault.
> >     >
> >     >     * Not in cache, not in TLB: You have to do a page table walk
> >     before you
> >     >     can fetch the location, as you have to go out to physical
> >     memory (and
> >     >     therefore need a physical address).  The page table walk will
> >     come back
> >     >     with a fault, stopping the attack.
> >     >
> >     >     So, unless I'm missing something here, both non-cached cases
> >     defeat the
> >     >     meltdown attack, as you *cannot* get the data unless you do
> >     address
> >     >     translation first (and therefore detect faults).
> >     >
> >     >     As for why this defeats the spectre attack, the logic is
> >     similar: you've
> >     >     jumped into someone else's executable code, hoping to scoop up
> >     enough
> >     >     information into your branch predictor before the fault kicks
> >     you out.
> >     >     However, to capture anything about sensitive information in
> your
> >     >     side-channels, the transient instructions need to actually get
> >     it into
> >     >     the core before a fault gets detected.  The same case analysis
> >     as above
> >     >     applies, so you never actually get the sensitive info into the
> >     core
> >     >     before a fault comes back and you get squashed.
> >     >
> >     >
> >     >     [1]: A physically-indexed cache would be largely immune to
> >     this attack,
> >     >     as you'd have to do address translation before doing a cache
> >     lookup.
> >     >
> >     >
> >     >     I have some ideas that can build on this, but I'd like to get
> some
> >     >     feedback first.
> >     >     _______________________________________________
> >     >     freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>
> >     <mailto:freebsd-security@freebsd.org
> >     <mailto:freebsd-security@freebsd.org>>
> >     >     mailing list
> >     >     https://lists.freebsd.org/mailman/listinfo/freebsd-security
> >     <https://lists.freebsd.org/mailman/listinfo/freebsd-security>;
> >     >     <https://lists.freebsd.org/mailman/listinfo/freebsd-security
> >     <https://lists.freebsd.org/mailman/listinfo/freebsd-security>>;
> >     >     To unsubscribe, send any mail to
> >     >     "freebsd-security-unsubscribe@freebsd.org
> >     <mailto:freebsd-security-unsubscribe@freebsd.org>
> >     >     <mailto:freebsd-security-unsubscribe@freebsd.org
> >     <mailto:freebsd-security-unsubscribe@freebsd.org>>"
> >     >     _______________________________________________
> >     >     freebsd-arch@freebsd.org <mailto:freebsd-arch@freebsd.org>
> >     <mailto:freebsd-arch@freebsd.org <mailto:freebsd-arch@freebsd.org>>
> >     mailing list
> >     >     https://lists.freebsd.org/mailman/listinfo/freebsd-arch
> >     <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>;
> >     >     <https://lists.freebsd.org/mailman/listinfo/freebsd-arch
> >     <https://lists.freebsd.org/mailman/listinfo/freebsd-arch>>;
> >     >     To unsubscribe, send any mail to
> >     >     "freebsd-arch-unsubscribe@freebsd.org
> >     <mailto:freebsd-arch-unsubscribe@freebsd.org>
> >     >     <mailto:freebsd-arch-unsubscribe@freebsd.org
> >     <mailto:freebsd-arch-unsubscribe@freebsd.org>>"
> >     >
> >     >
> >
> >
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfoYY5ACwbT0gUW-u=%2BHyG-Y2McoN%2B%2BNZZvqED=wU5MEUA>