#### Security Needs a New Hardware-Software Contract

Gernot Heiser gernot.heiser@data61.csiro.au | gernot@unsw.edu.au | @GernotHeiser

https://trustworthy.systems




### The New Year Shock

#### Vulnerabilities in modern Intel processors compromise the security of most compute

Updated 4 January 2018 at 3:36 pm; first posted 4 January 2018 at 12:45 pm

**Data and computer security**

#### Spectre and Meltdown processor security flaws - explained

What are Meltdown and Spectre? Do they only affect Intel chips? Will the fixes slow my computer ... and what even is a processor?

▲ Meltdown allows hackers to bypass hardware barriers, while Spectre can be used to trick applications into giving up secret information. Photograph: Hero Images/Natascha Eibl/Getty Images

**Samuel Gibbs**, Thu 4 Jan 2018 14.20 GMT




2 | SeHAS, HiPEAC'19, Valencia



#### Overview



- What are timing channels?
- *Time protection:* OS must close microarchitectural channels
- How helpful is present hardware?
- What are the requirements on hardware for closing timing channels?
- Defining the new hardware-software contract aISA



### What Are Timing Channels?

### **Timing Channels**



#### Information leakage through timing of events

- Typically by observing response latencies or own execution speed

**Covert channel:** information flow that bypasses the security policy

**Side channel:** covert channel exploitable without insider help

#### **Cause: Temporal Interference**






#### **Sharing 1: Stateless Interconnect**





#### HW is *bandwidth-limited*

- Interference during concurrent access
- Generally reveals no data or addresses
- Must encode info into access patterns
- Only usable as covert channel, not side channel

#### **Sharing 2: Stateful Hardware**





#### HW is *capacity-limited*

- Interference during
  - concurrent access
  - time-shared access
- Collisions reveal data or addresses
- Usable as side channel

Any state-holding microarchitectural feature:

• cache, branch predictor, pre-fetcher state machine



### **Time Protection**

#### **OS Must Enforce** *Time Protection*



- *Time protection* is completely absent from present operating systems

#### **Time Protection: No Sharing of State**

- Time-shared access (context switch from High to Low on the same core): flush the shared state
- Concurrent access (High and Low on different HW threads or cores, stateful or stateless HW): partition the shared state
- Need both! Flushing is useless for concurrent access
- Cannot partition on-core caches (L1, TLB, branch predictor, prefetchers): they are virtually indexed, so the OS cannot control which entries a domain uses

#### **Requirements For Time Protection**






## Implementing Time Protection: Stateful Hardware



#### Flush on Domain Switch

Must remove any history dependence:

1. $T_0 = \text{current\_time}()$
2. Switch user context
3. Flush on-core state
4. Touch all code/data needed for return
5. `while (current_time() < T_0 + WCET) ;`
6. Reprogram timer
7. return

The latency of steps 2-4 depends on prior execution! Time padding (step 5) removes the dependency: the switch always takes the worst-case time (WCET), which ensures deterministic execution as seen by the incoming domain.
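As an added illustration of the padded switch above (example code written for this page, not seL4's implementation), the following C simulation models the on-core state as a small array of lines whose flush cost grows with how many of them the previous domain dirtied. `unpadded_switch()` shows that latency leaking the previous domain's history; `padded_switch()` implements steps 1-7 against a simulated cycle counter and returns 0 if the assumed WCET bound was exceeded, since a violated bound is exactly the case that must not leak silently. The cycle costs, `NLINES`, and the WCET value are constructed toy values, not measurements.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated cycle counter (constructed; stands in for the hardware clock
 * that current_time() would read in a real kernel). */
static uint64_t sim_now;
static uint64_t current_time(void) { return sim_now; }
static void spend(uint64_t cycles) { sim_now += cycles; }

/* Model of on-core state left behind by the previous domain: a small array
 * of lines, some dirty. Flushing costs more the dirtier it is; that is the
 * history dependence step 5 must hide. Costs are assumed toy values. */
#define NLINES 64
static struct { uint64_t tag; int dirty; } core_state[NLINES];

/* Let the "previous domain" dirty n lines before a switch. */
static void dirty_lines(unsigned n)
{
    for (unsigned i = 0; i < n && i < NLINES; i++) {
        core_state[i].tag = 0xdeadbeef;
        core_state[i].dirty = 1;
    }
}

static void flush_core_state(void)
{
    for (unsigned i = 0; i < NLINES; i++) {
        spend(core_state[i].dirty ? 40 : 1);   /* write-back vs. drop */
        core_state[i].tag = 0;
        core_state[i].dirty = 0;
    }
}

/* Unpadded switch: steps 1-4, 6 and 7 only. Its latency reveals how much
 * state the previous domain dirtied. */
static uint64_t unpadded_switch(void)
{
    uint64_t t0 = current_time();
    spend(200);            /* switch user context (fixed cost) */
    flush_core_state();    /* history-dependent cost */
    spend(100);            /* touch code/data needed for return */
    spend(50);             /* reprogram timer */
    return current_time() - t0;
}

/* Padded switch: the slide's steps 1-7 with a given WCET bound for steps
 * 2-4. Returns the latency seen by the incoming domain, or 0 if the bound
 * was exceeded (the bound is wrong and must not be trusted silently). */
static uint64_t padded_switch(uint64_t wcet)
{
    uint64_t t0 = current_time();                 /* 1 */
    spend(200);                                   /* 2: switch user context */
    flush_core_state();                           /* 3: flush on-core state */
    spend(100);                                   /* 4: touch return path */
    if (current_time() > t0 + wcet)
        return 0;                                 /* bound violated */
    while (current_time() < t0 + wcet)            /* 5: pad to the bound */
        spend(1);
    spend(50);                                    /* 6: reprogram timer */
    return current_time() - t0;                   /* 7: return */
}

int main(void)
{
    unsigned histories[] = { 0, 8, 64 };
    for (unsigned k = 0; k < 3; k++) {
        dirty_lines(histories[k]);
        uint64_t u = unpadded_switch();
        dirty_lines(histories[k]);
        uint64_t p = padded_switch(5000);
        printf("%2u dirty lines: unpadded %4llu cycles, padded %4llu cycles\n",
               histories[k], (unsigned long long)u, (unsigned long long)p);
    }
    return 0;
}
```

With the toy costs the unpadded latency varies from a few hundred to a few thousand cycles depending on the previous domain, while the padded latency is the same constant for every history. On real hardware the padding loop spins on the cycle counter and the WCET has to come from a sound bound on the flush path, which is why the contract section below demands flush mechanisms of constant or specified, bounded latency.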

#### Partition Caches: Page Colouring




Exploit associative cache lookup:

- Particular address maps to specific cache subset, called cache colour
- # colours = cache size / (page size \* associativity)
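The colour arithmetic above, carried through as an added C example (written for this page, not seL4's allocator). It computes the number of colours from the slide's formula, derives the colour of a physical page from the set-index bits that lie above the page offset, and checks by brute force over every line of two pages whether they can ever collide in a cache set. A toy `domain_t` allocator then hands each security domain only frames of its own colours; `domains_isolated()` verifies that two domains with disjoint colour sets never share a set, and that overlapping colour sets do collide. The cache geometry (2 MiB, 16-way, 64-byte lines, 4 KiB pages) and the 32 KiB 8-way L1 used for contrast are assumed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed cache geometry (assumed for illustration, not from the slides):
 * a 2 MiB, 16-way set-associative cache with 64-byte lines and 4 KiB pages. */
#define CACHE_SIZE (2u * 1024u * 1024u)
#define CACHE_WAYS 16u
#define LINE_SIZE  64u
#define PAGE_SIZE  4096u

/* Number of colours, as on the slide: cache size / (page size * associativity).
 * A result of 1 means the cache cannot be partitioned by page colouring. */
static unsigned num_colours(unsigned cache_size, unsigned page_size, unsigned ways)
{
    return cache_size / (page_size * ways);
}

/* Cache set of a physical address: the address bits just above the line offset. */
static unsigned cache_set(uint64_t paddr, unsigned cache_size, unsigned line_size,
                          unsigned ways)
{
    unsigned sets = cache_size / (line_size * ways);
    return (unsigned)((paddr / line_size) % sets);
}

/* Colour of a physical page: the set-index bits above the page offset, i.e.
 * the part of the set index the OS controls by choosing the frame. */
static unsigned page_colour(uint64_t paddr, unsigned cache_size, unsigned page_size,
                            unsigned ways)
{
    return (unsigned)((paddr / page_size) % num_colours(cache_size, page_size, ways));
}

/* Brute-force check over every pair of lines: can the two pages ever occupy
 * the same cache set? Uses the constructed geometry above. */
static int pages_share_set(uint64_t pa, uint64_t pb)
{
    unsigned lines = PAGE_SIZE / LINE_SIZE;
    for (unsigned i = 0; i < lines; i++)
        for (unsigned j = 0; j < lines; j++)
            if (cache_set(pa + i * LINE_SIZE, CACHE_SIZE, LINE_SIZE, CACHE_WAYS) ==
                cache_set(pb + j * LINE_SIZE, CACHE_SIZE, LINE_SIZE, CACHE_WAYS))
                return 1;
    return 0;
}

/* Toy frame allocator (hypothetical, not seL4's): a security domain owns
 * colours [lo, hi) and is only ever handed frames of those colours. */
typedef struct { unsigned lo, hi; uint64_t next_frame; } domain_t;

static uint64_t alloc_frame(domain_t *d)
{
    for (;;) {
        uint64_t paddr = d->next_frame++ * PAGE_SIZE;
        unsigned c = page_colour(paddr, CACHE_SIZE, PAGE_SIZE, CACHE_WAYS);
        if (c >= d->lo && c < d->hi)
            return paddr;
    }
}

/* Property the partitioning must guarantee: no frame of domain 1 shares a
 * cache set with any frame of domain 2. Checks the first n frames (n <= 32)
 * of each domain; returns 1 if the domains are isolated, 0 otherwise. */
static int domains_isolated(unsigned lo1, unsigned hi1, unsigned lo2, unsigned hi2,
                            unsigned n)
{
    uint64_t a[32], b[32];
    domain_t d1 = { lo1, hi1, 0 }, d2 = { lo2, hi2, 0 };
    if (n > 32) n = 32;
    for (unsigned i = 0; i < n; i++) {
        a[i] = alloc_frame(&d1);
        b[i] = alloc_frame(&d2);
    }
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = 0; j < n; j++)
            if (pages_share_set(a[i], b[j]))
                return 0;
    return 1;
}

int main(void)
{
    unsigned nc = num_colours(CACHE_SIZE, PAGE_SIZE, CACHE_WAYS);
    printf("%u colours; a 32 KiB 8-way L1 has %u (cannot be partitioned)\n",
           nc, num_colours(32768u, PAGE_SIZE, 8u));
    printf("disjoint colour sets isolated: %d\n", domains_isolated(0, nc / 2, nc / 2, nc, 32));
    printf("overlapping colour sets isolated: %d\n", domains_isolated(0, 16, 8, 24, 32));
    return 0;
}
```

The L1 case is the point of the slide that follows: with 32 KiB, 8 ways and 4 KiB pages the formula yields a single colour, so the OS has no frame choice that separates domains and that cache can only be flushed, not partitioned.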



#### seL4 Testbed: seL4 Microkernel

seL4: the world's only operating-system kernel with provable security enforcement (incl. memory protection)

seL4: the world's only protected-mode OS with complete, sound timeliness analysis

seL4: the world's fastest microkernel

17 | seL4 | FMATS Cambridge | Sep'18



#### seL4 Security Proof Chain






#### seL4 Memory Management Model













# Reality Check: Resetting On-Core State

#### **Evaluating Intra-Core Channels**




Mitigation on Intel and Arm processors:

- Disable data prefetcher (just to be sure)
- On context switch, perform all architected flush operations:
  - Intel: wbinvd + invpcid (no targeted L1-cache flush supported!)
  - Arm: DCCISW + ICIALLU + TLBIALL + BPIALL




### Methodology: Channel Matrix











#### **HiSilicon A53 Branch History Buffer**




#### **Intel Spectre Defences**



https://ts.data61.csiro.au/projects/TS/timingchannels/arch-mitigation.pml



### **Requirements on Hardware**

#### Hardware-Software Contract: ISA



- The ISA is a purely operational contract
  - sufficient to ensure *functional correctness*
  - abstracts away time
  - insufficient for ensuring either timing safety or security
- For security need an abstraction of microarchitectural state
  - essential for letting OS provide time protection

### New HW/SW Contract: aISA



#### Augmented ISA supporting time protection

For all shared microarchitectural resources:

- 1. Resource must be partitionable or resettable
- 2. Concurrently shared resource must be partitioned
- 3. Resource accessed solely by virtual address must be reset and not concurrently accessed
  - Implies cannot share HW threads across security domains!
- 4. Mechanisms must be sufficiently specified for OS to partition or reset
  - Must be constant time or of specified, bounded latency
- 5. OS must know if resettable state is derived from data, instructions, data addresses or instruction addresses


#### **Cost of Reset**

- Flushing on-core state is not a performance issue:
  - no cost when not used
  - direct flush cost for a dirty L1-D cache should be in the order of  $1\mu s$
  - direct flush cost for everything else in the order of 100 cycles
  - indirect cost is negligible if used on security-partition switch
    - e.g. VM switch at a 10–100 Hz rate
    - no hot data left in the cache after the other partition's execution anyway
- Hardware support (e.g. a targeted L1 flush) is essential!



#### Summary



- Timing channels are a mainstream security threat
- They are based on competition for shared hardware
- Prevention through OS-enforced time protection
  - OS must prevent sharing by partitioning or flushing
- The shared hardware is hidden by the ISA, the present HW-SW contract
  - OS cannot systematically prevent timing channels based on ISA
- Need a new, security-oriented contract, the aISA
  - aISA must expose enough microarchitecture for OS to enforce time protection

# Thank You

**Gernot Heiser** 


gernot.heiser@data61.csiro.au | @GernotHeiser

https://trustworthy.systems

