Software-Observable SC Beyond Resource Contention Flashcards
What is scatter-gathering (interleaving)?
A defense against cache SC. Re-lays out blocks in memory so that accesses to different table entries hit the same cache sets. All blocks are accessed in the same order.
Is scatter-gathering unbreakable?
No, it can be broken with speculation-based attacks
Approach to speculation-based attacks
- Pick traditional SC attack (not speculation based)
- Pick a victim that is protected against that attack
- Set things up so that the victim will leak sensitive data from speculation tables
- Use regular SC to recover that information
Describe Spectre (Variant 2)
- Used Prime-and-Probe-like shared cache SC
- Victim RSA with scatter-gather
- Train branch-predictor so that it loads from memory based on a wval-based address
- Use Prime and Probe to recover
How to train branch predictor (Spectre V2)
- If the secret is stored in R1, make the victim program speculatively start executing at an address that uses R1 to access memory
- Can then use a cache SC to tell which memory was accessed ==> can figure out what value was in R1 ==> now know the secret
Describe Spectre (Variant 1)
Use branch direction predictor (T/NT) to skip bounds checks
Describe Meltdown
- Uses speculation shadow from page fault exceptions
- Load from an address that is supposed to be accessible only to the OS
- Data is loaded speculatively before a fault occurs
- Subsequent loads put some of that data in the cache
- Fault is processed
- Can then use a cache SC to retrieve it
Why are resource management SC dangerous?
Don’t need access to other programs!! OS will tell you information about the system for free or your program can measure its own performance on the target resource
Describe a clock frequency SC
- Processor has different ‘power states’ = (freq, voltage) in order to maximize performance (do not always need to be operating at peak performance)
- Two malicious apps that are not supposed to communicate with each other can
- One transmits information by switching between idle and not-idle (0 or 1), which changes the clock frequency
- Other program receives information by measuring clock frequency or reading it from the OS
What are some benevolent uses for resource management SCs?
- Use SC information to determine what is executing on a system (which apps) and if they should be
- Monitor performance to detect malware => can see power usage over time in phone battery and compare to what should be running on the device