Software-Observable SC Beyond Resource Contention

Question 1

What is scatter-gathering (interleaving)?

Answer 1

A defense against cache SC. Relays blocks in memory so that accesses to different table entries hit the same cache sets. All blocks are accessed in the same order

Question 2

Is scatter-gathering unbreakable?

Answer 2

No, can be broken with speculation based attacks

Question 3

approach to speculation based attacks

Answer 3

• Pick traditional SC attack (not speculation based)
• Pick a victim that is protected against that attack
• Set things up so that the victim will leak sensitive data from speculation tables
• Use regular SC to recover that information

Question 4

describe Spectre (Variant 2)

Answer 4

• Used Prime-and-Probe-like shared cache SC
• Victim RSA with scatter-gather
• Train branch-predictor so that it loads from memory based on a wval-based address
• Use Prime and Probe to recover

Question 5

how to train branch predictor (Spectre V2)

Answer 5

• if secret is stored in R1, make victim program speculatively start executing at an address that uses R1 to access memory
• Can then use a cache SC to tell which memory was accessed ==> can figure out what value was in R1 ==> now know the secret

Question 6

describe Spectre (Variant 1)

Answer 6

Use branch direction predictor (T/NT) to skip bounds checks

Question 7

describe Meltdown

Answer 7

• Uses speculation shadow from page fault exceptions
• Load from an address that is supposed to be accessible only to the OS
• Data is loaded speculative before a fault occurs
• Subsequent loads put some of that data in the cache
• Fault is processed
• Can then use a cache SC to retrieve it

Question 8

Why are resource management SC dangerous?

Answer 8

Don’t need access to other programs!! OS will tell you information about the system for free or your program can measure its own performance on the target resource

Question 9

Describe a clock frequency SC

Answer 9

• Processor has different ‘power states’ = (freq, voltage) in order to maximize performance (do not always need to be operating at peak performance)
• Two malicious apps that are not supposed to communicate with each other can
• One transmits information by switching between idle and not-idle (0 or 1), which changes the clock frequency
• Other program receives information by measuring clock frequency or reading it from the OS

Question 10

What are some benevolent uses for resource management SCs?

Answer 10

• Use SC information to determine what is executing on a system (which apps) and if they should be
• Monitor performance to detect malware => can see power usage over time in phone battery and compare to what should be running on the device