



Xpl0it

by pietroborrello

inspired by: [CPU Introspection: Intel Load Port Snooping]





observe instructions executed





observe instructions executed









observe http interactions









observe http interactions











observe http interactions

observe network packets

observe instructions executed





















#### add qword ptr [rax], rbx $\Rightarrow$ Reg<sub>A</sub>, Reg<sub>B</sub>, Load<sub>A</sub>, Add, Store<sub>A</sub>





#### Modern CPUs are: broken



#### Meltdown, Spectre, Foreshadow, MDS, ...





### Modern CPUs are: undocumented



What do CPUs do:

- during speculation
- during out of order execution
- during microcode assists
- during faulting operations
- during *normal execution*



### Modern CPUs are: undocumented



What do CPUs do:

- during speculation
- during out of order execution
- during microcode assists
- during faulting operations
- during normal execution





Lack of precise CPU introspection utilities



# Modern CPUs may improve



How to find CPU vulnerabilities?

How to understand inner CPU behavior?



# Modern CPUs may improve



How to find CPU vulnerabilities?

How to understand inner CPU behavior?

Let's leverage CPU vulnerabilities!



# Microarchitectural Data Sampling <sup>(RRoman</sup> Xp10it







# Microarchitectural Data Sampling

- Cause a fault during a memory load which requires a microcode assist 1.
- 2. New data will not be loaded, so the previous value that was filled in the LFB entry (or in the load port) remains unchanged
- Access the data transiently and leak it through a side channel 3.
- 1. char array[256 \* 4096]
- flush all array cache lines 2. for(i = 0; i < 256; i++)2.
- 3. X = \*(char \*)(ptr)
- 4. tmp = array[X \* 4096]

```
1. handle SIGSEGV
```

measureTime(array[i\*4096])

3. The index with fastest access corresponds to X





 $\Rightarrow$  We can observe *any data* is passing through the CPU





 $\Rightarrow$  We can observe *any data* is passing through the CPU

<u>any data</u>





 $\Rightarrow$  We can observe *any data* is passing through the CPU

- <u>any data</u>
  - data loaded speculatively





⇒ We can observe *any data* is passing through the CPU

- <u>any data</u>
  - data loaded speculatively
  - data loaded by microcode assists



# Microarchitectural Data Sampling KRomar

So we are able to leak stale data recently transferred in the CPU by sibling threads

 $\Rightarrow$  We can observe *any data* is passing through the CPU

- <u>any data</u>
  - data loaded speculatively
  - data loaded by microcode assists
  - data loaded by faulting instructions





⇒ We can observe *any data* is passing through the CPU

- <u>any data</u>
  - data loaded speculatively
  - data loaded by microcode assists
  - data loaded by faulting instructions

What : 🗸





⇒ We can observe *any data* is passing through the CPU

- <u>any data</u>
  - data loaded speculatively
  - data loaded by microcode assists
  - data loaded by faulting instructions

WHAT : 🗸 When: 🗡



# Timing inference



We leak the data we are interested in:

 $\Rightarrow$  We know what data the CPU is actually using, but still not its order

|        | 0      |        |
|--------|--------|--------|
| 0xbd09 | 0xe4e7 | 0xbd09 |
| 0x4143 | 0x4143 | 0x4036 |
| 0xf178 | 0xbd09 | 0xf178 |
| 0xe4e7 | 0x4036 | 0xe4e7 |
| 0x4036 | 0xf178 | 0x4143 |
|        |        |        |
|        |        |        |
|        |        |        |



# Timing inference



We leak the data we are interested in:

 $\Rightarrow$  We know what data the CPU is actually using, but still not its order

| 0xbd09 | 0xe4e7 | 0xbd09 |
|--------|--------|--------|
| 0x4143 | 0x4143 | 0x4036 |
| 0xf178 | 0xbd09 | 0xf178 |
| 0xe4e7 | 0x4036 | 0xe4e7 |
| 0x4036 | 0xf178 | 0x4143 |
|        |        |        |
|        |        |        |
|        |        |        |

Use statistics!





























#### Monitoring core

- 1. setup attack
- 2. wait i clock cycles
- i. mds attack



#### Victim Core

- 2. execute actions
  uop...
  uop...
  - uop...
  - uop...
  - uop...













leaks: (i: 100, 0x1337)













leaks: (i: 100, 0x1337)
 (i: 71, 0xcafe)
 (i: 28, 0x1234)


### Core synchronization





leaks: (i: 100, 0x1337)
 (i: 71, 0xcafe)
 (i: 00, 0x1337)

- (i: 28, 0x1234)
- (i: 116, 0x1337)



### Core synchronization





leaks: (i: 100, 0x1337)

- (i: 71, 0xcafe)
- (i: 28, 0x1234)
- (i: 116, 0x1337)
- (i: 35, 0x1234)



#### Core synchronization





leaks: (i: 100, 0x1337)

- (i: 71, 0xcafe)
- (i: 28, 0x1234)
- (i: 116, 0x1337)
- (i: 35, 0x1234) ... millions of tries



Data analysis



(i: 30, 0x1234) leaks: (i: 100, 0x1337) (i: 71, 0xcafe) (i: 104, 0x1337) (i: 28, 0x1234) (i: 116, 0x1337) (i: 116, 0x1337) (i: 71, 0xcafe) (i: 35, 0x1234) (i: 68, 0xcafe) (i: 104, 0x1337) (i: 35, 0x1234) (i: 68, 0xcafe) (i: 28, 0x1234) (i: 38, 0x1234) (i: 38, 0x1234) (i: 98, 0x1337) (i: 105, 0x1337) (i: 40, 0x1234) (i: 40, 0x1234) (i: 105, 0x1337) (i: 121, 0x1337) (i: 70, 0xcafe) (i: 98, 0x1337) (i: 100, 0x1337) (i: 68, 0xcafe) (i: 121, 0x1337) (i: 68, 0xcafe) (i: 30, 0x1234) (i: 70, 0xcafe)

| (i: | 70,  | 0xcafe)  |
|-----|------|----------|
| (i: | 38,  | 0x1234)  |
| (i: | 68,  | 0xcafe)  |
| (i: | 35,  | 0x1234)  |
| (i: | 65,  | 0xcafe)  |
| (i: | 98,  | 0x1337)  |
| (i: | 71,  | 0xcafe)  |
| (i: | 28,  | 0x1234)  |
| (i: | 109, | 0x1337)  |
| (i: | 116, | 0x1337)  |
| (i: | 40,  | 0x1234)  |
| (i: | 100, | 0x1337)  |
| (i: | 30,  | 0x1234)  |
| (i: | 121, | 0x1337)  |
| (i: | 104, | 0x1337). |





























#### And now what?



We can precisely sequence what do load ports contain:

- during speculation
- during out of order execution
- during microcode assists
- during faulting operations

What : 🗸 When: 🗸





#### And now what?



We can precisely sequence what do load ports contain:

- during speculation
- during out of order execution
- during microcode assists
- during faulting operations

What : 🗸 When: 🗸

Let's see some examples!





Spectre attack



The CPU executes predicted instructions transiently

 $\Rightarrow$  There is a small window of instructions that shouldn't be executed, due to misprediction

• CPU may execute unexpected instructions on unexpected data

for (i = 0; i < len(array); i++) {
y += array[i]; // 0xaaaa</pre>





# Spectre attack







## CPU Reordering



The CPU may reorder instructions that are not ready to execute

- 1. a = uncached\_address[0];// 0x1111
- 2. b = cached\_address[0]; // 0x2222
- 3. c = cached\_address[1]; // 0x3333

Line 2 and 3 may execute before line 1



#### CPU Reordering







Processor Faults



CPU exceptions are enforced lazily:

⇒ After a faulty instruction, there is a small window of instructions that are still executed

1. a = **\*(**NULL);

3. c = array[1];

Even if instruction 1 generates a fault, instructions 2 and 3 are still executed transiently





## Processor Faults









There are different cases where the CPU automatically dispatches additional micro operations to be executed to deal with complex situations.

e.g. Page Table Updates:

a = \*never\_accessed\_page;



 $\Rightarrow$  the Page Table must be updated to set the *accessed* bit:



#### Microcode Assists











#### Questions?