Security has recently emerged as a first-class design consideration and an active research area in computer architecture community, with most top-tier conferences dedicating one or more sessions to security topics. Best Paper Awards at two most recent MICRO conferences went to security papers. The purpose of this blog post is to help researchers who are new to the security field orient themselves in the deluge of topics, threat models, and attack vectors. For now, we will focus on three attack vectors: transient execution attacks, code reuse attacks and rowhammer attacks. In subsequent posts, we will describe other attack vectors, delve deeper into attack mechanics and discuss recent attack papers from top security conferences.
Systems security research is driven by threat models and comes in the form of offensive and defensive research, where new attacks and defense mechanisms are investigated respectively. Previous CAT blog posts extensively discussed the value and ethical implications of offensive research – in short, it is important. However, most of the research works in the architecture community are focused on defense mechanisms. Indeed, opening up the possibility of changes to instruction sets and microarchitectures to support security in the environment with ever-increasing attack space, creates an opportunity for our community to thwart many classes of attacks in a more robust and performance-friendly manner compared to purely software-based mitigations. It is paramount to understand the space of current attacks to decide what problems to address with the most impact.
While it is enlightening to see papers in our conferences presenting new attack vectors to the architecture community that spearhead subsequent works on defenses, most offensive research is published in security conferences. Therefore, architects working on security topics would greatly benefit from reading not just the proceedings of architecture conferences, but also security conferences, in particular focusing on attack papers and thinking about how hardware and architecture can possibly play a role in stopping these attacks. The top four security conferences are IEEE Security and Privacy (aka Oakland), USENIX Security Symposium, ACM CCS, and NDSS. Most of these conferences have several yearly deadlines, and newly accepted papers continue to appear on their websites throughout the year. Other strong security conferences include RAID, ESORICS, ACSAC, ASIACCS, DIMVA and WOOT (workshop on offensive technologies held with USENIX Security Symposium).
Transient Execution Attacks and Side-channels. Defense from side-channel attacks has been a subject of research in our community since 2007, when the first paper on this topic appeared in ISCA. Attacks themselves were continuously evolving, with most papers published in top security venues. Many attack variations, primarily targeting caches (including shared last-level caches), have been proposed. The race between attacks and defenses have been slowly progressing with limited impact until well-publicized Meltdown and Spectre attacks challenged foundations of modern out-of-order architectures. Using well-developed cache attack as a building block, these new exploitations demonstrated how microarchitectural side-effects of misspeculated instructions can be used to leak sensitive information through a covert channel.
Meltdown exploits delayed recognition of an exception in some processors, allowing information leakage from speculatively executed instructions during that time. Spectre, on the other hand, is performed by poisoning the branch predictor and forcing the victim process to speculatively execute gadgets that leak secrets. Many variations of Spectre attacks have been proposed, including the ones that abuse return stack buffer, instead of branch predictor. These so-called transient execution attacks have been widely disclosed in the literature, including coverage in this blog. A thorough classification of these attacks is presented in this paper from USENIX Security’19. The industry and architecture research community responded in force to this new threat with multiple papers appearing on this topic in almost every recent architecture conference. During last year, several new transient execution attack variations emerged. Specifically, microarchitectural data sampling (MDS) attacks leak arbitrary in-flight data directly from internal CPU buffers, including line fill buffers, load ports and store buffers. Importantly, these attacks can leak data that was never brought into the CPU caches, unlike original Meltdown and Spectre attacks. Variations of these attacks include RIDL (S&P’19), Fallout (CCS’19) and ZombieLoad (CCS’19). Load Value Injection (LVI) attack (S&P’20) relies on injecting attacker’s data through hidden processor buffers into a victim program and forcing legitimate victim’s execution to speculatively compute on poisoned data to leak secrets. This attack bypasses all current mitigations for Spectre and Meltdown. There is an opportunity for computer architects to take a closer look at these attacks and develop efficient and low-overhead mitigations.
Code Reuse Attacks. While most of the recent attention was focused on transient execution attacks and side channels, other forms of attacks have also been a subject of active research in the security community. Code reuse attacks (CRAs) represent one such vector. Since modern memory protection mechanisms inhibit direct code injection attacks, the idea of a CRA is to compose a malicious code by stitching together pieces of existing library code without code injection. All the attacker has to do is to find a buffer overflow vulnerability in the target program and inject the starting addresses of gadgets onto the stack. The key is how to connect these gadgets to form a meaningful exploit. Return-Oriented Programming (ROP) attacks connect gadgets via return instructions, such that each gadget ends with a return, bringing the control back to the starting address of the next gadget that was injected. ROP attacks can be mitigated by matching call-return pairs, so more advanced attack variations recently emerged. Jump-Oriented Programming attacks connect gadgets using indirect jumps instead of returns, bypassing ROP defenses. A special dispatcher gadget is used to orchestrate the control flow and direct execution to functional gadgets.
A well-studied defense mechanism against these attacks is based on the concept of control flow integrity (CFI), which enforces that the program execution adheres to the control flow graph, thus inhibiting execution of malicious gadgets. Counterfeit Object-Oriented Programming (S&P’15) implements malicious behavior by only using chains of existing C++ virtual functions through legitimate call sites, thus bypassing many existing defenses. Block-Oriented Programming (CCS’18) is an even newer technique that uses entire basic blocks as gadgets along valid execution path in a program, thus bypassing defenses that rely on CFI or shadow stacks. All of these attacks have shown to be Turing-complete, so arbitrary malicious execution can be accomplished on many modern architectures. Some of these attacks can in fact be quite simple and short – a few gadgets can be enough to disable memory protection, thus re-enabling code injection capabilities. Again, there is a space for computer architects to delve into these types of attacks to offer hardware-supported mitigations.
Rowhammer Attacks. Rowhammer is one attack example that was introduced in an ISCA paper. The key idea is that it is possible to flip bits in DRAM without accessing them by performing multiple accesses to the neighboring rows. Subsequent works exploited this vulnerability for various types of attacks across security boundaries, resulting in privilege escalation on kernels and hypervisors (by targeted bit flips in page tables), sandbox escapes and denial-of-service attacks. Some of the threats of rowhammer can be addressed by memory integrity checking and ECC bits. A recent RAMBleed paper (S&P’20) demonstrated that even rowhammer bit flips within its own memory can have security implications. Specifically, the attacker can exploit data dependence between the induced bit flips in its own memory and bits in neighboring rows, therefore deducing those bits that potentially belong to other processes and the kernel. This attack works even in the presence of ECC bits.
Summary: It is important for hardware and architecture security researchers to understand state-of-the-art of modern attacks; most of these are published in security conferences. In this post, we provided pointers to some recent attacks to encourage further exploration and architectural solutions.
About the author: Dmitry Ponomarev is a Professor of Computer Science at Binghamton University. His research interests are in computer architecture, with a recent emphasis on security.
Disclaimer: These posts are written by individual contributors to share their thoughts on the Computer Architecture Today blog for the benefit of the community. Any views or opinions represented in this blog are personal, belong solely to the blog author and do not represent those of ACM SIGARCH or its parent organization, ACM.