Ghosts in a Nutshell

Presented at Black Hat Asia 2019, March 29, 2019, 2:15 p.m. (60 minutes)

At the beginning of 2018, two severe attacks, called Meltdown and Spectre, were published. These attacks exploit the fact that the CPU either lazily enforces exceptions or speculates on the outcome of branch predictions or data dependencies. While the results of those computations are never made visible on the architectural level, secret data can still leak on the microarchitectural level and be observed by an attacker.

Since then, many different versions of these attacks have been found by various research teams around the world, e.g., Spectre Variant 1, Spectre Variant 2, Variant 4, Meltdown, Foreshadow, Foreshadow-NG, LazyFP. Due to the confusing naming scheme and the large number of papers and articles published, it has quickly become difficult to differentiate them all. Additionally, researchers, as well as companies, have proposed various countermeasures to mitigate these attacks, making it even more confusing and difficult to keep a clear overview of the current state.

Many of the proposed mitigation techniques involve substantial overhead, basically reducing the processing power of modern CPUs. With all these defences, one question remains: Do they actually work or are they just reducing the performance of our CPUs? Did the operating system implement them correctly? Is everything fixed now or are there even more variants that have so far been overlooked?

In this talk, we will discuss all existing variants and introduce a newer, easier-to-understand naming scheme based on the microarchitectural element the attacks exploit. We will discuss all mitigation techniques proposed so far and classify them based on how they attempt to stop leakage. We will also discuss which of those mitigations work in practice and which ones we were able to circumvent with our experiments. We will present new variants of Meltdown and Spectre attacks that have not been published so far and which we were able to discover due to our systematisation.


Presenters:

  • Moritz Lipp - PhD Student, Graz University of Technology
    Moritz Lipp is a researcher in information security at Graz University of Technology. He is pursuing his PhD with a strong focus on microarchitectural side-channel attacks on personal computers and mobile devices at the Institute of Applied Information Processing and Communications. His research has been published at top academic conferences and presented at different venues around the world.
  • Claudio Canella - PhD Student, Graz University of Technology
    Claudio Canella is an InfoSec PhD student at Graz University of Technology. His research focuses on microarchitectural side-channel attacks and system security. He has obtained a master's degree in computer security at the University of Innsbruck.
