blog/content/posts/1-spectre-attacks-exploitin...

5.5 KiB
Raw Blame History

+++ date = 2021-10-30T07:19:36Z description = "" draft = false slug = "1-spectre-attacks-exploiting-peculative-execution" title = "Spectre Attacks: Exploiting Speculative Execution"

+++

The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. The CPU controls four main functions: memory, interpretation, computation, and control, which are based on the role of interpreting the commands of a given program to perform operations with data. In CPU, there are the program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register. Modern CPUs include cache memory or error correction devices for faster performance and more accurate computation.

The current CPU follows the Von-Neumann structure, which includes four functions: Fetch, Deocde, Execute, and Writeback. Ancient CPUs interpret instructions in order to convert data, which only can be slow. Modern CPUs speed up through out-of-order. Out-of-Order means that the CPU executes commands dynamically as the input data and execution units, rather than in a original order. This requires the cache memory as mentioned above, and uses Branch Prediction and Specific Memory Disambiguation, which results in Meltdown and Spectre vulnerabilities.

One day, I heard a news about Spectre and Meltdown Attack with my father. It said that it can affect within all of modern CPU manufactured in Intel, and also other companies. To defent that massive attack, we have to take a decrement of CPUs performance about half of entire CPU or more. Me and father thought that it is a big event that will effect the history of architecture of modern CPUs. And also will effect on the semiconductor development. After that day, I wanted to learn about the modern architecture of CPUs and basic operations of modern semiconductors. So I searched internet about it, read a university books to understand it, and also a paper written by many eminent researchers, like professor of KAIST and Samsung Semiconductor research center. After the days of learing CPUs, I finally read the paper of Spectre attack and Meltdown attack. It was hard for me to read, but I rarely can understand the way they found it. I also could understand how it works, and how to prevent it to happen. My knowledge about computer and semiconductors increased very fast after I read the entire paper. I can understand how CPU ultimately works, how to make a semiconductor, and also what I have to do to do what I want. Futhermore, I wanted to know the real of semiconductor design, manufacturing, and CPU designing. To learn that thing, I want to learn semiconductor professionally in universities.

Physical techniques and physically performed computations for improving and stabilizing the performance of modern CPUs often exhibit errors. Side-Channel attck aims to exploit vulnerabilities in these physical computational defects to obtain information that could not be obtained. Among these Side-Channel attacks, Spectre attack uses a buffer for Branch Prediction and Prediction History. This physical operation allows access to unacceptable memory. Branch prediction is a feature that improves execution performance by predicting true/false conditions when a processor executes code containing conditional statements such as if. When the processor encounters a conditional statement, it first predicts the outcome of the conditions it encounters, and first continues to execute the code based on the prediction. The processor calculates the results of the conditions while the code is running as predicted. When the results of the conditions are calculated, the processor verifies the results of the previously made predictions. If a prediction is previously correct, the execution continues and thus gains performance benefits. On the other hand, if the prediction is determined to be incorrect during execution as predicted, the result of the condition is returned to the predicted point and executed again. Spectre attack uses an attack method that allows an attacker with control flow to follow fragments of the machine language code of the targeted process and perform the desired task. An attacker discovers and executes parts of the target process that have the command he or she wants before returning. Since the attacker is free to change the control flow, changing the address of the return command to the address of the next instruction that the attacker wants to execute, even though the execution flow proceeds only within the target process.

There are two typical cases of Spectre discovered by researchers. Exploiting Conditional Branches and Bounds Check Bypass or Exploiting Indirect Branches and Branch Target Injection are known as Spectre attack. The way Bound Check Bypass work lies in the Speculative Execution by Branch Prediction. If there is an “if” or “while” statement in front of a code that causes Fault when accessed, the CPU is tricked into accessing data in the restricted area and stored in cache to allow this check to be checked. The value of the cache can then be determined using a time difference measurement to read the memory in the inaccessible zone. Branch Target Injection also uses Speculative Execution by Branch Prediction. If the attacker's precess repeats the branch to the location where the attack code, the code to be rejected, the location is stored in the Branch Target Buffer. The characteristic that all processes share the same Branch Target Buffer allows them to reject attack codes into the victim process.

Wikipedia / Spectre & Meltdown Original Paper