blog/public/posts/1-spectre-attacks-exploitin.../index.html

<!doctype html><html lang=en dir=auto><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Spectre Attacks: Exploiting Speculative Execution | Morgan's Blog</title><meta name=keywords content><meta name=description content="The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. The CPU controls four main functions: memory, interpretation, computation, and control, which are based on the role of interpreting the commands of a given program to perform operations with data. In CPU, there are the program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register."><meta name=author content="Me"><link rel=canonical href=http://blog.morgan.kr/posts/1-spectre-attacks-exploiting-peculative-execution/><meta name=google-site-verification content="XYZabc"><meta name=yandex-verification content="XYZabc"><meta name=msvalidate.01 content="XYZabc"><link crossorigin=anonymous href=/assets/css/stylesheet.31527a12923607f33c1cac9636a2fa755f6ade7c55866bdb96e44c6bcaf6cfbb.css integrity="sha256-MVJ6EpI2B/M8HKyWNqL6dV9q3nxVhmvbluRMa8r2z7s=" rel="preload stylesheet" as=style><script defer crossorigin=anonymous src=/assets/js/highlight.f413e19d0714851f6474e7ee9632408e58ac146fbdbe62747134bea2fa3415e0.js integrity="sha256-9BPhnQcUhR9kdOfuljJAjlisFG+9vmJ0cTS+ovo0FeA=" onload=hljs.initHighlightingOnLoad()></script>
<link rel=icon href=https://blog.morgan.kr/favicon.ico><link rel=icon type=image/png sizes=16x16 href=http://blog.morgan.kr/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=http://blog.morgan.kr/favicon-32x32.png><link rel=apple-touch-icon href=https://blog.morgan.kr/favicon.ico><link rel=mask-icon href=https://blog.morgan.kr/favicon.ico><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style><style>@media(prefers-color-scheme:dark){:root{--theme:rgb(29, 30, 32);--entry:rgb(46, 46, 51);--primary:rgb(218, 218, 219);--secondary:rgb(155, 156, 157);--tertiary:rgb(65, 66, 68);--content:rgb(196, 196, 197);--hljs-bg:rgb(46, 46, 51);--code-bg:rgb(55, 56, 62);--border:rgb(51, 51, 51)}.list{background:var(--theme)}.list:not(.dark)::-webkit-scrollbar-track{background:0 0}.list:not(.dark)::-webkit-scrollbar-thumb{border-color:var(--theme)}}</style></noscript><script type=application/javascript>var doNotTrack=!1;doNotTrack||(function(e,t,n,s,o,i,a){e.GoogleAnalyticsObject=o,e[o]=e[o]||function(){(e[o].q=e[o].q||[]).push(arguments)},e[o].l=1*new Date,i=t.createElement(n),a=t.getElementsByTagName(n)[0],i.async=1,i.src=s,a.parentNode.insertBefore(i,a)}(window,document,"script","https://www.google-analytics.com/analytics.js","ga"),ga("create","UA-123-45","auto"),ga("send","pageview"))</script><meta property="og:title" content="Spectre Attacks: Exploiting Speculative Execution"><meta property="og:description" content="The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. The CPU controls four main functions: memory, interpretation, computation, and control, which are based on the role of interpreting the commands of a given program to perform operations with data. 
In CPU, there are the program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register."><meta property="og:type" content="article"><meta property="og:url" content="http://blog.morgan.kr/posts/1-spectre-attacks-exploiting-peculative-execution/"><meta property="og:image" content="http://blog.morgan.kr"><meta property="article:section" content="posts"><meta property="article:published_time" content="2021-10-30T07:19:36+00:00"><meta property="article:modified_time" content="2021-10-30T07:19:36+00:00"><meta property="og:site_name" content="Morgan's Blog"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="http://blog.morgan.kr"><meta name=twitter:title content="Spectre Attacks: Exploiting Speculative Execution"><meta name=twitter:description content="The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. The CPU controls four main functions: memory, interpretation, computation, and control, which are based on the role of interpreting the commands of a given program to perform operations with data. In CPU, there are the program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Posts","item":"http://blog.morgan.kr/posts/"},{"@type":"ListItem","position":3,"name":"Spectre Attacks: Exploiting Speculative Execution","item":"http://blog.morgan.kr/posts/1-spectre-attacks-exploiting-peculative-execution/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Spectre Attacks: Exploiting Speculative Execution","name":"Spectre Attacks: Exploiting Speculative Execution","description":"The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. 
The CPU controls four main functions: memory, interpretation, computation, and control, which are based on the role of interpreting the commands of a given program to perform operations with data. In CPU, there are the program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register.","keywords":[],"articleBody":"The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. The CPU controls four main functions: memory, interpretation, computation, and control, all of which come from its role of interpreting the instructions of a given program and performing operations on data. Inside a CPU there are a program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register. Modern CPUs include cache memory or error correction devices for faster performance and more accurate computation.\nCurrent CPUs follow the Von Neumann structure, which includes four functions: Fetch, Decode, Execute, and Writeback. Older CPUs interpreted instructions in order as they processed data, which can only be slow. Modern CPUs speed up through out-of-order execution. Out-of-order means that the CPU executes instructions dynamically, as their input data and execution units become available, rather than in the original order. This requires the cache memory mentioned above, and uses Branch Prediction and Speculative Memory Disambiguation, which results in the Meltdown and Spectre vulnerabilities.\nOne day, I heard news about the Spectre and Meltdown attacks with my father. It said that they can affect all modern CPUs manufactured by Intel, and also by other companies. To defend against that massive attack, we have to accept a decrease in CPU performance of about half of the entire CPU or more. My father and I thought that it was a big event that will affect the history of the architecture of modern CPUs. It will also affect semiconductor development. 
After that day, I wanted to learn about the modern architecture of CPUs and the basic operations of modern semiconductors. So I searched the internet about it, read university books to understand it, and also read a paper written by many eminent researchers, such as professors at KAIST and the Samsung Semiconductor research center. After those days of learning about CPUs, I finally read the paper on the Spectre attack and the Meltdown attack. It was hard for me to read, but I could barely understand the way they found it. I could also understand how it works, and how to prevent it from happening. My knowledge of computers and semiconductors increased very fast after I read the entire paper. I can understand how a CPU ultimately works, how to make a semiconductor, and also what I have to do to do what I want. Furthermore, I wanted to know the reality of semiconductor design, manufacturing, and CPU design. To learn that, I want to study semiconductors professionally at university.\nThe physical techniques and physically performed computations that improve and stabilize the performance of modern CPUs often exhibit errors. A side-channel attack aims to exploit these physical computational defects to obtain information that could not otherwise be obtained. Among side-channel attacks, the Spectre attack uses the buffers for Branch Prediction and prediction history. This physical operation allows access to memory that should not be accessible. Branch prediction is a feature that improves execution performance by predicting whether a condition is true or false when a processor executes code containing conditional statements such as if. When the processor encounters a conditional statement, it first predicts the outcome of the condition and continues executing the code based on that prediction. The processor calculates the result of the condition while the code runs as predicted. Once the result is calculated, the processor verifies the prediction it made earlier. 
If the prediction was correct, execution continues and the processor gains the performance benefit. If, on the other hand, the prediction turns out to be incorrect while the predicted code is executing, the processor returns to the point of the prediction and executes again using the actual result of the condition. The Spectre attack uses an attack method that allows an attacker who controls the control flow to follow fragments of the machine code of the targeted process and perform the desired task. The attacker discovers and executes parts of the target process that contain the instruction he or she wants before a return. Because the attacker is free to change the control flow, the attacker changes the address of the return instruction to the address of the next instruction that he or she wants to execute, even though the execution flow proceeds only within the target process.\nResearchers discovered two typical cases of Spectre. Exploiting Conditional Branches (Bounds Check Bypass) and Exploiting Indirect Branches (Branch Target Injection) are the attacks known as Spectre. Bounds Check Bypass works through Speculative Execution driven by Branch Prediction. If an “if” or “while” statement guards code that would cause a fault when accessed, the CPU is tricked into accessing data in the restricted area while the check is still being evaluated, and the result is stored in the cache. The cached value can then be determined by measuring time differences, which reads the memory in the inaccessible zone. Branch Target Injection also uses Speculative Execution driven by Branch Prediction. If the attacker's process repeatedly branches to the location of the attack code, the code to be injected, that location is stored in the Branch Target Buffer. 
Because all processes share the same Branch Target Buffer, this allows the attacker to inject attack code into the victim process.\nWikipedia / Spectre \u0026 Meltdown Original Paper\n","wordCount":"864","inLanguage":"en","datePublished":"2021-10-30T07:19:36Z","dateModified":"2021-10-30T07:19:36Z","author":{"@type":"Person","name":"Me"},"mainEntityOfPage":{"@type":"WebPage","@id":"http://blog.morgan.kr/posts/1-spectre-attacks-exploiting-peculative-execution/"},"publisher":{"@type":"Organization","name":"Morgan's Blog","logo":{"@type":"ImageObject","url":"https://blog.morgan.kr/favicon.ico"}}}</script></head><body id=top><script>localStorage.getItem("pref-theme")==="dark"?document.body.classList.add("dark"):localStorage.getItem("pref-theme")==="light"?document.body.classList.remove("dark"):window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script><script type=text/x-mathjax-config>
MathJax.Hub.Config({
tex2jax: {
inlineMath: [['$','$'], ['\\(','\\)']],
displayMath: [['$$','$$']],
},
"HTML-CSS": {
scale: 80
},
});
</script><script src="//cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script><header class=header><nav class=nav><div class=logo><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=http://blog.morgan.kr/categories/ title=Categories><span>Categories</span></a></li><li><a href=http://blog.morgan.kr/tags/ title=Tags><span>Tags</span></a></li><li><a href=http://blog.morgan.kr/posts/ title=Posts><span>Posts</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=http://blog.morgan.kr>Home</a>&nbsp;»&nbsp;<a href=http://blog.morgan.kr/posts/>Posts</a></div><h1 class=post-title>Spectre Attacks: Exploiting Speculative Execution</h1><div class=post-meta><span title='2021-10-30 07:19:36 +0000 UTC'>October 30, 2021</span>&nbsp;·&nbsp;864 words&nbsp;·&nbsp;Me</div></header><div class=post-content><p>The Central Processing Unit (CPU) is a device that plays a major role as the brain of a computer. 
The CPU controls four main functions: memory, interpretation, computation, and control, all of which come from its role of interpreting the instructions of a given program and performing operations on data. Inside a CPU there are a program counter, a command register, an ALU (arithmetic logic unit), a control unit, a bus, and a register. Modern CPUs include cache memory or error correction devices for faster performance and more accurate computation.</p><p>Current CPUs follow the Von Neumann structure, which includes four functions: Fetch, Decode, Execute, and Writeback. Older CPUs interpreted instructions in order as they processed data, which can only be slow. Modern CPUs speed up through out-of-order execution. Out-of-order means that the CPU executes instructions dynamically, as their input data and execution units become available, rather than in the original order. This requires the cache memory mentioned above, and uses Branch Prediction and Speculative Memory Disambiguation, which results in the Meltdown and Spectre vulnerabilities.</p><p>One day, I heard news about the Spectre and Meltdown attacks with my father. It said that they can affect all modern CPUs manufactured by Intel, and also by other companies. To defend against that massive attack, we have to accept a decrease in CPU performance of about half of the entire CPU or more. My father and I thought that it was a big event that will affect the history of the architecture of modern CPUs. It will also affect semiconductor development. After that day, I wanted to learn about the modern architecture of CPUs and the basic operations of modern semiconductors. So I searched the internet about it, read university books to understand it, and also read a paper written by many eminent researchers, such as professors at KAIST and the Samsung Semiconductor research center. After those days of learning about CPUs, I finally read the paper on the Spectre attack and the Meltdown attack. It was hard for me to read, but I could barely understand the way they found it. 
I could also understand how it works, and how to prevent it from happening. My knowledge of computers and semiconductors increased very fast after I read the entire paper. I can understand how a CPU ultimately works, how to make a semiconductor, and also what I have to do to do what I want. Furthermore, I wanted to know the reality of semiconductor design, manufacturing, and CPU design. To learn that, I want to study semiconductors professionally at university.</p><p>The physical techniques and physically performed computations that improve and stabilize the performance of modern CPUs often exhibit errors. A side-channel attack aims to exploit these physical computational defects to obtain information that could not otherwise be obtained. Among side-channel attacks, the Spectre attack uses the buffers for Branch Prediction and prediction history. This physical operation allows access to memory that should not be accessible. Branch prediction is a feature that improves execution performance by predicting whether a condition is true or false when a processor executes code containing conditional statements such as if. When the processor encounters a conditional statement, it first predicts the outcome of the condition and continues executing the code based on that prediction. The processor calculates the result of the condition while the code runs as predicted. Once the result is calculated, the processor verifies the prediction it made earlier. If the prediction was correct, execution continues and the processor gains the performance benefit. If, on the other hand, the prediction turns out to be incorrect while the predicted code is executing, the processor returns to the point of the prediction and executes again using the actual result of the condition. The Spectre attack uses an attack method that allows an attacker who controls the control flow to follow fragments of the machine code of the targeted process and perform the desired task. 
The attacker discovers and executes parts of the target process that contain the instruction he or she wants before a return. Because the attacker is free to change the control flow, the attacker changes the address of the return instruction to the address of the next instruction that he or she wants to execute, even though the execution flow proceeds only within the target process.</p><p>Researchers discovered two typical cases of Spectre. Exploiting Conditional Branches (Bounds Check Bypass) and Exploiting Indirect Branches (Branch Target Injection) are the attacks known as Spectre. Bounds Check Bypass works through Speculative Execution driven by Branch Prediction. If an “if” or “while” statement guards code that would cause a fault when accessed, the CPU is tricked into accessing data in the restricted area while the check is still being evaluated, and the result is stored in the cache. The cached value can then be determined by measuring time differences, which reads the memory in the inaccessible zone. Branch Target Injection also uses Speculative Execution driven by Branch Prediction. If the attacker&rsquo;s process repeatedly branches to the location of the attack code, the code to be injected, that location is stored in the Branch Target Buffer. Because all processes share the same Branch Target Buffer, this allows the attacker to inject attack code into the victim process.</p><p>Wikipedia / Spectre & Meltdown Original Paper</p></div><footer class=post-footer><ul class=post-tags></ul><nav class=paginav><a class=prev href=http://blog.morgan.kr/posts/daehag-ibsiga-handangye-namassda/><span class=title>« Prev</span><br><span>Only one step of college admissions is left.</span></a>
<a class=next href=http://blog.morgan.kr/posts/jeonja-jeeoyi-segyein-mirae-geu-boanyi-wihyeob/><span class=title>Next »</span><br><span>The Future, a World of Electronic Control, and the Threat to Its Security</span></a></nav><br></footer></article></main><footer class=footer><span>&copy; 2023 <a href=http://blog.morgan.kr>Morgan's Blog</a></span>
<span>Powered by
<a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
<a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>
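The Bounds Check Bypass case described in the post, as an added example that is not code from the original post or from the Spectre paper: the bounds-checked lookup beside a hardened form that masks the index without a branch, so a mispredicted check cannot steer the load outside the array. The array names, sizes and function names are assumptions made for this example; the mask arithmetic follows the generic array_index_mask_nospec() in the Linux kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: every name and size here is an assumption. */
#define ARRAY1_SIZE 16
#define STRIDE 512 /* one probe slot per possible byte value */

static uint8_t array1[ARRAY1_SIZE] = {1, 2,  3,  4,  5,  6,  7,  8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];

/* Fill the probe array so that a lookup returns a checkable value. */
void setup(void) {
    for (size_t v = 0; v < 256; v++)
        array2[v * STRIDE] = (uint8_t)v;
}

/* Unhardened: the bounds check is a predicted branch. While it is still
 * unresolved, an out-of-range x can be used speculatively, and the byte
 * read from array1[x] selects which array2 cache line gets loaded. */
uint8_t lookup_unhardened(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Assumes size <= INTPTR_MAX and an arithmetic right shift. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t mask = (size_t)(~(intptr_t)(index | (size - 1 - index)) >>
                           (sizeof(intptr_t) * 8 - 1));
#if defined(__GNUC__)
    /* Hide the value from the optimizer so it cannot turn into a branch. */
    __asm__ volatile("" : "+r"(mask));
#endif
    return mask;
}

/* Index used for the load: unchanged in range, forced to 0 otherwise. */
size_t clamp_index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened: the load address depends on the mask by data flow, which the
 * branch predictor cannot skip, so speculation stays inside array1. */
uint8_t lookup_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

int main(void) {
    setup();
    printf("in range:     %u\n", (unsigned)lookup_hardened(3));
    printf("out of range: clamped index %zu\n",
           clamp_index_nospec(4096, ARRAY1_SIZE));
    return 0;
}
```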