Side-channel attacks: how to bypass processor security

Many will have heard of Spectre and Meltdown, which used side-channel attacks to undermine the security of processors, Intel's in particular. But why are they so dangerous, and why did they cause such a stir once they were discovered? Mainly because they attack the very foundations of modern processor architecture and the concept of speculative execution, which is essential to the evolution of CPU technology.

What Spectre and Meltdown exploit

Speculative execution is a technique used in processors to increase throughput, especially in the presence of instructions that depend on other, typically slower, units. In these cases the processor is able to proceed with executing the code out of order (that is, not sequentially), reconstructing the original flow only at the end. Sometimes, however, whether a piece of code executes depends on the evaluation of an expression: an IF statement, for example, may or may not cause a part of the program to run. The processor typically uses a dedicated unit (the branch predictor) that estimates whether that code will run; if the probability is high, the processor executes it in advance while the evaluation of the IF is still pending.

The logos of the two side-channel attacks Spectre and Meltdown: both exploit speculative execution to access protected portions of memory.

The problem arises when code that has already been executed speculatively is discarded because of an incorrect prediction: this is where so-called side-channel attacks come in. By timing accesses to the cache (a small but critically important portion of CPU memory that speeds up I/O operations) it is possible to determine which portion of memory was involved. The reason lies in the speed of the cache relative to main memory: probing the whole range of candidate addresses, the access time will be very low only for the memory page that has already been loaded. In other words, the data loaded speculatively and then discarded because of the wrong prediction is still in the cache; by measuring memory access times one obtains a cache hit (the content is present in the cache), visible as a clear reduction in access time.

(No longer) isolated address spaces

Spectre acts on the address spaces of applications: each program has its own address space, which does not coincide with those of other executables. This guarantees the isolation of programs, so that none interferes with the execution of the others. But Spectre is able to break the carefully designed separation put in place by processor manufacturers by inducing programs to access portions of memory not assigned to them. The impact is very high, since it becomes possible to work with data belonging to other programs, potentially highly personal data.

The architecture of the modern processor itself would need to be rethought to guarantee greater security against this type of attack.

Meltdown, by contrast, acts on the separation between user space and kernel space in the operating system. To access the latter memory area, the processor must run in privileged mode, since instructions executed in kernel space can affect the operation of the entire system. Thanks to speculative execution, Meltdown is able to obtain a complete dump of kernel memory, where many of the passwords we use are also stored. The biggest pitfall lies precisely in the way these attacks work: they exploit other channels (side channels) to undermine the security of the processors.

How to protect ourselves

Of course, the main processor manufacturers immediately ran for cover, releasing security patches that correct these unexpected behaviours. It should be stressed, however, that the problem is not really solved, since it is the entire processor architecture that is in crisis. Hence alternative lines of research are developing that seek to solve the problem at its root. One is confidential computing, a branch of security that grew out of the Linux Foundation consortium of the same name, which aims to create a protected execution environment. The idea is to grant access to the processor and memory only to authorized code, through an access-control mechanism implemented entirely in hardware.
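Whether those patches are actually active on a given machine can be checked on Linux, because the kernel reports its own mitigation status per vulnerability. The following POSIX shell script is an added example, not code from the original article: it reads the status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2 and others) and flags any entry still reported as Vulnerable. The function names and the directory argument (used to run the check against a constructed copy) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the Linux kernel's Spectre/Meltdown mitigation status.
# Each file under the sysfs directory below is named after a vulnerability
# (meltdown, spectre_v1, spectre_v2, ...) and holds one line such as
# "Mitigation: PTI", "Not affected" or "Vulnerable".

VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# Print one "name: status" line per entry. Returns 1 if at least one entry
# starts with "Vulnerable" (no mitigation active), 2 if the directory is
# missing (old kernel or sysfs not mounted), 0 otherwise.
# The optional first argument overrides the directory (assumption of this example).
check_mitigations() {
    dir="${1:-$VULN_DIR}"
    found_vulnerable=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability report at $dir" >&2
        return 2
    fi
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        name=$(basename "$entry")
        status=$(cat "$entry")
        case "$status" in
            Vulnerable*) found_vulnerable=1; echo "[!] $name: $status" ;;
            *)           echo "[ok] $name: $status" ;;
        esac
    done
    return "$found_vulnerable"
}

# Print only the number of entries still reported as Vulnerable.
count_vulnerable() {
    check_mitigations "$1" | grep -c '^\[!\]' || true
}

# Stand-alone use: run against the live system when the report exists.
if [ -d "$VULN_DIR" ]; then
    check_mitigations "$VULN_DIR" || echo "WARNING: unmitigated entries found" >&2
fi
```

A "Mitigation:" line means the kernel has a software workaround in place for that issue; "Not affected" means the CPU model does not need one.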

The technology is still embryonic but lends itself to many uses, especially securing the systems of large companies that handle extremely confidential data. The whole issue will certainly have to be monitored over time, to see whether new ways of exploiting the CPU architecture emerge and whether confidential computing takes hold and delivers greater security.

The article Side-Channel Attacks: How to Bypass Processor Security comes from Tech CuE | Close-up Engineering.