

December 8-10 | Virtual Event

### CONTRIBUTE. **COLLABORATE. COMMERCIALIZE.**



riscvsummit.com #RISCVSUMMIT




# Time Protection: Preventing Microarchitectural Timing Channels on RISC-V

Nils Wistoff, PhD Student, Integrated Systems Laboratory, ETH Zurich. Supervisors: Luca Benini, Gernot Heiser


Motivation: press coverage of Meltdown and Spectre (screenshots on the slide)

- The Economist, Jan 4th 2018 [7]: "The chips are down: Two security flaws in modern chips cause big headaches for the tech business. Fixing the underlying problems will take a long time." Excerpt: "IT WAS a one-two punch for the computer industry. January 3rd saw the disclosure of two serious flaws in the design of the processors that power most of the world's computers. The first, appropriately called Meltdown, affects only chips made by Intel, and makes it possible to dissolve the virtual walls between the digital memory used by different programs, allowing hackers to steal sensitive data, such as passwords or a computer's encryption keys. The second," (excerpt cut off on the slide)
- Wired, Andy Greenberg [8]: "A Critical Intel Flaw Breaks Basic Security for Most Computers. A Google-led team of researchers has found a critical chip flaw that developers are scrambling to patch in millions of computers."
- The Guardian [9]: "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers. Everything from smartphones and PCs to cloud computing affected by major security flaw found in Intel and other processors - and fix could slow devices."
- The Verge, Tom Warren, Jan 3, 2018 [10]: "Intel's processors have a security bug and" (headline cut off on the slide)






# Intel Skylake Microarchitecture








### Microarchitectural Timing Channel




### Example: D\$ Timing Channel






**Partition all shared resources!** Spatially or temporally.

### Spatial Partitioning

### Temporal Partitioning
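Spatial partitioning of a physically indexed cache is usually done by page colouring, the technique of Kessler and Hill [2]: the set-index bits that lie above the page offset are fixed by the physical page number, so an OS that hands each security domain pages of disjoint "colours" guarantees the domains never share an LLC set. The following is an added example, not code from the slides, from Ariane or from seL4. It uses the 512 KiB LLC size from the slides but assumes a 16-way associativity, 64-byte lines and 4 KiB pages (constructed values); `allocate_coloured` and `shared_colours` are hypothetical helpers written for this illustration.

```python
"""Spatial partitioning of a physically indexed cache by page colouring.

Added example (not from the slides, Ariane or seL4).  Cache geometry is
constructed: the 512 KiB LLC from the slides with an ASSUMED 16-way
associativity, 64-byte lines and 4 KiB pages.
"""

CACHE_BYTES = 512 * 1024   # LLC size from the slides
WAYS = 16                  # assumption, not stated on the slides
LINE_BYTES = 64            # assumption
PAGE_BYTES = 4096          # RISC-V base page size


def num_colours(cache_bytes=CACHE_BYTES, ways=WAYS,
                line_bytes=LINE_BYTES, page_bytes=PAGE_BYTES):
    """Number of distinct page colours the cache offers.

    A page covers `lines_per_page` consecutive sets; the remaining index
    bits come from the physical page number and define the colour.  A cache
    whose per-way size is no larger than a page has only one colour, i.e.
    it cannot be spatially partitioned by the OS at all.
    """
    sets = cache_bytes // (ways * line_bytes)
    lines_per_page = page_bytes // line_bytes
    return max(1, sets // lines_per_page)


def page_colour(paddr, colours=None):
    """Colour of the physical page containing paddr."""
    if colours is None:
        colours = num_colours()
    return (paddr // PAGE_BYTES) % colours


def allocate_coloured(free_pages, allowed_colours, count):
    """Take `count` free physical pages whose colour is in allowed_colours.

    free_pages is a list of page-aligned physical addresses; chosen pages
    are removed from it.  Running out of a colour class is the practical
    cost of colouring: each domain only gets its share of physical memory.
    """
    chosen, remaining = [], []
    for page in free_pages:
        if len(chosen) < count and page_colour(page) in allowed_colours:
            chosen.append(page)
        else:
            remaining.append(page)
    if len(chosen) < count:
        raise MemoryError("not enough free pages of the allowed colours")
    free_pages[:] = remaining
    return chosen


def shared_colours(domain_pages):
    """Colours that appear in more than one domain's page set.

    An empty result means the domains can never contend for the same LLC
    set, so one domain's LLC occupancy is not observable by another.
    """
    owners = {}
    for domain, pages in domain_pages.items():
        for page in pages:
            owners.setdefault(page_colour(page), set()).add(domain)
    return {c for c, ds in owners.items() if len(ds) > 1}


if __name__ == "__main__":
    colours = num_colours()
    # Constructed free list: 64 pages above a typical RISC-V DRAM base.
    free = [0x8000_0000 + i * PAGE_BYTES for i in range(64)]
    half = colours // 2
    a_pages = allocate_coloured(free, set(range(0, half)), 8)
    b_pages = allocate_coloured(free, set(range(half, colours)), 8)
    print("colours:", colours)
    print("shared colours:", shared_colours({"A": a_pages, "B": b_pages}))
```

Note what colouring cannot do: it only separates components that are indexed by physical address bits above the page offset. The L1 caches, TLBs and branch predictors listed later in the talk are indexed by low address bits or by virtual addresses, which is why they need the temporal approach instead.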








## Evaluation Platform

#### Hardware platform

- Ariane (CVA6) RV64GC core [4]
  - Write-through 32KiB L1D\$ and 16KiB L1I\$
  - 16-entry DTLB, 16-entry BTB, 64-entry BHT
- FPGA (Genesys 2) @50MHz
  - Add timer peripheral and 512KiB LLC [3]








## Channel Matrix: L1 D\$

$N = 10^{6}$, $M = 1667.3$ mb, $M_0 = 0.5$ mb

$M_0$ varies between measurements!


## Let's try to flush in Software!







# Software Mitigation

(Plots: time in cycles against the secret, with probability on the colour scale; the software-primed variants show a reduced range but still a channel.)

#### Unmitigated

$N = 10^{6}$, $M = 1667.3$ mb, $M_{0} = 0.5$ mb

#### Single L1 D\$ prime on context switch

$N = 10^{6}$, $M = 1471.5$ mb, $M_{0} = 0.6$ mb

#### Double L1 D\$ prime on context switch

$N = 10^{6}$, $M = 515.7$ mb, $M_{0} = 1.1$ mb

Still a channel! We need hardware support!








#### Unmitigated

$N = 10^{6}$, $M = 1667.3$ mb, $M_{0} = 0.5$ mb

#### Flush targeted components on context switch

$N = 10^{6}$, $M = 7.7$ mb, $M_{0} = 1.4$ mb

### Vulnerable 2<sup>nd</sup> Order State-Holding Components

- L1 D\$:
  - LFSR for pseudo-random replacement policy
  - Memory arbiter
  - TX FIFO
  - Write-buffer arbiters
- L1 I\$:
  - LFSR for pseudo-random replacement policy
- TLBs:
  - Pseudo-LRU tree for replacement policy
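The list above explains the earlier channel-matrix result: a flush that only invalidates cache lines leaves the replacement policy's LFSR holding state that depends on how many evictions the previous domain caused, so M stays above M0. The following added example, which is not code from the slides, Ariane or seL4, models that with a toy 4-way set whose victim is chosen by a 4-bit LFSR (a constructed stand-in for the real policy), then quantifies each flush variant the way the talk's slides do: the mutual information M of the empirical channel matrix in millibits, and a noise floor M0. The slides do not define M0; computing it as the apparent leakage after shuffling the secrets is my reading and is labelled as such in the code. The reset value, the LFSR taps and the trial structure are all constructed for the illustration.

```python
"""Why a data-only flush leaves a channel: replacement-policy state.

Added example, not code from the slides, Ariane or seL4.  A toy 4-way cache
set chooses its eviction victim with a 4-bit LFSR (constructed model of a
pseudo-random replacement policy).  A flush that only invalidates lines is
compared with one that also resets the LFSR, each quantified by the
channel-matrix mutual information M and the shuffled-secret noise floor M0
(my reading of the slides' M0, which they do not define).
"""
import math
import random
from collections import Counter

WAYS = 4
LFSR_RESET = 0b1111   # constructed reset value (must be nonzero)


def lfsr_step(state):
    """4-bit maximal-length Fibonacci LFSR (period 15)."""
    bit = ((state >> 3) ^ (state >> 2)) & 1
    return ((state << 1) | bit) & 0xF


class ToySet:
    """One cache set: `lines` holds tags (None = invalid); the LFSR picks victims."""

    def __init__(self):
        self.lines = [None] * WAYS
        self.lfsr = LFSR_RESET

    def access(self, tag):
        """Return the way index filled or replaced on a miss, None on a hit."""
        if tag in self.lines:
            return None
        if None in self.lines:            # fill an invalid way first
            way = self.lines.index(None)
        else:                             # all valid: the LFSR picks the victim
            way = self.lfsr % WAYS
            self.lfsr = lfsr_step(self.lfsr)
        self.lines[way] = tag
        return way

    def flush(self, reset_replacement_state):
        """Invalidate all lines; optionally reset the replacement state too."""
        self.lines = [None] * WAYS
        if reset_replacement_state:
            self.lfsr = LFSR_RESET


def one_trial(secret, reset_lfsr):
    """Domain A causes `secret` evictions, the kernel flushes, then domain B
    sees which of its four lines is evicted first (what a timing probe would
    reveal).  Returns that way index, 0..3."""
    cache = ToySet()
    for tag in range(WAYS + secret):      # WAYS fills, then `secret` evictions
        cache.access(("A", tag))
    cache.flush(reset_lfsr)
    for tag in range(WAYS):
        cache.access(("B", tag))
    return cache.access(("B", WAYS))


def mutual_information_mb(samples):
    """Mutual information, in millibits, of the empirical channel matrix
    built from (secret, observation) pairs."""
    n = len(samples)
    joint, ps, po = Counter(samples), Counter(), Counter()
    for s, o in samples:
        ps[s] += 1
        po[o] += 1
    mi = 0.0
    for (s, o), c in joint.items():
        mi += (c / n) * math.log2((c * n) / (ps[s] * po[o]))
    return 1000.0 * mi


def noise_floor_mb(samples, rng):
    """M0 (assumed definition): apparent leakage after shuffling the secrets,
    i.e. what finite sampling alone produces.  It varies between runs."""
    secrets = [s for s, _ in samples]
    rng.shuffle(secrets)
    return mutual_information_mb(list(zip(secrets, (o for _, o in samples))))


def measure(reset_lfsr, n=4000, seed=1):
    """n trials with uniformly random secrets in 0..15; returns (M, M0)."""
    rng = random.Random(seed)
    secrets = [rng.randrange(16) for _ in range(n)]
    samples = [(s, one_trial(s, reset_lfsr)) for s in secrets]
    return mutual_information_mb(samples), noise_floor_mb(samples, rng)


if __name__ == "__main__":
    for reset in (False, True):
        m, m0 = measure(reset)
        print(f"reset LFSR on flush={reset}: M = {m:.1f} mb, M0 = {m0:.1f} mb")
```

With the data-only flush the observation is a deterministic function of the secret, so M comes out near 2000 mb while M0 sits at a few millibits; resetting the LFSR makes the observation constant and both drop to exactly zero. The same reading applies to the slide numbers: "flush targeted components" leaves M well above M0, and only the full fence.t, which also clears this second-order state, brings M down to the noise floor.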



## Let's Have a Look at All Targeted Channels!




### L1 D\$ Channel: Full fence.t

#### Unmitigated

$N = 10^{6}$, $M = 1667.3$ mb, $M_{0} = 0.5$ mb

#### Flush all vulnerable components on context switch

$N = 10^{6}$, $M = 8.4$ mb, $M_{0} = 9.6$ mb

### L1 I\$ Channel: Full fence.t

#### Unmitigated

$N = 10^{6}$, $M = 1905.0$ mb, $M_{0} = 0.5$ mb

#### Flush all vulnerable components on context switch

$N = 10^{6}$, $M = 19.5$ mb, $M_{0} = 20.5$ mb

### TLB Channel: Full fence.t

#### Unmitigated

$N = 10^{6}$, $M = 409.2$ mb, $M_{0} = 0.1$ mb

#### Flush all vulnerable components on context switch

$N = 10^{6}$, $M = 2.7$ mb, $M_{0} = 5.4$ mb

### BTB Channel: Full fence.t

#### Unmitigated

$N = 10^{6}$, $M = 3481.3$ mb, $M_{0} = 0.1$ mb

#### Flush all vulnerable components on context switch

$N = 10^{6}$, $M = 33.0$ mb, $M_{0} = 57.6$ mb

### BHT Channel: Full fence.t

#### Unmitigated

$N = 10^{6}$, $M = 4873.3$ mb, $M_{0} = 0.1$ mb

#### Flush all vulnerable components on context switch

$N = 10^{6}$, $M = 44.1$ mb, $M_{0} = 58.8$ mb

## All Evaluated Channels Closed!





(Figure: channel matrices of all evaluated channels, L1 D\$ through BHT.)

## So What Are the Costs?

#### Context Switch Latency

seL4 one-way inter-address-space IPC microbenchmark (cycles):

| Unmitigated (hot) | Unmitigated (cold) | D\$ Software Flush (single) | D\$ Software Flush (double) | HW Flush     |
|-------------------|--------------------|-----------------------------|-----------------------------|--------------|
| 430 (±7.0)        | 1,180 (±1.0)       | 12,099 (±52)                | 51,876 (±256)               | 1,502 (±0.9) |

320 cycles overhead per context switch

Clk @1GHz, CS @1KHz: **+ 0.032%**





#### **Hardware Costs**




### Conclusion

- Covert channels exist on RISC-V cores
  - We measure five distinct channels on Ariane
- Confirmed: the OS needs HW support for time protection [1]
  - Pure SW solutions cannot be comprehensive
- First HW platform with (experimental) support for time protection!
  - We propose a temporal fence (fence.t) instruction
  - Closes all evaluated channels at negligible cost
- The HW mechanism must flush all μArch state
  - Identifying μArch state is not always straightforward
  - A systematic approach to HW/security co-design is needed
- Future work
  - Evaluate on a write-back L1 data cache
  - Systematic evaluation of μArch state



### Special Thanks to...

- Moritz Schneider (ETH Zurich)
- Curtis Millar (Data61)
- Qian Ge (Data61)
- Florian Zaruba (ETH Zurich)
- Wolfgang Rönninger (formerly ETH Zurich)
- Sascha Kegreiß (Hensoldt Cyber GmbH)
- Frank K. Gürkaynak (ETH Zurich)
- Rainer Leupers (RWTH Aachen)
- Luca Benini (ETH Zurich and University of Bologna)
- Gernot Heiser (UNSW Sydney and Data61 CSIRO)









### Sources



- [1] Qian Ge, Yuval Yarom, Tom Chothia, and Gernot Heiser: "Time Protection: The Missing OS Abstraction", EuroSys, 2019
- [2] R. E. Kessler and Mark D. Hill: "Page Placement Algorithm for Large Real-Indexed Caches", ACM Trans. Comp. Syst. 19, 1992
- [3] Wolfgang Rönninger: "Memory Subsystem for the First Fully Open-Source RISC-V Heterogeneous SoC", Master's thesis, ETH Zurich, 2019
- [4] Florian Zaruba and Luca Benini: "The Cost of Application-Class Processing: Energy and Performance Analysis of a Linux-Ready 1.7-GHz 64-Bit RISC-V Core in 22-nm FDSOI Technology", IEEE Trans. on VLSI Systems 27, 2019
- [5] Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, and Gernot Heiser: "Comprehensive Formal Verification of an OS Microkernel", ACM Trans. Comp. Syst. 32, 2014
- [6] Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida: "RIDL: Rogue In-flight Data Load", 2019
- [7] "Two security flaws in modern chips cause big headaches for tech business", The Economist, January 4, 2018
- [8] Andy Greenberg: "A Critical Intel Flaw Breaks Basic Security for Most Computers", Wired, January 3, 2018
- [9] Samuel Gibbs: "Meltdown and Spectre: 'worst ever' CPU bugs affect virtually all computers", The Guardian, January 4, 2018
- [10] Tom Warren: "Intel's processors have a security bug and the fix could slow down PCs", The Verge, January 3, 2018
- [11] Wikipedia, https://en.wikipedia.org/wiki/File:C-3PO\_droid.png, accessed November 12, 2020




### Thank you for joining us. **Contribute to the RISC-V conversation on social!** #RISCVSUMMIT @risc\_v


