Security Flashcards

1
Q

What are exception levels in the ARMv8-A execution model?

A

The exception levels EL0 to EL3 set the execution privilege: EL0 is the least privileged (applications, “user mode”) and EL3 the most privileged. They replace the older two-way “user mode” / “privileged mode” split with four levels.

2
Q

What are trusted execution environments?

A

A hardware-enforced split of the system into a “normal world” and a “secure world”, each running its own software, so that sensitive code and data are isolated from the normal-world OS.

3
Q

What is the role of “secure world”?

A

Runs its own software stack (secure firmware, trusted OS, trusted applications)

Handles the more sensitive operations (cryptography, key storage, etc.)

4
Q

What does the “secure world” in ARMv8-A consist of?

A

Three exception levels (a Secure EL2 was only added in Armv8.4-A and is not part of this model):

EL0: Trusted applications

EL1: Trusted OS

EL3: Secure monitor. More privileged than every other level, including the hypervisor; it manages both the normal and the secure world

5
Q

What does the “normal world” in ARMv8-A consist of?

A

EL0: Applications

EL1: OS kernel, e.g. Linux or Windows running in non-secure EL1. Under a hypervisor the kernel at EL1 runs as a guest, and the hypervisor switches between the guest OSes.

EL2: Hypervisor; when present and enabled it switches execution between multiple guest OSes

EL3: Low-level firmware (Secure monitor). Strictly speaking EL3 is always in the secure state; it is listed here because it services both worlds and sits above the normal-world hypervisor.

6
Q

What does the Secure monitor in EL3 do?

A

Handles the transitions between the normal world and the secure world, in both directions

7
Q

What are the security states?

A

Normal world: Non-secure state (NS bit = 1)
Secure world: Secure state (NS bit = 0), where the security-specific features run

8
Q

What is Secure firmware in the secure world?

A

To get a secure system, the secure firmware is the first thing booted; it initializes the platform before handing control over to the normal (non-secure) world.

It provides services such as platform initialization, installation of the Trusted OS and routing of Secure monitor calls

9
Q

What does the Trusted OS do?

A

Partitions the different functionalities within the secure world so that they cannot interfere with each other or leak information to each other.

Provides secure services to the normal world.

Provides a runtime environment for executing secure (trusted) applications

10
Q

What exception level does the trusted OS run at?

A

Secure EL1 (S-EL1), below the secure monitor at EL3. A secure EL2 only exists from Armv8.4-A and is not part of this model.

11
Q

What exception level does secure firmware run at?

A

At EL3 (the monitor and platform initialization); parts of the secure firmware, such as the Trusted OS payload it installs, run at Secure EL1.

12
Q

In the secure, and non-secure world, what is the component with the highest privilege?

A

The Monitor

13
Q

What does the monitor do in the secure- and non-secure world?

A

Handles communication and switching between the secure-world kernel and the non-secure kernel

14
Q

How does a non-secure application communicate with the monitor?

A

Not directly. The application traps into the non-secure kernel (a privilege escalation via a supervisor call), and the kernel issues the SMC:

app -> kernel -> monitor

The monitor is entered only through fixed entry points (its exception vector), never at an arbitrary address

15
Q

How do the caches and the MMU separate the secure and non-secure worlds?

A

Each cache line and translation table entry carries a security bit (NS/S).
This tags the hardware resources so that secure resources cannot be accessed from the non-secure world.

On the AXI interconnect the AxPROT[1] signal (ARPROT[1] / AWPROT[1]) indicates whether an access is secure or non-secure, so every transaction on the interconnect carries its security attribute as additional wiring alongside the address.

16
Q

What can happen if secure booting does not happen correctly?

A

The system can end up compromised if the secure world is not set up correctly, or not at all, before control is handed to the normal world

17
Q

Why is the design of a boot sequence important?

A

It is a fundamental part of creating a secure system.

18
Q

What are some normal boot actions when initializing a secure OS?

A

All these actions are done in the secure state, which has access to all the hardware.

Generate page tables

Switch on the MMU (if the design uses caches or memory protection)

Set up the stack

Set up the runtime environment and program stacks for each processor mode

19
Q

What happens when we initialize the secure monitor, during the boot sequence?

A

The secure monitor is the component with the highest privilege.

Allocate scratch workspace

Set up the secure monitor stack pointer and initialize its state block

20
Q

What are the 4 steps in a boot sequence?

A

1: Initialize secure OS

2: Initialize secure monitor

3: Program the partition checker to allocate physical memory available to the non-secure OS

4: Yield control to the non-secure OS, which boots after this, i.e. the Windows or Linux system starts booting

21
Q

Who is responsible for switching between secure and non-secure world?

A

The secure monitor

22
Q

What is the SMC instruction?

A

Secure Monitor Call: executed when we want to switch worlds; it traps to the secure monitor at EL3.

Requires a privileged level (EL1 or higher); it is undefined at EL0.

A user application therefore has to execute a supervisor call (SVC) instruction and let the kernel's supervisor call handler perform the SMC that enters the secure monitor
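The routing side of the kernel -> monitor path above, as an added example that is not part of the original cards: once an SMC lands in the monitor, the EL3 code decodes the SMC Calling Convention (SMCCC) function ID in x0 and dispatches by owning entity. The ID layout and the PSCI_VERSION value (0x84000000) are from the SMCCC/PSCI specifications; the handler table, the PSCI 1.1 return value and the host-buildable shape of the dispatcher are constructed for illustration.

```c
/* Added example: SMCCC function-ID decoding and monitor-style dispatch.
 * Host-buildable model; the handler set is constructed, not a real EL3 image. */
#include <stdint.h>
#include <stdbool.h>

/* SMCCC function ID layout (Arm DEN 0028):
 *   bit 31    : 1 = fast call, 0 = yielding call
 *   bit 30    : 1 = SMC64 convention, 0 = SMC32
 *   bits 29:24: owning entity number (OEN)
 *   bits 23:16: must be zero
 *   bits 15:0 : function number */
#define SMCCC_FAST_CALL   (1u << 31)
#define SMCCC_64BIT       (1u << 30)
#define SMCCC_OEN_SHIFT   24
#define SMCCC_OEN_MASK    0x3fu
#define SMCCC_SBZ_MASK    0x00ff0000u
#define SMCCC_FUNC_MASK   0xffffu

enum { OEN_ARCH = 0, OEN_CPU = 1, OEN_SIP = 2, OEN_OEM = 3,
       OEN_STD_SECURE = 4, OEN_STD_HYP = 5 };

/* SMCCC: unknown or unsupported function returns -1 in x0 */
#define SMCCC_RET_NOT_SUPPORTED  ((int64_t)-1)

/* PSCI_VERSION: fast SMC32 call, standard secure service, function 0 */
#define PSCI_VERSION_ID  0x84000000u

static inline bool smccc_is_fast(uint32_t id)  { return (id & SMCCC_FAST_CALL) != 0; }
static inline bool smccc_is_64(uint32_t id)    { return (id & SMCCC_64BIT) != 0; }
static inline unsigned smccc_oen(uint32_t id)  { return (id >> SMCCC_OEN_SHIFT) & SMCCC_OEN_MASK; }
static inline unsigned smccc_func(uint32_t id) { return id & SMCCC_FUNC_MASK; }

/* Build a function ID from its fields. */
uint32_t smccc_make_id(bool fast, bool is64, unsigned oen, unsigned func)
{
    return (fast ? SMCCC_FAST_CALL : 0) | (is64 ? SMCCC_64BIT : 0) |
           ((oen & SMCCC_OEN_MASK) << SMCCC_OEN_SHIFT) | (func & SMCCC_FUNC_MASK);
}

/* Hypothetical handler for the standard secure service (a PSCI subset). */
static int64_t std_secure_handler(uint32_t id, uint64_t x1)
{
    (void)x1;
    if (id == PSCI_VERSION_ID)
        return (1 << 16) | 1;          /* PSCI major<<16 | minor, here 1.1 (constructed) */
    return SMCCC_RET_NOT_SUPPORTED;
}

/* What the monitor's SMC exception handler does with x0: reject malformed IDs,
 * then route by owning entity.  Anything that is not registered gets
 * NOT_SUPPORTED back rather than reaching any secure-world code path. */
int64_t monitor_dispatch(uint32_t id, uint64_t x1)
{
    if (id & SMCCC_SBZ_MASK)           /* reserved bits set: malformed call */
        return SMCCC_RET_NOT_SUPPORTED;
    switch (smccc_oen(id)) {
    case OEN_STD_SECURE:
        return std_secure_handler(id, x1);
    default:                           /* no handler registered for this OEN */
        return SMCCC_RET_NOT_SUPPORTED;
    }
}
```

The check on the must-be-zero bits matters in practice: a monitor that routes purely on the OEN field lets a caller reach handlers with IDs the specification never defined, which is the kind of unexpected entry point card 14's "fixed entry points" are meant to rule out.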

23
Q

What is the secure monitor mode?

A

The highest privilege level (EL3).

It is always secure regardless of the NS bit. The NS bit (SCR_EL3.NS in AArch64) records whether the lower exception levels are currently in the secure or the non-secure state.

24
Q

What is the Secure Monitor itself?

A

Code that runs in Secure Monitor mode (EL3)

It processes the switches between non-secure and secure world

25
Q

What does the overall security of the software rely on?

A

The security of the secure monitor code, together with the secure boot code.

A bug there exposes everything: EL3 code is secure regardless of the NS bit, so an attacker who controls it controls both worlds.

26
Q

What is the secure world used for?

A

Secure boot

Accessing hardware features
- user applications must go through the secure world to reach these
- crypto engine
- credential storage (key store)
- true random number generator

Digital rights management

Protecting/monitoring the normal world
- real-time kernel protection
- periodic kernel measurement (go in and check whether the kernel code has been modified)

27
Q

What is TrustZone in ARM microcontrollers?

A

The separation between a non-secure and a secure state (TrustZone for Armv8-M)

Non-secure: Rich OS (Linux)

Secure: secure applications/libraries, secure OS and secure monitor

27
Q

What is the SAU (security attribution unit) in ARM microcontrollers?

A

Assigns a security attribute (secure, non-secure, or non-secure callable) to every address, together with the implementation-defined IDAU; this is what separates the secure and the non-secure memory map.

27
Q

Describe the flow when a request comes from the CPU to the SAU

A

Request from CPU -> SAU (together with the IDAU)

The SAU/IDAU decide the security attribute of the address: secure, non-secure or non-secure callable.
The access is then checked by the MPU of the current security state: the secure MPU when the processor is in secure state, the non-secure MPU otherwise.

28
Q

What happens if you do a NS access to a secure address?

A

A memory fault (a SecureFault on Armv8-M); the access is blocked

29
Q

What is a structural difference between the secure and the non-secure MPU?

A

The non-secure MPU only covers the regions (address ranges) marked non-secure; the secure regions cannot be accessed through it at all, whereas in the secure state they are accessible.

30
Q

What is the difference between code execution in a non-secure and a secure region?

A

Code executed from a non-secure region can only access non-secure regions, whereas code executed from a secure region can access memory in both regions.

31
Q

Give an example of the secure state using function calls to access the non-secure state

A

Can use function calls to access resources/devices in the non-secure state, e.g. I/O driver

32
Q

Why is the switching between secure and non-secure state an important matter of itself?

A

Because this too must be done in a secure manner.

33
Q

How can the transition from secure to non-secure state be done?

A

By calling a non-secure function (BLXNS): the secure world knows which functions exist in the non-secure world and can simply call them.

By returning from an entry function (BXNS): the non-secure world has called into the secure world, the entry function has finished what it needed to do, and it returns from that call. Here too the secure state needs to know where to return to.

34
Q

How can the transition from non-secure to secure state be done?

A

A branch to a secure gateway (BL to SG): non-secure code is not allowed to call or jump to an arbitrary address in a secure region. To enforce this, a specific instruction is used as the only legal target, so entry into the secure world is limited to known places.

A branch to the reserved value FNC_RETURN (BX to FNC_RETURN): the secure state has called a function in the non-secure state, and when that function completes it wants to return to the secure state. The non-secure function executes an ordinary function return, but the address it returns to is not a real address: it is FNC_RETURN, set up when the non-secure function was called. The real return address is stored on the secure stack, where the non-secure state cannot modify it. This gives the secure world full control over where it will be re-entered when the non-secure function returns.

35
Q

What is a secure gateway?

A

An occurrence of the secure gateway instruction (SG) in a special type of secure region, the non-secure callable region (NSC)

36
Q

What is SG?

A

Secure gateway instruction

37
Q

What is NSC?

A

A special type of secure region, the non-secure callable region.

When the address spaces are set up during secure boot, one of them is marked as the NSC.

The only things in this region are the secure gateway (SG) instructions, each followed by the branch to its entry function in the secure world.

38
Q

What does FNC_RETURN do?

A

Causes the hardware to switch to the secure state, read the return address from the top of the secure stack, and branch to that address

39
Q

Study the state diagrams in the Secure video 1 at 24:28

A
40
Q

How can the secure world be used in SW development?

A

Link against the “secure gateway import library”, which contains the addresses of the secure gateways.
- Defines a symbol for each secure gateway

The toolchain must support generating a secure gateway veneer for each entry function
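An entry function as the toolchain sees it, added here as an example and not taken from the cards. With a CMSE-aware compiler (arm-none-eabi-gcc -mcmse, linking with --cmse-implib) the cmse_nonsecure_entry attribute is what makes the linker emit the SG veneer in the NSC region and the import-library symbol; the code then uses the ACLE function cmse_check_address_range() to verify that a buffer pointer handed over by the non-secure caller really lies in non-secure memory before writing through it. The device_id value, the NS SRAM window, and the host fallback that models the SAU/IDAU answer so the logic can be exercised off-target are all constructed assumptions.

```c
/* Added example: a secure-world entry function that validates a
 * non-secure-supplied pointer before use.  Real CMSE attributes and
 * cmse_check_address_range() are used when built with -mcmse; otherwise a
 * host model with a constructed non-secure window stands in for the SAU. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
/* Is [p, p+len) entirely non-secure and writable for the caller?  Add
 * CMSE_MPU_UNPRIV to the flags when the NS caller is unprivileged. */
static int ns_buffer_ok(void *p, size_t len)
{
    return cmse_check_address_range(p, len, CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL;
}
#else
#define NS_ENTRY
/* Host model (assumed layout): one 4 KiB non-secure SRAM window and a small
 * secure SRAM, so the check can be exercised without a Cortex-M target. */
static uint8_t ns_sram[4096];
static uint8_t secure_sram[64];
uint8_t *ns_window(void)     { return ns_sram; }
uint8_t *secure_window(void) { return secure_sram; }
static int ns_buffer_ok(void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)ns_sram;
    uintptr_t hi = lo + sizeof ns_sram;
    if (len == 0 || a + len < a)      /* reject empty and address-wrapping ranges */
        return 0;
    return a >= lo && a + len <= hi;  /* the whole range must sit inside the NS window */
}
#endif

/* Constructed, non-secret device identifier the secure side exports. */
static const uint8_t device_id[16] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba,
    0xdc, 0xfe, 0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01 };

enum { SECURE_OK = 0, SECURE_EBADPTR = -1, SECURE_EINVAL = -2 };

/* Entry function reached through its SG veneer.  The caller chooses ns_dst
 * and len; both are validated, and the copy uses exactly the values that
 * were validated (no second read of them from non-secure memory).  Without
 * the check, an NS caller could pass a secure address and have the secure
 * world overwrite its own memory on the caller's behalf. */
NS_ENTRY int secure_get_device_id(uint8_t *ns_dst, size_t len)
{
    if (len != sizeof device_id)
        return SECURE_EINVAL;
    if (!ns_buffer_ok(ns_dst, len))
        return SECURE_EBADPTR;
    memcpy(ns_dst, device_id, len);
    return SECURE_OK;
}
```

On target the same function, declared in the import library, is what non-secure code calls; the veneer in the NSC region is the only address it is allowed to branch to, and the attribute also makes the compiler clear caller-visible registers on return so no secure state leaks through them.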

41
Q

What is the memory layout of the Non-secure callable region (NSC)

A

It contains a vector of secure gateway veneers.

The veneers contain the secure gateway instruction that can call specific entry functions in the secure regions.

Each gateway has a specific address to call into specific entry functions.

42
Q

What is the memory layout of the Secure region?

A

Entry functions
Secure code (internal functions)
Secure data (Stack, heap, global data)

43
Q

What is the MPU?

A

Memory Protection Unit

A simpler version of the MMU (Memory management unit).

The MPU handles coarse-grained partitioning, whereas the MMU also enables virtual memory and page tables.

MPUs are normal in microcontrollers, where a complex OS and memory management are not needed, though the protection properties of the MPU and the MMU are similar.

44
Q

Describe the ARM MPU

A

Programmable unit

Allows privileged software to define memory access permissions for different memory regions.

Monitors transactions, including fetches and data accesses from the processor. Checks if an access is allowed or not.

45
Q

Describe the ARMv8-M MPU

A

Supports a configurable number of programmable regions; a typical implementation supports up to 8 regions per security state.

The smallest size of an MPU region is 32 bytes and the maximum is 4 GiB; the size must be a multiple of 32 bytes.

All regions must begin on a 32-byte aligned address.

Regions have independent read/write access permissions for privileged and unprivileged code.

46
Q

What does the ARMv8-M Security Extensions allow?

A

To have one set of MPU configuration registers for the secure world and another set for the non-secure world.

47
Q

What are the 2 types of memory that can be specified?

A

Normal memory
Device memory

48
Q

What is normal memory used for?

A

Instructions and data

49
Q

What is device memory used for?

A

Used to access peripheral registers and Memory Mapped I/O (MMIO)

50
Q

What are some attributes of normal memory?

A

Cacheability

Shareability (for data and instructions)

eXecute Never (XN)

51
Q

Describe Shareability

A

Shareability (for data and instructions) relates to interconnects and to having clusters of CPUs:
- Non-shareable: nobody else uses it, so memory accesses don't need to be synchronised with other processors.
- Inner shareable: data/instructions are shared within the cluster. The shareability domain can contain multiple masters, but not necessarily all the agents in a system.
- Outer shareable: shared between multiple clusters.

This knowledge helps with optimisations, for cache coherency for example. If data is non-shareable we don't need to worry about coherency, and if it is inner shareable we only need coherency within a cluster. An operation that affects an outer shareable domain also implicitly affects all inner shareable domains inside it.

52
Q

Describe cacheability

A

Cacheability:
- Cache policy (write-through, write-back)
- Allocation (if miss, should allocate a new line?)
- Transient Hint (Hint regarding temporal locality)

53
Q

Describe eXecute Never (XN)

A

Separates instructions from data by marking data regions non-executable.

Makes sure an attacker cannot write code into data memory and then make the CPU jump to it: an instruction fetch from an XN region faults instead of executing.

54
Q

What is device memory used for?

A

Must be used for memory regions that cover peripheral control registers.

For example, if control registers were cached we could never detect changes in the registers themselves, and a write would go to the cache rather than to the device.

This shows that some of the optimisations that are permitted for normal memory are not safe for peripheral registers.

55
Q

Name attributes of device memory

A

G or nG (Gathering or non-Gathering):
Whether multiple accesses to a device may be merged into a single transaction. This is acceptable when the accesses are part of a data transfer, but not when they are part of the control path, where each access must reach the device.

R or nR (Reordering or non-Reordering):
Whether accesses to the device may be reordered with respect to each other.

E or nE (Early Write Acknowledge, similar to bufferable):
Whether the CPU may be told immediately that a write is done so it can continue, or whether the write must go all the way to the device so that it has taken effect, and the device is in the correct state, before we continue.

56
Q

What 2 prominent speculative side channel attacks were published in 2018, and why were these special?

A

Spectre & Meltdown

Spectre attacks exploit core features of modern architectures (speculative execution).

They are special because there were no immediate ways of mitigating them, as they exploit the design itself rather than an isolated bug.

57
Q

What is the core problem of speculative side channel attacks?

A

Speculation

Speculation is heavily relied on in modern architectures to hide latency

Types:
- Control flow speculation
- Memory disambiguation speculation
- Exception speculation

58
Q

What is control-flow speculation?

A

Branch resolution (taken / not taken)
BTB (branch target buffer) targets: where to branch to

59
Q

What is Memory disambiguation speculation?

A

The assumption that stores and loads do not alias.

A younger load is issued on the assumption that it does not depend on an earlier store whose address is still unresolved.

If the store turns out to have the same address as the load, the load has obtained stale data from the cache and propagated it through the pipeline. This must then be squashed and re-executed.

60
Q

What is Exception speculation

A

The assumption that an instruction will normally not cause an exception.

E.g. a floating-point division by 0 can raise an exception (when the divide-by-zero trap is enabled). When it does, we need to roll back and handle the exception before continuing.

61
Q

How can speculation be exploited?

A

Speculation can put the processor into an illegal state in which secrets can leak, or normally inaccessible data can be read.

This state is always squashed before it becomes architecturally visible. Execution is therefore always EVENTUALLY correct, but there can be mistakes during execution.

The exploit needs a way to get at this illegal data before it is squashed. This is done using “transmitters”.

62
Q

How can “transmitters” be used to make data visible in the micro architecture?

A

Transmitters are operations within the processor that change the micro-architectural state. They are called transmitters because they transmit information about the data they operate on.

The problem is that certain aspects of the micro-architecture are observable from the architectural state: it is possible to craft operations so that they reveal information about the micro-architectural state (for example by timing them).

If a transmitter operation is executed with illegal data, the trace it leaves survives the squash, so the illegal data can be recovered afterwards and becomes visible in the architectural state.

Through execution that depends on the data, we change the micro-architectural state so that it encodes the data (the most practical way is by modifying the caches). This encoding can be read back into the architectural state afterwards.

63
Q

What is micro-architectural state?

A

The state that is part of the system but not explicitly defined by the ISA.

Not well defined

A matter of implementation

There are no security guarantees for this state.

64
Q

What is architectural state?

A

State explicitly defined by the ISA

65
Q

Describe the micro architectural state in caches

A

- A load only defines that data must be retrieved from memory according to certain semantics; it says nothing about the timing.
- Depending on the address of the load, we can see different latencies (L1, L2, L3, memory).
- The timing is part of the micro-architectural state.
- The implementation of the caches, what they store and don't, how they prefetch, are all micro-architectural state.

66
Q

Describe the example of how we can reveal secrets using cache-modification.

A

Assumptions:
- We have a sequence of data elements, each occupying a different cache line
- All our data lives in an inclusive L2 cache (every line in L1 is also in L2)

First we flush all the data elements out of L1, leaving an empty L1 cache.

Then we access a single data element. We know that the secret is a value between 1 and 20. The base address is the first array element stored in the L2 cache.
So we fetch the element at *(base + secret). If secret = 3 we access the 4th element of the array in the L2 cache and bring it into the L1 cache.

The access time of L1 is 5 cycles and of L2 15 cycles. This is an observable difference when using the timers in the system.

We then time all the cache lines the secret could have selected. Every cache line takes 15 cycles, except the one indexed by the secret, which we brought up into the L1 cache.

Since we know that the access pattern is (base + secret), we can deduce from the access-time graph that secret = 3.
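The flush-and-reload step of this card as a software model, added here as an example (it is not from the cards and measures nothing on the real CPU): a two-level inclusive cache with the card's 5-cycle L1 and 15-cycle L2 latencies is simulated, the victim touches base + secret, and the attacker recovers the secret from nothing but the probe timings. The line count and the latency numbers are constructed for the model.

```c
/* Added example: simulated flush+reload.  The cache model, latencies and
 * number of candidate lines are constructed; the recovery logic is the point. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define LINES        32   /* candidate lines, one per possible secret value */
#define L1_LATENCY    5
#define L2_LATENCY   15

struct cache_model {
    bool in_l1[LINES];    /* L2 is inclusive and holds every line, so only L1 residency matters */
};

void cache_flush_l1(struct cache_model *c)
{
    for (size_t i = 0; i < LINES; i++) c->in_l1[i] = false;
}

/* Access one line: return its latency and leave it L1-resident (fill on miss). */
unsigned cache_access(struct cache_model *c, size_t line)
{
    unsigned lat = c->in_l1[line] ? L1_LATENCY : L2_LATENCY;
    c->in_l1[line] = true;
    return lat;
}

/* Victim-side transmitter: the secret is used as an index, so which line
 * becomes L1-resident depends on the secret.  In the real attack this runs
 * speculatively and is squashed; the cache fill is what survives the squash. */
void victim_transmit(struct cache_model *c, unsigned secret)
{
    cache_access(c, (size_t)secret % LINES);
}

/* Attacker-side receiver: time every candidate line once.  Exactly one line
 * should be in L1; it is the only one answering in L1_LATENCY cycles.
 * Returns the recovered secret, or -1 if the timings are ambiguous (noise). */
int attacker_reload(struct cache_model *c, unsigned latencies[LINES])
{
    int found = -1;
    for (size_t i = 0; i < LINES; i++) {
        latencies[i] = cache_access(c, i);  /* probing line i does not change other lines */
        if (latencies[i] == L1_LATENCY) {
            if (found != -1) return -1;     /* two fast lines: retry the whole round */
            found = (int)i;
        }
    }
    return found;
}

/* The whole sequence from the card: flush, let the victim run, reload. */
int run_flush_reload(unsigned secret)
{
    struct cache_model c;
    unsigned lat[LINES];
    cache_flush_l1(&c);
    victim_transmit(&c, secret);
    return attacker_reload(&c, lat);
}
```

On real hardware the "ambiguous" branch is the normal case rather than the exception: prefetchers, other cores and interrupts pull extra lines in, so practical receivers repeat the round many times and take the line that is fast most often, instead of trusting one measurement.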

67
Q

Describe the 4 steps of the Spectre v1 attack

A

0: Mistrain the branch predictor, and flush the probe lines from the cache (make sure all candidate data elements are in the same level of cache)

1: Acquire illegal data (the secret) by speculatively bypassing a bounds check after the mistraining (reading a data element outside the bounds of our array)

2: Transmit the data into the micro-architectural state (the cache) by using the secret as an address into a probe array

3: Wait for the squash, then time the cache lines to retrieve the secret
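The bounds-check gadget of step 1 next to the standard software fix, added as an example that is not from the cards: the hardened version clamps the index with branch-free arithmetic (the same construction as Linux's array_index_nospec()), so even while the predictor runs past the check the out-of-bounds read cannot happen. The arrays, the "secret" placed after array1 and the probe stride are constructed; the clamping property is what a host can verify, the speculative leak it prevents is not observable here.

```c
/* Added example: Spectre v1 gadget shape and index-masking mitigation.
 * Arrays and secret are constructed.  The mask relies on arithmetic right
 * shift of a negative intptr_t (the gcc/clang behaviour). */
#include <stdint.h>
#include <stddef.h>

#define ARRAY1_SIZE 16u
#define STRIDE      512u               /* one probe line per possible byte value */

static uint8_t array1[ARRAY1_SIZE + 16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    /* bytes "past the end": the secret an attacker wants to read */
    'S', 'e', 'c', 'r', 'e', 't', '!', 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static uint8_t array2[256 * STRIDE];   /* probe array: the transmitter */

/* Vulnerable: the bounds check is a branch the predictor can be mistrained on.
 * While the CPU speculates down the in-bounds path with x >= ARRAY1_SIZE,
 * array1[x] reads the secret and the dependent array2 load pulls a line
 * chosen by the secret into the cache before the misprediction is squashed.
 * Architecturally the function still returns 0 for bad x, which is why
 * tests on return values never see the problem. */
uint8_t victim_unsafe(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* All-ones when 0 <= index < size, all-zeros otherwise, computed without a
 * branch: index | (size-1-index) has its top bit clear exactly when index is
 * in range (size-1-index wraps to a huge value otherwise); the complement
 * and arithmetic shift spread that bit over the whole word. */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(intptr_t)(index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened: the masked index can never select a byte past the end of array1,
 * speculatively or otherwise, so there is no secret for the load to transmit. */
uint8_t victim_safe(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* What the clamp resolves to: in range -> unchanged, out of range -> 0. */
size_t masked_index(size_t x, size_t size)
{
    return x & index_mask_nospec(x, size);
}
```

The mask is preferred over a speculation barrier after the check because it costs a few ALU operations instead of draining the pipeline; the barrier remains the fallback where the index feeds something that cannot be masked.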

68
Q

Describe the 4 steps of the Spectre v2 attack

A

In contrast to v1, where the attacker is the only process involved, Spectre v2 has a separate victim process.

Step 0: Locate a gadget, a sequence of instructions in the victim (typically inside some function) that inadvertently transmits data the victim has access to.

Step 1: Find an indirect branch in the victim's code and work out which Branch Target Buffer entry it uses. Then train the BTB from the attacker's context so that this entry predicts the gadget's address instead of the real target.

Step 2: Let the victim program run. It speculates using the poisoned BTB entry, jumps to the gadget, and the gadget transmits the secret.

Step 3: The attacker flushed the cache beforehand, so they can now time the cache lines to retrieve the secret. Here we look for the line with the LONGEST access time: the probe lines started out in a cache shared with the victim, and the victim's access pulled the selected line into its own core's cache, so that line now takes longer for the attacker to reach.

69
Q

Describe the Meltdown attack

A

More an exploitation of an implementation error than of speculation within the core.

Step 0: Set up a long chain of instructions ahead of the faulting load (so the load takes a while to reach the head of the ROB), and flush the possible cache targets

Step 1: Access kernel data. This triggers an exception, but the exception handling is delayed until the load reaches the head of the ROB, and in the meantime the data is still forwarded to the dependent instructions. A user process should not be able to read the kernel's data, but on the affected systems the kernel was mapped into every user address space so that system calls did not have to switch address spaces, which gives a better response time from the kernel.

Step 2: The kernel data is then transmitted using the secret as an address: index into the probe array with a value derived from the secret.

Step 3: Time the cache lines to find the fastest line, and retrieve the secret.

70
Q

Why can Meltdown be thought of as an implementation error?

A

When the exception is detected, the load should forward a dummy value (e.g. zero) to the dependent instructions instead of the real data.

Doing this is the suggested way of mitigating the problem.

71
Q

What are the 3 main state-of-the-art mitigation strategies for speculative side channel attacks?

A

1: Making execution invisible

2: Delaying dangerous operations

3: Cleaning up micro-architecture

72
Q

Describe how making execution invisible can be done to mitigate side channel attacks

A

Don't show what you are doing.

For example, for caches: cache lines do not move from L2 into L1 (no visible modification at all) until the speculation has resolved.

Caches are the most prevalent transmitter, but not the only one.

The idea is to “hide” changes to these various side channels until they are non-speculative.

Cons:
- requires extra storage, since the speculative work must be kept somewhere
- needs changes to the coherence and consistency models to account for this
- requires thinking of every possible visible channel and its complications; changes made to achieve this can move the problem so that secrets are transmitted through a different component in another part of the micro-architecture

73
Q

Describe how delaying dangerous operations can be done to mitigate side channel attacks

A

Define a category of dangerous operations, and delay these while doing useful work elsewhere.

Either restrict the propagation of secrets (NDA, Non-speculative Data Access), or delay the transmitters that depend on secrets (DoM, STT).

NDA: does not let potential secrets propagate through the system, and won't give anyone the data until we know it is safe to do so. This is generally safe, but loses some potential performance.

The next two both prevent the execution of certain operations that they believe will create an observable difference. Delaying transmitters requires knowing all transmitters ahead of time, which can be really hard as new attacks are discovered.

Delay-on-Miss (DoM): delays, while they are speculative, the operations it knows will modify the L1/L2 cache state. Tracks general speculation.

Speculative Taint Tracking (STT): delays operations on data it knows comes from a potentially illegal access. Needs to track the dangerous data, and by this also track general speculation.

74
Q

Describe how cleaning up micro-architecture can be done to mitigate side channel attacks

A

CleanupSpec

Track everything that was changed during speculation and be able to revert it to the previous state. This can be very expensive, as every attack vector must be tracked.
After a mispredict, restore the state to what it was before the speculation started.

Some of this can be handled by only updating state on commit (as in the invisible-execution approach), but some of it must be tracked and undone.

Requires knowing all the possible states that can be altered during speculation and used as a transmitter, for the cleanup to be effective.