Single Instruction stream, Multiple Data streams (SIMD) is a technique that uses data-level parallelism to improve processor performance; it aims to increase data-processing throughput by having multiple processors execute the same instruction in parallel. With the rise of big data, artificial intelligence and related technologies, the demand for data-parallel processing keeps growing, which makes SIMD increasingly important. To support SIMD, x86 processor vendors such as Intel and AMD have, since 1996, successively introduced SIMD instruction set extensions such as MMX (MultiMedia Extensions), SSE (Streaming SIMD Extensions) and AVX (Advanced Vector eXtensions) into their processors. By invoking SIMD instructions, programmers can conveniently use the feature without having to understand the hardware-level implementation details of SIMD. However, with the discovery of processor hardware vulnerabilities such as Meltdown and Spectre, people have gradually come to realize that parallel optimization techniques are a double-edged sword: they can introduce security risks while improving performance. This paper focuses on the VMASKMOV instruction in the x86 SIMD instruction set extensions and analyzes its security weakness. The main contributions of this paper are as follows: (1) the VMASKMOV instruction is reverse-engineered at the microarchitectural level using the timestamp counter and other techniques, revealing for the first time the correlation between VMASKMOV and security risks related to memory page management and the CPU Fill Buffer; (2) a new processor vulnerability, EvilMask, is disclosed, which is widely present on Intel and AMD processors, and three EvilMask attack primitives are proposed: VMASKMOVL+Time(MAP), VMASKMOVS+Time(XD) and VMASKMOVL+MDS, which can be used to carry out de-address-space-layout-randomization attacks and process data theft attacks; (3) two EvilMask Proof-of-Concept (PoC) examples are given, verifying the real-world information-security harm of EvilMask; (4) countermeasures against EvilMask are discussed, pointing out that the most fundamental solution is to re-implement the VMASKMOV instruction at the hardware level, and a preliminary implementation scheme is given.
Security Vulnerability Analysis of the Vector Conditional Memory Instruction on x86 Processors
Single Instruction stream, Multiple Data streams (SIMD) is a technology that exploits data-level parallelism to improve processor performance. It aims to take advantage of multiple processors executing the same instruction in parallel to increase data-processing throughput. With the rapid rise of big data and artificial intelligence, the demand for data-parallel processing continues to increase, making SIMD technology increasingly important. To support SIMD technology, x86 processor manufacturers such as Intel and AMD have introduced SIMD instruction set extensions such as MMX (MultiMedia eXtensions), SSE (Streaming SIMD Extensions), and AVX (Advanced Vector eXtensions) in their processors since 1996. By calling SIMD instructions, programmers can easily use the SIMD feature without needing to understand the implementation details of SIMD at the hardware level. However, with the discovery of processor hardware vulnerabilities such as Meltdown and Spectre, people have gradually realized that employing parallel optimization technology at the processor microarchitecture level is a double-edged sword that can bring security risks while improving performance. This paper focuses on the VMASKMOV instruction implemented in the x86 SIMD instruction set extension and conducts an in-depth analysis of its security vulnerabilities. The main contributions of this paper are as follows: (1) the microarchitecture implementation details of the VMASKMOV instruction are studied by experiments with timestamp counters, hardware performance counters, and Microarchitectural Data Sampling (MDS) techniques, and the instruction's characteristics are summarized from the experimental results: ① by measuring the execution time of the VMASKMOV instruction, it is possible to determine whether the target address is mapped and the status of most of the page attribute flags of the page it is located on; ② even if the mask bit is zero, VMASKMOV (load) copies all 128 or 256 bits of data at the target address to a temporary storage, causing the masked data to move, and when this operation is performed on some Intel processors, the masked data passes through the Fill Buffer and can be sampled using MDS techniques; (2) based on the experimental results, a new processor vulnerability named EvilMask is proposed, which is widely present on both Intel and AMD processors, and three attack primitives of EvilMask (VMASKMOVL+Time(MAP), VMASKMOVS+Time(XD), and VMASKMOVL+MDS) are presented, which can be used to implement de-address-space-layout-randomization attacks and process data leakage attacks; (3) two Proof-of-Concept (PoC) examples are provided to demonstrate EvilMask's real-world information security risks: ① using VMASKMOVL+Time(MAP) and VMASKMOVS+Time(XD) to break Kernel Address Space Layout Randomization (KASLR) by successfully de-randomizing the kernel base address, the physical-map base address, and a kernel module address on Intel Core i5-6200U, Intel Core i7-6700, AMD Ryzen 7 3700X, and AMD Ryzen 5 5650 processors, and ② using VMASKMOVL+MDS to leak Linux kernel data on an Intel Core i5-6200U processor; (4) countermeasures for EvilMask are discussed, and this paper points out that the most fundamental solution is to re-implement the VMASKMOV instruction at the hardware level, then gives a preliminary implementation.
Keywords: processor security; Single Instruction stream, Multiple Data streams (SIMD); microarchitectural side-channel attacks; VMASKMOV instruction; Address Space Layout Randomization (ASLR)