Ben Gras & Kaveh Razavi

Designation

Ben Gras - Security Researcher, Vrije Universiteit Amsterdam
Kaveh Razavi - Security Researcher, Vrije Universiteit Amsterdam

Talk Title

TLBleed: When Protecting Your CPU Caches Is Not Enough

Abstract

We present TLBleed, a novel side-channel attack that leaks information out of Translation Lookaside Buffers (TLBs). TLBleed shows a reliable side channel without relying on the CPU data or instruction caches. This, therefore, bypasses several proposed CPU cache side-channel protections. Our TLBleed exploit successfully leaks a 256-bit EdDSA key from libgcrypt (used in e.g. GPG) with a 98% success rate after just a single observation of signing operation on a co-resident hyperthread and just 17 seconds of analysis time. Further, we show how another exploit based on TLBleed can leak bits from the side-channel resistant RSA implementation in libgcrypt. We use novel machine learning techniques to achieve this level of performance. These techniques will likely improve the quality of future side-channel attacks. This talk contains details about the architecture and complex behavior of modern, multilevel TLB's on several modern Intel microarchitectures that is undocumented and will be publically presented for the first time.


Bio

Ben Gras has been in the vusec security research group since 2015. He has worked on software reliability, defensive research projects, and most recently, offensive research. The offensive research was most noticeably making cross-VM Rowhammer exploitation reliable and a cache-based MMU side-channel attack. Most recently is this TLB side channel. He also can raise one eyebrow independently of the other.

In Feb-July 2017, he did a research internship with Cisco in the security research group in Knoxville, TN.

He is presently pursuing a Ph.D. in mischief.

Kaveh Razavi is a security researcher at the Vrije Universiteit Amsterdam in the Netherlands. He is currently most interested in reliable exploitation and mitigation of hardware vulnerabilities and side-channel attacks on OS/hardware interfaces. He has previously been part of a CERT team specializing on operating system security, has worked on authentication systems of a Swiss bank, and has spent two summers in Microsoft Research building large-scale system prototypes. He holds a BSc from the Sharif University of Technology, Tehran, an MSc from ETH Zurich and a Ph.D. from Vrije Universiteit Amsterdam.