Security Vulnerability Analysis of the Vector Conditional Memory Instruction on x86 Processors


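Authors: LI Dan-Ping (李丹萍); ZHU Zi-Yuan (朱子元); SHI Gang (史岗) [1,2]; MENG Dan (孟丹) (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049)

Affiliations: [1] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085; [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049

Source: Chinese Journal of Computers (《计算机学报》), 2024, No. 3, pp. 525-543, 19 pages

Funding: Supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02010400).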

Abstract: Single Instruction stream, Multiple Data streams (SIMD) is a technique that uses data-level parallelism to improve processor performance; it aims to increase data-processing throughput by having multiple processors execute the same instruction in parallel. With the rise of big data, artificial intelligence and related technologies, demand for data-parallel processing keeps growing, which makes SIMD increasingly important. To support SIMD, x86 processor vendors such as Intel and AMD have, since 1996, successively introduced SIMD instruction set extensions such as MMX (MultiMedia Extensions), SSE (Streaming SIMD Extensions) and AVX (Advanced Vector eXtensions) into their processors. By calling SIMD instructions, programmers can conveniently use SIMD functionality without understanding its hardware-level implementation details. However, with the discovery of processor hardware vulnerabilities such as Meltdown and Spectre, people have gradually come to recognize that parallel optimization is a double-edged sword: it improves performance but can also bring security risks. This paper focuses on the VMASKMOV instruction in the x86 SIMD instruction set extensions and analyzes its security vulnerabilities. The main contributions are as follows: (1) it reverse-engineers the microarchitecture of the VMASKMOV instruction using techniques such as the timestamp counter, and finds for the first time that VMASKMOV is correlated with security risks such as memory page management and the CPU Fill Buffer; (2) it discloses a new processor vulnerability, EvilMask, which is widespread on Intel and AMD processors, and proposes three EvilMask attack primitives, VMASKMOVL+Time(MAP), VMASKMOVS+Time(XD) and VMASKMOVL+MDS, which can be used to carry out address space layout de-randomization attacks and process data theft attacks; (3) it gives two EvilMask Proof-of-Concept (PoC) examples that verify the real-world information security harm of EvilMask; (4) it discusses defenses against EvilMask, points out that the most fundamental solution is to re-implement the VMASKMOV instruction at the hardware level, and gives a preliminary implementation scheme.

Single Instruction stream, Multiple Data streams (SIMD) is a technology that exploits data-level parallelism to improve processor performance. It aims to take advantage of multiple processors to execute the same instruction in parallel to increase data processing throughput. With the rapid rise of big data and artificial intelligence, the demand for data-parallel processing continues to increase, making SIMD technology increasingly important. To support SIMD technology, x86 processor manufacturers such as Intel and AMD have introduced SIMD instruction set extensions such as MMX (MultiMedia eXtensions), SSE (Streaming SIMD Extensions), and AVX (Advanced Vector eXtensions) in their processors since 1996. By calling SIMD instructions, programmers can easily use the SIMD feature without needing to understand the implementation details of SIMD at the hardware level. However, with the discovery of processor hardware vulnerabilities such as Meltdown and Spectre, people gradually realize that employing parallel optimization technology at the processor microarchitecture level is a double-edged sword that can bring security risks while improving performance. This paper focuses on the VMASKMOV instruction implemented in the x86 SIMD instruction set extension and conducts an in-depth analysis of its security vulnerabilities. The main contributions of this paper are as follows: (1) the microarchitecture implementation details of the VMASKMOV instruction are studied by experiments with timestamp counters, hardware performance counters, and Microarchitectural Data Sampling (MDS) techniques, and the instruction characteristics are summarized based on experimental results: ① by measuring the execution time of the VMASKMOV instruction, it is possible to determine whether the target address is mapped or not and the status of most of the page attribute flags on the page it is located on; ② even if the mask bit is zero, VMASKMOV (load) will copy all 128 or 256 bit data at the target address to a temporary storage, causing the masked data to move, and if this operatio

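Keywords: processor security; Single Instruction stream, Multiple Data streams (SIMD); microarchitectural side-channel attack; VMASKMOV instruction; Address Space Layout Randomization (ASLR)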

Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]

 
