Reload+Reload：利用 AMD SEV 上的快取及記憶體旁通道

Abstract

為了支援加密的虛擬機器，AMD 提供 Secure Encrypted Virtualization（SEV）功能。在 SEV 中， CPU cache 含有未加密的資料，SEV 藉由在 cache lines 加上標籤來隔離不同 address space identifiers（ASIDs）的實體的 cache 存取。我們逆向了支援 SEV 的 AMD EPYC 處理器，發現存取不同標籤的 cache lines 會觸發 cache flush。另外，我們發現在不同 AISDs 的實體並行執行 memory 存取時會有 memory contention 的行為，無論 cache 是否啟用。我們的發現適用於所有版本的 SEV，包含 SEV，SEV-ES，以及 SEV-SNP。針對 cache flush 以及 memory contention 的行為，我們分別構造出兩種 Reload+Reload（RR）attacks：Reload+Reload-flush-set（RRFS）以及 Reload+Reload-memory-block（RRMB）。為了展現出 hypervisor 使用 RR attacks 攻擊 VMs 的可行性，我們使用 RRFS 作為 Spectre attack 中的隱蔽通道來洩漏出機密資訊，此外，我們使用 RRMB 破解出 AES-128 的密鑰。

AMD provides the Secure Encrypted Virtualization (SEV) extension to support encrypted virtual machines (VMs). In SEV, CPU caches contain unencrypted VM data. SEV tags cache lines to isolate cache accesses from different entities with their unique address space identifiers (ASIDs). In this work, we reverse-engineered AMD EPYC processor with SEV support. We found that access to cache lines with a mismatched tag triggers cache flushing. We also discovered memory contention behaviors when entities with different ASIDs concurrently access the same memory region, independent of cache configuration (enabled/disabled). Our findings apply to all versions of SEV, including SEV, SEV-ES, and SEV-SNP. We formulated two Reload+Reload (RR) attacks based on respectively to the flushing and contention behaviors: Reload+Reload-flush-set (RRFS) and Reload+Reload-memory-block (RRMB). We demonstrated the feasibility of a hypervisor carrying out RR attacks against its hosted VMs. We used RRFS to build a covert channel for a Spectre attack against a SEV VM to leak secret data. Additionally, we used RRMB to extract the AES-128 secret key from a SEV VM.