Scrooge Attack: Undervolting ARM Processors for Profit

40th International Symposium on Reliable Distributed Systems 2021
Chicago, USA
Scrooge Attack:
Undervolting ARM Processors for Profit
Christian Göttel∗, Konstantinos Parasyris†, Osman Unsal‡, Pascal Felber∗,
Marcelo Pasin∗, Valerio Schiavoni∗
∗University of Neuchâtel, Complex Systems, Switzerland
†Lawrence Livermore National Laboratory, USA
‡Barcelona Supercomputing Center, Spain
SRDS’21 22.09.2021 | IIUN, LLNL & BSC | Christian Göttel | christian.goettel@unine.ch
Scrooge Attack: Undervolting ARM Processors for Profit 1 / 15

Introduction
Expanding cloud market share of ARM-based instances
Before the Neoverse architecture, custom-developed or application-grade
microarchitectures were used for sever-grade platforms
Examples: Ampere eMAG, AWS Graviton, Marvell ThunderX
Conservative voltage margin due to process variation
Power management mechnanisms
Undervolted cloud infrastructure for profit
Danger
Low Voltage

Introduction
Undervolting:
Decreasing CPU voltage below nominal value
Conserving power
Reducing core aging
Maintining computational performance
Weakening reliability
Introducing errors due to timing violations
0 50 100 150 200 250
0.85
0.9
0.95
1
1.05
Throughput [Mop/s]
ETR
(normalized)
3B 3B+ 4B

Introduction
Consequences of undervotling for cloud user and cloud provider
Exploitable by malicious cloud user (out of scope)
Plundervolt [Murdock et al. S&P’20]
V0ltpwn [Kenjar et al. USENIX Security’20]
Detection method: crashing instances such that the user is covered by SLA
Heat dissipation adjusted by processor load and operating points
Temperature has always been a major issue
Non-selective fault injection method
Research questions:
1. What is necessary for a malicious cloud provider in order to pull off a stealthy
undervolting strategy?
2. Does a cloud user have the ability to uncover such an undervolting strategy?

Background
ARM in Data Centers
3
B
3
B
+
4
B
B
r
o
a
d
w
e
l
l
K
a
b
y
L
a
k
e
E
P
Y
C
H
a
r
p
e
r
t
o
w
n
0
0.1
0.2
Energy
[J/op]
CPU-bound
3
B
3
B
+
4
B
B
r
o
a
d
w
e
l
l
K
a
b
y
L
a
k
e
E
P
Y
C
H
a
r
p
e
r
t
o
w
n
1
2
Energy
[J/op]
Memory-bound
0
Low power processor design using ARM instances
Energy efficiency is comparable across architectures for CPU-bound benchmarks
26 % (4B) up to 122 % (3B+) less energy efficient than AMD EPYC
60 % (4B) more and 7 % (3B+) less energy efficient than Intel Kaby Lake
Memory-bound benchmarks are less energy efficient due to LPDDR performance

Background
Power management
Frequency scaling
(Dynamic) frequency regulation (overlocking, underclocking)
Conserving power and reducing heat dissipation
Voltage scaling
Open loop system (regulated by external setting)
Influences charging & discharging rate of capacitances (frequency)
Dynamic Voltage and Frequency Scaling (DVFS)
Simultaneous software-controlled voltage and frequency regulation
Operating performance points (frequency and voltage pairs)
Adaptive Voltage Scaling (AVS)
Closed loop system (regulated by feedback loop of sensor data)
Accounts for process variation and aging

Background
Raspberry Pi
Raspberry Pi 3B v1.2
Level Voltage
+25 mV
-25 mV
0
1
-1
2
-2
1.280 V
1.305 V
1.330 V
1.230 V
1.255 V
...
...
Component Raspberry Pi
Arm Cortex-A Processor
SoC
Broadcom®
VideoCore GPU
Memory 1 GiB and 4 GiB LPDDR
Disk microSD
Ethernet 10 Mbit/s to 1000 Mbit/s
Voltage adjustable in 25 mV steps
4B has no undervolting support
Mimicking server-grade ARM instance

Threat Model
shutdown deployed firmware request
reboot voltage reading
boot
deploy ❶ ❷ ❶ ❹ ❺
❸
❻
❷
¶ Exchange undervolted with nominal configuration
· Exchange back nominal with undervolted configuration
¸ Intercept voltage reading requests
¹ Forward voltage reading request
º Return voltage reading request
» Substitute undervolted voltage value by some nominal value

Evaluation
Setup
Raspberry Pi 3B, 3B+, 4B
Alciom PowerSpy2
Network-enabled power strip
UART-to-USB cable
Bluetooth dongle
Auxiliary machine

Evaluation
Temperature-based Guardband Analysis
30 40 50 60 70 80
1.20
1.25
1.30
Temperature [°C]
Voltage
[V]
safe critical failure nominal
Raspberry Pi 3B
30 40 50 60 70
1.20
1.30
Temperature [°C]
Voltage
[V]
safe critical failure nominal
Raspberry Pi 3B+
30 40 50 60 70 80
0.82
0.84
0.86
Temperature [°C]
Voltage
[V]
safe nominal undervolted
Raspberry Pi 4B
Measurement procedure
Start at nominal voltage and run benchmark
If successful, lower voltage configuration, restart, run benchmark again
Otherwise, reset to nominal voltage, increase temperature and repeat

Evaluation
Benchmark
Heat map indicating the relative energy efficiency for an undervolted setup compared to a
nominal setup
C
o
o
l
i
n
g
M
o
d
e
l
U
n
d
e
r
v
o
l
t
a
t
o
m
i
c
b
s
e
a
r
c
h
c
l
o
c
k
f
o
r
k
h
s
e
a
r
c
h
i
c
a
c
h
e
k
i
l
l
m
e
r
g
e
s
o
r
t
m
s
g
p
i
p
e
p
o
l
l
t
i
m
e
r
t
s
e
a
r
c
h
u
r
a
n
d
o
m
v
m
-
r
w
w
c
s
active
3B −75 mV 0.95 0.96 0.95 0.92 0.95 0.95 0.93 0.94 0.91 0.96 0.95 0.94 0.99 0.95 0.96 0.94
3B+ −75 mV 0.94 0.93 0.93 0.87 0.95 0.94 0.96 0.94 0.95 0.92 0.95 0.94 0.95 0.95 0.97 0.94
4B −15 mV 0.99 1.02 0.99 1.02 1.00 0.98 1.04 1.00 0.97 0.70 0.98 0.97 0.91 0.98 1.00 0.99
passive
3B −75 mV 0.95 0.92 0.93 0.91 0.94 0.94 0.94 0.93 0.92 1.03 0.93 0.92 0.96 0.94 0.96 0.93
3B+ −75 mV 0.95 0.96 0.95 0.98 0.95 0.95 0.95 0.95 0.95 0.96 0.94 0.95 0.97 0.96 0.97 0.95
4B −15 mV 0.97 1.02 0.99 1.01 0.99 1.03 1.00 1.00 1.03 1.01 1.00 1.00 0.91 0.99 0.97 0.99
Benchmark of choice: stress-ng (16 out of 169 shown)
The darker the shade, the more energy-efficient the stressor
None of the stressors crashed an undervolted instance

Evaluation
Failure Rate
30 40 50 60 70 80
0
0.2
0.4
0.6
0.8
1
Temperature [◦
C]
Failure
rate
3B 0mV 3B -75mV 3B -100mV
3B+ 0mV 3B+ -75mV 3B+ -100mV
Analysis of 265 failed out of 741 multiplication benchmarks
No incorrect benchmark results: multiplication not on timing-critical path
Highest crash probability at 60 °C (40 % 3B+, 90 % 3B)
Crash temperature decreases with undervolting
Process failure injection: 34 % user, 15 % kernel, 51 % unknown

Evaluation
Detection Method
Raspberry Pi 3B Raspberry Pi 3B+
Bare metal
[0; 200) [200; 400) [400; 600) [600; 800)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
[0; 500) [500; 1,000) [1,000; 1,500)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
Container
[0; 200) [200; 400) [400; 600) [600; 800)
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
[0; 0.5) [0.5; 1) [1; 1.5) [1.5; 2)
·103
0
5
10
15
20
Run-time [s]
Frequency
[0; 20) [20; 40) [40; 60) [60; 80)
0
5
10
15
20
Temperature [°C]
Frequency
Bare-metal: 175 s and 145 s (62 °C, 3B vs 3B+)
Container: 30 s and 250 s

Conclusion & Future Work
Conclusion:
Novel attack scenario based on undervolting by a scrooge cloud provider
Undervolting can save on average 5 % and up to 37 % energy
Aggressive undervolting is susceptible to thermal running
Active cooling can mitigate to some extend thermal running
Benchmarks are not the correct approach to guardband analysis
Future:
Apply Scrooge Attack on ARM server architecture
Include virtual machines in the evaluation
Develop a detection method that simultaneously crashes instances

Thank you
Thank you for your attention!
The Scrooge Attack data set is publicly available under
https://github.com/ChrisG55/Scrooge-Attack
The views and opinions of the authors do not necessarily reflect those of the U.S. government or
Lawrence Livermore National Security, LLC neither of whom nor any of their employees make any
endorsements, express or implied warranties or representations or assume any legal liability or
responsibility for the accuracy, completeness, or usefulness of the information contained herein. This
work was partially prepared by LLNL under Contract DE-AC52-07NA27344 (LLNL-CONF-817551) and by
the European Union’s Horizon 2020 research and innovation programme under the LEGaTO Project
(legato-project.eu), grant agreement No 780681.

Scrooge Attack: Undervolting ARM Processors for Profit

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (11)

Semelhante a Scrooge Attack: Undervolting ARM Processors for Profit

Semelhante a Scrooge Attack: Undervolting ARM Processors for Profit (20)

Mais de LEGATO project

Mais de LEGATO project (20)

Último

Último (20)

Scrooge Attack: Undervolting ARM Processors for Profit