b a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 h e x
play

B a s e b a n d e x p l o i t a t i o n i n 2 - PowerPoint PPT Presentation

Feb 26, 2023 •260 likes •478 views

B a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 : H e x a g o n c h a l l e n g e s R a l f - P h i l i p p W e i n m a n n < r a l f @ c o m s e c u r i s . c

  1. B a s e b a n d e x p l o i t a t i o n i n 2 0 1 3 : H e x a g o n c h a l l e n g e s R a l f - P h i l i p p W e i n m a n n < r a l f @ c o m s e c u r i s . c o m > P r e s e n t e d a t P a c s e c 2 0 1 3 2 0 1 3 - 1 1 - 1 4 , T o k y o , J a p a n

  2. W h o a m I ? ● S e c u r i t y r e s e a r c h e r f r o m G e r m a n y ● P r e v i o u s l y i n a c a d e m i a ( U n i v e r s i t y o f L u x e m b o u r g ) ● N o w w o r k i n g f o r m y o w n c o m p a n y ● K e e n i n t e r e s t i n s e c u r i t y o f m o b i l e , w i r e l e s s a n d e m b e d d e d s y s t e m s ● F i r s t t o d e m o n s t r a t e r e m o t e l y e x p l o i t a b l e v u l n e r a b i l i t i e s i n b a s e b a n d s t a c k s ( 3 y e a r s a g o )

  3. O v e r v i e w ● I m p o r t a n c e o f H e x a g o n f o r m o b i l e e x p l o i t a t i o n ● I n t r o t o t h e Q D S P 6 a r c h i t e c t u r e ● P a s t i s s u e s w i t h B L A S T ● O n t h e c o m p l e x i t y o f R O P a n d s i m i l a r t e c h n i q u e s ● A n e x a m p l e v u l n e r a b i l i t y ● C o n c l u s i o n s

  4. T h e n o w : c e l l u l a r b a s e b a n d m a r k e t 2 0 1 3 1 7 % Q u a l c o m m 7 % M e d i a t e k 1 3 % 6 3 % I n t e l O t h e r s

  5. L T E : B a s e b a n d m a r k e t s h a r e d i s t r i b u t i o n 3 % 9 7 % Q u a l c o m m E v e r y b o d y e l s e

  6. H e x a g o n a r c h i t e c t u r e ● O r i g i n a t e d f r o m Q C O M s g e n e r a l p u r p o s e D S P – U s e d f o r o n l y a u d i o p r o c e s s i n g a n d L 1 i n e a r l y d a y s ● V L I W a r c h i t e c t u r e [ 1 - 4 i n s t r u c t i o n s p e r c y c l e ] ● B a r r e l p r o c e s s o r ( i n t e r l e a v e d m u l t i t h r e a d i n g ) ● 3 2 - b i t u n i f i e d a d d r e s s s p a c e f o r c o d e a n d d a t a – B y t e a d d r e s s a b l e ● 3 2 G e n e r a l r e g i s t e r s ( 3 2 - b i t ) – a l s o u s a b l e p a i r w i s e : 6 4 - b i t r e g i s t e r p a i r s ● S u p p o r t s n e s t a b l e l o o p s ● M a n y a d d r e s s i n g m o d e s ( s p e c i f i c t o D S P u s a g e c a s e s ) ● L e a k e d d o c s c l a i m u p “ 3 x f e w e r c y c l e s t h a n A R M 9 o n c o n t r o l c o d e ”

  7. I n s t r u c t i o n p a c k e t s ● A t o m i c u n i t s g r o u p i n g i n s t r u c t i o n s e x e c u t e d i n p a r a l l e l ● 4 p a r a l l e l p i p e l i n e s ( c a l l e d s l o t s ) ● D i f f e r e n t i n s . t y p e s a s s i g n e d t o d i f f e r e n t s l o t s ● C o n s t r a i n t s f o r g r o u p i n g a p p l y – H W r e s o u r c e s c a n n o t b e o v e r s u b s c r i b e d ● M a n u a l s : n o b r a n c h i n g i n t o m i d d l e o f p a c k e t – E m p i r i c a l l y : y o u c a n r e t u r n i n t o m i d d l e o f p a c k e t

  8. C h i p s e t e v o l u t i o n ● Q D S P 6 v 1 : M S M 8 6 0 0 – P a n t e c h R a c e r V e g a ( a n y o n e ? ! ? ) ● Q D S P 6 v 2 : Q S D 8 6 5 0 ( v 1 / v 2 ) , M S M 8 2 0 0 ( v 1 / v 2 ) , C S M 8 9 0 0 , M D M 8 9 0 0 – e . g . S h a r p I S 0 3 / I S 0 5 ● Q D S P 6 v 3 : M D M 9 0 0 ( v 1 / v 2 ) , C S M 8 7 0 0 , F S M 9 0 0 0 , Q S D 8 6 5 0 a , M D M 8 2 0 0 a , M S M 8 6 6 0 , Q S D 8 x 7 2 – e . g . S o n y X p e r i a a c r o H D I S 1 2 S ● Q D S P 6 v 4 : M S M 8 9 6 0 , M D M 9 x 1 5 – e . g . S a m s u n g G a l a x y S 4 ( G T - i 9 5 0 5 ) , A p p l e i P h o n e 5 , B l a c k B e r r y Z 1 0 ● Q D S P 6 v 5 : M S M 8 9 7 4 – e . g . L G G 2 , S o n y X p e r i a Z U l t r a

  9. P r o b l e m s w i t h I S A ( r e v i s i o n s ) ● H e x a g o n P r o g r a m m e r ' s g u i d e o n l y a v a i l a b l e f o r v 2 ● A r c h i t e c t u r e h a s s i g n i f i c a n t l y e v o l v e d s i n c e ● M a n y d e t a i l s g u e s s e d a n d d e d u c e d f r o m t o o l c h a i n – E x a m p l e : i m m e x t ( p a y l o a d e x t e n d e r ) ● V e r y h a r d t o b u i l d t o o l s f r o m s c r a t c h b e c a u s e o f s h e e r c o m p l e x i t y o f I S A – T e s t i n g ? – E a s i e r t o s t a r t f r o m p u b l i c l y r e l e a s e d t o o l c h a i n

  10. U s e f u l i n s t r u c t i o n s ● T r a n s f e r : r X = r Y | | i m m e d i a t e ● A L U : R d = a d d ( R s , R t | | i m m e d i a t e ) [ 1 6 b i t s i g n e d i m m e d i a t e f o r a r i t h m e t i c , 1 0 b i t f o r l o g i c a l ] ● c o m b i n e : R d d = c o m b i n e ( i m m e d i a t e , i m m e d i a t e ) [ 8 b i t s i g n e d i m m e d i a t e s ] ● M U X : R d = m u x ( P u , R s | | i m m e d i a t e , R t | | i m m e d i a t e ) [ 8 b i t s i g n e d i m m e d i a t e s ] ● N 7f xx xx xx O P :

  11. C o n t r o l r e g i s t e r s ● LC0 [C1] , SA0 [C0] , LC1 [C3] , SA1 [C2] : L o o p r e g i s t e r s ● PC [C9] : P r o g r a m c o u n t e r ● USR [C8] : U s e r s t a t u s r e g i s t e r ● M0 [C6] M1 [C7] : M o d i f i e r r e g i s t e r s ( c i r c u l a r a d d r e s s i n g ) ● P3:0 [C4] : P r e d i c a t e r e g i s t e r s ● UGP [C10] : U s e r G e n e r a l P o i n t e r ( T L S ) ● GP [C11] : G l o b a l P o i n t e r

  12. C a l l i n g c o n v e n t i o n s ● allocframe ( s i z e [ u 1 4 ] ) Saved LR LR FP – P u s h a n d t o t o p o f Saved FP s t a c k . – S u b t r a c t s i z e [ 8 - b y t e a l i g n e d ] SP f r o m Procedure – FP = a d d r e s s o f ( o l d F P o n S t a c k ) local data ● deallocframe – L o a d s a v e d F P a n d L R v a l u e s f r o m a d d r e s s r e f e r e n c e d a t F P Saved LR – R e s t o r e S P t o p r e v i o u s f r a m e Saved FP

  13. H e x a g o n c o d e , e x a m p l e s some_func: 01 02 03 A3: memw (r0 + #0xC) = r3 ; memw (r0 + #8) = r1 00 30 02 A4: memw (r0 + #0x10) = r2 ; memw (r0 + #0) = #0 00 40 9F 52: { jumpr r31 80 C0 40 3C: memw (r0 + #4) = #0 } [...] 60 46 04 7C { r1:0 = combine (#0x33, #8) 46 42 33 04 immext (#0x43309180) 82 45 00 78 r2 = ##filename @ "/local/mnt/" … 43 C1 03 78 r3 = #0x60A } 51 42 33 04 { immext (#0x43309440) A4 46 00 78 r4 = ##message @ "<PRESENCE" … 00 40 5D 3C memw (r29 + #0) = #0 80 C0 5D 3C memw (r29 + #4) = #0 } 4A 63 64 5A { call logmsg 00 C1 5D 3C memw (r29 + #8) = #0 } [...]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Int. Journal on Software Tools for Technology Transfer, 2007 Stefan Buchholz March 17, 2009 1 Model

456 views • 12 slides
Expression of Interest Letters for FY17 Audio is available only by conference call. Please call :

Expression of Interest Letters for FY17 Audio is available only by conference call. Please call :

Expression of Interest Letters for FY17 Audio is available only by conference call. Please call : (800) 700-7784 Participant Access Code: 407190 to join the conference call portion of the webinar (date) Office of Housing Counseling Webinar

550 views • 20 slides
Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle

Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle

Challenges in Delivering and Deploying Software at Scale in Large Clusters Douglas Thain and Kyle Sweeney University of Notre Dame {dthain|ksweene3}@nd.edu Software Deployment on HPC Classic Approach Single process MPI app created by end

1.06k views • 50 slides
Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/

Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/

Be sure you have signed-in Team registration is open http://www.purdue.edu/dp/bdmce/ Questions can be emailed to bmc@purdue.edu Competition Statistics 31 st year One of the oldest competitions in the US Purdue: 1987

363 views • 23 slides
Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using

Introduction to SAT and SMT Solvers Interfacing Yosys and SMT Solvers for BMC and more using SMT-LIB 2.5 Clifford Wolf 1 Abstract Bounded model checking and other SAT-based formal methods are an important part of todays digital design

773 views • 52 slides
bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez

bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez

Fosdem 2019 bmclib A Baseboard Management Controller library One library to rule them all? Juliano Martinez Joel Rebello Baseboard Management Controller A BMC is a system on chip that integrates various computer components in a single

401 views • 14 slides
Parameter Synthesis with IC3 A. Cimatti, A. Griggio , S. Mover, S. Tonetta FBK, Trento, Italy

Parameter Synthesis with IC3 A. Cimatti, A. Griggio , S. Mover, S. Tonetta FBK, Trento, Italy

FMCAD 2013 Parameter Synthesis with IC3 A. Cimatti, A. Griggio , S. Mover, S. Tonetta FBK, Trento, Italy Motivations and Contributions Parametric descriptions of systems arise in many domains E.g. software, cyber-physical systems, task

375 views • 23 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
CDA 5416 Computer System Verification Bounded Model Checking Hao Zheng Department of Computer

CDA 5416 Computer System Verification Bounded Model Checking Hao Zheng Department of Computer

CDA 5416 Computer System Verification Bounded Model Checking Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) CDA 5416 CAV 1 / 26 Introduction Model Checking is used for exhaustive

438 views • 28 slides
U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by

U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by

U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by Booth Management Consulting 7230 Lee Deforest Drive, Suite 202 Columbia, MD 21046 Understanding Financial Management Systems February 19, 2019 2pm

779 views • 41 slides
FBOSS: Building Switch Software at Scale Sean Choi, Sean Choi, Boris Burkov, Alex Eckert, Tian

FBOSS: Building Switch Software at Scale Sean Choi, Sean Choi, Boris Burkov, Alex Eckert, Tian

FBOSS: Building Switch Software at Scale Sean Choi, Sean Choi, Boris Burkov, Alex Eckert, Tian Fang, Saman Kazemkhani, Rob Sherwood, Ying Zhang, James Zeng Motivation Scale of Facebook Community 2.23B Monthly 1.3B Monthly 1B Monthly 1.5B

442 views • 28 slides
Bounded Model Checking Henrik Torland Klev November 2019 1 Introduction My initial idea was to

Bounded Model Checking Henrik Torland Klev November 2019 1 Introduction My initial idea was to

Bounded Model Checking Henrik Torland Klev November 2019 1 Introduction My initial idea was to use chapter 10 SAT-based Model Checking of [1] as a basis for this presentation. However, said chapter turned out to be more of a

264 views • 12 slides
Bounded Model Checking Julien Schmaltz Institute for Computing and Information Sciences Radboud

Bounded Model Checking Julien Schmaltz Institute for Computing and Information Sciences Radboud

Bounded Model Checking Julien Schmaltz Institute for Computing and Information Sciences Radboud University Nijmegen The Netherlands julien@cs.ru.nl April 15, 2009 J. Schmaltz Bounded Model Checking Agenda coming lectures ... Part I:

954 views • 56 slides
On Variable Selection in SAT-LP-based Bounded Model Checking of Linear Hybrid Automata Marc

On Variable Selection in SAT-LP-based Bounded Model Checking of Linear Hybrid Automata Marc

On Variable Selection in SAT-LP-based Bounded Model Checking of Linear Hybrid Automata Marc Herbstritt (joint work with Bernd Becker, Erika Abrah am, Christian Herde) Institute of Computer Science Albert-Ludwigs-University Freiburg im

568 views • 33 slides
Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul

Bounded Model Checking of MPL Systems via Predicate Abstractions FORMATS 2019 Muhammad Syifaul Mufid 1 , 3 Dieky Adzkiya 2 Alessandro Abate 1 1 Department of Computer Science, University of Oxford, UK 2 Department of Mathematics, ITS Surabaya,

1.35k views • 55 slides
Verification of Delta Form Realization in Fixed-Point Digital Controllers Using Bounded Model

Verification of Delta Form Realization in Fixed-Point Digital Controllers Using Bounded Model

Verification of Delta Form Realization in Fixed-Point Digital Controllers Using Bounded Model Checking Iury V. Bessa , Hussama I. Ibrahim, Lucas C. Cordeiro, and Joo E. C. Filho iurybessa@ufam.edu.br Motivation Controllers DCVerifier

563 views • 52 slides
SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software

SMT-Based Bounded Model Checking for Embedded ANSI-C Software for Embedded ANSI-C Software Lucas Cordeiro, Bernd Fischer, Joao Marques-Silva b.fischer@ecs.soton.ac.uk Bounded Model Checking (BMC) Basic Idea: check negation of given property

957 views • 33 slides
SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification now hot Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification) Bounded Model Checking a

468 views • 25 slides
Model Checking with Maximal Causality Reduction Jeff Huang Assistant Professor A Real Bug

Model Checking with Maximal Causality Reduction Jeff Huang Assistant Professor A Real Bug

Model Checking with Maximal Causality Reduction Jeff Huang Assistant Professor A Real Bug $12 million loss of equipment

823 views • 71 slides
A new approach to efficient multi-party computation Carmit Hazay, Emmanuela Orsini, Peter Scholl

A new approach to efficient multi-party computation Carmit Hazay, Emmanuela Orsini, Peter Scholl

Tin inyKeys: : A new approach to efficient multi-party computation Carmit Hazay, Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vazquez Motivation Large number of users want to conduct surveys, auctions, statistical analysis, measure

1.62k views • 30 slides
TinyKeys: A New Approach to Efficient Multi-Party Computation Carmit Hazay , Emmanuela Orsini,

TinyKeys: A New Approach to Efficient Multi-Party Computation Carmit Hazay , Emmanuela Orsini,

TinyKeys: A New Approach to Efficient Multi-Party Computation Carmit Hazay , Emmanuela Orsini, Peter Scholl and Eduardo Soria-Vazquez Based on slides prepared by Peter Scholl and Eduardo Soria-Vazquez Secure Multi-Party Computation (MPC)

756 views • 36 slides
Drago Rotaru and Tim Wood University of Bristol, KU Leuven * https://ia.cr/2019/207 Drago

Drago Rotaru and Tim Wood University of Bristol, KU Leuven * https://ia.cr/2019/207 Drago

INDOCRYPT 2019 MArBled Circuits: Mixing Arithmetic and Boolean Circuits with Active Security* Drago Rotaru and Tim Wood University of Bristol, KU Leuven * https://ia.cr/2019/207 Drago Rotaru 1 imec-Cosic, Dept. Electrical Engineering What

758 views • 60 slides
A universal MPC machine* Drago Rotaru University of Bristol, KU Leuven *MArBled Circuits:

A universal MPC machine* Drago Rotaru University of Bristol, KU Leuven *MArBled Circuits:

DIMACS Workshop 2019 A universal MPC machine* Drago Rotaru University of Bristol, KU Leuven *MArBled Circuits: Mixing Arithmetic and Boolean Circuits with Active Security; Joint work with Tim Wood. https://ia.cr/2019/207 Drago

685 views • 49 slides

More recommend