cache storage channels alias driven attacks formally
play

Cache Storage Channels Alias-driven Attacks Formally Verified - PowerPoint PPT Presentation

Feb 20, 2024 •35 likes •675 views

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

  1. Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks

  2. Formally Verified Platforms

  3. Formally Verified Platforms

  4. Caches Excluded Formally Verified from the analysis Platforms

  5. Caches Excluded Formally Verified from the analysis Platforms

  6. Caches Excluded Formally Verified from the analysis Platforms

  7. Caches Excluded Formally Verified from the analysis Platforms

  8. Caches Excluded Formally Verified from the analysis Platforms Models should be Sound

  9. Caches Excluded Formally Verified from the analysis Platforms Models should be Sound Storage Channels can invalidate results

  10. Cacheable (std-memory) Virtual MMU Address Non-cacheable (devices) Page T ables Incoherent Cache Behaviors

  11. Mismatched cacheability attributes

  12. Mismatched cacheability attributes do not do this

  13. Mismatched cacheability attributes Please, do not do this

  14. Mismatched cacheability attributes Please, do not do this Incoherent Cache Behaviors

  15. Mismatched cacheability attributes Please, do not do this Incoherent Cache Behaviors ARM-terminology: unexpected cache hit if the data cache reports a hit on a memory location that is marked as non- cacheable, the cache might access the memory disregarding such hit.

  16. OS OS Hypervisor Scenarios

  17. ARM OS OS OS TrustZone Service Hypervisor Scenarios

  18. ARM OS OS OS TrustZone Service Hypervisor Device User Driver Process Scenarios Kernel

  19. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  20. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  21. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  22. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  23. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  24. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  25. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  26. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  27. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 0 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  28. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  29. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  30. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  31. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  32. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  33. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  34. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  35. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  36. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

  37. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … D = = 0 u s e ( V A _ c )

  38. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … D = = 0 u s e ( V A _ c )

  39. Attacker w r i t e ( V A _ n c , 0 ) … memory w r i t e ( V A _ n c , 1 ) VA_nc 1 f r e e ( V A _ n c ) Victim PA cache D = a c c e s s ( V A _ c ) line dirty VA_c … 0 F D = a c c e s s ( V A _ c ) i f n o t p o l i c y ( D ) R e j e c t ( ) … e v i c t i o n u s e ( V A _ c )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve

An Analytical Model for Tim e-Driven Cache Attacks Kris Tiri Onur Ac imez Michael Neve Flemming Andersen Outline Motivation Cache attacks: origins, time-driven attack Strength of an implementation Analytical model of

685 views • 19 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
CDAC: Content-Driven Deduplication-Aware Storage Cache Yujuan Tan , Jing Xie, Congcong Xu, Zhichao

CDAC: Content-Driven Deduplication-Aware Storage Cache Yujuan Tan , Jing Xie, Congcong Xu, Zhichao

CDAC: Content-Driven Deduplication-Aware Storage Cache Yujuan Tan , Jing Xie, Congcong Xu, Zhichao Yan, Hong Jiang, Yajun Zhao, Min Fu, Xianzhang Chen, Duo Liu, Wen Xia Outline Introduction and Motivation Design of CDAC Performance

863 views • 42 slides
1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

Alias Analysis Aliasing Last time What is aliasing? Midterm When two expressions denote the same mutable memory location e.g., p = new Object; Today q = p; * p and * q alias Alias analysis (pointer analysis) How do aliases

162 views • 5 slides
S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer,

S CATTER C ACHE : Thwarting Cache Attacks via Cache Set Randomization Werner, Unterluggauer, Giner, Schwarz, Gruss, Mangard August 15, 2019 Graz University of Technology What is S CATTER C ACHE ? www.tugraz.at Alternative design for n-way

460 views • 27 slides
DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan Contents Background DNS Cache Poisoning Part I: Infer

934 views • 23 slides
Replacement with Utility-Driven Adaptation Cong Li, Intel Corporation 12 th ACM International

Replacement with Utility-Driven Adaptation Cong Li, Intel Corporation 12 th ACM International

CLOCK-Pro+: Improving CLOCK-Pro Cache Replacement with Utility-Driven Adaptation Cong Li, Intel Corporation 12 th ACM International Systems & Storage Conference (SYSTOR 2019) Outline Introduction: Cache & Page Replacement

1.34k views • 35 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront

Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront

Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront Maya is one of the greatest and most complex computer programs ever made. Alias Maya Alias Maya Maya has many features as default. Maya

898 views • 65 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia , Xinshu Dong , Zhenkai Liang , Prateek Saxena ! School of Computing, National University of Singapore ! Advanced Digital

496 views • 28 slides
DNSSEC aggressive cache (RFC 8198) Protection from random subdomain attacks Petr paek

DNSSEC aggressive cache (RFC 8198) Protection from random subdomain attacks Petr paek

DNSSEC aggressive cache (RFC 8198) Protection from random subdomain attacks Petr paek petr.spacek@nic.cz 2018-05-16 Talk outline Aggressive cache theory expectations efficiency Normal traffic measurements

823 views • 30 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

1.36k views • 120 slides
Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig

Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig

Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig Thomas Dillig Alex Aiken Stanford University Isil Dillig Thomas Dillig Alex Aiken Symbolic Heap Abstraction with Demand-Driven Axiomatization

1.62k views • 123 slides
Efficient Memory Tracing by Program Skeletonization Alain Ketterlin Philippe Clauss Universit

Efficient Memory Tracing by Program Skeletonization Alain Ketterlin Philippe Clauss Universit

Efficient Memory Tracing by Program Skeletonization Alain Ketterlin Philippe Clauss Universit de Strasbourg (France) INRIA (CAMUS team, Centre Nancy Grand-Est) CNRS (LSIIT, UMR 7005) 2011 IEEE International Symposium on Performance

186 views • 16 slides
Kernel dynamic memory allocation tracking and reduction Consumer Electronics Work Group Project

Kernel dynamic memory allocation tracking and reduction Consumer Electronics Work Group Project

Kernel dynamic memory allocation tracking and reduction Consumer Electronics Work Group Project 2012 Ezequiel Garca Memory reduction and tracking Why do we care? Tiny embedded devices (but really tiny) Virtualization: might be

1.19k views • 52 slides
Virtual Memory Anne Bracy CS 3410 Computer Science Cornell University The slides are the

Virtual Memory Anne Bracy CS 3410 Computer Science Cornell University The slides are the

Virtual Memory Anne Bracy CS 3410 Computer Science Cornell University The slides are the product of many rounds of teaching CS 3410 by Professors Weatherspoon, Bala, Bracy, McKee, and Sirer. P & H Chapter 5.7 Picture Memory as ? Byte

571 views • 35 slides
Reduction of Operating System Jitter Caused by Page Reclaim Yoshihiro Oyama 1,3 Shun Ishiguro 1

Reduction of Operating System Jitter Caused by Page Reclaim Yoshihiro Oyama 1,3 Shun Ishiguro 1

Reduction of Operating System Jitter Caused by Page Reclaim Yoshihiro Oyama 1,3 Shun Ishiguro 1 Jun Murakami 1 Shin Sasaki 1 Ryo Matsumiya 1 Osamu Tatebe 2,3 1. The University of Electro-Communications 2. University of Tsukuba 3. Japan Science

701 views • 30 slides
Memory Sean Barker 1 Memory Addresses Sean Barker 2 Endianness int x = 0x01234567; // stored

Memory Sean Barker 1 Memory Addresses Sean Barker 2 Endianness int x = 0x01234567; // stored

Memory Sean Barker 1 Memory Addresses Sean Barker 2 Endianness int x = 0x01234567; // stored at address 0x100 Big Endian 0x100 0x101 0x102 0x103 01 01 23 23 45 45 67 67 Little Endian 0x100 0x101 0x102 0x103 67 45 23 01 67 45

369 views • 13 slides
DSAGEN: Synthesizing Programmable Spatial Accelerators Jian Weng, Sihao Liu, Vidushi Dadu,

DSAGEN: Synthesizing Programmable Spatial Accelerators Jian Weng, Sihao Liu, Vidushi Dadu,

DSAGEN: Synthesizing Programmable Spatial Accelerators Jian Weng, Sihao Liu, Vidushi Dadu, Zhengrong Wang, Preyas Shah, Tony Nowatzki University of California, Los Angeles May 15 th , 2020 1 Existing Domain-Specific Approach: Specialized

581 views • 30 slides
CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From

CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From

X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Week ACL-based permissions (UNIX style)

672 views • 28 slides

More recommend