from bottom to top exploiting hardware side channels in
play

From bottom to top: Exploiting hardware side channels in web - PowerPoint PPT Presentation

Dec 26, 2023 •578 likes •2.37k views

From bottom to top: Exploiting hardware side channels in web browsers Cl ementine Maurice, Graz University of Technology July 4, 2017RMLL, Saint- Etienne, France Rennes Graz Cl ementine Maurice now postdoc at TU Graz, Austria PhD

  1. DRAM side channels? • row buffers are caches • we can observe timing differences • how to exploit these timing differences? • target addresses in the same channel, rank and bank • but DRAM mapping functions are undocumented 12

  2. DRAM side channels? • row buffers are caches • we can observe timing differences • how to exploit these timing differences? • target addresses in the same channel, rank and bank • but DRAM mapping functions are undocumented → we reverse-engineered them! � https://github.com/IAIK/drama P. Pessl et al. “DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks”. In: USENIX Security Symposium . 2016 12

  3. DRAMA: DRAM Addressing attacks • infer behavior from memory accesses similarly to cache attacks 13

  4. DRAMA: DRAM Addressing attacks • infer behavior from memory accesses similarly to cache attacks • works across VMs, across cores, across CPUs 13

  5. DRAMA: DRAM Addressing attacks • infer behavior from memory accesses similarly to cache attacks • works across VMs, across cores, across CPUs • covert channels and side-channel attacks 13

  6. DRAMA: DRAM Addressing attacks • infer behavior from memory accesses similarly to cache attacks • works across VMs, across cores, across CPUs • covert channels and side-channel attacks • covert channel: two processes communicating with each other • not allowed to do so, e.g., across VMs 13

  7. DRAMA: DRAM Addressing attacks • infer behavior from memory accesses similarly to cache attacks • works across VMs, across cores, across CPUs • covert channels and side-channel attacks • covert channel: two processes communicating with each other • not allowed to do so, e.g., across VMs • side-channel attack: one malicious process spies on benign processes • e.g., spies on keystrokes 13

  8. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 14

  9. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... copy 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  10. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1: sender transmits 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  11. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1: sender transmits 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender accesses row j � = i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... copy 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  12. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1: sender transmits 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender accesses row j � = i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  13. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1: sender transmits 1 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender accesses row j � = i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 next receiver access → copy row buffer ... copy 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  14. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1: sender transmits 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender accesses row j � = i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 next receiver access → copy row buffer ... → slow 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  15. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2: sender transmits 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  16. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2: sender transmits 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender does nothing 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  17. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2: sender transmits 0 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender does nothing 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 next receiver access → already in buffer ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  18. DRAMA covert channel DRAM bank sender and receiver agree on one bank receiver continuously accesses a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2: sender transmits 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 sender does nothing 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 next receiver access → already in buffer ... → fast 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 0 0 0 0 0 0 0 0 14

  19. Two applications can covertly communicate with each other But can we use that for spying?

  20. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  21. DRAMA side-channel attacks DRAM bank spy and victim share a row i activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  22. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 victim accesses row i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  23. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 victim accesses row i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row i , no copy ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  24. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 victim accesses row i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row i , no copy ... → fast 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  25. DRAMA side-channel attacks DRAM bank spy and victim share a row i activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  26. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 no victim access on row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  27. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2 activate 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 no victim access on row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row i , copy to row buffer ... 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  28. DRAMA side-channel attacks DRAM bank spy and victim share a row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 case #2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row j � = i , copy to row buffer 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 no victim access on row i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 spy accesses row i , copy to row buffer ... → slow 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 row buffer 16

  29. Spying on keystrokes on the Firefox URL bar • side-channel: template attack • allocate a large fraction of memory to be in a row with the victim • profile memory and record row-hit ratio for each address 300 Access time 250 200 w w w . f a c e b o o k . c o m 150 0 2 4 10 12 14 6 8 Time in seconds 17

  30. I’m sure we’ll need to write a lot of C code At least we’re safe with JavaScript!

  31. Member Rowhammer.js?

  32. DRAM covert channels in JavaScript?

  33. Why JavaScript? • JavaScript is code executed in a sandbox 20

  34. Why JavaScript? • JavaScript is code executed in a sandbox • can’t do anything nasty since it is in a sandbox, right? 20

  35. Why JavaScript? • JavaScript is code executed in a sandbox • can’t do anything nasty since it is in a sandbox, right? • except side channels are only doing benign operations 20

  36. Why JavaScript? • JavaScript is code executed in a sandbox • can’t do anything nasty since it is in a sandbox, right? • except side channels are only doing benign operations 1. accessing their own memory 20

  37. Why JavaScript? • JavaScript is code executed in a sandbox • can’t do anything nasty since it is in a sandbox, right? • except side channels are only doing benign operations 1. accessing their own memory 2. measuring time 20

  38. Challenges with JavaScript 1. No knowledge about 2. No instruction to 3. No high-resolution physical addresses flush the cache timers 21

  39. #1. No knowledge about physical addresses • OS optimization: use Transparent Huge Pages (THP, 2MB pages) • = last 21 bits (2MB) of physical address • = last 21 bits (2MB) of virtual address 22

  40. #1. No knowledge about physical addresses • OS optimization: use Transparent Huge Pages (THP, 2MB pages) • = last 21 bits (2MB) of physical address • = last 21 bits (2MB) of virtual address → which JS array indices? 22

  41. #1. Obtaining the beginning of a THP Access time [ns] 10 6 10 4 10 2 0 2 4 10 12 14 6 8 Array index [MB] • physical pages for these THPs are mapped on-demand → page fault when an allocated THP is accessed for the first time D. Gruss et al. “Practical Memory Deduplication Attacks in Sandboxed JavaScript”. In: ESORICS’15 . 2015. 23

  42. #1. Choosing physical addresses • we now know the last 21 bits of physical addresses • enough for most systems, e.g., Sandy Bridge with DDR3 BA0 BA1 BA2 Rank ... 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 ... Ch. 24

  43. #2. No instruction to flush the cache CPU core • measure DRAM timing CPU • only non-cached accesses reach DRAM cache • no clflush instruction → evict data with other memory accesses DRAM 25

  44. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  45. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  46. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  47. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  48. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  49. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  50. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  51. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  52. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses load cache set D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

  53. #2. Bypassing the CPU cache: Basic idea • evicting cache line only using memory accesses cache set • it’s a bit more complicated than that: replacement policy is not LRU D. Gruss et al. “Rowhammer.js: A Remote Sofware-Induced Fault Attack in JavaScript”. In: DIMVA’16 . 2016. 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni

Screaming Ch Channels When Electromagnetic Side Channels Meet Radio Transceivers Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurlien Francillon Whats this all about? - A nov novel attack ex exploiting g EM side

886 views • 77 slides
Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

491 views • 46 slides
Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

1.24k views • 102 slides
Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab

Non-transient Side Channels Mengjia Yan Fall 2020 6.888 L5-Non-transient Side Channels 1 Lab Assignment Handout on course website Each (regular) student will receive an email Solo or 2-person group Individual GitHub repo

978 views • 42 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other faces youll see Lejla Batina lectures on side-channels Anna Guinet & Niels Samwel JavaCard project & side-channel lab 2 This course:

424 views • 9 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny,

FUCHSIA: Data-Driven Debugging for Functional Side Channels Saeid Tizpaz-Niari* , Pavol Cerny, Ashutosh Trivedi *University of Colorado Boulder Functional Case Motivation Side Channels Studies Functional Case Motivation Side Channels

366 views • 24 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel

Side Channels CS 161: Computer Security Prof. David Wagner April 23, 2013 UI Side Channel Snooping Scenario: Ann the Attacker works in a building across the street from Victor the Victim. Late one night Ann can see Victor hard at work in

727 views • 44 slides
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations Hongil Kim* ,

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations Hongil Kim* ,

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations Hongil Kim* , Dongkwan Kim* , Minhee Kwon, Hyeongseok Han, Yeongjin Jang, Taesoo Kim, Dongsu Han, Yongdae Kim 1 VoLTE = Voice over LTE 4G LTE: All-IP based

1.16k views • 113 slides
CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia

CSE 127: I ntroduction to Security Lecture 16: Side Channels and Constant-Time Code Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Side-channel attacks You saw before how timing

1.37k views • 81 slides
Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational

Reducing Dynamic Power in Streaming CNN Hardware Accelerators by Exploiting Computational Redundancies Duvindu Piyasena, Rukshan Wickramasinghe, Debdeep Paul, Siew-Kei Lam and Meiqing Wu School of Computer Science and Engineering (SCSE)

334 views • 10 slides
Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon,

Nomad : Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration Soo-Jin Moon, Vyas Sekar Michael K. Reiter Co-residency side-channel attacks in clouds Stealing secrets (e.g., keys) VM VM VM Machine Machine Many

1.03k views • 69 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Dynamics of Lunar mantle evolution: exploring the role of compositional buoyancy E.M. Parmentier

Dynamics of Lunar mantle evolution: exploring the role of compositional buoyancy E.M. Parmentier

Dynamics of Lunar mantle evolution: exploring the role of compositional buoyancy E.M. Parmentier Brown University September 26, 2018 JAXA/NHK Global scale characteristics of the Moon 1) hemispheric crustal asymmetry a) mare basalt

508 views • 28 slides
New Directions in V&V Evidence, Arguments, and Automation John Rushby Computer Science

New Directions in V&V Evidence, Arguments, and Automation John Rushby Computer Science

New Directions in V&V Evidence, Arguments, and Automation John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I V&V: Evidence, Arguments, Automation 1 V&V for Fault Management

668 views • 32 slides
Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John

CSE 127: Computer Security Isolation and side-channels Nadia Heninger and Deian Stefan Some slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Today Lecture objectives: Understand basic principles for building secure systems

1.08k views • 78 slides
Process isolation, VMs and side channel Deian Stefan Slides adopted from Stefan Savage Process

Process isolation, VMs and side channel Deian Stefan Slides adopted from Stefan Savage Process

CSE 127: Computer Security Process isolation, VMs and side channel Deian Stefan Slides adopted from Stefan Savage Process Isolation Process boundary is a trust boundary Any inter-process interface is part of the attack surface How

681 views • 50 slides
Model exploration for approximation of complex high-dimensional problems. Olivier Zahm

Model exploration for approximation of complex high-dimensional problems. Olivier Zahm

M2:SIAM (2019-2020) Model exploration for approximation of complex high-dimensional problems. Olivier Zahm olivier.zahm@inria.fr Cl ementine Prieur clementine.prieur@univ-grenoble-alpes.fr Overview What is a model? What is a complex

320 views • 28 slides
How can machine learning help to predict changes in size of Atlantic herring? Olga Lyashevska

How can machine learning help to predict changes in size of Atlantic herring? Olga Lyashevska

How can machine learning help to predict changes in size of Atlantic herring? Olga Lyashevska Clementine Harma Deirdre Brophy Coilin Minto Maurice Clarke * Marine and Freshwater Research Centre Galway-Mayo Institute of Technology (GMIT)

507 views • 24 slides
What is Data Mining Many Definitions Search for valuable information in large amounts of

What is Data Mining Many Definitions Search for valuable information in large amounts of

What is Data Mining Many Definitions Search for valuable information in large amounts of data Automated or Semi Automated Exploration and Analysis of large volumes of data in order to discover meaningful patterns A step in KDD process

1.21k views • 54 slides
SimAgent: TOOLS FOR DESIGNING MINDS (A toolkit for philosophers and engineers) Aaron Sloman

SimAgent: TOOLS FOR DESIGNING MINDS (A toolkit for philosophers and engineers) Aaron Sloman

Oxford Computing Lab, 30 Jan 2001 Birmingham 13 Oct 2003 York 11 Feb 2004 SimAgent: TOOLS FOR DESIGNING MINDS (A toolkit for philosophers and engineers) Aaron Sloman http://www.cs.bham.ac.uk/axs/ School of Computer Science The

480 views • 46 slides

More recommend