lvi
play

LVI Hijacking Transient Execution with Load Value Injection Daniel - PowerPoint PPT Presentation

May 31, 2023 •255 likes •1.47k views

LVI Hijacking Transient Execution with Load Value Injection Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020 1 Daniel Gruss, Daniel Moghimi, Jo Van Bulck National Geographic Processor security: Hardware

  1. Spectre-PHT (v1) LUT index = 2; char* data = ”textKEY”; if (index < 4) then else Prediction Index ’x’ 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  2. Spectre-PHT (v1) LUT index = 3; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  3. Spectre-PHT (v1) LUT index = 3; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  4. Spectre-PHT (v1) LUT index = 3; char* data = ”textKEY”; if (index < 4) Speculate then else Index ’t’ Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  5. Spectre-PHT (v1) LUT index = 3; char* data = ”textKEY”; if (index < 4) then else Index ’t’ Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  6. Spectre-PHT (v1) LUT index = 4; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  7. Spectre-PHT (v1) LUT index = 4; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  8. Spectre-PHT (v1) LUT index = 4; Index ’K’ char* data = ”textKEY”; if (index < 4) Speculate then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  9. Spectre-PHT (v1) LUT index = 4; Index ’K’ char* data = ”textKEY”; if (index < 4) Execute then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  10. Spectre-PHT (v1) LUT index = 5; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  11. Spectre-PHT (v1) LUT index = 5; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  12. Spectre-PHT (v1) LUT index = 5; Index ’E’ char* data = ”textKEY”; if (index < 4) Speculate then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  13. Spectre-PHT (v1) LUT index = 5; Index ’E’ char* data = ”textKEY”; if (index < 4) Execute then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  14. Spectre-PHT (v1) LUT index = 6; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  15. Spectre-PHT (v1) LUT index = 6; char* data = ”textKEY”; if (index < 4) then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  16. Spectre-PHT (v1) LUT index = 6; char* data = ”textKEY”; Index ’Y’ if (index < 4) Speculate then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  17. Spectre-PHT (v1) LUT index = 6; char* data = ”textKEY”; Index ’Y’ if (index < 4) Execute then else Prediction 0 LUT[data[index] * 4096] 15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  18. ? ?

  19. Meltdown: Transiently encoding unauthorized memory Unauthorized access 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  20. Meltdown: Transiently encoding unauthorized memory Unauthorized access Transient out-of-order window oracle array secret idx 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  21. Meltdown: Transiently encoding unauthorized memory Unauthorized access Transient out-of-order window Exception (discard architectural state) 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  22. Meltdown: Transiently encoding unauthorized memory Unauthorized access Transient out-of-order window Exception handler oracle array cache hit 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  23. Meltdown variants: Microarchitectural buffers CDB Reorder buffer L1 Instruction Cache ITLB µ OP µ OP µ OP µ OP µ OP µ OP µ OP µ OP Scheduler Execution Engine Branch Instruction Fetch & PreDecode Predictor µ OP µ OP µ OP µ OP µ OP µ OP µ OP µ OP Frontend Instruction Queue Store data Load data Load data ALU, AES, ... ALU, FMA, ... ALU, Vect, ... ALU, Branch 4-Way Decode AGU µ OP Cache µ OPs µ OP µ OP µ OP µ OP MUX Execution Units Allocation Queue µ OP µ OP µ OP µ OP Memory Subsystem Load Buffer Store Buffer DTLB STLB L1 Data Cache LFB L2 Cache L3 Cache DRAM 17 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  24. The transient-execution zoo https://transient.fail PHT-CA-IP Cross-address-space PHT-CA-OP Spectre-PHT PHT-SA-IP Same-address-space PHT-SA-OP BTB-CA-IP Cross-address-space BTB-CA-OP Spectre-BTB Spectre-type BTB-SA-IP Same-address-space BTB-SA-OP RSB-CA-IP Cross-address-space RSB-CA-OP Spectre-RSB Spectre-STL RSB-SA-IP Same-address-space RSB-SA-OP Meltdown-US-L1 Transient cause Meltdown-US Meltdown-US-LFB Meltdown-US-SB Meltdown-NM-REG Meltdown-P-L1 Meltdown-PF Meltdown-P-LFB Meltdown-P Meltdown-P-SB Meltdown-RW Meltdown-P-LP Meltdown-PK-L1 Meltdown-SM-SB Meltdown-type Meltdown-MPX Meltdown-BR Meltdown-BND Meltdown-CPL-REG Meltdown-GP Meltdown-NC-SB Meltdown-AD-LFB Meltdown-AD Meltdown-MCA Meltdown-AD-SB Meltdown-AVX-LP 18 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  25. ?

  28. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  29. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  30. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  31. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  32. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  33. LVI: The basic idea 20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  35. Enclaves to the rescue! App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Intel SGX promise: hardware-level isolation and attestation 21 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  36. Intel Sofware Guard Extensions (SGX) Application Untrusted part Trusted part Create Enclave Call Gate Trusted Fnc. Call Trusted Fnc. Return . . . Operating System 22 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  37. Intel SGX: A look under the hood paging unit SGX checks logical address physical address • SGX machinery protects against direct address remapping attacks 23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  38. Intel SGX: A look under the hood paging unit SGX checks logical address physical address page fault (#PF) • SGX machinery protects against direct address remapping attacks • ...but untrusted address translation may fault during enclaved execution (!) 23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  39. Intel SGX: A look under the hood paging unit SGX checks logical address physical address page fault (#PF) We can arbitrarily provoke page faults for trusted enclave loads! 23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

  40. A toy example 1 void c a l l v i c t i m ( s i z e t untrusted arg ) 2 { * arg copy = untrusted arg ; 3 array [ **trusted ptr * 4096]; 4 5 } 24 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018

Disclosures None How to Do a Knee Injection UCSF Primary Care Sports Medicine Conference 2018 Carlin Senter, MD Associate Professor Co-Director UCSF Sports Concussion Program Primary Care Sports Medicine University of California San

159 views • 5 slides
EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline

EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP BY: DIVINE SELORM TSA 18 AUG 2018 Outline Introduction Template Engines SSTI SSTI Methodology Tplmap Demo Remediation What is a template engine? Helps

818 views • 16 slides
Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland

Practical Exploitation Using A Malicious Service Set Identifier (SSID) Deral Heiland Introduction Deral Heiland, CISSP, GWAPT: Senior Security Engineer at CDW, responsible for security assessments, penetration tests and consulting for

596 views • 58 slides
3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with

3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with

3D Printed Injection Molds How Companies Are Economically Testing Functional Prototypes with 3DP-IM GIL ROBINSON 1 STRATASYS / THE 3D PRINTING SOLUTIONS COMPANY WE ARE THE 3D PRINTING SOLUTIONS COMPANY 2 FROM SYSTEMS TO SERVICE 3

552 views • 33 slides
Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems

Attacks August 28, 2019 Conference on Cryptographic Hardware and Atlanta, USA Embedded Systems

Shaping th the Glit litch: Claudio Bozzato 4 Riccardo Focardi 12 Francesco Palmarini 13 Optimizing Volt ltage 1 Ca Foscari University of Venice, 2 Cryptosense, Fault In Inje jection 3 Yarix, 4 Talos Attacks August 28, 2019 Conference on

369 views • 35 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive

Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive

Siva Hari Timothy Tsai, Mark Stephenson, Stephen W. Keckler, Joel Emer MOTIVATION Automotive and HPC systems need high resilience Need to evaluate resilience of applications Silent Data Corruption (SDC), Detected Unrecoverable Error (DUE)

368 views • 26 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D. Bigelow J.N. Martin J.W. Landry H. Okhravi Presenter: Jinghui Liao Outline Cyber Kill Chain Attack technique Moving-targets technique

562 views • 37 slides
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system Increase the complexity of cyber

442 views • 40 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge Cuellar 2 , Javier Lopez 1 1 NICS Lab University of Mlaga 2 Siemens AG, Munich E SORI CS 2012 10-14 Se pt. Pisa (I ta ly)

432 views • 25 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

MD1388: A tiv e Halo Con trol using narro w band exitation at injetion Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen , h 2 agner 2 Xu 2 Daniel V alu , Jos hk a W , C.

190 views • 7 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

1k views • 64 slides
Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily represent offjcial policy or position of my

510 views • 36 slides
Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words containing -tion . Teach When we see - tion in a word, it makes the sound /shun/. Look at these words below: attention potion section mention Teach

142 views • 13 slides
RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

Session 3 - Oscillators and PLLs A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring Oscillator Somok Mondal and Drew A. Hall University of California, San Diego La Jolla, CA, (USA) IEEE CICC, Austin, TX,

652 views • 29 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

588 views • 32 slides

More recommend