medusa
play

Medusa: Microarchitectural Data Leakage via Automated Attack - PowerPoint PPT Presentation

Aug 01, 2023 •495 likes •1.14k views

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

  1. Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis • Daniel Moghimi • Moritz Lipp • Berk Sunar • Michael Schwarz

  2. 2018: Meltdown Attack? 2

  3. 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers Kernel Space P A S S W O R D 0xf…81a0123 256 different CPU Cache Line 3

  4. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 4

  5. 2018: Meltdown Attack? (Step 1) Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 5

  6. 2018: Meltdown Attack? (Step 1) Virtual Address Space Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 6

  7. 2018: Meltdown Attack? (Step 2) Virtual Address Space Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 7

  8. 2018: Meltdown Attack? (Step 2) Virtual Address Space Fault Fault Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 8

  9. 2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 9

  10. 2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 10

  11. 2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 11

  12. 2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers Kernel Space ‘ P ’ = 0x50 P A S S W O R D 256 different CPU Cache Line 12

  13. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but you can still leak on the fix hardware. whatever • Which part of the CPU leak the data?! • Why does it leak? 13

  14. CPU Memory Subsystem – Leaky Buffers Memory Subsystem Store Buffer MSBDS DATA PFN [8:0] VFN Offset DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer MLPDS Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … VFN Offset DATA PFN MFBDS L2 L3 L1TF DRAM 14 14 14

  15. Memory Canonical Access #GP Virtual Address VFN Offset 15

  16. Y Y Memory Canonical TLB Perm. Access PMH #GP Virtual Address VFN Offset PTE P Physical Page Number RW US … A … … 16

  17. Y Y Y Memory Canonical TLB Perm. Present Access PMH #GP #PF Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 17

  18. Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH #GP #PF Bit Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 18

  19. Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH Y #GP #PF Bit Aligned Vector #GP Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 19

  20. Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH Y #GP #PF Bit Y Y Y Y TSX False Cache Aligned Cached Failure Store Dep. Aligned Vector #RTM Hazard Cache Miss Split #GP Recovery Handler Cache Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 20

  21. Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) 21

  22. Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) • No public tool to find new variants or to verify hardware patches: • Too many things to test (Addressing mode, cache state, assists, and faults) • Previous POCs may not work after MC update, but what does it mean? 22

  23. Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) • No public tool to find new variants or to verify hardware patches: • Too many things to test (Addressing mode, cache state, assists, and faults) • Previous POCs may not work after MC update, but what does it mean? • Impossible to quantify the impact of leakage: • We should care about leakage rate and what data is leaked. • My POC is faster than your POC!! 23

  24. Transynther 24

  25. Transynther (Fuzzing-based Random MDS Testing) Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 25

  26. Transynther (Fuzzing-based Random MDS Testing) TLB Canonical Cache Aligned Cached Aligned Vector Perm. Step 1: False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 26

  27. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 27

  28. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 28

  29. Transynther (Fuzzing-based MDS Testing) 29

  30. Transynther (Fuzzing-based MDS Testing) 30

  31. Transynther (Fuzzing-based MDS Testing) 31

  32. 32

  33. 33

  34. MDS Attacks - Insights • Almost any exception/assist can leak from any buffer • The CPU must flush the pipeline before executing an assist. • Upon an Exception/Fault/Assist on a Load, Intel CPUs: • Execute the load until the last stage. • Flush the pipeline at the retirement stage (Cheap Recovery Logic). • Continue the load with some data to reach the retirement stage. • Which data? (Fill buffer, Store Buffer, Load Buffer) • Which one will be leaked first? (First come first serve) 34

  35. 35

  36. Medusa Attack • Medusa only leaks the Write Combining Data • Implicit WC, i.e., ‘rep mov’, ‘rep sto ’, can be leaked. • Memory Copy Routines • File IO • Served by a Write Combining Buffer (or just the the Fill Buffer). • Advantages: • Prefiltered data • Less Noise • More targeted 36

  37. Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 37

  38. Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 38

  39. Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 39

  40. Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Common Data Bus?! 40

  41. Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load 41

  42. Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QRSTUVWX YZ… 42

  43. Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QRSTUVWX YZ… 43

  44. Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP Q RSTUVWX YZ… 44

  45. Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QR STUVWX YZ… 45

  46. Medusa Attack – V3 Shadow REP MOV • A REP MOV that fault on the load leaks: • the data from the legitimate store address • but also the data from the REP MOV running on the hyper thread HT 1: REP MOV HT 1: REP MOV Valid Store, Faulty Load Valid Store, Faulty Load AAAAAAAAAAAAAAAA ABCDEFGHIJKLMNOP AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Medusa Explorations www.medusa-online.com fenny@medusa-online.com Sensing Soil Physical

Medusa Explorations www.medusa-online.com fenny@medusa-online.com Sensing Soil Physical

Fenny van Egmond Medusa Explorations www.medusa-online.com fenny@medusa-online.com Sensing Soil Physical Properties Slide n 1 Physical soil properties Soil physical properties measured in 2012 and 2015 to: - Provide quantitative data for

593 views • 22 slides
Medusa Simplified Graph Processing on GPUs Motivation Graph processing algorithms are often

Medusa Simplified Graph Processing on GPUs Motivation Graph processing algorithms are often

Medusa Simplified Graph Processing on GPUs Motivation Graph processing algorithms are often inherently parallel GPUs consist of many processors running in parallel But writing this code is hard The Solution... Medusa is a

735 views • 18 slides
Network distribution in music applications with Medusa Fl avio Luiz SCHIAVONI Marcelo QUEIROZ

Network distribution in music applications with Medusa Fl avio Luiz SCHIAVONI Marcelo QUEIROZ

Network distribution in music applications with Medusa Network distribution in music applications with Medusa Fl avio Luiz SCHIAVONI Marcelo QUEIROZ Computer Science Department University of S ao Paulo S ao Paulo Brazil, { fls, mqz

386 views • 17 slides
Early Diagenesis Modelling with MEDUSA Guy Munhoven Laboratory for Planetary and Atmospheric

Early Diagenesis Modelling with MEDUSA Guy Munhoven Laboratory for Planetary and Atmospheric

Early Diagenesis Modelling with MEDUSA Guy Munhoven Laboratory for Planetary and Atmospheric Physics Fonds de la Recherche ScientifiqueFNRS AWI Bremerhaven 19th September 2017 Terrestrial Atmosphere and Carbon Cycle Atmosphere ocean

196 views • 16 slides
Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016

Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016

Medusa A disassembler and something more... Angelin Njakasoa BOOZ LSE Summer Week 2016 Quarkslab Angelin Njakasoa BOOZ (LSE Summer Week 2016) Medusa LSE Week 2016 1 / 20 Presentation Whoami? Where do I work? What do I do? Angelin

453 views • 20 slides
MEDUSA Quantitative Airborne Pollution Surveillance: Technology and Recent Results Presented by

MEDUSA Quantitative Airborne Pollution Surveillance: Technology and Recent Results Presented by

MEDUSA Quantitative Airborne Pollution Surveillance: Technology and Recent Results Presented by : Dr. Theo Hengstermann Business Development & Sales Optimare Systems GmbH Overview Company Introduction Airborne Pollution

289 views • 26 slides
PROJECT M EDU S A PROJECT M EDU S A Pact o por la Educacin La calidad, compromiso de todos

PROJECT M EDU S A PROJECT M EDU S A Pact o por la Educacin La calidad, compromiso de todos

CONSEJ ERA DE EDUCACIN CULTURA Y DEPORTES mEDUXa Educational linux distribution of the Canarian Goverment ANTONIO J IM NEZ M ORILLA MEDUSA TECHNICAL COORDINATOR OF INFRAESTRUCTURE & SYSTEMS AGUSTN BENITO BETHENCOURT DEVELOPER

485 views • 36 slides
Co- -located halogenated greenhouse gases located halogenated greenhouse gases Co measurements

Co- -located halogenated greenhouse gases located halogenated greenhouse gases Co measurements

Materials Sci ence & Technolog y Co- -located halogenated greenhouse gases located halogenated greenhouse gases Co measurements by GC- -ECDs ECDs and and measurements by GC Medusa- -GC/MS at the GC/MS at the Shangdianzi Shangdianzi

677 views • 26 slides
Women in Technology All Star Panel Moderated by: Debra Lilley, Associate Director at

Women in Technology All Star Panel Moderated by: Debra Lilley, Associate Director at

Women in Technology All Star Panel Moderated by: Debra Lilley, Associate Director at Accenture Debra.liley@Accenture.com | @debralilley Past and future TechCasts: Analytics and Data User Community: www.AnalyticsandDataSummit.org

282 views • 12 slides
Project Design Genome 559: Introduction to Statistical and Computational Genomics Elhanan

Project Design Genome 559: Introduction to Statistical and Computational Genomics Elhanan

Project Design Genome 559: Introduction to Statistical and Computational Genomics Elhanan Borenstein Hypothesis: The average degree in the metabolic networks of Prokaryotes is higher than the average degree in the metabolic networks of

539 views • 17 slides
Askaryan Calorimeter Experiment (ACE) Gary CPAD 2019 Carsten 1 / 20 Waveguides Microwave

Askaryan Calorimeter Experiment (ACE) Gary CPAD 2019 Carsten 1 / 20 Waveguides Microwave

Askaryan Calorimeter Experiment (ACE) Gary CPAD 2019 Carsten 1 / 20 Waveguides Microwave Cherenkov Impulses in Dielectric-loaded Picosecond Timing of High-Energy Particle Showers using Remy Prechelt 1 Peter Gorham 1 Christian Miki 1

490 views • 20 slides
CS 133 - Introduction to Computational and Data Science Instructor: Renzhi Cao Computer Science

CS 133 - Introduction to Computational and Data Science Instructor: Renzhi Cao Computer Science

1 CS 133 - Introduction to Computational and Data Science Instructor: Renzhi Cao Computer Science Department Pacific Lutheran University Spring 2017 Probability Quiz #3. Check Sakai for exercises. In the previous class, we learned

502 views • 14 slides
America Connects to Europe (ACE) and TransPAC3 (TP3) TransPAC3 (TP3) James Williams Director

America Connects to Europe (ACE) and TransPAC3 (TP3) TransPAC3 (TP3) James Williams Director

America Connects to Europe (ACE) and TransPAC3 (TP3) TransPAC3 (TP3) James Williams Director International Networking Director, International Networking williams@indiana.edu Presented by Jacqueline Brown Jacqueline.pacificwave@gmail.com Jim

653 views • 11 slides
Sampling from a Small Population Slides developed by Mine etinkaya-Rundel of OpenIntro The

Sampling from a Small Population Slides developed by Mine etinkaya-Rundel of OpenIntro The

Sampling from a Small Population Slides developed by Mine etinkaya-Rundel of OpenIntro The slides may be copied, edited, and/or shared via the CC BY-SA license Some images may be included under fair use guidelines (educational purposes)

352 views • 8 slides
Cyber Risk Management and Loss Mitigation Services The Convergence of Information Sharing,

Cyber Risk Management and Loss Mitigation Services The Convergence of Information Sharing,

Cyber Risk Management and Loss Mitigation Services The Convergence of Information Sharing, Technology, and Insurance Sponsored by: Cyber Risk Management and Loss Mitigation Services The Convergence of Information Sharing, Technology, and

340 views • 20 slides
A Comparison of Angiotensin Receptor- Neprilysin Inhibition (ARNI) With ACE Inhibition in the

A Comparison of Angiotensin Receptor- Neprilysin Inhibition (ARNI) With ACE Inhibition in the

A Comparison of Angiotensin Receptor- Neprilysin Inhibition (ARNI) With ACE Inhibition in the Long-Term Treatment of Chronic Heart Failure With a Reduced Ejection Fraction Milton Packer, John J.V. McMurray, Akshay S. Desai, Jianjian Gong,

599 views • 32 slides
FUN FLO FRIDAY - Synchronous Sandbox Session in Collaborate Ultra Hosted by Helena Prins,

FUN FLO FRIDAY - Synchronous Sandbox Session in Collaborate Ultra Hosted by Helena Prins,

FUN FLO FRIDAY - Synchronous Sandbox Session in Collaborate Ultra Hosted by Helena Prins, Advisor, BCcampus Facilitator: Lauren Halcomb-Smith Helena Prins BCcampus hprins@bccampus.ca June 19, 2020 Welcome to Collaborate Ultra! Please mute

614 views • 24 slides
Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs

Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs

Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs Semantic Parsing Dependency parsing models the syntactic structure between words in a sentence. Dependency Parsing vs Semantic Parsing

637 views • 31 slides
In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at http://marijnhaverbeke.nl/talks/goto2012) a 3-part talk: state of the art inspirational demo implementation war stories textarea schmextarea who's who ACE

939 views • 24 slides
Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline Background q What are bandits? q Motivations Data poisoning attacks on stochastic bandits q Offline model q Online model q Simulation results

218 views • 17 slides
Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior

Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior

Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior professor of Medicine University of Gothenburg Professor of Cardiology Imperial College, London Disclosures: Honoraria/Consultancy: Amgen,

499 views • 45 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University {

Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University {

Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University { jsteinhardt,pliang } @cs.stanford.edu May 1, 2013 J. Steinhardt & P. Liang (Stanford) Filtering with Abstract Particles May 1, 2013 1 / 12 Motivation

651 views • 34 slides
An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding 21. All face cards count as 10, and an Ace can be About this class worth either 1 or 11. Back to MDPs Game proceeds as follows: two cards are

435 views • 9 slides

More recommend