meltdown spectre attacks overview
play

Meltdown & Spectre Attacks Overview An analogy CPU cache and - PowerPoint PPT Presentation

Jun 10, 2023 •428 likes •732 views

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

  1. Meltdown & Spectre Attacks

  2. Overview • An analogy • CPU cache and use it as side channel • Meltdown attack • Spectre attack

  3. Microsoft Interview Question

  4. Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room

  5. CPU Cache

  6. From Lights to CPU Cache Question You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?

  7. Using CPU Cache to Remember Secret

  8. The FLUSH+RELOAD Technique Secret S FLUSH: RELOAD: Access memory Flush the Check which one location at S CPU Cache is in the cache

  9. FLUSH+RELOAD: The FLUSH Step Flush the CPU Cache

  10. FLUSH+RELOAD: The RELOAD Step

  11. The Meltdown Attack

  12. The Security Room and Guard

  13. Staying Alive: Exception Handling in C

  14. Out-Of-Order Execution

  15. Out-of-Order Execution How do I prove that the out-of-order execution has happened?

  16. Out-of-Order Execution Experiment Evidence of out-of-order execution

  17. Meltdown Attack: A Naïve Approach

  18. Improvement: Get Secret Cached Why does this help?

  19. Improve the Attack Using Assembly Code Execution Results

  20. Improve the Attack Using Statistic Approach

  21. Countermeasures • Fundamental problem is in the CPU hardware Expensive to fix • • Develop workaround in operating system • KASLR (Kernel Address Space Layout Randomization) Does not map any kernel memory in the user space, except for some parts • required by the x86 architecture (e.g., interrupt handlers) User-level programs cannot directly use kernel memory addresses, as such • addresses cannot be resolved

  22. The Spectre Attack

  23. Will It Be Executed? Will Line 3 be executed if x > size ?

  24. Out-Of-Order Execution

  25. Let’s Find a Proof size is 10 FLUSH RELOAD Training Invoke Flush the Check which one is Train CPU to go victim(97) CPU Cache in the cache to the true branch Evidence Not always working though

  26. Target of the Attack This protection pattern is widely used in software sandbox (such as those implemented inside browsers)

  27. The Spectre Attack spectreAttack(int larger_x)

  28. Attack Result Why is 0 in the cache? Success

  29. Spectre Variant and Mitigation • Since it was discovered in 2017, several Spectre variants have been found • Affecting Intel, ARM, and ARM • The problem is in hardware • Unlike Meltdown, there is no easy software workaround

  30. Summary • Stealing secrets using side channels • Meltdown attack • Spectre attack • A form of race condition vulnerability • Vulnerabilities are inside hardware • AMD, Intel, and ARM are affected

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative execution It allows a program

441 views • 16 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

1.58k views • 140 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

2.11k views • 184 slides
Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck ISSE Brussels, November 6, 2018 A primer on software security Secure

897 views • 58 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team 2018 10 Brands In Multiple Countries NL/DE Datacenters Spectre/Meltdown - Meltdown: melts security boundaries which are normally enforced by

305 views • 26 slides
Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

2/21/2018 Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up! Jos van Eijndhoven Synopsys {040CODERS.nl} Meetup 20180215 Jos van Eijndhoven Profession: IC design tools, Hobby: Processor design

545 views • 15 slides
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval Yarom (University of Adelaide and

243 views • 22 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim Kobeissi But Nadim, why are we covering this? 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Fixed confidentially across whole

365 views • 24 slides
arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to access system memory . Meltdown takes advantage of speculative execution , in particular its ability to meltdown security barrier

369 views • 8 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

335 views • 18 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

526 views • 25 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown

Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown

Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernel- memory locations Breaks all security assumptions given by address space

159 views • 13 slides
RECIPE : Converting Concurrent DRAM Indexes to Persistent-Memory Indexes Se Kwon Lee, Jayashree

RECIPE : Converting Concurrent DRAM Indexes to Persistent-Memory Indexes Se Kwon Lee, Jayashree

RECIPE : Converting Concurrent DRAM Indexes to Persistent-Memory Indexes Se Kwon Lee, Jayashree Mohan, Sanidhya Kashyap * , Taesoo Kim, Vijay Chidambaram *On the job market 1 Persistent Memory (PM) New storage class memory technology

1.01k views • 70 slides
Online Bigtable merge compaction Neal E. Young 1 Claire Mathieu Carl Staelin Arman Yousefia

Online Bigtable merge compaction Neal E. Young 1 Claire Mathieu Carl Staelin Arman Yousefia

Online Bigtable merge compaction Neal E. Young 1 Claire Mathieu Carl Staelin Arman Yousefia CNRS Paris Google Haifa UC Riverside UCLA Northeastern University, September 17, 2015 1 funded by faculty re$earch award BIGTABLE data storage

908 views • 57 slides
Ad-Hoc Problems Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of

Ad-Hoc Problems Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of

Introduction Games Strings and Such Time Wasters Ad-Hoc Problems Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Introduction Games Strings and Such Time Wasters Ad-Hoc Problems Your

548 views • 9 slides
HOW TO MAKE CHORD CORRECT Pamela Zave AT&T LaboratoriesResearch Florham Park, New Jersey,

HOW TO MAKE CHORD CORRECT Pamela Zave AT&T LaboratoriesResearch Florham Park, New Jersey,

HOW TO MAKE CHORD CORRECT Pamela Zave AT&T LaboratoriesResearch Florham Park, New Jersey, USA CHORD IS A DISTRIBUTED HASH TABLE: AN AD-HOC PEER-TO-PEER NETWORK identifier of a node (assumed IMPLEMENTING A unique) is an m-bit hash of

423 views • 40 slides
An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song,

An Open Framework for Architecting TEEs Dayeol Lee, David Kohlbrenner, Shweta Shinde, Dawn Song, and Krste Asanovic Trusted Execution Environment (TEE) Applications User Program and Data Remote OS Attestation Trustworthy Hardware

815 views • 50 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect

Linux Performance Analysis New Tools and Old Secrets Brendan Gregg Senior Performance Architect Performance Engineering Team bgregg@netflix.com @brendangregg Porting these to Linux Massive Amazon EC2 Linux cloud Tens of thousands of

864 views • 75 slides
ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD

ROUNDERS (1998) CASINO ROYALE (2006) HAND RANKINGS HIGH CARD HAND RANKINGS PAIR HIGH CARD HAND RANKINGS TWO PAIR PAIR HIGH CARD HAND RANKINGS THREE OF A KIND TWO PAIR PAIR HIGH CARD HAND RANKINGS STRAIGHT THREE OF A KIND TWO PAIR

1.1k views • 106 slides

More recommend