microarchitectural attacks and
play

Microarchitectural Attacks and Heterogenous Cloud Computing By - PowerPoint PPT Presentation

Oct 24, 2023 •374 likes •663 views

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

  1. Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi

  2. Outline Data Dependency ▪ SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks ▪ Intel SCAP: Protecting Accelerators in the Cloud ▪ 2

  3. Data Dependency add %ebx, %eax 1 sub %eax, %edx 2 xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 3

  4. Data Dependency - Pipelined Execuction add %ebx, %eax 1 IF ID sub %eax, %edx 2 IF xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 4

  5. Data Dependency - Pipelined Execuction add %ebx, %eax 1 IF ID EX sub %eax, %edx 2 IF ID xor %ecx, %ecx IF 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 5

  6. Data Dependency - Pipelined Execuction add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX xor %ecx, %ecx IF ID 3 add %eax, %edi IF 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 6

  7. Data Dependency - Pipelined Execuction add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX EX WB xor %ecx, %ecx IF ID 3 EX WB add %eax, %edi WB EX IF ID 4 EX WB IF ID sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 7

  8. 4K Aliasing False Dependency Memory loads/stores are executed out of order and speculatively ▪ The dependency is verified after the execution! ▪ mov %eax, (%ebx) Execute Execute Store Load Store mov (%ecx), %edx Load Dependent? Yes 4K Aliasing: Addresses that are 4K apart are assumed dependent ▪ Re-execute the load and corresponding instructions due to false dependency ▪ Virtual-to-physical address translation → Memory disambiguation ▪ 8

  9. SPOILER 9

  10. 1 MB Aliasing False Dependency 10

  11. 1 MB Aliasing False Dependency 11

  12. 1 MB Aliasing False Dependency 12

  13. Cross-Context Address Leakage? 13

  14. Rowhammer – Bank Colocation DRAM Banks are mapped based on the physical address ▪ 14

  15. Rowhammer – Detecting Contiguous Memory Memory is contiguous when the peaks 256 apart ▪ 15

  16. Cache Attacks Cache sets are mapped based on the physical address. ▪ https://github.com/UzL-ITS/Spoiler ▪ 16

  17. Optimized Application- ▪ specific Hardware Configuration e.g. Real-time Artificial ▪ Intelligence Accelerators in the Cloud 17

  18. Side channels on Heterogeneous Accelerators New Attack Surface: ▪ Accelerator Function Units (AFUs) placed on the FPGA can be used to interact with the CPU ▪ or other AFUs for malicious purpose. AFU to AFU Attack ▪ AFU to HPS Attack ▪ AFU to CPU Attack ▪ CPU to AFU Attack ▪ Across VMS ? ▪ Customizable Hardware → More Devastating Attacks ▪ E.g. Design your own timers, Direct access to memory interface, etc. ▪ Complex Threat Model ▪ 18

  19. Integrated FPGA-CPU Platforms 19

  20. Attack Vectors Rowhammer DMA/IOMMU Cache Attacks ▪ ▪ ▪ Trojan Bitstreams FPGA-centric Attacks Cold Boot ▪ ▪ ▪ 20

  21. Replicating μ Arch Attacks on FPGA-CPU Interface Memory Interface and the Cache Coherency Protocol ▪ Side-channel Analysis of Memory Operations ▪ 21

  22. Lab/Collaboration Setup Weekly Meeting ( 2 Faculty + 3 Students = 5 people are actively involved.) ▪ Software ▪ OPAE Stack ▪ Intel Quartus (Synthesis) ▪ KVM (Virtualization Scenario) ▪ Hardware ▪ Remote Access to Intel Labs (Xeon) ▪ Local Server including Intel PAC ▪ Heavy Load Workstation (Synthesis) ▪ 22

  23. Cache Attack and FPGAs 23

  24. Cache Attack and FPGAs 24

  25. WPI + Lubeck Team 25

  26. Other Works Transient Execution Attacks ▪ Schwarz et al. “ ZombieLoad: Cross-Privilege- Boundary Data Sampling” ▪ Minkin et al. “Fallout: Reading Kernel Writes From User Space” ▪ Microarchitectural Side Channels ▪ Islam et al. “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks” ▪ Moghimi et al. “ MemJam: A False Dependency Attack against Constant-Time Crypto ▪ Implementations” Intel SGX / TEE ▪ Moghimi et al. “ CacheZoom : How SGX Amplifies The Power of Cache Attacks” ▪ Cryptographic Implementations ▪ Wichelmann et al. “ MicroWalk : A Framework for Finding Side Channels in Binaries” ▪ Dall et al. “ CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache ▪ Attacks” Are remote timing attack being still a thing in 2019 !??! ▪ 26

  27. Acknowledgements Thanks to Carlos Rosaz, Matthias Schunter, Anand ▪ Rajan, Evan Custodio and Alpa Trivedi from Intel 27

  28. THANKS ▪ Questions? @danielmgmi 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universitt Bochum Outline Cloud and Cryptography Co-Location in the Cloud Cache Attacks in the

2.23k views • 37 slides
MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher Presented by Mengjia Yan MIT 6.888 Fall 2020 Why this paper? We have read

965 views • 42 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural Attacks Using Protean Code Jeremy Erickson Akshitha Sriraman Sai Gouravajhala jericks@umich.edu akshitha@umich.edu sairohit@umich.edu EECS 583:

331 views • 12 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

431 views • 21 slides
Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim, Christopher Torng, Shreesha Srinath, Derek Lockhart, and Christopher Batten Cornell University Cornell University IEEE/ACM International Symposium on

633 views • 31 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.

1.68k views • 138 slides
TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan Beckmann, Anurag Mukkara, Po-An Tsai MIT CSAIL MICRO-48 Tutorial December 5, 2015 Welcome! Agenda 4 8:30 9:10 Intro and Overview 9:10

1.53k views • 124 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem

1.59k views • 127 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

1.14k views • 63 slides
Introduction to Machine Learning Hyperparameter Tuning - Introduction

Introduction to Machine Learning Hyperparameter Tuning - Introduction

Introduction to Machine Learning Hyperparameter Tuning - Introduction compstat-lmu.github.io/lecture_i2ml MOTIVATING EXAMPLE Given a dataset, we want to train a classification tree. We feel that a maximum tree depth of 4 has worked out well for

499 views • 7 slides
Speaking Truth to Power: Using Student Data to Drive Early Support and School Improvement * 2

Speaking Truth to Power: Using Student Data to Drive Early Support and School Improvement * 2

Speaking Truth to Power: Using Student Data to Drive Early Support and School Improvement * 2 Secondary Success & College Readiness 1. Academic Foundation (rigorous courses, master schedule, equity data) 2. Advising Systems (advisory,

679 views • 30 slides
Instructional Cycle FOR DISCUSSION 1. BUILD UNIT by identifying standards that need to be

Instructional Cycle FOR DISCUSSION 1. BUILD UNIT by identifying standards that need to be

We want to continue to build our capacities to implement strong instructional cycles. Instructional Cycle FOR DISCUSSION 1. BUILD UNIT by identifying standards that need to be 13.REFLECT on reassessment data covered and cycle more broadly 2.

528 views • 7 slides
Chiral Symmetry and Low-Energy Pion-Photon Reactions N. Kaiser (TU Mnchen) Hadron Physics

Chiral Symmetry and Low-Energy Pion-Photon Reactions N. Kaiser (TU Mnchen) Hadron Physics

Chiral Symmetry and Low-Energy Pion-Photon Reactions N. Kaiser (TU Mnchen) Hadron Physics Seminar, GSI Darmstadt, 26.9.2018 Tests of Chiral Perturbation Theory via low-energy reactions COMPASS@CERN: Primakoff effect to extract

395 views • 20 slides
HPS, A New Microarchitecture: Rationale and Introduction Yale N. Patt, Wen-mei Hwo, and Michael

HPS, A New Microarchitecture: Rationale and Introduction Yale N. Patt, Wen-mei Hwo, and Michael

HPS, A New Microarchitecture: Rationale and Introduction Yale N. Patt, Wen-mei Hwo, and Michael Shebanow Big Picture Three levels of paralellism Big -- threads Medium -- the compiler Small -- hardware Their focus Myopic,

317 views • 8 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier Blazy Eike Kiltz Jiaxin Pan Horst Grtz Institute for IT Security Ruhr-University Bochum 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4

880 views • 58 slides
Uni.lu HPC School 2019 PS4b: Monitoring & Profiling II: Advanced Performance engineering

Uni.lu HPC School 2019 PS4b: Monitoring & Profiling II: Advanced Performance engineering

Uni.lu HPC School 2019 PS4b: Monitoring & Profiling II: Advanced Performance engineering Uni.lu High Performance Computing (HPC) Team V. Plugaru, X. Besseron University of Luxembourg (UL), Luxembourg http://hpc.uni.lu V. Plugaru, X.

668 views • 53 slides

More recommend