speechminer a framework for investigating and measuring
play

SpeechMiner: A Framework for Investigating and Measuring - PowerPoint PPT Presentation

Jan 13, 2023 •266 likes •512 views

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

  1. SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University

  2. SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage transient execution on modern x86 processors to leak • secret data whose access is forbidden Speculatively executes instructions Execution leaves trace in cache Execution results discarded Secrets inferred by cache side channel 2

  3. Race Condition “…, there is a race condition between raising this exception and our attack step 2 (Transmitting the secret) …” -- Lipp et al. , Meltdown: Reading Kernel Memory from User Space Is this true? What exactly are racing? • Can we create better race conditions to increase exploitation • success rate? 3

  4. According to Original Authors’ Github… These seem too ad-hoc… What if we directly peek into the processor hardware? 4

  5. Overview (Please Please Stay with Me and Don’t Get Lost) 1. SpeechMiner Framework 2. 2-phase Fault Handling Model 3. Understanding Speech Vulnerabilities 5

  6. Basic x86 Execution Engine Prediction Fetch Fetch Unit Instruction (uops) Instruction (uops) Decode Decode IDQ Instruction (uops) uops … uops Issue Issue ROB uops (out-of-order) … Execute Execute Ports

  7. SpeechMiner Input: Settings: Results: Execution Instruction Execution Covert Sequence Environment Channel Infer processor micro- • Systematically test the architectural states vulnerabilities on specific hardware • Understand the Speech from covert channel vulnerabilities better data 7

  8. An example Instruction Sequence • Windowing Gadget. – Enlarge the speculation window – Eliminate side-effects of instruction issuing • Speculation Primitive. * All assembly code follows AT&T syntax. – One or two instructions that will raise an exception when executed – Generated from Intel manual’s list of causes of exceptions • Disclosure Gadget. – Speculatively executed, utilizing covert-channel techniques to measure the speculation windows or the latency of data fetching, etc . 8

  9. Systematic Evaluation of Variants Exploitability of certain variants are implementation-specific. All tests are done with secret in L1D and TLB entry present. 9

  10. Overview (Here Comes the Big Part… Are You Still Here?) 1. SpeechMiner Framework 2. 2-phase Fault Handling Model 3. Understanding Speech Vulnerabilities 10

  11. 2-phase Fault Handling Model TLB entry Exception Captured Retirement ready By CPU (P1) (P2) P1: Processor’s exception handling scheme on executing uop • P2: To commit execution result of the instruction • 11

  12. Retirement (P2) • Squashes following instructions in ROB – Already executed: results discarded; never retires – Not executed: never executes • IDQ stops issuing instructions to ROB and is flushed • Exception information is saved for exception handler usage • Frontend is redirected to exception handler 12

  13. Exception Captured By CPU (P1) • Assumption: processor’s security check takes constant time after TLB is ready (given the same execution environment). • Change data fetching latency and prove: • P1 stops current computation (LD for Meltdown-type) • P1 only affects current execution unit TLB entry P1 Data P2 ready Available • If data not fetched yet (from memory): • Stops fetching • Returns dummy value (0) as data 13

  14. Exception Captured By CPU (P1) Q: Why does the original Meltdown often capture 0s? TLB entry Data P1 P2 ready Available • If data already fetched (from L1D): • Data immediately used by following instructions when it is available • Nothing to stop at P1 14

  15. Overview (It’s Almost Over… Hang in There A Little Bit!) 1. SpeechMiner Framework 2. 2-phase Fault Handling Model 3. Understanding Speech Vulnerabilities 15

  16. The Two Races Race I: data fetching vs. processor fault handling • Race II: covert channel transmission vs. speculative • instruction squashing TLB entry Data P1 Covert Channel P2 ready Available Transmission 16

  17. Race II Can Always Be Won Race II: covert channel transmission vs. speculative instruction squash 17

  18. Race I Can Be Quantitatively Measured (Race I: data fetching vs. processor fault handling) // Suppressing Primitive [MOV (%RAX), %RAX] // legal T(DATA T( TA_FETCHI TCHING) [MOV (%RAX), %RAX] // legal … MOVQ (%RAX), %RAX // illegal Correct data fetched // Speculation Primitive MOVQ (%RCX), %RCX // • T(SPEC1) = Suppressing Primitive window measured • T(SPEC2) = Speculation Primitive window // Disclosure Gadget • T(P1) = T(SPEC1) – T(SPEC2) – T(DELAY) [ADD $1, %RCX] • Similarly, T(DATA_FETCHING) [SUB $1, %RCX] = T(SPEC1) – T’(SPEC2) – T(DELAY) … MOVQ (%RBX, %RCX, 1), %RCX • Thus, T(RACE1) = T(DATA_FETCHING) – T(P1) = T(SPEC2) – T’(SPEC2) 18

  19. One more thing… 19

  20. Q: Why can Meltdown-US steal secrets not in L1D while Foreshadow (L1TF) requires that the secrets are in L1D? • Our experiment results (both Meltdown-P and Meltdown-US require secret to be in L1D) seem to contradict such claims. • A common mis-understanding. • It is untold by the authors of Meltdown how exactly they implemented their attack to steal non-L1D secret. • Fact? 20

  21. Study of Prefetching Effects of Meltdown-US • Experiment: 1. Force data in certain cache or in memory. 2. (a) Execute speculation primitive to access the illegal data. (b) Go to step 3. 3. Reload data and measure its access latency. 4. Repeat for 1,000,000 times and count distribution of reload latency. x-axis: access latency; y-axis: frequency of latency 21

  22. Study of Prefetching Effects of Meltdown-P x-axis: access latency; y-axis: frequency of latency * Meltdown-P is the speculative primitive of L1TF. 22

  23. Truth of Attacking Non-L1D Secret • ONE ROUND of Meltdown-US can only fetch L1D data, but its Speculation Primitive is able to “PREFETCH” L2/L3 data into faster cache to facilitate future attacks. • “PREFETCH” with Speculation Primitive also needs time during speculation. Memory-to-cache seems too slow to finish. • The Speculation Primitive of Meltdown-P CANNOT “PREFETCH” L2/L3 data into faster cache, probably due to “terminal fault”. • For claims that Meltdown-US also works for non-cached data, we believe they actually refer to the newly disclosed RIDL-like attacks which leverages LFB whose latency is lower than L1D. 23

  24. Finally… Thank You! xiao.465@osu.edu SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hows Life? 2015 Measuring well-being 14 October 2015 The OECD well-being framework

Hows Life? 2015 Measuring well-being 14 October 2015 The OECD well-being framework

Hows Life? 2015 Measuring well-being 14 October 2015 The OECD well-being framework People rather than economic system or GDP Outcomes rather than inputs and outputs Both averages and inequalities Both objective and

488 views • 27 slides
A Framework for Measuring Financial Stress under Disruptive Energy Transition Scenarios David-Jan

A Framework for Measuring Financial Stress under Disruptive Energy Transition Scenarios David-Jan

A Framework for Measuring Financial Stress under Disruptive Energy Transition Scenarios David-Jan Jansen EBA/EBF Workshop on Sustainable Finance, 4 April 2019 Based on: Vermeulen, Robert, Edo Schets, Barbara Klbl, Melanie Lohuis, David-Jan

480 views • 18 slides
Overview of the ILOs Framework for Measuring Decent Work Malte Luebker, Chief Technical

Overview of the ILOs Framework for Measuring Decent Work Malte Luebker, Chief Technical

Overview of the ILOs Framework for Measuring Decent Work Malte Luebker, Chief Technical Advisor, MAP Project Tite Habiyakare, Specialist on Labour Statistics, SRO Addis Ababa Special Session of the Advisory Committee for the Zambia Decent

838 views • 44 slides
Understanding Engagement in Research PCORI Evaluation Framework Objectives for Measuring

Understanding Engagement in Research PCORI Evaluation Framework Objectives for Measuring

Understanding Engagement in Research PCORI Evaluation Framework Objectives for Measuring Engagement Describe engagement in PCORI funded projects Evaluate impact on PCORI strategic goals Inform PCORI funding requirements Guide

509 views • 34 slides
A Framework for Measuring Inclusive Growth James E. Foster George Washington University,

A Framework for Measuring Inclusive Growth James E. Foster George Washington University,

A Framework for Measuring Inclusive Growth James E. Foster George Washington University, IIEP,and Oxford, OPHI WIDER Conference on Inclusive Growth in Africa September 20, 2013 Motivation Why measure inclusive growth? Growth has potential to

503 views • 37 slides
Maternal Mortality Targets Tom Pullum, Director of Measuring Maternal Health Research, The

Maternal Mortality Targets Tom Pullum, Director of Measuring Maternal Health Research, The

A Framework for Post-MDG Maternal Mortality Targets Tom Pullum, Director of Measuring Maternal Health Research, The Demographic and in a Post-MDG World Health Surveys Program, ICFI Wilson Center, Dec. 1, 2014 Where did this framework come

478 views • 15 slides
Overview ROI: Framework ROI: Logic Model ROI: Model ROI: Framework A performance

Overview ROI: Framework ROI: Logic Model ROI: Model ROI: Framework A performance

Measuring Return On Investment (ROI) for State Government Overview ROI: Framework ROI: Logic Model ROI: Model ROI: Framework A performance measure used to evaluate the efficiency of an investment ROI = Impact from program Impact

180 views • 4 slides
Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light Absorption Absorption Measurements Measurements Christine Walsh Lund University (Lund, Sweden) NOAA ERSL (Aerosol Research Group) Overview of

354 views • 17 slides
ITU on Measuring Speech Quality Measuring Perceived Quality Typically done by using standards

ITU on Measuring Speech Quality Measuring Perceived Quality Typically done by using standards

Outline Measuring Perceived Quality of Introduction Speech and Video in Multimedia Measuring Perceived Quality Conferencing Applications What is Multimedia Quality? UCL Approach to Measuring Quality Anna Watson and M. Angela

328 views • 4 slides
Developing and Investigating Online Programming Resources Andrew Petersen Department of

Developing and Investigating Online Programming Resources Andrew Petersen Department of

Developing and Investigating Online Programming Resources Andrew Petersen Department of Mathematical and Computational Sciences University of Toronto andrew.petersen@utoronto.ca Goals Introduce two of my areas of research Investigating

1.03k views • 91 slides
A unified framework for measuring industry spatial concentration based on marked spatial point

A unified framework for measuring industry spatial concentration based on marked spatial point

A unified framework for measuring industry spatial concentration based on marked spatial point processes Christine Thomas-Agnan and Florent Bonneu Toulouse School of Economics GREMAQ JMS2012 Christine Thomas-Agnan and Florent Bonneu (Toulouse

748 views • 43 slides
Describing is good: measuring is better. A new means of measuring the effectiveness of networks

Describing is good: measuring is better. A new means of measuring the effectiveness of networks

Describing is good: measuring is better. A new means of measuring the effectiveness of networks and simultaneously strengthening their function 9 th September 2015 Claire Grealy (Urbis) Gail Winkworth & Michael White Known dimensions of

422 views • 16 slides
Investigating Dimensionality Dimensionality Dimensionality with with Investigating

Investigating Dimensionality Dimensionality Dimensionality with with Investigating

Investigating Investigating Investigating Dimensionality Dimensionality Dimensionality with with Investigating Dimensionality Mokken Analysis Mokken Analysis and CFA and CFA by means of Nader et al. Nader et al. Mokken Analysis

571 views • 7 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation

Measuring the validity and reliability of forensic analysis systems Geoffrey Stewart Morrison p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Concerns Logically correct framework for evaluation of forensic evidence - ENFSI Guideline for

750 views • 54 slides
Auerbach-Gorodnichenko Measuring the Output Responses to Fiscal Policy AEJ-Economic

Auerbach-Gorodnichenko Measuring the Output Responses to Fiscal Policy AEJ-Economic

Auerbach-Gorodnichenko Measuring the Output Responses to Fiscal Policy AEJ-Economic Policy, 2012 Overview - Investigate whether multipliers are higher during recessions. - Use BP framework, but use a regime switching model. - Find large

457 views • 8 slides
Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

14 September, 2020 African Internet Summit Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org Presentation title Client name Measuring the Internet Why? The Internet Societys efforts focus on

336 views • 9 slides
Thinking Through Culture: Six Practical Steps to Addressing Race in Museums Welcome! The

Thinking Through Culture: Six Practical Steps to Addressing Race in Museums Welcome! The

Thinking Through Culture: Six Practical Steps to Addressing Race in Museums Welcome! The webinar will begin at 10:00 a.m. CT. While you wait: 1. Download PDFs of the slides and handout under the Handouts tab of your control bar. 2.

715 views • 28 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Logistics announcements Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

521 views • 9 slides
ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer

ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer

ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer ThreadSanitizer Data race detector ThreadSanitizer Data race detector LLVM IR instrumentation: ThreadSanitizer Data race detector LLVM

706 views • 47 slides
Advancing Racial Equity With State Tax Policy Presentation to the California Budget and Policy

Advancing Racial Equity With State Tax Policy Presentation to the California Budget and Policy

Advancing Racial Equity With State Tax Policy Presentation to the California Budget and Policy Centers Policy Insights 2019 Michael Leachman March 27, 2019 1 2 3 4 5 6 7 8 9 10 Michael Leachman leachman@cbpp.org www.cbpp.org

399 views • 12 slides
Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model

Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model

Data Race-Free and Speculative Models Zach Pomper Maxwell Johnson DeNovo: Data Race-Free Model Modern consistency provides the programmer too much freedom Wild shared memory behaviors Requires sophisticated, complicated,

183 views • 15 slides
Good intentions are not enough: The science of implementing high quality restorative practices in

Good intentions are not enough: The science of implementing high quality restorative practices in

Good intentions are not enough: The science of implementing high quality restorative practices in schools Presenters: Anne Gregory, Alycia Davis, annegreg@rutgers.edu Additional authors: Kathleen Clawson, Jenifer Gerewitz, & Josh Korth Rutgers

642 views • 48 slides
Washington State COVID- 19 Data Megan Veith Senior Manager, Policy, Advocacy, & Research

Washington State COVID- 19 Data Megan Veith Senior Manager, Policy, Advocacy, & Research

Washington State COVID- 19 Data Megan Veith Senior Manager, Policy, Advocacy, & Research Building Changes Confirmed Cases /Deaths by Age Percent of Cases Percent of Deaths 55% 37% 35% 27% 25% 10% 8% 3% 0% 0% 0% 0% 0-19

444 views • 5 slides
& Gender in the Workplace Reimagine an Inclusive Workplace Objective Define Diversity

& Gender in the Workplace Reimagine an Inclusive Workplace Objective Define Diversity

Bridging The Gap of Race, Age & Gender in the Workplace Reimagine an Inclusive Workplace Objective Define Diversity & Inclusion Different forms of Diversity Race Age Gender The impact of Diversity &

740 views • 26 slides

More recommend