take a walk on the wild
play

Take a Walk on the Wild Side(-Channel) Enrico Perla DISCLAIMER - PowerPoint PPT Presentation

Dec 13, 2022 •259 likes •654 views

Take a Walk on the Wild Side(-Channel) Enrico Perla DISCLAIMER This presentation is my own work and does not necessarily reflect the views of my previous or current employer. This presentation lives on the shoulder of giants: Anders Fogh, Matt

  1. Take a Walk on the Wild Side(-Channel) Enrico Perla

  2. DISCLAIMER This presentation is my own work and does not necessarily reflect the views of my previous or current employer. This presentation lives on the shoulder of giants: Anders Fogh, Matt Miller and Christopher Ertl and all the other real deal researchers (Jann Horn, Daniel Gruss and the rest of the Graz University team and many others I can’t cite for space reasons).

  3. SO, WHAT HAPPENED • Spectre and Meltdown hit the news

  4. WHAT ARE WE DEALING WITH • A new class of hardware vulnerabilities • Information potentially leaking across privilege/isolation boundaries • A lower privilege entity may steal information from higher privilege entities • Principles affect many modern CPUs • Patching is not always straightforward

  5. ISOLATION • Hardware is not infinite, resources need to be shared • Sharing and orchestration done by a higher privileged entity to avoid interferences VMM Kernel Kernel Kernel Process Process Process Process Process Process Process Process

  6. ISOLATION • Hardware and software build on assumptions and define interfaces across privilege levels • Data not exposed by these interfaces is not accessible by lower privilege levels VMM Kernel Kernel Kernel Process Process Process Process Process Process Process Process

  7. HOW TO BREAK ISOLATION • Challenge and Bypass interface checks/restrictions and assumptions • Issues hide in complexity, performance optimizations, usability shortcuts and legacy/retro compatibility VMM Kernel Kernel Kernel Process Process Process Process Process Process Process Process

  8. PRIVILEGE ESCALATION • End tail of golden era of memory corruption attacks • More and more attempts at formalizing the behaviour and designing better defences • Thomas Dullien – Weird Machines, Exploitability and Provable Unexploitability https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8226852&tag=1 • Attackers move down the stack as easier paths get closed • Improvements in userland defences -> kernel exploitation • Increasing interest into challenging hardware assumptions

  9. PROGRAM EXECUTION A program is a set of instructions with a well defined/expected flow MODEL: instructions execute sequentially, one after the other

  10. PROGRAM EXECUTION A program is a set of instructions with a well defined/expected flow MODEL: instructions execute sequentially, one after the other REALITY: this model of execution would be too slow. Modern CPUs use parallelism and speculation to improve performance

  11. PIPELINE Instructions are broken down into smaller steps that are executed independently

  12. SUPERSCALAR Multiple execution units allow to execute > 1 instruction per cycle

  13. OUT OF ORDER EXECUTION Instructions that don’t depend on each other can execute ahead of MOV RAX, [ADDRESS] time ADD RBX, RAX MOV RCX, [RDX] Depends on previous instruction, so has to wait

  14. SPECULATIVE EXECUTION When encountering a conditional flow change, the processor gambles on the TEST RAX, RAX future destination and keeps fetching instructions JE Dest MOV RBX, [RCX] If the gamble is wrong, the result of the computation is ROI on gamble depends on discarded the ability to correctly predict (history)

  15. SPECULATIVE EXECUTION MODEL: whenever the processor guesses wrong, the discarded results do not leave visible traces and execution proceeds through the right path.

  16. SPECULATIVE EXECUTION MODEL: whenever the processor guesses wrong, the discarded results do not leave visible traces and execution proceeds through the right path. REALITY: the thrown away execution leaves side effects. These side effects can be measured to extract information.

  17. SPECULATIVE EXECUTION MODEL: whenever the processor guesses wrong, the discarded results do not leave visible traces and execution proceeds through the right path. REALITY: the thrown away execution leaves side effects. These side effects can be measured to extract information. ATTACK: a lower privileged entity may extract this information to leak data from a more privileged entity.

  18. SIDE EFFECTS • Access to main memory is slow • Programs tend to access the same (or adjacent) memory locations multiple times • CPU have a set of caches where recently accessed memory is stored • Cache traffic is not discarded after a mispredicted speculation path • Caches are shared across different privilege levels • Different time of access leaks information on whether a given memory line is in cache or not

  19. SIDE EFFECTS • Access to main memory is slow • Programs tend to access the same (or adjacent) memory locations multiple times • CPU have a set of caches where recently accessed memory is stored • Cache traffic is not discarded after a mispredicted speculation path • Caches are shared across different privilege levels • Different time of access leaks information on whether a given memory line is in cache or not Side-channel

  20. SIDE-CHANNEL ATTACKS MODEL: 1.A lower privileged entity cannot reliably control speculation paths. 2.Extractable information is not valuable enough (address vs content).

  21. SIDE-CHANNEL ATTACKS MODEL: 1.A lower privileged entity cannot reliably control speculation paths. 2.Extractable information is not valuable enough (address vs content). REALITY: the prediction algorithm can be trained. Speculation choices become predictable. Certain code patterns leak content information.

  22. SIDE-CHANNEL ATTACKS MODEL: 1.A lower privileged entity cannot reliably control speculation paths. 2.Extractable information is not valuable enough (address vs content). REALITY: the prediction algorithm can be trained. Speculation choices become predictable. Certain code patterns leak content information. ATTACK: Spectre V1 : an attacker may force a mispredicted branch with controlled input, leading to a speculative out-of-bounds load whose content is used as input for a subsequent load. The second load leaks the first load content. Attackers can find these sequences in higher privileged code or, in certain circumstances, create them (JIT).

  23. SPECTRE V1 Speculate with index bigger than max_index if (controlled_index < max_index) { value1 = index_array[controlled_index]; value2 = data_array[value1 * 0x40]; } Second memory dereference populates cache line that leaks value1 when data_array address is known

  24. SIDE CHANNEL ATTACKS MODEL: lower privileged entities cannot influence the destination of predicted speculation.

  25. SIDE CHANNEL ATTACKS MODEL: lower privileged entities cannot influence the destination of predicted speculation. REALITY : space matters. Prediction tables don’t contain the whole source address and therefore aliasing from lower privileged entities may be possible.

  26. SIDE CHANNEL ATTACKS MODEL: lower privileged entities cannot influence the destination of predicted speculation. REALITY : space matters. Prediction tables don’t contain the whole source address and therefore aliasing from lower privileged entities may be possible. ATTACK: Spectre V2 : speculative ROP. Indirect branches can potentially be made to mispredict the target and jump to interesting gadgets.

  27. SPECTRE V2 Attacker trains the indirect branch to point to some different location. (*function_ptr )(par1, …); Number of attackable places increases significantly. New target contains a code sequence Attacker may also control similar to V1 parameters.

  28. SIDE CHANNEL ATTACKS MODEL: speculation stops on a privilege boundary (violation).

  29. SIDE CHANNEL ATTACKS MODEL: speculation stops on a privilege boundary (violation). REALITY: exceptions are deferred to instruction retirement, so speculative paths may access data that would be otherwise not accessible.

  30. SIDE CHANNEL ATTACKS MODEL: speculation stops on a privilege boundary (violation). REALITY: exceptions are deferred to instruction retirement, so speculative paths may access data that would be otherwise not accessible. ATTACK: Meltdown : attacker can construct code that would normally trap in order to access memory beyond an exception boundary. This allows to leak data from kernel to user space. Exfiltration is done through similar constructs as V1.

  31. Meltdown Access to kernel_address traps. Stash into a speculation path or a transaction for repeated use. value1 = *kernel_address; value2 = userland_array[value1 * 0x40];

  32. CONDITIONS FOR A SUCCESSFUL ATTACK • Have the CPU enter a speculation path • Have the CPU stay in the speculation path long enough • Have the speculation path leave side effects • Do not interfere with the side effects • Have a way to measure the side effects

  33. THE SINGLE BEST SLIDE I’VE EVER SEEN

  34. DEFENCE Fix ix the Kill ill the Prevent the in indiv ivid idual l exp xploitation bug cla lass bug bug techniq ique Increasing level of complexity, increasing level of effectiveness

  35. FIXING THE INDIVIDUAL ISSUE • A design issue, not strictly a bug • Naturally a class, see next slide ;-) • Affects all major CPUs • Sharing and performance optimizations are fundamental points on the evolution scale of CPUs • Reinforced take-aways: • sharing of resources should be done with side-channel attacks in mind • likely need more barriers at privilege boundaries

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

into the wild 2 jungle walk and tree top adventures 3 turtle release 4 authentic local

into the wild 2 jungle walk and tree top adventures 3 turtle release 4 authentic local

into the wild 2 jungle walk and tree top adventures 3 turtle release 4 authentic local cuisine 5 rejuvenation 6 club room 7 seaside club room 8 seaside suite wi with terrac ace 9 mutiara ma main restau auran rant 10

763 views • 29 slides
Take a walk on the wild side: the drip-line Forewords Part I. Nuclear forces towards the drip

Take a walk on the wild side: the drip-line Forewords Part I. Nuclear forces towards the drip

Take a walk on the wild side: the drip-line Forewords Part I. Nuclear forces towards the drip line By courtesy of A. Bonnaccorso Part II. Proton neutron forces in mirror nuclei. Forewords Broad resonance Narrow resonance t = ! E* E*

523 views • 27 slides
The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at

The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley The Winter Walk at Wisley Daphne bholua Chimonanthus praecox Luteus Edgeworthia chrysantha grandiflora

487 views • 27 slides
Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals

Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals

Literacy Activity Wild Animal Habitat What is your favourite wild animal? Where do wild animals live? Wild animals live in their natural habit, this is where they are born. They do not depend on humans. Giant Panda Bear Research

366 views • 9 slides
Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES

Be Inspired. Get Connected. Walk MS. Be Inspired. Get Connected. Walk MS. OBJECTIVES Identify ways to make an impact through Walk MS. Be equipped to demonstrate boldness and enthusiasm when asking friends and family to join you in

407 views • 29 slides
Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable

Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable

Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable Wild Horse and Burro Roundtable September 26, 2017 1 We must develop a broad coalition of interest groups and

355 views • 18 slides
Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random

Passwords in the Wild Passwords in the Wild Who am I...? My blog... SkullSecurity.org Random research, rants, etc. Nmap dev news Password database I post updates to Twitter https://twitter.com/iagox86 My job... Tenable Network Security

990 views • 88 slides
Wild Horse Tourism in NM Wild Horse Tourism in NM How the Jicarilla Ranger District of the Carson

Wild Horse Tourism in NM Wild Horse Tourism in NM How the Jicarilla Ranger District of the Carson

Wild Horse Tourism in NM Wild Horse Tourism in NM How the Jicarilla Ranger District of the Carson National Forest can utilize the Jicarilla Wild Horses Territory (JWHT) for Eco-Tourism, Rural Economic Development, Preservation of the Historical

419 views • 17 slides
Sushi Gone Wild: Skit &amp; Music Details for the flight of The Wild Sushi Adrienne Chan

Sushi Gone Wild: Skit &amp; Music Details for the flight of The Wild Sushi Adrienne Chan

Sushi Gone Wild: Skit &amp; Music Details for the flight of The Wild Sushi Adrienne Chan Elizabeth Chan Jenny Chan Katherine Chan July 21, 2006 Leonard Chan Wild Thing Models that represent the team and aircraft (from left to right):

134 views • 10 slides
Physics 2D Lecture Slides Oct 13 Vivek Sharma UCSD Physics Quiz 2 : Wild Wild West got a Bit

Physics 2D Lecture Slides Oct 13 Vivek Sharma UCSD Physics Quiz 2 : Wild Wild West got a Bit

Physics 2D Lecture Slides Oct 13 Vivek Sharma UCSD Physics Quiz 2 : Wild Wild West got a Bit too wild 50m/s MadBull x ScarFace In the old west, a sheriff riding on a train traveling 50m/s sees a shootout between two bandits standing on

280 views • 24 slides
Wild Atlantic Way Update 2016 Presented by Suzanne Trehy Client Services Manager The Wild

Wild Atlantic Way Update 2016 Presented by Suzanne Trehy Client Services Manager The Wild

Wild Atlantic Way Update 2016 Presented by Suzanne Trehy Client Services Manager The Wild Atlantic Way what and why? Where Land Meets Sea Wild Atlantic Way Vision To create a world class, sustainable and un-missable experience brand

500 views • 34 slides
Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The

Onelight.com Training Series Connecting the Pyramids and the Crystal Cities the ISIS Walk 2 The ISIS Walk The ISIS Walk 3 the ISIS Walk guide hyperspace package We will be introducing the ISIS Walk DVD this Fall 2010 with the option

912 views • 35 slides
Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the

Sin: to miss the mark. Walk the talk. Sin: to miss the mark. Walk the talk. The Mark: the standard of holiness established by God and evidenced by Jesus. We can never live deeply until we Walk the talk. deal with our sin. The ethical test

662 views • 26 slides
Medicine As dreams are the healing songs from the wilderness of our unconscious-- So wild

Medicine As dreams are the healing songs from the wilderness of our unconscious-- So wild

Medicine As dreams are the healing songs from the wilderness of our unconscious-- So wild animals, wild plants, wild landscapes are the healing dreams from the deep singing mind of the earth. --Dale Pendell, Living with Barbarians Design

1.15k views • 36 slides
Wild, Wild West How to Corral All Your Developers into Creating Secure Code Jonathan Beck

Wild, Wild West How to Corral All Your Developers into Creating Secure Code Jonathan Beck

Wild, Wild West How to Corral All Your Developers into Creating Secure Code Jonathan Beck Original State Static and Dynamic programs are great at finding vulnerabilities. Penetration Test performed to deeply inspect applications.

615 views • 27 slides
Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us

Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us

Wild Ways Well By Ryan Bryce Introduction Wild Ways Well is a project which was introduced to us by Paul and Rebecca. The project focusses on helping us : Connect with the Environment, Be Active, Take Notice, Keep Learning and Give Back. One

307 views • 6 slides
Fast and Adaptive Online Training of Feature-Rich Translation Models Spence Green Sida Wang

Fast and Adaptive Online Training of Feature-Rich Translation Models Spence Green Sida Wang

Fast and Adaptive Online Training of Feature-Rich Translation Models Spence Green Sida Wang Daniel Cer Christopher D. Manning Stanford University ACL 2013 Feature-Rich Research Industry/Evaluations Liang et al. 2006 Tillmann and Zhang

899 views • 65 slides
Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Speculative execution in a distributed file system E. B. Nightingale, P. M. Chen, J. Flinn Dresden, 2010-09-01 Distributed File Systems NFS (v3),

194 views • 15 slides
A Runtime System for Software Lock Elision Amitabha Roy (U. Cambridge) Steven Hand (U.

A Runtime System for Software Lock Elision Amitabha Roy (U. Cambridge) Steven Hand (U.

A Runtime System for Software Lock Elision Amitabha Roy (U. Cambridge) Steven Hand (U. Cambridge) Tim Harris (MSR Cambridge) Motivation Multicores mean application scalability is key to good performance Scaling programs synchronising

960 views • 50 slides
1 Store Buffer Design Example Memory Dependence Any load instruction receives the memory Store

1 Store Buffer Design Example Memory Dependence Any load instruction receives the memory Store

Register and Memory Dependences Store: SW Rt, A(Rs) LW Rt, A(Rs) 1. 1. Calculate effective Calculate effective Lecture 10: Memory Dependence memory address memory address Detection and Speculation dependent on Rs dependent on Rs

479 views • 3 slides
Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March 21, 2014 Ellen C. Ginsberg Vice President, General Counsel and Secretary Nuclear Energy Institute Background Waste Confidence Decision: - A

277 views • 11 slides
Statistics 498 Summer 2009 Summer Practicum in Statistics and Financial Risk Professor Peter

Statistics 498 Summer 2009 Summer Practicum in Statistics and Financial Risk Professor Peter

Statistics 498 Summer 2009 Summer Practicum in Statistics and Financial Risk Professor Peter Bloomfield email: bloomfield@stat.ncsu.edu Course home page: http://www4.stat.ncsu.edu/ bloomfld/courses/498/ 1 Topic 1: Dynamics of Credit Ratings

201 views • 16 slides
What can we learn from law? Raphael Gellert &amp; Niels van Dijk (VUB/LSTS) Brno, 25 November

What can we learn from law? Raphael Gellert &amp; Niels van Dijk (VUB/LSTS) Brno, 25 November

Inroads into DPIA Methodologies What can we learn from law? Raphael Gellert &amp; Niels van Dijk (VUB/LSTS) Brno, 25 November 2016 Data Protection Impact Assessment Where a type of processing in particular using new technologies, and

606 views • 36 slides
Spend Analytics In current situation of covid 19 how spend analytics can help procurement ? Covid

Spend Analytics In current situation of covid 19 how spend analytics can help procurement ? Covid

Spend Analytics In current situation of covid 19 how spend analytics can help procurement ? Covid 19 Global Impacts World is closed Businesses are closed, global disruption Work from home Home office Global supply chain

962 views • 34 slides

More recommend