zombieload
play

ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz, - PowerPoint PPT Presentation

Sep 10, 2023 •879 likes •1.55k views

ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz, Moritz Lipp, Daniel Moghimi , Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss whoami Daniel Moghimi (@danielmgmi) Computer Security since 2010 Reverse

  1. ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz, Moritz Lipp, Daniel Moghimi , Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss

  2. whoami ▪ Daniel Moghimi (@danielmgmi) ▪ Computer Security since 2010 ▪ Reverse Engineering ▪ Binary Analysis ▪ Application Security ▪ PhD Student since 2017 ▪ Microarchitectural Security ▪ Side Channels ▪ Breaking Cryptographic Implementations

  4. Background: Cache Attacks – Cache Memory CPU Register More expensive, but Faster Cheaper, but Slower Cache DRAM

  5. Background: Cache Attacks – Cache Miss Cache 10100110

  6. Background: Cache Attacks Cache 10100110 10100110

  7. Background: Cache Attacks Cache 10100110 10100110 10100110

  8. Background: Cache Attacks – Cache Hit Cache 10100110 10100110

  9. Background: Cache Attacks – Cache Hit Cache 10100110 10100110 10100110

  10. Background: Cache Attacks – Flush & Reload (Yarom et al.) Attacker Victim Cache 10100110 10100110

  11. Background: Cache Attacks – Flush & Reload (Yarom et al.) Attacker Victim Cache 10100110

  12. Background: Cache Attacks – Flush & Reload (Yarom et al.) Attacker Victim Cache 10100110 10100110

  13. Background: Cache Attacks – Flush & Reload (Yarom et al.) Attacker Victim Cache 10100110 10100110

  14. Background: Cache Attacks – Flush & Reload (Yarom et al.) delta > threshold = cache hit Attacker Victim delta < threshold = cache miss Cache 10100110 10100110

  15. 2018: Meltdown Attack?

  16. 2018: Meltdown Attack?

  17. 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  18. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  19. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  20. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  21. 2018: Meltdown Attack? Virtual Address Space Fault Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  22. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  23. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  24. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  25. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  26. 2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space ‘ P ’ = 0x50 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line

  27. Meltdown-style Attacks !!! ▪ Can we do Meltdown with other faults/microcode-assists? ▪ Which part of the CPU leak the data?! ▪ Can we still leak somebody’s data? ▪ KPTI ▪ Meltdown-resistant CPUs, .e.g. Coffee Lake

  29. ZombieLoad – How does CPU Work these days? Virtual Address 0x000401 234

  30. ZombieLoad – How does CPU Work these days? Virtual Address 0x000401 234 TLB

  31. ZombieLoad – How does CPU Work these days? Virtual Address 0x000401 234 TLB PMH

  32. ZombieLoad – How does CPU Work these days? Virtual Address 0x000401 234 Page TLB PMH Walk P Physical Page Number RW US … A … …

  33. ZombieLoad – How does CPU Work these days? Core L1D Cache L2 L3 DRAM

  34. ZombieLoad – How does CPU Work these days? Core L1D Cache LFB L2 L3 DRAM

  35. ZombieLoad – How does CPU Work these days? Core L1D Cache LFB … L2 L3 DRAM

  36. ZombieLoad – How does CPU Work these days? Core L1D Cache Cache Line LFB … L2 L3 DRAM

  37. ZombieLoad – How does CPU Work these days? Core L1D Cache Cache Line LFB … L2 L3 DRAM

  38. ZombieLoad – How does CPU Work these days? Core L1D Cache Cache Line LFB x x x x x x x … L2 L3 DRAM

  39. ZombieLoad Attack !?! Core L1D Cache Cache Line LFB (10 entries) De-allocate x x x x x x x x … x L2 L3 DRAM

  40. ZombieLoad Attack !?! Core L1D Cache P US Physical Page Number RW … A … … Cache Line Cache Line LFB (10 entries) x x x x x x x x … x L2 L3 DRAM

  41. ZombieLoad Attack !?! Core L1D Cache P US Physical Page Number RW … A … … Cache Line LFB (10 entries) x x x x x x x x … x L2 L3 DRAM

  42. ZombieLoad Attack !?! Core L1D Cache P US Physical Page Number RW … A … … Cache Line LFB (10 entries) x x x x x x x x … x L2 L3 DRAM

  43. ZombieLoad Attack !?! Core L1D Cache P US Physical Page Number RW … A … … Cache Line LFB (10 entries) x x x x x x x x x x x x … x L2 L3 DRAM

  44. ZombieLoad Attack !?! Core L1D Cache P US Physical Page Number RW … A … … Cache Line 0 0 0 Cache Line LFB (10 entries) x x x x 0 0 0 0 x x x x … x L2 L3 DRAM

  45. ZombieLoad Attack !?! Core L1D Cache P US A Physical Page Number RW … … … Cache Line 0 0 0 Cache Line Variant 3 Variant 1 LFB (10 entries) x x x x 0 0 0 0 x x x x … x L2 L3 DRAM

  46. ZombieLoad – Microcode Assist on ‘ A’ Bit P A US Physical Page Number RW … … … Variant 3 ▪ Access Bit ▪ CPU tells → OS : A page has been accessed by setting the ‘A’ Bit ▪ OS tells → CPU: A page has not been accessed (just allocated) by clearing the bit ▪ ‘A’ Bit Microcode Assist ▪ Microcode Assists: The CPU executes an internal event handler to service complex instructions/operations ▪ The microcode assist flushes the pipeline. ▪ Intel CPUs set ‘A’ bit using a microcode assist

  47. ZombieLoad VS. other Meltdown-Style Attacks

  48. What can we do with this data leakage? ▪ Architecturally ▪ Attack across Process Context Switches ▪ Attack across Simultaneous Multithreading (SMT) AKA. Intel Hyperthreading ▪ Scenarios: ▪ Cross-Process ▪ Cross-VM ▪ Intel SGX

  49. Data Sampling - Domino Attack ▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction T arget … 1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 Secret

  50. Data Sampling - Domino Attack ▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction T arget … 1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 Secret 0xd3 0x10 0x4f

  51. Data Sampling - Domino Attack ▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction T arget … 1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 Secret 0x0e 0x37 0xb0 0xd3 0x10 0x4f

  52. Data Sampling - Domino Attack ▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction T arget … 1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 Secret 0x84 0x7f 0x0e 0x37 0xb0 0xd3 0x10 0x4f

  53. Data Sampling - Domino Attack ▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction T arget … 1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 Secret 0x84 0x7f 0xd3 0x7f 0x0e 0x37 0xb0 0x37 0xd3 0x10 0x4f

  55. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS

  56. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS sgx-step

  57. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS sgx-step

  58. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS sgx-step

  59. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS sgx-step

  60. Recovering Intel SGX Sealing Key ▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS Mark Non- Executabl e z-step

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz 1 , Moritz Lipp 1 , Daniel

ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz 1 , Moritz Lipp 1 , Daniel

ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz 1 , Moritz Lipp 1 , Daniel Moghimi 2 , Jo Van Bulck 3 , Julian Stecklina 4 , Thomas Prescher 4 , Daniel Gruss 1 November 11, 2019 1 Graz University of Technology, 2 Worcester

1.17k views • 102 slides
Statistical Language Modeling with N-grams in Python By Olha Diakonova What are n-grams

Statistical Language Modeling with N-grams in Python By Olha Diakonova What are n-grams

Statistical Language Modeling with N-grams in Python By Olha Diakonova What are n-grams Sequences of n language units Probabilistic language models based on such sequences Collected from a text or speech corpus Units can

285 views • 15 slides
When brand trust is tested Centre for Events, Leisure, Society &amp; Culture Centre for

When brand trust is tested Centre for Events, Leisure, Society &amp; Culture Centre for

The Visitor Economy: Strategies &amp; Innovations 4 th -6 th September 2017 When brand trust is tested Centre for Events, Leisure, Society &amp; Culture Centre for Caroline Jackson, Julie Robson, Elvira Bolat, Influences on Juliet Memery,

613 views • 22 slides
AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS

AN INTRODUCTION TO THREAT MODELING IN PRACTICE Thorsten Tarrach, Christoph Schmittner WHAT IS THREAT MODELING Introduction WHAT IS THREAT MODELING Structured Process Examination of a system for potential weaknesses

391 views • 28 slides
Nonlinear Classification INFO-4604, Applied Machine Learning University of Colorado Boulder

Nonlinear Classification INFO-4604, Applied Machine Learning University of Colorado Boulder

Nonlinear Classification INFO-4604, Applied Machine Learning University of Colorado Boulder October 5-10, 2017 Prof. Michael Paul Linear Classification Most classifiers weve seen use linear functions to separate classes: Perceptron

842 views • 49 slides
Farm Business Management: The Fundamentals of Good Practice Peter L. Nuthall Chapter 14

Farm Business Management: The Fundamentals of Good Practice Peter L. Nuthall Chapter 14

COMPLIMENTARY TEACHING MATERIALS Farm Business Management: The Fundamentals of Good Practice Peter L. Nuthall Chapter 14 Improving Farming Systems Using Survey Data COMPLIMENTARY TEACHING MATERIALS LEARNING OBJECTIVES Understand the concept

680 views • 14 slides
Farmland preservation near growing urban regions: Lessons from Oregon Laura Schreiner, Dr. John

Farmland preservation near growing urban regions: Lessons from Oregon Laura Schreiner, Dr. John

1 Farmland preservation near growing urban regions: Lessons from Oregon Laura Schreiner, Dr. John Devlin University of Guelph April 11, 2018 | RPLC Webinar The question 2 Agriculture in southern Ontario is facing certain challenges.

403 views • 19 slides
DAVID FEATONBY Science on Stage Executive , Europe and UK Science on Stage Europe | Poststr. 4/5

DAVID FEATONBY Science on Stage Executive , Europe and UK Science on Stage Europe | Poststr. 4/5

Presented at Teaching Physics Innovatively August 2015 , Budapest DAVID FEATONBY Science on Stage Executive , Europe and UK Science on Stage Europe | Poststr. 4/5 | D-10178 Berlin | www.science-on-stage.eu QUESTION: As science educators, just

747 views • 39 slides
Content of this workshop EDIROM FOUNDATION Tchoukball Promotion P.O. Box EL 187, Elmina, Tel.:

Content of this workshop EDIROM FOUNDATION Tchoukball Promotion P.O. Box EL 187, Elmina, Tel.:

Content of this workshop EDIROM FOUNDATION Tchoukball Promotion P.O. Box EL 187, Elmina, Tel.: 024 925 10 55 / 0243 445 669 Email: tchoukball@getghana.com 1. Introduction 2. Origins Facilitators of this workshop: 3. Organization 4. Events

524 views • 6 slides
CEE 370 Environmental Engineering Principles Lecture #3 Environmental Chemistry I: Units of

CEE 370 Environmental Engineering Principles Lecture #3 Environmental Chemistry I: Units of

CEE 370 Lecture #3 9/9/2019 Print version Updated: 9 September 2019 CEE 370 Environmental Engineering Principles Lecture #3 Environmental Chemistry I: Units of Concentration Reading: M&amp;Z, Chapt 2 David Reckhow CEE 370 L#3 1

377 views • 24 slides
Its not how often you fall down but how often you pick yourself up Colin Edwards Image

Its not how often you fall down but how often you pick yourself up Colin Edwards Image

630 mile challenge www.port - er.com I have always loved the union between sea and land Colin Edwards Image Paul Jamieson 630 mile challenge www.port - er.com 1st May 2011 19th June 2011 The route has an overall ascent 4 tjmes the height of

455 views • 6 slides
In the end we shall make thoughtcrime literally impossible, because there will be no words in

In the end we shall make thoughtcrime literally impossible, because there will be no words in

Don't you see that the whole aim of Newspeak is to narrow the range of thought? In the end we shall make thoughtcrime literally impossible, because there will be no words in which to express it. Thought control (cont'd) Every concept that can

445 views • 18 slides
Mountain and Valley What is the same in the these 2 stories? What is different? Comparing the

Mountain and Valley What is the same in the these 2 stories? What is different? Comparing the

Mountain and Valley What is the same in the these 2 stories? What is different? Comparing the two... l People l Scenery / Landscape The Landscape... Good News Jesus is in Both! The People... Jesus and 3 disciples The good news is that

214 views • 8 slides
Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on

Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on

Long Term Operating Experience at MiniBooNE Ray Stefanski Fermilab 7th International Workshop on Neutrino Beams and Instrumentation August 29, 2010 Schematic Geography Beryllium target detector 12 4 10 ppp @ 15Hz 7 slugs each 800

375 views • 21 slides
Jesus Christ, the Son of God. Jesus Christ, the Son of God. SONG SHEETS GOODNESS OF GOD Verse

Jesus Christ, the Son of God. Jesus Christ, the Son of God. SONG SHEETS GOODNESS OF GOD Verse

Jesus Christ, the Son of God. Jesus Christ, the Son of God. SONG SHEETS GOODNESS OF GOD Verse 1 I love You, Lord Oh, Your mercy never fails me All my days, Ive been held in Your hands From the moment that I wake up

189 views • 6 slides
61A Lecture 24 Friday, November 1 Announcements 2 Announcements Homework 7 due Tuesday 11/5

61A Lecture 24 Friday, November 1 Announcements 2 Announcements Homework 7 due Tuesday 11/5

61A Lecture 24 Friday, November 1 Announcements 2 Announcements Homework 7 due Tuesday 11/5 @ 11:59pm. 2 Announcements Homework 7 due Tuesday 11/5 @ 11:59pm. Project 1 composition revisions due Thursday 11/7 @ 11:59pm. 2 Heard on

1.89k views • 135 slides
HOPWA/COVID-19: Planning &amp; Operating STRMU Programs With HOPWA and CARES Act Funding August

HOPWA/COVID-19: Planning &amp; Operating STRMU Programs With HOPWA and CARES Act Funding August

HOPWA/COVID-19: Planning &amp; Operating STRMU Programs With HOPWA and CARES Act Funding August 19, 2020 Presenters Kate Briddell, HIV Housing and Health Program, Collaborative Solutions Crystal Pope, HIV Housing and Health Program,

587 views • 48 slides
AARNET Mirror and CDN update Stephen Walsh Network Operations AARNet Net Copyri right 2012

AARNET Mirror and CDN update Stephen Walsh Network Operations AARNet Net Copyri right 2012

AARNet Net Copyri right 2012 15 th TF-Storage NDN2014 Uppsala AARNET Mirror and CDN update Stephen Walsh Network Operations AARNet Net Copyri right 2012 But First AARNet Net Copyri right 2012 Our National Connectivity 3 AARNet Net

368 views • 16 slides
Matthew Series Lesson #088 August 9, 2015 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #088 August 9, 2015 Dean Bible Ministries www.deanbibleministries.org

Matthew Series Lesson #088 August 9, 2015 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Grace to the Unloved, Unlovely, Marginalized, and Outcasts Matthew 15:2128 John 3:16, For God so loved the world that

770 views • 36 slides
8th Grade Energy of Objects in Motion Classwork-Homework 2015-08-25 www.njctl.org Slide 3 /

8th Grade Energy of Objects in Motion Classwork-Homework 2015-08-25 www.njctl.org Slide 3 /

Slide 1 / 113 Slide 2 / 113 8th Grade Energy of Objects in Motion Classwork-Homework 2015-08-25 www.njctl.org Slide 3 / 113 Classwork #1: Energy Slide 4 / 113 1 Define Energy. Slide 5 / 113 2 What two things are necessary for work to be

488 views • 38 slides
Gender, Poverty, and Inequality Nancy Folbre Professor of Economics University of Massachusetts

Gender, Poverty, and Inequality Nancy Folbre Professor of Economics University of Massachusetts

Gender, Poverty, and Inequality Nancy Folbre Professor of Economics University of Massachusetts Amherst A Feminist Critique of Political Economy Neoclassical economic theory is too market-centric and Marxian economic theory is too

516 views • 20 slides
Learning objectives Develop an understanding of what culture is and how the main components of

Learning objectives Develop an understanding of what culture is and how the main components of

Learning objectives Develop an understanding of what culture is and how the main components of a culture impact upon a cultures way of life Explain the intimate relationship between cultural influences, Ethics and Culture consumer needs

393 views • 5 slides
Communicating Across Cultures Youre very welcome this morning! Session starts at 10am

Communicating Across Cultures Youre very welcome this morning! Session starts at 10am

Communicating Across Cultures Youre very welcome this morning! Session starts at 10am You will be muted as you arrive (I will explain this further) You do not need your webcam for this session If you are having trouble

501 views • 24 slides
Bridging The Cultural Gap Katherine Alexander Vertex Business Services Discussion with Sal

Bridging The Cultural Gap Katherine Alexander Vertex Business Services Discussion with Sal

Bridging The Cultural Gap Katherine Alexander Vertex Business Services Discussion with Sal Laher 05 Mar 09 Globalization Not just outsourcing International presence for companies Benefits Challenges What does it mean for

326 views • 15 slides

More recommend