SlideShare une entreprise Scribd logo

Meltdown & spectre

S
Sergio Shevchenko

Meltdown and Spectre: two most important hardware level vulnerabilities that changed the world.

Logiciels
1  sur  39
Télécharger pour lire hors ligne
Meltdown & Spectre Mitigate the unmitigable Based on ● Meltdown: Reading Kernel Memory from User Space ● Spectre Attacks: Exploiting Speculative Execution
HELLO! We are 2 Sergiy Shevchenko Marco Cipriano
● What are them? ○ Vulnerabilities in most modern CPU, due to poorly understood interactions between speculative execution and side effects ● When? ○ Discovered in june/july of 2017 but leaked on 4th of january 2018 by Google’s Project Zero ● Effects? ○ Need to modify: ■ CPU Memory ■ OS Virtual memory handling ■ Compilers ■ Hypervisors ■ Browsers ○ Real solution: change CPU DESIGN 3 Are considered the greatest hardware vulnerabilities in computer history
Today’s Agenda 1. Speculative Execution 2. Meltdown attack 3. Spectre attack 4
1. Speculative Execution Let’s start from the beginning Presented by Sergiy Shevchenko
Basic memory model of modern CPU ❑ Each CPU has 3 caches*: ❏ L1 with access latency ~ 5 cycles (1.2 ns) ❏ L2 with access latency ~ 10 cycles (4.2 ns) ❏ L3 with access latency ~ 40 cycles (20 ns) ❏ DRAM (100 ns) *Modern Core i7 Xeon Server Edition 6
Fetch-decode-execute parallelism ❑ On a non-pipelined CPU, when a instruction is being processed at a particular stage, the other stages are at an idle state ❑ On a pipelined CPU, all the stages work in parallel: ❏ When the 1st instruction is being decoded by the Decoder Unit, the 2nd instruction is being fetched by the Fetch Unit. It only takes 5 clock cycles to execute 2 instructions on a pipelined CPU. Image source: https://stackpointer.io/hardware/how-pipelining-improves-cpu-performance/113/ 7
Intel SkyLake CPU Microarchitecture ❑ Simplified illustration of a single core of the Intel’s Skylake microarchitecture ❑ Instructions are decoded into µOPs and executed out-of-order in the execution engine by individual execution units Figure from MeltDown by Lipp https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf 8
Out-of-order processing 1 op per cycle 9 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
Out-of-order processing 1 op per cycle 10 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
Out-of-order processing 11 ❑ t = a + b, u = c + d ❑ v = e + f ❑ w = v + g, x = h + i ❑ y = j + k ❑ t = a + b, u = c + d ❑ v = e + f, y = j + k ❑ w = v + g, x = h + i 3 clock cycles, 2 op per cycle and out-of-order execution
Fast in a straight line not so good on corners
Branch prediction 13 ❑ Pipelining, superscalar and out-of-order execution only helps if you know what instructions are coming next ❑ Conditionals are a problem - we don’t know what to load into a pipeline until conditional IF is clear Branch prediction will help: let's guess ❑ If the guess is right, great ❑ If the guess is wrong, clear pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf B1 B2 ?
Branch prediction + Speculative execution 14 ❑ Cache misses cause long delay in data extraction ❑ Speculative execution: ❏ Execute instructions on predicted branch ❏ If prediction was right - great! ❏ If prediction was wrong - undo all effects of running in speculative mode and flush pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf
Example of branch prediction with speculation 15 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } Without speculation can’t reorder anything
Example of branch prediction with speculation 16 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } With speculation 1. C = A + B; _J = H + I; 2. E = C + D; _L = _J + K; 3. G = E + F; _N = _L + M; 4. if (G == 0){ 5. J =_J; L =_L; N=_N; 6. } Only make results available if G equals 0 ALU 1 ALU 2 ALU 1
Virtual memory ❑ Virtual memory is divided into Kernel and User space ❑ Page table handles mappings ❑ Kernel space pages have an extra bit ❑ If user code tries accessing kernel space a trap will occur 17 Kernel space User space Physical memory Page table
2. Meltdown attack Explained Presented by Sergiy Shevchenko
Meltdown Abstract 19 Meltdown exploits side effects of out-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. ...read memory of process or virtual machines in the cloud without any permissions or privileges. CVE-2017-5754
Meltdown attack: side channel 20 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. Z = G + Y 5. if (Z == 0){ 6. J = kernel_mem[addr]; 7. L = J & 0x01; 8. N = L * 4096; 9. M = user_mem[N]; 10. } 1. C = A + B; _J = kernel_mem[addr]; 2. E = C + D; _L = _J & 0x01; 3. G = E + F; _N = _L * 4096; 4. Z = G + Y; _M = user_mem[_N]; 5. if (Z == 0){ 6. J =_J; L =_L; N =_N; M =_M; 7. } 8. t1 = get_time(); 9. V = user_mem[0]; 10. t2 = get_time(); 11. delta = t2 - t1; ALU 1 ALU 2 Predictor thinks this is true Normally, this should receive segmentation fault, but not in speculative case As this will never being executed, _J, _L and _N will be never revealed If the difference is < 10 cycles the 1st bit of kernel_mem[addr] = 0 Side channel magic here
Meltdown attack performance 21 ❑ Core i7-8700K: ❏ 582 KB/s error 0.003% ❑ Core i7-6700K: ❏ 569 KB/s error 0.002% ❑ Intel Xeon E5-1630: ❏ 491 KB/s error 10.7% * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
Meltdown mitigation 22 ❑ Why do operating systems map kernel memory into global address space? ❏ ...making in this way Meltdown possible.. ❑ .. because of memory page caching named TLB (translation lookaside buffer) ❏ Page table is stored in memory itself, so accessing it costs a lot * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
TLB 23 ❑ A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location, it is a part of MMU ❑ If you try accessing page which is not in TLB need to traverse all page table to find where the physical page is ❏ Cost is near 300-600 cycles! * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf Kernel space User space Physical memory MMU TLB
KPTI - Kernel Page Table Isolation 24 ❑ Only have user space memory mapping in the page table ❏ So meltdown can “physically” read kernel memory ❑ Some additional line of code in kernel to handle userspace and kernel space page table switching
KPTI - Kernel Page Table Isolation 25 ❑ Complete mitigation of meltdown ❑ Changing page tables requires flushing TLB ❑ Big impact on performance (this will happen on each OS Call!) ❑ In some cases > 50% slowdown ❑ Newer Intel CPU has association Process Context ID with TLB ❏ This allows flushing only part of TLB
3. Spectre attack A really hard part Presented by Marco Cipriano
Spectre Abstract 27 ❏ Spectre Variant 1: Bound Check Bypass ❏ Exploiting Conditional Branches ❏ CVE-2017-5753 ❏ Spectre Variant 2: Branch Target Injection ❏ Exploiting Indirect Branches ❏ CVE-2017-5715 Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and wich leak victim’s confidential information via a side channel to the adversary
Differences 28
Concepts 29
Spectre attack: Overview 30 ❑ Setup Phase: Minstrain the CPU ❑ Speculative Execution of Instructions that leak sensitive information to side channel ❑ Recovering sensitive instruction from side channel using: ❏ Flush + Reload ❏ Evict + Reload Yarom, Y., and Fakner, K. - FLUSH+RELOAD: A HIGH RESOLUTION, LOW NOISE, L3 CACHE SIDE-CHANNEL ATTACK, - in Usenix Security Symposium (2014). transitories
Variant 1 : Bound Check Bypass 31 1. array a = …; // size 400 2. array b = …; // size 512 3. offset = …; // user input 4. if (offset < size(a)){ 5. v = a[offset]; 6. i = (v & 0x01) * 4096; 7. x = b[i]; 8. }
Variant 2 : Poisoning Indirect Branches ❏ Indirect branch instructions have ability to jump to more than two possible target addresses. ❏ X86 example ❏ jmp eax: Address in register ❏ jmp [eax]: Address in memory location ❏ jmp dword ptr [0x12345678] ❏ Address from the stack (“ret”) ❏ MIPS example ❏ jr $ra 32
How can we use this? ❏ Find unsafe user code [unlikely] ❏ Use JIT Compiler of user code [highly likely] ❏ Google PoC uses BPF (packet filter in JIT) in Linux kernel ❏ Microsoft PoC uses Javascript ❏ Potentially any visited website can access all your RAM memory 33
Attack Variations 34
Attack Variation 1 : Evict + Time 35 Selecting bit to analyze Measuring access time If data is on CPU cache saving it
Mitigation Options 36
Preventing Speculative Execution Inserting speculative execution blocking instructions ❏ Degrades performance if used too extensively ❏ Use static analysis to find out optimum placement of blocking instructions ❏ Requires code recompilation 37 ❏ Intel Processors: ❏ add lfence before IF in bound checks (prevent speculation) ❏ ARM Processors: ❏ add build_in_no_speculate() to your compilation process
Conclusion ❏ Software Isolation techniques are widely deployed ❏ A fundamental security assumption underpinning all of these is that the CPU will faithfully execute software, including its safety checks ❏ Speculative execution violates this assumption that allow adversaries to determine the contents of memory and register ❏ Trade-offs between security and performance 38
THANKS! Any questions? Sergiy Shevchenko s.shevchenko @studenti.unisa.it Marco Cipriano m.cipriano12 @studenti.unisa.it

Recommandé

Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
Data oriented design and c++
Data oriented design and c++Data oriented design and c++
Data oriented design and c++Mike Acton
 
Final Exam OS fall 2012-2013 with answers
Final Exam OS fall 2012-2013 with answersFinal Exam OS fall 2012-2013 with answers
Final Exam OS fall 2012-2013 with answersArab Open University and Cairo University
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Understand more about C
Understand more about CUnderstand more about C
Understand more about CYi-Hsiu Hsu
 
Dpdk performance
Dpdk performanceDpdk performance
Dpdk performanceStephen Hemminger
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 

Recommandé

Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
Data oriented design and c++
Data oriented design and c++Data oriented design and c++
Data oriented design and c++Mike Acton
 
Final Exam OS fall 2012-2013 with answers
Final Exam OS fall 2012-2013 with answersFinal Exam OS fall 2012-2013 with answers
Final Exam OS fall 2012-2013 with answersArab Open University and Cairo University
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Understand more about C
Understand more about CUnderstand more about C
Understand more about CYi-Hsiu Hsu
 
Dpdk performance
Dpdk performanceDpdk performance
Dpdk performanceStephen Hemminger
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Understanding Android Benchmarks
Understanding Android BenchmarksUnderstanding Android Benchmarks
Understanding Android BenchmarksKoan-Sin Tan
 
Writing and testing high frequency trading engines in java
Writing and testing high frequency trading engines in javaWriting and testing high frequency trading engines in java
Writing and testing high frequency trading engines in javaPeter Lawrey
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of MeltdownsAndriy Berestovskyy
 
PCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image DescriptorsPCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image Descriptorswolf
 
LLVM introduction
LLVM introductionLLVM introduction
LLVM introductionNational Cheng Kung University
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data OrientationElectronic Arts / DICE
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeeringKent Huang
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Introduction to the LLVM Compiler System
Introduction to the LLVM Compiler SystemIntroduction to the LLVM Compiler System
Introduction to the LLVM Compiler Systemzionsaint
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interfaceDenys Haryachyy
 
Video Drivers
Video DriversVideo Drivers
Video DriversAnil Kumar Pugalia
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
Bellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptxBellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptxAshikHridoy2
 
Attacking Windows NDIS Drivers
Attacking Windows NDIS DriversAttacking Windows NDIS Drivers
Attacking Windows NDIS DriversKique Nissim
 
Experiment 9(exceptions)
Experiment 9(exceptions)Experiment 9(exceptions)
Experiment 9(exceptions)ShivamKumar682885
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPUTomer Gabel
 
Bcs 052 solved assignment
Bcs 052 solved assignmentBcs 052 solved assignment
Bcs 052 solved assignmentIndira Gnadhi National Open University (IGNOU)
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 

Contenu connexe

Tendances

Understanding Android Benchmarks
Understanding Android BenchmarksUnderstanding Android Benchmarks
Understanding Android BenchmarksKoan-Sin Tan
 
Writing and testing high frequency trading engines in java
Writing and testing high frequency trading engines in javaWriting and testing high frequency trading engines in java
Writing and testing high frequency trading engines in javaPeter Lawrey
 
PCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image DescriptorsPCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image Descriptorswolf
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeeringKent Huang
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Introduction to the LLVM Compiler System
Introduction to the LLVM Compiler SystemIntroduction to the LLVM Compiler System
Introduction to the LLVM Compiler Systemzionsaint
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
Bellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptxBellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptxAshikHridoy2
 
Attacking Windows NDIS Drivers
Attacking Windows NDIS DriversAttacking Windows NDIS Drivers
Attacking Windows NDIS DriversKique Nissim
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPUTomer Gabel
 

Tendances (20)

Understanding Android Benchmarks
Understanding Android BenchmarksUnderstanding Android Benchmarks
Understanding Android Benchmarks
 
Writing and testing high frequency trading engines in java
Writing and testing high frequency trading engines in javaWriting and testing high frequency trading engines in java
Writing and testing high frequency trading engines in java
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
 
PCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image DescriptorsPCA-SIFT: A More Distinctive Representation for Local Image Descriptors
PCA-SIFT: A More Distinctive Representation for Local Image Descriptors
 
LLVM introduction
LLVM introductionLLVM introduction
LLVM introduction
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data Orientation
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeering
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
Introduction to the LLVM Compiler System
Introduction to the LLVM Compiler SystemIntroduction to the LLVM Compiler System
Introduction to the LLVM Compiler System
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
 
Bellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptxBellman-Ford Algorithm.pptx
Bellman-Ford Algorithm.pptx
 
Attacking Windows NDIS Drivers
Attacking Windows NDIS DriversAttacking Windows NDIS Drivers
Attacking Windows NDIS Drivers
 
Experiment 9(exceptions)
Experiment 9(exceptions)Experiment 9(exceptions)
Experiment 9(exceptions)
 
How shit works: the CPU
How shit works: the CPUHow shit works: the CPU
How shit works: the CPU
 
Bcs 052 solved assignment
Bcs 052 solved assignmentBcs 052 solved assignment
Bcs 052 solved assignment
 

Similaire à Meltdown & spectre

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
 
Gpu and The Brick Wall
Gpu and The Brick WallGpu and The Brick Wall
Gpu and The Brick Wallugur candan
 
Java gpu computing
Java gpu computingJava gpu computing
Java gpu computingArjan Lamers
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...corehard_by
 
Troubleshooting .net core on linux
Troubleshooting .net core on linuxTroubleshooting .net core on linux
Troubleshooting .net core on linuxPavel Klimiankou
 
OS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switchOS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switchDaniel Ben-Zvi
 
Craftsmanship in Computational Work
Craftsmanship in Computational WorkCraftsmanship in Computational Work
Craftsmanship in Computational WorkYung-Yu Chen
 
Alto Desempenho com Java
Alto Desempenho com JavaAlto Desempenho com Java
Alto Desempenho com Javacodebits
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...Kinson Chan
 

Similaire à Meltdown & spectre (20)

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Data race
Data raceData race
Data race
 
Java Memory Model
Java Memory ModelJava Memory Model
Java Memory Model
 
Defcon CTF quals
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
 
Gpu and The Brick Wall
Gpu and The Brick WallGpu and The Brick Wall
Gpu and The Brick Wall
 
Java gpu computing
Java gpu computingJava gpu computing
Java gpu computing
 
Memory model
Memory modelMemory model
Memory model
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
C++ CoreHard Autumn 2018. Concurrency and Parallelism in C++17 and C++20/23 -...
 
Troubleshooting .net core on linux
Troubleshooting .net core on linuxTroubleshooting .net core on linux
Troubleshooting .net core on linux
 
OS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switchOS scheduling and The anatomy of a context switch
OS scheduling and The anatomy of a context switch
 
Craftsmanship in Computational Work
Craftsmanship in Computational WorkCraftsmanship in Computational Work
Craftsmanship in Computational Work
 
Alto Desempenho com Java
Alto Desempenho com JavaAlto Desempenho com Java
Alto Desempenho com Java
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
TrC-MC: Decentralized Software Transactional Memory for Multi-Multicore Compu...
 

Plus de Sergio Shevchenko

Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...Sergio Shevchenko
 
Kubernetes - from sketch to production
Kubernetes - from sketch to productionKubernetes - from sketch to production
Kubernetes - from sketch to productionSergio Shevchenko
 
Burrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabasesBurrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabasesSergio Shevchenko
 
Design patterns: Creational patterns
Design patterns: Creational patternsDesign patterns: Creational patterns
Design patterns: Creational patternsSergio Shevchenko
 
Qt Multiplatform development
Qt Multiplatform developmentQt Multiplatform development
Qt Multiplatform developmentSergio Shevchenko
 

Plus de Sergio Shevchenko (12)

Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
Gestione dell'economia nelle reti di Self Sovereign Identity con Algorand Sm...
 
Kubernetes - from sketch to production
Kubernetes - from sketch to productionKubernetes - from sketch to production
Kubernetes - from sketch to production
 
The Google file system
The Google file systemThe Google file system
The Google file system
 
μ-Kernel Evolution
μ-Kernel Evolutionμ-Kernel Evolution
μ-Kernel Evolution
 
Burrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabasesBurrows-Wheeler transform for terabases
Burrows-Wheeler transform for terabases
 
Presentazione CERT-CHECK
Presentazione CERT-CHECKPresentazione CERT-CHECK
Presentazione CERT-CHECK
 
Design patterns: Creational patterns
Design patterns: Creational patternsDesign patterns: Creational patterns
Design patterns: Creational patterns
 
Bitcoin and blockchain
Bitcoin and blockchainBitcoin and blockchain
Bitcoin and blockchain
 
Qt Multiplatform development
Qt Multiplatform developmentQt Multiplatform development
Qt Multiplatform development
 
Qt for beginners
Qt for beginnersQt for beginners
Qt for beginners
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
Mobile Factor App
Mobile Factor AppMobile Factor App
Mobile Factor App
 

Dernier

Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 

Dernier (20)

Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 

Meltdown & spectre

  • 1. Meltdown & Spectre Mitigate the unmitigable Based on ● Meltdown: Reading Kernel Memory from User Space ● Spectre Attacks: Exploiting Speculative Execution
  • 3. ● What are them? ○ Vulnerabilities in most modern CPU, due to poorly understood interactions between speculative execution and side effects ● When? ○ Discovered in june/july of 2017 but leaked on 4th of january 2018 by Google’s Project Zero ● Effects? ○ Need to modify: ■ CPU Memory ■ OS Virtual memory handling ■ Compilers ■ Hypervisors ■ Browsers ○ Real solution: change CPU DESIGN 3 Are considered the greatest hardware vulnerabilities in computer history
  • 4. Today’s Agenda 1. Speculative Execution 2. Meltdown attack 3. Spectre attack 4
  • 5. 1. Speculative Execution Let’s start from the beginning Presented by Sergiy Shevchenko
  • 6. Basic memory model of modern CPU ❑ Each CPU has 3 caches*: ❏ L1 with access latency ~ 5 cycles (1.2 ns) ❏ L2 with access latency ~ 10 cycles (4.2 ns) ❏ L3 with access latency ~ 40 cycles (20 ns) ❏ DRAM (100 ns) *Modern Core i7 Xeon Server Edition 6
  • 7. Fetch-decode-execute parallelism ❑ On a non-pipelined CPU, when a instruction is being processed at a particular stage, the other stages are at an idle state ❑ On a pipelined CPU, all the stages work in parallel: ❏ When the 1st instruction is being decoded by the Decoder Unit, the 2nd instruction is being fetched by the Fetch Unit. It only takes 5 clock cycles to execute 2 instructions on a pipelined CPU. Image source: https://stackpointer.io/hardware/how-pipelining-improves-cpu-performance/113/ 7
  • 8. Intel SkyLake CPU Microarchitecture ❑ Simplified illustration of a single core of the Intel’s Skylake microarchitecture ❑ Instructions are decoded into µOPs and executed out-of-order in the execution engine by individual execution units Figure from MeltDown by Lipp https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf 8
  • 9. Out-of-order processing 1 op per cycle 9 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
  • 10. Out-of-order processing 1 op per cycle 10 ❑ t = a + b ❑ u = c + d ❑ v = e + f ❑ w = v + g ❑ x = h + i ❑ y = j + k 6 clock cycles ❑ t = a + b, u = c + d ❑ v = e + f, w = v + g ❑ x = h + i, y = j + k 3 clock cycles 2 op per cycle
  • 11. Out-of-order processing 11 ❑ t = a + b, u = c + d ❑ v = e + f ❑ w = v + g, x = h + i ❑ y = j + k ❑ t = a + b, u = c + d ❑ v = e + f, y = j + k ❑ w = v + g, x = h + i 3 clock cycles, 2 op per cycle and out-of-order execution
  • 12. Fast in a straight line not so good on corners
  • 13. Branch prediction 13 ❑ Pipelining, superscalar and out-of-order execution only helps if you know what instructions are coming next ❑ Conditionals are a problem - we don’t know what to load into a pipeline until conditional IF is clear Branch prediction will help: let's guess ❑ If the guess is right, great ❑ If the guess is wrong, clear pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf B1 B2 ?
  • 14. Branch prediction + Speculative execution 14 ❑ Cache misses cause long delay in data extraction ❑ Speculative execution: ❏ Execute instructions on predicted branch ❏ If prediction was right - great! ❏ If prediction was wrong - undo all effects of running in speculative mode and flush pipeline Branch Prediction Is Not A Solved Problem: Measurements, Opportunities, and Future Directions https://arxiv.org/pdf/1906.08170.pdf
  • 15. Example of branch prediction with speculation 15 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } Without speculation can’t reorder anything
  • 16. Example of branch prediction with speculation 16 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. if (G == 0){ 5. J = H + I; 6. L = J + K; 7. N = L + M; 8. } With speculation 1. C = A + B; _J = H + I; 2. E = C + D; _L = _J + K; 3. G = E + F; _N = _L + M; 4. if (G == 0){ 5. J =_J; L =_L; N=_N; 6. } Only make results available if G equals 0 ALU 1 ALU 2 ALU 1
  • 17. Virtual memory ❑ Virtual memory is divided into Kernel and User space ❑ Page table handles mappings ❑ Kernel space pages have an extra bit ❑ If user code tries accessing kernel space a trap will occur 17 Kernel space User space Physical memory Page table
  • 19. Meltdown Abstract 19 Meltdown exploits side effects of out-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. ...read memory of process or virtual machines in the cloud without any permissions or privileges. CVE-2017-5754
  • 20. Meltdown attack: side channel 20 1. C = A + B; 2. E = C + D; 3. G = E + F; 4. Z = G + Y 5. if (Z == 0){ 6. J = kernel_mem[addr]; 7. L = J & 0x01; 8. N = L * 4096; 9. M = user_mem[N]; 10. } 1. C = A + B; _J = kernel_mem[addr]; 2. E = C + D; _L = _J & 0x01; 3. G = E + F; _N = _L * 4096; 4. Z = G + Y; _M = user_mem[_N]; 5. if (Z == 0){ 6. J =_J; L =_L; N =_N; M =_M; 7. } 8. t1 = get_time(); 9. V = user_mem[0]; 10. t2 = get_time(); 11. delta = t2 - t1; ALU 1 ALU 2 Predictor thinks this is true Normally, this should receive segmentation fault, but not in speculative case As this will never being executed, _J, _L and _N will be never revealed If the difference is < 10 cycles the 1st bit of kernel_mem[addr] = 0 Side channel magic here
  • 21. Meltdown attack performance 21 ❑ Core i7-8700K: ❏ 582 KB/s error 0.003% ❑ Core i7-6700K: ❏ 569 KB/s error 0.002% ❑ Intel Xeon E5-1630: ❏ 491 KB/s error 10.7% * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
  • 22. Meltdown mitigation 22 ❑ Why do operating systems map kernel memory into global address space? ❏ ...making in this way Meltdown possible.. ❑ .. because of memory page caching named TLB (translation lookaside buffer) ❏ Page table is stored in memory itself, so accessing it costs a lot * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf
  • 23. TLB 23 ❑ A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location, it is a part of MMU ❑ If you try accessing page which is not in TLB need to traverse all page table to find where the physical page is ❏ Cost is near 300-600 cycles! * Meltdown Main Paper https://meltdownattack.com/meltdown.pdf Kernel space User space Physical memory MMU TLB
  • 24. KPTI - Kernel Page Table Isolation 24 ❑ Only have user space memory mapping in the page table ❏ So meltdown can “physically” read kernel memory ❑ Some additional line of code in kernel to handle userspace and kernel space page table switching
  • 25. KPTI - Kernel Page Table Isolation 25 ❑ Complete mitigation of meltdown ❑ Changing page tables requires flushing TLB ❑ Big impact on performance (this will happen on each OS Call!) ❑ In some cases > 50% slowdown ❑ Newer Intel CPU has association Process Context ID with TLB ❏ This allows flushing only part of TLB
  • 26. 3. Spectre attack A really hard part Presented by Marco Cipriano
  • 27. Spectre Abstract 27 ❏ Spectre Variant 1: Bound Check Bypass ❏ Exploiting Conditional Branches ❏ CVE-2017-5753 ❏ Spectre Variant 2: Branch Target Injection ❏ Exploiting Indirect Branches ❏ CVE-2017-5715 Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and wich leak victim’s confidential information via a side channel to the adversary
  • 30. Spectre attack: Overview 30 ❑ Setup Phase: Minstrain the CPU ❑ Speculative Execution of Instructions that leak sensitive information to side channel ❑ Recovering sensitive instruction from side channel using: ❏ Flush + Reload ❏ Evict + Reload Yarom, Y., and Fakner, K. - FLUSH+RELOAD: A HIGH RESOLUTION, LOW NOISE, L3 CACHE SIDE-CHANNEL ATTACK, - in Usenix Security Symposium (2014). transitories
  • 31. Variant 1 : Bound Check Bypass 31 1. array a = …; // size 400 2. array b = …; // size 512 3. offset = …; // user input 4. if (offset < size(a)){ 5. v = a[offset]; 6. i = (v & 0x01) * 4096; 7. x = b[i]; 8. }
  • 32. Variant 2 : Poisoning Indirect Branches ❏ Indirect branch instructions have ability to jump to more than two possible target addresses. ❏ X86 example ❏ jmp eax: Address in register ❏ jmp [eax]: Address in memory location ❏ jmp dword ptr [0x12345678] ❏ Address from the stack (“ret”) ❏ MIPS example ❏ jr $ra 32
  • 33. How can we use this? ❏ Find unsafe user code [unlikely] ❏ Use JIT Compiler of user code [highly likely] ❏ Google PoC uses BPF (packet filter in JIT) in Linux kernel ❏ Microsoft PoC uses Javascript ❏ Potentially any visited website can access all your RAM memory 33
  • 35. Attack Variation 1 : Evict + Time 35 Selecting bit to analyze Measuring access time If data is on CPU cache saving it
  • 37. Preventing Speculative Execution Inserting speculative execution blocking instructions ❏ Degrades performance if used too extensively ❏ Use static analysis to find out optimum placement of blocking instructions ❏ Requires code recompilation 37 ❏ Intel Processors: ❏ add lfence before IF in bound checks (prevent speculation) ❏ ARM Processors: ❏ add build_in_no_speculate() to your compilation process
  • 38. Conclusion ❏ Software Isolation techniques are widely deployed ❏ A fundamental security assumption underpinning all of these is that the CPU will faithfully execute software, including its safety checks ❏ Speculative execution violates this assumption that allow adversaries to determine the contents of memory and register ❏ Trade-offs between security and performance 38