
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks



  1. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz, Stefan Mangard. IAIK, Graz University of Technology, Austria. Usenix Security 2016, August 11. www.iaik.tugraz.at


  3. Setting – Cloud Servers
      - Multi-CPU (multi-socket) systems
      - Multiple tenants
        - separate VMs
        - dedicated CPUs
        - no shared cache
      - No shared memory
        - no cross-VM memory deduplication
      - Previously
        - slow covert channel (< 1 kbps)
        - no side channel

  4. Overview
      - Cross-CPU attacks using DRAM addressing (DRAMA)
        - fast covert channel (up to 2 Mbps)
        - first side-channel attack
      - Reverse-engineered DRAM addressing
        - two approaches
      - Improving existing attacks

  5. DRAM Organization
      Hierarchy of
      - CPUs
      [Diagram labels: CPU 1 with MC and DRAM Bus, Interconnect, CPU 2 with MC and DRAM Bus]

  6. DRAM Organization
      Hierarchy of
      - CPUs
      - Channels
      - DIMMs
      [Diagram labels: CPU, MC, Channel A, Channel B, four DIMMs]

  7. DRAM Organization
      Hierarchy of
      - CPUs
      - Channels
      - DIMMs
      - Ranks
      - Banks
      [Diagram labels: Bank 1, Bank 2, ..., Bank 8]

  8. DRAM Banks
      - Memory array
        - rows of columns
      - Row Buffer
        - buffers one entire row (8 KB)
      [Diagram labels: Row 1, Row 2, Row N, Row Buffer]

  9. The Row Buffer
      - Behavior similar to a cache
        - row hits: fast access
        - row conflicts: slow access

  10. Reverse Engineering of DRAM Addressing

  11. Reverse-Engineering DRAM Addressing
      - Mapping to banks using physical-address bits
      - "Complex" addressing functions
        - distribute traffic to channels/banks
        - undisclosed (Intel)
      - Two approaches to reverse engineer
      - Presumption: linear functions (XORs)

  12. Approach 1: Probing the Memory Bus
      - Probing of control signals
        - CS, BA, …
        - measure voltage with an oscilloscope
        - recover logic value
      - Repeated access to address
        - until value is determined
      - Function reconstruction
        - linear algebra over bits

  13. Approach 2: Fully Automated SW-based
      - Exploit timing differences
      - Measuring phase
        - build sets of same-bank addresses
        - alternating access to two addresses
        - measure avg. access time
      - Reconstruction phase
        - exhaustive search over linear functions with up to n set coefficients
      - Total time: seconds

  14. Comparison
      - Probing
        - recover function labels
        - find a ground truth
        - equipment and access to internals of machine
      - SW-based
        - fully automated
        - ability to run remotely, sandboxed, and on mobile devices

  15. Some Results - Desktop
      Intel Haswell (desktop system) – DDR3
      [Figure: addressing functions BA0, BA1, Rank, BA2 and Ch. drawn over physical-address bits 6 to 22]

  16. Some Results – Server System
      Dual-CPU Intel Haswell-EP – DDR4
      [Figure: addressing functions BG0, CPU, Rank, BG1, BA0, BA1 and Ch. drawn over physical-address bits 6 to 26]

  17. Some Results – Mobile
      Samsung Exynos 7420 (Galaxy S6) – LPDDR4
      [Figure: addressing functions Rank, BA0, BA1, BA2 and Ch. drawn over physical-address bits 6 to 22]

  18. Cross-CPU Attacks
      …and how it continues with Romeo and Juliet

  19. High-speed covert channel

  20. Concept
      - Occupy different rows in the same bank
      - Sender
        - send 1: continuously access row
        - send 0: don't do anything
      - Receiver
        - access row and measure avg. time
        - infer sent bits based on time
      [Diagram labels: Sender, Receiver, Row Buffer]

  21. Implementation
      - Each bank is a channel
        - use up to 8 banks in parallel
        - multithreading
      - Performance:
        - desktop: 2.1 Mbps
        - multi-CPU server: 1.2 Mbps
      [Figure: Intel Haswell (desktop system)]

  22. Performance Comparison
      (table columns: Performance, Cross-CPU, No Shared Memory)
      - Ours: 2.1 Mbps
      - Prime+Probe [2]: 536 Kbps
      - Flush+Reload [2]: 2.3 Mbps
      - Flush+Flush [2]: 3.8 Mbps
      - Memory Bus Contention [3]: 746 bps
      - Deduplication [4]: 90 bps

  23. Low-noise side-channel attack

  24. Spying on Memory Accesses
      - Memory in the same row/bank
        - row size 8 KB / page size 4 KB
      - Spy activates conflict row
      - Victim computes and possibly accesses shared row
      - Spy accesses shared row
        - fast → row hit → victim access
      [Diagram labels: Victim, Spy, Row Buffer]

  25. Example: Keystrokes in Firefox address bar

  26. Implementation
      - high spatial accuracy (down to 512 B)
      - very low number of false positives
      - monitor single events
      - Finding addresses: template attack [1]
        - automatic location of vulnerable addresses
        - scan large fraction of memory (4 KB pages)

  27. Countermeasures to DRAMA
      - Restrictions of
        - rdtsc
        - clflush
      - Multi-CPU: separating DRAM for tenants
        - only access to CPU-local memory
        - degradation into single-CPU system
      - Detection via high number of cache misses / row conflicts

  28. Improving Attacks - Rowhammer
      - Rowhammer
        - inducing bit flips in DRAM
        - by quickly switching rows
        - requires addressing functions
      - First documented bit flips on DDR4
        - Jan. 2016

  29. The End
      … of Romeo and Juliet

  30. Source code for reverse-engineering tool and side-channel attack at https://github.com/IAIK/drama


  32. Bibliography
      [1] Gruss, Spreitzer, Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In Usenix Security 2015
      [2] Gruss, Maurice, Wagner, Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In DIMVA'16
      [3] Wu, Xu, Wang. Whispers in the Hyper-space: High-bandwidth and Reliable Covert Channel Attacks Inside the Cloud. In Usenix Security 2012
      [4] Xiao, Xu, Huang, Wang. Security implications of memory deduplication in a virtualized environment. In DSN'13
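
The reconstruction phase from slide 13, as an added example that is not taken from the slides or from the IAIK tool: it runs the exhaustive search over XOR functions on constructed same-bank sets, with no timing measurement involved. The mapping in `TRUTH`, the names `build_sets` and `find_functions`, the searched bit range and the step that drops linear combinations of functions already found are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
enum { LO = 6, HI = 22, NSETS = 8, PER_SET = 64 };  /* searched bits, set sizes */
/* Constructed ground truth: a hypothetical mapping, not a real platform's. */
static const uint64_t TRUTH[3] = {(1ull << 13) | (1ull << 17),
    (1ull << 14) | (1ull << 18), (1ull << 15) | (1ull << 19)};
static uint64_t sets[NSETS][PER_SET];
static int parity(uint64_t x) { int p = 0; for (; x; x &= x - 1) p ^= 1; return p; }
static int popcnt(uint64_t x) { int n = 0; for (; x; x &= x - 1) n++; return n; }

/* Stand-in for the measuring phase: bucket pseudo-random addresses by bank. */
static void build_sets(void) {
    int fill[NSETS] = {0}, full = 0;
    uint64_t s = 1;
    while (full < NSETS) {
        uint64_t z = (s += 0x9e3779b97f4a7c15ull);   /* splitmix64 step */
        z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ull;
        z = (z ^ (z >> 27)) * 0x94d049bb133111ebull;
        uint64_t a = (z ^ (z >> 31)) & 0x7fffc0ull;  /* keep bits 6..22 */
        int bank = 0;
        for (int f = 0; f < 3; f++) bank |= parity(a & TRUTH[f]) << f;
        if (fill[bank] < PER_SET) { sets[bank][fill[bank]++] = a; full += (fill[bank] == PER_SET); }
    }
}

/* Reconstruction phase: keep each XOR mask with <= max_bits set bits whose parity
 * is constant in every set and that is not a combination of masks already kept. */
static int find_functions(int max_bits, uint64_t *out) {
    uint64_t basis[HI + 1] = {0};  /* reduced XOR basis, indexed by leading bit */
    int found = 0;
    for (int k = 1; k <= max_bits; k++)       /* fewest coefficients first */
        for (uint64_t m = 1ull << LO; m < (1ull << (HI + 1)); m += 1ull << LO) {
            int ok = popcnt(m) == k;
            for (int j = 0; j < NSETS * PER_SET && ok; j++)
                ok = parity(sets[j / PER_SET][j % PER_SET] & m) == parity(sets[j / PER_SET][0] & m);
            uint64_t r = ok ? m : 0;          /* reduce candidate against the basis */
            for (int b = HI; b >= LO && r; b--)
                if (((r >> b) & 1) && basis[b]) r ^= basis[b];
                else if ((r >> b) & 1) { basis[b] = r; out[found++] = m; r = 0; }
        }
    return found;
}

int main(void) {
    uint64_t f[HI + 1];
    build_sets();
    for (int i = 0, n = find_functions(6, f); i < n; i++) printf("mask 0x%llx\n", (unsigned long long)f[i]);
    return 0;
}
```

With three independent functions the eight sets admit seven constant-parity masks in total; the basis reduction keeps only the three with the fewest set bits.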
