meltdown spectre attacks overview
play

Meltdown & Spectre Attacks Overview An analogy CPU cache and - PowerPoint PPT Presentation

Jun 10, 2023 •428 likes •732 views

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

  1. Meltdown & Spectre Attacks

  2. Overview • An analogy • CPU cache and use it as side channel • Meltdown attack • Spectre attack

  3. Microsoft Interview Question

  4. Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room

  5. CPU Cache

  6. From Lights to CPU Cache Question You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?

  7. Using CPU Cache to Remember Secret

  8. The FLUSH+RELOAD Technique Secret S FLUSH: RELOAD: Access memory Flush the Check which one location at S CPU Cache is in the cache

  9. FLUSH+RELOAD: The FLUSH Step Flush the CPU Cache

  10. FLUSH+RELOAD: The RELOAD Step

  11. The Meltdown Attack

  12. The Security Room and Guard

  13. Staying Alive: Exception Handling in C

  14. Out-Of-Order Execution

  15. Out-of-Order Execution How do I prove that the out-of-order execution has happened?

  16. Out-of-Order Execution Experiment Evidence of out-of-order execution

  17. Meltdown Attack: A Naïve Approach

  18. Improvement: Get Secret Cached Why does this help?

  19. Improve the Attack Using Assembly Code Execution Results

  20. Improve the Attack Using Statistic Approach

  21. Countermeasures • Fundamental problem is in the CPU hardware Expensive to fix • • Develop workaround in operating system • KASLR (Kernel Address Space Layout Randomization) Does not map any kernel memory in the user space, except for some parts • required by the x86 architecture (e.g., interrupt handlers) User-level programs cannot directly use kernel memory addresses, as such • addresses cannot be resolved

  22. The Spectre Attack

  23. Will It Be Executed? Will Line 3 be executed if x > size ?

  24. Out-Of-Order Execution

  25. Let’s Find a Proof size is 10 FLUSH RELOAD Training Invoke Flush the Check which one is Train CPU to go victim(97) CPU Cache in the cache to the true branch Evidence Not always working though

  26. Target of the Attack This protection pattern is widely used in software sandbox (such as those implemented inside browsers)

  27. The Spectre Attack spectreAttack(int larger_x)

  28. Attack Result Why is 0 in the cache? Success

  29. Spectre Variant and Mitigation • Since it was discovered in 2017, several Spectre variants have been found • Affecting Intel, ARM, and ARM • The problem is in hardware • Unlike Meltdown, there is no easy software workaround

  30. Summary • Stealing secrets using side channels • Meltdown attack • Spectre attack • A form of race condition vulnerability • Vulnerabilities are inside hardware • AMD, Intel, and ARM are affected

Recommend

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre

Spectre and Meltdown Clifford Wolf q/Talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative execution It allows a program

441 views • 16 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

1.58k views • 140 slides
Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer

Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Jon Masters, Computer Architect, Red Hat, Inc. jcm@redhat.com | @jonmasters 2 Exploiting modern microarchitectures: Meltdown, Spectre, and other attacks Overview

2.11k views • 184 slides
Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck ISSE Brussels, November 6, 2018 A primer on software security Secure

897 views • 58 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team

Spectre/Meltdown at eCG: Rebooting 80k cores Bruno Bompastor Adrian Joian Cloud Reliability Team 2018 10 Brands In Multiple Countries NL/DE Datacenters Spectre/Meltdown - Meltdown: melts security boundaries which are normally enforced by

305 views • 26 slides
Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

2/21/2018 Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up! Jos van Eijndhoven Synopsys {040CODERS.nl} Meetup 20180215 Jos van Eijndhoven Profession: IC design tools, Hobby: Processor design

545 views • 15 slides
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project

Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval Yarom (University of Adelaide and

243 views • 22 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 3.5 Meltdown and Spectre Prof. Nadim Kobeissi But Nadim, why are we covering this? 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Fixed confidentially across whole

365 views • 24 slides
arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to access system memory . Meltdown takes advantage of speculative execution , in particular its ability to meltdown security barrier

369 views • 8 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

335 views • 18 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

526 views • 25 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown

Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown

Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernel- memory locations Breaks all security assumptions given by address space

159 views • 13 slides
SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS

SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS

SpECTRE CCE tutorial ICERM, September 2020 Jordan Moxon, on behalf of the SpECTRE team and SXS moxon@black-holes.org I. INTRODUCTION This is a quick description on how to get up and running with the stand-alone version of the SpECTRE CCE

546 views • 6 slides
SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1,

SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1,

SpECTRE: Towards improved simulations of relativistic astrophysical systems Nils Deppe May 1, 2019 github.com/sxs-collaboration/spectre 1 Table of Contents 1 Background and motivation 2 Numerical methods 3 SpECTRE implementation

880 views • 38 slides
A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++

A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++

A SpECTRE With a New face Nils Deppe Simulating eXtreme Spacetimes Collaboration Charm ++ Workshop April 11, 2018 github.com/sxs-collaboration/spectre A SpECTRE With a New Face 1 / 21 Table of Contents 1 SpECTRE 2 The New face

623 views • 29 slides
ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella,

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella,

ConTExT A Generic Approach for Mitigating Spectre Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss February 26, 2020 Graz University of Technology Transient Execution Attacks www.tugraz.at 1

1.07k views • 80 slides
Goals for Today Learning Objective: Explore how operating systems fail. Announcements,

Goals for Today Learning Objective: Explore how operating systems fail. Announcements,

Goals for Today Learning Objective: Explore how operating systems fail. Announcements, etc: MP3 is out! Due April 18th . Monday Spectre & Meltdown presentation w/ Chris Fletcher!! Wednesday MP4 Walkthrough w/

387 views • 18 slides
ATRADIUS INDUSTRY OVERVIEW Headlines UK Steel Industry in Meltdown Tata Steel Confirms

ATRADIUS INDUSTRY OVERVIEW Headlines UK Steel Industry in Meltdown Tata Steel Confirms

ATRADIUS INDUSTRY OVERVIEW Headlines UK Steel Industry in Meltdown Tata Steel Confirms 1,200 job losses British Steel in Crisis UK St Steel Se Sector Imploding Steel production in the UK has been in decline for

795 views • 5 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
The impact of Meltre and Specdown on microkernel systems Matthias Lange, Kernkonzept GmbH, FOSDEM

The impact of Meltre and Specdown on microkernel systems Matthias Lange, Kernkonzept GmbH, FOSDEM

The impact of Meltre and Specdown on microkernel systems Matthias Lange, Kernkonzept GmbH, FOSDEM 2019 We need to talk about Meltre and Specdown. Conf call with customer, early 2018 The impact of Meltdown and Spectre on the L4Re

621 views • 47 slides

More recommend