microarchitectural attacks and
play

Microarchitectural Attacks and Heterogenous Cloud Computing By - PowerPoint PPT Presentation

Oct 24, 2023 •374 likes •663 views

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

  1. Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi

  2. Outline Data Dependency ▪ SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks ▪ Intel SCAP: Protecting Accelerators in the Cloud ▪ 2

  3. Data Dependency add %ebx, %eax 1 sub %eax, %edx 2 xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 3

  4. Data Dependency - Pipelined Execuction add %ebx, %eax 1 IF ID sub %eax, %edx 2 IF xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 4

  5. Data Dependency - Pipelined Execuction add %ebx, %eax 1 IF ID EX sub %eax, %edx 2 IF ID xor %ecx, %ecx IF 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 5

  6. Data Dependency - Pipelined Execuction add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX xor %ecx, %ecx IF ID 3 add %eax, %edi IF 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 6

  7. Data Dependency - Pipelined Execuction add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX EX WB xor %ecx, %ecx IF ID 3 EX WB add %eax, %edi WB EX IF ID 4 EX WB IF ID sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 7

  8. 4K Aliasing False Dependency Memory loads/stores are executed out of order and speculatively ▪ The dependency is verified after the execution! ▪ mov %eax, (%ebx) Execute Execute Store Load Store mov (%ecx), %edx Load Dependent? Yes 4K Aliasing: Addresses that are 4K apart are assumed dependent ▪ Re-execute the load and corresponding instructions due to false dependency ▪ Virtual-to-physical address translation → Memory disambiguation ▪ 8

  9. SPOILER 9

  10. 1 MB Aliasing False Dependency 10

  11. 1 MB Aliasing False Dependency 11

  12. 1 MB Aliasing False Dependency 12

  13. Cross-Context Address Leakage? 13

  14. Rowhammer – Bank Colocation DRAM Banks are mapped based on the physical address ▪ 14

  15. Rowhammer – Detecting Contiguous Memory Memory is contiguous when the peaks 256 apart ▪ 15

  16. Cache Attacks Cache sets are mapped based on the physical address. ▪ https://github.com/UzL-ITS/Spoiler ▪ 16

  17. Optimized Application- ▪ specific Hardware Configuration e.g. Real-time Artificial ▪ Intelligence Accelerators in the Cloud 17

  18. Side channels on Heterogeneous Accelerators New Attack Surface: ▪ Accelerator Function Units (AFUs) placed on the FPGA can be used to interact with the CPU ▪ or other AFUs for malicious purpose. AFU to AFU Attack ▪ AFU to HPS Attack ▪ AFU to CPU Attack ▪ CPU to AFU Attack ▪ Across VMS ? ▪ Customizable Hardware → More Devastating Attacks ▪ E.g. Design your own timers, Direct access to memory interface, etc. ▪ Complex Threat Model ▪ 18

  19. Integrated FPGA-CPU Platforms 19

  20. Attack Vectors Rowhammer DMA/IOMMU Cache Attacks ▪ ▪ ▪ Trojan Bitstreams FPGA-centric Attacks Cold Boot ▪ ▪ ▪ 20

  21. Replicating μ Arch Attacks on FPGA-CPU Interface Memory Interface and the Cache Coherency Protocol ▪ Side-channel Analysis of Memory Operations ▪ 21

  22. Lab/Collaboration Setup Weekly Meeting ( 2 Faculty + 3 Students = 5 people are actively involved.) ▪ Software ▪ OPAE Stack ▪ Intel Quartus (Synthesis) ▪ KVM (Virtualization Scenario) ▪ Hardware ▪ Remote Access to Intel Labs (Xeon) ▪ Local Server including Intel PAC ▪ Heavy Load Workstation (Synthesis) ▪ 22

  23. Cache Attack and FPGAs 23

  24. Cache Attack and FPGAs 24

  25. WPI + Lubeck Team 25

  26. Other Works Transient Execution Attacks ▪ Schwarz et al. “ ZombieLoad: Cross-Privilege- Boundary Data Sampling” ▪ Minkin et al. “Fallout: Reading Kernel Writes From User Space” ▪ Microarchitectural Side Channels ▪ Islam et al. “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks” ▪ Moghimi et al. “ MemJam: A False Dependency Attack against Constant-Time Crypto ▪ Implementations” Intel SGX / TEE ▪ Moghimi et al. “ CacheZoom : How SGX Amplifies The Power of Cache Attacks” ▪ Cryptographic Implementations ▪ Wichelmann et al. “ MicroWalk : A Framework for Finding Side Channels in Binaries” ▪ Dall et al. “ CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache ▪ Attacks” Are remote timing attack being still a thing in 2019 !??! ▪ 26

  27. Acknowledgements Thanks to Carlos Rosaz, Matthias Schunter, Anand ▪ Rajan, Evan Custodio and Alpa Trivedi from Intel 27

  28. THANKS ▪ Questions? @danielmgmi 28

Recommend

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universitt Bochum Outline Cloud and Cryptography Co-Location in the Cloud Cache Attacks in the

2.23k views • 37 slides
MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher Presented by Mengjia Yan MIT 6.888 Fall 2020 Why this paper? We have read

965 views • 42 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural Attacks Using Protean Code Jeremy Erickson Akshitha Sriraman Sai Gouravajhala jericks@umich.edu akshitha@umich.edu sairohit@umich.edu EECS 583:

331 views • 12 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

435 views • 21 slides
Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim, Christopher Torng, Shreesha Srinath, Derek Lockhart, and Christopher Batten Cornell University Cornell University IEEE/ACM International Symposium on

636 views • 31 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.

1.68k views • 138 slides
TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan Beckmann, Anurag Mukkara, Po-An Tsai MIT CSAIL MICRO-48 Tutorial December 5, 2015 Welcome! Agenda 4 8:30 9:10 Intro and Overview 9:10

1.53k views • 124 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem

1.59k views • 127 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

1.14k views • 63 slides
Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World

Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World

Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World Crypto & Privacy ibenik, Croata Outline Timing Attcks Ctche Attcks Cloud Ctche Attcks Speculttve Executon Attcks Preventng

434 views • 39 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Stratus: Clouds with Microarchitectural Resource Management Kaveh Razavi and Animesh Trivedi

Stratus: Clouds with Microarchitectural Resource Management Kaveh Razavi and Animesh Trivedi

Stratus: Clouds with Microarchitectural Resource Management Kaveh Razavi and Animesh Trivedi Once Upon a Time in the Cloud Large: 4 cores, 16 GB Medium: 2 cores, 8 GB Small: 1 core, 4 GB 2 Once Upon a Time in the Cloud Large: 4 cores, 16

852 views • 29 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides

More recommend