SlideShare a Scribd company logo

The ring 0 facade: awakening the processor's inner demons

Priyanka Aash
Priyanka Aash

In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc. Speakers: Christopher Domas, Cyber Security Researcher

Technology
1 of 57
Download to read offline
{domas / @xoreaxeaxeax / DEF CON 2018 The ring 0 facade: awakening the processor's inner demons
 Christopher Domas  Cyber Security Researcher ./bio
disclaimer: The research presented herein was conducted and completed as an independent consultant. None of the research presented herein was conducted under the auspices of my current employer. The views, information and opinions expressed in this presentation and its associated research paper are mine only and do not reflect the views, information or opinions of my current employer.
 General-purpose-registers  Special-purpose-registers  FPU, MMX, XMM, YMM, ZMM  Control registers  Model-specific-registers Processor registers
 Debugging  Execution tracing  Performance monitoring  Clocking  Thermal controls  Cache behavior Model-specific-registers
 Accessing MSRs:  Ring 0  Accessed by address, not name  0x00000000 – 0xFFFFFFFF  Only a small fraction are implemented  10s – few 100s  64 bits  Read with rdmsr  Read to edx:eax  Written with wrmsr  Written from edx:eax Model-specific-registers
movl $0x1a0, %%ecx /* load msr address */ rdmsr /* read msr 0x1a0 */ /* configure new values for msr */ orl $1, %%eax orl $4, %%edx wrmsr /* write msr 0x1a0 */ Model-specific-registers
 Undocumented debug features  Unlock disabled cores  Hardware backdoors Secrets…
“ Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs . ” - US 8341419 Secrets…
“ Nevertheless, the existence and location of the undocumented control MSRs are easily found by programmers, who typically then publish their findings for all to use. Furthermore, a processor manufacturer may need to disclose the addresses and description of the control MSRs to its customers for their testing and debugging purposes. The disclosure to the customer may result in the secret of the control MSRs becoming widely known, and thus usable by anyone on any processor. ” - US 8341419 Secrets…
“ The microprocessor also includes a secret key, manufactured internally within the microprocessor and externally invisible. The microprocessor also includes an encryption engine, coupled to the secret key, configured to decrypt a user-supplied password using the secret key to generate a decrypted result in response to a user instruction instructing the microprocessor to access the control register. ” - US 8341419 Secrets…
 Could my processor have… secret, undocumented, password protected …registers in it, right now? Secrets…
 AMD K7, K8  Known password protected MSRs  Discovered through firmware RE  32 bit password loaded into a GPR  Let’s start here, as a case study Password protections
movl $0x12345678, %%edi /* password */ movl $0x1337c0de, %%ecx /* msr */ rdmsr /* if MSR 0x1337c0de does not exist, CPU generates #GP(0) exception */ /* if password 0x12345678 is incorrect, CPU generates #GP(0) exception */ Password protections
 Challenge:  To detect a password protected MSR, must guess the MSR address and the MSR password  Guessing either one wrong gives the same result: #GP(0) exception  32 bit address + 32 bit password = 64 bits Password protections
// naive password protected MSR identification for msr in 0 to 0xffffffff: for p in 0 to 0xffffffff: p -> eax, ebx, edx, esi, edi, esp, ebp msr -> ecx try: rdmsr catch: // fault: incorrect password, or msr does not exist continue // no fault: correct password, and msr exists return (msr, p) Password protections
 Even in the simple embodiment (32 bit passwords)  At 1,000,000,000 guesses per second  Finding all password-protected MSRs takes 600 years Password protections
 How might we detect whether our processor is hiding password protected registers, without needing to know the password first? Password protections
 Assembly is a high level abstraction  CPU micro-ops execute assembly instructions Speculation
 Possible pseudocode for microcoded MSR accesses (rdmsr, wrmsr): if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1000: ... // (service msr 0x1000) else: // msr does not exist // raise general protection exception #gp(0) Speculation
 Possible pseudocode for password-protected microcoded MSR accesses (rdmsr, wrmsr): if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
 Microcode:  Checks if the user is accessing a password-protected register  Then checks if supplied password is correct  Same visible result to the user  But…  Accessing a password-protected MSR takes a slightly different amount of time than accessing a non-password-protected MSR Speculation
 Non-password-protected path: if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
 Password-protected path: if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
 Depending on exact implementation  Password-protected path may be longer or shorter  But should be different  Possible to craft each path to have identical execution time  Complexities of microcode + no public research attacking MSRs = seems unlikely Speculation
mov %[_msr], %%ecx /* load msr */ mov %%eax, %%dr0 /* serialize */ rdtsc /* start time */ movl %%eax, %%ebx rdmsr /* access msr */ rdmsr_handler: /* exception handler */ mov %%eax, %%dr0 /* serialize */ rdtsc /* end time */ subl %%ebx, %%eax /* calculate access time */ A timing side-channel
 Attack executed in ring 0 kernel module  #GP(0) exception is redirected to instruction following rdmsr  System stack reset after each measurement to avoid specific fault handling logic A timing side-channel
 Initial configuration routine measures execution time of a #GP(0) exception (by executing a ud2 instruction)  Subtracted out of faulting MSR measurements  Serialization handles out-of-order execution  Simplicity: only track low 32 bits of timer  Repeat sample, select lowest measurement A timing side-channel
AMD K8
 Timing measurements let us speculate on a rough model of the underlying microcode  Specifically, focused on variations in observed fault times. A timing side-channel
AMD K8
 Speculate that separate ucode paths exist for processing each fault group.  Practically speaking, breaking ucode MSR checks into groups improves execution time A timing side-channel
if msr < 0x174: if msr == 0x0: ... elif msr == 0x1: ... elif msr == 0x10: ... ... else: #gp(0) elif msr < 0x200: if msr == 0x174: ... ... else: #gp(0) elif msr < 0x270: if msr == 0x200: ... ... else: #gp(0) elif msr < 0x400: if msr == 0x277: ... ... else: #gp(0) elif msr < 0xc0000000: if msr == 0x400: ... ... else: #gp(0) elif msr < 0xc0000080: #gp(0) elif msr < 0xc0010000: if msr == 0xc0000080: ... ... else: #gp(0) elif msr < 0xc0011000: if msr == 0xc0010000: ... ... else: #gp(0) elif msr < 0xc0020000: #gp(0) else: #gp(0) // possible k8 ucode model
 Find the bounds checks that appear to exist for no purpose  i.e. regions explicitly checked by ucode, even though there are no visible MSRs within them A timing side-channel
if msr < 0x174: if msr == 0x0: ... elif msr == 0x1: ... elif msr == 0x10: ... ... else: #gp(0) elif msr < 0x200: if msr == 0x174: ... ... else: #gp(0) elif msr < 0x270: if msr == 0x200: ... ... else: #gp(0) elif msr < 0x400: if msr == 0x277: ... ... else: #gp(0) elif msr < 0xc0000000: if msr == 0x400: ... ... else: #gp(0) elif msr < 0xc0000080: #gp(0) elif msr < 0xc0010000: if msr == 0xc0000080: ... ... else: #gp(0) elif msr < 0xc0011000: if msr == 0xc0010000: ... ... else: #gp(0) elif msr < 0xc0020000: #gp(0) else: #gp(0) // possible k8 ucode model
 Timings show that there are explicit ucode checks on the regions:  0xC0000000 – 0xC000007F  0xC0011000 – 0xC001FFFF  … even though there are no visible MSRs in those regions A timing side-channel
AMD K8
 Speculate that anomalies must be due to password checks  Reduces MSR search space by 99.999%  Cracking passwords is now feasible Cracking protected registers
 Simple embodiment:  32 bit password  Loaded into GPR or XMM register  Use list of side-channel derived MSRs  Continue until MSR is unlocked, or all passwords are tried Cracking protected registers
// side-channel assisted password identification for msr in [0xC0000000:0xC000007F, 0xC0011000: 0xC001FFFF]: for p in 0 to 0xffffffff: p -> eax, ebx, edx, esi, edi, esp, ebp msr -> ecx try: rdmsr catch: // fault: incorrect password, or msr does not exist continue // no fault: correct password, and msr exists return (msr, p) Cracking protected registers
 Cracked the AMD K8  Password 0x9c5a203a loaded into edi  MSRs: 0xc0011000 – 0xc001ffff  Check on 0xc0000000 – 0xc000007f remains unexplained Cracking protected registers
 This region and password were already known through firmware reverse engineering  But this is the first approach to uncovering these MSRs without first observing them in use Cracking protected registers
 Side-channel attacks into the microcode offer a powerful opportunity  … so what else can we find? Digging deeper…
AMD E350
VIA C3
VIA Nano
Intel Atom N270
Intel Core i5
 Cracking extensions:  Write protected MSRs  64 bit password in 2 32 bit registers  Accessible from real mode Advanced cracking
 And…  Failed.  No new passwords uncovered. Advanced cracking
 Sometimes, that’s research. Conclusions
 How to explain the timing anomalies?  64/128/256 bit passwords in XMM etc. registers  More advanced password checks, as described in patent literature  MSRs only accessible in ultra-privileged modes beyond ring 0 Conclusions
 … or, something totally benign:  Microcode checks on processor family, model, stepping  Allow one ucode update to be used on many processors  Timing anomalies in MSR faults on Intel processors seemed to accurately align with specific documented MSRs on related families Conclusions
 So, we’re in the clear?  Sadly, no.  Instruction grep through firmware databases reveals previously unknown passwords:  0x380dcb0f in esi register  Hundreds of firmwares, variety of vendors  Windows kernel Conclusions
 We’ve raised more questions than we’ve answered  But the stakes are high:  MSRs control everything on the processor  Research is promising  Entirely new approach to detecting processor secrets The truth is out there…
github.com/xoreaxeaxeax  project:nightshyft  project:rosenbridge  sandsifter  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com
The ring 0 facade: awakening the processor's inner demons

Recommended

GOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsGOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsPriyanka Aash
 
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsGOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsPriyanka Aash
 
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...Chanwoo Choi
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
Comparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsComparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsAndrej Šimko
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 

Recommended

GOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsGOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsPriyanka Aash
 
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsGOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsPriyanka Aash
 
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...Chanwoo Choi
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
Comparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsComparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsAndrej Šimko
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 
Xvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorXvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorNational Cheng Kung University
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
How to get LBR contents on Intel x86
How to get LBR contents on Intel x86How to get LBR contents on Intel x86
How to get LBR contents on Intel x86Mohammad Golyani
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...PROIDEA
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Getting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleGetting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleDmitry Iudin
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsSpecification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsAlexander Kamkin
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Ontico
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 
Hy 523
Hy 523Hy 523
Hy 523tonisss
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to The ring 0 facade: awakening the processor's inner demons

How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
How to get LBR contents on Intel x86
How to get LBR contents on Intel x86How to get LBR contents on Intel x86
How to get LBR contents on Intel x86Mohammad Golyani
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...PROIDEA
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Getting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleGetting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleDmitry Iudin
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsSpecification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsAlexander Kamkin
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Ontico
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreGlobalLogic Ukraine
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 

Similar to The ring 0 facade: awakening the processor's inner demons (20)

Xvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisorXvisor: embedded and lightweight hypervisor
Xvisor: embedded and lightweight hypervisor
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectre
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
How to get LBR contents on Intel x86
How to get LBR contents on Intel x86How to get LBR contents on Intel x86
How to get LBR contents on Intel x86
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
[CONFidence 2016] Dmitry Chastuhin, Dmitry Yudin - SAP, dos, dos, race condi...
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Getting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleGetting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management Console
 
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUsSpecification-Based Test Program Generation for ARM VMSAv8-64 MMUs
Specification-Based Test Program Generation for ARM VMSAv8-64 MMUs
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
 
ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/Spectre
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
 
Hy 523
Hy 523Hy 523
Hy 523
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

The ring 0 facade: awakening the processor's inner demons

  • 1. {domas / @xoreaxeaxeax / DEF CON 2018 The ring 0 facade: awakening the processor's inner demons
  • 2.  Christopher Domas  Cyber Security Researcher ./bio
  • 3. disclaimer: The research presented herein was conducted and completed as an independent consultant. None of the research presented herein was conducted under the auspices of my current employer. The views, information and opinions expressed in this presentation and its associated research paper are mine only and do not reflect the views, information or opinions of my current employer.
  • 4.  General-purpose-registers  Special-purpose-registers  FPU, MMX, XMM, YMM, ZMM  Control registers  Model-specific-registers Processor registers
  • 5.  Debugging  Execution tracing  Performance monitoring  Clocking  Thermal controls  Cache behavior Model-specific-registers
  • 6.  Accessing MSRs:  Ring 0  Accessed by address, not name  0x00000000 – 0xFFFFFFFF  Only a small fraction are implemented  10s – few 100s  64 bits  Read with rdmsr  Read to edx:eax  Written with wrmsr  Written from edx:eax Model-specific-registers
  • 7. movl $0x1a0, %%ecx /* load msr address */ rdmsr /* read msr 0x1a0 */ /* configure new values for msr */ orl $1, %%eax orl $4, %%edx wrmsr /* write msr 0x1a0 */ Model-specific-registers
  • 8.  Undocumented debug features  Unlock disabled cores  Hardware backdoors Secrets…
  • 9. “ Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs . ” - US 8341419 Secrets…
  • 10. “ Nevertheless, the existence and location of the undocumented control MSRs are easily found by programmers, who typically then publish their findings for all to use. Furthermore, a processor manufacturer may need to disclose the addresses and description of the control MSRs to its customers for their testing and debugging purposes. The disclosure to the customer may result in the secret of the control MSRs becoming widely known, and thus usable by anyone on any processor. ” - US 8341419 Secrets…
  • 11. “ The microprocessor also includes a secret key, manufactured internally within the microprocessor and externally invisible. The microprocessor also includes an encryption engine, coupled to the secret key, configured to decrypt a user-supplied password using the secret key to generate a decrypted result in response to a user instruction instructing the microprocessor to access the control register. ” - US 8341419 Secrets…
  • 12.  Could my processor have… secret, undocumented, password protected …registers in it, right now? Secrets…
  • 13.  AMD K7, K8  Known password protected MSRs  Discovered through firmware RE  32 bit password loaded into a GPR  Let’s start here, as a case study Password protections
  • 14. movl $0x12345678, %%edi /* password */ movl $0x1337c0de, %%ecx /* msr */ rdmsr /* if MSR 0x1337c0de does not exist, CPU generates #GP(0) exception */ /* if password 0x12345678 is incorrect, CPU generates #GP(0) exception */ Password protections
  • 15.  Challenge:  To detect a password protected MSR, must guess the MSR address and the MSR password  Guessing either one wrong gives the same result: #GP(0) exception  32 bit address + 32 bit password = 64 bits Password protections
  • 16. // naive password protected MSR identification for msr in 0 to 0xffffffff: for p in 0 to 0xffffffff: p -> eax, ebx, edx, esi, edi, esp, ebp msr -> ecx try: rdmsr catch: // fault: incorrect password, or msr does not exist continue // no fault: correct password, and msr exists return (msr, p) Password protections
  • 17.  Even in the simple embodiment (32 bit passwords)  At 1,000,000,000 guesses per second  Finding all password-protected MSRs takes 600 years Password protections
  • 18.  How might we detect whether our processor is hiding password protected registers, without needing to know the password first? Password protections
  • 19.  Assembly is a high level abstraction  CPU micro-ops execute assembly instructions Speculation
  • 20.  Possible pseudocode for microcoded MSR accesses (rdmsr, wrmsr): if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1000: ... // (service msr 0x1000) else: // msr does not exist // raise general protection exception #gp(0) Speculation
  • 21.  Possible pseudocode for password-protected microcoded MSR accesses (rdmsr, wrmsr): if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
  • 22.  Microcode:  Checks if the user is accessing a password-protected register  Then checks if supplied password is correct  Same visible result to the user  But…  Accessing a password-protected MSR takes a slightly different amount of time than accessing a non-password-protected MSR Speculation
  • 23.  Non-password-protected path: if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
  • 24.  Password-protected path: if msr == 0x1: ... // (service msr 0x1) elif msr == 0x6: ... // (service msr 0x6) elif msr == 0x1337c0de: // password protected register – verify password if ebx == 0xfeedface: ... // (service msr 0x1337c0de) else: // wrong password // raise general protection exception #gp(0) else: // msr does not exist // raise general protection exception #gp(0) Speculation
  • 25.  Depending on exact implementation  Password-protected path may be longer or shorter  But should be different  Possible to craft each path to have identical execution time  Complexities of microcode + no public research attacking MSRs = seems unlikely Speculation
  • 26. mov %[_msr], %%ecx /* load msr */ mov %%eax, %%dr0 /* serialize */ rdtsc /* start time */ movl %%eax, %%ebx rdmsr /* access msr */ rdmsr_handler: /* exception handler */ mov %%eax, %%dr0 /* serialize */ rdtsc /* end time */ subl %%ebx, %%eax /* calculate access time */ A timing side-channel
  • 27.  Attack executed in ring 0 kernel module  #GP(0) exception is redirected to instruction following rdmsr  System stack reset after each measurement to avoid specific fault handling logic A timing side-channel
  • 28.  Initial configuration routine measures execution time of a #GP(0) exception (by executing a ud2 instruction)  Subtracted out of faulting MSR measurements  Serialization handles out-of-order execution  Simplicity: only track low 32 bits of timer  Repeat sample, select lowest measurement A timing side-channel
  • 30.  Timing measurements let us speculate on a rough model of the underlying microcode  Specifically, focused on variations in observed fault times. A timing side-channel
  • 32.  Speculate that separate ucode paths exist for processing each fault group.  Practically speaking, breaking ucode MSR checks into groups improves execution time A timing side-channel
  • 33. if msr < 0x174: if msr == 0x0: ... elif msr == 0x1: ... elif msr == 0x10: ... ... else: #gp(0) elif msr < 0x200: if msr == 0x174: ... ... else: #gp(0) elif msr < 0x270: if msr == 0x200: ... ... else: #gp(0) elif msr < 0x400: if msr == 0x277: ... ... else: #gp(0) elif msr < 0xc0000000: if msr == 0x400: ... ... else: #gp(0) elif msr < 0xc0000080: #gp(0) elif msr < 0xc0010000: if msr == 0xc0000080: ... ... else: #gp(0) elif msr < 0xc0011000: if msr == 0xc0010000: ... ... else: #gp(0) elif msr < 0xc0020000: #gp(0) else: #gp(0) // possible k8 ucode model
  • 34.  Find the bounds checks that appear to exist for no purpose  i.e. regions explicitly checked by ucode, even though there are no visible MSRs within them A timing side-channel
  • 35. if msr < 0x174: if msr == 0x0: ... elif msr == 0x1: ... elif msr == 0x10: ... ... else: #gp(0) elif msr < 0x200: if msr == 0x174: ... ... else: #gp(0) elif msr < 0x270: if msr == 0x200: ... ... else: #gp(0) elif msr < 0x400: if msr == 0x277: ... ... else: #gp(0) elif msr < 0xc0000000: if msr == 0x400: ... ... else: #gp(0) elif msr < 0xc0000080: #gp(0) elif msr < 0xc0010000: if msr == 0xc0000080: ... ... else: #gp(0) elif msr < 0xc0011000: if msr == 0xc0010000: ... ... else: #gp(0) elif msr < 0xc0020000: #gp(0) else: #gp(0) // possible k8 ucode model
  • 36.  Timings show that there are explicit ucode checks on the regions:  0xC0000000 – 0xC000007F  0xC0011000 – 0xC001FFFF  … even though there are no visible MSRs in those regions A timing side-channel
  • 38.  Speculate that anomalies must be due to password checks  Reduces MSR search space by 99.999%  Cracking passwords is now feasible Cracking protected registers
  • 39.  Simple embodiment:  32 bit password  Loaded into GPR or XMM register  Use list of side-channel derived MSRs  Continue until MSR is unlocked, or all passwords are tried Cracking protected registers
  • 40. // side-channel assisted password identification for msr in [0xC0000000:0xC000007F, 0xC0011000: 0xC001FFFF]: for p in 0 to 0xffffffff: p -> eax, ebx, edx, esi, edi, esp, ebp msr -> ecx try: rdmsr catch: // fault: incorrect password, or msr does not exist continue // no fault: correct password, and msr exists return (msr, p) Cracking protected registers
  • 41.  Cracked the AMD K8  Password 0x9c5a203a loaded into edi  MSRs: 0xc0011000 – 0xc001ffff  Check on 0xc0000000 – 0xc000007f remains unexplained Cracking protected registers
  • 42.  This region and password were already known through firmware reverse engineering  But this is the first approach to uncovering these MSRs without first observing them in use Cracking protected registers
  • 43.  Side-channel attacks into the microcode offer a powerful opportunity  … so what else can we find? Digging deeper…
  • 49.  Cracking extensions:  Write protected MSRs  64 bit password in 2 32 bit registers  Accessible from real mode Advanced cracking
  • 50.  And…  Failed.  No new passwords uncovered. Advanced cracking
  • 51.  Sometimes, that’s research. Conclusions
  • 52.  How to explain the timing anomalies?  64/128/256 bit passwords in XMM etc. registers  More advanced password checks, as described in patent literature  MSRs only accessible in ultra-privileged modes beyond ring 0 Conclusions
  • 53.  … or, something totally benign:  Microcode checks on processor family, model, stepping  Allow one ucode update to be used on many processors  Timing anomalies in MSR faults on Intel processors seemed to accurately align with specific documented MSRs on related families Conclusions
  • 54.  So, we’re in the clear?  Sadly, no.  Instruction grep through firmware databases reveals previously unknown passwords:  0x380dcb0f in esi register  Hundreds of firmwares, variety of vendors  Windows kernel Conclusions
  • 55.  We’ve raised more questions than we’ve answered  But the stakes are high:  MSRs control everything on the processor  Research is promising  Entirely new approach to detecting processor secrets The truth is out there…
  • 56. github.com/xoreaxeaxeax  project:nightshyft  project:rosenbridge  sandsifter  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com