SlideShare a Scribd company logo

Smm and caching

Download as PPTX, PDF
H
Hoang Nguyen

Smm and caching

Technology
1 of 13
All materials are licensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ 1 Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
SMRAM and Caching 2
Cache Basics • Temporary storage located on the CPU • Accesses to data/instructions in cache are much faster than those to physical memory • Caching is available in all operating modes, including SMM • Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs) • MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory • Typically configured by BIOS but can also be configured by the operating system as needed 3 From Intel Vol. 3. Ch. "Memory Cache Control"
• Physical memory ranges can be defined as having one of these types of caching properties • The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuck et al. – Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09- duflot.pdf – Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • The attack is brilliant in its simplicity Memory Caching Types 4 From Intel Vol. 3. Ch. "Memory Cache Control"
Write-back (WB) • The point of Write-back caching is to reduce the amount of bus traffic between the processor and memory • Reads come from cache lines on cache hits • Writes are performed in the cache and not immediately written/flushed to memory • Both read and write misses cause cache fills • Modified CPU cache lines are written back (write-back) to memory at a later time* *Read the Intel Software Developers Guide Volume 3 • Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache • Subsequent reads/writes from/to that address will be from/to cache instead of memory • Until the processor writes-back that cache to memory* 5
6 (D_LCK bit) https://cansecwest.com/csw09/csw09-duflot.pdf
7 https://cansecwest.com/csw09/csw09-duflot.pdf
8 https://cansecwest.com/csw09/csw09-duflot.pdf
The fix: SMRR • The preceding is a great example of how security researchers can influence industry for the better. Damn fine job. • System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture* • Provides a PHYSBASE/PHYSMASK pair just like MTRRs • Prevents the kind of attack that we just saw in the preceding example • SMRR restricts access to the address range defined in the SMRR registers • Defines the memory type (caching) for the SMRAM range • SMRRs can be written to only when the processor is in SMM • SMRR takes priority over MTRR in case of overlapping ranges * This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 9
SMRR • When the processor is in SMM: – Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE • When the processor is not in SMM: – Memory reads return a fixed value (0xFF in my experience) – Memory writes are ignored – Memory type is Uncacheable 10
Verify SMRR Support: IA32_MTRRCAP • SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set • Verify next that it is being used 11
SMRR MSR Number • If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter) • The MSR register addresses are non "architectural" and will therefore differ between architectures – That’s why they are called Model-Specific Registers • RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system – As of latest version For the reference E6400 (Core2Duo) 12
Homework heads up • Find the value of SMRR_PHYSBASE for your particular hardware 13

Recommended

Memory
MemoryMemory
MemoryEm Magallon
 
Multithreading computer architecture
Multithreading computer architecture Multithreading computer architecture
Multithreading computer architecture Haris456
 
Smp and asmp architecture.
Smp and asmp architecture.Smp and asmp architecture.
Smp and asmp architecture.Gaurav Dalvi
 
What is simultaneous multithreading
What is simultaneous multithreadingWhat is simultaneous multithreading
What is simultaneous multithreadingFraboni Ec
 
Symmetric multiprocessing (smp)
Symmetric multiprocessing (smp)Symmetric multiprocessing (smp)
Symmetric multiprocessing (smp)rayhan basher
 
Symmetric multiprocessing and Microkernel
Symmetric multiprocessing and MicrokernelSymmetric multiprocessing and Microkernel
Symmetric multiprocessing and MicrokernelManoraj Pannerselum
 
ملٹی لیول کے شے۔
ملٹی لیول کے شے۔ملٹی لیول کے شے۔
ملٹی لیول کے شے۔maamir farooq
 
Symmetric multiprocessing
Symmetric multiprocessingSymmetric multiprocessing
Symmetric multiprocessingMohammad Ali Khan
 

Recommended

Memory
MemoryMemory
MemoryEm Magallon
 
Multithreading computer architecture
Multithreading computer architecture Multithreading computer architecture
Multithreading computer architecture Haris456
 
Smp and asmp architecture.
Smp and asmp architecture.Smp and asmp architecture.
Smp and asmp architecture.Gaurav Dalvi
 
What is simultaneous multithreading
What is simultaneous multithreadingWhat is simultaneous multithreading
What is simultaneous multithreadingFraboni Ec
 
Symmetric multiprocessing (smp)
Symmetric multiprocessing (smp)Symmetric multiprocessing (smp)
Symmetric multiprocessing (smp)rayhan basher
 
Symmetric multiprocessing and Microkernel
Symmetric multiprocessing and MicrokernelSymmetric multiprocessing and Microkernel
Symmetric multiprocessing and MicrokernelManoraj Pannerselum
 
ملٹی لیول کے شے۔
ملٹی لیول کے شے۔ملٹی لیول کے شے۔
ملٹی لیول کے شے۔maamir farooq
 
Symmetric multiprocessing
Symmetric multiprocessingSymmetric multiprocessing
Symmetric multiprocessingMohammad Ali Khan
 
Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors pptSiddhartha Anand
 
Hardware multithreading
Hardware multithreadingHardware multithreading
Hardware multithreadingFraboni Ec
 
Lecture24 Multiprocessor
Lecture24 MultiprocessorLecture24 Multiprocessor
Lecture24 Multiprocessorallankliu
 
Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Arth Ramada
 
Computer architecture multi processor
Computer architecture multi processorComputer architecture multi processor
Computer architecture multi processorMazin Alwaaly
 
Symmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSymmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSaad Tanvir
 
Multi processing
Multi processingMulti processing
Multi processingMuhammad Ishaq
 
Graphics processing uni computer archiecture
Graphics processing uni computer archiectureGraphics processing uni computer archiecture
Graphics processing uni computer archiectureHaris456
 
Lecture 6.1
Lecture 6.1Lecture 6.1
Lecture 6.1Mr SMAK
 
Shared-Memory Multiprocessors
Shared-Memory MultiprocessorsShared-Memory Multiprocessors
Shared-Memory MultiprocessorsSalvatore La Bua
 
Multiprocessor Scheduling
Multiprocessor SchedulingMultiprocessor Scheduling
Multiprocessor SchedulingoDesk
 
Multi core processors
Multi core processorsMulti core processors
Multi core processorsAdithya Bhat
 
Hardware Multi-Threading
Hardware Multi-ThreadingHardware Multi-Threading
Hardware Multi-Threadingbabuece
 
Multiprocessor system
Multiprocessor systemMultiprocessor system
Multiprocessor systemEl-Moataz Bellah Osama
 
Memory Organization
Memory OrganizationMemory Organization
Memory OrganizationAcad
 
Cache recap
Cache recapCache recap
Cache recapHoang Nguyen
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cacheHoang Nguyen
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsHoang Nguyen
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherenceHoang Nguyen
 
Java basics
Java basicsJava basics
Java basicsHoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonHoang Nguyen
 
Python language data types
Python language data typesPython language data types
Python language data typesHoang Nguyen
 

More Related Content

What's hot

Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors pptSiddhartha Anand
 
Hardware multithreading
Hardware multithreadingHardware multithreading
Hardware multithreadingFraboni Ec
 
Lecture24 Multiprocessor
Lecture24 MultiprocessorLecture24 Multiprocessor
Lecture24 Multiprocessorallankliu
 
Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Arth Ramada
 
Computer architecture multi processor
Computer architecture multi processorComputer architecture multi processor
Computer architecture multi processorMazin Alwaaly
 
Symmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSymmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSaad Tanvir
 
Graphics processing uni computer archiecture
Graphics processing uni computer archiectureGraphics processing uni computer archiecture
Graphics processing uni computer archiectureHaris456
 
Lecture 6.1
Lecture 6.1Lecture 6.1
Lecture 6.1Mr SMAK
 
Shared-Memory Multiprocessors
Shared-Memory MultiprocessorsShared-Memory Multiprocessors
Shared-Memory MultiprocessorsSalvatore La Bua
 
Multiprocessor Scheduling
Multiprocessor SchedulingMultiprocessor Scheduling
Multiprocessor SchedulingoDesk
 
Multi core processors
Multi core processorsMulti core processors
Multi core processorsAdithya Bhat
 
Hardware Multi-Threading
Hardware Multi-ThreadingHardware Multi-Threading
Hardware Multi-Threadingbabuece
 
Memory Organization
Memory OrganizationMemory Organization
Memory OrganizationAcad
 

What's hot (15)

Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors ppt
 
Hardware multithreading
Hardware multithreadingHardware multithreading
Hardware multithreading
 
Lecture24 Multiprocessor
Lecture24 MultiprocessorLecture24 Multiprocessor
Lecture24 Multiprocessor
 
Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Multiple processor (ppt 2010)
Multiple processor (ppt 2010)
 
Computer architecture multi processor
Computer architecture multi processorComputer architecture multi processor
Computer architecture multi processor
 
Symmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSymmetric Multi Processor Multiprocessors
Symmetric Multi Processor Multiprocessors
 
Multi processing
Multi processingMulti processing
Multi processing
 
Graphics processing uni computer archiecture
Graphics processing uni computer archiectureGraphics processing uni computer archiecture
Graphics processing uni computer archiecture
 
Lecture 6.1
Lecture 6.1Lecture 6.1
Lecture 6.1
 
Shared-Memory Multiprocessors
Shared-Memory MultiprocessorsShared-Memory Multiprocessors
Shared-Memory Multiprocessors
 
Multiprocessor Scheduling
Multiprocessor SchedulingMultiprocessor Scheduling
Multiprocessor Scheduling
 
Multi core processors
Multi core processorsMulti core processors
Multi core processors
 
Hardware Multi-Threading
Hardware Multi-ThreadingHardware Multi-Threading
Hardware Multi-Threading
 
Multiprocessor system
Multiprocessor systemMultiprocessor system
Multiprocessor system
 
Memory Organization
Memory OrganizationMemory Organization
Memory Organization
 

Viewers also liked

Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cacheHoang Nguyen
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsHoang Nguyen
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherenceHoang Nguyen
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with pythonHoang Nguyen
 
Python language data types
Python language data typesPython language data types
Python language data typesHoang Nguyen
 
Programming for engineers in python
Programming for engineers in pythonProgramming for engineers in python
Programming for engineers in pythonHoang Nguyen
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data miningHoang Nguyen
 
Data and assessment
Data and assessmentData and assessment
Data and assessmentHoang Nguyen
 
Data mining maximumlikelihood
Data mining maximumlikelihoodData mining maximumlikelihood
Data mining maximumlikelihoodHoang Nguyen
 
Exception handling
Exception handlingException handling
Exception handlingHoang Nguyen
 
Data preprocessing
Data preprocessingData preprocessing
Data preprocessingHoang Nguyen
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching worksHoang Nguyen
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysisHoang Nguyen
 
Object oriented programming using c++
Object oriented programming using c++Object oriented programming using c++
Object oriented programming using c++Hoang Nguyen
 

Viewers also liked (20)

Cache recap
Cache recapCache recap
Cache recap
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cache
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessors
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherence
 
Java basics
Java basicsJava basics
Java basics
 
Extending burp with python
Extending burp with pythonExtending burp with python
Extending burp with python
 
Python language data types
Python language data typesPython language data types
Python language data types
 
Python basics
Python basicsPython basics
Python basics
 
Programming for engineers in python
Programming for engineers in pythonProgramming for engineers in python
Programming for engineers in python
 
Learning python
Learning pythonLearning python
Learning python
 
Exception
ExceptionException
Exception
 
Data preperation
Data preperationData preperation
Data preperation
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data mining
 
Data and assessment
Data and assessmentData and assessment
Data and assessment
 
Data mining maximumlikelihood
Data mining maximumlikelihoodData mining maximumlikelihood
Data mining maximumlikelihood
 
Exception handling
Exception handlingException handling
Exception handling
 
Data preprocessing
Data preprocessingData preprocessing
Data preprocessing
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching works
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysis
 
Object oriented programming using c++
Object oriented programming using c++Object oriented programming using c++
Object oriented programming using c++
 

Similar to Smm and caching

Board support package_on_linux
Board support package_on_linuxBoard support package_on_linux
Board support package_on_linuxVandana Salve
 
15CS44 MP & MC Module 4
15CS44 MP & MC Module 415CS44 MP & MC Module 4
15CS44 MP & MC Module 4RLJIT
 
Memory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationMemory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationSmit Luvani
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
Computer architecture for HNDIT
Computer architecture for HNDITComputer architecture for HNDIT
Computer architecture for HNDITtjunicornfx
 
ARM architcture
ARM architcture ARM architcture
ARM architcture Hossam Adel
 
Ct213 memory subsystem
Ct213 memory subsystemCt213 memory subsystem
Ct213 memory subsystemSandeep Kamath
 
BSP.pptx
BSP.pptxBSP.pptx
BSP.pptxtaruian
 
Exploring Of System Hardware
Exploring Of System HardwareExploring Of System Hardware
Exploring Of System HardwareMuhammad Nauman
 
Computer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationComputer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationSmit Luvani
 
Computer organisation ppt
Computer organisation pptComputer organisation ppt
Computer organisation pptchandkec
 
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsTaming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsHeechul Yun
 
ARM Processor architecture
ARM Processor architectureARM Processor architecture
ARM Processor architecturerajkciitr
 

Similar to Smm and caching (20)

Board support package_on_linux
Board support package_on_linuxBoard support package_on_linux
Board support package_on_linux
 
15CS44 MP & MC Module 4
15CS44 MP & MC Module 415CS44 MP & MC Module 4
15CS44 MP & MC Module 4
 
Memory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationMemory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and Organization
 
Memory (Computer Organization)
Memory (Computer Organization)Memory (Computer Organization)
Memory (Computer Organization)
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linux
 
It322 intro 2
It322 intro 2It322 intro 2
It322 intro 2
 
Computer architecture for HNDIT
Computer architecture for HNDITComputer architecture for HNDIT
Computer architecture for HNDIT
 
CA UNIT V..pptx
CA UNIT V..pptxCA UNIT V..pptx
CA UNIT V..pptx
 
ARM architcture
ARM architcture ARM architcture
ARM architcture
 
Ct213 memory subsystem
Ct213 memory subsystemCt213 memory subsystem
Ct213 memory subsystem
 
Rahman
RahmanRahman
Rahman
 
E.s unit 4 and 5
E.s unit 4 and 5E.s unit 4 and 5
E.s unit 4 and 5
 
BSP.pptx
BSP.pptxBSP.pptx
BSP.pptx
 
Exploring Of System Hardware
Exploring Of System HardwareExploring Of System Hardware
Exploring Of System Hardware
 
Computer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationComputer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and Organization
 
COA (Unit_4.pptx)
COA (Unit_4.pptx)COA (Unit_4.pptx)
COA (Unit_4.pptx)
 
Computer organisation ppt
Computer organisation pptComputer organisation ppt
Computer organisation ppt
 
12429908.ppt
12429908.ppt12429908.ppt
12429908.ppt
 
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsTaming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
 
ARM Processor architecture
ARM Processor architectureARM Processor architecture
ARM Processor architecture
 

More from Hoang Nguyen

Rest api to integrate with your site
Rest api to integrate with your siteRest api to integrate with your site
Rest api to integrate with your siteHoang Nguyen
 
How to build a rest api
How to build a rest apiHow to build a rest api
How to build a rest apiHoang Nguyen
 
Python your new best friend
Python your new best friendPython your new best friend
Python your new best friendHoang Nguyen
 
Cobol, lisp, and python
Cobol, lisp, and pythonCobol, lisp, and python
Cobol, lisp, and pythonHoang Nguyen
 
Data structures and algorithms
Data structures and algorithmsData structures and algorithms
Data structures and algorithmsHoang Nguyen
 
Data abstraction the walls
Data abstraction the wallsData abstraction the walls
Data abstraction the wallsHoang Nguyen
 
Data abstraction and object orientation
Data abstraction and object orientationData abstraction and object orientation
Data abstraction and object orientationHoang Nguyen
 
Classes and data abstraction
Classes and data abstractionClasses and data abstraction
Classes and data abstractionHoang Nguyen
 
Abstract data types
Abstract data typesAbstract data types
Abstract data typesHoang Nguyen
 
Object oriented programming-with_java
Object oriented programming-with_javaObject oriented programming-with_java
Object oriented programming-with_javaHoang Nguyen
 
Encapsulation getters setters_anonymousclass
Encapsulation getters setters_anonymousclassEncapsulation getters setters_anonymousclass
Encapsulation getters setters_anonymousclassHoang Nguyen
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with javaHoang Nguyen
 

More from Hoang Nguyen (17)

Rest api to integrate with your site
Rest api to integrate with your siteRest api to integrate with your site
Rest api to integrate with your site
 
How to build a rest api
How to build a rest apiHow to build a rest api
How to build a rest api
 
Api crash
Api crashApi crash
Api crash
 
Python your new best friend
Python your new best friendPython your new best friend
Python your new best friend
 
Cobol, lisp, and python
Cobol, lisp, and pythonCobol, lisp, and python
Cobol, lisp, and python
 
Object model
Object modelObject model
Object model
 
Data structures and algorithms
Data structures and algorithmsData structures and algorithms
Data structures and algorithms
 
Data abstraction the walls
Data abstraction the wallsData abstraction the walls
Data abstraction the walls
 
Data abstraction and object orientation
Data abstraction and object orientationData abstraction and object orientation
Data abstraction and object orientation
 
Classes and data abstraction
Classes and data abstractionClasses and data abstraction
Classes and data abstraction
 
Abstraction file
Abstraction fileAbstraction file
Abstraction file
 
Abstract data types
Abstract data typesAbstract data types
Abstract data types
 
Object oriented programming-with_java
Object oriented programming-with_javaObject oriented programming-with_java
Object oriented programming-with_java
 
Inheritance
InheritanceInheritance
Inheritance
 
Encapsulation getters setters_anonymousclass
Encapsulation getters setters_anonymousclassEncapsulation getters setters_anonymousclass
Encapsulation getters setters_anonymousclass
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with java
 
Abstract class
Abstract classAbstract class
Abstract class
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Smm and caching

  • 1. All materials are licensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ 1 Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
  • 3. Cache Basics • Temporary storage located on the CPU • Accesses to data/instructions in cache are much faster than those to physical memory • Caching is available in all operating modes, including SMM • Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs) • MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory • Typically configured by BIOS but can also be configured by the operating system as needed 3 From Intel Vol. 3. Ch. "Memory Cache Control"
  • 4. • Physical memory ranges can be defined as having one of these types of caching properties • The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuck et al. – Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09- duflot.pdf – Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • The attack is brilliant in its simplicity Memory Caching Types 4 From Intel Vol. 3. Ch. "Memory Cache Control"
  • 5. Write-back (WB) • The point of Write-back caching is to reduce the amount of bus traffic between the processor and memory • Reads come from cache lines on cache hits • Writes are performed in the cache and not immediately written/flushed to memory • Both read and write misses cause cache fills • Modified CPU cache lines are written back (write-back) to memory at a later time* *Read the Intel Software Developers Guide Volume 3 • Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache • Subsequent reads/writes from/to that address will be from/to cache instead of memory • Until the processor writes-back that cache to memory* 5
  • 9. The fix: SMRR • The preceding is a great example of how security researchers can influence industry for the better. Damn fine job. • System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture* • Provides a PHYSBASE/PHYSMASK pair just like MTRRs • Prevents the kind of attack that we just saw in the preceding example • SMRR restricts access to the address range defined in the SMRR registers • Defines the memory type (caching) for the SMRAM range • SMRRs can be written to only when the processor is in SMM • SMRR takes priority over MTRR in case of overlapping ranges * This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 9
  • 10. SMRR • When the processor is in SMM: – Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE • When the processor is not in SMM: – Memory reads return a fixed value (0xFF in my experience) – Memory writes are ignored – Memory type is Uncacheable 10
  • 11. Verify SMRR Support: IA32_MTRRCAP • SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set • Verify next that it is being used 11
  • 12. SMRR MSR Number • If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter) • The MSR register addresses are non "architectural" and will therefore differ between architectures – That’s why they are called Model-Specific Registers • RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system – As of latest version For the reference E6400 (Core2Duo) 12
  • 13. Homework heads up • Find the value of SMRR_PHYSBASE for your particular hardware 13

Editor's Notes

  1. Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
  2. ***This is not going to be a discussion on CPU architecture, for details on caching I recommend 3 sources: Both the Intel and AMD Optimization Reference Manuals, and Agner Fog’s optimization references
  3. Todo, cite Loic's paper since they technically found it first