A study on NetSpectre

Aj MaChInE
Aj MaChInE
A Study on NetSpectre @ 若渴 2019.4.14 <ajblane0612@gmail.com> AjMaChInE
No code can be injected and Attacker only calls the API via network requests -> ? -> leak information (ASLR/ Password) NetSpectre
Key idea 在程式碼中,找到某些程式碼 (gadget) ,這個 gadget 搭配手法 (attacker-controlled) 會使得 microarchitecture elements 有些 side effect ,而這 side effect 可以透過一些測量 (measurement) 來觀察, 透過 side effect 與 gadget 搭配可以達到某些目的 (E.g. 推敲出一些重要的訊息 ) 。 ● cache-side channel attack ● spectre variant 1 ● ...
Cache-side channel attack – how to retrieve information [0] e.g. E= (1,…,0,0) I cache attacker victim
Cache-side channel attack – how to retrieve information [0]
Cache-side channel attack – how to retrieve information [0] Access
● Gadget ● Montgomery ladder RSA ● Attacker-controlled ● Flush and reload ● Microarchitecture element ● I Cache ● Measure access time ● Purpose ● Secret E
Speculate execution [1]
Speculate execution [1]
Speculate execution [1]
Speculate execution [1]
Assumptions [1] 共用 cache into not same entry cache into not same entry can reset cache
Spectre-PHT (aka Spectre Variant 1) [1] Step 1: reset cache
Spectre-PHT (aka Spectre Variant 1) [1] Step 2: out-of-bounds read
Spectre-PHT (aka Spectre Variant 1) [1] * glyph[X] – X is attacker-controlled * cache-side channel attack → cache hit → X=K → cache miss → X!=K Step 3: cache-side channel attack
Repeatly run step 1 ~ 3 -> leak memory via byte by byte
● Gadget ● ● Attacker-controlled ● If (x < array1_size) ● array2[X * 4096], array2 is shared memory ● Chache-side channel attack ● Microarchitecture element ● D Cache ● Purpose ● Memory content of out-of-bounds array
NetSpectre - the big picture
● Gadget ● Leak gadget ● Attacker-controlled ● Network API -> x ● Microarchitecture element ● Transmit gadget ● Network latency depends on API execution time (transmit gadget) → Measure the network roundtrip time ● Information ● Memory content of out-of-bounds array
Measuring the response time of a simple transmit gadget, that accesses a certain variable. Only by performing a large number of measurements, the difference in the response timings depending on the cache state of the variable becomes visible. The average values of the two distributions are shown as dashed vertical lines [2]
Leaking a byte via bit by bit [2][3]
Problem - how to find a gadget [2] ● Finding Spectre gadgets is still an open problem ● Out of all papers, only 4 show real-world gadgets [3] ● Among them, only 2 Spectre-PHT (v1) gadgets ● Still no fully automated approach ● Tainted flow analysis
● Gadget ● ?? ● Attacker-controlled ● ?? ● Microarchitecture element ● ?? ● Measure ?? ● Purpose ● ??
NetSpectre ALSR Network API (x)
A study on NetSpectre
Remote AVX-based covert channel against cache [2]
Reference ● [0] 2017, Cache Side Channel Attack: Exploitability and Countermeasures ● [1] 2019, NetSpectre A Truly Remote Spectre Variant ● [2] 2018, NetSpectre: Read Arbitrary Memory over Network ● [3] 2018, Spectre Attacks: Exploiting Speculative Execution
1 of 27

A study on NetSpectre

Download to read offline
Technology

連假期間念點書。

Aj MaChInE
Aj MaChInE

Recommended

Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
1.2K views45 slides
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
795 views71 slides
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
482 views55 slides
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
1.1K views58 slides
Paranoia 2018: A Process is No OneParanoia 2018: A Process is No One
Paranoia 2018: A Process is No OneJared Atkinson
539 views63 slides
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
946 views27 slides

More Related Content

What's hot

What's hot(20)

DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
Priyanka Aash858 views
Careful PackingCareful Packing
Careful Packing
Flavio Toffalini68 views
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
Priyanka Aash870 views
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash1.1K views
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
Malachi Jones316 views
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty2.5K views
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Rod Soto1.4K views
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj4.5K views
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined Networks
Priyanka Aash1.2K views
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference1.1K views
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
CanSecWest3.2K views
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones554 views
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
Raffael Marty1.8K views
The Lambda Defense Functional Paradigms for Cyber SecurityThe Lambda Defense Functional Paradigms for Cyber Security
The Lambda Defense Functional Paradigms for Cyber Security
Rod Soto698 views
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
Murray Security Services2.6K views
Insider Threat Visualization - HITB 2007, Kuala LumpurInsider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala Lumpur
Raffael Marty902 views
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
a001206 views
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE - ATT&CKcon2K views
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty8K views
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel1.1K views

Similar to A study on NetSpectre

Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
519.9K views43 slides

Similar to A study on NetSpectre(20)

Hunting Security Bugs in Modern Web ApplicationsHunting Security Bugs in Modern Web Applications
Hunting Security Bugs in Modern Web Applications
Toe Khaing393 views
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kuniyasu Suzaki2.5K views
Ext GWT - Overview and Implementation Case StudyExt GWT - Overview and Implementation Case Study
Ext GWT - Overview and Implementation Case Study
Avi Perez247 views
Современные технологии и инструменты анализа вредоносного ПОСовременные технологии и инструменты анализа вредоносного ПО
Современные технологии и инструменты анализа вредоносного ПО
Positive Hack Days921 views
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Ivan Piskunov1K views
Shall we play a game?Shall we play a game?
Shall we play a game?
Maciej Lasyk519.9K views
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN AlgorithmIRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET Journal10 views
Sparksummit2016 shareSparksummit2016 share
Sparksummit2016 share
Ping Yan112 views
A Graph-Based Method For Cross-Entity Threat Detection A Graph-Based Method For Cross-Entity Threat Detection
A Graph-Based Method For Cross-Entity Threat Detection
Jen Aman1.9K views
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp1.6K views
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE1K views
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Alex Chepurnoy2.4K views
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days4.7K views
blockchain-and-trusted-computingblockchain-and-trusted-computing
blockchain-and-trusted-computing
YongraeJo3 views
OpenTelemetry For DevelopersOpenTelemetry For Developers
OpenTelemetry For Developers
Kevin Brockhoff2.1K views
Opencensus with prometheus and kubernetesOpencensus with prometheus and kubernetes
Opencensus with prometheus and kubernetes
Jinwoong Kim1.8K views
25 Million Flows Later – Large-scale Detection of DOM-based XSS25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS
Ben Stock920 views
FALCON.pptxFALCON.pptx
FALCON.pptx
AvinashRanjan8014 views
Monitoring - deeper diveMonitoring - deeper dive
Monitoring - deeper dive
Robert Kubiś68 views
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
egypt1.2K views

More from Aj MaChInE

More from Aj MaChInE(17)

An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE301 views
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE493 views
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE345 views
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE281 views
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE858 views
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE981 views
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE718 views
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE430 views
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE434 views
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE4K views
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE1.3K views
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE1.2K views
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE2.6K views
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE1.3K views
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE4.8K views
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE2.2K views
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE2.6K views

Recently uploaded

Recently uploaded(20)

Microchip: CXL Use Cases and Enabling EcosystemMicrochip: CXL Use Cases and Enabling Ecosystem
Microchip: CXL Use Cases and Enabling Ecosystem
CXL Forum107 views
Green Leaf Consulting: Capabilities DeckGreen Leaf Consulting: Capabilities Deck
Green Leaf Consulting: Capabilities Deck
GreenLeafConsulting170 views
MemVerge: Memory Viewer SoftwareMemVerge: Memory Viewer Software
MemVerge: Memory Viewer Software
CXL Forum115 views
Photowave Presentation Slides - 11.8.23.pptxPhotowave Presentation Slides - 11.8.23.pptx
Photowave Presentation Slides - 11.8.23.pptx
CXL Forum118 views
Java 21 and Beyond- A Roadmap of Innovations .pdfJava 21 and Beyond- A Roadmap of Innovations .pdf
Java 21 and Beyond- A Roadmap of Innovations .pdf
Ana-Maria Mihalceanu51 views
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin45 views
Java Platform Approach 1.0 - Picnic MeetupJava Platform Approach 1.0 - Picnic Meetup
Java Platform Approach 1.0 - Picnic Meetup
Rick Ossendrijver23 views
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation23 views
"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy
"Role of a CTO in software outsourcing company", Yuriy Nakonechnyy
Fwdays35 views
Micron CXL product and architecture updateMicron CXL product and architecture update
Micron CXL product and architecture update
CXL Forum23 views
AI: mind, matter, meaning, metaphors, being, becoming, life valuesAI: mind, matter, meaning, metaphors, being, becoming, life values
AI: mind, matter, meaning, metaphors, being, becoming, life values
Twain Liu 刘秋艳28 views
MemVerge: Past Present and Future of CXLMemVerge: Past Present and Future of CXL
MemVerge: Past Present and Future of CXL
CXL Forum105 views
Astera Labs: Intelligent Connectivity for Cloud and AI InfrastructureAstera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
Astera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
CXL Forum118 views
"Fast Start to Building on AWS", Igor Ivaniuk"Fast Start to Building on AWS", Igor Ivaniuk
"Fast Start to Building on AWS", Igor Ivaniuk
Fwdays31 views
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst389 views
Samsung: CMM-H Tiered Memory Solution with Built-in DRAMSamsung: CMM-H Tiered Memory Solution with Built-in DRAM
Samsung: CMM-H Tiered Memory Solution with Built-in DRAM
CXL Forum96 views
Data-centric AI and the convergence of data and model engineering: opportunit...Data-centric AI and the convergence of data and model engineering: opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier19 views
Spesifikasi Lengkap ASUS Vivobook Go 14Spesifikasi Lengkap ASUS Vivobook Go 14
Spesifikasi Lengkap ASUS Vivobook Go 14
Dot Semarang34 views
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk75 views
TE Connectivity: Card Edge InterconnectsTE Connectivity: Card Edge Interconnects
TE Connectivity: Card Edge Interconnects
CXL Forum93 views

A study on NetSpectre

  • 1. A Study on NetSpectre @ 若渴 2019.4.14 <ajblane0612@gmail.com> AjMaChInE
  • 2. No code can be injected and Attacker only calls the API via network requests -> ? -> leak information (ASLR/ Password) NetSpectre
  • 3. Key idea 在程式碼中,找到某些程式碼 (gadget) ,這個 gadget 搭配手法 (attacker-controlled) 會使得 microarchitecture elements 有些 side effect ,而這 side effect 可以透過一些測量 (measurement) 來觀察, 透過 side effect 與 gadget 搭配可以達到某些目的 (E.g. 推敲出一些重要的訊息 ) 。 ● cache-side channel attack ● spectre variant 1 ● ...
  • 4. Cache-side channel attack – how to retrieve information [0] e.g. E= (1,…,0,0) I cache attacker victim
  • 5. Cache-side channel attack – how to retrieve information [0]
  • 6. Cache-side channel attack – how to retrieve information [0] Access
  • 7. ● Gadget ● Montgomery ladder RSA ● Attacker-controlled ● Flush and reload ● Microarchitecture element ● I Cache ● Measure access time ● Purpose ● Secret E
  • 12. Assumptions [1] 共用 cache into not same entry cache into not same entry can reset cache
  • 13. Spectre-PHT (aka Spectre Variant 1) [1] Step 1: reset cache
  • 14. Spectre-PHT (aka Spectre Variant 1) [1] Step 2: out-of-bounds read
  • 15. Spectre-PHT (aka Spectre Variant 1) [1] * glyph[X] – X is attacker-controlled * cache-side channel attack → cache hit → X=K → cache miss → X!=K Step 3: cache-side channel attack
  • 16. Repeatly run step 1 ~ 3 -> leak memory via byte by byte
  • 17. ● Gadget ● ● Attacker-controlled ● If (x < array1_size) ● array2[X * 4096], array2 is shared memory ● Chache-side channel attack ● Microarchitecture element ● D Cache ● Purpose ● Memory content of out-of-bounds array
  • 18. NetSpectre - the big picture
  • 19. ● Gadget ● Leak gadget ● Attacker-controlled ● Network API -> x ● Microarchitecture element ● Transmit gadget ● Network latency depends on API execution time (transmit gadget) → Measure the network roundtrip time ● Information ● Memory content of out-of-bounds array
  • 20. Measuring the response time of a simple transmit gadget, that accesses a certain variable. Only by performing a large number of measurements, the difference in the response timings depending on the cache state of the variable becomes visible. The average values of the two distributions are shown as dashed vertical lines [2]
  • 21. Leaking a byte via bit by bit [2][3]
  • 22. Problem - how to find a gadget [2] ● Finding Spectre gadgets is still an open problem ● Out of all papers, only 4 show real-world gadgets [3] ● Among them, only 2 Spectre-PHT (v1) gadgets ● Still no fully automated approach ● Tainted flow analysis
  • 23. ● Gadget ● ?? ● Attacker-controlled ● ?? ● Microarchitecture element ● ?? ● Measure ?? ● Purpose ● ??
  • 26. Remote AVX-based covert channel against cache [2]
  • 27. Reference ● [0] 2017, Cache Side Channel Attack: Exploitability and Countermeasures ● [1] 2019, NetSpectre A Truly Remote Spectre Variant ● [2] 2018, NetSpectre: Read Arbitrary Memory over Network ● [3] 2018, Spectre Attacks: Exploiting Speculative Execution