2. Purposes of Page table and Physical Tag
[Figure labels: virtual memory, physical memory, cache; page table, physical tag; data/instructions]
3. Page Tables with MMU’s PT Walker
• Page tables point to the next step in a tree
0x644b321f4000
11001000100101100110010000111110100000000000000
offset
5. A 32KB 4-way Set-associative Data Cache with Physical Tag
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch11s01s02.html
[Figure labels: Physical, way??, byte offset]
* A cache line (cache set) represents 1 to n page entries, for example: 8 PE = a cache line on x86_64. 1 PE = 8 bytes
* On x86_64, 6 bits indicate the cache set and 3 bits indicate the cache entry
6. A 2-way Set-associative Cache
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch11s01s02.html
The data at 0X000.0000 may be in way 0 or way 1
7. The Same Cache Set in Different Pages
https://arxiv.org/pdf/1702.07521.pdf
The set field is the same
[Figure labels: Attacker, Victim]
11. High Level Overview of the AnC Attack
• By executing specially crafted memory access
patterns on a commodity Intel processor, we
are able to infer which cache sets have been
accessed after a targeted MMU PT walk when
dereferencing a data pointer or executing a
piece of code. As only certain addresses map
to a specific cache set, knowing the cache sets
allows us to identify the offsets of the target
PT entries at each PT level, hence
derandomizing ASLR.
http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
12. Intel i7 Memory Hierarchy plus Clock Latency for the Relevant Stages
http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
* Because there is only one MMU/cache, it can be shared by many processes
page table
17. An OS Vulnerability Is Needed to Operate Core 0 as the Attack Core
https://arxiv.org/pdf/1702.07521.pdf
Software Grand Exposure: SGX Cache Attacks Are Practical
18. EVICT+TIME
Repeat
• Take a large enough set of memory pages to
act as eviction set
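• The eviction set causes TLB misses.
• This cache line offset = the offset within one level of the page table. On x86_64, a page table has 512 PT entries; of the 9 bits, 6 bits give the cache line offset and 3 bits select among the 8 page table entries, so 6 bits have been recovered.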
[Figure labels: page, cache line, offset, TIME, EVICT]
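The 9-bit index split from slide 18, applied to the address on slide 3, as an added example (not from the original slides or the AnC authors' code). Function names are illustrative; it assumes 4-level x86_64 paging with 4 KB pages, 8-byte entries and 64-byte cache lines.

```c
#include <stdint.h>
#include <stdio.h>

#define LEVELS    4   /* x86_64 4-level paging: 4 = PML4, 3 = PDPT, 2 = PD, 1 = PT */
#define IDX_BITS  9   /* 512 entries per table */
#define PTE_SIZE  8   /* bytes per page-table entry */
#define LINE_SIZE 64  /* bytes per cache line, so 8 entries share one line */

/* 9-bit index into the table at `level` (1 = PT ... 4 = PML4). */
unsigned pt_index(uint64_t va, int level) {
    return (unsigned)((va >> (12 + IDX_BITS * (level - 1))) & 0x1ff);
}

/* Cache line offset of that entry inside its table page: the upper 6 bits. */
unsigned pt_line(uint64_t va, int level) {
    return pt_index(va, level) * PTE_SIZE / LINE_SIZE;
}

/* Position of the entry inside its cache line: the lower 3 bits. */
unsigned pt_slot(uint64_t va, int level) {
    return pt_index(va, level) % (LINE_SIZE / PTE_SIZE);
}

/* 1 if both addresses use the same cache line offset at every level,
 * i.e. they cannot be told apart at cache-line granularity. */
int same_lines(uint64_t a, uint64_t b) {
    for (int l = 1; l <= LEVELS; l++)
        if (pt_line(a, l) != pt_line(b, l))
            return 0;
    return 1;
}

int main(void) {
    uint64_t va = 0x644b321f4000ULL;  /* address shown on slide 3 */
    for (int l = LEVELS; l >= 1; l--)
        printf("level %d: index %3u  line %2u  slot %u\n",
               l, pt_index(va, l), pt_line(va, l), pt_slot(va, l));
    printf("page offset: 0x%03x\n", (unsigned)(va & 0xfff));
    return 0;
}
```

The slide 3 address decomposes into indices 200, 300, 400 and 500; only the line value (6 of each 9 bits) is what a cache-line-granular observation can distinguish.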
23. Reference
• ASLR on the Line: Practical Cache Attacks on the MMU
• ASLR^Cache: Practical Cache Attacks on the MMU
• Software Grand Exposure: SGX Cache Attacks Are Practical
• https://www.vusec.net/projects/anc/
• https://github.com/vusec/revanc