13_14_MeltdownSpectre.pptx
•Download as PPTX, PDF•
0 likes•2 views
Meltdown and Spectre are attacks that exploit side channels in CPUs to access restricted memory or data. Meltdown allows reading kernel memory from user programs by exploiting out-of-order execution. Spectre tricks other programs into accessing arbitrary locations using speculative execution and cache timing. Both vulnerabilities are difficult to fix as they are hardware issues, requiring OS workarounds like KASLR and restricting access to kernel memory from user programs. Spectre variants have also been discovered affecting Intel, ARM, and other chip makers.
Report
Share
Report
Share
Recommended
SEH overwrite and its exploitability
The document discusses SEH (structured exception handling) overwrites and techniques to bypass protections against them. It explains that SEH overwrites can be used to exploit Windows software by overwriting exception handlers. Common protections like SafeSEH, software DEP, hardware DEP, and SEHOP aim to prevent this. However, the document demonstrates that under certain conditions, it is possible to bypass all of these protections simultaneously. Specifically, if an attacker knows addresses needed to recreate the SEH chain and has a non-SafeSEH module containing suitable "add esp, ret" instructions, they can exploit a buffer overflow to execute arbitrary code despite all protections. The document provides a detailed example of this technique on Windows 7.
Metasploit & Windows Kernel Exploitation
The document discusses kernel exploitation on Windows systems. It provides an overview of common vulnerability classes like write-what-where and use-after-free. It also covers techniques for executing code, mitigation technologies, writing exploits for Metasploit, and sources of instability. The speaker's background and agenda are introduced at the start.
GOD MODE Unlocked: Hardware backdoors in x86 CPUs
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they’re buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
Speakers:
Christopher Domas, Cyber Security Researcher
How Triton can help to reverse virtual machine based software protections
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
HKUST Security Lab Opening Ceremony
Kelvin Chan works as a security and kernel researcher at Tencent. His work involves understanding how games are hacked in order to better defend against cheats and exploits. He discusses how cheats are typically developed through reverse engineering games to obtain needed information from memory, then building cheat programs or modules. Kelvin emphasizes the importance of low-level operating system and CPU research for security, as this allows monitoring at the instruction level where attacks occur. His examples demonstrate using this research to implement anti-debugging techniques and virtualization-based monitoring to detect unauthorized access.
2018 FRecure CISSP Mentor Program- Session 4
The document summarizes session 4 of a CISSP mentor program. It provides a check-in on the chapters covered so far in domains 1 through 3. It then includes several quiz questions to test knowledge as well as continuing the discussion on secure system design concepts and secure hardware architecture, covering topics like CPU components and memory protection methods.
Hacking Blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Hacking blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Recommended
SEH overwrite and its exploitability
The document discusses SEH (structured exception handling) overwrites and techniques to bypass protections against them. It explains that SEH overwrites can be used to exploit Windows software by overwriting exception handlers. Common protections like SafeSEH, software DEP, hardware DEP, and SEHOP aim to prevent this. However, the document demonstrates that under certain conditions, it is possible to bypass all of these protections simultaneously. Specifically, if an attacker knows addresses needed to recreate the SEH chain and has a non-SafeSEH module containing suitable "add esp, ret" instructions, they can exploit a buffer overflow to execute arbitrary code despite all protections. The document provides a detailed example of this technique on Windows 7.
Metasploit & Windows Kernel Exploitation
The document discusses kernel exploitation on Windows systems. It provides an overview of common vulnerability classes like write-what-where and use-after-free. It also covers techniques for executing code, mitigation technologies, writing exploits for Metasploit, and sources of instability. The speaker's background and agenda are introduced at the start.
GOD MODE Unlocked: Hardware backdoors in x86 CPUs
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they’re buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
Speakers:
Christopher Domas, Cyber Security Researcher
How Triton can help to reverse virtual machine based software protections
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
HKUST Security Lab Opening Ceremony
Kelvin Chan works as a security and kernel researcher at Tencent. His work involves understanding how games are hacked in order to better defend against cheats and exploits. He discusses how cheats are typically developed through reverse engineering games to obtain needed information from memory, then building cheat programs or modules. Kelvin emphasizes the importance of low-level operating system and CPU research for security, as this allows monitoring at the instruction level where attacks occur. His examples demonstrate using this research to implement anti-debugging techniques and virtualization-based monitoring to detect unauthorized access.
2018 FRecure CISSP Mentor Program- Session 4
The document summarizes session 4 of a CISSP mentor program. It provides a check-in on the chapters covered so far in domains 1 through 3. It then includes several quiz questions to test knowledge as well as continuing the discussion on secure system design concepts and secure hardware architecture, covering topics like CPU components and memory protection methods.
Hacking Blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Hacking blind
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
Practical Windows Kernel Exploitation
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
Metasploit Computer security testing tool
The document provides an overview of using the Metasploit framework to conduct penetration testing. It discusses installing required software, updating and opening MSFConsole. It describes different Metasploit interfaces like GUI, console and Armitage. It covers topics like exploits, payloads, encoders, information gathering, vulnerability scanning, exploitation, and Meterpreter. Advanced Meterpreter commands are also summarized like capturing screenshots, migrating processes, dumping password hashes, and maintaining persistence.
ETCSS: Into the Mind of a Hacker
The document describes an anatomy of a buffer overflow attack. It begins with disclaimers about the legal and ethical responsibilities when discussing exploits. It then provides an overview of the scenario which involves exploiting a vulnerability in a Windows FTP server to obtain a reverse shell. It defines relevant terminology like buffers, fuzzing, shellcode and bind/reverse shells. It also provides examples of assembly shellcode and encoded shellcode. Finally, it outlines the process of identifying the vulnerability, designing an exploit through fuzzing and overwriting registers, and obtaining a shell through the exploit.
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
In this deck from the FOSDEM 2018 conference, Jon Masters from Red Hat presents: Exploiting modern microarchitectures Meltdown, Spectre, and other hardware attacks.
"Recently disclosed vulnerabilities against modern high performance computer microarchitectures known as 'Meltdown' and 'Spectre' are among an emerging wave of hardware-focused attacks. These include cache side-channel exploits against underlying shared resources, which arise as a result of common industry-wide performance optimizations. More broadly, attacks against hardware are entering a new phase of sophistication that will see more in the months ahead. This talk will describe several of these attacks, how they can be mitigated, and generally what we can do as an industry to bring performance without trading security."
Jon Masters is a Computer Architect at Red Hat, where he was tech lead for mitigation efforts against Meltdown and Spectre. Jon has worked closely with high performance microprocessor design teams for years on emerging alternative server platforms, and also currently leads the CCIX software working group helping to define high performance cache coherent interconnects for workload acceleration. Jon has been a Linux developer for 22 years, since beginning college at the age of 13, and has authored a number of books on Linux technology. He lives in Cambridge, MA, and will run his 11th marathon later this spring.
Watch the video: https://insidehpc.com/2018/02/exploiting-modern-microarchitectures-meltdown-spectre-attacks/
Learn more: https://fosdem.org/2018/
Sign up for our insideHPC Newsletter: http://insidehpc.com/newsletter
Meltdown and Spectre
A talk I gave about Meltdown and Specter to the Papers We Love SG meetup.
https://engineers.sg/v/2302
Meltdown Paper: https://meltdownattack.com/meltdown.pdf
Spectre Paper: https://spectreattack.com/spectre.pdf
Attack on the Core
Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
WIndows Kernel-Land exploitation
This document discusses exploiting vulnerabilities in the Windows kernel through a technique called use-after-free. It begins with an introduction to the speaker and an overview of kernel exploitation and the use-after-free technique. It then demonstrates a proof-of-concept use-after-free exploit against a Windows kernel driver using steps like allocating and freeing an object, spraying memory to create holes, and overwriting a pointer to execute shellcode. The document concludes by thanking the audience and inviting questions.
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE
All details and source code are here - http://www.bit.ly/MemoryMonRWX
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
Bsides tampa
Octavio Paguaga gave a presentation on using Powershell for both offensive and defensive security purposes. He demonstrated how Powershell modules like PowerView and Mimikatz can be used to perform network reconnaissance and steal passwords. He then discussed methods for detecting malicious Powershell activity like logging and AppLocker rules. Paguaga stressed the importance of limiting Powershell access and using features like Constrained Language Mode. While many defenses exist, he noted attackers can still bypass protections if they have administrative access or find ways to disable security measures.
Vulnerability, exploit to metasploit
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Offensive Python for Pentesting
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Debugging With Id
- Immunity Debugger is a tool for security researchers and exploit developers that provides improved interfaces, Python integration, and automated binary analysis capabilities compared to other debuggers.
- It helps with challenges like heap exploitation on modern OSes, which requires understanding heap algorithms, controlling memory layout through leaks, and discovering data types in memory.
- The debugger includes specialized scripts and hooks to aid tasks like heap analysis, fingerprinting allocation patterns, fuzzing heaps, and injecting hooks to speed up analysis.
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
Luke Jennings, Countercept
Attackers have been avoiding disk and staying memory resident for over a decade and this has traditionally proven an Achilles heels for security products and the teams that operate them. The boom in both EDR products and memory forensics toolkits in more recent years have helped defenders to fight back but attackers are already adapting their approaches.
This talk will cover both classic and modern techniques for injecting code into legitimate processes on Microsoft Windows systems, as well as several techniques for detecting them. This will include both system tracing methods, good for proactive detection, as well as memory analysis techniques that have the added benefit of allow detection of pre-existing compromises in real-world incident response scenarios, with a brief case study example. As part of this, practical examples will be given showing how Microsoft’s ATP and Sysmon help in this area as well as other techniques. Finally, the future of this area will be considered, including how the .NET runtime already complicates detection techniques in this area and how this will likely become increasingly challenging as more attackers discover and exploit this.
By the end of the talk, the audience should understand the importance of code injection in the context of memory-resident implants, the key techniques for performing it and detecting it and the challenges of achieving this in the real-world at enterprise scale.Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
This document discusses exploiting the OS X El Capitan kernel using a vulnerability found in IOAcceleratorFamily. It describes how memory spraying can be used to leak kernel information despite mitigations like kASLR. It then provides a case study of exploiting CVE-2016-1815, an out-of-bounds write bug, to leak bytes from kernel memory and eventually gain kernel code execution. The exploitation technique involves spraying kernel memory with controlled data, overwriting a function pointer to point to that data, and using an information leak primitive to read bytes from the sprayed region and bypass kASLR.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
Messing around avs
This document discusses techniques for bypassing antivirus software to execute malicious payloads. It begins by explaining reasons for needing antivirus bypassing such as bypassing firewalls during client-side attacks. It then discusses signature-based antivirus detection and techniques for bypassing it, including crypters that encrypt malware to avoid detection, and shellcode injection directly into processes. Specific crypters and tools for shellcode injection are mentioned. The document encourages questions and further discussion on antivirus bypassing techniques.
Performance and predictability (1)
These days fast code needs to operate in harmony with its environment. At the deepest level this means working well with hardware: RAM, disks and SSDs. A unifying theme is treating memory access patterns in a uniform and predictable way that is sympathetic to the underlying hardware. For example writing to and reading from RAM and Hard Disks can be significantly sped up by operating sequentially on the device, rather than randomly accessing the data. In this talk we’ll cover why access patterns are important, what kind of speed gain you can get and how you can write simple high level code which works well with these kind of patterns.
Performance and Predictability - Richard Warburton
This document discusses various low-level performance optimizations related to branch prediction, memory access, storage, and conclusions. It explains that branches can cause stalls, caches help mitigate slow memory access, and sequential access patterns outperform random access. The key themes are optimizing for predictability over randomness and prioritizing principles over specific tools.
The Supporting Role of Antivirus Evasion while Persisting
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
Recycled Concrete Aggregate in Construction Part III
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
原版一模一样【微信:741003700 】【(csu毕业证书)查尔斯特大学毕业证硕士学历】【微信:741003700 】学位证,留信认证(真实可查,永久存档)offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
More Related Content
Similar to 13_14_MeltdownSpectre.pptx
Practical Windows Kernel Exploitation
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
Metasploit Computer security testing tool
The document provides an overview of using the Metasploit framework to conduct penetration testing. It discusses installing required software, updating and opening MSFConsole. It describes different Metasploit interfaces like GUI, console and Armitage. It covers topics like exploits, payloads, encoders, information gathering, vulnerability scanning, exploitation, and Meterpreter. Advanced Meterpreter commands are also summarized like capturing screenshots, migrating processes, dumping password hashes, and maintaining persistence.
ETCSS: Into the Mind of a Hacker
The document describes an anatomy of a buffer overflow attack. It begins with disclaimers about the legal and ethical responsibilities when discussing exploits. It then provides an overview of the scenario which involves exploiting a vulnerability in a Windows FTP server to obtain a reverse shell. It defines relevant terminology like buffers, fuzzing, shellcode and bind/reverse shells. It also provides examples of assembly shellcode and encoded shellcode. Finally, it outlines the process of identifying the vulnerability, designing an exploit through fuzzing and overwriting registers, and obtaining a shell through the exploit.
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
In this deck from the FOSDEM 2018 conference, Jon Masters from Red Hat presents: Exploiting modern microarchitectures Meltdown, Spectre, and other hardware attacks.
"Recently disclosed vulnerabilities against modern high performance computer microarchitectures known as 'Meltdown' and 'Spectre' are among an emerging wave of hardware-focused attacks. These include cache side-channel exploits against underlying shared resources, which arise as a result of common industry-wide performance optimizations. More broadly, attacks against hardware are entering a new phase of sophistication that will see more in the months ahead. This talk will describe several of these attacks, how they can be mitigated, and generally what we can do as an industry to bring performance without trading security."
Jon Masters is a Computer Architect at Red Hat, where he was tech lead for mitigation efforts against Meltdown and Spectre. Jon has worked closely with high performance microprocessor design teams for years on emerging alternative server platforms, and also currently leads the CCIX software working group helping to define high performance cache coherent interconnects for workload acceleration. Jon has been a Linux developer for 22 years, since beginning college at the age of 13, and has authored a number of books on Linux technology. He lives in Cambridge, MA, and will run his 11th marathon later this spring.
Watch the video: https://insidehpc.com/2018/02/exploiting-modern-microarchitectures-meltdown-spectre-attacks/
Learn more: https://fosdem.org/2018/
Sign up for our insideHPC Newsletter: http://insidehpc.com/newsletter
Meltdown and Spectre
A talk I gave about Meltdown and Specter to the Papers We Love SG meetup.
https://engineers.sg/v/2302
Meltdown Paper: https://meltdownattack.com/meltdown.pdf
Spectre Paper: https://spectreattack.com/spectre.pdf
Attack on the Core
Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
WIndows Kernel-Land exploitation
This document discusses exploiting vulnerabilities in the Windows kernel through a technique called use-after-free. It begins with an introduction to the speaker and an overview of kernel exploitation and the use-after-free technique. It then demonstrates a proof-of-concept use-after-free exploit against a Windows kernel driver using steps like allocating and freeing an object, spraying memory to create holes, and overwriting a pointer to execute shellcode. The document concludes by thanking the audience and inviting questions.
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE
All details and source code are here - http://www.bit.ly/MemoryMonRWX
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
Bsides tampa
Octavio Paguaga gave a presentation on using Powershell for both offensive and defensive security purposes. He demonstrated how Powershell modules like PowerView and Mimikatz can be used to perform network reconnaissance and steal passwords. He then discussed methods for detecting malicious Powershell activity like logging and AppLocker rules. Paguaga stressed the importance of limiting Powershell access and using features like Constrained Language Mode. While many defenses exist, he noted attackers can still bypass protections if they have administrative access or find ways to disable security measures.
Vulnerability, exploit to metasploit
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Offensive Python for Pentesting
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
Debugging With Id
- Immunity Debugger is a tool for security researchers and exploit developers that provides improved interfaces, Python integration, and automated binary analysis capabilities compared to other debuggers.
- It helps with challenges like heap exploitation on modern OSes, which requires understanding heap algorithms, controlling memory layout through leaks, and discovering data types in memory.
- The debugger includes specialized scripts and hooks to aid tasks like heap analysis, fingerprinting allocation patterns, fuzzing heaps, and injecting hooks to speed up analysis.
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
Luke Jennings, Countercept
Attackers have been avoiding disk and staying memory resident for over a decade and this has traditionally proven an Achilles heels for security products and the teams that operate them. The boom in both EDR products and memory forensics toolkits in more recent years have helped defenders to fight back but attackers are already adapting their approaches.
This talk will cover both classic and modern techniques for injecting code into legitimate processes on Microsoft Windows systems, as well as several techniques for detecting them. This will include both system tracing methods, good for proactive detection, as well as memory analysis techniques that have the added benefit of allow detection of pre-existing compromises in real-world incident response scenarios, with a brief case study example. As part of this, practical examples will be given showing how Microsoft’s ATP and Sysmon help in this area as well as other techniques. Finally, the future of this area will be considered, including how the .NET runtime already complicates detection techniques in this area and how this will likely become increasingly challenging as more attackers discover and exploit this.
By the end of the talk, the audience should understand the importance of code injection in the context of memory-resident implants, the key techniques for performing it and detecting it and the challenges of achieving this in the real-world at enterprise scale.Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
This document discusses exploiting the OS X El Capitan kernel using a vulnerability found in IOAcceleratorFamily. It describes how memory spraying can be used to leak kernel information despite mitigations like kASLR. It then provides a case study of exploiting CVE-2016-1815, an out-of-bounds write bug, to leak bytes from kernel memory and eventually gain kernel code execution. The exploitation technique involves spraying kernel memory with controlled data, overwriting a function pointer to point to that data, and using an information leak primitive to read bytes from the sprayed region and bypass kASLR.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
Messing around avs
This document discusses techniques for bypassing antivirus software to execute malicious payloads. It begins by explaining reasons for needing antivirus bypassing such as bypassing firewalls during client-side attacks. It then discusses signature-based antivirus detection and techniques for bypassing it, including crypters that encrypt malware to avoid detection, and shellcode injection directly into processes. Specific crypters and tools for shellcode injection are mentioned. The document encourages questions and further discussion on antivirus bypassing techniques.
Performance and predictability (1)
These days fast code needs to operate in harmony with its environment. At the deepest level this means working well with hardware: RAM, disks and SSDs. A unifying theme is treating memory access patterns in a uniform and predictable way that is sympathetic to the underlying hardware. For example writing to and reading from RAM and Hard Disks can be significantly sped up by operating sequentially on the device, rather than randomly accessing the data. In this talk we’ll cover why access patterns are important, what kind of speed gain you can get and how you can write simple high level code which works well with these kind of patterns.
Performance and Predictability - Richard Warburton
This document discusses various low-level performance optimizations related to branch prediction, memory access, storage, and conclusions. It explains that branches can cause stalls, caches help mitigate slow memory access, and sequential access patterns outperform random access. The key themes are optimizing for predictability over randomness and prioritizing principles over specific tools.
The Supporting Role of Antivirus Evasion while Persisting
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
Similar to 13_14_MeltdownSpectre.pptx (20)
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
Performance and Predictability - Richard Warburton
Performance and Predictability - Richard Warburton
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
Recently uploaded
Recycled Concrete Aggregate in Construction Part III
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
原版一模一样【微信:741003700 】【(csu毕业证书)查尔斯特大学毕业证硕士学历】【微信:741003700 】学位证,留信认证(真实可查,永久存档)offer、雅思、外壳等材料/诚信可靠,可直接看成品样本,帮您解决无法毕业带来的各种难题!外壳,原版制作,诚信可靠,可直接看成品样本。行业标杆!精益求精,诚心合作,真诚制作!多年品质 ,按需精细制作,24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题,包您满意。
本公司拥有海外各大学样板无数,能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma
1:1完美还原海外各大学毕业材料上的工艺:水印,阴影底纹,钢印LOGO烫金烫银,LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700
留信网认证的作用:
1:该专业认证可证明留学生真实身份
2:同时对留学生所学专业登记给予评定
3:国家专业人才认证中心颁发入库证书
4:这个认证书并且可以归档倒地方
5:凡事获得留信网入网的信息将会逐步更新到个人身份内,将在公安局网内查询个人身份证信息后,同步读取人才网入库信息
6:个人职称评审加20分
7:个人信誉贷款加10分
8:在国家人才网主办的国家网络招聘大会中纳入资料,供国家高端企业选择人才
Modelagem de um CSTR com reação endotermica.pdf
Modelagem em função de transferencia. CSTR não-linear.
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
Time Division Multiplexing (TDM) is a method of transmitting multiple signals over a single communication channel by dividing the signal into many segments, each having a very short duration of time. These time slots are then allocated to different data streams, allowing multiple signals to share the same transmission medium efficiently. TDM is widely used in telecommunications and data communication systems.
### How TDM Works
1. **Time Slots Allocation**: The core principle of TDM is to assign distinct time slots to each signal. During each time slot, the respective signal is transmitted, and then the process repeats cyclically. For example, if there are four signals to be transmitted, the TDM cycle will divide time into four slots, each assigned to one signal.
2. **Synchronization**: Synchronization is crucial in TDM systems to ensure that the signals are correctly aligned with their respective time slots. Both the transmitter and receiver must be synchronized to avoid any overlap or loss of data. This synchronization is typically maintained by a clock signal that ensures time slots are accurately aligned.
3. **Frame Structure**: TDM data is organized into frames, where each frame consists of a set of time slots. Each frame is repeated at regular intervals, ensuring continuous transmission of data streams. The frame structure helps in managing the data streams and maintaining the synchronization between the transmitter and receiver.
4. **Multiplexer and Demultiplexer**: At the transmitting end, a multiplexer combines multiple input signals into a single composite signal by assigning each signal to a specific time slot. At the receiving end, a demultiplexer separates the composite signal back into individual signals based on their respective time slots.
### Types of TDM
1. **Synchronous TDM**: In synchronous TDM, time slots are pre-assigned to each signal, regardless of whether the signal has data to transmit or not. This can lead to inefficiencies if some time slots remain empty due to the absence of data.
2. **Asynchronous TDM (or Statistical TDM)**: Asynchronous TDM addresses the inefficiencies of synchronous TDM by allocating time slots dynamically based on the presence of data. Time slots are assigned only when there is data to transmit, which optimizes the use of the communication channel.
### Applications of TDM
- **Telecommunications**: TDM is extensively used in telecommunication systems, such as in T1 and E1 lines, where multiple telephone calls are transmitted over a single line by assigning each call to a specific time slot.
- **Digital Audio and Video Broadcasting**: TDM is used in broadcasting systems to transmit multiple audio or video streams over a single channel, ensuring efficient use of bandwidth.
- **Computer Networks**: TDM is used in network protocols and systems to manage the transmission of data from multiple sources over a single network medium.
### Advantages of TDM
- **Efficient Use of Bandwidth**: TDM all
ACEP Magazine edition 4th launched on 05.06.2024
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon
reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been
referred to as the "New Great Game." This research centres on the power struggle, considering
geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil
politics, and conventional and nontraditional security are all explored and explained by the researcher.
Using Mackinder's Heartland, Spykman Rimland, and Hegemonic Stability theories, examines China's role
in Central Asia. This study adheres to the empirical epistemological method and has taken care of
objectivity. This study analyze primary and secondary research documents critically to elaborate role of
china’s geo economic outreach in central Asian countries and its future prospect. China is thriving in trade,
pipeline politics, and winning states, according to this study, thanks to important instruments like the
Shanghai Cooperation Organisation and the Belt and Road Economic Initiative. According to this study,
China is seeing significant success in commerce, pipeline politics, and gaining influence on other
governments. This success may be attributed to the effective utilisation of key tools such as the Shanghai
Cooperation Organisation and the Belt and Road Economic Initiative.
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMS
The smart irrigation system represents an innovative approach to optimize water usage in agricultural and landscaping practices. The integration of cutting-edge technologies, including sensors, actuators, and data analysis, empowers this system to provide accurate monitoring and control of irrigation processes by leveraging real-time environmental conditions. The main objective of a smart irrigation system is to optimize water efficiency, minimize expenses, and foster the adoption of sustainable water management methods. This paper conducts a systematic risk assessment by exploring the key components/assets and their functionalities in the smart irrigation system. The crucial role of sensors in gathering data on soil moisture, weather patterns, and plant well-being is emphasized in this system. These sensors enable intelligent decision-making in irrigation scheduling and water distribution, leading to enhanced water efficiency and sustainable water management practices. Actuators enable automated control of irrigation devices, ensuring precise and targeted water delivery to plants. Additionally, the paper addresses the potential threat and vulnerabilities associated with smart irrigation systems. It discusses limitations of the system, such as power constraints and computational capabilities, and calculates the potential security risks. The paper suggests possible risk treatment methods for effective secure system operation. In conclusion, the paper emphasizes the significant benefits of implementing smart irrigation systems, including improved water conservation, increased crop yield, and reduced environmental impact. Additionally, based on the security analysis conducted, the paper recommends the implementation of countermeasures and security approaches to address vulnerabilities and ensure the integrity and reliability of the system. By incorporating these measures, smart irrigation technology can revolutionize water management practices in agriculture, promoting sustainability, resource efficiency, and safeguarding against potential security threats.
22CYT12-Unit-V-E Waste and its Management.ppt
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
The Python for beginners. This is an advance computer language.
Python language is very important language at this time. we can easily understand this language by these notes.
Comparative analysis between traditional aquaponics and reconstructed aquapon...
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, SerbiaKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Understanding Inductive Bias in Machine Learning
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
Computational Engineering IITH Presentation
This Presentation will give you a brief idea about what Computational Engineering at IIT Hyderabad has to offer.
Recently uploaded (20)
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMS
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMS
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
13_14_MeltdownSpectre.pptx
- 1. Meltdown & Spectre Attacks
- 2. Overview • An analogy • CPU cache and use it as side channel • Meltdown attack • Spectre attack
- 4. Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room
- 5. CPU Cache
- 6. From Lights to CPU Cache Question You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?
- 7. Using CPU Cache to Remember Secret
- 8. The FLUSH+RELOAD Technique FLUSH: Flush the CPU Cache RELOAD: Check which one is in the cache Access memory location at S Secret S
- 9. FLUSH+RELOAD: The FLUSH Step Flush the CPU Cache
- 10. FLUSH+RELOAD: The RELOAD Step
- 12. The Security Room and Guard
- 13. Staying Alive: Exception Handling in C
- 15. Out-of-Order Execution How do I prove that the out-of-order execution has happened?
- 16. Out-of-Order Execution Experiment Evidence of out-of-order execution
- 17. Meltdown Attack: A Naïve Approach
- 18. Improvement: Get Secret Cached Why does this help?
- 19. Improve the Attack Using Assembly Code Execution Results
- 20. Improve the Attack Using Statistic Approach
- 21. Countermeasures • Fundamental problem is in the CPU hardware • Expensive to fix • Develop workaround in operating system • KASLR (Kernel Address Space Layout Randomization) • Does not map any kernel memory in the user space, except for some parts required by the x86 architecture (e.g., interrupt handlers) • User-level programs cannot directly use kernel memory addresses, as such addresses cannot be resolved
- 23. Will It Be Executed? Will Line 3 be executed if x > size ?
- 25. Let’s Find a Proof FLUSH Flush the CPU Cache RELOAD Check which one is in the cache Invoke victim(97) size is 10 Not always working though Training Train CPU to go to the true branch Evidence
- 26. Target of the Attack This protection pattern is widely used in software sandbox (such as those implemented inside browsers)
- 27. The Spectre Attack spectreAttack(int larger_x)
- 28. Attack Result Why is 0 in the cache? Success
- 29. Spectre Variant and Mitigation • Since it was discovered in 2017, several Spectre variants have been found • Affecting Intel, ARM, and ARM • The problem is in hardware • Unlike Meltdown, there is no easy software workaround
- 30. Summary • Stealing secrets using side channels • Meltdown attack • Spectre attack • A form of race condition vulnerability • Vulnerabilities are inside hardware • AMD, Intel, and ARM are affected