HackIT 4.0, Kyiv
Is ARMv8.3 the end of ROP?
Dima Kovalenko
kov4l3nko@gmail.com
iOS/Android reverse engineer, security researcher
Agenda
• ARMv8.3
• Pointer authentication code (PAC)
• QARMA
• Possible attacks
• What about the real world?
ARMv8.3
• It’s an optional extension of ARMv8
• It’s for AArch64 mode only.
• It adds, among other things, 46 new machine instructions to implement signed pointers
• It’s backward compatible with the standard ARMv8 instruction set
Pointer authentication code (PAC)
• ARMv8.3 introduces Pointer Authentication Code (PAC)
• It’s implemented if at least one of the system register fields ID_AA64ISAR1_EL1.APA, ID_AA64ISAR1_EL1.API, ID_AA64ISAR1_EL1.GPA, or ID_AA64ISAR1_EL1.GPI is 0b0001
• PAC is stored in the upper bits of a pointer:

  Bit range            Description
  0…TCR_ELx.TnSZ-1     The address itself
  TCR_ELx.TnSZ…54      PAC
  55                   n
  56…63                If n is 1, the bit range holds the address tag; else it holds PAC
• PAC is calculated according to the following general pattern:
  (Pointer, Modifier, Key) → P(…) → PAC + Pointer
• If ID_AA64ISAR1_EL1.APA is 0b0001, then P(…) is QARMA; otherwise it’s IMPLEMENTATION DEFINED
• Anyway, the resulting PAC+Pointer is not a valid pointer!
• The specification defines five 128-bit keys:
  • API{A,B}Key_EL1 (for instruction pointers) is the concatenation of the register values API{A,B}KeyHi_EL1:API{A,B}KeyLo_EL1.
  • APD{A,B}Key (for data pointers) is the concatenation of the register values APD{A,B}KeyHi_EL1:APD{A,B}KeyLo_EL1.
  • APGAKey (for data) is the concatenation of the register values APGAKeyHi_EL1:APGAKeyLo_EL1
• The keys are placed in *_EL1 registers and are not accessible in EL0 (user mode)
• The keys are expected to be ephemeral (per process for EL0 and per boot for EL1 to EL3)
• Key management, including generating good quality random numbers, is the responsibility of the software (e.g. OS)
• Some ARMv8.3 instructions (PACIA, PACIA1716 etc.) also need a 64-bit modifier to calculate PAC. Depending on the instruction, it can be SP, X16 or any Xn register.
• In general, there are two groups of ARMv8.3 instructions:
  • Basic pointer authentication instructions. Each of these instructions only performs an operation that supports pointer authentication.
  • Combined instructions that include pointer authentication. Each of these instructions combines a pointer authentication with another operation that uses the authenticated pointer (e.g. BRAA branches to a register, with pointer authentication).
• There are, in turn, three subgroups of basic pointer authentication instructions:
  • Instructions that calculate/add PAC
  • Instructions that authenticate/strip PAC. If authentication fails, the upper bits of a pointer are corrupted and any subsequent use of the pointer results in a Translation fault.
  • Instructions that just strip PAC without authentication.
• ARMv8.3 instructions are backward compatible with ARMv8 because for earlier SoCs they are all encoded as HINT #0 (NOP) :)
• An example. No stack protection:
    ; function prologue
    SUB sp, sp, #0x40
    STP x29, x30, [sp,#0x30]
    ADD x29, sp, #0x30
    …
    ; function epilogue
    LDP x29, x30, [sp,#0x30]
    ADD sp, sp, #0x40
    RET
• An example. The stack is protected with ARMv8.3:
    ; function prologue
    PACIASP ; <== calculate/add PAC to LR, use SP as a modifier
    SUB sp, sp, #0x40
    STP x29, x30, [sp,#0x30]
    ADD x29, sp, #0x30
    …
    ; function epilogue
    LDP x29, x30, [sp,#0x30]
    ADD sp, sp, #0x40
    AUTIASP ; <== auth./strip PAC from LR, use SP as a modifier
    RET
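A software model of the scheme described above, added here as an example and not code from the talk: it places a PAC in the bit ranges from the table, signs a return address with SP as the modifier (the PACIASP/AUTIASP pair), and corrupts the pointer when authentication fails. The keyed function `toy_p` is a non-cryptographic stand-in for QARMA, and the key, the addresses and the 48-bit address size are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit key, held as the Hi:Lo halves the slides describe. */
typedef struct { uint64_t hi, lo; } pac_key;

/* Constructed sample values (assumptions, not taken from the slides). */
#define VA_BITS  48u                      /* virtual address size in bits */
#define DEMO_RET 0x0000000100004a2cULL    /* a return address (LR)        */
#define DEMO_SP  0x000000016fdff2c0ULL    /* SP at function entry         */
static const pac_key DEMO_KEY = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Number of PAC bits: [54:va_bits], plus [63:56] when no address tag is used. */
unsigned pac_bits(unsigned va_bits, int tagged)
{
    return (55u - va_bits) + (tagged ? 0u : 8u);
}

/* Mask of the bits that carry the PAC. Bit 55 is never part of it. */
static uint64_t pac_mask(unsigned va_bits, int tagged)
{
    uint64_t mask = ((1ULL << 55) - 1) & ~((1ULL << va_bits) - 1);
    return tagged ? mask : mask | (0xFFULL << 56);
}

/* 64-bit mixer (splitmix64 finalizer), used only to build the toy P(). */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Stand-in for P(pointer, modifier, key). NOT QARMA and not secure. */
static uint64_t toy_p(uint64_t ptr, uint64_t modifier, pac_key k)
{
    return mix64(mix64(ptr ^ k.lo) ^ mix64(modifier ^ k.hi));
}

/* Strip without authentication: refill the PAC field with copies of bit 55. */
uint64_t pac_strip(uint64_t ptr, unsigned va_bits, int tagged)
{
    uint64_t mask = pac_mask(va_bits, tagged);
    return ((ptr >> 55) & 1) ? (ptr | mask) : (ptr & ~mask);
}

/* Calculate/add PAC (the PACIASP step when the modifier is SP). */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key k,
                  unsigned va_bits, int tagged)
{
    uint64_t mask  = pac_mask(va_bits, tagged);
    uint64_t plain = pac_strip(ptr, va_bits, tagged);
    return (plain & ~mask) | (toy_p(plain, modifier, k) & mask);
}

/* Authenticate/strip (the AUTIASP step). On a mismatch the result is made
 * non-canonical by flipping the top PAC bit, a simplification of the
 * "upper bits are corrupted" behaviour, so a later branch would fault. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key k,
                  unsigned va_bits, int tagged)
{
    uint64_t plain = pac_strip(signed_ptr, va_bits, tagged);
    if (pac_sign(plain, modifier, k, va_bits, tagged) == signed_ptr)
        return plain;
    return plain ^ (tagged ? (1ULL << 54) : (1ULL << 63));
}

/* A usable pointer has every PAC-field bit equal to bit 55. */
int is_canonical(uint64_t ptr, unsigned va_bits, int tagged)
{
    return pac_strip(ptr, va_bits, tagged) == ptr;
}

int main(void)
{
    /* Prologue: sign LR with SP, then "spill" it to the stack. */
    uint64_t saved = pac_sign(DEMO_RET, DEMO_SP, DEMO_KEY, VA_BITS, 0);
    /* Epilogue, three cases: untouched slot, same value checked against a
     * different SP, and a slot overwritten with a raw unsigned address. */
    uint64_t ok    = pac_auth(saved, DEMO_SP, DEMO_KEY, VA_BITS, 0);
    uint64_t moved = pac_auth(saved, DEMO_SP + 0x40, DEMO_KEY, VA_BITS, 0);
    uint64_t raw   = pac_auth(DEMO_RET + 0x100, DEMO_SP, DEMO_KEY, VA_BITS, 0);

    printf("PAC bits (48-bit VA, no tag): %u\n", pac_bits(VA_BITS, 0));
    printf("signed LR     : %016llx\n", (unsigned long long)saved);
    printf("auth, same SP : %016llx canonical=%d\n",
           (unsigned long long)ok, is_canonical(ok, VA_BITS, 0));
    printf("auth, other SP: %016llx canonical=%d\n",
           (unsigned long long)moved, is_canonical(moved, VA_BITS, 0));
    printf("auth, raw LR  : %016llx canonical=%d\n",
           (unsigned long long)raw, is_canonical(raw, VA_BITS, 0));
    return 0;
}
```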
For more details on ARMv8.3 and PAC, see
• “ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile” by ARM team (https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profile)
• “ARMv8.3 Pointer Authentication” by Mark Rutland from ARM (https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf)
• “Pointer Authentication on ARMv8.3” by Qualcomm team (https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf)
QARMA
• The size of PAC depends on the virtual memory address range; it is between
  • 11…31 bits when memory tagging is not used
  • 3…23 bits when memory tagging is used
• Qualcomm considered existing crypto algorithms and rejected them for various reasons, e.g.
  • SipHash is relatively slow and can have an impact on latency
  • PRINCE has a fixed-size input/output block; truncating can make PAC predictable
• QARMA was designed by Qualcomm to be fast and produce short signatures if needed
• QARMA was carefully tested, including cryptanalysis tests
• Is it really safe? It’s hard to say for sure :)
For more details on QARMA, see
• “The QARMA Block Cipher Family” by Roberto Avanzi from Qualcomm (https://eprint.iacr.org/2016/444.pdf) (at least, check the section “4 Security Analysis”)
Possible attacks
• Guessing and forging PAC values. Complexity depends on the crypto algorithm. Theoretically, this attack must be hard for QARMA.
• Pointer substitution attacks include various forms of substituting one authenticated pointer with another. Probably it’s possible. Anyway, PAC should make finding ROP/JOP chains much harder.
• Key management concerns and key reuse attacks. Generating/managing keys is the software’s responsibility, so it depends on the software.
• Interpreters and Just-in-Time Compilation (JIT) cannot be protected by PAC (PAC does not protect against data-only attacks), so it’s a very good attack vector. Maybe the best.
What about the real world?
• ARMv8.3 is supported by
  • GCC, starting from version 7
  • LLVM, starting from the commit https://github.com/llvm-mirror/llvm/commit/af93d17e0c779e519918a892adb33608c6f9dfdb
• At the moment, the only widely known system on a chip with ARMv8.3 support is Apple A12.
• It should prevent exploitation of memory corruption vulnerabilities on the newest iPhone XS, XS Max, and XR, but…
• …it looks like it doesn’t help.
• The details are not known yet, so we are impatiently waiting for the writeup from @PanguTeam.
Links
• “ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile” by ARM team (https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profile)
• “ARMv8.3 Pointer Authentication” by Mark Rutland from ARM (https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf)
• “Pointer Authentication on ARMv8.3” by Qualcomm team (https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf)
• “The QARMA Block Cipher Family” by Roberto Avanzi from Qualcomm (https://eprint.iacr.org/2016/444.pdf)
Questions?

 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 

Dima Kovalenko - Is ARMv8.3 the end of ROP?

  • 1. HackIT 4.0, Kyiv Is ARMv8.3 the end of ROP? Dima Kovalenko
  • 2. HackIT 4.0, Kyiv Dima Kovalenko kov4l3nko@gmail.com iOS/Android reverse engineer, security researcher
  • 3. Agenda
      • ARMv8.3
      • Pointer authentication code (PAC)
      • QARMA
      • Possible attacks
      • What about the real world?
  • 5. ARMv8.3
      • It’s an optional extension of ARMv8
      • It’s for AArch64 mode only.
      • It adds, among other things, 46 new machine instructions to implement signed pointers
      • It’s backward compatible with the standard ARMv8 instruction set
  • 7. Pointer authentication code (PAC)
      • ARMv8.3 introduces Pointer Authentication Code (PAC)
      • It’s implemented if at least one of system registers ID_AA64ISAR1_EL1.APA, ID_AA64ISAR1_EL1.API, ID_AA64ISAR1_EL1.GPA, or ID_AA64ISAR1_EL1.GPI is 0b0001
  • 8. Pointer authentication code (PAC)
      • PAC is stored in the upper bits of a pointer:
            Bit range              Description
            0…TCR_ELx.TnSZ-1       Actually the address
            TCR_ELx.TnSZ…54        PAC
            55                     n
            56…63                  If n is 1, the bit range holds the address tag; else it holds PAC
  • 9. Pointer authentication code (PAC)
      • PAC is calculated according to the following general pattern:
            Pointer, Modifier, Key → P(…) → PAC + Pointer
      • If ID_AA64ISAR1_EL1.APA is 0b0001, then P(…) is QARMA; otherwise it’s IMPLEMENTATION DEFINED
      • Anyway, the resulting PAC+Pointer is not a valid pointer!
  • 10. Pointer authentication code (PAC)
      • The specification defines five 128-bit keys:
          • API{A,B}Key_EL1 (for instruction pointers) is the concatenation of the register values API{A,B}KeyHi_EL1:API{A,B}KeyLo_EL1.
          • APD{A,B}Key (for data pointers) is the concatenation of the register values APD{A,B}KeyHi_EL1:APD{A,B}KeyLo_EL1.
          • APGAKey (for data) is the concatenation of the register values APGAKeyHi_EL1:APGAKeyLo_EL1
      • The keys are placed in *_EL1 registers and are not accessible in EL0 (user mode)
  • 11. Pointer authentication code (PAC)
      • The keys are expected to be ephemeral (per process for EL0 and per boot for EL1 to EL3)
      • Key management, including generating good quality random numbers, is the responsibility of the software (e.g. OS)
      • Some ARMv8.3 instructions (PACIA, PACIA1716 etc.) also need a 64-bit modifier to calculate PAC. Depending on the instruction it can be SP, X16 or any Xn register.
  • 12. Pointer authentication code (PAC)
      • In general, there are two groups of ARMv8.3 instructions:
          • Basic pointer authentication instructions. Each of these instructions only performs an operation that supports pointer authentication.
          • Combined instructions that include pointer authentication. Each of these instructions combines a pointer authentication with another operation that uses the authenticated pointer (e.g. BRAA branches to a register, with pointer authentication).
  • 13. Pointer authentication code (PAC)
      • There are, in turn, three subgroups of basic pointer authentication instructions:
          • Instructions that calculate/add PAC
          • Instructions that authenticate/strip PAC. If authentication fails, the upper bits of a pointer are corrupted and any subsequent use of the pointer results in a Translation fault.
          • Instructions that just strip PAC without authentication.
  • 14. Pointer authentication code (PAC)
      • ARMv8.3 instructions are backward compatible with ARMv8 because on early SoCs they are all encoded as HINT #0 (NOP) :)
  • 15. Pointer authentication code (PAC)
      • An example. No stack protection:
            ; function prologue
            SUB sp, sp, #0x40
            STP x29, x30, [sp,#0x30]
            ADD x29, sp, #0x30
            …
            ; function epilogue
            LDP x29, x30, [sp,#0x30]
            ADD sp, sp, #0x40
            RET
  • 16. Pointer authentication code (PAC)
      • An example. The stack is protected with ARMv8.3:
            ; function prologue
            PACIASP ; <=== calculate/add PAC to LR, use SP as a modifier
            SUB sp, sp, #0x40
            STP x29, x30, [sp,#0x30]
            ADD x29, sp, #0x30
            …
            ; function epilogue
            LDP x29, x30, [sp,#0x30]
            ADD sp, sp, #0x40
            AUTIASP ; <== auth./strip PAC from LR, use SP as a modifier
            RET
  • 17. For more details on ARMv8.3 and PAC, see
      • “ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile” by ARM team (https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profile)
      • “ARMv8.3 Pointer Authentication” by Mark Rutland from ARM (https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf)
      • “Pointer Authentication on ARMv8.3” by Qualcomm team (https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf)
  • 19. QARMA
      • The size of the PAC depends on the virtual memory address range; it is between
          • 11…31 bits when memory tagging is not used
          • 3…23 bits when memory tagging is used
      • Qualcomm considered existing crypto algorithms and rejected them for various reasons, e.g.
          • SipHash is relatively slow and can impact latency
          • PRINCE has a fixed-size input/output block; truncating it can make the PAC predictable
  • 20. QARMA
      • QARMA was designed by Qualcomm to be fast and produce short signatures if needed
      • QARMA was carefully tested, including cryptanalysis tests
      • Is it really safe? It’s hard to say for sure :)
  • 21. For more details on QARMA, see
      • “The QARMA Block Cipher Family” by Roberto Avanzi from Qualcomm (https://eprint.iacr.org/2016/444.pdf) (at least, check the section “4 Security Analysis”)
  • 23. Possible attacks
      • Guessing and forging PAC values. Complexity depends on the crypto algorithm. Theoretically, this attack should be hard against QARMA.
      • Pointer substitution attacks include various forms of substituting one authenticated pointer with another. Probably it’s possible. Anyway, PAC should make finding ROP/JOP chains much harder.
      • Key management concerns and key reuse attacks. Generating/managing keys is the software’s responsibility, so it depends on the software.
  • 24. Possible attacks
      • Interpreters and Just-in-Time Compilation (JIT) cannot be protected by PAC (PAC does not protect against data-only attacks), so it’s a very good attack vector. Maybe the best.
  • 25. What about the real world?
  • 26. What about the real world?
      • ARMv8.3 is supported by
          • GCC, starting from version 7
          • LLVM, starting from the commit https://github.com/llvm-mirror/llvm/commit/af93d17e0c779e519918a892adb33608c6f9dfdb
      • At the moment, the only widely known system on a chip with ARMv8.3 support is Apple A12.
      • It should prevent exploitation of memory corruption vulnerabilities on the newest iPhone XS, XS Max, and XR, but…
  • 27. What about the real world?
      • …it looks like it doesn’t help.
      • The details are not known yet, so we are impatiently waiting for the writeup from @PanguTeam.
  • 28. Links
  • 29. Links
      • “ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile” by ARM team (https://developer.arm.com/docs/ddi0487/latest/arm-architecture-reference-manual-armv8-for-armv8-a-architecture-profile)
      • “ARMv8.3 Pointer Authentication” by Mark Rutland from ARM (https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf)
      • “Pointer Authentication on ARMv8.3” by Qualcomm team (https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf)
      • “The QARMA Block Cipher Family” by Roberto Avanzi from Qualcomm (https://eprint.iacr.org/2016/444.pdf)
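
The PACIASP/AUTIASP prologue and epilogue from slides 15 and 16, modelled in C as an added example (not part of the original slides): it packs a PAC into the upper pointer bits as on slide 8 and shows authentication failing when the saved return address or the SP modifier changes. Assumptions: 48-bit virtual addresses with address tagging off, constructed key, LR and SP values, hypothetical function names, and a stand-in mixing function in place of QARMA.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this model: 48-bit VA, address tagging off, so the PAC
 * field is bits 48..54 and 56..63; bit 55 (the "n" bit) is kept. */
#define PAC_MASK ((~0ULL << 48) & ~(1ULL << 55))

/* Stand-in keyed mixer (splitmix64 finalizer). NOT QARMA, not secure. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* P(pointer, modifier, key) from slide 9, truncated to the PAC field. */
static uint64_t compute_pac(uint64_t ptr, uint64_t mod, const uint64_t key[2]) {
    return mix(mix(ptr ^ key[0]) ^ mod ^ key[1]) & PAC_MASK;
}

/* Models PACIA/PACIASP: place the PAC in the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t mod, const uint64_t key[2]) {
    ptr &= ~PAC_MASK;
    return ptr | compute_pac(ptr, mod, key);
}

/* Models AUTIA/AUTIASP: strip the PAC if it matches; otherwise leave an
 * error bit set (bit 61, chosen for this model) so later use faults. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t mod, const uint64_t key[2]) {
    uint64_t ptr = signed_ptr & ~PAC_MASK;
    if ((signed_ptr & PAC_MASK) == compute_pac(ptr, mod, key)) return ptr;
    return ptr | (1ULL << 61);
}

int is_canonical(uint64_t ptr) { return (ptr & PAC_MASK) == 0; }

/* Constructed key, LR and SP. Bit 0: untouched frame returns; bit 1: an
 * overwritten return address is caught; bit 2: a different SP is caught. */
int run_cases(void) {
    const uint64_t key[2] = {0x0123456789abcdefULL, 0xfedcba9876543210ULL};
    uint64_t lr = 0x0000000100004a10ULL, sp = 0x000000016fdff340ULL;
    uint64_t saved = pac_sign(lr, sp, key);        /* PACIASP, then STP */
    int ok = (pac_auth(saved, sp, key) == lr);     /* LDP, then AUTIASP */
    ok |= (!is_canonical(pac_auth(saved ^ 0x40, sp, key))) << 1;
    ok |= (!is_canonical(pac_auth(saved, sp + 0x40, key))) << 2;
    return ok;
}

int main(void) { printf("cases ok: 0x%x (expect 0x7)\n", run_cases()); return 0; }
```

Because the PAC depends only on the pointer, the modifier and the key, any return address signed under the same SP value and key also authenticates, which is the pointer substitution concern from slide 23.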