All materials are licensed under a Creative Commons “Share Alike” license.
http://creativecommons.org/licenses/by-sa/3.0/
Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ‘Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html"
SMRAM and Caching
Cache Basics
• Temporary storage located on the CPU
• Accesses to data/instructions in cache are much faster than those to physical memory
• Caching is available in all operating modes, including SMM
• Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs)
• MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory
• Typically configured by BIOS but can also be configured by the operating system as needed
From Intel Vol. 3. Ch. "Memory Cache Control"
Memory Caching Types
• Physical memory ranges can be defined as having one of these types of caching properties
• The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuk et al.
– Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09-duflot.pdf
– Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
• The attack is brilliant in its simplicity
From Intel Vol. 3. Ch. "Memory Cache Control"
Write-back (WB)
• The point of write-back caching is to reduce the amount of bus traffic between the processor and memory
• Reads come from cache lines on cache hits
• Writes are performed in the cache and not immediately written/flushed to memory
• Both read and write misses cause cache fills
• Modified CPU cache lines are written back (write-back) to memory at a later time*
• Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache
• Subsequent reads/writes from/to that address will be from/to cache instead of memory
• Until the processor writes back that cache to memory*
* Read the Intel Software Developers Guide Volume 3
[Slides 6–8: figures not preserved. Source cited on each slide: https://cansecwest.com/csw09/csw09-duflot.pdf. Slide 6 carries the label "(D_LCK bit)".]
The fix: SMRR
• The preceding is a great example of how security researchers can influence industry for the better. Damn fine job.
• System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture*
• Provides a PHYSBASE/PHYSMASK pair just like MTRRs
• Prevents the kind of attack that we just saw in the preceding example
• SMRR restricts access to the address range defined in the SMRR registers
• Defines the memory type (caching) for the SMRAM range
• SMRRs can be written to only when the processor is in SMM
• SMRR takes priority over MTRR in case of overlapping ranges
* This is one of the only architecture-dependent security mechanisms. Up to this point everything has been x32/x64 agnostic.
SMRR
• When the processor is in SMM:
– Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE
• When the processor is not in SMM:
– Memory reads return a fixed value (0xFF in my experience)
– Memory writes are ignored
– Memory type is Uncacheable
Verify SMRR Support: IA32_MTRRCAP
• SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set
• Verify next that it is being used
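The two checks above (supported, then actually in use) and the PHYSBASE/PHYSMASK decoding from the SMRR slides, as an added example that is not part of the original class material. It takes raw MSR values as arguments rather than reading hardware, because the SMRR MSR numbers are model-specific; the sample values are constructed. The field layout is an assumption taken from the Intel SDM Vol. 3 description of SMRR: Valid is bit 11 of PHYSMASK, base and mask occupy bits 31:12, and the memory type is in bits 7:0 of PHYSBASE.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MTRRCAP_SMRR    (1ULL << 11)  /* IA32_MTRRCAP bit 11: SMRR supported (from the slides) */
#define SMRR_MASK_VALID (1ULL << 11)  /* SMRR_PHYSMASK Valid bit (assumed, per Intel SDM Vol. 3) */
#define SMRR_ADDR_BITS  0xFFFFF000u   /* base/mask live in bits 31:12 (assumed, per Intel SDM) */

enum smrr_status { SMRR_OK, SMRR_UNSUPPORTED, SMRR_NOT_ENABLED, SMRR_MALFORMED };

static uint32_t smrr_base(uint64_t physbase) { return (uint32_t)physbase & SMRR_ADDR_BITS; }
static uint8_t  smrr_type(uint64_t physbase) { return (uint8_t)(physbase & 0xFF); }

/* Size of the range implied by PHYSMASK, or 0 if the mask is empty or is
 * not one contiguous run of high bits (which would describe no single range). */
static uint32_t smrr_size(uint64_t physmask)
{
    uint32_t mask    = (uint32_t)physmask & SMRR_ADDR_BITS;
    uint32_t ignored = ~mask & SMRR_ADDR_BITS;  /* address bits the mask does not compare */
    uint32_t run     = ignored >> 12;
    if (mask == 0 || (run & (run + 1)) != 0)
        return 0;
    return ignored + 0x1000u;
}

/* Supported (MTRRCAP bit 11), in use (Valid bit), and describing a sane range. */
static enum smrr_status smrr_check(uint64_t mtrrcap, uint64_t physbase, uint64_t physmask)
{
    if (!(mtrrcap & MTRRCAP_SMRR))
        return SMRR_UNSUPPORTED;
    if (!(physmask & SMRR_MASK_VALID))
        return SMRR_NOT_ENABLED;
    uint32_t size = smrr_size(physmask);
    if (size == 0 || (smrr_base(physbase) & (size - 1)) != 0)
        return SMRR_MALFORMED;              /* base must be aligned to the range size */
    return SMRR_OK;
}

/* True if [start, start+len) lies entirely inside the SMRR range, e.g. to
 * confirm that the SMRAM region the chipset reports is fully protected. */
static bool smrr_covers(uint64_t physbase, uint64_t physmask, uint64_t start, uint64_t len)
{
    uint64_t base = smrr_base(physbase), size = smrr_size(physmask);
    return len != 0 && size != 0 && start >= base && len <= size &&
           start - base <= size - len;
}

static const char *memtype_name(uint8_t type)
{
    switch (type) {                         /* Intel memory type encodings */
    case 0:  return "UC";
    case 1:  return "WC";
    case 4:  return "WT";
    case 5:  return "WP";
    case 6:  return "WB";
    default: return "reserved";
    }
}

int main(void)
{
    /* Constructed sample values, not read from real hardware. */
    const uint64_t mtrrcap = 0xD0A, physbase = 0x7F800006, physmask = 0xFF800800;
    /* Hypothetical SMRAM window to compare against (also constructed). */
    const uint64_t smram_start = 0x7F800000, smram_len = 0x800000;
    static const char *const verdict[] = { "OK", "unsupported", "not enabled", "malformed" };

    enum smrr_status st = smrr_check(mtrrcap, physbase, physmask);
    printf("SMRR status : %s\n", verdict[st]);
    if (st == SMRR_OK) {
        printf("range       : 0x%08x + 0x%x (%s)\n", (unsigned)smrr_base(physbase),
               (unsigned)smrr_size(physmask), memtype_name(smrr_type(physbase)));
        printf("covers SMRAM: %s\n",
               smrr_covers(physbase, physmask, smram_start, smram_len) ? "yes" : "no");
    }
    return st == SMRR_OK ? 0 : 1;
}
```

A result of "not enabled" on hardware that reports support is the case to flag: the range registers exist but the cache-poisoning protection described above is not active.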
SMRR MSR Number
• If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter)
• The MSR register addresses are non-"architectural" and will therefore differ between architectures
– That’s why they are called Model-Specific Registers
• RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system
– As of latest version
For reference: E6400 (Core2Duo)
Homework heads up
• Find the value of SMRR_PHYSBASE for your particular hardware


Editor's Notes

  1. Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
  2. ***This is not going to be a discussion on CPU architecture, for details on caching I recommend 3 sources: Both the Intel and AMD Optimization Reference Manuals, and Agner Fog’s optimization references
  3. Todo, cite Loic's paper since they technically found it first