SlideShare a Scribd company logo

[若渴]Study on Side Channel Attacks and Countermeasures

Aj MaChInE
Aj MaChInE

[投影片錯誤更正] p.43 中間32數字改成64。右上藍色小框64改成63 原本要整理Meltdown與Spectre,但這兩個所利用的硬體行為之後都跟cache side channel有關係,所以閱讀Meltdown與Spectre之餘,就整理了相關cache side channel攻擊與防禦。 回饋問題: 一: 為什麼LLC要切割成LLC slice? "Modern Intel processors, starting with the Sandy Bridge microarchitecture, use a more complex architecture for the LLC, to improve its performance. The LLC is divided into per-core slices, which are connected by a ring bus. Slices can be accessed concurrently and are effectively separate caches, although the bus ensures that each core can access the full LLC (with higher latency for remote slices)." 二: flush+reload with shared memory pages,為什麼要 flush+reload? 不是可以直接存取到資料? 討論的是共用shared library,洩漏victim使用shared library的情形。 三: RDTSCP ? 可量測執行指令的cycle數。 四: side channel攻擊需要環境運作的程式不能太複雜? Kuon: 實際案例 embed運作環境並不複雜,e.g. trustzone上可能只運作openSSL。 AJ: 就算在複雜環境,可以找到觸發Victim的特定運算點,也是可以進行觀測。

Education
1 of 60
Download to read offline
Study on Side Channel Attacks and Countermeasures @若渴 2018.1.20 <ajblane0612@gmail.com> AjMaChInE
Outline • Modem Computing Architectures • Side channel attacks • Countermeasures
Modem Computing Architectures * Modern high-performance CPU pipeline * Cache
[0]
[1]
[2]
[4]
VIVT: Virtually indexed, virtually tagged * Fast * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache PIPT: Physically indexed, physically tagged * Slow (TLB lookup for index) * Shared memory only once in cache! [5]
PIVT: Physically indexed, virtually tagged * Slow (TLB lookup for index) * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache VIPT: Virtually indexed, physically tagged * Fast * 4 KiB pages: last 12 bits of VA and PA are equal * Using more bits has disadvantages (like VIVT) ! Cache size # ways page size [5]
Ring Bus Architecture and Sliced LLC [6]
[0] 只有在獲取PA狀況下, 才可以準確控制cache
Address Translation on x86-64 [4]
Address Translation Caches [3]
TrustZone Enabled Processor Memory Hierarchy [8]
Branch Target Buffer BTB addressing scheme in Haswell processor [7]
Side Channel Attacks Side-Effect Channel Attacks channel attacker side-effect victim • 目標: information leakage • 思考點: – commonality (contention ) – 如何操作commonality
Side Channels with Commonality • Cache [2][5][6][8][9][10] • Address Translation Caches [3] • Branch Target Buffer (BTB) [7] • Translation Lookaside Buffer (TLB) [12] • SMT(hyper threading) CPU [13] • …?
Cache Side Channel Attacks • Flush+Reload with shared memory pages • Prime+Probe is a general technique • 利用cache當channel 至少有兩種操作手法 [8]
Flush+Reload [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption step 3: attacker reloads data ! fast access if the victim loaded the line [5]
Prime+Probe step 0: attacker fills the cache (prime) [5]
Prime+Probe [5] step 0: attacker fills the cache (prime)
Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption [5]
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed [5]
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed
Typically, 如何利用cache side channel 來達到information leakage Prime+Probe在icache中,依照時間序列知道某cache set中的cache lines在 做存取,所以可以推敲出 ei 序列。
Cache Side Channel Attacks against VM [6] cryptographic keys
Cache Side Channel Attacks against Brower [9]
Cache Side Channel Attacks against TrustZone [8]
好像很簡單? 困難: reverse-engineer some cache for finding eviction set to occupy exactly one cache set • VM (guest-VA  guest-PA  L1  L2 L3  PA) • Browser (Typed Array Specification  VA  L1  L2  L3  PA) • TrustZone (VA  L1  L2  L3  PA)
cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode controlled VA all the index bits are within the page offset the same set index bits may be located in different LLC slices
[6][9] set candidate
cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 8MB “eviction buffer” of physical memory will completely invalidate all cache sets in the L3 cache 8192 cache sets in 131K offsets (8MB/64bytes) slow
06111863 17 • 0-11 -> 4kb page mode • 6-18 -> cache set index • 17-63 -> are hashed to form the upper 2 bits of the cache index (4 slice) fixing some subset of the 131K offsets
4KB 00 01 64 32 64b 06111863 17 5 8MB 4KB 4KB …000000000000 …000001000000 2^(18-11) cache set in 2^(18-11) cache sets in …0000000000000 …1000000000000 有可能cache contention cache contention
cache L1 VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 效能差(操作L3 cache miss),但 可攻擊 只適用 cloud環境 [5][6][9] [10]
Side Channel Attacks of Address Translation Cache “Double page fault attack, where an unprivileged attacker tries to access an inaccessible kernel memory location, triggering a page fault. After the page fault interrupt is handled by the operating system, the control is handed back to an error handler in the user program. The attacker measures the execution time of the page fault interrupt. If the memory location is valid, regardless of whether it is accessible or not, address translation table entries are copied into the corresponding address translation caches. The attacker then tries to access the same inaccessible memory location again. If the memory location is valid, the address translation is already cached and the page fault interrupt will take less time. Thus, the attacker learns whether a memory location is valid or not, even if it is not accessible from the user space.” [3] 借助OS處理能力與page table共用特性
double page fault attack [5][11] –> KASLR is Dead
Side Channel Attacks of Branch Target Buffer BTB contention
The reverse engineered BTB addressing scheme in the HasWell processor [7] In particular, the kernel code must be aligned at 2MB boundaries. To find a collision
[7] As a result, only the Page Directory Entry (PDE) bits (9 bit)of virtual addresses are randomized (512 possible)
[7]
BTB side channel attacks –> KASLR is Dead [7]
SMT side channel attacks • 在沒有網路狀況下,兩VMs資料如何對傳? [13] senderreceiver SMT CPU
Countermeasure of Side Channel Attacks
Countermeasure for Cache Side- Channel attacks • Less accurate timer • Page coloring – Avoiding collisions in the LLC; Location in LLC determined by physical address; Give each user a color (address bits); • Behavior detection – Hardware Performance Counters (HPCs) can track hardware events (e.g. LLC misses) • Design cache leakage free code (e.g. Square-and- Multiply exponentiation) • disable cache-line sharing – Intel Cache Allocation Technology [7][15]
Countermeasure for Side Channel Attacks of Address Translation Caches • Shadow Address Space • 只是user kernel共用的page table分開,並把kennel page table藏起來。 效果會是kernel藏起來,但其實還是在physical memory中) • 不是使用TLB flush,而是使用Disable the PTE global bits [3]
對於BTB/TLB/SMT 的side channel attacks至目 前閱讀為止沒有好的countermeasures 。
萬萬沒想到 speculative execution在 執行完discard時,會把相關資訊留 在cache裡。 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 [16][17]
Reference • [0] “Negative Result: Reading Kernel Memory From User Mode”, July 28, 2017, https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ • [1] “Broadcom Bares Muscular ARM”, https://investorshub.advfn.com/boards/read_msg.aspx?message_id=95215022 • [2] “Practical Timing Side Channel Attacks Against Kernel Space ASLR”, 19-22 May 2013, http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf • [3] “KASLR is Dead: Long Live KASLR”, 24 June 2017 https://misc0110.net/web/files/kaiser_slides.pdf, https://gruss.cc/files/kaiser.pdf • [4] ] “ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A”, http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG. pdf • [5] “Cache Side-Channel Attacks and the case of Rowhammer”, April 28, 2016, https://gruss.cc/files/cache_and_rowhammer_ruhrsec.pdf • [6] “Last-Level Cache Side-Channel Attacks are Practical”, 17-21 May 2015 http://palms.ee.princeton.edu/system/files/SP_vfinal.pdf, https://pdfs.semanticscholar.org/81f6/c43188a2308b36a0c47570f7e7ec19cc20e1.pdf • [7] “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, 15-19 Oct. 2016 http://ieeexplore.ieee.org/document/7783743/ • [8] “TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices”, 2016, https://eprint.iacr.org/2016/980.pdf
Reference • [9] “The Spy in the Sandbox -- Practical Cache Attacks in Javascript and their Implications ”, 1 Mar 2015, http://www.cs.columbia.edu/~simha/spyjs.ccs15.pdf, https://arxiv.org/pdf/1502.07373.pdf • [10] “Malware Guard Extension: Using SGX to Conceal Cache Attacks”, 1 Mar 2017 , https://arxiv.org/pdf/1702.08719.pdf • [11]” DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX”, August 3, 2016, https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space- Layout-Randomization-KASLR-With-Intel-TSX.pdf • [12] “ASLR on the Line: Practical Cache Attacks on the MMU”,2017 , http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf • [13] “Covert shotgun: Automatically finding covert channels in SMT”, September 27, 2016 , https://cyber.wtf/2016/09/27/covert-shotgun/, https://www.youtube.com/watch?v=oVmPQCT5VkY [presentation] • [14] “Cache Side Channel Attack: Exploitability and Countermeasures”, 2017, https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack- Exploitability-And-Countermeasures.pdf • [15] “Cache side channel attacks”, What Stone dream about: Cache side channel attacks, http://dreamsofastone.blogspot.tw/2015/09/cache-side-channel-attacks.html • [16] “Meltdown and Spectre”, 2017, https://meltdownattack.com/
DRAM Side Channel Attacks against SGX

Recommended

The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" ProgramNational Cheng Kung University
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 
Improve Android System Component Performance
Improve Android System Component PerformanceImprove Android System Component Performance
Improve Android System Component PerformanceNational Cheng Kung University
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedAdrian Huang
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 

Recommended

The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" ProgramNational Cheng Kung University
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 
Improve Android System Component Performance
Improve Android System Component PerformanceImprove Android System Component Performance
Improve Android System Component PerformanceNational Cheng Kung University
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedAdrian Huang
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory ManagementNi Zo-Ma
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013sean chen
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototypingYan Vugenfirer
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLinaro
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4 4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4mao999
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)Kentaro Ebisawa
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1Linaro
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 
STM32 Microcontroller Clocks and RCC block
STM32 Microcontroller Clocks and RCC blockSTM32 Microcontroller Clocks and RCC block
STM32 Microcontroller Clocks and RCC blockFastBit Embedded Brain Academy
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 uploadCeph Community
 
VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld
 

More Related Content

What's hot

Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory ManagementNi Zo-Ma
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013sean chen
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototypingYan Vugenfirer
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Linaro
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLinaro
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEELinaro
 
4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4 4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4mao999
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)Kentaro Ebisawa
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1Linaro
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例National Cheng Kung University
 

What's hot (20)

Linux Memory Management
Linux Memory ManagementLinux Memory Management
Linux Memory Management
 
Uvm dcon2013
Uvm dcon2013Uvm dcon2013
Uvm dcon2013
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototyping
 
Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_Trusted firmware deep_dive_v1.0_
Trusted firmware deep_dive_v1.0_
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
LCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted FirmwareLCU14 500 ARM Trusted Firmware
LCU14 500 ARM Trusted Firmware
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting Review
 
HKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEEHKG18-402 - Build secure key management services in OP-TEE
HKG18-402 - Build secure key management services in OP-TEE
 
4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4 4章 Linuxカーネル - 割り込み・例外 4
4章 Linuxカーネル - 割り込み・例外 4
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
LLVM 總是打開你的心:從電玩模擬器看編譯器應用實例
 
STM32 Microcontroller Clocks and RCC block
STM32 Microcontroller Clocks and RCC blockSTM32 Microcontroller Clocks and RCC block
STM32 Microcontroller Clocks and RCC block
 

Similar to [若渴]Study on Side Channel Attacks and Countermeasures

VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
Experience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewExperience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewPhuwadon D
 
Caching Methodology & Strategies
Caching Methodology & StrategiesCaching Methodology & Strategies
Caching Methodology & StrategiesTiệp Vũ
 
Caching methodology and strategies
Caching methodology and strategiesCaching methodology and strategies
Caching methodology and strategiesTiep Vu
 
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics
 
Circonus: Design failures - A Case Study
Circonus: Design failures - A Case StudyCirconus: Design failures - A Case Study
Circonus: Design failures - A Case StudyHeinrich Hartmann
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...Chester Chen
 
Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines MongoDB
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Hsien-Hsin Sean Lee, Ph.D.
 
NYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentNYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentSpeedment, Inc.
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment StrategyMongoDB
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryPVS-Studio
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 

Similar to [若渴]Study on Side Channel Attacks and Countermeasures (20)

Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 upload
 
VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
Experience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewExperience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's View
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
 
Caching Methodology & Strategies
Caching Methodology & StrategiesCaching Methodology & Strategies
Caching Methodology & Strategies
 
Caching methodology and strategies
Caching methodology and strategiesCaching methodology and strategies
Caching methodology and strategies
 
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
 
Circonus: Design failures - A Case Study
Circonus: Design failures - A Case StudyCirconus: Design failures - A Case Study
Circonus: Design failures - A Case Study
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
 
Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
 
NYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentNYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ Speedment
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
 
Basics of JVM Tuning
Basics of JVM TuningBasics of JVM Tuning
Basics of JVM Tuning
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 

More from Aj MaChInE

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IAj MaChInE
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectreAj MaChInE
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoinAj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of TrustzoneAj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for CodeAj MaChInE
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cacheAj MaChInE
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying ConcurrencyAj MaChInE
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24Aj MaChInE
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACKAj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹Aj MaChInE
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPUAj MaChInE
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDAAj MaChInE
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented ProgrammingAj MaChInE
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String AttacksAj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 

Recently uploaded (20)

Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 

[若渴]Study on Side Channel Attacks and Countermeasures

  • 1. Study on Side Channel Attacks and Countermeasures @若渴 2018.1.20 <ajblane0612@gmail.com> AjMaChInE
  • 2. Outline • Modem Computing Architectures • Side channel attacks • Countermeasures
  • 3. Modem Computing Architectures * Modern high-performance CPU pipeline * Cache
  • 4. [0]
  • 5. [1]
  • 6. [2]
  • 7. [4]
  • 8. VIVT: Virtually indexed, virtually tagged * Fast * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache PIPT: Physically indexed, physically tagged * Slow (TLB lookup for index) * Shared memory only once in cache! [5]
  • 9. PIVT: Physically indexed, virtually tagged * Slow (TLB lookup for index) * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache VIPT: Virtually indexed, physically tagged * Fast * 4 KiB pages: last 12 bits of VA and PA are equal * Using more bits has disadvantages (like VIVT) ! Cache size # ways page size [5]
  • 10. Ring Bus Architecture and Sliced LLC [6]
  • 14. TrustZone Enabled Processor Memory Hierarchy [8]
  • 15. Branch Target Buffer BTB addressing scheme in Haswell processor [7]
  • 16. Side Channel Attacks Side-Effect Channel Attacks channel attacker side-effect victim • 目標: information leakage • 思考點: – commonality (contention ) – 如何操作commonality
  • 17. Side Channels with Commonality • Cache [2][5][6][8][9][10] • Address Translation Caches [3] • Branch Target Buffer (BTB) [7] • Translation Lookaside Buffer (TLB) [12] • SMT(hyper threading) CPU [13] • …?
  • 18. Cache Side Channel Attacks • Flush+Reload with shared memory pages • Prime+Probe is a general technique • 利用cache當channel 至少有兩種操作手法 [8]
  • 20. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache [5]
  • 21. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line [5]
  • 22. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption [5]
  • 23. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption step 3: attacker reloads data ! fast access if the victim loaded the line [5]
  • 24. Prime+Probe step 0: attacker fills the cache (prime) [5]
  • 25. Prime+Probe [5] step 0: attacker fills the cache (prime)
  • 26. Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption [5]
  • 27. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 28. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 29. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 30. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 31. Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed [5]
  • 32. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed
  • 33. Typically, 如何利用cache side channel 來達到information leakage Prime+Probe在icache中,依照時間序列知道某cache set中的cache lines在 做存取,所以可以推敲出 ei 序列。
  • 34. Cache Side Channel Attacks against VM [6] cryptographic keys
  • 35. Cache Side Channel Attacks against Brower [9]
  • 36. Cache Side Channel Attacks against TrustZone [8]
  • 37.
  • 38. 好像很簡單? 困難: reverse-engineer some cache for finding eviction set to occupy exactly one cache set • VM (guest-VA  guest-PA  L1  L2 L3  PA) • Browser (Typed Array Specification  VA  L1  L2  L3  PA) • TrustZone (VA  L1  L2  L3  PA)
  • 39. cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode controlled VA all the index bits are within the page offset the same set index bits may be located in different LLC slices
  • 41. cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 8MB “eviction buffer” of physical memory will completely invalidate all cache sets in the L3 cache 8192 cache sets in 131K offsets (8MB/64bytes) slow
  • 42. 06111863 17 • 0-11 -> 4kb page mode • 6-18 -> cache set index • 17-63 -> are hashed to form the upper 2 bits of the cache index (4 slice) fixing some subset of the 131K offsets
  • 43. 4KB 00 01 64 32 64b 06111863 17 5 8MB 4KB 4KB …000000000000 …000001000000 2^(18-11) cache set in 2^(18-11) cache sets in …0000000000000 …1000000000000 有可能cache contention cache contention
  • 44. cache L1 VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 效能差(操作L3 cache miss),但 可攻擊 只適用 cloud環境 [5][6][9] [10]
  • 45. Side Channel Attacks of Address Translation Cache “Double page fault attack, where an unprivileged attacker tries to access an inaccessible kernel memory location, triggering a page fault. After the page fault interrupt is handled by the operating system, the control is handed back to an error handler in the user program. The attacker measures the execution time of the page fault interrupt. If the memory location is valid, regardless of whether it is accessible or not, address translation table entries are copied into the corresponding address translation caches. The attacker then tries to access the same inaccessible memory location again. If the memory location is valid, the address translation is already cached and the page fault interrupt will take less time. Thus, the attacker learns whether a memory location is valid or not, even if it is not accessible from the user space.” [3] 借助OS處理能力與page table共用特性
  • 46. double page fault attack [5][11] –> KASLR is Dead
  • 47. Side Channel Attacks of Branch Target Buffer BTB contention
  • 48. The reverse engineered BTB addressing scheme in the HasWell processor [7] In particular, the kernel code must be aligned at 2MB boundaries. To find a collision
  • 49. [7] As a result, only the Page Directory Entry (PDE) bits (9 bit)of virtual addresses are randomized (512 possible)
  • 50. [7]
  • 51. BTB side channel attacks –> KASLR is Dead [7]
  • 52. SMT side channel attacks • 在沒有網路狀況下,兩VMs資料如何對傳? [13] senderreceiver SMT CPU
  • 53. Countermeasure of Side Channel Attacks
  • 54. Countermeasure for Cache Side- Channel attacks • Less accurate timer • Page coloring – Avoiding collisions in the LLC; Location in LLC determined by physical address; Give each user a color (address bits); • Behavior detection – Hardware Performance Counters (HPCs) can track hardware events (e.g. LLC misses) • Design cache leakage free code (e.g. Square-and- Multiply exponentiation) • disable cache-line sharing – Intel Cache Allocation Technology [7][15]
  • 55. Countermeasure for Side Channel Attacks of Address Translation Caches • Shadow Address Space • 只是user kernel共用的page table分開,並把kennel page table藏起來。 效果會是kernel藏起來,但其實還是在physical memory中) • 不是使用TLB flush,而是使用Disable the PTE global bits [3]
  • 56. 對於BTB/TLB/SMT 的side channel attacks至目 前閱讀為止沒有好的countermeasures 。
  • 58. Reference • [0] “Negative Result: Reading Kernel Memory From User Mode”, July 28, 2017, https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ • [1] “Broadcom Bares Muscular ARM”, https://investorshub.advfn.com/boards/read_msg.aspx?message_id=95215022 • [2] “Practical Timing Side Channel Attacks Against Kernel Space ASLR”, 19-22 May 2013, http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf • [3] “KASLR is Dead: Long Live KASLR”, 24 June 2017 https://misc0110.net/web/files/kaiser_slides.pdf, https://gruss.cc/files/kaiser.pdf • [4] ] “ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A”, http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG. pdf • [5] “Cache Side-Channel Attacks and the case of Rowhammer”, April 28, 2016, https://gruss.cc/files/cache_and_rowhammer_ruhrsec.pdf • [6] “Last-Level Cache Side-Channel Attacks are Practical”, 17-21 May 2015 http://palms.ee.princeton.edu/system/files/SP_vfinal.pdf, https://pdfs.semanticscholar.org/81f6/c43188a2308b36a0c47570f7e7ec19cc20e1.pdf • [7] “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, 15-19 Oct. 2016 http://ieeexplore.ieee.org/document/7783743/ • [8] “TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices”, 2016, https://eprint.iacr.org/2016/980.pdf
  • 59. Reference • [9] “The Spy in the Sandbox -- Practical Cache Attacks in Javascript and their Implications ”, 1 Mar 2015, http://www.cs.columbia.edu/~simha/spyjs.ccs15.pdf, https://arxiv.org/pdf/1502.07373.pdf • [10] “Malware Guard Extension: Using SGX to Conceal Cache Attacks”, 1 Mar 2017 , https://arxiv.org/pdf/1702.08719.pdf • [11]” DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX”, August 3, 2016, https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space- Layout-Randomization-KASLR-With-Intel-TSX.pdf • [12] “ASLR on the Line: Practical Cache Attacks on the MMU”,2017 , http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf • [13] “Covert shotgun: Automatically finding covert channels in SMT”, September 27, 2016 , https://cyber.wtf/2016/09/27/covert-shotgun/, https://www.youtube.com/watch?v=oVmPQCT5VkY [presentation] • [14] “Cache Side Channel Attack: Exploitability and Countermeasures”, 2017, https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack- Exploitability-And-Countermeasures.pdf • [15] “Cache side channel attacks”, What Stone dream about: Cache side channel attacks, http://dreamsofastone.blogspot.tw/2015/09/cache-side-channel-attacks.html • [16] “Meltdown and Spectre”, 2017, https://meltdownattack.com/
  • 60. DRAM Side Channel Attacks against SGX