SlideShare a Scribd company logo

Three things that rowhammer taught me by Halvar Flake

n|u - The Open Security Community
n|u - The Open Security Community

The presentation by Thomas aka Halvar Flake on his experiences of working on rowhammer and what it taught him about security in general.

Technology
1 of 59
Download to read offline
3 things that Rowhammer taught me … and their implications for future security research
Who am I? ● Reverse engineer since 1997, vuln development since 1999 ● Started reverse-engineering company “zynamics” in 2004 ● BinDiff, BinNavi, VxClass, many other contributions ● Acquired by Google in 2011 ● Worked on defending Google & large-scale malware analysis until 2015 ● Mathematician by trade, hacker by mentality (like to work on boundary between theory and practice) ● Currently on a one-year sabbatical to trave, read, and surf
What is Rowhammer?
The Rowhammer DRAM bug Repeated row activations can cause bit flips in adjacent rows ● A fault in many DRAM (DDR3) modules, from 2010 onwards ● Bypasses memory protection: One process can affect others ● All three big DRAM manufacturers shipped memory with this problem ○ A whole generation of machines ○ Particularly bad on Laptops (no ECC)
Simplified illustration of Rowhammer issue (hypothesized) Imagine DRAM as grid of wires, with bits of information stored at the “crossings” as charges
Simplified illustration of Rowhammer issue (hypothesized) Apply current to a “row” so that the values can be read out
Simplified illustration of Rowhammer issue (hypothesized) Apply current to a “row” so that the values can be read out
Simplified illustration of Rowhammer issue (hypothesized) Due to DRAM density, a tiny bit of charge leaks to neighboring “rows”
Simplified illustration of Rowhammer issue (hypothesized) This leads to tiny bits of charge leaking out of the neighboring cells
Simplified illustration of Rowhammer issue (hypothesized) Repeat often enough, and the neighboring bits can “flip”
Simplified illustration of Rowhammer issue (hypothesized) Repeat often enough, and the neighboring bits can “flip”
Exploiting Rowhammer Rowhammer was deemed non-exploitable and only a reliability issue ● We found a way to abuse it generically for local privilege escalation on x86 ● Core idea works on all major OSes (Windows / Linux / OSX) ● We implemented only the Linux variant (“We” == Mark Seaborn and me)
Exploiting Rowhammer: How to exploit a random bit flip How can a random bitflip be exploited? ● Page tables are 4k pages containing arrays of 512 “PTE”s (page table entries ● Each PTE is 64 bit and looks like this: ● ● Permission bit - 2% chance ● Physical page base address (20 bits) - 31% chance
Exploiting Rowhammer: How to exploit a random bit flip Basic strategy: Spray most of physical memory with page tables ● mmap() the same file repeatedly (and writeable) ● e.g. To fill 4GB of physical memory, mmap() 2048GB of virtual address space ○ Works because we have a 64-bit virtual address space ○ Works because major OS have no bounds on page tables Helps ensure two things: ● That a bit-flipped physical page number will point to a page table ● That a random bit flip will hit a PTE
Exploiting Rowhammer: How to exploit a random bit flip Begin “hammering” memory Periodically check for bit flip (indirectly): ● Scan virtual address space for a page that now points elsewhere ● If found, does the page look like a page table? ○ If so, deduce which address it controls ■ Modify it ■ Scan virtual address space for a second page that now points elsewhere Can be used to exploit completely random bit flips (e.g. from cosmic rays)
Lessons:
One bitflip is enough … at least when you don’t need 100% reliability
One bitflip is enough 2003 paper: “Using Memory Errors to Attack a Virtual Machine” Connected Heat lamp to RAM, induced bit flips 2015 Rowhammer. Common thread: The most random and obscure issues can be exploited. One bit is enough.
Deterministic computing is a good abstraction - but PREAM … “physics rules everything around me”
Deterministic computing is “just” an abstraction ● We think about computers as deterministic machines ● In reality, they are “probabilistically deterministic” ○ Deterministic most of the time ○ Probability of non-determinism in normal operation is made vanishingly low (“reliability”) ● What about the probability of non-determinism in worst-case operation? ○ Hardware is not engineered that way - probability of failure much higher
Deterministic computing is “just” an abstraction ● Example: Flash wear leveling ● Example: Speedpath analysis and yield maximization in CPU design ● Hardware vendors are incentivized to sell chips “just at the border of working” ● Bigger safety margins mean drastically reduced profit margins
Deterministic computing is “just” an abstraction: Cloud ● Cloud computing changes risk calculous ● Even if only 1 in 5000 CPUs can be made to misbehave, Cloud providers are at risk ● Attackers can rent CPUs until they get lucky
“Impenetrable defense” is not a good concept ... … because the chip at hand may not implement the spec all the time
“Impenetrable defense” is not a good concept ● Realizing that computers are only average-case deterministic means that “secure enclaves” may be a doomed concept ● A secure enclave (even with formally verified software) is verified against specified semantics of a chip ● Your particular chip may only honor those semantics 99.999% of the time ● The 0.001 may be enough for the attacker
“Impenetrable defense” is not a good concept ● Trend in recent years has been toward more opaque blocks in computers ● Intel Management Engine, Trustzone, Intel SGX etc. ● Trending concept is “hard, trusted, inviolable small cores” that are completely opaque and non-inspectable ● Once an attacker manages to get in, there is no way to tell, and no way to get him out
Implications? The three lessons from Rowhammer imply three interesting areas of research
Implications for fundamental security research ● The three lessons give importance to (at least) three exciting topics for research - one each in: ○ Theoretical computer science ○ Borders between Electrical engineering, Statistics, Physics ○ IT Systems Engineering (Hardware, Software, Ecosystems)
A proper theory of exploitation Theoretical Computer Science
A proper theory of exploitation ● Theoretical understanding of exploitation is weak ● Misjudgements happen even by seasoned professionals (“a random bit flip will not be exploitable”) ● No good theoretical framework exists to analyze ○ ... what issues are “exploitable” ○ … what issues are “not exploitable” ○ … where the boundary between them lies ○ … what facilitates exploitability ● Result: Misjudgements, bogus “mitigations”, etc.
A proper theory of exploitation: Suggestion ● Assume a tiny toy CPU ○ Finite array of memory cells, a few registers ○ PEEK, POKE, ADD, Jcc, RECV, SEND instructions ○ Read/write memory, add values, recv value, send value ○ Finite (but large) sequence of attacker-provided inputs ● Programmer “emulates” a finite state machine on this CPU - with a formally describable set of valid states ● Attacker gets to choose an arbitrary valid state as starting point ● Now assume corruption of a random bit - what is the probability that the attacker can now reach any possible state of the toy CPU given large enough input sequence?
A proper theory of exploitation: Suggestion ● A proper theory of exploitation would help understand many things: ○ Distinguish useful from not-useful mitigations ○ Help identify at what level of complexity of the emulated finite- state machine single-bit corruptions become exploitable ○ Put “exploitation” on sound footing in academic circles, and bring it out of obscurity / “magic” territory I hope to eventually get around to working on this
Worst-case analysis of chips, wear-and-tear, “achieving nondeterminism” Electrical Engineering, Statistics, Physics
Speed binning, worst-case paths, malicious input ● With cloud computing, virtualization, sandboxing and ubiquitous JIT, the instruction stream of the CPU is now malicious input ● CPUs are “speed binned” at end of production cycle ● IC manufacturers will optimize for maximum yield without “random” failures (speed path testing, crosstalk, leakage) ● What about “malicious inputs” (input code designed to cause pessimal behavior in the IC) ?
Speed binning, worst-case paths, malicious input EE community performs research on speed- and voltage-binning all the time - but with reliability focus. Security Research is needed on ... ● Identifying critical speed paths on silicon, identifying critical areas for crosstalk on silicon ● How to identify input that exercises worst-possible paths ● Can the critical path be made more critical by intentionally causing transistor degradation? Transistor aging is a thing, and solid-state is not always solid. It may become economical to rent 1000 CPUs for 1 year if I can get one of them to degrade enough to compromise the cloud provider.
Speed binning, worst-case paths, malicious input ● This looks like an extremely fruitful area of research! ○ IC manufacturers can’t afford to test every chip for very long. ○ Attackers can profit from small fractions of CPUs being faulty - even if those faults occur very rarely ○ IC manufacturers can’t be arbitrarily careful (direct impact on profitability). Research will need collaboration between security experts and people familiar with VLSI design, process-induced variations in IC production, and yield-optimization. Research may require budget (hardware investigation is expensive) Would love to investigate this, but need an EE collaborator :-)
Speed binning, worst-case paths, malicious input Side warning: I expect the IC industry to aggressively lobby against this research being performed out in the open. It is an incredibly competitive and secretive industry that adheres to the motto “only the paranoid survive”. Don’t go there unless you are willing to pick a fight.
Building inspectable (and hence defendable) systems “IT systems engineering” (Hardware, Software, Ecosystem)
Building inspectable (and hence defendable) systems ● The real world has the concept of “ownership” and “possession” ● I may be in possession of a rental car, but the car company has “ownership”. ● IT systems have a third dimension: “Control” ● I can have ownership and possession of an IT system, but I may not have control over it In today’s systems, it is impossible to establish who is in control. Hardware enclaves try to prevent loss-of-control, but this cannot be 100% -- remember PREAM.
Building inspectable (and hence defendable) systems ● If we want defendable systems, we need to build systems where it is possible for the person with ownership and possession to establish control. ● This implies: ○ Need to engineer systems to provide non-updateable and tamper-evident hardware paths to calculate & display checksums over code ○ Need to engineer systems so that every place that may contain code can be inspected ○ Need to engineer & build a public ledger infrastructure (similar to Certificate Transparency, but with working Gossip protocols) for signed code
Building inspectable (and hence defendable) systems ● The current approach of allowing (and even furthering) opacity makes our problems worse, not better ● In a world where all signing keys can be either stolen or coerced, any code signature scheme without publicly inspectable ledger needs to be rejected ● Possibility must exist to determine origin of all code within a machine
Building inspectable (and hence defendable) systems ● If you can’t establish who is in control of a machine, all security discussions devolve into scholasticism
Summary :-)
Summary :-) ● Rowhammer is an interesting issue, but it is the implications that are most interesting ● Computer security is full of extremely hard and extremely interesting questions ● Collaboration across disciplines (EE, Theoretical CS, product design) will be crucial ● If you find any of these topics interesting, please contact me at thomas.dullien (at) gmail.com ● I am particularly happy about any information from people with EE/VLSI/Chip-design/yield-optimization background
Questions?
Summary :-) ● Rowhammer is an interesting issue, but it is the implications that are most interesting ● Computer security is full of extremely hard and extremely interesting questions ● Collaboration across disciplines (EE, Theoretical CS, product design) will be crucial ● If you find any of these topics interesting, please contact me at thomas.dullien (at) gmail.com ● I am particularly happy about any information from people with EE/VLSI/Chip-design/yield-optimization background
Appendix: Illustration of Rowhammer PTE attack
... Virtual Address Space Physical Memory
... Virtual Address Space Physical Memory What happens when we map a file with read-write permissions?
... Virtual Address Space Physical Memory What happens when we map a file with read-write permissions? Indirection via page tables.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions?
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions?
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips ...
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself.
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself. An attacker that can read / write page tables …
... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself. An attacker that can read / write page tables can use that to map any memory read-write.

Recommended

DNS hijacking - null Singapore
DNS hijacking - null SingaporeDNS hijacking - null Singapore
DNS hijacking - null Singapore
n|u - The Open Security Community
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
n|u - The Open Security Community
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Attacking VPN's
Attacking VPN'sAttacking VPN's
Attacking VPN's
n|u - The Open Security Community
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Null Singapore - Can We secure the IoT - Chadi Hantouche
Null Singapore - Can We secure the IoT - Chadi HantoucheNull Singapore - Can We secure the IoT - Chadi Hantouche
Null Singapore - Can We secure the IoT - Chadi Hantouche
n|u - The Open Security Community
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
n|u - The Open Security Community
 

Recommended

DNS hijacking - null Singapore
DNS hijacking - null SingaporeDNS hijacking - null Singapore
DNS hijacking - null Singapore
n|u - The Open Security Community
 
Hacker's jargons
Hacker's jargonsHacker's jargons
Hacker's jargons
n|u - The Open Security Community
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Attacking VPN's
Attacking VPN'sAttacking VPN's
Attacking VPN's
n|u - The Open Security Community
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Null Singapore - Can We secure the IoT - Chadi Hantouche
Null Singapore - Can We secure the IoT - Chadi HantoucheNull Singapore - Can We secure the IoT - Chadi Hantouche
Null Singapore - Can We secure the IoT - Chadi Hantouche
n|u - The Open Security Community
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
News Bytes - December 2015
News Bytes - December 2015News Bytes - December 2015
News Bytes - December 2015
n|u - The Open Security Community
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
Michael Scovetta
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Firewalking
FirewalkingFirewalking
Firewalking
n|u - The Open Security Community
 
Stegano Secrets - Python
Stegano Secrets - PythonStegano Secrets - Python
Stegano Secrets - Python
n|u - The Open Security Community
 
INTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUESINTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUES
Chirag Jain
 
Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
n|u - The Open Security Community
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
Cyber Security Alliance
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration Testing
Chirag Jain
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
n|u - The Open Security Community
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 
EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14
Ian Phillips
 
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SHow I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
Brandon Liu
 
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Codemotion
 
Intelligent Thumbnail Selection
Intelligent Thumbnail SelectionIntelligent Thumbnail Selection
Intelligent Thumbnail Selection
Kamil Sindi
 
Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010
parallellabs
 
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
PROIDEA
 
Our Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed FutureOur Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed Future
C4Media
 
Chaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in SystemsChaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in Systems
Yury Roa
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
Rod Soto
 

More Related Content

Viewers also liked

Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
Michael Scovetta
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Firewalking
FirewalkingFirewalking
Firewalking
n|u - The Open Security Community
 
Stegano Secrets - Python
Stegano Secrets - PythonStegano Secrets - Python
Stegano Secrets - Python
n|u - The Open Security Community
 
INTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUESINTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUES
Chirag Jain
 
Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
n|u - The Open Security Community
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
Cyber Security Alliance
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration Testing
Chirag Jain
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
n|u - The Open Security Community
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
SmartBear
 

Viewers also liked (13)

Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
Firewalking
FirewalkingFirewalking
Firewalking
 
Stegano Secrets - Python
Stegano Secrets - PythonStegano Secrets - Python
Stegano Secrets - Python
 
INTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUESINTELLIGENT FACE RECOGNITION TECHNIQUES
INTELLIGENT FACE RECOGNITION TECHNIQUES
 
Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Firewall Penetration Testing
Firewall Penetration TestingFirewall Penetration Testing
Firewall Penetration Testing
 
Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0Pentesting RESTful WebServices v1.0
Pentesting RESTful WebServices v1.0
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 

Similar to Three things that rowhammer taught me by Halvar Flake

EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14
Ian Phillips
 
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SHow I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
Brandon Liu
 
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Codemotion
 
Intelligent Thumbnail Selection
Intelligent Thumbnail SelectionIntelligent Thumbnail Selection
Intelligent Thumbnail Selection
Kamil Sindi
 
Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010
parallellabs
 
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
PROIDEA
 
Our Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed FutureOur Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed Future
C4Media
 
Chaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in SystemsChaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in Systems
Yury Roa
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
Rod Soto
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
Jaeju Kim
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
Mattia Salvi
 
rsec2a-2016-jheaton-morning
rsec2a-2016-jheaton-morningrsec2a-2016-jheaton-morning
rsec2a-2016-jheaton-morning
Jeff Heaton
 
Realtime
RealtimeRealtime
Realtime
Mark Veltzer
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Docker, Inc.
 
The trials and tribulations of providing engineering infrastructure
The trials and tribulations of providing engineering infrastructure The trials and tribulations of providing engineering infrastructure
The trials and tribulations of providing engineering infrastructure
TechExeter
 
Cloud accounting software uk
Cloud accounting software ukCloud accounting software uk
Cloud accounting software uk
Arcus Universe Ltd
 
Stronger than its Weakest Link
Stronger than its Weakest LinkStronger than its Weakest Link
Stronger than its Weakest Link
Ian Phillips
 
Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook
Kernel Recipes 2017 - The state of kernel self-protection - Kees CookKernel Recipes 2017 - The state of kernel self-protection - Kees Cook
Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook
Anne Nicolas
 
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
inside-BigData.com
 
Sneaky computation
Sneaky computationSneaky computation
Sneaky computation
Juan J. Merelo
 

Similar to Three things that rowhammer taught me by Halvar Flake (20)

EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14EDCC14 Keynote, Newcastle 15may14
EDCC14 Keynote, Newcastle 15may14
 
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SHow I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
 
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...
 
Intelligent Thumbnail Selection
Intelligent Thumbnail SelectionIntelligent Thumbnail Selection
Intelligent Thumbnail Selection
 
Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010Chalmers microprocessor sept 2010
Chalmers microprocessor sept 2010
 
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...
 
Our Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed FutureOur Concurrent Past; Our Distributed Future
Our Concurrent Past; Our Distributed Future
 
Chaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in SystemsChaos Engineering: Injecting Failure for Building Resilience in Systems
Chaos Engineering: Injecting Failure for Building Resilience in Systems
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
rsec2a-2016-jheaton-morning
rsec2a-2016-jheaton-morningrsec2a-2016-jheaton-morning
rsec2a-2016-jheaton-morning
 
Realtime
RealtimeRealtime
Realtime
 
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov
 
The trials and tribulations of providing engineering infrastructure
The trials and tribulations of providing engineering infrastructure The trials and tribulations of providing engineering infrastructure
The trials and tribulations of providing engineering infrastructure
 
Cloud accounting software uk
Cloud accounting software ukCloud accounting software uk
Cloud accounting software uk
 
Stronger than its Weakest Link
Stronger than its Weakest LinkStronger than its Weakest Link
Stronger than its Weakest Link
 
Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook
Kernel Recipes 2017 - The state of kernel self-protection - Kees CookKernel Recipes 2017 - The state of kernel self-protection - Kees Cook
Kernel Recipes 2017 - The state of kernel self-protection - Kees Cook
 
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...
 
Sneaky computation
Sneaky computationSneaky computation
Sneaky computation
 

More from n|u - The Open Security Community

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primer
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
n|u - The Open Security Community
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
n|u - The Open Security Community
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Cloud security
n|u - The Open Security Community
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
n|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE RolesWhat is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 

Recently uploaded (20)

Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE RolesWhat is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 

Three things that rowhammer taught me by Halvar Flake

  • 1. 3 things that Rowhammer taught me … and their implications for future security research
  • 2. Who am I? ● Reverse engineer since 1997, vuln development since 1999 ● Started reverse-engineering company “zynamics” in 2004 ● BinDiff, BinNavi, VxClass, many other contributions ● Acquired by Google in 2011 ● Worked on defending Google & large-scale malware analysis until 2015 ● Mathematician by trade, hacker by mentality (like to work on boundary between theory and practice) ● Currently on a one-year sabbatical to trave, read, and surf
  • 4. The Rowhammer DRAM bug Repeated row activations can cause bit flips in adjacent rows ● A fault in many DRAM (DDR3) modules, from 2010 onwards ● Bypasses memory protection: One process can affect others ● All three big DRAM manufacturers shipped memory with this problem ○ A whole generation of machines ○ Particularly bad on Laptops (no ECC)
  • 5. Simplified illustration of Rowhammer issue (hypothesized) Imagine DRAM as grid of wires, with bits of information stored at the “crossings” as charges
  • 6. Simplified illustration of Rowhammer issue (hypothesized) Apply current to a “row” so that the values can be read out
  • 7. Simplified illustration of Rowhammer issue (hypothesized) Apply current to a “row” so that the values can be read out
  • 8. Simplified illustration of Rowhammer issue (hypothesized) Due to DRAM density, a tiny bit of charge leaks to neighboring “rows”
  • 9. Simplified illustration of Rowhammer issue (hypothesized) This leads to tiny bits of charge leaking out of the neighboring cells
  • 10. Simplified illustration of Rowhammer issue (hypothesized) Repeat often enough, and the neighboring bits can “flip”
  • 11. Simplified illustration of Rowhammer issue (hypothesized) Repeat often enough, and the neighboring bits can “flip”
  • 12. Exploiting Rowhammer Rowhammer was deemed non-exploitable and only a reliability issue ● We found a way to abuse it generically for local privilege escalation on x86 ● Core idea works on all major OSes (Windows / Linux / OSX) ● We implemented only the Linux variant (“We” == Mark Seaborn and me)
  • 13. Exploiting Rowhammer: How to exploit a random bit flip How can a random bitflip be exploited? ● Page tables are 4k pages containing arrays of 512 “PTE”s (page table entries ● Each PTE is 64 bit and looks like this: ● ● Permission bit - 2% chance ● Physical page base address (20 bits) - 31% chance
  • 14. Exploiting Rowhammer: How to exploit a random bit flip Basic strategy: Spray most of physical memory with page tables ● mmap() the same file repeatedly (and writeable) ● e.g. To fill 4GB of physical memory, mmap() 2048GB of virtual address space ○ Works because we have a 64-bit virtual address space ○ Works because major OS have no bounds on page tables Helps ensure two things: ● That a bit-flipped physical page number will point to a page table ● That a random bit flip will hit a PTE
  • 15. Exploiting Rowhammer: How to exploit a random bit flip Begin “hammering” memory Periodically check for bit flip (indirectly): ● Scan virtual address space for a page that now points elsewhere ● If found, does the page look like a page table? ○ If so, deduce which address it controls ■ Modify it ■ Scan virtual address space for a second page that now points elsewhere Can be used to exploit completely random bit flips (e.g. from cosmic rays)
  • 17. One bitflip is enough … at least when you don’t need 100% reliability
  • 18. One bitflip is enough 2003 paper: “Using Memory Errors to Attack a Virtual Machine” Connected Heat lamp to RAM, induced bit flips 2015 Rowhammer. Common thread: The most random and obscure issues can be exploited. One bit is enough.
  • 19. Deterministic computing is a good abstraction - but PREAM … “physics rules everything around me”
  • 20. Deterministic computing is “just” an abstraction ● We think about computers as deterministic machines ● In reality, they are “probabilistically deterministic” ○ Deterministic most of the time ○ Probability of non-determinism in normal operation is made vanishingly low (“reliability”) ● What about the probability of non-determinism in worst-case operation? ○ Hardware is not engineered that way - probability of failure much higher
  • 21. Deterministic computing is “just” an abstraction ● Example: Flash wear leveling ● Example: Speedpath analysis and yield maximization in CPU design ● Hardware vendors are incentivized to sell chips “just at the border of working” ● Bigger safety margins mean drastically reduced profit margins
  • 22. Deterministic computing is “just” an abstraction: Cloud ● Cloud computing changes risk calculous ● Even if only 1 in 5000 CPUs can be made to misbehave, Cloud providers are at risk ● Attackers can rent CPUs until they get lucky
  • 23. “Impenetrable defense” is not a good concept ... … because the chip at hand may not implement the spec all the time
  • 24. “Impenetrable defense” is not a good concept ● Realizing that computers are only average-case deterministic means that “secure enclaves” may be a doomed concept ● A secure enclave (even with formally verified software) is verified against specified semantics of a chip ● Your particular chip may only honor those semantics 99.999% of the time ● The 0.001 may be enough for the attacker
  • 25. “Impenetrable defense” is not a good concept ● Trend in recent years has been toward more opaque blocks in computers ● Intel Management Engine, Trustzone, Intel SGX etc. ● Trending concept is “hard, trusted, inviolable small cores” that are completely opaque and non-inspectable ● Once an attacker manages to get in, there is no way to tell, and no way to get him out
  • 26. Implications? The three lessons from Rowhammer imply three interesting areas of research
  • 27. Implications for fundamental security research ● The three lessons give importance to (at least) three exciting topics for research - one each in: ○ Theoretical computer science ○ Borders between Electrical engineering, Statistics, Physics ○ IT Systems Engineering (Hardware, Software, Ecosystems)
  • 28. A proper theory of exploitation Theoretical Computer Science
  • 29. A proper theory of exploitation ● Theoretical understanding of exploitation is weak ● Misjudgements happen even by seasoned professionals (“a random bit flip will not be exploitable”) ● No good theoretical framework exists to analyze ○ ... what issues are “exploitable” ○ … what issues are “not exploitable” ○ … where the boundary between them lies ○ … what facilitates exploitability ● Result: Misjudgements, bogus “mitigations”, etc.
  • 30. A proper theory of exploitation: Suggestion ● Assume a tiny toy CPU ○ Finite array of memory cells, a few registers ○ PEEK, POKE, ADD, Jcc, RECV, SEND instructions ○ Read/write memory, add values, recv value, send value ○ Finite (but large) sequence of attacker-provided inputs ● Programmer “emulates” a finite state machine on this CPU - with a formally describable set of valid states ● Attacker gets to choose an arbitrary valid state as starting point ● Now assume corruption of a random bit - what is the probability that the attacker can now reach any possible state of the toy CPU given large enough input sequence?
  • 31. A proper theory of exploitation: Suggestion ● A proper theory of exploitation would help understand many things: ○ Distinguish useful from not-useful mitigations ○ Help identify at what level of complexity of the emulated finite- state machine single-bit corruptions become exploitable ○ Put “exploitation” on sound footing in academic circles, and bring it out of obscurity / “magic” territory I hope to eventually get around to working on this
  • 32. Worst-case analysis of chips, wear-and-tear, “achieving nondeterminism” Electrical Engineering, Statistics, Physics
  • 33. Speed binning, worst-case paths, malicious input ● With cloud computing, virtualization, sandboxing and ubiquitous JIT, the instruction stream of the CPU is now malicious input ● CPUs are “speed binned” at end of production cycle ● IC manufacturers will optimize for maximum yield without “random” failures (speed path testing, crosstalk, leakage) ● What about “malicious inputs” (input code designed to cause pessimal behavior in the IC) ?
  • 34. Speed binning, worst-case paths, malicious input EE community performs research on speed- and voltage-binning all the time - but with reliability focus. Security Research is needed on ... ● Identifying critical speed paths on silicon, identifying critical areas for crosstalk on silicon ● How to identify input that exercises worst-possible paths ● Can the critical path be made more critical by intentionally causing transistor degradation? Transistor aging is a thing, and solid-state is not always solid. It may become economical to rent 1000 CPUs for 1 year if I can get one of them to degrade enough to compromise the cloud provider.
  • 35. Speed binning, worst-case paths, malicious input ● This looks like an extremely fruitful area of research! ○ IC manufacturers can’t afford to test every chip for very long. ○ Attackers can profit from small fractions of CPUs being faulty - even if those faults occur very rarely ○ IC manufacturers can’t be arbitrarily careful (direct impact on profitability). Research will need collaboration between security experts and people familiar with VLSI design, process-induced variations in IC production, and yield-optimization. Research may require budget (hardware investigation is expensive) Would love to investigate this, but need an EE collaborator :-)
  • 36. Speed binning, worst-case paths, malicious input Side warning: I expect the IC industry to aggressively lobby against this research being performed out in the open. It is an incredibly competitive and secretive industry that adheres to the motto “only the paranoid survive”. Don’t go there unless you are willing to pick a fight.
  • 37. Building inspectable (and hence defendable) systems “IT systems engineering” (Hardware, Software, Ecosystem)
  • 38. Building inspectable (and hence defendable) systems ● The real world has the concept of “ownership” and “possession” ● I may be in possession of a rental car, but the car company has “ownership”. ● IT systems have a third dimension: “Control” ● I can have ownership and possession of an IT system, but I may not have control over it In today’s systems, it is impossible to establish who is in control. Hardware enclaves try to prevent loss-of-control, but this cannot be 100% -- remember PREAM.
  • 39. Building inspectable (and hence defendable) systems ● If we want defendable systems, we need to build systems where it is possible for the person with ownership and possession to establish control. ● This implies: ○ Need to engineer systems to provide non-updateable and tamper-evident hardware paths to calculate & display checksums over code ○ Need to engineer systems so that every place that may contain code can be inspected ○ Need to engineer & build a public ledger infrastructure (similar to Certificate Transparency, but with working Gossip protocols) for signed code
  • 40. Building inspectable (and hence defendable) systems ● The current approach of allowing (and even furthering) opacity makes our problems worse, not better ● In a world where all signing keys can be either stolen or coerced, any code signature scheme without publicly inspectable ledger needs to be rejected ● Possibility must exist to determine origin of all code within a machine
  • 41. Building inspectable (and hence defendable) systems ● If you can’t establish who is in control of a machine, all security discussions devolve into scholasticism
  • 43. Summary :-) ● Rowhammer is an interesting issue, but it is the implications that are most interesting ● Computer security is full of extremely hard and extremely interesting questions ● Collaboration across disciplines (EE, Theoretical CS, product design) will be crucial ● If you find any of these topics interesting, please contact me at thomas.dullien (at) gmail.com ● I am particularly happy about any information from people with EE/VLSI/Chip-design/yield-optimization background
  • 45. Summary :-) ● Rowhammer is an interesting issue, but it is the implications that are most interesting ● Computer security is full of extremely hard and extremely interesting questions ● Collaboration across disciplines (EE, Theoretical CS, product design) will be crucial ● If you find any of these topics interesting, please contact me at thomas.dullien (at) gmail.com ● I am particularly happy about any information from people with EE/VLSI/Chip-design/yield-optimization background
  • 48. ... Virtual Address Space Physical Memory What happens when we map a file with read-write permissions?
  • 49. ... Virtual Address Space Physical Memory What happens when we map a file with read-write permissions? Indirection via page tables.
  • 50. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions?
  • 51. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions?
  • 52. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages.
  • 53. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs.
  • 54. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping.
  • 55. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips ...
  • 56. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access.
  • 57. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself.
  • 58. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself. An attacker that can read / write page tables …
  • 59. ... Virtual Address Space Physical Memory What happens when we repeatedly map a file with read-write permissions? PTEs in physical memory help resolve virtual addresses to physical pages. We can fill physical memory with PTEs. Each of them points to pages in the same physical file mapping. If a bit in the right place in the PTE flips … … the corresponding virtual address now points to a wrong physical page - with RW access. Chances are this wrong page contains a page table itself. An attacker that can read / write page tables can use that to map any memory read-write.