Wintel Hell
A guide through nine circles of Dante’s technological inferno
Martin Hron, researcher @ avast
CFG, VBS, VSM, SKM, MPX, TSX, SGX, MPK or PKU? WHAT THE HELL?
Vestibule
Virtual based security
Control flow guard
Instrumentation callback
Memory protection extensions
Software guard extensions
Transactional execution ext.
Memory protection keys
Bottom of the Hell
Complexity explosion
YOU ARE HERE
Circle 1 – Complexity explosion
Intel 8086
29,000 transistors
3,000 nm
33 mm² area
Intel 6th gen. SkyLake
quad-core
1,750,000,000 transistors
14nm
122 mm² area
790 pages → 3883 pages
Upper Hell
Windows
Circle 2 - VBS
virtual based security
• Windows 10 Enterprise and Server 2016
• Based on Hyper-V
• VSM Virtual Secure Mode
• Device Guard
• Credential guard
• Virtual TPM
Circle 2 - VBS
virtual secure mode (VSM)
[Diagram: Hyper-V sits at ring -1 underneath both worlds. VTL 0 is where your old Windows lives: NTOSKRNL at ring 0, NTDLL.DLL, the Win32 API and LSASS at ring 3. VTL 1 holds SKM (the secure kernel) with SKCI.DLL and CNG.SYS at ring 0, and IUMDLL.DLL with Credential Guard (LSAISO) and the vTPM at ring 3. DMA access is policed by VT-d.]
Circle 3 – CFG
Control flow guard
• Windows 10 and Windows 8.1 Update 3
• Visual Studio 2015
• checks every indirect call for a valid target function address
• bitmap of valid entry points
• compiler + OS support
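A software model of the "bitmap of valid entry points" and the check the compiler emits before each indirect call. This is an added example, not code from the slides or from Windows: the image base, the two handler addresses and the exact numeric slot states are constructed for the demo; what it keeps from the real design is two bits per 16-byte range, with the OS/loader filling the bitmap from the image's guard table and the compiler's check consulting it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image layout; the addresses below are made up for the demo. */
#define CFG_IMAGE_BASE 0x140000000ULL
#define CFG_IMAGE_SIZE 0x10000ULL          /* 64 KiB of pretend code */
#define CFG_GRANULE    16ULL               /* one bitmap slot per 16 bytes */
#define CFG_SLOTS      (CFG_IMAGE_SIZE / CFG_GRANULE)

/* Slot states, 2 bits per slot, 4 slots per byte. The numeric values are
 * this model's own; the real bitmap also keeps 2 bits per 16-byte range. */
enum { CFG_NONE = 0, CFG_ALIGNED_ONLY = 1, CFG_ANY = 2 };

static uint8_t cfg_bitmap[CFG_SLOTS / 4];

static bool slot_for(uint64_t addr, size_t *slot) {
    if (addr < CFG_IMAGE_BASE || addr >= CFG_IMAGE_BASE + CFG_IMAGE_SIZE)
        return false;                      /* not inside the image at all */
    *slot = (size_t)((addr - CFG_IMAGE_BASE) / CFG_GRANULE);
    return true;
}

static unsigned slot_get(size_t slot) {
    return (cfg_bitmap[slot / 4] >> (2 * (slot % 4))) & 3u;
}

static void slot_set(size_t slot, unsigned state) {
    unsigned shift = 2 * (slot % 4);
    cfg_bitmap[slot / 4] = (uint8_t)((cfg_bitmap[slot / 4] & ~(3u << shift))
                                     | ((state & 3u) << shift));
}

/* OS/loader side: mark one function entry from the image's guard table.
 * An entry that is not 16-byte aligned widens the whole slot to CFG_ANY,
 * which is why the granularity is a known weak spot of the scheme. */
bool cfg_register_target(uint64_t func) {
    size_t slot;
    if (!slot_for(func, &slot)) return false;
    unsigned want = (func % CFG_GRANULE == 0) ? CFG_ALIGNED_ONLY : CFG_ANY;
    if (want > slot_get(slot)) slot_set(slot, want);
    return true;
}

/* Compiler side: the check emitted before every indirect call. */
bool cfg_check_icall(uint64_t target) {
    size_t slot;
    if (!slot_for(target, &slot)) return false;
    switch (slot_get(slot)) {
    case CFG_ALIGNED_ONLY: return target % CFG_GRANULE == 0;
    case CFG_ANY:          return true;
    default:               return false;   /* CFG_NONE: never a call target */
    }
}

/* Constructed guard table: two handlers, one aligned and one not.
 * Returns the number of targets registered. */
int cfg_demo_setup(void) {
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    int n = 0;
    n += cfg_register_target(CFG_IMAGE_BASE + 0x1000);   /* on_click: aligned */
    n += cfg_register_target(CFG_IMAGE_BASE + 0x1238);   /* on_key: unaligned */
    return n;
}

int main(void) {
    cfg_demo_setup();
    const uint64_t probes[] = {
        CFG_IMAGE_BASE + 0x1000,  /* registered entry         -> allowed */
        CFG_IMAGE_BASE + 0x1008,  /* mid-function in that slot -> blocked */
        CFG_IMAGE_BASE + 0x1238,  /* unaligned entry          -> allowed */
        CFG_IMAGE_BASE + 0x1230,  /* same 16-byte slot        -> allowed (granularity) */
        CFG_IMAGE_BASE + 0x2000,  /* never registered         -> blocked */
        0x7FFE0000ULL,            /* outside the image        -> blocked */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("call 0x%llx -> %s\n", (unsigned long long)probes[i],
               cfg_check_icall(probes[i]) ? "allowed" : "blocked");
    return 0;
}
```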
Circle 4 - Instrumentation Callback
• first seen in Windows 7; Windows 10 changed a few things
• can be set by just one call to NtSetInformationProcess
[Diagram: NTDLL.DLL at ring 3 enters NTOSKRNL at ring 0 via SYSENTER; on SYSEXIT the return to user mode is routed through the instrumentation callback.]
Lower Hell
CPU
Circle 5 – MPX
Memory Protection Extensions
• Supported on SkyLake; VS2015 Update 1 (/d2MPX); a special Intel driver is needed on Windows
• allows checking whether a pointer is inside its bounds
• low overhead, can be turned on/off on demand
• equivalent to NOPs if disabled
• 4 BNDx 128-bit registers, storing the lower and upper bounds for the checked pointer
• check instructions BNDCL, BNDCU
• the BNDSTX and BNDLDX instructions associate a bounds range with a pointer and store it in a special table
Circle 6 – TSX
Transactional Synchronization Extensions
• First introduced on Haswell (4th generation)
• Comes in two flavours:
  • RTM Restricted Transactional Memory
  • HLE Hardware Lock Elision
• Works like a real transaction
• the EAX register contains the abort reason
• XBEGIN, XEND, XABORT, XTEST instructions
RETRY:
    or  eax, 0FFFFFFFFh        ; EAX = -1 marks "no abort so far"
    xbegin L0                  ; start the transaction; on abort the CPU resumes at L0 with the abort status in EAX
L0:
    cmp eax, 0FFFFFFFFh        ; still -1? then we are inside the transaction
    jne L1                     ; otherwise we arrived here through an abort
    inc qword ptr [rbp]        ; the transactional update
    xend                       ; commit
    jmp L2
L1:
    jmp RETRY                  ; abort path: retry (a real fallback should test EAX bit 1, "may succeed on retry", and bound the retries)
L2:
Circle 7 – SGX
Software Guard Extensions
• Supported on later SkyLake CPUs; Windows 10 Fall Update (October 26th)
• Allows creating a protected, isolated part of an application
• The enclave can only be entered through well-known entry points
• No privilege level, nor even hardware, has access to it while it runs
• Its content is always encrypted in physical RAM
[Diagram: the process address space holds normal code and the enclave side by side; the enclave's pages are mapped into the EPC (Enclave Page Cache) in physical RAM, where the MEE (Memory Encryption Engine) keeps them encrypted; the MMU + CPU enforce the boundary against ring 3, ring 0 and hardware, while the operating system only manages the mapping.]
Circle 8 – MPK
Memory protection keys
• In upcoming processors, “Kaby Lake” or “CannonLake”
• You can divide the address space into 16 regions and change their access rights just by flipping a value in one register, PKRU
• For certain applications this is a huge speedup, because you don’t need to flush the TLB cache.
From the Intel Software Developer's Manual: "The protection-key feature provides an additional mechanism by which IA-32e paging controls access to user-mode addresses. When CR4.PKE = 1, every linear address is associated with the 4-bit protection key located in bits 62:59 of the paging-structure entry that mapped the page containing the linear address (see Section 4.5). The PKRU register determines, for each protection key, whether user-mode addresses with that protection key may be read or written."
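A model of the protection-key check from the quoted paragraph: the key is pulled from bits 62:59 of the leaf paging-structure entry, and PKRU decides per key whether user-mode reads and writes are allowed. This is an added example, not code from the slides; the PKRU layout it uses (bit 2k = AD "access disable", bit 2k+1 = WD "write disable") is Intel's documented one, while the page entries and the "secret region on key 5" scenario are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Leaf paging-structure entry bits used by the model (Intel layout). */
#define PTE_PRESENT    (1ULL << 0)
#define PTE_RW         (1ULL << 1)
#define PTE_US         (1ULL << 2)
#define PTE_PKEY_SHIFT 59
#define PTE_PKEY_MASK  0xFULL           /* bits 62:59 -> 16 keys, hence 16 regions */

enum access_kind { ACCESS_READ, ACCESS_WRITE };

unsigned pte_pkey(uint64_t pte) {
    return (unsigned)((pte >> PTE_PKEY_SHIFT) & PTE_PKEY_MASK);
}

uint64_t pte_with_pkey(uint64_t pte, unsigned key) {
    pte &= ~(PTE_PKEY_MASK << PTE_PKEY_SHIFT);
    return pte | (((uint64_t)key & PTE_PKEY_MASK) << PTE_PKEY_SHIFT);
}

/* PKRU holds two bits per key: bit 2k is AD (access disable), bit 2k+1 is
 * WD (write disable). Changing it is one register write: no page-table
 * edit and no TLB flush, which is where the speedup on the slide comes from. */
uint32_t pkru_set(uint32_t pkru, unsigned key, bool ad, bool wd) {
    unsigned shift = 2 * (key & 0xF);
    uint32_t bits = (ad ? 1u : 0u) | (wd ? 2u : 0u);
    return (pkru & ~(3u << shift)) | (bits << shift);
}

/* Model of the permission check for a user-mode data access. Ordinary
 * paging permissions apply first; protection keys can only take access
 * away, never grant it, and they do not restrict instruction fetch. */
bool user_access_allowed(bool cr4_pke, uint32_t pkru, uint64_t pte,
                         enum access_kind kind) {
    if (!(pte & PTE_PRESENT) || !(pte & PTE_US)) return false;
    if (kind == ACCESS_WRITE && !(pte & PTE_RW)) return false;
    if (!cr4_pke) return true;                  /* keys are ignored entirely */
    unsigned shift = 2 * pte_pkey(pte);
    bool ad = (pkru >> shift) & 1u;
    bool wd = (pkru >> (shift + 1)) & 1u;
    if (ad) return false;
    return kind == ACCESS_READ || !wd;
}

int main(void) {
    /* Constructed: a writable user page tagged with key 5 (say, a key store)
     * and an ordinary page on key 0. */
    uint64_t secret = pte_with_pkey(PTE_PRESENT | PTE_RW | PTE_US, 5);
    uint64_t plain  = pte_with_pkey(PTE_PRESENT | PTE_RW | PTE_US, 0);
    uint32_t pkru = pkru_set(0, 5, false, true);   /* key 5: read-only by default */
    printf("secret read=%d write=%d\n",
           user_access_allowed(true, pkru, secret, ACCESS_READ),
           user_access_allowed(true, pkru, secret, ACCESS_WRITE));
    pkru = pkru_set(pkru, 5, false, false);         /* open a write window ... */
    printf("secret write after opening=%d\n",
           user_access_allowed(true, pkru, secret, ACCESS_WRITE));
    pkru = pkru_set(pkru, 5, true, true);           /* ... then close it completely */
    printf("secret read=%d, plain read=%d\n",
           user_access_allowed(true, pkru, secret, ACCESS_READ),
           user_access_allowed(true, pkru, plain, ACCESS_READ));
    return 0;
}
```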
Circle 9: deep at the bottom of the Hell
Known bugs, notes and conclusion
• SkyLake CPUs freeze at the microcode level when running the Prime95 test with a special exponent. Fixed by a microcode update in 01/2016
• Haswell and first Broadwell TSX: in August 2014 a bug was identified and the feature was disabled by a microcode update
• SGX is not present in all SkyLake processors
• the current errata list contains approx. 100 known bugs
• don’t trust your CPU; always detect features using CPUID and/or their side effects.
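The runtime feature detection the last bullet asks for, covering the extensions from the deck through CPUID leaf 7 subleaf 0. This is an added example, not code from the slides; the bit positions are Intel's documented ones, decode_leaf7 and pku_usable are this example's own helpers, and query_cpu_features relies on the GCC/clang <cpuid.h> header, reporting "unavailable" on non-x86 builds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* GCC/clang wrapper around the CPUID instruction */
#endif

/* CPUID.(EAX=07H,ECX=0) feature bits, as documented in the Intel SDM. */
#define LEAF7_EBX_SGX   (1u << 2)
#define LEAF7_EBX_HLE   (1u << 4)
#define LEAF7_EBX_RTM   (1u << 11)
#define LEAF7_EBX_MPX   (1u << 14)
#define LEAF7_ECX_PKU   (1u << 3)
#define LEAF7_ECX_OSPKE (1u << 4)   /* the OS has set CR4.PKE */

struct cpu_features {
    bool sgx, hle, rtm, mpx, pku, ospke;
};

/* Pure decoder, separated so it can be exercised with constructed register
 * values. Note that a microcode update which disables TSX, as happened on
 * Haswell, simply clears HLE/RTM here: that is why you ask at runtime. */
struct cpu_features decode_leaf7(uint32_t ebx, uint32_t ecx) {
    struct cpu_features f;
    f.sgx   = (ebx & LEAF7_EBX_SGX)   != 0;
    f.hle   = (ebx & LEAF7_EBX_HLE)   != 0;
    f.rtm   = (ebx & LEAF7_EBX_RTM)   != 0;
    f.mpx   = (ebx & LEAF7_EBX_MPX)   != 0;
    f.pku   = (ecx & LEAF7_ECX_PKU)   != 0;
    f.ospke = (ecx & LEAF7_ECX_OSPKE) != 0;
    return f;
}

/* Protection keys are only usable when both the CPU and the OS say so;
 * PKU alone means the silicon has it, OSPKE means the kernel enabled it. */
bool pku_usable(struct cpu_features f) { return f.pku && f.ospke; }

/* Live query. Returns false on non-x86 builds or when leaf 7 is absent;
 * callers must then treat every feature as unavailable, not as present. */
bool query_cpu_features(struct cpu_features *out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) return false;
    *out = decode_leaf7(b, c);
    return true;
#else
    (void)out;
    return false;
#endif
}

int main(void) {
    struct cpu_features f;
    if (!query_cpu_features(&f)) {
        puts("CPUID leaf 7 not available on this build/CPU");
        return 0;
    }
    printf("SGX=%d HLE=%d RTM=%d MPX=%d PKU=%d OSPKE=%d (PKU usable: %d)\n",
           f.sgx, f.hle, f.rtm, f.mpx, f.pku, f.ospke, pku_usable(f));
    return 0;
}
```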
Control Flow Guard demo
Tools used
Go ahead and ask!
And I’ll try to answer.
GitHub repo with detailed documentation: https://github.com/thinkcz/SecuritySession2016
I’ll be around till the end of the conference.
Find me or send me a PM via Twitter if you want to ask: @thinkcz
Thank you!
Martin Hron
E: martin@hron.eu
T: @thinkcz