Meltdown & Spectre Attacks

Slides:



Advertisements
Similar presentations
Practical Timing Side Channel Attacks Against Kernel Space ASLR
Advertisements

Yuanzhong Xu, Weidong Cui, Marcus Peinado
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.
Secure Operating Systems Lesson B: Let’s go break something.
Input and Output Computer Organization and Assembly Language: Module 9.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
CS 3204 Operating Systems Godmar Back Lecture 15.
I/O Computer Organization II 1 Interconnecting Components Need interconnections between – CPU, memory, I/O controllers Bus: shared communication channel.
G53SEC 1 Reference Monitors Enforcement of Access Control.
1 Virtual Memory Main memory can act as a cache for the secondary storage (disk) Advantages: –illusion of having more physical memory –program relocation.
Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.
Wireless and Mobile Security
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
Interrupt driven I/O Computer Organization and Assembly Language: Module 12.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Architecture and Design Chapter 4 Part 2 Pages 319 to 357.
Embedded Real-Time Systems Processing interrupts Lecturer Department University.
Thwarting cache-based side- channel attacks Yuval Yarom The University of Adelaide and Data61.
Virtual Machine Monitors
X. Zhang, Y. Xiao, Y. Zhang Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices Xiaokuan Zhang, Yuan Xiao, Yinqian.
Chapter 8: Main Memory.
X. Zhang, Y. Xiao, Y. Zhang Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices Xiaokuan Zhang, Yuan Xiao, Yinqian.
Memory Protection: Kernel and User Address Spaces
Protection and OS Structure
CS 6560: Operating Systems Design
Memory Caches & TLB Virtual Memory
CS703 - Advanced Operating Systems
Today How was the midterm review? Lab4 due today.
Anton Burtsev February, 2017
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
RIC: Relaxed Inclusion Caches for Mitigating LLC Side-Channel Attacks
Bruhadeshwar Meltdown Bruhadeshwar
Patching firmware, computers, internet of things and more
Lecture 23: Cache, Memory, Security
CSCI/CMPE 3334 Systems Programming
OS Virtualization.
Chapter 9 :: Subroutines and Control Abstraction
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
Lecture 14 Virtual Memory and the Alpha Memory Hierarchy
Meltdown and Spectre: Complexity and the death of security
Diptendu Kar
Meltdown CSE 351 Winter 2018 Instructor: Mark Wyse
ConfMVM: A Hardware-Assisted Model to Confine Malicious VMs
AEGIS: Secure Processor for Certified Execution
Meltdown / Spectre issue?
Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,
Meltdown and Spectre: Complexity and the death of security
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Autumn 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 596 Allen Center 1.
Sai Krishna Deepak Maram, CS 6410
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Winter 2007 Module 2 Architectural Support for Operating Systems Brian Bershad 562 Allen Center 1.
Shielding applications from an untrusted cloud with Haven
Computer System Structures
CSE 451: Operating Systems Winter 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 412 Sieg Hall 1.
CSE 471 Autumn 1998 Virtual memory
Steve Gribble (for Hank Levy)
Landon Cox January 17, 2018 January 22, 2018
OPERATING SYSTEMS MEMORY MANAGEMENT BY DR.V.R.ELANGOVAN.
Memory Protection: Kernel and User Address Spaces
Interrupts and System Calls
University of Illinois at Urbana-Champaign
Dirty COW Race Condition Attack
Introduction to CUDA Programming
Presentation transcript:

Meltdown & Spectre Attacks

Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack

Microsoft Interview Question

Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room

CPU Cache

From Lights to CPU Cache Question You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?

Using CPU Cache to Remember Secret

The FLUSH+RELOAD Technique Secret S FLUSH: Flush the CPU Cache Access memory location at S RELOAD: Check which one is in the cache

FLUSH+RELOAD: The FLUSH Step Flush the CPU Cache

FLUSH+RELOAD: The RELOAD Step

The Meltdown Attack

The Security Room and Guard

Staying Alive: Exception Handling in C

Out-Of-Order Execution

Out-of-Order Execution How do I prove that the out-of-order execution has happened?

Out-of-Order Execution Experiment Evidence of out-of-order execution

Meltdown Attack: A Naïve Approach

Improvement: Get Secret Cached Why does this help?

Improve the Attack Using Assembly Code Execution Results

Improve the Attack Using Statistic Approach

Countermeasures Fundamental problem is in the CPU hardware Expensive to fix Develop workaround in operating system KASLR (Kernel Address Space Layout Randomization) Does not map any kernel memory in the user space, except for some parts required by the x86 architecture (e.g., interrupt handlers) User-level programs cannot directly use kernel memory addresses, as such addresses cannot be resolved

The Spectre Attack

Will It Be Executed? Will Line 3 be executed if x > size ?

Out-Of-Order Execution

Let’s Find a Proof Training Train CPU to go to the true branch FLUSH size is 10 Training Train CPU to go to the true branch FLUSH Flush the CPU Cache Invoke victim(97) RELOAD Check which one is in the cache Evidence Not always working though

Target of the Attack This protection pattern is widely used in software sandbox (such as those implemented inside browsers)

The Spectre Attack spectreAttack(int larger_x)

Attack Result Why is 0 in the cache? Success

Spectre Variant and Mitigation Since it was discovered in 2017, several Spectre variants have been found Affecting Intel, ARM, and ARM The problem is in hardware Unlike Meltdown, there is no easy software workaround

Summary Stealing secrets using side channels Meltdown attack Spectre attack A form of race condition vulnerability Vulnerabilities are inside hardware AMD, Intel, and ARM are affected

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.