Presentation is loading. Please wait.

Presentation is loading. Please wait.

Meltdown & Spectre Attacks

Published byΟκυροη Νικολαΐδης Modified over 5 years ago

Similar presentations

Presentation on theme: "Meltdown & Spectre Attacks"— Presentation transcript:

1 Meltdown & Spectre Attacks

2 Overview An analogy CPU cache and use it as side channel
Meltdown attack Spectre attack

3 Microsoft Interview Question

4 Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room

5 CPU Cache

6 From Lights to CPU Cache
Question You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?

7 Using CPU Cache to Remember Secret

8 The FLUSH+RELOAD Technique
Secret S FLUSH: Flush the CPU Cache Access memory location at S RELOAD: Check which one is in the cache

9 FLUSH+RELOAD: The FLUSH Step
Flush the CPU Cache

10 FLUSH+RELOAD: The RELOAD Step

11 The Meltdown Attack

12 The Security Room and Guard

13 Staying Alive: Exception Handling in C

14 Out-Of-Order Execution

15 Out-of-Order Execution
How do I prove that the out-of-order execution has happened?

16 Out-of-Order Execution Experiment
Evidence of out-of-order execution

17 Meltdown Attack: A Naïve Approach

18 Improvement: Get Secret Cached
Why does this help?

19 Improve the Attack Using Assembly Code
Execution Results

20 Improve the Attack Using Statistic Approach

21 Countermeasures Fundamental problem is in the CPU hardware
Expensive to fix Develop workaround in operating system KASLR (Kernel Address Space Layout Randomization) Does not map any kernel memory in the user space, except for some parts required by the x86 architecture (e.g., interrupt handlers) User-level programs cannot directly use kernel memory addresses, as such addresses cannot be resolved

22 The Spectre Attack

23 Will It Be Executed? Will Line 3 be executed if x > size ?

24 Out-Of-Order Execution

25 Let’s Find a Proof Training Train CPU to go to the true branch FLUSH
size is 10 Training Train CPU to go to the true branch FLUSH Flush the CPU Cache Invoke victim(97) RELOAD Check which one is in the cache Evidence Not always working though

26 Target of the Attack This protection pattern is widely
used in software sandbox (such as those implemented inside browsers)

27 The Spectre Attack spectreAttack(int larger_x)

28 Attack Result Why is 0 in the cache? Success

29 Spectre Variant and Mitigation
Since it was discovered in 2017, several Spectre variants have been found Affecting Intel, ARM, and ARM The problem is in hardware Unlike Meltdown, there is no easy software workaround

30 Summary Stealing secrets using side channels Meltdown attack
Spectre attack A form of race condition vulnerability Vulnerabilities are inside hardware AMD, Intel, and ARM are affected

Download ppt "Meltdown & Spectre Attacks"

Similar presentations

Practical Timing Side Channel Attacks Against Kernel Space ASLR

Practical Timing Side Channel Attacks Against Kernel Space ASLR
Yuanzhong Xu, Weidong Cui, Marcus Peinado

Yuanzhong Xu, Weidong Cui, Marcus Peinado
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.

KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.

ITEC 325 Lecture 29 Memory(6). Review P2 assigned Exam 2 next Friday Demand paging –Page faults –TLB intro.
Secure Operating Systems Lesson B: Let’s go break something.

Secure Operating Systems Lesson B: Let’s go break something.
Input and Output Computer Organization and Assembly Language: Module 9.

Input and Output Computer Organization and Assembly Language: Module 9.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.

1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
CS 3204 Operating Systems Godmar Back Lecture 15.

CS 3204 Operating Systems Godmar Back Lecture 15.
I/O Computer Organization II 1 Interconnecting Components Need interconnections between – CPU, memory, I/O controllers Bus: shared communication channel.

I/O Computer Organization II 1 Interconnecting Components Need interconnections between – CPU, memory, I/O controllers Bus: shared communication channel.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.
1 Virtual Memory Main memory can act as a cache for the secondary storage (disk) Advantages: –illusion of having more physical memory –program relocation.

1 Virtual Memory Main memory can act as a cache for the secondary storage (disk) Advantages: –illusion of having more physical memory –program relocation.
Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.

Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.
Wireless and Mobile Security

Wireless and Mobile Security
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
Interrupt driven I/O Computer Organization and Assembly Language: Module 12.

Interrupt driven I/O Computer Organization and Assembly Language: Module 12.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Similar presentations

Ads by Google