SlideShare ist ein Scribd-Unternehmen logo

Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRON [AVAST]

Security Session
Security Session

Přednáška zaměřená na rychlý přehled nových technologií v operačním systému Windows 10 a nových mikroarchitekturách procesorů Intel (Haswell, Sky Lake a Kaby Lake). Detailněji se pak bude věnovat některým klíčovým novinkám jako je virtual based security ve Windows 10, nebo některým bezpečnostním rozšířením procesorů. Závěrem poskytne přehled zdrojů k detailním informacím a příkladům využití. Přednáška bude koncipována jako "svodka technologických novinek". Autor bude přítomný po celou dobu konání konference a rád odpoví na Vaše otázky.

Technologie
1 von 24
Downloaden Sie, um offline zu lesen
Wintel Hell A guide through nine circles of Dante’s technological inferno Martin Hron, researcher @ avast
CFG, VBS, VSM, SKM, MPX, TSX, SGX, MPK or PKU? WHAT THE HELL?
Vestibule Virtual based security Control flow guard Instrumentation callback Memory protection extensions Software guard extensions Transactional exectution ext. Memory protection keys Bottom of the Hell Complexity explosion YOU ARE HERE
Circle 1 – Complexity explosion
Circle 1 – Complexity explosion Intel 8086 29,000 transistors 3,000 nm 33 mm² area Intel 6th gen. SkyLake quad-core 1,750,000,000 transistors 14nm 122 mm² area
Circle 1 – Complexity explosion 790 pages 3883 pages
Upper Hell Windows
Circle 2 - VBS virtual based security • Windows 10 Enterprise and Server 2016 • Based on Hyper-V • VSM Virtual Secure Mode • Device Guard • Credential guard • Virtual TPM
Circle 2 - VBS virtual secure mode (VSM) HYPER-V NTOSKRNL WIN32 API YOUR OLD WINDOWS LIVES HERE RING -1 RING 0 RING 3 VTL 0 VTL 1 SKM SKCI.DLL CNG.SYS IUMDLL.DLLNTDLL.DLL CredentialGuard LSALSO vTPM LSASS DMA ACCESSVT-d
Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
Circle 4 - Instrumentation Callback • first seen in WIN7, WIN10 changed few things • can be set by just one call to NtSetInformationProcess NTOSKRNLRING 0 RING 3 NTDLL.DLL SYSENTER SYSEXIT INSTRUMENTATION CALLBACK
Lower Hell CPU
Circle 5 – MPX Memory Protection Extensions • Supported on SkyLake, VS2015 Update 1 (/d2MPX), special Intel driver needed on Windows • allows to check if pointer is inside bounds • low overhead, can be turn on/off on demand • equivalent to NOPS if disabled • 4 BNDx 128 bit registers, storing upper and lower bounds for checked pointer • Check instructions BNDCL, BNDCU • BNDSTX and BNDLDX instruction associates range with pointer and store them into special table
Circle 6 – TSX Transactional Synchronization Extensions • First introduced on Haswell (4th generation) • Comes in two flavours: • RTM Restricted Transactional Memory • HLE Hardware Lock Elision • Works like real transaction • EAX register contains reason of abort • XBEGIN, XEND, XABORT, XTEST instructions RETRY: or eax, 0FFFFFFFFh xbegin L0 L0: cmp eax, 0FFFFFFFFh jne L1 inc qword ptr [rbp] xend jmp L2 L1: jmp RETRY L2:
Circle 7 – SGX Software Guard Extensions • Supported on later SkyLake CPUs, WIN 10 Fall Update (October 26th) • Allows creating protected part of application which is isolated • Enclave could be only run through well known entry point • No privilege level or even HW has access when it runs • Content is always encrypted in physical RAM
MMU + CPU Circle 7 – SGX Software Guard Extensions EPC PROCESS ADDR. SPACE PHYSICAL RAM ENCLAVE MMU+CPU NORMAL CODE MAPPED RING3RING0HW MEE OPERATING SYSTEM
Circle 8 – MPK Memory protection keys • In upcoming processors “Kaby Lake” or “CannonLake” • You can divide address space to 16 regions and change access by just flipping value in one register PKRU • For certain applications this is huge speedup, because you don’t need to flush TLB cache. The protection-key feature provides an additional mechanism by which IA-32e paging controls access to usermode addresses. When CR4.PKE = 1, every linear address is associated with the 4-bit protection key located in bits 62:59 of the paging-structure entry that mapped the page containing the linear address (see Section 4.5). The PKRU register determines, for each protection key, whether user-mode addresses with that protection key may be read or written. Microsoft
Circle 9: deep at the bottom of the Hell Known bugs notes and conclusion • SkyLake CPUs are freezing at microcode level when running Prime95 test with special exponent. Fixed by microcode update in 01/2016 • Haswell and first Broadwells TSX: In August 2014 bug has been identified and this feature was disabled by microcode update • SGX is not present in all SkyLake processors • current errata contains, approx. 100 known bugs • don’t trust your CPU, always detect features using CPUID and/or it’s side effects.
Control Flow Guard demo
Tools used
Go ahead and ask! And I’ll try to answer. github repos with detailed documentation: https://github.com/thinkcz/SecuritySession2016 I’ll be around till the end of conference. Find me or send me PM via twitter if you want to ask: @thinkcz GITHUB REPO
Thank you! Martin Hron E: martin@hron.eu T: @thinkcz

Empfohlen

ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/Spectre
GlobalLogic Ukraine
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0
GlobalLogic Ukraine
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the Canaries
Kernel TLV
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights
GlobalLogic Ukraine
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Embedded TCP/IP stack for FreeRTOS
Embedded TCP/IP stack for FreeRTOSEmbedded TCP/IP stack for FreeRTOS
Embedded TCP/IP stack for FreeRTOS
艾鍗科技
 
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB ⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
Victor Asanza
 

Empfohlen

ARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/SpectreARM Architecture and Meltdown/Spectre
ARM Architecture and Meltdown/Spectre
GlobalLogic Ukraine
 
U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0
GlobalLogic Ukraine
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the Canaries
Kernel TLV
 
Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights Linux Kernel Platform Development: Challenges and Insights
Linux Kernel Platform Development: Challenges and Insights
GlobalLogic Ukraine
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Embedded TCP/IP stack for FreeRTOS
Embedded TCP/IP stack for FreeRTOSEmbedded TCP/IP stack for FreeRTOS
Embedded TCP/IP stack for FreeRTOS
艾鍗科技
 
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB ⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
Victor Asanza
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 
Lee 2020 what the clock !
Lee 2020 what the clock !Lee 2020 what the clock !
Lee 2020 what the clock !
Neil Armstrong
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded Systems
Samsung Open Source Group
 
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)
Sneeker Yeh
 
Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102
Linaro
 
FreeRTOS introduction
FreeRTOS introductionFreeRTOS introduction
FreeRTOS introduction
Jegadeesh Vontlin
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
linuxlab_conf
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt Introduction
Logic Solutions, Inc.
 
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevLearn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Jian-Hong Pan
 
移植FreeRTOS 之嵌入式軟體研究與開發
移植FreeRTOS 之嵌入式軟體研究與開發移植FreeRTOS 之嵌入式軟體研究與開發
移植FreeRTOS 之嵌入式軟體研究與開發
艾鍗科技
 
BKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance TestingBKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance Testing
Linaro
 
F9 Microkernel code reading - part 1
F9 Microkernel code reading - part 1F9 Microkernel code reading - part 1
F9 Microkernel code reading - part 1
Benux Wei
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
Linaro
 
MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206
Linaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Linaro
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
Linaro
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
Kernel TLV
 
AMD EPYC™ Microprocessor Architecture
AMD EPYC™ Microprocessor ArchitectureAMD EPYC™ Microprocessor Architecture
AMD EPYC™ Microprocessor Architecture
AMD
 
Introduction to FreeRTOS
Introduction to FreeRTOSIntroduction to FreeRTOS
Introduction to FreeRTOS
ICS
 

Weitere ähnliche Inhalte

Was ist angesagt?

Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 
Lee 2020 what the clock !
Lee 2020 what the clock !Lee 2020 what the clock !
Lee 2020 what the clock !
Neil Armstrong
 
Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102
Linaro
 
BKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance TestingBKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance Testing
Linaro
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
Linaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Linaro
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
Linaro
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
Linaro
 

Was ist angesagt? (20)

Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
 
Lee 2020 what the clock !
Lee 2020 what the clock !Lee 2020 what the clock !
Lee 2020 what the clock !
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded Systems
 
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)
 
Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
 
Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102Deploy STM32 family on Zephyr - SFO17-102
Deploy STM32 family on Zephyr - SFO17-102
 
FreeRTOS introduction
FreeRTOS introductionFreeRTOS introduction
FreeRTOS introduction
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt Introduction
 
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevLearn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
 
移植FreeRTOS 之嵌入式軟體研究與開發
移植FreeRTOS 之嵌入式軟體研究與開發移植FreeRTOS 之嵌入式軟體研究與開發
移植FreeRTOS 之嵌入式軟體研究與開發
 
BKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance TestingBKK16-400A LuvOS and ACPI Compliance Testing
BKK16-400A LuvOS and ACPI Compliance Testing
 
F9 Microkernel code reading - part 1
F9 Microkernel code reading - part 1F9 Microkernel code reading - part 1
F9 Microkernel code reading - part 1
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
 
MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206MOVED: RDK/WPE Port on DB410C - SFO17-206
MOVED: RDK/WPE Port on DB410C - SFO17-206
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 

Ähnlich wie Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRON [AVAST]

Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
SnehaLatha68
 
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
Michelle Holley
 
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIOHigh Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
Rebekah Rodriguez
 
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
The Linux Foundation
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
eurobsdcon
 

Ähnlich wie Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRON [AVAST] (20)

AMD EPYC™ Microprocessor Architecture
AMD EPYC™ Microprocessor ArchitectureAMD EPYC™ Microprocessor Architecture
AMD EPYC™ Microprocessor Architecture
 
Introduction to FreeRTOS
Introduction to FreeRTOSIntroduction to FreeRTOS
Introduction to FreeRTOS
 
Microcontrolador STM32WL55 - Fazendo uma aplicação LORAWAN do zero em poucos ...
Microcontrolador STM32WL55 - Fazendo uma aplicação LORAWAN do zero em poucos ...Microcontrolador STM32WL55 - Fazendo uma aplicação LORAWAN do zero em poucos ...
Microcontrolador STM32WL55 - Fazendo uma aplicação LORAWAN do zero em poucos ...
 
PowerDRC/LVS 2.0.1 released by POLYTEDA
PowerDRC/LVS 2.0.1 released by POLYTEDAPowerDRC/LVS 2.0.1 released by POLYTEDA
PowerDRC/LVS 2.0.1 released by POLYTEDA
 
Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
Softcore processor.pptxSoftcore processor.pptxSoftcore processor.pptx
 
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
Building efficient 5G NR base stations with Intel® Xeon® Scalable Processors
 
Doc32000
Doc32000Doc32000
Doc32000
 
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIOHigh Performance Object Storage in 30 Minutes with Supermicro and MinIO
High Performance Object Storage in 30 Minutes with Supermicro and MinIO
 
Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016Polyteda Power DRC/LVS July 2016
Polyteda Power DRC/LVS July 2016
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1
 
12C5XX.PDF
12C5XX.PDF12C5XX.PDF
12C5XX.PDF
 
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...
 
Crypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M ProcessorsCrypto Performance on ARM Cortex-M Processors
Crypto Performance on ARM Cortex-M Processors
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
 
Polyteda: Power DRC/LVS, October 2016
Polyteda: Power DRC/LVS, October 2016Polyteda: Power DRC/LVS, October 2016
Polyteda: Power DRC/LVS, October 2016
 
Cyclone IV FPGA Device
Cyclone IV FPGA DeviceCyclone IV FPGA Device
Cyclone IV FPGA Device
 
Linux one vs x86
Linux one vs x86 Linux one vs x86
Linux one vs x86
 
Linux one vs x86 18 july
Linux one vs x86 18 julyLinux one vs x86 18 july
Linux one vs x86 18 july
 
POLYTEDA: Power DRC/LVS, June 2017
POLYTEDA: Power DRC/LVS, June 2017POLYTEDA: Power DRC/LVS, June 2017
POLYTEDA: Power DRC/LVS, June 2017
 
Sparc t4 1 system technical overview
Sparc t4 1 system technical overviewSparc t4 1 system technical overview
Sparc t4 1 system technical overview
 

Mehr von Security Session

Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Security Session
 
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Security Session
 
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
Security Session
 
Falsifikace biometricke charakteristiky a detekce zivosti
Falsifikace biometricke charakteristiky a detekce zivostiFalsifikace biometricke charakteristiky a detekce zivosti
Falsifikace biometricke charakteristiky a detekce zivosti
Security Session
 

Mehr von Security Session (20)

Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SE...
Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SE...Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SE...
Getting your hands dirty: How to Analyze the Behavior of Malware Traffic / SE...
 
Základy reverse engineeringu a assembleru / KAREL LEJSKA, MILAN BARTOŠ [DEFEN...
Základy reverse engineeringu a assembleru / KAREL LEJSKA, MILAN BARTOŠ [DEFEN...Základy reverse engineeringu a assembleru / KAREL LEJSKA, MILAN BARTOŠ [DEFEN...
Základy reverse engineeringu a assembleru / KAREL LEJSKA, MILAN BARTOŠ [DEFEN...
 
Zabezpečení nejen SSH na serveru pomocí Fail2Ban a jednoduchého honeypotu. / ...
Zabezpečení nejen SSH na serveru pomocí Fail2Ban a jednoduchého honeypotu. / ...Zabezpečení nejen SSH na serveru pomocí Fail2Ban a jednoduchého honeypotu. / ...
Zabezpečení nejen SSH na serveru pomocí Fail2Ban a jednoduchého honeypotu. / ...
 
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
 
Softwarove protektory / KAREL LEJSKA, MILAN BARTOŠ [DEFENDIO]
Softwarove protektory / KAREL LEJSKA, MILAN BARTOŠ [DEFENDIO]Softwarove protektory / KAREL LEJSKA, MILAN BARTOŠ [DEFENDIO]
Softwarove protektory / KAREL LEJSKA, MILAN BARTOŠ [DEFENDIO]
 
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
Robots against robots: How a Machine Learning IDS detected a novel Linux Botn...
 
#ochranadat pred sebou samotným / MATEJ ZACHAR [SAFETICA TECHNOLOGIES S.R.O.]
#ochranadat pred sebou samotným / MATEJ ZACHAR [SAFETICA TECHNOLOGIES S.R.O.]#ochranadat pred sebou samotným / MATEJ ZACHAR [SAFETICA TECHNOLOGIES S.R.O.]
#ochranadat pred sebou samotným / MATEJ ZACHAR [SAFETICA TECHNOLOGIES S.R.O.]
 
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
Co vše skrývá síťový provoz a jak detekovat kybernetické hrozby? / MARTIN ŠKO...
 
Bezpečnější pošta díky protokolu DANE / ONDŘEJ CALETKA [CESNET]
Bezpečnější pošta díky protokolu DANE / ONDŘEJ CALETKA [CESNET]Bezpečnější pošta díky protokolu DANE / ONDŘEJ CALETKA [CESNET]
Bezpečnější pošta díky protokolu DANE / ONDŘEJ CALETKA [CESNET]
 
Prezentace brno
Prezentace brnoPrezentace brno
Prezentace brno
 
OSINT and beyond
OSINT and beyondOSINT and beyond
OSINT and beyond
 
Exploitace – od minulosti po současnost - Jan Kopecký
Exploitace – od minulosti po současnost - Jan KopeckýExploitace – od minulosti po současnost - Jan Kopecký
Exploitace – od minulosti po současnost - Jan Kopecký
 
Kontrola uživatelských účtů ve Windows a jak ji obejít - Martin Dráb
Kontrola uživatelských účtů ve Windows a jak ji obejít - Martin DrábKontrola uživatelských účtů ve Windows a jak ji obejít - Martin Dráb
Kontrola uživatelských účtů ve Windows a jak ji obejít - Martin Dráb
 
Research in Liveness Detection - Martin Drahanský
Research in Liveness Detection - Martin DrahanskýResearch in Liveness Detection - Martin Drahanský
Research in Liveness Detection - Martin Drahanský
 
Dolování dat z řeči pro bezpečnostní aplikace - Jan Černocký
Dolování dat z řeči pro bezpečnostní aplikace - Jan ČernockýDolování dat z řeči pro bezpečnostní aplikace - Jan Černocký
Dolování dat z řeči pro bezpečnostní aplikace - Jan Černocký
 
Turris - Robert Šefr
Turris - Robert ŠefrTurris - Robert Šefr
Turris - Robert Šefr
 
Co se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel MinaříkCo se skrývá v datovém provozu? - Pavel Minařík
Co se skrývá v datovém provozu? - Pavel Minařík
 
Jak odesílat zprávy, když někdo vypne Internet - Pavel Táborský
Jak odesílat zprávy, když někdo vypne Internet - Pavel TáborskýJak odesílat zprávy, když někdo vypne Internet - Pavel Táborský
Jak odesílat zprávy, když někdo vypne Internet - Pavel Táborský
 
Two Years with botnet Asprox - Michal Ambrož
Two Years with botnet Asprox - Michal AmbrožTwo Years with botnet Asprox - Michal Ambrož
Two Years with botnet Asprox - Michal Ambrož
 
Falsifikace biometricke charakteristiky a detekce zivosti
Falsifikace biometricke charakteristiky a detekce zivostiFalsifikace biometricke charakteristiky a detekce zivosti
Falsifikace biometricke charakteristiky a detekce zivosti
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Kürzlich hochgeladen (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Wintel Hell: průvodce devíti kruhy Dantova technologického pekla / MARTIN HRON [AVAST]

  • 1. Wintel Hell A guide through nine circles of Dante’s technological inferno Martin Hron, researcher @ avast
  • 2. CFG, VBS, VSM, SKM, MPX, TSX, SGX, MPK or PKU? WHAT THE HELL?
  • 3. Vestibule Virtual based security Control flow guard Instrumentation callback Memory protection extensions Software guard extensions Transactional exectution ext. Memory protection keys Bottom of the Hell Complexity explosion YOU ARE HERE
  • 4. Circle 1 – Complexity explosion
  • 5. Circle 1 – Complexity explosion Intel 8086 29,000 transistors 3,000 nm 33 mm² area Intel 6th gen. SkyLake quad-core 1,750,000,000 transistors 14nm 122 mm² area
  • 6. Circle 1 – Complexity explosion 790 pages 3883 pages
  • 8. Circle 2 - VBS virtual based security • Windows 10 Enterprise and Server 2016 • Based on Hyper-V • VSM Virtual Secure Mode • Device Guard • Credential guard • Virtual TPM
  • 9. Circle 2 - VBS virtual secure mode (VSM) HYPER-V NTOSKRNL WIN32 API YOUR OLD WINDOWS LIVES HERE RING -1 RING 0 RING 3 VTL 0 VTL 1 SKM SKCI.DLL CNG.SYS IUMDLL.DLLNTDLL.DLL CredentialGuard LSALSO vTPM LSASS DMA ACCESSVT-d
  • 10. Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
  • 11. Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
  • 12. Circle 3 –CFG Control flow guard • Windows 10 and in Windows 8.1 Update 3 • Visual Studio 2015 • checking every indirect call for valid target function address • bitmap of valid entry points • compiler + OS support
  • 13. Circle 4 - Instrumentation Callback • first seen in WIN7, WIN10 changed few things • can be set by just one call to NtSetInformationProcess NTOSKRNLRING 0 RING 3 NTDLL.DLL SYSENTER SYSEXIT INSTRUMENTATION CALLBACK
  • 15. Circle 5 – MPX Memory Protection Extensions • Supported on SkyLake, VS2015 Update 1 (/d2MPX), special Intel driver needed on Windows • allows to check if pointer is inside bounds • low overhead, can be turn on/off on demand • equivalent to NOPS if disabled • 4 BNDx 128 bit registers, storing upper and lower bounds for checked pointer • Check instructions BNDCL, BNDCU • BNDSTX and BNDLDX instruction associates range with pointer and store them into special table
  • 16. Circle 6 – TSX Transactional Synchronization Extensions • First introduced on Haswell (4th generation) • Comes in two flavours: • RTM Restricted Transactional Memory • HLE Hardware Lock Elision • Works like real transaction • EAX register contains reason of abort • XBEGIN, XEND, XABORT, XTEST instructions RETRY: or eax, 0FFFFFFFFh xbegin L0 L0: cmp eax, 0FFFFFFFFh jne L1 inc qword ptr [rbp] xend jmp L2 L1: jmp RETRY L2:
  • 17. Circle 7 – SGX Software Guard Extensions • Supported on later SkyLake CPUs, WIN 10 Fall Update (October 26th) • Allows creating protected part of application which is isolated • Enclave could be only run through well known entry point • No privilege level or even HW has access when it runs • Content is always encrypted in physical RAM
  • 18. MMU + CPU Circle 7 – SGX Software Guard Extensions EPC PROCESS ADDR. SPACE PHYSICAL RAM ENCLAVE MMU+CPU NORMAL CODE MAPPED RING3RING0HW MEE OPERATING SYSTEM
  • 19. Circle 8 – MPK Memory protection keys • In upcoming processors “Kaby Lake” or “CannonLake” • You can divide address space to 16 regions and change access by just flipping value in one register PKRU • For certain applications this is huge speedup, because you don’t need to flush TLB cache. The protection-key feature provides an additional mechanism by which IA-32e paging controls access to usermode addresses. When CR4.PKE = 1, every linear address is associated with the 4-bit protection key located in bits 62:59 of the paging-structure entry that mapped the page containing the linear address (see Section 4.5). The PKRU register determines, for each protection key, whether user-mode addresses with that protection key may be read or written. Microsoft
  • 20. Circle 9: deep at the bottom of the Hell Known bugs notes and conclusion • SkyLake CPUs are freezing at microcode level when running Prime95 test with special exponent. Fixed by microcode update in 01/2016 • Haswell and first Broadwells TSX: In August 2014 bug has been identified and this feature was disabled by microcode update • SGX is not present in all SkyLake processors • current errata contains, approx. 100 known bugs • don’t trust your CPU, always detect features using CPUID and/or it’s side effects.
  • 23. Go ahead and ask! And I’ll try to answer. github repos with detailed documentation: https://github.com/thinkcz/SecuritySession2016 I’ll be around till the end of conference. Find me or send me PM via twitter if you want to ask: @thinkcz GITHUB REPO
  • 24. Thank you! Martin Hron E: martin@hron.eu T: @thinkcz