SlideShare ist ein Scribd-Unternehmen logo

Pepe Vila - Cache and Syphilis [rooted2019]

RootedCON
RootedCON

Pepe Vila - Cache and Syphilis [rooted2019]

Technologie
1 von 36
Downloaden Sie, um offline zu lesen
Cache and Syphilis RootedCON 2019
Cache latencies: ● L1 ~5 cycles ● L2 ~12 cycles ● L3 ~50 cycles ● DRAM ~50 cycles + 50 ns (RAM) Coherence: ● Inclusive vs. non-inclusive vs. exclusive Haswell (4th generation) architecture
/microarchitectural_attacks Rowhammer Cache Attacks Evict+Time, Prime+Probe, Flush+Reload, etc. Memory deduplication Meltdown MMU and TLB GPU Port contention Foreshadow
/rowhammer Single Event Upsets (SEUs) in electronics first proposed in 1962 (J.T. Wallmark and S.M. Marcus) ● Cosmic rays can limit the scaling of devices Can random bit-flips in physical memory be exploited? Rowhammer allows to induce random bit-flips via software in an often repeatable fashion ● repetition is what makes exploitation reliable Some real exploits: ● NaCl bit-flip in x86 instructions to a non 32-byte-aligned address ● Linux Kernel bit-flip in physical frame number of PTE with R/W permission ● RSA keys (ssh and apt-get): bit-flip in public key allows easy factorization ● Trusted Zone bit-flip in private key, recover secret from signature ● Opcode flipping bit-flip to ignore privilege checks in setuid binaries
/rowhammer channel 0 channel 1 front of DIMM: rank 0 back of DIMM: rank 1 Dual In-line Memory Module chip Serial Presence Detect (SPD) bank 0 row 0 row 1 row 2 row N row buffer ... Bank = matrix of cells Cell = capacitor + transistor = 1-bit Cells grouped into rows Typical row size: 8K Row “activation” Cells leak charge, need to refresh Refresh rate ~64ms
/rowhammer bank row 0 row 1 row 2 row N row buffer ... Hammering a row = repeatedly activating a row ● Higher storage capacity -> Higher cell density -> Lower isolation ● An aggressor row that is repeatedly activated can cause victim row’s cells to bit-flip. ● Defective cells are randomly distributed loop: mov (A), %eax // Read from address A (row 1) mov (B), %ebx // Read from address B (row k) clflush (A) // Flush A from cache clflush (B) // Flush B from cache jmp loop
/spectre-v1 ● instruction fetch ● out-of-order execution ● branch prediction ● speculative execution
victim_func: # void victim_func(int offset) { mov eax, dword ptr [rip + arr1_size] # cmp rax, rdi # if (offset < arr1_size) { jbe .OOB # lea rax, [rip + arr1] # movzx eax, byte ptr [rdi + rax] # eax = arr1[offset]; shl rax, 6 # rax = rax * 64; lea rcx, [rip + arr2] # mov al, byte ptr [rax + rcx] # al = arr2[rax]; and byte ptr [rip + temp], al # temp = temp & al; .OOB: # } ret # return; # } arr1_size: .long 16 # 0x10 .size arr1_size, 4 arr1: .ascii "001002003004005006007btn013fr016017020" .size arr1, 16 temp: .byte 0 # 0x0 .size temp, 1 arr2: .comm arr2,131072,16 /spectre-v1
/caches ● Memory splitted in “blocks” (64B) ● Set-associative cache (n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy
/caches ● Memory splitted in “blocks” (64B) ● Set-associative cache (n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy Example: How many sets there are in a 6MB 12-way cache? 6*1024*1024 / (12*64) = 8192 sets We need 13 set-index bits! (w/o slicing)
/prime+probe line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 for each set : s for each line : l in s access (l) PRIME line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 for each set : s for each line : l in s time (access(l)) PROBE line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 if (key[i] == 1): access (A) else nop Victim Attacker’s put the cache in a known state Victim performs sensible computation Attacker measure cache and learns which blocks have been evicted. Attacker can infer victim’s secret.
/problem Now… In JavaScript (and many other environments) you do not have `clflush` instructions You don’t even have pointers: i.e. no knowledge of virtual address (much less of physical address) ● How can we exploit Rowhammer? ● How can we surgically evict specific content from the cache? ● How can we put the cache in a controlled state or probe it?
/problem Now… In JavaScript (and many other environments) you do not have `clflush` instructions You don’t even have pointers: i.e. no knowledge of virtual address (much less of physical address) ● How can we exploit Rowhammer? ● How can we surgically evict specific content from the cache? ● How can we put the cache in a controlled state or probe it? SOLUTION: Eviction Sets!
/eviction_sets Two addresses x and y are congruent if set(x) == set(y) & slice(x) == slice(y) set(paddr) := (paddr >> 6) & (NSETS/NSLICES-1) slice(paddr) := /* RE hash function for Intel Core CPU with 8 slices */ [0x1b5f575440, 0x2eb5faa880, 0x3cccc93100] “Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters” by Maurice et al. An eviction set for an address v is a set of at least associativity congruent addresses. (accessing an eviction sets ensures that v is evicted from the cache)* Without info about the physical address, we can test if a set is an eviction set for av :
/eviction_sets Any sufficiently large set is an eviction set, but efficient attacks require minimal eviction sets How hard is to find them? ● Depends on the amount of information about the physical address: γ ● Probability of two random addresses with γ identical set-index bits to collide: p=2γ-s-c ● Probability of a set of size N of having, at least, a collisions with some x: size associativity c = set-index bits s = slice bits
/eviction_sets Let’s imagine an attacker with native execution on a system with: 4KB pages, 8192 cache sets, 8 slices, and associativity 12 Virtual : b47 … b16 b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 Physical: b39 … b16 b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 s2 s1 s0 Probability of a having an eviction set (associativity=12) for a given address as a function of the set size: Page Offset Set index Line offset Slice index (has control over 12 bits -> P(collision) = 2-7 )
/eviction_sets But how do we find minimal eviction sets for v? We use our test: Bruteforce: try all subsets of size associativity until one evicts the address v Simple reduction: 1. start with a large enough eviction set S 2. C := pop(S) // pick one candidate element 3. if not (S is eviction set) append(S, C) // C is congruent 4. if (|S| = associativity) return S 5. else goto(2) (It’s also possible to keep track of congruent elements and stop once you find assoc many, but it’s less robust against noise) Problem? O(n2 ) memory accesses worst case (or n2 /2). Can we do better? Intuition: One can improve performance by finding trade offs with a smaller initial set size, or by changing step-2 to remove several elements instead of one (but it’s still asymptotically quadratic)
/group_testing https://en.wikipedia.org/wiki/Group_testing “Robert Dorfman in 1943 propose to the novel idea of group testing to reduce the expected number of tests needed to weed out all syphilitic men in a given pool of soldiers: - put the soldiers into groups of a given size, - and use individual testing (testing items in groups of size one) on the positive groups to find which were infected. Dorfman tabulated the optimum group sizes for this strategy against the prevalence rate of defectiveness in the population.” Improved by Generalised binary-splitting algorithm: find d defective elements in ~d*log(n/d) tests. Light Bulb problem example:
/eviction_sets We can do better inspired by group testing techniques. In particular, by using threshold group-testing: - Generalization to group-testing by Peter Damaschke (2006) - A test gives: - a positive answer if the group contains at least u defective elements - a negative answer if the group contains at most l defective elements - an arbitrary answer otherwise Our test, gives a positive answer if the set contains at least associativity elements, and a negative answer otherwise. Cache congruence is a threshold group-test! More specifically, this is a threshold group-testing without gap: u = associativity l = u - 1 And it is possible to identify d defective elements in O(d * log (n)) tests.
/eviction_sets Our problem is slightly different: we need to minimize the number of memory accesses, not the number of tests (i.e. the size of each test matters) Group-testing reduction: 1. start with a large enough eviction set S 2. T := split S in ASSOC+1 equally sized subsets 3. i := 1 4. while not (STi is eviction set) do // pidgeon principle guarantees termination 5. i := i+1 6. done 7. S := STi // discard unnecessary subset 8. if (|S| = associativity) return S 9. else goto(2) This takes us O(n) memory accesses worst case!* *For a complete cost analysis check the paper: a2 n+an−a3 −a2 .
/eviction_sets $ sudo ./evsets -b 3000 -c 6 -s 8 -a g -e 2 -n 12 -o 4096 -r 10 -t 95 -C 0 --verify --retry --backtracking --nohugepages [+] 11 MB buffer allocated at 0x7fb6dd79a000 (192000 blocks) [+] Default Threshold = 95 [+] Initial candidate set evicted victim [+] Created linked list structure (3000 elements) [+] Starting group reduction... [+] Reduction time: 0.057381 seconds [+] Total execution time: 0.086908 seconds [+] (ID=0) Found minimal eviction set for 0x7fb6d579a000 (length=12): 0x7fb6ddc25000 0x7fb6dfe85000 0x7fb6e08d5000 0x7fb6e4475000 0x7fb6dde75000 0x7fb6e47e5000 0x7fb6ddb69000 0x7fb6e0715000 0x7fb6e4d85000 0x7fb6dfb55000 0x7fb6de63d000 0x7fb6df995000 [+] Verify eviction set (only in Linux with root): - victim pfn: 0x2e1a95000, cache set: 0x140, slice: 0x2 - element pfn: 0x448915000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e18f5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e34f5000, cache set: 0x140, slice: 0x2 .... - element pfn: 0x2f91d5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e6325000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e4c65000, cache set: 0x140, slice: 0x2 [+] Verified! Tool for finding eviction sets: https://github.com/cgvwzq/evsets
/eviction_sets $ sudo ./evsets -b 3000 -c 6 -s 8 -a g -e 2 -n 12 -o 4096 -r 10 -t 95 -C 0 --verify --retry --backtracking --nohugepages [+] 11 MB buffer allocated at 0x7fb6dd79a000 (192000 blocks) [+] Default Threshold = 95 [+] Initial candidate set evicted victim [+] Created linked list structure (3000 elements) [+] Starting group reduction... [+] Reduction time: 0.057381 seconds [+] Total execution time: 0.086908 seconds [+] (ID=0) Found minimal eviction set for 0x7fb6d579a000 (length=12): 0x7fb6ddc25000 0x7fb6dfe85000 0x7fb6e08d5000 0x7fb6e4475000 0x7fb6dde75000 0x7fb6e47e5000 0x7fb6ddb69000 0x7fb6e0715000 0x7fb6e4d85000 0x7fb6dfb55000 0x7fb6de63d000 0x7fb6df995000 [+] Verify eviction set (only in Linux with root): - victim pfn: 0x2e1a95000, cache set: 0x140, slice: 0x2 - element pfn: 0x448915000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e18f5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e34f5000, cache set: 0x140, slice: 0x2 .... - element pfn: 0x2f91d5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e6325000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e4c65000, cache set: 0x140, slice: 0x2 [+] Verified! Tool for finding eviction sets: https://github.com/cgvwzq/evsets Sure... But what about JS?
https://www.aosabook.org/en/posa/high-performance-networking-in-chrome.html /chrome Multi-process architecture
https://www.aosabook.org/en/posa/high-performance-networking-in-chrome.html https://medium.com/dailyjs/understanding-v8s-bytecode-317d46c94775 /chrome Multi-process architecture TurboFan optimizer compiler
/wasm WebAssembly ● Stack machine ● Harvard architecture ● Statically typed language ● S-expressions ● Flat and sandboxed (fault isolation) memory ● More performance and predictability ● LiftOff vs. TurboFan (in Chrome)
/chrome Memory allocation: ● PartitionAlloc: Blink’s default memory allocator with built-in exploit mitigations (substitutes previous tcmalloc) ● Oilpan: PatitionAlloc is no longer used to allocate memory for DOM related C++ objects in Chrome ● Oilpan (or BlinkGC) is a new garbage collected heap ● Allocator can be changed at compile time (tcmalloc vs. jemalloc vs. winheap) Some subsystems, such as the V8 JavaScript engine, handle memory management autonomously: ● Orinoco GC: from sequential and stop-the-world to mostly parallel and concurrent (512KB pages, 3 generations, scavenges and full mark-compact) ● Different Object spaces: new, old, code, map, large, code large, new large, read only. ● We are interested in “LargeObjectSpace”: allocations greater than a region (512KB) use mmap directly. mmap -> page aligned region -> control over the page offset from JS! :)
/timers We also need a high-resolution timer: ● performance.now() is too coarse… ● there are many alternatives and amplification techniques ● but since SharedArrayBuffer has been re-enabled, let’s use it We can implement a high-resolution clock with a thread (aka Worker) and shared memory counter: // file: clock.js var arr; onmessage = function(evt) { arr = new Uint32Array(evt.memory.buffer); while (true) { arr[0]++; } } const clock = new Worker('clock.js'); const buffer = new SharedArrayBuffer(4); const rdtsc = new Uint32Array(buffer); clock.postMessage({"memory”: buffer}); ... let t0 = rdtsc[0]; foo(); let t1 = rdtsc[0] - t0;
/wasm 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 8bd0 movl rdx,rax 10 49ba0000000001000000 movq r10,0x100000000 1a 4c3bd2 cmpq r10,rdx 1d 7320 jnc <+0x3f> ... 3f 8b0413 movl rax,[rbx+rdx*1] 42 4c8b15c9ffffff movq r10,[rip+0xffffffc9] 49 4c3bd0 cmpq r10,rax 4c 731d jnc <+0x6b> ... 6b 488be5 movq rsp,rbp 6e 5d pop rbp 6f c3 retl (module (import "env" "mem" (memory 1 1 shared)) (export "access" (func $x)) ;; simple memory access (func $x (param $ptr i32) (result i32) (i32.load (get_local $ptr)) (return) ) ) (on V8 v7.4.0) TurboFan x86_64 output $ wat2wasm --enable-threads -o a.wasm a.wat $ cat wrapper.js const mem = new WebAssembly.Memory({ initial: 1, maximum: 1, shared: true }); const buf = new Uint8Array(readbuffer(arguments[0])); const ffi = {env:{mem:mem}}; const module = new WebAssembly.Module(buf); const instance = new WebAssembly.Instance(module, ffi); instance.exports.access(0); $ d8 --experimental-wasm-threads --code-comments --wasm-tier-mask-for-testing 255 --print-wasm-code --experimental-wasm-bigint wrapper.js -- a.wasm How to build? Body (size = 608 = 593 + 15 padding) a.wat signcheckprologue epilogue wasm-instance = rsi args = rax, rdx, rcx, rbx, r9, (stack) return = rax
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 25ffffff00 andl rax,0xff 13 488b0403 movq rax,[rbx+rax*1] 17 488be5 movq rsp,rbp 1a 5d pop rbp 1b c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output Body (size = 384 = 357 + 27 padding) ;; optimized memory access (func $x (param $ptr i32) (result i64) (i64.load (i32.and (i32.const 0xffffffff) (get_local $ptr))) (return) ) a.wat ● i64.load vs i32.load ● apply bitmask to offset removes sign check ● safe bytes and control layout :) prologue epilogue (module (import "env" "mem" (memory 1 1 shared)) (export "access" (func $x)) ;; simple memory access (func $x (param $ptr i32) (result i32) (i32.load (get_local $ptr)) (return) ) ) a.wat
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec08 subq rsp,0x8 b 488b86a7000000 movq rax,[rsi+0xa7] ;; memory 12 e913000000 jmp <+0x2a> 17 660f1f840000000000 nop 20 488b18 movq rbx,[rax] 23 4883c301 addq rbx,0x1 27 488918 movq [rax],rbx 2a 488b9ec700000 movq rbx,[rsi+0xc7] 31 483923 cmpq [rbx],rsp 34 72ea jc <+0x20> ... ;; infinite loop: compiler removes epilogue! :o /wasm (on V8 v7.4.0) TurboFan x86_64 output ;; load-store increment loop (func $x (loop $ccc (i64.store (i32.const 0) (i64.add (i64.load (i32.const 0)) (i64.const 1))) (br $ccc)) ) clock.wat prologue stack guard ;; atomic increment loop (func $x (loop $ccc (i64.atomic.rmw.add (i32.const 0) (i64.const 1)) (br $ccc)) ) clock.wat
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec08 subq rsp,0x8 b 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory 12 ba01000000 movl rdx,0x1 17 e914000000 jmp <+0x30> 1c 0f1f4000 nop 20 488b03 movq rax,[rbx] 23 488bc8 movq rcx,rax 26 4803ca addq rcx,rdx 29 f0480fb10b lock cmpxchgq [rbx],rcx 2e 75f0 jnz <+0x20> 30 488b86c7000000 movq rax,[rsi+0xc7] 37 483920 cmpq [rax],rsp 3a 72e4 jc <+0x20> ;; infinite loop: compiler removes epilogue! :o /wasm (on V8 v7.4.0) TurboFan x86_64 output prologue stack guard ;; load-store increment loop (func $x (loop $ccc (i64.store (i32.const 0) (i64.add (i64.load (i32.const 0)) (i64.const 1))) (br $ccc)) ) clock.wat ;; atomic increment loop (func $x (loop $ccc (i64.atomic.rmw.add (i32.const 0) (i64.const 1)) (br $ccc)) ) clock.wat
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec10 subq rsp,0x10 b 488b9ea7000000 movq rbx,[rsi+0xa7] 12 6666660f1f840000000000 nop 1d 0f1f00 nop 20 488b96c7000000 movq rdx,[rsi+0xc7] 27 483922 cmpq [rdx],rsp 2a 0f8340000000 jnc <+0x70> 30 8bc0 movl rax,rax 32 49ba0000000001000000 movq r10,0x100000000 3c 4c3bd0 cmpq r10,rax 3f 7320 jnc <+0x61> ... 61 488b0403 movq rax,[rbx+rax*1] 65 4883f800 cmpq rax,0x0 69 75b5 jnz <+0x20> 6b 488be5 movq rsp,rbp 6e 5d pop rbp 6f c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output (func $x (param $ptr i64) (loop $iter (set_local $ptr (i64.load (i32.wrap/i64 (get_local $ptr)))) (br_if $iter (i32.eqz (i64.eqz (get_local $ptr))))) ) traverse.wat signcheckstack guard epilogue prologue
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 83e0ff andl rax,0xff 11 488b1403 movq rdx,[rbx+rax*1] ;; access() 15 488b13 movq rdx,[rbx] ;; t_start 18 488b0c03 movq rcx,[rbx+rax*1] ;; access() 1c 488b1b movq rbx,[rbx] ;; t_end 1f 482bd3 subq rdx,rbx 22 48f7da negq rdx 25 488bc2 movq rax,rdx 28 488be5 movq rsp,rbp 2b 5d pop rbp 2c c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 outputhit.wat (func $x (param $victim i32) (result i64) (i64.const 0) ;; access victim (drop (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim)))) ;; t_start (i64.load (i32.const 0));; shared counter ;; re-access victim (drop (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim))))) ;; t_end (i64.load (i32.const 0));; shared counter (i64.sub) (i64.sub) (return) ) Problem: x86 looks good, but we have no guarantees that memory accesses are done in order… In practice we get a lot of zeros :( Solutions: Repeat measure many times, do internal calls instead of inlining accesses, or create a data dependency prologueepilogue
0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 488bd0 movq rdx,rax 11 83e2ff andl rdx,0xff 14 488b1413 movq rdx,[rbx+rdx*1] 18 4883fa00 cmpq rdx,0x0 1c 0f94c2 setzl dl 1f 0fb6d2 movzxbl rdx,rdx 22 83e2ff andl rdx,0xff 25 488b1413 movq rdx,[rbx+rdx*1] 29 4883fa00 cmpq rdx,0x0 2d 0f94c1 setzl cl 30 0fb6c9 movzxbl rcx,rcx 33 0bc8 orl rcx,rax 35 83e1ff andl rcx,0xff 38 488b0c0b movq rcx,[rbx+rcx*1] 3c 4883f900 cmpq rcx,0x0 40 0f94c1 setzl cl 43 0fb6c9 movzxbl rcx,rcx 46 83e1ff andl rcx,0xff 49 488b1c0b movq rbx,[rbx+rcx*1] 4d 482bda subq rbx,rdx 50 488bc3 movq rax,rbx 53 488be5 movq rsp,rbp 56 5d pop rbp 57 c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output hit_opt.wat (func $x (param $victim i32) (result i64) (local $t0 i64) (local $t1 i64) (local $td i64) ;; acces victim (set_local $td (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim)))) ;; t_start (set_local $t0 (i64.load (i32.and (i32.const 0xffffffff) ((i32.eqz (i64.eqz (get_local $td)))))) ;; re-access victim (set_local $td (i64.load (i32.and (i32.const 0xffffffff) (i32.or (get_local $victim) (i64.eqz (get_local $t0)))))) ;; t_end (set_local $t1 (i64.load (i32.and (i32.const 0xffffffff) ((i32.eqz (i64.eqz (get_local $td)))))) ;; ret time (i64.sub (get_local $t1) (get_local $t0)) (return) ) epilogueprologuevictimt_startvictimt_end
/demo

Empfohlen

Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Rajivarnan (Rajiv)
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)David Evans
 
Debugger Principle Overview & GDB Tricks
Debugger Principle Overview & GDB TricksDebugger Principle Overview & GDB Tricks
Debugger Principle Overview & GDB Tricksdutor
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 
Building High-Performance Language Implementations With Low Effort
Building High-Performance Language Implementations With Low EffortBuilding High-Performance Language Implementations With Low Effort
Building High-Performance Language Implementations With Low EffortStefan Marr
 
Debug Line Issues After Relaxation.
Debug Line Issues After Relaxation.Debug Line Issues After Relaxation.
Debug Line Issues After Relaxation.Wang Hsiangkai
 
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...Stefan Marr
 

Empfohlen

Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Rajivarnan (Rajiv)
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)David Evans
 
Debugger Principle Overview & GDB Tricks
Debugger Principle Overview & GDB TricksDebugger Principle Overview & GDB Tricks
Debugger Principle Overview & GDB Tricksdutor
 
Code GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersCode GPU with CUDA - Identifying performance limiters
Code GPU with CUDA - Identifying performance limitersMarina Kolpakova
 
Building High-Performance Language Implementations With Low Effort
Building High-Performance Language Implementations With Low EffortBuilding High-Performance Language Implementations With Low Effort
Building High-Performance Language Implementations With Low EffortStefan Marr
 
Debug Line Issues After Relaxation.
Debug Line Issues After Relaxation.Debug Line Issues After Relaxation.
Debug Line Issues After Relaxation.Wang Hsiangkai
 
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...
Zero-Overhead Metaprogramming: Reflection and Metaobject Protocols Fast and w...Stefan Marr
 
LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)Wang Hsiangkai
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programmingRodolfo Finochietti
 
Synchronization
SynchronizationSynchronization
SynchronizationDavid Evans
 
Zarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIZarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIKonrad Kokosa
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaFerdinand Jamitzky
 
Error Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks reportError Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks reportMuragesh Kabbinakantimath
 
Proof of x
Proof of xProof of x
Proof of xMikal Villa
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1MITSUNARI Shigeo
 
C c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdoC c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdoKim Phillips
 
Introduction to Rust
Introduction to RustIntroduction to Rust
Introduction to RustJean Carlo Machado
 
Salsa20
Salsa20Salsa20
Salsa20Amit Ghosh
 
Антон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++NextАнтон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++NextSergey Platonov
 
To Swift 2...and Beyond!
To Swift 2...and Beyond!To Swift 2...and Beyond!
To Swift 2...and Beyond!Scott Gardner
 
Introduction to Data Oriented Design
Introduction to Data Oriented DesignIntroduction to Data Oriented Design
Introduction to Data Oriented DesignElectronic Arts / DICE
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)nikomatsakis
 
Code GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniquesCode GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniquesMarina Kolpakova
 
snarks <3 hash functions
snarks <3 hash functionssnarks <3 hash functions
snarks <3 hash functionsRebekah Mercer
 
Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...CODE BLUE
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data OrientationElectronic Arts / DICE
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
1.Buffer Overflows
1.Buffer Overflows1.Buffer Overflows
1.Buffer Overflowsphanleson
 

Weitere ähnliche Inhalte

Was ist angesagt?

LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)Wang Hsiangkai
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programmingRodolfo Finochietti
 
Zarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIZarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIKonrad Kokosa
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaFerdinand Jamitzky
 
Error Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks reportError Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks reportMuragesh Kabbinakantimath
 
C c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdoC c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdoKim Phillips
 
Антон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++NextАнтон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++NextSergey Platonov
 
To Swift 2...and Beyond!
To Swift 2...and Beyond!To Swift 2...and Beyond!
To Swift 2...and Beyond!Scott Gardner
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)nikomatsakis
 
Code GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniquesCode GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniquesMarina Kolpakova
 
snarks <3 hash functions
snarks <3 hash functionssnarks <3 hash functions
snarks <3 hash functionsRebekah Mercer
 
Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...CODE BLUE
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言Simen Li
 

Was ist angesagt? (20)

LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)LLVM Register Allocation (2nd Version)
LLVM Register Allocation (2nd Version)
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programming
 
Synchronization
SynchronizationSynchronization
Synchronization
 
Zarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIZarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDI
 
Gpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cudaGpu workshop cluster universe: scripting cuda
Gpu workshop cluster universe: scripting cuda
 
Error Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks reportError Control in Multimedia Communications using Wireless Sensor Networks report
Error Control in Multimedia Communications using Wireless Sensor Networks report
 
Proof of x
Proof of xProof of x
Proof of x
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1
 
C c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdoC c++-meetup-1nov2017-autofdo
C c++-meetup-1nov2017-autofdo
 
Introduction to Rust
Introduction to RustIntroduction to Rust
Introduction to Rust
 
Salsa20
Salsa20Salsa20
Salsa20
 
Антон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++NextАнтон Бикинеев, Reflection in C++Next
Антон Бикинеев, Reflection in C++Next
 
To Swift 2...and Beyond!
To Swift 2...and Beyond!To Swift 2...and Beyond!
To Swift 2...and Beyond!
 
Introduction to Data Oriented Design
Introduction to Data Oriented DesignIntroduction to Data Oriented Design
Introduction to Data Oriented Design
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
 
Code GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniquesCode GPU with CUDA - Applying optimization techniques
Code GPU with CUDA - Applying optimization techniques
 
snarks <3 hash functions
snarks <3 hash functionssnarks <3 hash functions
snarks <3 hash functions
 
Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...Androsia: A step ahead in securing in-memory Android application data by Sami...
Androsia: A step ahead in securing in-memory Android application data by Sami...
 
深入淺出C語言
深入淺出C語言深入淺出C語言
深入淺出C語言
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data Orientation
 

Ähnlich wie Pepe Vila - Cache and Syphilis [rooted2019]

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
1.Buffer Overflows
1.Buffer Overflows1.Buffer Overflows
1.Buffer Overflowsphanleson
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedDaniel Lemire
 
Spark 4th Meetup Londond - Building a Product with Spark
Spark 4th Meetup Londond - Building a Product with SparkSpark 4th Meetup Londond - Building a Product with Spark
Spark 4th Meetup Londond - Building a Product with Sparksamthemonad
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]RootedCON
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugsComputer Science Club
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22nikomatsakis
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Databricks
 
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...Spark Summit
 
Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)Daniel Lemire
 
Automatically Tolerating And Correcting Memory Errors
Automatically Tolerating And Correcting Memory ErrorsAutomatically Tolerating And Correcting Memory Errors
Automatically Tolerating And Correcting Memory ErrorsEmery Berger
 
Kamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil Witecki
 
Introduction to Julia
Introduction to JuliaIntroduction to Julia
Introduction to Julia岳華 杜
 
High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018Zahari Dichev
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance PuzzlersDoug Hawkins
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanDefconRussia
 

Ähnlich wie Pepe Vila - Cache and Syphilis [rooted2019] (20)

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
1.Buffer Overflows
1.Buffer Overflows1.Buffer Overflows
1.Buffer Overflows
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons Learned
 
Spark 4th Meetup Londond - Building a Product with Spark
Spark 4th Meetup Londond - Building a Product with SparkSpark 4th Meetup Londond - Building a Product with Spark
Spark 4th Meetup Londond - Building a Product with Spark
 
Ghost
GhostGhost
Ghost
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
 
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
 
Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)
 
Automatically Tolerating And Correcting Memory Errors
Automatically Tolerating And Correcting Memory ErrorsAutomatically Tolerating And Correcting Memory Errors
Automatically Tolerating And Correcting Memory Errors
 
Kamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, code
 
Introduction to Julia
Introduction to JuliaIntroduction to Julia
Introduction to Julia
 
High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018
 
Java Performance Puzzlers
Java Performance PuzzlersJava Performance Puzzlers
Java Performance Puzzlers
 
Inferno Scalable Deep Learning on Spark
Inferno Scalable Deep Learning on SparkInferno Scalable Deep Learning on Spark
Inferno Scalable Deep Learning on Spark
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 

Mehr von RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

Mehr von RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Kürzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Pepe Vila - Cache and Syphilis [rooted2019]

  • 2.
  • 3. Cache latencies: ● L1 ~5 cycles ● L2 ~12 cycles ● L3 ~50 cycles ● DRAM ~50 cycles + 50 ns (RAM) Coherence: ● Inclusive vs. non-inclusive vs. exclusive Haswell (4th generation) architecture
  • 4. /microarchitectural_attacks Rowhammer Cache Attacks Evict+Time, Prime+Probe, Flush+Reload, etc. Memory deduplication Meltdown MMU and TLB GPU Port contention Foreshadow
  • 5. /rowhammer Single Event Upsets (SEUs) in electronics first proposed in 1962 (J.T. Wallmark and S.M. Marcus) ● Cosmic rays can limit the scaling of devices Can random bit-flips in physical memory be exploited? Rowhammer allows to induce random bit-flips via software in an often repeatable fashion ● repetition is what makes exploitation reliable Some real exploits: ● NaCl bit-flip in x86 instructions to a non 32-byte-aligned address ● Linux Kernel bit-flip in physical frame number of PTE with R/W permission ● RSA keys (ssh and apt-get): bit-flip in public key allows easy factorization ● Trusted Zone bit-flip in private key, recover secret from signature ● Opcode flipping bit-flip to ignore privilege checks in setuid binaries
  • 6. /rowhammer channel 0 channel 1 front of DIMM: rank 0 back of DIMM: rank 1 Dual In-line Memory Module chip Serial Presence Detect (SPD) bank 0 row 0 row 1 row 2 row N row buffer ... Bank = matrix of cells Cell = capacitor + transistor = 1-bit Cells grouped into rows Typical row size: 8K Row “activation” Cells leak charge, need to refresh Refresh rate ~64ms
  • 7. /rowhammer bank row 0 row 1 row 2 row N row buffer ... Hammering a row = repeatedly activating a row ● Higher storage capacity -> Higher cell density -> Lower isolation ● An aggressor row that is repeatedly activated can cause victim row’s cells to bit-flip. ● Defective cells are randomly distributed loop: mov (A), %eax // Read from address A (row 1) mov (B), %ebx // Read from address B (row k) clflush (A) // Flush A from cache clflush (B) // Flush B from cache jmp loop
  • 8. /spectre-v1 ● instruction fetch ● out-of-order execution ● branch prediction ● speculative execution
  • 9. victim_func: # void victim_func(int offset) { mov eax, dword ptr [rip + arr1_size] # cmp rax, rdi # if (offset < arr1_size) { jbe .OOB # lea rax, [rip + arr1] # movzx eax, byte ptr [rdi + rax] # eax = arr1[offset]; shl rax, 6 # rax = rax * 64; lea rcx, [rip + arr2] # mov al, byte ptr [rax + rcx] # al = arr2[rax]; and byte ptr [rip + temp], al # temp = temp & al; .OOB: # } ret # return; # } arr1_size: .long 16 # 0x10 .size arr1_size, 4 arr1: .ascii "001002003004005006007btn013fr016017020" .size arr1, 16 temp: .byte 0 # 0x0 .size temp, 1 arr2: .comm arr2,131072,16 /spectre-v1
  • 10. /caches ● Memory splitted in “blocks” (64B) ● Set-associative cache (n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy
  • 11. /caches ● Memory splitted in “blocks” (64B) ● Set-associative cache (n ways) ● Physically vs. virtually indexed ● Blocks “collide” in a cache set ● Replacement policy Example: How many sets there are in a 6MB 12-way cache? 6*1024*1024 / (12*64) = 8192 sets We need 13 set-index bits! (w/o slicing)
  • 12. /prime+probe line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 for each set : s for each line : l in s access (l) PRIME line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 for each set : s for each line : l in s time (access(l)) PROBE line 0 line 0 line 1 line 1 line 2 line 2 line 3 line 3 Set 0 Set 1 if (key[i] == 1): access (A) else nop Victim Attacker’s put the cache in a known state Victim performs sensible computation Attacker measure cache and learns which blocks have been evicted. Attacker can infer victim’s secret.
  • 13. /problem Now… In JavaScript (and many other environments) you do not have `clflush` instructions You don’t even have pointers: i.e. no knowledge of virtual address (much less of physical address) ● How can we exploit Rowhammer? ● How can we surgically evict specific content from the cache? ● How can we put the cache in a controlled state or probe it?
  • 14. /problem Now… In JavaScript (and many other environments) you do not have `clflush` instructions You don’t even have pointers: i.e. no knowledge of virtual address (much less of physical address) ● How can we exploit Rowhammer? ● How can we surgically evict specific content from the cache? ● How can we put the cache in a controlled state or probe it? SOLUTION: Eviction Sets!
  • 15. /eviction_sets Two addresses x and y are congruent if set(x) == set(y) & slice(x) == slice(y) set(paddr) := (paddr >> 6) & (NSETS/NSLICES-1) slice(paddr) := /* RE hash function for Intel Core CPU with 8 slices */ [0x1b5f575440, 0x2eb5faa880, 0x3cccc93100] “Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters” by Maurice et al. An eviction set for an address v is a set of at least associativity congruent addresses. (accessing an eviction sets ensures that v is evicted from the cache)* Without info about the physical address, we can test if a set is an eviction set for av :
  • 16. /eviction_sets Any sufficiently large set is an eviction set, but efficient attacks require minimal eviction sets How hard is to find them? ● Depends on the amount of information about the physical address: γ ● Probability of two random addresses with γ identical set-index bits to collide: p=2γ-s-c ● Probability of a set of size N of having, at least, a collisions with some x: size associativity c = set-index bits s = slice bits
  • 17. /eviction_sets Let’s imagine an attacker with native execution on a system with: 4KB pages, 8192 cache sets, 8 slices, and associativity 12 Virtual : b47 … b16 b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 Physical: b39 … b16 b15 b14 b13 b12 b11 b10 b9 b8 b7 b6 b5 b4 b3 b2 b1 b0 s2 s1 s0 Probability of a having an eviction set (associativity=12) for a given address as a function of the set size: Page Offset Set index Line offset Slice index (has control over 12 bits -> P(collision) = 2-7 )
  • 18. /eviction_sets But how do we find minimal eviction sets for v? We use our test: Bruteforce: try all subsets of size associativity until one evicts the address v Simple reduction: 1. start with a large enough eviction set S 2. C := pop(S) // pick one candidate element 3. if not (S is eviction set) append(S, C) // C is congruent 4. if (|S| = associativity) return S 5. else goto(2) (It’s also possible to keep track of congruent elements and stop once you find assoc many, but it’s less robust against noise) Problem? O(n2 ) memory accesses worst case (or n2 /2). Can we do better? Intuition: One can improve performance by finding trade offs with a smaller initial set size, or by changing step-2 to remove several elements instead of one (but it’s still asymptotically quadratic)
  • 19. /group_testing https://en.wikipedia.org/wiki/Group_testing “Robert Dorfman in 1943 propose to the novel idea of group testing to reduce the expected number of tests needed to weed out all syphilitic men in a given pool of soldiers: - put the soldiers into groups of a given size, - and use individual testing (testing items in groups of size one) on the positive groups to find which were infected. Dorfman tabulated the optimum group sizes for this strategy against the prevalence rate of defectiveness in the population.” Improved by Generalised binary-splitting algorithm: find d defective elements in ~d*log(n/d) tests. Light Bulb problem example:
  • 20. /eviction_sets We can do better inspired by group testing techniques. In particular, by using threshold group-testing: - Generalization to group-testing by Peter Damaschke (2006) - A test gives: - a positive answer if the group contains at least u defective elements - a negative answer if the group contains at most l defective elements - an arbitrary answer otherwise Our test, gives a positive answer if the set contains at least associativity elements, and a negative answer otherwise. Cache congruence is a threshold group-test! More specifically, this is a threshold group-testing without gap: u = associativity l = u - 1 And it is possible to identify d defective elements in O(d * log (n)) tests.
  • 21. /eviction_sets Our problem is slightly different: we need to minimize the number of memory accesses, not the number of tests (i.e. the size of each test matters) Group-testing reduction: 1. start with a large enough eviction set S 2. T := split S in ASSOC+1 equally sized subsets 3. i := 1 4. while not (STi is eviction set) do // pidgeon principle guarantees termination 5. i := i+1 6. done 7. S := STi // discard unnecessary subset 8. if (|S| = associativity) return S 9. else goto(2) This takes us O(n) memory accesses worst case!* *For a complete cost analysis check the paper: a2 n+an−a3 −a2 .
  • 22. /eviction_sets $ sudo ./evsets -b 3000 -c 6 -s 8 -a g -e 2 -n 12 -o 4096 -r 10 -t 95 -C 0 --verify --retry --backtracking --nohugepages [+] 11 MB buffer allocated at 0x7fb6dd79a000 (192000 blocks) [+] Default Threshold = 95 [+] Initial candidate set evicted victim [+] Created linked list structure (3000 elements) [+] Starting group reduction... [+] Reduction time: 0.057381 seconds [+] Total execution time: 0.086908 seconds [+] (ID=0) Found minimal eviction set for 0x7fb6d579a000 (length=12): 0x7fb6ddc25000 0x7fb6dfe85000 0x7fb6e08d5000 0x7fb6e4475000 0x7fb6dde75000 0x7fb6e47e5000 0x7fb6ddb69000 0x7fb6e0715000 0x7fb6e4d85000 0x7fb6dfb55000 0x7fb6de63d000 0x7fb6df995000 [+] Verify eviction set (only in Linux with root): - victim pfn: 0x2e1a95000, cache set: 0x140, slice: 0x2 - element pfn: 0x448915000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e18f5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e34f5000, cache set: 0x140, slice: 0x2 .... - element pfn: 0x2f91d5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e6325000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e4c65000, cache set: 0x140, slice: 0x2 [+] Verified! Tool for finding eviction sets: https://github.com/cgvwzq/evsets
  • 23. /eviction_sets $ sudo ./evsets -b 3000 -c 6 -s 8 -a g -e 2 -n 12 -o 4096 -r 10 -t 95 -C 0 --verify --retry --backtracking --nohugepages [+] 11 MB buffer allocated at 0x7fb6dd79a000 (192000 blocks) [+] Default Threshold = 95 [+] Initial candidate set evicted victim [+] Created linked list structure (3000 elements) [+] Starting group reduction... [+] Reduction time: 0.057381 seconds [+] Total execution time: 0.086908 seconds [+] (ID=0) Found minimal eviction set for 0x7fb6d579a000 (length=12): 0x7fb6ddc25000 0x7fb6dfe85000 0x7fb6e08d5000 0x7fb6e4475000 0x7fb6dde75000 0x7fb6e47e5000 0x7fb6ddb69000 0x7fb6e0715000 0x7fb6e4d85000 0x7fb6dfb55000 0x7fb6de63d000 0x7fb6df995000 [+] Verify eviction set (only in Linux with root): - victim pfn: 0x2e1a95000, cache set: 0x140, slice: 0x2 - element pfn: 0x448915000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e18f5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e34f5000, cache set: 0x140, slice: 0x2 .... - element pfn: 0x2f91d5000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e6325000, cache set: 0x140, slice: 0x2 - element pfn: 0x2e4c65000, cache set: 0x140, slice: 0x2 [+] Verified! Tool for finding eviction sets: https://github.com/cgvwzq/evsets Sure... But what about JS?
  • 26. /wasm WebAssembly ● Stack machine ● Harvard architecture ● Statically typed language ● S-expressions ● Flat and sandboxed (fault isolation) memory ● More performance and predictability ● LiftOff vs. TurboFan (in Chrome)
  • 27. /chrome Memory allocation: ● PartitionAlloc: Blink’s default memory allocator with built-in exploit mitigations (substitutes previous tcmalloc) ● Oilpan: PatitionAlloc is no longer used to allocate memory for DOM related C++ objects in Chrome ● Oilpan (or BlinkGC) is a new garbage collected heap ● Allocator can be changed at compile time (tcmalloc vs. jemalloc vs. winheap) Some subsystems, such as the V8 JavaScript engine, handle memory management autonomously: ● Orinoco GC: from sequential and stop-the-world to mostly parallel and concurrent (512KB pages, 3 generations, scavenges and full mark-compact) ● Different Object spaces: new, old, code, map, large, code large, new large, read only. ● We are interested in “LargeObjectSpace”: allocations greater than a region (512KB) use mmap directly. mmap -> page aligned region -> control over the page offset from JS! :)
  • 28. /timers We also need a high-resolution timer: ● performance.now() is too coarse… ● there are many alternatives and amplification techniques ● but since SharedArrayBuffer has been re-enabled, let’s use it We can implement a high-resolution clock with a thread (aka Worker) and shared memory counter: // file: clock.js var arr; onmessage = function(evt) { arr = new Uint32Array(evt.memory.buffer); while (true) { arr[0]++; } } const clock = new Worker('clock.js'); const buffer = new SharedArrayBuffer(4); const rdtsc = new Uint32Array(buffer); clock.postMessage({"memory”: buffer}); ... let t0 = rdtsc[0]; foo(); let t1 = rdtsc[0] - t0;
  • 29. /wasm 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 8bd0 movl rdx,rax 10 49ba0000000001000000 movq r10,0x100000000 1a 4c3bd2 cmpq r10,rdx 1d 7320 jnc <+0x3f> ... 3f 8b0413 movl rax,[rbx+rdx*1] 42 4c8b15c9ffffff movq r10,[rip+0xffffffc9] 49 4c3bd0 cmpq r10,rax 4c 731d jnc <+0x6b> ... 6b 488be5 movq rsp,rbp 6e 5d pop rbp 6f c3 retl (module (import "env" "mem" (memory 1 1 shared)) (export "access" (func $x)) ;; simple memory access (func $x (param $ptr i32) (result i32) (i32.load (get_local $ptr)) (return) ) ) (on V8 v7.4.0) TurboFan x86_64 output $ wat2wasm --enable-threads -o a.wasm a.wat $ cat wrapper.js const mem = new WebAssembly.Memory({ initial: 1, maximum: 1, shared: true }); const buf = new Uint8Array(readbuffer(arguments[0])); const ffi = {env:{mem:mem}}; const module = new WebAssembly.Module(buf); const instance = new WebAssembly.Instance(module, ffi); instance.exports.access(0); $ d8 --experimental-wasm-threads --code-comments --wasm-tier-mask-for-testing 255 --print-wasm-code --experimental-wasm-bigint wrapper.js -- a.wasm How to build? Body (size = 608 = 593 + 15 padding) a.wat signcheckprologue epilogue wasm-instance = rsi args = rax, rdx, rcx, rbx, r9, (stack) return = rax
  • 30. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 25ffffff00 andl rax,0xff 13 488b0403 movq rax,[rbx+rax*1] 17 488be5 movq rsp,rbp 1a 5d pop rbp 1b c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output Body (size = 384 = 357 + 27 padding) ;; optimized memory access (func $x (param $ptr i32) (result i64) (i64.load (i32.and (i32.const 0xffffffff) (get_local $ptr))) (return) ) a.wat ● i64.load vs i32.load ● apply bitmask to offset removes sign check ● safe bytes and control layout :) prologue epilogue (module (import "env" "mem" (memory 1 1 shared)) (export "access" (func $x)) ;; simple memory access (func $x (param $ptr i32) (result i32) (i32.load (get_local $ptr)) (return) ) ) a.wat
  • 31. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec08 subq rsp,0x8 b 488b86a7000000 movq rax,[rsi+0xa7] ;; memory 12 e913000000 jmp <+0x2a> 17 660f1f840000000000 nop 20 488b18 movq rbx,[rax] 23 4883c301 addq rbx,0x1 27 488918 movq [rax],rbx 2a 488b9ec700000 movq rbx,[rsi+0xc7] 31 483923 cmpq [rbx],rsp 34 72ea jc <+0x20> ... ;; infinite loop: compiler removes epilogue! :o /wasm (on V8 v7.4.0) TurboFan x86_64 output ;; load-store increment loop (func $x (loop $ccc (i64.store (i32.const 0) (i64.add (i64.load (i32.const 0)) (i64.const 1))) (br $ccc)) ) clock.wat prologue stack guard ;; atomic increment loop (func $x (loop $ccc (i64.atomic.rmw.add (i32.const 0) (i64.const 1)) (br $ccc)) ) clock.wat
  • 32. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec08 subq rsp,0x8 b 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory 12 ba01000000 movl rdx,0x1 17 e914000000 jmp <+0x30> 1c 0f1f4000 nop 20 488b03 movq rax,[rbx] 23 488bc8 movq rcx,rax 26 4803ca addq rcx,rdx 29 f0480fb10b lock cmpxchgq [rbx],rcx 2e 75f0 jnz <+0x20> 30 488b86c7000000 movq rax,[rsi+0xc7] 37 483920 cmpq [rax],rsp 3a 72e4 jc <+0x20> ;; infinite loop: compiler removes epilogue! :o /wasm (on V8 v7.4.0) TurboFan x86_64 output prologue stack guard ;; load-store increment loop (func $x (loop $ccc (i64.store (i32.const 0) (i64.add (i64.load (i32.const 0)) (i64.const 1))) (br $ccc)) ) clock.wat ;; atomic increment loop (func $x (loop $ccc (i64.atomic.rmw.add (i32.const 0) (i64.const 1)) (br $ccc)) ) clock.wat
  • 33. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 4883ec10 subq rsp,0x10 b 488b9ea7000000 movq rbx,[rsi+0xa7] 12 6666660f1f840000000000 nop 1d 0f1f00 nop 20 488b96c7000000 movq rdx,[rsi+0xc7] 27 483922 cmpq [rdx],rsp 2a 0f8340000000 jnc <+0x70> 30 8bc0 movl rax,rax 32 49ba0000000001000000 movq r10,0x100000000 3c 4c3bd0 cmpq r10,rax 3f 7320 jnc <+0x61> ... 61 488b0403 movq rax,[rbx+rax*1] 65 4883f800 cmpq rax,0x0 69 75b5 jnz <+0x20> 6b 488be5 movq rsp,rbp 6e 5d pop rbp 6f c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output (func $x (param $ptr i64) (loop $iter (set_local $ptr (i64.load (i32.wrap/i64 (get_local $ptr)))) (br_if $iter (i32.eqz (i64.eqz (get_local $ptr))))) ) traverse.wat signcheckstack guard epilogue prologue
  • 34. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 83e0ff andl rax,0xff 11 488b1403 movq rdx,[rbx+rax*1] ;; access() 15 488b13 movq rdx,[rbx] ;; t_start 18 488b0c03 movq rcx,[rbx+rax*1] ;; access() 1c 488b1b movq rbx,[rbx] ;; t_end 1f 482bd3 subq rdx,rbx 22 48f7da negq rdx 25 488bc2 movq rax,rdx 28 488be5 movq rsp,rbp 2b 5d pop rbp 2c c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 outputhit.wat (func $x (param $victim i32) (result i64) (i64.const 0) ;; access victim (drop (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim)))) ;; t_start (i64.load (i32.const 0));; shared counter ;; re-access victim (drop (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim))))) ;; t_end (i64.load (i32.const 0));; shared counter (i64.sub) (i64.sub) (return) ) Problem: x86 looks good, but we have no guarantees that memory accesses are done in order… In practice we get a lot of zeros :( Solutions: Repeat measure many times, do internal calls instead of inlining accesses, or create a data dependency prologueepilogue
  • 35. 0 55 push rbp 1 4889e5 movq rbp,rsp 4 6a0a push 0xa 6 56 push rsi 7 488b9ea7000000 movq rbx,[rsi+0xa7] ;; memory e 488bd0 movq rdx,rax 11 83e2ff andl rdx,0xff 14 488b1413 movq rdx,[rbx+rdx*1] 18 4883fa00 cmpq rdx,0x0 1c 0f94c2 setzl dl 1f 0fb6d2 movzxbl rdx,rdx 22 83e2ff andl rdx,0xff 25 488b1413 movq rdx,[rbx+rdx*1] 29 4883fa00 cmpq rdx,0x0 2d 0f94c1 setzl cl 30 0fb6c9 movzxbl rcx,rcx 33 0bc8 orl rcx,rax 35 83e1ff andl rcx,0xff 38 488b0c0b movq rcx,[rbx+rcx*1] 3c 4883f900 cmpq rcx,0x0 40 0f94c1 setzl cl 43 0fb6c9 movzxbl rcx,rcx 46 83e1ff andl rcx,0xff 49 488b1c0b movq rbx,[rbx+rcx*1] 4d 482bda subq rbx,rdx 50 488bc3 movq rax,rbx 53 488be5 movq rsp,rbp 56 5d pop rbp 57 c3 retl /wasm (on V8 v7.4.0) TurboFan x86_64 output hit_opt.wat (func $x (param $victim i32) (result i64) (local $t0 i64) (local $t1 i64) (local $td i64) ;; acces victim (set_local $td (i64.load (i32.and (i32.const 0xffffffff) (get_local $victim)))) ;; t_start (set_local $t0 (i64.load (i32.and (i32.const 0xffffffff) ((i32.eqz (i64.eqz (get_local $td)))))) ;; re-access victim (set_local $td (i64.load (i32.and (i32.const 0xffffffff) (i32.or (get_local $victim) (i64.eqz (get_local $t0)))))) ;; t_end (set_local $t1 (i64.load (i32.and (i32.const 0xffffffff) ((i32.eqz (i64.eqz (get_local $td)))))) ;; ret time (i64.sub (get_local $t1) (get_local $t0)) (return) ) epilogueprologuevictimt_startvictimt_end
  • 36. /demo