#HITB2016AMS D2T1 - Cache Side Channel Attacks: CPU Design As A Security Problem - Anders Fogh
In a casual conversation with Thomas “Halvar Flake” Dullien I suggested that performance counters could be used as a software mitigation for the row hammer exploit he and Mark Seaborn had developed. Thomas encouraged me to research it and it became a suggestion for a software solution for row hammer. I presented this research with Nishat Herath during Black Hat 2015. While researching row hammer I noticed that the methodology I was developing could be important in mitigating cache side channel attacks and this led me into an almost year-long project researching these attacks.
In this talk we’ll focus on how the microarchitectural design of modern computers enables an attacker to breach trust boundaries. Specifically, we’ll focus on how the cache subsystem of modern x86 computers can be abused to gain access to private data. Cache side channel attacks have been around for years, but have had a renaissance due to the emergence of a large, shared third-level cache, and have gained relevance through the spread of cloud computing due to the increased attack surface. There are many side channels possible in modern computers; however, the cache is most likely the most important due to its central position in the computer. Given that cache side channel attacks are enabled by the CPU design, software defenses are notoriously difficult, yet in many cases they are the only viable solution.
Cache side channel attacks are relevant when an attacker already has access to the same hardware as the victim, but is stopped by local restrictions such as user privileges, virtual machines or sandboxes. At first this seems restrictive, but modern computing is full of examples of such scenarios. Virtual machines in cloud computers are the classic example, and cache side channel attacks easily reach across otherwise ironclad boundaries between virtual machines. Thin clients, JavaScript running locally on web pages and multi-user systems are other common examples. Despite modern cache side channel attacks being relatively new, many important attacks have already been demonstrated:
– Exfiltration of RSA 2048 private keys from a co-located VM hosted in the Amazon cloud
– AES key extraction
– ECDSA key extraction
– Spying on keyboard input
– Spying on mouse cursor
– Breaking KASLR (Kernel Address Space Layout Randomization)
======
Anders Fogh is a co-founder and the vice president of engineering at Protect Software GmbH. He has led numerous low-level engineering efforts in the past 11 years. Prior to that he worked at VOB GmbH and Pinnacle System, where he was responsible for major developments in video and CD/DVD recording software. Since 1993 he has been an avid malware hobbyist and has reverse engineering experience with operating systems from DOS to present-day OSs as well as devices ranging from DVD players to USB sticks. He holds a master’s degree in economics from the University of Aarhus. He was the first to suggest a software solution to the row hammer bug and spoke at Black Hat 2015 with Nishat Herath on the topic of using performance counters for security outcomes.