What could possibly go wrong with <insert x86 instruction here>?

Clementine Lucie Noemie Maurice, Moritz Lipp

Publikation: Konferenzbeitrag(Altdaten) Vortrag oder PräsentationForschungBegutachtung

Abstract

Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. The most studied microarchitectural attacks are beyond doubt cache attacks. Indeed, the timing of a memory access depends heavily on the state of the CPU cache. But beyond memory accesses that are the base of classical cache-based side-channel attacks, other x86 instructions leak information about the internal state of the hardware, and thus about running programs. First, we present side channels caused by the "clflush" instruction, that flushes all content of the cache. We will explain how it can be used to perform side-channel attacks that are faster and stealthier than their classical counterpart, without performing so much as a single memory access [1]. Second, we present side channels caused by the prefetch instructions. We will explain how these instructions can be used to translate virtual addresses to physical addresses - without the use of the proc interface that is restricted today -, and to bypass kernel ASLR [2].

This talk does not require any knowledge about assembly. We promise.

The talk will be given as a joint presentation by Clémentine Maurice and Moritz Lipp.

[1] Daniel Gruss, Clémentine Maurice, Klaus Wagner and Stefan Mangard, "Flush+Flush: A Fast and Stealthy Cache Attack", DIMVA 2016
[2] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard, "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR", CCS 2016
Originalspracheenglisch
PublikationsstatusVeröffentlicht - 2016
Veranstaltung33. Chaos Communication Congress - Congress Center Hamburg, Hamburg, Deutschland
Dauer: 27 Dez 201630 Jan 2017
https://events.ccc.de/tag/33c3/

Konferenz

Konferenz33. Chaos Communication Congress
Kurztitel33C3
LandDeutschland
OrtHamburg
Zeitraum27/12/1630/01/17
Internetadresse

Fingerprint

Hardware
Data storage equipment
Virtual addresses
Physical addresses
Program processors
Side channel attack

Schlagwörter

    Dies zitieren

    Maurice, C. L. N., & Lipp, M. (2016). What could possibly go wrong with <insert x86 instruction here>?. 33. Chaos Communication Congress, Hamburg, Deutschland.

    What could possibly go wrong with <insert x86 instruction here>? / Maurice, Clementine Lucie Noemie; Lipp, Moritz.

    2016. 33. Chaos Communication Congress, Hamburg, Deutschland.

    Publikation: Konferenzbeitrag(Altdaten) Vortrag oder PräsentationForschungBegutachtung

    Maurice, CLN & Lipp, M 2016, 'What could possibly go wrong with <insert x86 instruction here>?', Hamburg, Deutschland, 27/12/16 - 30/01/17, .
    Maurice CLN, Lipp M. What could possibly go wrong with <insert x86 instruction here>?. 2016. 33. Chaos Communication Congress, Hamburg, Deutschland.
    Maurice, Clementine Lucie Noemie ; Lipp, Moritz. / What could possibly go wrong with <insert x86 instruction here>?. 33. Chaos Communication Congress, Hamburg, Deutschland.
    @conference{01e3c4291f91464082634eba9cefbd3a,
    title = "What could possibly go wrong with ?",
    abstract = "Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. The most studied microarchitectural attacks are beyond doubt cache attacks. Indeed, the timing of a memory access depends heavily on the state of the CPU cache. But beyond memory accesses that are the base of classical cache-based side-channel attacks, other x86 instructions leak information about the internal state of the hardware, and thus about running programs. First, we present side channels caused by the {"}clflush{"} instruction, that flushes all content of the cache. We will explain how it can be used to perform side-channel attacks that are faster and stealthier than their classical counterpart, without performing so much as a single memory access [1]. Second, we present side channels caused by the prefetch instructions. We will explain how these instructions can be used to translate virtual addresses to physical addresses - without the use of the proc interface that is restricted today -, and to bypass kernel ASLR [2].This talk does not require any knowledge about assembly. We promise.The talk will be given as a joint presentation by Cl{\'e}mentine Maurice and Moritz Lipp.[1] Daniel Gruss, Cl{\'e}mentine Maurice, Klaus Wagner and Stefan Mangard, {"}Flush+Flush: A Fast and Stealthy Cache Attack{"}, DIMVA 2016[2] Daniel Gruss, Cl{\'e}mentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard, {"}Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR{"}, CCS 2016",
    keywords = "side-channel attacks",
    author = "Maurice, {Clementine Lucie Noemie} and Moritz Lipp",
    year = "2016",
    language = "English",
    note = "33. Chaos Communication Congress, 33C3 ; Conference date: 27-12-2016 Through 30-01-2017",
    url = "https://events.ccc.de/tag/33c3/",

    }

    TY - CONF

    T1 - What could possibly go wrong with ?

    AU - Maurice, Clementine Lucie Noemie

    AU - Lipp, Moritz

    PY - 2016

    Y1 - 2016

    N2 - Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. The most studied microarchitectural attacks are beyond doubt cache attacks. Indeed, the timing of a memory access depends heavily on the state of the CPU cache. But beyond memory accesses that are the base of classical cache-based side-channel attacks, other x86 instructions leak information about the internal state of the hardware, and thus about running programs. First, we present side channels caused by the "clflush" instruction, that flushes all content of the cache. We will explain how it can be used to perform side-channel attacks that are faster and stealthier than their classical counterpart, without performing so much as a single memory access [1]. Second, we present side channels caused by the prefetch instructions. We will explain how these instructions can be used to translate virtual addresses to physical addresses - without the use of the proc interface that is restricted today -, and to bypass kernel ASLR [2].This talk does not require any knowledge about assembly. We promise.The talk will be given as a joint presentation by Clémentine Maurice and Moritz Lipp.[1] Daniel Gruss, Clémentine Maurice, Klaus Wagner and Stefan Mangard, "Flush+Flush: A Fast and Stealthy Cache Attack", DIMVA 2016[2] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard, "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR", CCS 2016

    AB - Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. The most studied microarchitectural attacks are beyond doubt cache attacks. Indeed, the timing of a memory access depends heavily on the state of the CPU cache. But beyond memory accesses that are the base of classical cache-based side-channel attacks, other x86 instructions leak information about the internal state of the hardware, and thus about running programs. First, we present side channels caused by the "clflush" instruction, that flushes all content of the cache. We will explain how it can be used to perform side-channel attacks that are faster and stealthier than their classical counterpart, without performing so much as a single memory access [1]. Second, we present side channels caused by the prefetch instructions. We will explain how these instructions can be used to translate virtual addresses to physical addresses - without the use of the proc interface that is restricted today -, and to bypass kernel ASLR [2].This talk does not require any knowledge about assembly. We promise.The talk will be given as a joint presentation by Clémentine Maurice and Moritz Lipp.[1] Daniel Gruss, Clémentine Maurice, Klaus Wagner and Stefan Mangard, "Flush+Flush: A Fast and Stealthy Cache Attack", DIMVA 2016[2] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard, "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR", CCS 2016

    KW - side-channel attacks

    M3 - (Old data) Lecture or Presentation

    ER -