SlideShare a Scribd company logo

[若渴]Study on Side Channel Attacks and Countermeasures

Aj MaChInE
Aj MaChInE

[投影片錯誤更正] p.43 中間32數字改成64。右上藍色小框64改成63 原本要整理Meltdown與Spectre,但這兩個所利用的硬體行為之後都跟cache side channel有關係,所以閱讀Meltdown與Spectre之餘,就整理了相關cache side channel攻擊與防禦。 回饋問題: 一: 為什麼LLC要切割成LLC slice? "Modern Intel processors, starting with the Sandy Bridge microarchitecture, use a more complex architecture for the LLC, to improve its performance. The LLC is divided into per-core slices, which are connected by a ring bus. Slices can be accessed concurrently and are effectively separate caches, although the bus ensures that each core can access the full LLC (with higher latency for remote slices)." 二: flush+reload with shared memory pages,為什麼要 flush+reload? 不是可以直接存取到資料? 討論的是共用shared library,洩漏victim使用shared library的情形。 三: RDTSCP ? 可量測執行指令的cycle數。 四: side channel攻擊需要環境運作的程式不能太複雜? Kuon: 實際案例 embed運作環境並不複雜,e.g. trustzone上可能只運作openSSL。 AJ: 就算在複雜環境,可以找到觸發Victim的特定運算點,也是可以進行觀測。

Education
1 of 60
Download to read offline
Study on Side Channel Attacks and Countermeasures @若渴 2018.1.20 <ajblane0612@gmail.com> AjMaChInE
Outline • Modem Computing Architectures • Side channel attacks • Countermeasures
Modem Computing Architectures * Modern high-performance CPU pipeline * Cache
[0]
[1]
[2]
[4]
VIVT: Virtually indexed, virtually tagged * Fast * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache PIPT: Physically indexed, physically tagged * Slow (TLB lookup for index) * Shared memory only once in cache! [5]
PIVT: Physically indexed, virtually tagged * Slow (TLB lookup for index) * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache VIPT: Virtually indexed, physically tagged * Fast * 4 KiB pages: last 12 bits of VA and PA are equal * Using more bits has disadvantages (like VIVT) ! Cache size # ways page size [5]
Ring Bus Architecture and Sliced LLC [6]
[0] 只有在獲取PA狀況下, 才可以準確控制cache
Address Translation on x86-64 [4]
Address Translation Caches [3]
TrustZone Enabled Processor Memory Hierarchy [8]
Branch Target Buffer BTB addressing scheme in Haswell processor [7]
Side Channel Attacks Side-Effect Channel Attacks channel attacker side-effect victim • 目標: information leakage • 思考點: – commonality (contention ) – 如何操作commonality
Side Channels with Commonality • Cache [2][5][6][8][9][10] • Address Translation Caches [3] • Branch Target Buffer (BTB) [7] • Translation Lookaside Buffer (TLB) [12] • SMT(hyper threading) CPU [13] • …?
Cache Side Channel Attacks • Flush+Reload with shared memory pages • Prime+Probe is a general technique • 利用cache當channel 至少有兩種操作手法 [8]
Flush+Reload [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption [5]
Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption step 3: attacker reloads data ! fast access if the victim loaded the line [5]
Prime+Probe step 0: attacker fills the cache (prime) [5]
Prime+Probe [5] step 0: attacker fills the cache (prime)
Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption [5]
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed [5]
Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed
Typically, 如何利用cache side channel 來達到information leakage Prime+Probe在icache中,依照時間序列知道某cache set中的cache lines在 做存取,所以可以推敲出 ei 序列。
Cache Side Channel Attacks against VM [6] cryptographic keys
Cache Side Channel Attacks against Brower [9]
Cache Side Channel Attacks against TrustZone [8]
好像很簡單? 困難: reverse-engineer some cache for finding eviction set to occupy exactly one cache set • VM (guest-VA  guest-PA  L1  L2 L3  PA) • Browser (Typed Array Specification  VA  L1  L2  L3  PA) • TrustZone (VA  L1  L2  L3  PA)
cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode controlled VA all the index bits are within the page offset the same set index bits may be located in different LLC slices
[6][9] set candidate
cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 8MB “eviction buffer” of physical memory will completely invalidate all cache sets in the L3 cache 8192 cache sets in 131K offsets (8MB/64bytes) slow
06111863 17 • 0-11 -> 4kb page mode • 6-18 -> cache set index • 17-63 -> are hashed to form the upper 2 bits of the cache index (4 slice) fixing some subset of the 131K offsets
4KB 00 01 64 32 64b 06111863 17 5 8MB 4KB 4KB …000000000000 …000001000000 2^(18-11) cache set in 2^(18-11) cache sets in …0000000000000 …1000000000000 有可能cache contention cache contention
cache L1 VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 效能差(操作L3 cache miss),但 可攻擊 只適用 cloud環境 [5][6][9] [10]
Side Channel Attacks of Address Translation Cache “Double page fault attack, where an unprivileged attacker tries to access an inaccessible kernel memory location, triggering a page fault. After the page fault interrupt is handled by the operating system, the control is handed back to an error handler in the user program. The attacker measures the execution time of the page fault interrupt. If the memory location is valid, regardless of whether it is accessible or not, address translation table entries are copied into the corresponding address translation caches. The attacker then tries to access the same inaccessible memory location again. If the memory location is valid, the address translation is already cached and the page fault interrupt will take less time. Thus, the attacker learns whether a memory location is valid or not, even if it is not accessible from the user space.” [3] 借助OS處理能力與page table共用特性
double page fault attack [5][11] –> KASLR is Dead
Side Channel Attacks of Branch Target Buffer BTB contention
The reverse engineered BTB addressing scheme in the HasWell processor [7] In particular, the kernel code must be aligned at 2MB boundaries. To find a collision
[7] As a result, only the Page Directory Entry (PDE) bits (9 bit)of virtual addresses are randomized (512 possible)
[7]
BTB side channel attacks –> KASLR is Dead [7]
SMT side channel attacks • 在沒有網路狀況下,兩VMs資料如何對傳? [13] senderreceiver SMT CPU
Countermeasure of Side Channel Attacks
Countermeasure for Cache Side- Channel attacks • Less accurate timer • Page coloring – Avoiding collisions in the LLC; Location in LLC determined by physical address; Give each user a color (address bits); • Behavior detection – Hardware Performance Counters (HPCs) can track hardware events (e.g. LLC misses) • Design cache leakage free code (e.g. Square-and- Multiply exponentiation) • disable cache-line sharing – Intel Cache Allocation Technology [7][15]
Countermeasure for Side Channel Attacks of Address Translation Caches • Shadow Address Space • 只是user kernel共用的page table分開,並把kennel page table藏起來。 效果會是kernel藏起來,但其實還是在physical memory中) • 不是使用TLB flush,而是使用Disable the PTE global bits [3]
對於BTB/TLB/SMT 的side channel attacks至目 前閱讀為止沒有好的countermeasures 。
萬萬沒想到 speculative execution在 執行完discard時,會把相關資訊留 在cache裡。 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 [16][17]
Reference • [0] “Negative Result: Reading Kernel Memory From User Mode”, July 28, 2017, https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ • [1] “Broadcom Bares Muscular ARM”, https://investorshub.advfn.com/boards/read_msg.aspx?message_id=95215022 • [2] “Practical Timing Side Channel Attacks Against Kernel Space ASLR”, 19-22 May 2013, http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf • [3] “KASLR is Dead: Long Live KASLR”, 24 June 2017 https://misc0110.net/web/files/kaiser_slides.pdf, https://gruss.cc/files/kaiser.pdf • [4] ] “ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A”, http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG. pdf • [5] “Cache Side-Channel Attacks and the case of Rowhammer”, April 28, 2016, https://gruss.cc/files/cache_and_rowhammer_ruhrsec.pdf • [6] “Last-Level Cache Side-Channel Attacks are Practical”, 17-21 May 2015 http://palms.ee.princeton.edu/system/files/SP_vfinal.pdf, https://pdfs.semanticscholar.org/81f6/c43188a2308b36a0c47570f7e7ec19cc20e1.pdf • [7] “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, 15-19 Oct. 2016 http://ieeexplore.ieee.org/document/7783743/ • [8] “TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices”, 2016, https://eprint.iacr.org/2016/980.pdf
Reference • [9] “The Spy in the Sandbox -- Practical Cache Attacks in Javascript and their Implications ”, 1 Mar 2015, http://www.cs.columbia.edu/~simha/spyjs.ccs15.pdf, https://arxiv.org/pdf/1502.07373.pdf • [10] “Malware Guard Extension: Using SGX to Conceal Cache Attacks”, 1 Mar 2017 , https://arxiv.org/pdf/1702.08719.pdf • [11]” DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX”, August 3, 2016, https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space- Layout-Randomization-KASLR-With-Intel-TSX.pdf • [12] “ASLR on the Line: Practical Cache Attacks on the MMU”,2017 , http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf • [13] “Covert shotgun: Automatically finding covert channels in SMT”, September 27, 2016 , https://cyber.wtf/2016/09/27/covert-shotgun/, https://www.youtube.com/watch?v=oVmPQCT5VkY [presentation] • [14] “Cache Side Channel Attack: Exploitability and Countermeasures”, 2017, https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack- Exploitability-And-Countermeasures.pdf • [15] “Cache side channel attacks”, What Stone dream about: Cache side channel attacks, http://dreamsofastone.blogspot.tw/2015/09/cache-side-channel-attacks.html • [16] “Meltdown and Spectre”, 2017, https://meltdownattack.com/
DRAM Side Channel Attacks against SGX

Recommended

Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Pankaj Suryawanshi
 
Slideshare - linux crypto
Slideshare - linux cryptoSlideshare - linux crypto
Slideshare - linux cryptoJin Wu
 
Linux DMA Engine
Linux DMA EngineLinux DMA Engine
Linux DMA EngineSysPlay eLearning Academy for You
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
COSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingCOSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingEric Lin
 
Introduction to ARM big.LITTLE technology
Introduction to ARM big.LITTLE technologyIntroduction to ARM big.LITTLE technology
Introduction to ARM big.LITTLE technology義洋 顏
 

Recommended

Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Linux Memory Management with CMA (Contiguous Memory Allocator)
Linux Memory Management with CMA (Contiguous Memory Allocator)Pankaj Suryawanshi
 
Slideshare - linux crypto
Slideshare - linux cryptoSlideshare - linux crypto
Slideshare - linux cryptoJin Wu
 
Linux DMA Engine
Linux DMA EngineLinux DMA Engine
Linux DMA EngineSysPlay eLearning Academy for You
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
COSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingCOSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingEric Lin
 
Introduction to ARM big.LITTLE technology
Introduction to ARM big.LITTLE technologyIntroduction to ARM big.LITTLE technology
Introduction to ARM big.LITTLE technology義洋 顏
 
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_FinalGopi Krishnamurthy
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 
RTOS - Real Time Operating Systems
RTOS - Real Time Operating SystemsRTOS - Real Time Operating Systems
RTOS - Real Time Operating SystemsEmertxe Information Technologies Pvt Ltd
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Signal Handling in Linux
Signal Handling in LinuxSignal Handling in Linux
Signal Handling in LinuxTushar B Kute
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
Q4.11: ARM Architecture
Q4.11: ARM ArchitectureQ4.11: ARM Architecture
Q4.11: ARM ArchitectureLinaro
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
The Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxThe Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxPicker Weng
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse HypervisorHKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse HypervisorLinaro
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCIMr. Vengineer
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals哲豪 康哲豪
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Aananth C N
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)HARINATH REDDY
 
ARM architcture
ARM architcture ARM architcture
ARM architcture Hossam Adel
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewNational Cheng Kung University
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and PropertiesSaadi Rahman
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 uploadCeph Community
 
VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld
 

More Related Content

What's hot

03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_FinalGopi Krishnamurthy
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Signal Handling in Linux
Signal Handling in LinuxSignal Handling in Linux
Signal Handling in LinuxTushar B Kute
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
Q4.11: ARM Architecture
Q4.11: ARM ArchitectureQ4.11: ARM Architecture
Q4.11: ARM ArchitectureLinaro
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyViller Hsiao
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
The Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxThe Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxPicker Weng
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse HypervisorHKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse HypervisorLinaro
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals哲豪 康哲豪
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Aananth C N
 
High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)HARINATH REDDY
 
ARM architcture
ARM architcture ARM architcture
ARM architcture Hossam Adel
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and PropertiesSaadi Rahman
 

What's hot (20)

03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
03_03_Implementing_PCIe_ATS_in_ARM-based_SoCs_Final
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics print
 
RTOS - Real Time Operating Systems
RTOS - Real Time Operating SystemsRTOS - Real Time Operating Systems
RTOS - Real Time Operating Systems
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Signal Handling in Linux
Signal Handling in LinuxSignal Handling in Linux
Signal Handling in Linux
 
Linux internal
Linux internalLinux internal
Linux internal
 
Q4.11: ARM Architecture
Q4.11: ARM ArchitectureQ4.11: ARM Architecture
Q4.11: ARM Architecture
 
Prerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrencyPrerequisite knowledge for shared memory concurrency
Prerequisite knowledge for shared memory concurrency
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
The Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on LinuxThe Theory and Implementation of DVFS on Linux
The Theory and Implementation of DVFS on Linux
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse HypervisorHKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCI
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
 
Virtualization Support in ARMv8+
Virtualization Support in ARMv8+Virtualization Support in ARMv8+
Virtualization Support in ARMv8+
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)High Bandwidth Memory(HBM)
High Bandwidth Memory(HBM)
 
ARM architcture
ARM architcture ARM architcture
ARM architcture
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design Overview
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and Properties
 

Similar to [若渴]Study on Side Channel Attacks and Countermeasures

VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
Experience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewExperience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewPhuwadon D
 
Caching Methodology & Strategies
Caching Methodology & StrategiesCaching Methodology & Strategies
Caching Methodology & StrategiesTiệp Vũ
 
Caching methodology and strategies
Caching methodology and strategiesCaching methodology and strategies
Caching methodology and strategiesTiep Vu
 
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics
 
Circonus: Design failures - A Case Study
Circonus: Design failures - A Case StudyCirconus: Design failures - A Case Study
Circonus: Design failures - A Case StudyHeinrich Hartmann
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...Chester Chen
 
Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines MongoDB
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Hsien-Hsin Sean Lee, Ph.D.
 
NYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentNYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentSpeedment, Inc.
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment StrategyMongoDB
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryPVS-Studio
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 

Similar to [若渴]Study on Side Channel Attacks and Countermeasures (20)

Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 upload
 
VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash VMworld 2013: Extreme Performance Series: Storage in a Flash
VMworld 2013: Extreme Performance Series: Storage in a Flash
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
Experience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's ViewExperience In Building Scalable Web Sites Through Infrastructure's View
Experience In Building Scalable Web Sites Through Infrastructure's View
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
 
Caching Methodology & Strategies
Caching Methodology & StrategiesCaching Methodology & Strategies
Caching Methodology & Strategies
 
Caching methodology and strategies
Caching methodology and strategiesCaching methodology and strategies
Caching methodology and strategies
 
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical HighlightsMaginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
Maginatics Cloud Storage Platform - MCSP 3.0 Technical Highlights
 
Circonus: Design failures - A Case Study
Circonus: Design failures - A Case StudyCirconus: Design failures - A Case Study
Circonus: Design failures - A Case Study
 
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
SF Big Analytics & SF Machine Learning Meetup: Machine Learning at the Limit ...
 
Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines Beyond the Basics 1: Storage Engines
Beyond the Basics 1: Storage Engines
 
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
Lec10 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Memory part2
 
NYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ SpeedmentNYJavaSIG - Big Data Microservices w/ Speedment
NYJavaSIG - Big Data Microservices w/ Speedment
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
 
Basics of JVM Tuning
Basics of JVM TuningBasics of JVM Tuning
Basics of JVM Tuning
 
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ libraryInterview with Anatoliy Kuznetsov, the author of BitMagic C++ library
Interview with Anatoliy Kuznetsov, the author of BitMagic C++ library
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 

More from Aj MaChInE

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IAj MaChInE
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectreAj MaChInE
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoinAj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of TrustzoneAj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for CodeAj MaChInE
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cacheAj MaChInE
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying ConcurrencyAj MaChInE
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24Aj MaChInE
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACKAj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹Aj MaChInE
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPUAj MaChInE
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDAAj MaChInE
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented ProgrammingAj MaChInE
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String AttacksAj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Pooja Bhuva
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 

Recently uploaded (20)

Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 

[若渴]Study on Side Channel Attacks and Countermeasures

  • 1. Study on Side Channel Attacks and Countermeasures @若渴 2018.1.20 <ajblane0612@gmail.com> AjMaChInE
  • 2. Outline • Modem Computing Architectures • Side channel attacks • Countermeasures
  • 3. Modem Computing Architectures * Modern high-performance CPU pipeline * Cache
  • 4. [0]
  • 5. [1]
  • 6. [2]
  • 7. [4]
  • 8. VIVT: Virtually indexed, virtually tagged * Fast * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache PIPT: Physically indexed, physically tagged * Slow (TLB lookup for index) * Shared memory only once in cache! [5]
  • 9. PIVT: Physically indexed, virtually tagged * Slow (TLB lookup for index) * Virtual Tag is not unique (Context switches) * Shared memory more than once in cache VIPT: Virtually indexed, physically tagged * Fast * 4 KiB pages: last 12 bits of VA and PA are equal * Using more bits has disadvantages (like VIVT) ! Cache size # ways page size [5]
  • 10. Ring Bus Architecture and Sliced LLC [6]
  • 14. TrustZone Enabled Processor Memory Hierarchy [8]
  • 15. Branch Target Buffer BTB addressing scheme in Haswell processor [7]
  • 16. Side Channel Attacks Side-Effect Channel Attacks channel attacker side-effect victim • 目標: information leakage • 思考點: – commonality (contention ) – 如何操作commonality
  • 17. Side Channels with Commonality • Cache [2][5][6][8][9][10] • Address Translation Caches [3] • Branch Target Buffer (BTB) [7] • Translation Lookaside Buffer (TLB) [12] • SMT(hyper threading) CPU [13] • …?
  • 18. Cache Side Channel Attacks • Flush+Reload with shared memory pages • Prime+Probe is a general technique • 利用cache當channel 至少有兩種操作手法 [8]
  • 20. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache [5]
  • 21. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line [5]
  • 22. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption [5]
  • 23. Flush+Reload step 0: attacker maps shared library ! shared memory, shared in cache step 1: attacker flushes the shared line step 2: victim loads data while performing encryption step 3: attacker reloads data ! fast access if the victim loaded the line [5]
  • 24. Prime+Probe step 0: attacker fills the cache (prime) [5]
  • 25. Prime+Probe [5] step 0: attacker fills the cache (prime)
  • 26. Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption [5]
  • 27. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 28. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 29. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 30. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption
  • 31. Prime+Probe step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed [5]
  • 32. Prime+Probe [5] step 0: attacker fills the cache (prime) step 1: victim evicts cache lines while performing encryption step 2: attacker probes data to determine if the set was accessed
  • 33. Typically, 如何利用cache side channel 來達到information leakage Prime+Probe在icache中,依照時間序列知道某cache set中的cache lines在 做存取,所以可以推敲出 ei 序列。
  • 34. Cache Side Channel Attacks against VM [6] cryptographic keys
  • 35. Cache Side Channel Attacks against Brower [9]
  • 36. Cache Side Channel Attacks against TrustZone [8]
  • 37.
  • 38. 好像很簡單? 困難: reverse-engineer some cache for finding eviction set to occupy exactly one cache set • VM (guest-VA  guest-PA  L1  L2 L3  PA) • Browser (Typed Array Specification  VA  L1  L2  L3  PA) • TrustZone (VA  L1  L2  L3  PA)
  • 39. cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode controlled VA all the index bits are within the page offset the same set index bits may be located in different LLC slices
  • 41. cache L1 [6][9] VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 8MB “eviction buffer” of physical memory will completely invalidate all cache sets in the L3 cache 8192 cache sets in 131K offsets (8MB/64bytes) slow
  • 42. 06111863 17 • 0-11 -> 4kb page mode • 6-18 -> cache set index • 17-63 -> are hashed to form the upper 2 bits of the cache index (4 slice) fixing some subset of the 131K offsets
  • 43. 4KB 00 01 64 32 64b 06111863 17 5 8MB 4KB 4KB …000000000000 …000001000000 2^(18-11) cache set in 2^(18-11) cache sets in …0000000000000 …1000000000000 有可能cache contention cache contention
  • 44. cache L1 VIPT controlled VA L3 PIPT not-controlled VA slow large(2MB) page mode 4 KB page mode 效能差(操作L3 cache miss),但 可攻擊 只適用 cloud環境 [5][6][9] [10]
  • 45. Side Channel Attacks of Address Translation Cache “Double page fault attack, where an unprivileged attacker tries to access an inaccessible kernel memory location, triggering a page fault. After the page fault interrupt is handled by the operating system, the control is handed back to an error handler in the user program. The attacker measures the execution time of the page fault interrupt. If the memory location is valid, regardless of whether it is accessible or not, address translation table entries are copied into the corresponding address translation caches. The attacker then tries to access the same inaccessible memory location again. If the memory location is valid, the address translation is already cached and the page fault interrupt will take less time. Thus, the attacker learns whether a memory location is valid or not, even if it is not accessible from the user space.” [3] 借助OS處理能力與page table共用特性
  • 46. double page fault attack [5][11] –> KASLR is Dead
  • 47. Side Channel Attacks of Branch Target Buffer BTB contention
  • 48. The reverse engineered BTB addressing scheme in the HasWell processor [7] In particular, the kernel code must be aligned at 2MB boundaries. To find a collision
  • 49. [7] As a result, only the Page Directory Entry (PDE) bits (9 bit)of virtual addresses are randomized (512 possible)
  • 50. [7]
  • 51. BTB side channel attacks –> KASLR is Dead [7]
  • 52. SMT side channel attacks • 在沒有網路狀況下,兩VMs資料如何對傳? [13] senderreceiver SMT CPU
  • 53. Countermeasure of Side Channel Attacks
  • 54. Countermeasure for Cache Side- Channel attacks • Less accurate timer • Page coloring – Avoiding collisions in the LLC; Location in LLC determined by physical address; Give each user a color (address bits); • Behavior detection – Hardware Performance Counters (HPCs) can track hardware events (e.g. LLC misses) • Design cache leakage free code (e.g. Square-and- Multiply exponentiation) • disable cache-line sharing – Intel Cache Allocation Technology [7][15]
  • 55. Countermeasure for Side Channel Attacks of Address Translation Caches • Shadow Address Space • 只是user kernel共用的page table分開,並把kennel page table藏起來。 效果會是kernel藏起來,但其實還是在physical memory中) • 不是使用TLB flush,而是使用Disable the PTE global bits [3]
  • 56. 對於BTB/TLB/SMT 的side channel attacks至目 前閱讀為止沒有好的countermeasures 。
  • 58. Reference • [0] “Negative Result: Reading Kernel Memory From User Mode”, July 28, 2017, https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ • [1] “Broadcom Bares Muscular ARM”, https://investorshub.advfn.com/boards/read_msg.aspx?message_id=95215022 • [2] “Practical Timing Side Channel Attacks Against Kernel Space ASLR”, 19-22 May 2013, http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf • [3] “KASLR is Dead: Long Live KASLR”, 24 June 2017 https://misc0110.net/web/files/kaiser_slides.pdf, https://gruss.cc/files/kaiser.pdf • [4] ] “ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A”, http://infocenter.arm.com/help/topic/com.arm.doc.den0024a/DEN0024A_v8_architecture_PG. pdf • [5] “Cache Side-Channel Attacks and the case of Rowhammer”, April 28, 2016, https://gruss.cc/files/cache_and_rowhammer_ruhrsec.pdf • [6] “Last-Level Cache Side-Channel Attacks are Practical”, 17-21 May 2015 http://palms.ee.princeton.edu/system/files/SP_vfinal.pdf, https://pdfs.semanticscholar.org/81f6/c43188a2308b36a0c47570f7e7ec19cc20e1.pdf • [7] “Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR”, 15-19 Oct. 2016 http://ieeexplore.ieee.org/document/7783743/ • [8] “TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices”, 2016, https://eprint.iacr.org/2016/980.pdf
  • 59. Reference • [9] “The Spy in the Sandbox -- Practical Cache Attacks in Javascript and their Implications ”, 1 Mar 2015, http://www.cs.columbia.edu/~simha/spyjs.ccs15.pdf, https://arxiv.org/pdf/1502.07373.pdf • [10] “Malware Guard Extension: Using SGX to Conceal Cache Attacks”, 1 Mar 2017 , https://arxiv.org/pdf/1702.08719.pdf • [11]” DrK: Breaking Kernel Address Space Layout Randomization with Intel TSX”, August 3, 2016, https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space- Layout-Randomization-KASLR-With-Intel-TSX.pdf • [12] “ASLR on the Line: Practical Cache Attacks on the MMU”,2017 , http://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf • [13] “Covert shotgun: Automatically finding covert channels in SMT”, September 27, 2016 , https://cyber.wtf/2016/09/27/covert-shotgun/, https://www.youtube.com/watch?v=oVmPQCT5VkY [presentation] • [14] “Cache Side Channel Attack: Exploitability and Countermeasures”, 2017, https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack- Exploitability-And-Countermeasures.pdf • [15] “Cache side channel attacks”, What Stone dream about: Cache side channel attacks, http://dreamsofastone.blogspot.tw/2015/09/cache-side-channel-attacks.html • [16] “Meltdown and Spectre”, 2017, https://meltdownattack.com/
  • 60. DRAM Side Channel Attacks against SGX