Hardware Enclave Attacks CS261
|
|
- Bryan Anderson
- 5 years ago
- Views:
Transcription
1 Hardware Enclave Attacks CS261
2 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor Off-chip devices 2
3 Attacks on Hardware Enclaves Attacks on Intel services: Traditional server-based attacks (not interesting) Attacks on enclave code: Exploiting software vulnerabilities Interesting API-based attacks: Iago attacks (ASPLOS 13) Attacks on Intel CPUs: Cache timing side channels, Spectre / Meltdown (Foreshadow) Controlled-channel attacks 3
4 Enclave Page Permissions Physical Memory EPC Process Enclave 1. EPCM VA V RWX SECS 2. Page Table Enclave Page Permission = EPCM[RWX] AND PT[RWX] VA RWX PA 4
5 Page Faults in Enclaves Physical Memory EPC Process AEP: ERESUME Enclave X = *(addr); Page Fault RAX: RBX: RIP: AEP (Async Exit Pointer) Fault Addr: addr & ~(FFF) OS Kernel Leaking the higher 52 bits (i.e., 64-12) of page fault address 5
6 Target Code Input-dependent branches if (secret & 0x1) process_one(); else process_zero(); Page A Page B Input-dependent data access data_array[secret << 12] = 1; secret = 0 secret = 1 secret = 2 Page X Page X + 1 Page X + 2 6
7 Distinguishing Same Page Addresses f2() { f4(); f1() { f2(); f3(); f3() { f5(); Page B f2() Page A f1() Page D f4(), f5() Page C f3() f4() { f5() { 7
8 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A 8
9 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B 9
10 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D 10
11 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A 11
12 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A C 12
13 Distinguishing Same Page Addresses f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() Page B Page C f2() f3() Page D f4(), f5() Page addresses: A B D B A C D f4() f5() 13
14 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page Fault Page A f1() Page B f2() R Page D f4(), f5() Page addresses: A R Page C f3() R R 14
15 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page B f2() Page A f1() Page D f4(), f5() Page addresses: A B R Mark executable R X to continue Page C f3() R R 15
16 Update the Page Table f2() { f4(); f4() { f1() { f2(); f3(); f3() { f5(); f5() { Page A f1() R Page B Page C f2() R X f3() Page D f4(), f5() R Page addresses: A B D R 16
17 Example: Hunspell Checker Phase 1: inserts dictionary into hash buckets Phase 2: looks up words from a secret document 17
18 Hunspell Insertion Hash::add_word(std::string word) { struct hentry *hp = malloc(); int i = hash(word); struct hentry *dp = tableptr[i]; while (dp->next!= NULL) { dp = dp->next; strcpy(hp->word, word); dp->next = hp; Word word1 word2 word3 word4 Pages A, D B, D A, E B, D, F Page(tableptr[i]) Page(node 1) Page(node 2) Page(new node) 18
19 Hunspell Lookup Hash::lookup(std::string word) { int i = hash(word); struct hentry *dp = tableptr[i]; while (dp!= NULL) { if (!strcmp(hp->word, word)) return dp; dp = dp->next; Word word1 word2 word3 word4 Pages A, D B, D A, E B, D, F Page(tableptr[i]) Page(node 1) Page(node 2) Match with the oracle 19
20 Side Channels vs Controlled Channels Cache Side Channels Controlled Channels Granularity Cachelines (64-byte) Pages (4KB) Noisiness Highly noisy Noiseless and Lossless Synchronization Scope Two-phase synchronization (e.g., PRIME+PROBE, FLUSH+RELOAD) Common to most platforms No synchronization with the victim Specific to enclaves Privileges Non-root Need root privileges 20
21 Mitigation ASLR (Address Space Layout Randomization)? Not working Can detect entry points and start-up patterns Self-paging Some architecture (e.g., RISC-V) suggests self-paging in enclaves The OS never gets any page faults Detecting attacks Execution time, page fault count, etc Forbidding page faults from enclave code T-SGX 21
22 T-SGX (NDSS 17) Intel TSX (Transactional Synchronization Extensions) Any fault abort handler unsigned status; // Begin a transaction if ((status = _xbegin()) == _XBEGIN_STARTED) { // Run any code Page Fault _xend(); else { // Abort Can forbid all page faults in enclaves (i.e., no paging) 22
23 Other Enclave Attacks Page table access/dirty bits (USENIX 17) Recently read access bit; Recently written dirty bit Can be observed without page faults Branch Predictor States (USENIX 17) Enclave and non-enclave code shares branch predictor states Can observe which branches are taken Addresses on memory bus (CCS 13) Every memory command (read / write) is visible on bus Can observe with a DIMM interposer 23
24 Questions? Hardware Enclave Attacks 24
Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems
Controlled- Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado The University of Texas at Austin, Microsoft Research San Jose, CA May
More informationVarys. Protecting SGX Enclaves From Practical Side-Channel Attacks. Oleksii Oleksenko, Bohdan Trach. Mark Silberstein
Varys Protecting SGX Enclaves From Practical Side-Channel Attacks Oleksii Oleksenko, Bohdan Trach Robert Krahn, Andre Martin, Christof Fetzer Mark Silberstein Key issue of the cloud: We cannot trust it
More informationT-SGX: Eradicating Controlled-Channel
T-SGX: Eradicating Controlled-Channel Attacks Against Enclave Programs Ming-Wei Shih Sangho Lee Taesoo Kim Marcus Peinado Georgia Institute of Technology Microsoft Research 2 3 Intel SGX aims to secure
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationSGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 3b SGX Enclave Life Cycle Tracking TLB Flushes Security Guarantees Slide deck extracted from Kamran s tutorial on SGX and Chenglu s security analysis
More informationIntroduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017
Introduction to SGX (Software Guard Extensions) and SGX Virtualization Kai Huang, Jun Nakajima (Speaker) July 12, 2017 1 INTEL RESTRICTED SECRET Agenda SGX Introduction Xen SGX Virtualization Support Backup
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationTo accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh
To accelerate our learnings, we brought in an expert in CPU side channel attacks Anders Fogh Virtualization-based isolation Microsoft Azure, Hyper-V Affected Kernel-user separation Windows Affected Process-based
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leak Cauldron on the Dark Land: Understanding Memor Side-Channel Hazards in SGX 1,4 Wenhao Wang, 2 Guoxing Chen, 1 Xiaorui Pan, 2 Yinqian Zhang, 1 XiaoFeng Wang, 3 Vincent Bindschaedler, 1 Haixu Tang and
More informationSanctum: Minimal HW Extensions for Strong SW Isolation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 7a Sanctum: Minimal HW Extensions for Strong SW Isolation Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical &
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationMeltdown and Spectre - understanding and mitigating the threats
Meltdown and Spectre - understanding and mitigating the threats Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @RenditionSec The sky isn t falling!
More informationIntel Software Guard Extensions (Intel SGX) SGX2
Intel Software Guard Extensions (Intel SGX) SGX2 Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie- Hurd, Carlos Rozas, Mark Shanahan, Bin (Cedric) Xing June 18,
More informationSide Channels and Runtime Encryption Solutions with Intel SGX
Leader in Runtime Encryption Whitepaper Side Channels and Runtime Encryption Solutions with Intel SGX by Andy Leiserson, Chief Architect at Fortanix Executive Summary Introduction to Side Channel Attacks
More informationControlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. Yuanzhong Xu, Weidong Cui, Marcus Peinado
: Deterministic Side Channels for Untrusted Operating Systems Yuanzhong Xu, Weidong Cui, Marcus Peinado 2 Goal Protect the data of applications running on remote hardware 3 New tech Trusted Platform Modules
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationThe Story of Meltdown and Spectre. Jann Horn & Daniel Gruss May 17, 2018
The Story of Meltdown and Spectre Jann Horn & Daniel Gruss May 17, 2018 1 Who are we Jann Horn Google Project Zero jannh@google.com 2 Who are we Daniel Gruss Post-Doc @ Graz University Of Technology @lavados
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationKomodo: Using Verification to Disentangle Secure-Enclave Hardware from Software
Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software Andrew Ferraiuolo, Andrew Baumann, Chris Hawblitzel, Bryan Parno* Microsoft Research, Cornell University, Carnegie Mellon
More informationDisclaimer. This talk vastly over-simplifies things. See notes for full details and resources.
Greg Kroah-Hartman Disclaimer This talk vastly over-simplifies things. See notes for full details and resources. https://github.com/gregkh/presentation-spectre Spectre Hardware bugs Valid code can be tricked
More informationForeshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck, imec-distrinet, KU Leuven; Marina Minkin, Technion; Ofir Weisse, Daniel Genkin, and Baris Kasikci,
More informationIntel SGX Virtualization
Sean Christopherson Intel Intel SGX Virtualization KVM Forum 2018 Traditional VM Landscape App s secrets accessible by any privileged entity, e.g. VMM and OS App App App or a malicious app that has exploited
More informationMulti-level Translation. CS 537 Lecture 9 Paging. Example two-level page table. Multi-level Translation Analysis
Multi-level Translation CS 57 Lecture 9 Paging Michael Swift Problem: what if you have a sparse address space e.g. out of GB, you use MB spread out need one PTE per page in virtual address space bit AS
More informationHY225 Lecture 12: DRAM and Virtual Memory
HY225 Lecture 12: DRAM and irtual Memory Dimitrios S. Nikolopoulos University of Crete and FORTH-ICS May 16, 2011 Dimitrios S. Nikolopoulos Lecture 12: DRAM and irtual Memory 1 / 36 DRAM Fundamentals Random-access
More informationVirtual Memory Nov 9, 2009"
Virtual Memory Nov 9, 2009" Administrivia" 2! 3! Motivations for Virtual Memory" Motivation #1: DRAM a Cache for Disk" SRAM" DRAM" Disk" 4! Levels in Memory Hierarchy" cache! virtual memory! CPU" regs"
More informationExploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
More informationDisclaimer. This talk vastly over-simplifies things. See notes for full details and resources.
Greg Kroah-Hartman Disclaimer This talk vastly over-simplifies things. See notes for full details and resources. https://github.com/gregkh/presentation-spectre Spectre Hardware bugs Valid code can be tricked
More informationLecture Secure, Trusted and Trustworthy Computing Introduction to SGX
Lecture Secure, and Trustworthy Computing Introduction to Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17 Intel Software Guard Extensions
More informationSpectre Returns! Speculation Attacks Using Return Stack Buffer
Spectre Returns! Speculation Attacks Using Return Stack Buffer Esmaeil Mohammadian, Khaled N. Khasawneh, Chengyue Song and Nael Abu-Ghazaleh University of California, Riverside WOOT 2018 BALTIMORE, USA
More informationCS 4284 Systems Capstone. Virtual Memory Page Tables Godmar Back
CS 4284 Systems Capstone Virtual Memory Page Tables Godmar Back Virtual Memory Virtual Memory Is not a kind of memory Is a technique that combines one or more of the following concepts: Address translation
More informationA Comparison Study of Intel SGX and AMD Memory Encryption Technology
A Comparison Study of Intel SGX and AMD Memory Encryption Technology Saeid Mofrad, Fengwei Zhang Shiyong Lu Wayne State University {saeid.mofrad, Fengwei, Shiyong}@wayne.edu Weidong Shi (Larry) University
More informationSpectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick
Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment Orin Thomas @orinthomas Jeff Melnick Jeff.Melnick@Netwrix.com In this session Vulnerability types Spectre Meltdown Spectre
More informationSoftware Solutions to Micro-architectural Side Channels. Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University
Software Solutions to Micro-architectural Side Channels Yinqian Zhang Assistant Professor Computer Science & Engineering The Ohio State University Introduction Research interests Computer system security
More informationComputer Architecture Background
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 2b Computer Architecture Background Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen Department of Electrical & Computer Engineering
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationInfluential OS Research Security. Michael Raitza
Influential OS Research Security Michael Raitza raitza@os.inf.tu-dresden.de 1 Security recap Various layers of security Application System Communication Aspects of security Access control / authorization
More informationarxiv: v2 [cs.cr] 30 Aug 2017
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX Wenhao Wang 1, Guoxing Chen 3, Xiaorui Pan 2, Yinqian Zhang 3, XiaoFeng Wang 2, Vincent Bindschaedler 4, Haixu Tang 2,
More informationLecture 19: Virtual Memory: Concepts
CSCI-UA.2-3 Computer Systems Organization Lecture 9: Virtual Memory: Concepts Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified) from: Clark Barrett
More informationComputer Science 146. Computer Architecture
Computer Architecture Spring 2004 Harvard University Instructor: Prof. dbrooks@eecs.harvard.edu Lecture 18: Virtual Memory Lecture Outline Review of Main Memory Virtual Memory Simple Interleaving Cycle
More informationJump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow
More informationVirtual Memory. Virtual Memory
Virtual Memory Virtual Memory Main memory is cache for secondary storage Secondary storage (disk) holds the complete virtual address space Only a portion of the virtual address space lives in the physical
More informationVirtual Memory. CS 3410 Computer System Organization & Programming
Virtual Memory CS 3410 Computer System Organization & Programming These slides are the product of many rounds of teaching CS 3410 by Professors Weatherspoon, Bala, Bracy, and Sirer. Where are we now and
More informationIntel Software Guard Extensions (SGX) SW Development Guidance for Potential Bounds Check Bypass (CVE ) Side Channel Exploits.
Intel Software Guard Extensions (SGX) SW Development Guidance for Potential Bounds Check Bypass (CVE-2017-5753) Side Channel Exploits White Paper Revision 1.0 February 2018 Intel technologies features
More informationComputer Systems. Virtual Memory. Han, Hwansoo
Computer Systems Virtual Memory Han, Hwansoo A System Using Physical Addressing CPU Physical address (PA) 4 Main memory : : 2: 3: 4: 5: 6: 7: 8:... M-: Data word Used in simple systems like embedded microcontrollers
More informationLec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements
Lec 22: Interrupts Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University HW 3 HW4: due this Friday Announcements PA 3 out Nov 14 th Due Nov 25 th (feel free to turn it in early) Demos and
More informationRetpoline: A Branch Target Injection Mitigation
Retpoline: A Branch Target Injection Mitigation White Paper Revision 003 June, 2018 Any future revisions to this content can be found at https://software.intel.com/security-software-guidance/ when new
More informationAscend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 7b Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM) Marten van Dijk Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen
More informationCache Side Channel Attacks on Intel SGX
Cache Side Channel Attacks on Intel SGX Princeton University Technical Report CE-L2017-001 January 2017 Zecheng He Ruby B. Lee {zechengh, rblee}@princeton.edu Department of Electrical Engineering Princeton
More informationSpeculative Execution Side Channel Mitigations
Speculative Execution Side Channel Mitigations Revision 3.0 May 2018 Any future revisions to this content can be found at https://software.intel.com/security-software-guidance/ when new information is
More informationRyoan: A Distributed Sandbox for Untrusted Computation on Secret Data
Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data Tyler Hunt, Zhiting Zhu, Yuanzhong Xu, Simon Peter, and Emmett Witchel University of Texas at Austin OSDI 2016 Presented by John Alsop
More informationStrong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory Daniel Gruss, Graz University of Technology, Graz, Austria; Julian Lettner, University of California, Irvine, USA;
More informationvirtual memory Page 1 CSE 361S Disk Disk
CSE 36S Motivations for Use DRAM a for the Address space of a process can exceed physical memory size Sum of address spaces of multiple processes can exceed physical memory Simplify Management 2 Multiple
More informationSpectre and Meltdown. Clifford Wolf q/talk
Spectre and Meltdown Clifford Wolf q/talk 2018-01-30 Spectre and Meltdown Spectre (CVE-2017-5753 and CVE-2017-5715) Is an architectural security bug that effects most modern processors with speculative
More informationSide-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks
Side-Channel Attacks on Intel SGX: How SGX Amplifies The Power of Cache Attacks by Ahmad Moghimi A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
More informationWho am I? Moritz Lipp PhD Graz University of
Who am I? Moritz Lipp PhD student @ Graz University of Technology @mlqxyz moritz.lipp@iaik.tugraz.at 1 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology Who am I? Michael Schwarz
More informationVersion:1.1. Overview of speculation-based cache timing side-channels
Author: Richard Grisenthwaite Date: January 2018 Version 1.1 Introduction This whitepaper looks at the susceptibility of Arm implementations following recent research findings from security researchers
More informationarxiv: v2 [cs.cr] 16 Jun 2018
SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation Khaled N. Khasawneh Department of Computer Science and Engineering University of California, Riverside Email: kkhas1@ucr.edu
More informationECE232: Hardware Organization and Design
ECE232: Hardware Organization and Design Lecture 28: More Virtual Memory Adapted from Computer Organization and Design, Patterson & Hennessy, UCB Overview Virtual memory used to protect applications from
More informationVirtual Memory. Motivation:
Virtual Memory Motivation:! Each process would like to see its own, full, address space! Clearly impossible to provide full physical memory for all processes! Processes may define a large address space
More informationRuntime Integrity Checking for Exploit Mitigation on Embedded Devices
Runtime Integrity Checking for Exploit Mitigation on Embedded Devices Matthias Neugschwandtner IBM Research, Zurich eug@zurich.ibm.com Collin Mulliner Northeastern University, Boston collin@mulliner.org
More informationMonitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015
Monitoring Hypervisor Integrity at Runtime Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015 Motivation - Server Virtualization Trend x86 servers were virtualized
More informationBUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX
BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX FLORIAN KERSCHBAUM, UNIVERSITY OF WATERLOO JOINT WORK WITH BENNY FUHRY (SAP), ANDREAS FISCHER (SAP) AND MANY OTHERS DO YOU TRUST YOUR CLOUD SERVICE
More informationVirtual Memory Oct. 29, 2002
5-23 The course that gives CMU its Zip! Virtual Memory Oct. 29, 22 Topics Motivations for VM Address translation Accelerating translation with TLBs class9.ppt Motivations for Virtual Memory Use Physical
More informationRacing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races. CS 563 Young Li 10/31/18
Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races CS 563 Young Li 10/31/18 Intel Software Guard extensions (SGX) and Hyper-Threading What is Intel SGX? Set of
More informationVirtual Memory. CS 3410 Computer System Organization & Programming. [K. Bala, A. Bracy, E. Sirer, and H. Weatherspoon]
Virtual Memory CS 3410 Computer System Organization & Programming [K. Bala, A. Bracy, E. Sirer, and H. Weatherspoon] Click any letter let me know you re here today. Instead of a DJ Clicker Question today,
More informationWilliam Stallings Computer Organization and Architecture. Chapter 11 CPU Structure and Function
William Stallings Computer Organization and Architecture Chapter 11 CPU Structure and Function CPU Structure CPU must: Fetch instructions Interpret instructions Fetch data Process data Write data Registers
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationAddress Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Address Translation Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to reduce the size of page tables? How to reduce the time for
More informationVirtual Memory II CSE 351 Spring
Virtual Memory II CSE 351 Spring 2018 https://xkcd.com/1495/ Virtual Memory (VM) Overview and motivation VM as a tool for caching Address translation VM as a tool for memory management VM as a tool for
More informationAnne Bracy CS 3410 Computer Science Cornell University
Anne Bracy CS 3410 Computer Science Cornell University The slides were originally created by Deniz ALTINBUKEN. P&H Chapter 4.9, pages 445 452, appendix A.7 Manages all of the software and hardware on the
More informationMeltdown, Spectre, and Security Boundaries in LEON/GRLIB. Technical note Doc. No GRLIB-TN-0014 Issue 1.1
Template: GQMS-TPLT-1-1-0 Meltdown, Spectre, and Security Boundaries in LEON/GRLIB Technical note 2018-03-15 Doc. No Issue 1.1 Date: 2018-03-15 Page: 2 of 8 CHANGE RECORD Issue Date Section / Page Description
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationVirtual Memory. CS61, Lecture 15. Prof. Stephen Chong October 20, 2011
Virtual Memory CS6, Lecture 5 Prof. Stephen Chong October 2, 2 Announcements Midterm review session: Monday Oct 24 5:3pm to 7pm, 6 Oxford St. room 33 Large and small group interaction 2 Wall of Flame Rob
More informationTelling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution
Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution Jo Van Bulck, imec-distrinet, KU Leuven; Nico Weichbrodt and Rüdiger Kapitza, IBR DS, TU Braunschweig;
More informationVirtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1
Virtual Memory Patterson & Hennessey Chapter 5 ELEC 5200/6200 1 Virtual Memory Use main memory as a cache for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs
More informationVirtual Memory. Physical Addressing. Problem 2: Capacity. Problem 1: Memory Management 11/20/15
Memory Addressing Motivation: why not direct physical memory access? Address translation with pages Optimizing translation: translation lookaside buffer Extra benefits: sharing and protection Memory as
More informationHacking in Darkness: Return-oriented Programming against Secure Enclaves
Hacking in Darkness: Return-oriented Programming against Secure Enclaves Jaehyuk Lee and Jinsoo Jang, KAIST; Yeongjin Jang, Georgia Institute of Technology; Nohyun Kwak, Yeseul Choi, and Changho Choi,
More informationVirtual Memory. Motivations for VM Address translation Accelerating translation with TLBs
Virtual Memory Today Motivations for VM Address translation Accelerating translation with TLBs Fabián Chris E. Bustamante, Riesbeck, Fall Spring 2007 2007 A system with physical memory only Addresses generated
More informationarxiv: v1 [cs.cr] 3 Jan 2018
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationShreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S
Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units
More information14 May 2012 Virtual Memory. Definition: A process is an instance of a running program
Virtual Memory (VM) Overview and motivation VM as tool for caching VM as tool for memory management VM as tool for memory protection Address translation 4 May 22 Virtual Memory Processes Definition: A
More informationInferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim, Georgia Institute of Technology; Marcus Peinado, Microsoft
More informationÉvolution des attaques sur la micro-architecture
Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on
More informationCSE 351. Virtual Memory
CSE 351 Virtual Memory Virtual Memory Very powerful layer of indirection on top of physical memory addressing We never actually use physical addresses when writing programs Every address, pointer, etc
More informationCISC 360. Virtual Memory Dec. 4, 2008
CISC 36 Virtual Dec. 4, 28 Topics Motivations for VM Address translation Accelerating translation with TLBs Motivations for Virtual Use Physical DRAM as a Cache for the Disk Address space of a process
More informationCSE 560 Computer Systems Architecture
This Unit: CSE 560 Computer Systems Architecture App App App System software Mem I/O The operating system () A super-application Hardware support for an Page tables and address translation s and hierarchy
More informationCS5460: Operating Systems Lecture 14: Memory Management (Chapter 8)
CS5460: Operating Systems Lecture 14: Memory Management (Chapter 8) Important from last time We re trying to build efficient virtual address spaces Why?? Virtual / physical translation is done by HW and
More informationVMM Emulation of Intel Hardware Transactional Memory
VMM Emulation of Intel Hardware Transactional Memory Maciej Swiech, Kyle Hale, Peter Dinda Northwestern University V3VEE Project www.v3vee.org Hobbes Project 1 What will we talk about? We added the capability
More informationMemory Defenses. The Elevation from Obscurity to Headlines. Rajeev Balasubramonian School of Computing, University of Utah
Memory Defenses The Elevation from Obscurity to Headlines Rajeev Balasubramonian School of Computing, University of Utah Image sources: pinterest, gizmodo 2 Spectre Overview Victim Code x is controlled
More informationMemory Hierarchies 2009 DAT105
Memory Hierarchies Cache performance issues (5.1) Virtual memory (C.4) Cache performance improvement techniques (5.2) Hit-time improvement techniques Miss-rate improvement techniques Miss-penalty improvement
More informationSecurity-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat
Security-Aware Processor Architecture Design CS 6501 Fall 2018 Ashish Venkat Agenda Theme Selection (due today at 11:59:59pm) Readings and Presentation Logistics Quick Processor Architecture Review (continued
More informationVirtual Memory I. CSE 351 Spring Instructor: Ruth Anderson
Virtual Memory I CSE 35 Spring 27 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis Administrivia Midterms Graded If you did
More informationCarnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition
Carnegie Mellon Virtual Memory: Concepts 5-23: Introduction to Computer Systems 7 th Lecture, October 24, 27 Instructor: Randy Bryant 2 Hmmm, How Does This Work?! Process Process 2 Process n Solution:
More informationHello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer
More informationWhite Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents
White Paper How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet Programs that do a lot of I/O are likely to be the worst hit by the patches designed to fix the Meltdown
More information