Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
|
|
- Antony Fleming
- 5 years ago
- Views:
Transcription
1 Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer Graz University of Technology February 2017 NDSS / 25
2 Outline cache covert channels how do we get a covert channel working in the cloud? how do we get a covert channel working in a noisy environment? what are the applications of such covert channel? 2 / 25
3 CPU cache main memory is slow compared to the CPU 3 / 25
4 CPU cache main memory is slow compared to the CPU caches buffer frequently used data 3 / 25
5 CPU cache main memory is slow compared to the CPU caches buffer frequently used data every data access goes through the cache 3 / 25
6 CPU cache main memory is slow compared to the CPU caches buffer frequently used data every data access goes through the cache caches are transparent to the OS and the software 3 / 25
7 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 L1 L1 L1 L1 L2 L2 L2 L2 ring bus LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25
8 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L1 L1 L1 L2 L2 L2 L2 ring bus LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25
9 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25
10 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25
11 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores inclusive LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 4 / 25
12 Caches on Intel CPUs L1 and L2 are private core 0 core 1 core 2 core 3 last-level cache L1 L2 L1 L2 L1 L2 L1 L2 ring bus divided in slices shared across cores inclusive LLC slice 0 LLC slice 1 LLC slice 2 LLC slice 3 hash function maps a physical address to a slice 4 / 25
13 Set-associative caches Address Index Offset Cache 5 / 25
14 Set-associative caches Address Index Offset Cache set Cache Data loaded in a specific set depending on its address 5 / 25
15 Set-associative caches Address Index Offset way 0 way 3 Cache set Cache Data loaded in a specific set depending on its address Several ways per set 5 / 25
16 Set-associative caches Address Index Offset way 0 way 3 Cache set Cache line Cache Data loaded in a specific set depending on its address Several ways per set Cache line loaded in a specific way depending on the replacement policy 5 / 25
17 Timing differences cache hits cache misses Number of accesses Access time [CPU cycles] 6 / 25
18 Cache-based covert channels cache attacks exploit timing differences of memory accesses 7 / 25
19 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs 7 / 25
20 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs literature: stops working with noise on the machine 7 / 25
21 Cache-based covert channels cache attacks exploit timing differences of memory accesses covert channel: two processes communicating with each other not allowed to do so, e.g., across VMs literature: stops working with noise on the machine solution? Just use error-correcting codes 7 / 25
22 Prime+Probe attacker knows which cache set the victim accessed, not the content 8 / 25
23 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared 8 / 25
24 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared does not need shared memory, e.g., memory de-deduplication 8 / 25
25 Prime+Probe attacker knows which cache set the victim accessed, not the content works across CPU cores as the last-level cache is shared does not need shared memory, e.g., memory de-deduplication works across VM in the cloud, e.g., on Amazon EC2 8 / 25
26 Prime+Probe Victim address space Cache Attacker address space 9 / 25
27 Prime+Probe Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) 9 / 25
28 Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 9 / 25
29 Prime+Probe loads data Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running 9 / 25
30 Prime+Probe fast access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 9 / 25
31 Prime+Probe slow access Victim address space Cache Attacker address space Step 1: Attacker primes, i.e., fills, the cache (no shared memory) Step 2: Victim evicts cache lines while running Step 3: Attacker probes data to determine if set has been accessed 9 / 25
32 Why can t we just use error correcting codes? Sender Receiver (a) Transmission without errors 10 / 25
33 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error 10 / 25
34 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error Sender Receiver (c) Sender descheduled: insertions 10 / 25
35 Why can t we just use error correcting codes? Sender Sender Receiver Receiver (a) Transmission without errors (b) Noise: substitution error Sender Sender Receiver Receiver (c) Sender descheduled: insertions (d) Receiver descheduled: deletions 10 / 25
36 Our robust covert channel physical layer: transmits words as a sequence of 0 s and 1 s deals with synchronization errors data-link layer: divides data to transmit into packets corrects the remaining errors 11 / 25
37 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set 12 / 25
38 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously 12 / 25
39 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously sender transmits 0 doing nothing lines of the receiver still in cache fast access 12 / 25
40 Physical layer: Sending 0 s and 1 s sender and receiver agree on one set receiver probes the set continuously sender transmits 0 doing nothing lines of the receiver still in cache fast access sender transmits 1 accessing addresses in the set evicts lines of the receiver slow access 12 / 25
41 Eviction set generation need a set of addresses in the same cache set and same slice 13 / 25
42 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address 13 / 25
43 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address cache tag cache set index cache line offset physical address xxxx 2MB page offset we can build a set of addresses in the same cache set and same slice 13 / 25
44 Eviction set generation need a set of addresses in the same cache set and same slice problem: slice number depends on all bits of the physical address cache tag cache set index cache line offset physical address xxxx 2MB page offset we can build a set of addresses in the same cache set and same slice without knowing which slice 13 / 25
45 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets receiver eviction sets 14 / 25
46 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25
47 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S R R R R R R R R prime receiver eviction sets 14 / 25
48 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S R R R R R R R R receiver eviction sets 14 / 25
49 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S R R R R R R R R probe receiver eviction sets 14 / 25
50 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25
51 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S prime receiver eviction sets R R R R R R R R 14 / 25
52 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S receiver eviction sets R R R R R R R R 14 / 25
53 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets S S S S S S S S probe receiver eviction sets R R R R R R R R 14 / 25
54 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25
55 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R S S S S S S S S prime receiver eviction sets 14 / 25
56 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets R R R R R R R R S S S S S S S S receiver eviction sets 14 / 25
57 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R S S S S S S S S probe receiver eviction sets 14 / 25
58 Jamming agreement #1 #2 #3 #4 sender eviction sets prime Cache Sets S S S S S S S S receiver eviction sets 14 / 25
59 Jamming agreement #1 #2 #3 #4 sender eviction sets Cache Sets R R R R R R R R prime receiver eviction sets 14 / 25
60 Jamming agreement #1 #2 #3 #4 sender eviction sets probe Cache Sets S S S S S S S S receiver eviction sets 14 / 25
61 Jamming agreement sender eviction sets receiver eviction sets #1 #2 #3 #4 Cache Sets R R R R R R R R probe #1 14 / 25
62 Jamming agreement sender eviction sets #1 #2 #3 #4 Cache Sets receiver eviction sets #1 14 / 25
63 Jamming agreement sender eviction sets #1 #2 #3 #4 Cache Sets receiver eviction sets #1 14 / 25
64 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #1 14 / 25
65 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #2 #1 14 / 25
66 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #3 #2 #1 14 / 25
67 Jamming agreement sender eviction sets #1 #2 #3 #4 repeat! receiver eviction sets #4 #3 #2 #1 14 / 25
68 Sending the first image 15 / 25
69 Handling synchronization errors Physical layer word Data 12 bits 16 / 25
70 Handling synchronization errors deletion errors: request-to-send scheme that also serves as ack 3-bit sequence number request: encoded sequence number (7 bits) Physical layer word Data 12 bits SQN 3 bits 16 / 25
71 Handling synchronization errors deletion errors: request-to-send scheme that also serves as ack 3-bit sequence number request: encoded sequence number (7 bits) 0 -insertion errors: error detection code Berger codes appending the number of 0 s in the word to itself property: a word cannot consist solely of 0 s Physical layer word Data SQN EDC 12 bits 3 bits 4 bits 16 / 25
72 Synchronization (before) 17 / 25
73 Synchronization (after) 18 / 25
74 Synchronization (after) 18 / 25
75 Synchronization (after) 18 / 25
76 Data-link layer: Error correction Reed-Solomon codes to correct the remaining errors 19 / 25
77 Data-link layer: Error correction Reed-Solomon codes to correct the remaining errors RS word size = physical layer word size = 12 bits packet size = = 4095 RS words 10% error-correcting code: 409 parity and 3686 data RS words 3686 RS-words 409 RS-words Data-link layer packet Data Parity Physical layer word Data SQN EDC 12 bits 3 bits 4 bits 19 / 25
78 Error correction (after) 20 / 25
79 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% 21 / 25
80 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 21 / 25
81 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 Amazon EC KBps 0.00% 21 / 25
82 Evaluation Environment Bit rate Error rate Noise Native KBps 0.00% Native KBps 0.00% stress -m 1 Amazon EC KBps 0.00% Amazon EC KBps 0.00% web server serving files on sender VM Amazon EC KBps 0.00% stress -m 2 on sender VM Amazon EC KBps 0.00% stress -m 1 on receiver VM Amazon EC KBps 0.00% web server on all 3 VMs, stress -m 4 on 3rd VM, stress -m 1 on sender and receiver VMs Amazon EC KBps 0.00% stress -m 8 on third VM 21 / 25
83 Building an SSH connection VM 1 TCP Client (e.g. ssh) TCP File Socket File System Covert Channel VM 2 Hypervisor Socket File System TCP Server (e.g. sshd) TCP File Covert Channel Prime+Probe Prime+Probe Last Level Cache (LLC) 22 / 25
84 SSH evaluation Between two instances on Amazon EC2 Noise No noise stress -m 8 on third VM Web server on third VM Web server on SSH server VM Web server on all VMs stress -m 1 on server side Connection unstable 23 / 25
85 SSH evaluation Between two instances on Amazon EC2 Noise No noise stress -m 8 on third VM Web server on third VM Web server on SSH server VM Web server on all VMs stress -m 1 on server side Connection unstable Telnet also works with occasional corrupted bytes with stress -m 1 23 / 25
86 Conclusion cache covert channels are practical 24 / 25
87 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise 24 / 25
88 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection 24 / 25
89 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25
90 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25
91 Conclusion cache covert channels are practical even in the cloud, even in presence of extraordinary noise our robust covert channel supports an SSH connection we extended Amazon s product portfolio :) 24 / 25
92 Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer Graz University of Technology February 2017 NDSS / 25
Évolution des attaques sur la micro-architecture
Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on
More informationCJAG: Cache-based Jamming Agreement
CJAG: Cache-based Jamming Agreement Establishing a covert channel between co-located VMs Michael Schwarz and Manuel Weber Graz University of Technology, Austria Abstract. Cache-based covert channels are
More informationFantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard Graz University of Technology April 2017
More informationARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
More informationFrom bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
More informationRowhammer.js: Root privileges for web apps?
Rowhammer.js: Root privileges for web apps? Daniel Gruss (@lavados) 1, Clémentine Maurice (@BloodyTangerine) 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1 Rennes Graz Clémentine
More informationRowhammer.js: A Remote Software- Induced Fault Attack in Javascript
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript Daniel Gruss, Clementine Maurice and Stefan Mangard Graz University of Technology, Austria Rowhammer bug (I) Different DRAM cells can
More informationarxiv: v3 [cs.cr] 5 Apr 2016
Flush+Flush: A Fast and Stealthy Cache Attack Daniel Gruss, Clémentine Maurice, Klaus Wagner, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04594v3 [cs.cr] 5 Apr 2016 Abstract. Research
More informationReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay Mengjia Yan, Yasser Shalabi, Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu MICRO
More informationFlush+Flush: A Stealthier Last-Level Cache Attack
Flush+Flush: A Stealthier Last-Level Cache Attack Daniel Gruss Graz University of Technology, Austria daniel.gruss@iaik.tugraz.at Clémentine Maurice Technicolor, Rennes, France Eurecom, Sophia-Antipolis,
More informationJavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss 20.02.2018 www.iaik.tugraz.at 1 Michael Schwarz, Moritz Lipp, Daniel Gruss www.iaik.tugraz.at Outline
More informationarxiv: v2 [cs.cr] 30 Nov 2015
Reverse Engineering Intel DRAM Addressing and Exploitation - Work in Progress - arxiv:1511.08756v2 [cs.cr] 30 Nov 2015 Peter Pessl, Daniel Gruss, Clémentine Maurice, Michael Schwarz and Stefan Mangard
More informationECE232: Hardware Organization and Design
ECE232: Hardware Organization and Design Lecture 28: More Virtual Memory Adapted from Computer Organization and Design, Patterson & Hennessy, UCB Overview Virtual memory used to protect applications from
More informationS$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES
2015 IEEE Symposium on Security and Privacy S$A: A Shared Cache Attack that Works Across Cores and Defies VM Sandboxing and its Application to AES Gorka Irazoqui Worcester Polytechnic Institute Worcester,USA
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks
Malware Guard Extension: Using SGX to Conceal Cache Attacks Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria Abstract. In modern
More informationWhen Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins
When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins Michael Schwarz, Moritz Lipp michael.schwarz@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at Abstract In our talk, we show that despite all
More informationPractical Keystroke Timing Attacks in Sandboxed JavaScript
Practical Keystroke Timing Attacks in Sandboxed JavaScript M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, S. Mangard Sep 11, 2017 ESORICS 17 Graz University of Technology Motivation Keystroke timing
More informationVirtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1
Virtual Memory Patterson & Hennessey Chapter 5 ELEC 5200/6200 1 Virtual Memory Use main memory as a cache for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs
More informationCSCI 466 Midterm Networks Fall 2013
CSCI 466 Midterm Networks Fall 2013 Name: This exam consists of 6 problems on the following 7 pages. You may use your single-sided hand-written 8 ½ x 11 note sheet and a calculator during the exam. No
More information1. Creates the illusion of an address space much larger than the physical memory
Virtual memory Main Memory Disk I P D L1 L2 M Goals Physical address space Virtual address space 1. Creates the illusion of an address space much larger than the physical memory 2. Make provisions for
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks (Extended Version)
Malware Guard Extension: Using SGX to Conceal Cache Attacks (Exted Version) Michael Schwarz Graz University of Technology Email: michael.schwarz@iaik.tugraz.at Samuel Weiser Graz University of Technology
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationLast lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code
4/25/2006 Lecture Notes: DOS Beili Wang Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection Aps Monitor OS Internet Shell code Model In
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationCSE502: Computer Architecture CSE 502: Computer Architecture
CSE 502: Computer Architecture Memory Hierarchy & Caches Motivation 10000 Performance 1000 100 10 Processor Memory 1 1985 1990 1995 2000 2005 2010 Want memory to appear: As fast as CPU As large as required
More informationVIRTUAL MEMORY II. Jo, Heeseung
VIRTUAL MEMORY II Jo, Heeseung TODAY'S TOPICS How to reduce the size of page tables? How to reduce the time for address translation? 2 PAGE TABLES Space overhead of page tables The size of the page table
More informationCache memories are small, fast SRAM-based memories managed automatically in hardware. Hold frequently accessed blocks of main memory
Cache Memories Cache memories are small, fast SRAM-based memories managed automatically in hardware. Hold frequently accessed blocks of main memory CPU looks first for data in caches (e.g., L1, L2, and
More informationarxiv: v2 [cs.cr] 19 Jun 2016
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04897v2 [cs.cr] 19 Jun
More informationAddress Translation. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Address Translation Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today s Topics How to reduce the size of page tables? How to reduce the time for
More informationReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay
ReplayConfusion: Detecting Cache-based Covert Channel Attacks Using Record and Replay Mengjia Yan, Yasser Shalabi, and Josep Torrellas University of Illinois, Urbana-Champaign http://iacoma.cs.uiuc.edu
More informationCS 261 Fall Caching. Mike Lam, Professor. (get it??)
CS 261 Fall 2017 Mike Lam, Professor Caching (get it??) Topics Caching Cache policies and implementations Performance impact General strategies Caching A cache is a small, fast memory that acts as a buffer
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationA Few Problems with Physical Addressing. Virtual Memory Process Abstraction, Part 2: Private Address Space
Process Abstraction, Part : Private Motivation: why not direct physical memory access? Address translation with pages Optimizing translation: translation lookaside buffer Extra benefits: sharing and protection
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationOff-Path TCP Exploits : Global Rate Limit Considered Dangerous
Off-Path TCP Exploits : Global Rate Limit Considered Dangerous Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United
More informationChapter 5 B. Large and Fast: Exploiting Memory Hierarchy
Chapter 5 B Large and Fast: Exploiting Memory Hierarchy Dependability 5.5 Dependable Memory Hierarchy Chapter 6 Storage and Other I/O Topics 2 Dependability Service accomplishment Service delivered as
More informationSystem-Level Protection Against Cache-Based Side Channel Attacks in the Cloud. Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz
System-Level Protection Against Cache-Based Side Channel Attacks in the Cloud Taesoo Kim, Marcus Peinado, Gloria Mainar-Ruiz MIT CSAIL Microsoft Research Security is a big concern in cloud adoption Why
More informationECE7995 Caching and Prefetching Techniques in Computer Systems. Lecture 8: Buffer Cache in Main Memory (I)
ECE7995 Caching and Prefetching Techniques in Computer Systems Lecture 8: Buffer Cache in Main Memory (I) 1 Review: The Memory Hierarchy Take advantage of the principle of locality to present the user
More informationC5: Cross-Cores Cache Covert Channel
C5: Cross-Cores Cache Covert Channel Clémentine Maurice 1, Christoph Neumann 1, Olivier Heen 1, and Aurélien Francillon 2 1 Technicolor, Rennes, France, 2 Eurecom, Sophia-Antipolis, France {clementine.maurice,christoph.neumann,olivier.heen}@technicolor.com
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationCISC 360. Cache Memories Exercises Dec 3, 2009
Topics ν CISC 36 Cache Memories Exercises Dec 3, 29 Review of cache memory mapping Cache Memories Cache memories are small, fast SRAM-based memories managed automatically in hardware. ν Hold frequently
More informationSystems Programming and Computer Architecture ( ) Timothy Roscoe
Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 AS 2016 Caches 1 16: Caches Computer Architecture
More informationFast packet processing in the cloud. Dániel Géhberger Ericsson Research
Fast packet processing in the cloud Dániel Géhberger Ericsson Research Outline Motivation Service chains Hardware related topics, acceleration Virtualization basics Software performance and acceleration
More informationNetwork Protocols. Sarah Diesburg Operating Systems CS 3430
Network Protocols Sarah Diesburg Operating Systems CS 3430 Protocol An agreement between two parties as to how information is to be transmitted A network protocol abstracts packets into messages Physical
More informationHardware Enclave Attacks CS261
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Service (IAS) Process Enclave Untrusted Trusted Enclave Code Enclave Data Process Process Other Enclave OS and/or Hypervisor
More informationCauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds
Cauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds Mohammad Ahmad, Read Sprabery, Konstantin Evchenko, Abhilash Raj, Dr. Rakesh Bobba, Dr. Sibin Mohan, Dr. Roy Campbell
More informationA MEASUREMENT STUDY ON CO-RESIDENCE THREAT INSIDE THE CLOUD
1 A MEASUREMENT STUDY ON CO-RESIDENCE THREAT INSIDE THE CLOUD Zhang Xu College of William and Mary Haining Wang University of Delaware Zhenyu Wu NEC Laboratories America 2 Cloud Becomes Tempting Target
More informationCS 33. Architecture and Optimization (3) CS33 Intro to Computer Systems XVI 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.
CS 33 Architecture and Optimization (3) CS33 Intro to Computer Systems XVI 1 Copyright 2018 Thomas W. Doeppner. All rights reserved. Hyper Threading Instruction Control Instruction Control Retirement Unit
More informationVirtual Memory II. CSE 351 Autumn Instructor: Justin Hsia
Virtual Memory II CSE 35 Autumn 27 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan https://xkcd.com/495/
More informationProtocol Principles. Framing, FCS and ARQ 2005/03/11. (C) Herbert Haas
Protocol Principles Framing, FCS and ARQ (C) Herbert Haas 2005/03/11 Link Layer Tasks Framing Frame Protection Optional Addressing Optional Error Recovery Connection-oriented or connectionless mode Optional
More informationComputer Architecture and System Software Lecture 09: Memory Hierarchy. Instructor: Rob Bergen Applied Computer Science University of Winnipeg
Computer Architecture and System Software Lecture 09: Memory Hierarchy Instructor: Rob Bergen Applied Computer Science University of Winnipeg Announcements Midterm returned + solutions in class today SSD
More informationCSE 120 Principles of Operating Systems Spring 2017
CSE 120 Principles of Operating Systems Spring 2017 Lecture 12: Paging Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient translations (TLBs)
More informationSpring 2016 :: CSE 502 Computer Architecture. Caches. Nima Honarmand
Caches Nima Honarmand Motivation 10000 Performance 1000 100 10 Processor Memory 1 1985 1990 1995 2000 2005 2010 Want memory to appear: As fast as CPU As large as required by all of the running applications
More informationCSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 10: Paging Geoffrey M. Voelker Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient
More informationCS356: Discussion #9 Memory Hierarchy and Caches. Marco Paolieri Illustrations from CS:APP3e textbook
CS356: Discussion #9 Memory Hierarchy and Caches Marco Paolieri (paolieri@usc.edu) Illustrations from CS:APP3e textbook The Memory Hierarchy So far... We modeled the memory system as an abstract array
More informationCS 333 Introduction to Operating Systems. Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University
CS 333 Introduction to Operating Systems Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University Virtual addresses Virtual memory addresses (what the process uses) Page
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationMulti-level Translation. CS 537 Lecture 9 Paging. Example two-level page table. Multi-level Translation Analysis
Multi-level Translation CS 57 Lecture 9 Paging Michael Swift Problem: what if you have a sparse address space e.g. out of GB, you use MB spread out need one PTE per page in virtual address space bit AS
More information20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer.
20: Networking (2) Mark Handley TCP Socket Buffers Application Application Kernel write Kernel read Socket buffer Socket buffer DMA DMA NIC TCP Acks NIC TCP Data 1 TCP Socket Buffers Send-side Socket Buffer
More informationECE 30 Introduction to Computer Engineering
ECE 0 Introduction to Computer Engineering Study Problems, Set #9 Spring 01 1. Given the following series of address references given as word addresses:,,, 1, 1, 1,, 8, 19,,,,, 7,, and. Assuming a direct-mapped
More informationWhy memory hierarchy? Memory hierarchy. Memory hierarchy goals. CS2410: Computer Architecture. L1 cache design. Sangyeun Cho
Why memory hierarchy? L1 cache design Sangyeun Cho Computer Science Department Memory hierarchy Memory hierarchy goals Smaller Faster More expensive per byte CPU Regs L1 cache L2 cache SRAM SRAM To provide
More informationarxiv: v1 [cs.cr] 3 Jan 2018
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
More informationEC-Bench: Benchmarking Onload and Offload Erasure Coders on Modern Hardware Architectures
EC-Bench: Benchmarking Onload and Offload Erasure Coders on Modern Hardware Architectures Haiyang Shi, Xiaoyi Lu, and Dhabaleswar K. (DK) Panda {shi.876, lu.932, panda.2}@osu.edu The Ohio State University
More informationSecure Hierarchy-Aware Cache Replacement Policy (SHARP): Defending Against Cache-Based Side Channel Attacks
: Defending Against Cache-Based Side Channel Attacks Mengjia Yan, Bhargava Gopireddy, Thomas Shull, Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu Presented by Mengjia
More informationExploiting Branch Target Injection. Jann Horn, Google Project Zero
Exploiting Branch Target Injection Jann Horn, Google Project Zero 1 Outline Introduction Reverse-engineering branch prediction Leaking host memory from KVM 2 Disclaimer I haven't worked in CPU design I
More informationECE331: Hardware Organization and Design
ECE331: Hardware Organization and Design Lecture 29: an Introduction to Virtual Memory Adapted from Computer Organization and Design, Patterson & Hennessy, UCB Overview Virtual memory used to protect applications
More informationChapter Six. Errors, Error Detection, and Error Control. Data Communications and Computer Networks: A Business User s Approach Seventh Edition
Chapter Six Errors, Error Detection, and Error Control Data Communications and Computer Networks: A Business User s Approach Seventh Edition After reading this chapter, you should be able to: Identify
More informationEmbedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi
Embedded Systems Dr. Santanu Chaudhury Department of Electrical Engineering Indian Institute of Technology, Delhi Lecture - 13 Virtual memory and memory management unit In the last class, we had discussed
More informationVirtual Memory: Mechanisms. CS439: Principles of Computer Systems February 28, 2018
Virtual Memory: Mechanisms CS439: Principles of Computer Systems February 28, 2018 Last Time Physical addresses in physical memory Virtual/logical addresses in process address space Relocation Algorithms
More informationHypervisor security. Evgeny Yakovlev, DEFCON NN, 2017
Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017 whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2 Agenda Why hypervisor
More informationCache Attacks Enable Bulk Key Recovery on the Cloud (Extended Version)
Cache Attacks Enable Bulk Key Recovery on the Cloud (Extended Version) Mehmet Sinan İnci, Berk Gulmezoglu, Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar Worcester Polytechnic Institute, Worcester, MA,
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leak Cauldron on the Dark Land: Understanding Memor Side-Channel Hazards in SGX 1,4 Wenhao Wang, 2 Guoxing Chen, 1 Xiaorui Pan, 2 Yinqian Zhang, 1 XiaoFeng Wang, 3 Vincent Bindschaedler, 1 Haixu Tang and
More informationUNIT-II 1. Discuss the issues in the data link layer. Answer:
UNIT-II 1. Discuss the issues in the data link layer. Answer: Data Link Layer Design Issues: The data link layer has a number of specific functions it can carry out. These functions include 1. Providing
More informationError Detection Codes. Error Detection. Two Dimensional Parity. Internet Checksum Algorithm. Cyclic Redundancy Check.
Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error Correction Codes (e.g. Hamming, Reed Solomon) Basic Idea Add redundant information to determine if errors have been introduced
More informationLecture 10: Cache Coherence: Part I. Parallel Computer Architecture and Programming CMU , Spring 2013
Lecture 10: Cache Coherence: Part I Parallel Computer Architecture and Programming Cache design review Let s say your code executes int x = 1; (Assume for simplicity x corresponds to the address 0x12345604
More informationCS 152 Computer Architecture and Engineering. Lecture 7 - Memory Hierarchy-II
CS 152 Computer Architecture and Engineering Lecture 7 - Memory Hierarchy-II Krste Asanovic Electrical Engineering and Computer Sciences University of California at Berkeley http://www.eecs.berkeley.edu/~krste!
More informationCIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2015
CIS 5512 - Operating Systems Memory Management Cache Professor Qiang Zeng Fall 2015 Previous class What is logical address? Who use it? Describes a location in the logical address space Compiler and CPU
More informationWait a minute! A fast, Cross-VM attack on AES
Wait a minute! A fast, Cross-VM attack on AES Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar Worcester Polytechnic Institute, Worcester, MA, USA {girazoki,msinci,teisenbarth,sunar}@wpi.edu
More informationCogniFit Technical Security Details
Security Details CogniFit Technical Security Details CogniFit 2018 Table of Contents 1. Security 1.1 Servers........................ 3 1.2 Databases............................3 1.3 Network configuration......................
More informationCache Attacks and Rowhammer on ARM
Moritz Lipp, BSc Cache Attacks and Rowhammer on ARM MASTER S THESIS to achieve the university degree of Diplom-Ingenieur Master s degree programme: Computer Science submitted to Graz University of Technology
More informationAutoLock: Why Cache Attacks on ARM Are Harder Than You Think
AutoLock: Why Cache Attacks on ARM Are Harder Than You Think Marc Green W, Leandro Rodrigues-Lima F, Andreas Zankl F, Gorka Irazoqui W, Johann Heyszl F, and Thomas Eisenbarth W August 18 th 2017 USENIX
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationCurious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis
Curious case of Rowhammer: Flipping Secret Exponent Bits using Timing Analysis Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur CHES 2016 August 19, 2016 Objective
More informationLecture: Large Caches, Virtual Memory. Topics: cache innovations (Sections 2.4, B.4, B.5)
Lecture: Large Caches, Virtual Memory Topics: cache innovations (Sections 2.4, B.4, B.5) 1 Techniques to Reduce Cache Misses Victim caches Better replacement policies pseudo-lru, NRU Prefetching, cache
More informationDAT (cont d) Assume a page size of 256 bytes. physical addresses. Note: Virtual address (page #) is not stored, but is used as an index into the table
Assume a page size of 256 bytes 5 Page table size (determined by size of program) 1 1 0 1 0 0200 00 420B 00 xxxxxx 1183 00 xxxxxx physical addresses Residency Bit (0 page frame is empty) Note: Virtual
More informationECE Lab 8. Logic Design for a Direct-Mapped Cache. To understand the function and design of a direct-mapped memory cache.
ECE 201 - Lab 8 Logic Design for a Direct-Mapped Cache PURPOSE To understand the function and design of a direct-mapped memory cache. EQUIPMENT Simulation Software REQUIREMENTS Electronic copy of your
More informationI, J A[I][J] / /4 8000/ I, J A(J, I) Chapter 5 Solutions S-3.
5 Solutions Chapter 5 Solutions S-3 5.1 5.1.1 4 5.1.2 I, J 5.1.3 A[I][J] 5.1.4 3596 8 800/4 2 8 8/4 8000/4 5.1.5 I, J 5.1.6 A(J, I) 5.2 5.2.1 Word Address Binary Address Tag Index Hit/Miss 5.2.2 3 0000
More informationCS 318 Principles of Operating Systems
CS 318 Principles of Operating Systems Fall 2018 Lecture 10: Virtual Memory II Ryan Huang Slides adapted from Geoff Voelker s lectures Administrivia Next Tuesday project hacking day No class My office
More informationCache Memory COE 403. Computer Architecture Prof. Muhamed Mudawar. Computer Engineering Department King Fahd University of Petroleum and Minerals
Cache Memory COE 403 Computer Architecture Prof. Muhamed Mudawar Computer Engineering Department King Fahd University of Petroleum and Minerals Presentation Outline The Need for Cache Memory The Basics
More informationMobile Transport Layer Lesson 02 TCP Data Stream and Data Delivery
Mobile Transport Layer Lesson 02 TCP Data Stream and Data Delivery 1 TCP Data Stream Consists of bytes Delivered using a virtual connection between sockets Each socket has the port number and IP address
More informationBinghamton University. CS-220 Spring Cached Memory. Computer Systems Chapter
Cached Memory Computer Systems Chapter 6.2-6.5 Cost Speed The Memory Hierarchy Capacity The Cache Concept CPU Registers Addresses Data Memory ALU Instructions The Cache Concept Memory CPU Registers Addresses
More informationLecture 20: Multi-Cache Designs. Spring 2018 Jason Tang
Lecture 20: Multi-Cache Designs Spring 2018 Jason Tang 1 Topics Split caches Multi-level caches Multiprocessor caches 2 3 Cs of Memory Behaviors Classify all cache misses as: Compulsory Miss (also cold-start
More informationReactive NUCA: Near-Optimal Block Placement and Replication in Distributed Caches
Reactive NUCA: Near-Optimal Block Placement and Replication in Distributed Caches Nikos Hardavellas Michael Ferdman, Babak Falsafi, Anastasia Ailamaki Carnegie Mellon and EPFL Data Placement in Distributed
More informationLecture: Large Caches, Virtual Memory. Topics: cache innovations (Sections 2.4, B.4, B.5)
Lecture: Large Caches, Virtual Memory Topics: cache innovations (Sections 2.4, B.4, B.5) 1 More Cache Basics caches are split as instruction and data; L2 and L3 are unified The /L2 hierarchy can be inclusive,
More informationVirtual Memory. Physical Addressing. Problem 2: Capacity. Problem 1: Memory Management 11/20/15
Memory Addressing Motivation: why not direct physical memory access? Address translation with pages Optimizing translation: translation lookaside buffer Extra benefits: sharing and protection Memory as
More informationProf. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University. See P&H Chapter: , 5.8, 5.10, 5.15; Also, 5.13 & 5.
Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University See P&H Chapter: 5.1-5.4, 5.8, 5.10, 5.15; Also, 5.13 & 5.17 Writing to caches: policies, performance Cache tradeoffs and
More informationChapter 5 Memory Hierarchy Design. In-Cheol Park Dept. of EE, KAIST
Chapter 5 Memory Hierarchy Design In-Cheol Park Dept. of EE, KAIST Why cache? Microprocessor performance increment: 55% per year Memory performance increment: 7% per year Principles of locality Spatial
More informationVirtual to physical address translation
Virtual to physical address translation Virtual memory with paging Page table per process Page table entry includes present bit frame number modify bit flags for protection and sharing. Page tables can
More informationVirtual Memory. Today. Handling bigger address spaces Speeding translation
Virtual Memory Today Handling bigger address spaces Speeding translation Considerations with page tables Two key issues with page tables Mapping must be fast Done on every memory reference, at least 1
More informationCSE398: Network Systems Design
CSE398: Network Systems Design Instructor: Dr. Liang Cheng Department of Computer Science and Engineering P.C. Rossin College of Engineering & Applied Science Lehigh University February 7, 2005 Outline
More information