JavaScript Zero. Real JavaScript and Zero Side-Channel Attacks. Michael Schwarz, Moritz Lipp, Daniel Gruss
|
|
- Clement Elliott
- 5 years ago
- Views:
Transcription
1 JavaScript Zero Real JavaScript and Zero Side-Channel Attacks Michael Schwarz, Moritz Lipp, Daniel Gruss Michael Schwarz, Moritz Lipp, Daniel Gruss
2 Outline Analysis of current microarchitectural and side-channel attacks Identifying building blocks for attacks Countermeasures for preventing attacks Implementation of countermeasures Evaluation of countermeasures 2 Michael Schwarz, Moritz Lipp, Daniel Gruss
3 Landscape of Microarchitectural Attacks Currently 11 microarchitectural and side-channel attacks in JavaScript 3 Michael Schwarz, Moritz Lipp, Daniel Gruss
4 Landscape of Microarchitectural Attacks Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack 3 Michael Schwarz, Moritz Lipp, Daniel Gruss
5 Landscape of Microarchitectural Attacks Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories 3 Michael Schwarz, Moritz Lipp, Daniel Gruss
6 Landscape of Microarchitectural Attacks Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories Memory addresses Accurate timing Multithreading Shared data Sensor API 3 Michael Schwarz, Moritz Lipp, Daniel Gruss
7 Landscape of Microarchitectural Attacks Currently 11 microarchitectural and side-channel attacks in JavaScript Analyse requirements for every attack Results in 5 categories Memory addresses Accurate timing Multithreading Shared data Sensor API Every attack is in at least one category 3 Michael Schwarz, Moritz Lipp, Daniel Gruss
8 Memory Addresses Language does not provide addresses to programmer 4 Michael Schwarz, Moritz Lipp, Daniel Gruss
9 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices 4 Michael Schwarz, Moritz Lipp, Daniel Gruss
10 Memory Addresses Language does not provide addresses to programmer Closest to virtual address: array indices Detect beginning of physical pages through high timing on page faults 4 Michael Schwarz, Moritz Lipp, Daniel Gruss
11 Accurate Timing Nearly all attacks require accurate timing 5 Michael Schwarz, Moritz Lipp, Daniel Gruss
12 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences 5 Michael Schwarz, Moritz Lipp, Daniel Gruss
13 Accurate Timing Nearly all attacks require accurate timing No absolute timestamps required, only time differences Required accuracy varies between milliseconds and nanoseconds 5 Michael Schwarz, Moritz Lipp, Daniel Gruss
14 Multithreading JavaScript introduced multi threading with web workers 6 Michael Schwarz, Moritz Lipp, Daniel Gruss
15 Multithreading JavaScript introduced multi threading with web workers Real concurrency in applications 6 Michael Schwarz, Moritz Lipp, Daniel Gruss
16 Multithreading JavaScript introduced multi threading with web workers Real concurrency in applications Enables new side-channel attacks 6 Michael Schwarz, Moritz Lipp, Daniel Gruss
17 Shared Data Usually no shared data between threads due to synchronization issues 7 Michael Schwarz, Moritz Lipp, Daniel Gruss
18 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer 7 Michael Schwarz, Moritz Lipp, Daniel Gruss
19 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer Only useful in combination with web workers 7 Michael Schwarz, Moritz Lipp, Daniel Gruss
20 Shared Data Usually no shared data between threads due to synchronization issues Exception: SharedArrayBuffer Only useful in combination with web workers Not enabled by default 7 Michael Schwarz, Moritz Lipp, Daniel Gruss
21 Sensor API Some side-channel attacks only require access to sensors 8 Michael Schwarz, Moritz Lipp, Daniel Gruss
22 Sensor API Some side-channel attacks only require access to sensors Some sensors can be used without user consent, e.g., ambient light 8 Michael Schwarz, Moritz Lipp, Daniel Gruss
23 Sensor API Some side-channel attacks only require access to sensors Some sensors can be used without user consent, e.g., ambient light Every sensor is exploitable 8 Michael Schwarz, Moritz Lipp, Daniel Gruss
24 Defenses
25 Countermeasures Countermeasures have to address all categories 9 Michael Schwarz, Moritz Lipp, Daniel Gruss
26 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer 9 Michael Schwarz, Moritz Lipp, Daniel Gruss
27 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer Implementation is on the microarchitectural level of JavaScript 9 Michael Schwarz, Moritz Lipp, Daniel Gruss
28 Countermeasures Countermeasures have to address all categories Should not be visible to the programmer Implementation is on the microarchitectural level of JavaScript If no category is usable for attacks anymore, future attacks are hard 9 Michael Schwarz, Moritz Lipp, Daniel Gruss
29 Memory Addresses Ensure arrays are memory backed and not linear 10 Michael Schwarz, Moritz Lipp, Daniel Gruss
30 Memory Addresses Ensure arrays are memory backed and not linear Additionally, add random dummy accesses 10 Michael Schwarz, Moritz Lipp, Daniel Gruss
31 Memory Addresses Ensure arrays are memory backed and not linear Additionally, add random dummy accesses Prevents many microarchitectural attacks 10 Michael Schwarz, Moritz Lipp, Daniel Gruss
32 Memory Addresses Ensure arrays are memory backed and not linear Additionally, add random dummy accesses Prevents many microarchitectural attacks Side effect: make exploits harder where addresses are required 10 Michael Schwarz, Moritz Lipp, Daniel Gruss
33 Accurate Timing Reducing the resolution of performance.now() is a first step 11 Michael Schwarz, Moritz Lipp, Daniel Gruss
34 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient 11 Michael Schwarz, Moritz Lipp, Daniel Gruss
35 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient Fuzzy time (Vattikonda et al.) adds random jitter 11 Michael Schwarz, Moritz Lipp, Daniel Gruss
36 Accurate Timing Reducing the resolution of performance.now() is a first step Only rounding the timestamps is not sufficient Fuzzy time (Vattikonda et al.) adds random jitter Timestamps are still monotonic, but clock edges are randomized 11 Michael Schwarz, Moritz Lipp, Daniel Gruss
37 Multithreading Only real solution is to prevent multithreading 12 Michael Schwarz, Moritz Lipp, Daniel Gruss
38 Multithreading Only real solution is to prevent multithreading Some attacks can be prevented by adding random delays to postmessage 12 Michael Schwarz, Moritz Lipp, Daniel Gruss
39 Multithreading Only real solution is to prevent multithreading Some attacks can be prevented by adding random delays to postmessage Prevents certain timing primitives and attacks on the event-queue latency 12 Michael Schwarz, Moritz Lipp, Daniel Gruss
40 Shared Data Best countermeasures: do not allow shared data 13 Michael Schwarz, Moritz Lipp, Daniel Gruss
41 Shared Data Best countermeasures: do not allow shared data Many attacks exploit fast concurrent access to SharedArrayBuffer 13 Michael Schwarz, Moritz Lipp, Daniel Gruss
42 Shared Data Best countermeasures: do not allow shared data Many attacks exploit fast concurrent access to SharedArrayBuffer Alternative: delay access to buffer 13 Michael Schwarz, Moritz Lipp, Daniel Gruss
43 Shared Data Best countermeasures: do not allow shared data Many attacks exploit fast concurrent access to SharedArrayBuffer Alternative: delay access to buffer Degrades resolution of timing primitive to microseconds 13 Michael Schwarz, Moritz Lipp, Daniel Gruss
44 Sensor API Reduce resolution and update frequency of sensors 14 Michael Schwarz, Moritz Lipp, Daniel Gruss
45 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission 14 Michael Schwarz, Moritz Lipp, Daniel Gruss
46 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission Every sensor is usable for attacks, even ambient light sensor 14 Michael Schwarz, Moritz Lipp, Daniel Gruss
47 Sensor API Reduce resolution and update frequency of sensors Sensor APIs should always ask user for permission Every sensor is usable for attacks, even ambient light sensor To not break existing applications, sensors return constant value 14 Michael Schwarz, Moritz Lipp, Daniel Gruss
48 Implementation
49 Designing the Countermeasure Best solution is to implement defenses in the browser core 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
50 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
51 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
52 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
53 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard Implementation in JavaScript Virtual machine layering 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
54 Designing the Countermeasure Best solution is to implement defenses in the browser core Maintaining a browser fork is hard work We want a generic solution for multiple browsers Parsing JavaScript is hard Implementation in JavaScript Virtual machine layering Proof-of-concept is implemented as browser extension 15 Michael Schwarz, Moritz Lipp, Daniel Gruss
55 Virtual Machine Layering Functions and properties are replaced by wrappers Page Context Script Extension Context Return Call Wrapper Call Filtered value Default value Allowed? Yes Original Function No 16 Michael Schwarz, Moritz Lipp, Daniel Gruss
56 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; 17 Michael Schwarz, Moritz Lipp, Daniel Gruss
57 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) 17 Michael Schwarz, Moritz Lipp, Daniel Gruss
58 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) // call the original function (only via reference) a l e r t ( o r i g i n a l r e f e r e n c e. c a l l ( window. performance ) ) ; 17 Michael Schwarz, Moritz Lipp, Daniel Gruss
59 Virtual Machine Layering Functions can be re-defined in JavaScript var o r i g i n a l r e f e r e n c e = window. performance. now ; window. performance. now = function ( ) { return 0 ; } ; // call the new function (via function name) a l e r t ( window. performance. now ( ) ) ; // == alert(0) // call the original function (only via reference) a l e r t ( o r i g i n a l r e f e r e n c e. c a l l ( window. performance ) ) ; Properties can be replaced by accessor properties 17 Michael Schwarz, Moritz Lipp, Daniel Gruss
60 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object 18 Michael Schwarz, Moritz Lipp, Daniel Gruss
61 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object All properties and functions are handled by the original object 18 Michael Schwarz, Moritz Lipp, Daniel Gruss
62 Virtual Machine Layering for Objects Objects are proxied new Object Methods Script Proxy(Object) Filter Methods Object All properties and functions are handled by the original object Functions and properties can be overwritten in the proxy object 18 Michael Schwarz, Moritz Lipp, Daniel Gruss
63 Self Protection Attacker tries to circumvent JavaScript Zero 19 Michael Schwarz, Moritz Lipp, Daniel Gruss
64 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript 19 Michael Schwarz, Moritz Lipp, Daniel Gruss
65 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript Use closures to hide all references to original functions ( function ( ) { // original is only accessible in this scope var o r i g i n a l = window. performance. now ; window. performance. now =... } ) ( ) ; 19 Michael Schwarz, Moritz Lipp, Daniel Gruss
66 Self Protection Attacker tries to circumvent JavaScript Zero Self protection is necessary if implemented in JavaScript Use closures to hide all references to original functions ( function ( ) { // original is only accessible in this scope var o r i g i n a l = window. performance. now ; window. performance. now =... } ) ( ) ; Prevent objects from being modified: Object.freeze 19 Michael Schwarz, Moritz Lipp, Daniel Gruss
67 Evaluation
68 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) 20 Michael Schwarz, Moritz Lipp, Daniel Gruss
69 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array 20 Michael Schwarz, Moritz Lipp, Daniel Gruss
70 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array Iterate over array, measure access time 20 Michael Schwarz, Moritz Lipp, Daniel Gruss
71 Page Border Detection Border of pages leak 12 or 21 bits (depending on page size) Create huge array Iterate over array, measure access time Page border raise pagefault, taking significantly longer to access 20 Michael Schwarz, Moritz Lipp, Daniel Gruss
72 Page Border Detection Access time [cycles] Array offset [KB] Michael Schwarz, Moritz Lipp, Daniel Gruss
73 Page Border Detection with Random Access Access time [cycles] ,000 2,000 3,000 4,000 5,000 Array offset [KB] 22 Michael Schwarz, Moritz Lipp, Daniel Gruss
74 Interrupt Detection Multithreading allows to detect interrupts 23 Michael Schwarz, Moritz Lipp, Daniel Gruss
75 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window 23 Michael Schwarz, Moritz Lipp, Daniel Gruss
76 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window Different number of increments indicate interrupt 23 Michael Schwarz, Moritz Lipp, Daniel Gruss
77 Interrupt Detection Multithreading allows to detect interrupts Endless loop which counts number of increments in time window Different number of increments indicate interrupt Fuzzy time prevents deterministic equally-sized time window 23 Michael Schwarz, Moritz Lipp, Daniel Gruss
78 Interrupt Detection Delta [counter] 1,850 1,800 1,750 tap tap tap tap 1, Runtime [s] 24 Michael Schwarz, Moritz Lipp, Daniel Gruss
79 Interrupt Detection with Fuzzy Time Delta [counter] tap tap tap tap Runtime [s] 25 Michael Schwarz, Moritz Lipp, Daniel Gruss
80 Event Queue Spying Messages between web workers are handled in the event queue 26 Michael Schwarz, Moritz Lipp, Daniel Gruss
81 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue 26 Michael Schwarz, Moritz Lipp, Daniel Gruss
82 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue Posting many messages allows to measure latency 26 Michael Schwarz, Moritz Lipp, Daniel Gruss
83 Event Queue Spying Messages between web workers are handled in the event queue User activity is also handled in the event queue Posting many messages allows to measure latency Latency indicates user input 26 Michael Schwarz, Moritz Lipp, Daniel Gruss
84 Event Queue Spying Delta [ms] ,560 2,570 2,580 2,590 2,600 2,610 2,620 2,630 2,640 Runtime [ms] 27 Michael Schwarz, Moritz Lipp, Daniel Gruss
85 Event Queue Spying with Message Delay Delta [ms] ,860 2,870 2,880 2,890 2,900 2,910 2,920 2,930 2,940 Runtime [ms] 28 Michael Schwarz, Moritz Lipp, Daniel Gruss
86 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution 29 Michael Schwarz, Moritz Lipp, Daniel Gruss
87 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array 29 Michael Schwarz, Moritz Lipp, Daniel Gruss
88 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array Other worker uses this as a timestamp 29 Michael Schwarz, Moritz Lipp, Daniel Gruss
89 SharedArrayBuffer Timing Primitive SharedArrayBuffer allows to build a timing primitive with the highest resolution One web worker continuously increments variable in the shared array Other worker uses this as a timestamp Adding random delay to access degrades resolution 29 Michael Schwarz, Moritz Lipp, Daniel Gruss
90 SharedArrayBuffer 30 Michael Schwarz, Moritz Lipp, Daniel Gruss
91 SharedArrayBuffer with Random Delay 31 Michael Schwarz, Moritz Lipp, Daniel Gruss
92 Defense Prevents Rowham- Page Dedu- DRAM Covert Anti- Cache Keystroke Browser mer.js plication Channel ASLR Eviction Timing Buffer ASLR Array preloading Non-deterministic array Array index randomization Low-resolution timestamp Fuzzy time * * * * WebWorker polyfill Message delay Slow SharedArrayBuffer No SharedArrayBuffer * * * * Summary Symbols indicate whether a policy fully prevents an attack, ( ), partly prevents and attack by making it more difficult ( ), or does not prevent an attack ( ). A star (*) indicates that all policies marked with a star must be combined to prevent an attack. 32 Michael Schwarz, Moritz Lipp, Daniel Gruss
93 User Experience 33 Michael Schwarz, Moritz Lipp, Daniel Gruss
94 Conclusion Just rounding timers is not sufficient 34 Michael Schwarz, Moritz Lipp, Daniel Gruss
95 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers 34 Michael Schwarz, Moritz Lipp, Daniel Gruss
96 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment 34 Michael Schwarz, Moritz Lipp, Daniel Gruss
97 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment Efficient countermeasures can be implemented in browsers 34 Michael Schwarz, Moritz Lipp, Daniel Gruss
98 Conclusion Just rounding timers is not sufficient Multithreading and shared data allow to build new timers Microarchitectural attacks in the browser are possible at the moment Efficient countermeasures can be implemented in browsers More microarchitectural attacks in JavaScript will appear 34 Michael Schwarz, Moritz Lipp, Daniel Gruss
99
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript Michael Schwarz, Clémentine Maurice, Daniel Gruss, Stefan Mangard Graz University of Technology April 2017
More informationFrom bottom to top: Exploiting hardware side channels in web browsers
From bottom to top: Exploiting hardware side channels in web browsers Clémentine Maurice, Graz University of Technology July 4, 2017 RMLL, Saint-Étienne, France Rennes Graz Clémentine Maurice PhD since
More informationPractical Keystroke Timing Attacks in Sandboxed JavaScript
Practical Keystroke Timing Attacks in Sandboxed JavaScript M. Lipp, D. Gruss, M. Schwarz, D. Bidner, C. Maurice, S. Mangard Sep 11, 2017 ESORICS 17 Graz University of Technology Motivation Keystroke timing
More informationARMageddon: Cache Attacks on Mobile Devices
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, Stefan Mangard Graz University of Technology 1 TLDR powerful cache attacks (like Flush+Reload)
More informationTrusted Browsers for Uncertain Times
Trusted Browsers for Uncertain Times David Kohlbrenner and Hovav Shacham UC San Diego Building a browser that can provably mitigate timing attacks Trusted Browsers for Uncertain Times Time and web browsers
More informationHello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud Clémentine Maurice, Manuel Weber, Michael Schwarz, Lukas Giner, Daniel Gruss, Carlo Alberto Boano, Stefan Mangard, Kay Römer
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationSpectre and Meltdown: Data leaks during speculative execution
Spectre and Meltdown: Data leaks during speculative execution Speaker: Jann Horn (Google Project Zero) Paul Kocher (independent) Daniel Genkin (University of Pennsylvania and University of Maryland) Yuval
More informationLeaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX W. Wang, G. Chen, X, Pan, Y. Zhang, XF. Wang, V. Bindschaedler, H. Tang, C. Gunter. September 19, 2017 Motivation Intel
More informationWhen Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins
When Good Turns Evil: Using Intel SGX to Stealthily Steal Bitcoins Michael Schwarz, Moritz Lipp michael.schwarz@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at Abstract In our talk, we show that despite all
More informationA Predictable RTOS. Mantis Cheng Department of Computer Science University of Victoria
A Predictable RTOS Mantis Cheng Department of Computer Science University of Victoria Outline I. Analysis of Timeliness Requirements II. Analysis of IO Requirements III. Time in Scheduling IV. IO in Scheduling
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 19 Hardware Security: Meltdown, Spectre, Rowhammer Vulnerabilities and Abstractions Abstraction Reality Vulnerability Review: ISA and µarchitecture
More informationRowhammer.js: Root privileges for web apps?
Rowhammer.js: Root privileges for web apps? Daniel Gruss (@lavados) 1, Clémentine Maurice (@BloodyTangerine) 2 1 IAIK, Graz University of Technology / 2 Technicolor and Eurecom 1 Rennes Graz Clémentine
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Recap Paged MMU: Two main Issues Translation speed can be slow TLB Table size is big Multi-level page table
More informationLabVIEW programming II
FYS3240 PC-based instrumentation and microcontrollers LabVIEW programming II Spring 2016 Lecture #3 Bekkeng 18.01.2016 Dataflow programming With a dataflow model, nodes on a block diagram are connected
More informationBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology
Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A statistical
More informationRowhammer.js: A Remote Software- Induced Fault Attack in Javascript
Rowhammer.js: A Remote Software- Induced Fault Attack in Javascript Daniel Gruss, Clementine Maurice and Stefan Mangard Graz University of Technology, Austria Rowhammer bug (I) Different DRAM cells can
More informationAdaptive algorithm for High-Performance FPGA Cores
1 Adaptive algorithm for High-Performance FPGA Cores Shankar Dheeraj Konidena dheeraj@ittc.ku.edu 2 Introduction Issue Background Architecture Implementation Results Conclusion & Future work Questions
More informationMeltdown or "Holy Crap: How did we do this to ourselves" Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory
Meltdown or "Holy Crap: How did we do this to ourselves" Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernelmemory locations Breaks all security assumptions given
More informationWho am I? Moritz Lipp PhD Graz University of
Who am I? Moritz Lipp PhD student @ Graz University of Technology @mlqxyz moritz.lipp@iaik.tugraz.at 1 Moritz Lipp, Michael Schwarz, Daniel Gruss Graz University of Technology Who am I? Michael Schwarz
More informationCUDA GPGPU Workshop 2012
CUDA GPGPU Workshop 2012 Parallel Programming: C thread, Open MP, and Open MPI Presenter: Nasrin Sultana Wichita State University 07/10/2012 Parallel Programming: Open MP, MPI, Open MPI & CUDA Outline
More informationReliably Measuring Responsiveness in the Wild
Reliably Measuring Responsiveness in the Wild Shubhie Panicker Nic Jansma @shubhie @nicj When is load? Old load metrics don t capture user experience. We need to rethink our metrics and focus on what
More informationLecture 25: Board Notes: Threads and GPUs
Lecture 25: Board Notes: Threads and GPUs Announcements: - Reminder: HW 7 due today - Reminder: Submit project idea via (plain text) email by 11/24 Recap: - Slide 4: Lecture 23: Introduction to Parallel
More informationChapter 8: Virtual Memory. Operating System Concepts
Chapter 8: Virtual Memory Silberschatz, Galvin and Gagne 2009 Chapter 8: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating
More informationMicro-architectural Attacks. Chester Rebeiro IIT Madras
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript and HTML5 (due to restricted
More informationVirtual Memory. Patterson & Hennessey Chapter 5 ELEC 5200/6200 1
Virtual Memory Patterson & Hennessey Chapter 5 ELEC 5200/6200 1 Virtual Memory Use main memory as a cache for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks
Malware Guard Extension: Using SGX to Conceal Cache Attacks Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria Abstract. In modern
More informationc. What are the machine cycle times (in nanoseconds) of the non-pipelined and the pipelined implementations?
Brown University School of Engineering ENGN 164 Design of Computing Systems Professor Sherief Reda Homework 07. 140 points. Due Date: Monday May 12th in B&H 349 1. [30 points] Consider the non-pipelined
More informationChapter 2. Parallel Hardware and Parallel Software. An Introduction to Parallel Programming. The Von Neuman Architecture
An Introduction to Parallel Programming Peter Pacheco Chapter 2 Parallel Hardware and Parallel Software 1 The Von Neuman Architecture Control unit: responsible for deciding which instruction in a program
More informationENGN 2910A Homework 03 (140 points) Due Date: Oct 3rd 2013
ENGN 2910A Homework 03 (140 points) Due Date: Oct 3rd 2013 Professor: Sherief Reda School of Engineering, Brown University 1. [from Debois et al. 30 points] Consider the non-pipelined implementation of
More informationSysSec. Aurélien Francillon
SysSec Aurélien Francillon francill@eurecom.fr https://www.krackattacks.com/ https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-ofhigh-security-keys-750k-estonian-ids/
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 Demand paging Concepts to Learn 2 Abstraction Virtual Memory (VM) 4GB linear address space for each process
More informationUsing Software Transactional Memory In Interrupt-Driven Systems
Using Software Transactional Memory In Interrupt-Driven Systems Department of Mathematics, Statistics, and Computer Science Marquette University Thesis Defense Introduction Thesis Statement Software transactional
More informationCS555: Distributed Systems [Fall 2017] Dept. Of Computer Science, Colorado State University
CS 555: DISTRIBUTED SYSTEMS [THREADS] Shrideep Pallickara Computer Science Colorado State University Frequently asked questions from the previous class survey Shuffle less/shuffle better Which actions?
More informationInterrupts and Time. Real-Time Systems, Lecture 5. Martina Maggio 28 January Lund University, Department of Automatic Control
Interrupts and Time Real-Time Systems, Lecture 5 Martina Maggio 28 January 2016 Lund University, Department of Automatic Control Content [Real-Time Control System: Chapter 5] 1. Interrupts 2. Clock Interrupts
More informationVirtual Memory. Reading. Sections 5.4, 5.5, 5.6, 5.8, 5.10 (2) Lecture notes from MKP and S. Yalamanchili
Virtual Memory Lecture notes from MKP and S. Yalamanchili Sections 5.4, 5.5, 5.6, 5.8, 5.10 Reading (2) 1 The Memory Hierarchy ALU registers Cache Memory Memory Memory Managed by the compiler Memory Managed
More informationCS307: Operating Systems
CS307: Operating Systems Chentao Wu 吴晨涛 Associate Professor Dept. of Computer Science and Engineering Shanghai Jiao Tong University SEIEE Building 3-513 wuct@cs.sjtu.edu.cn Download Lectures ftp://public.sjtu.edu.cn
More informationarxiv: v1 [cs.cr] 3 Jan 2018
Meltdown arxiv:1801.01207v1 [cs.cr] 3 Jan 2018 Abstract Moritz Lipp 1, Michael Schwarz 1, Daniel Gruss 1, Thomas Prescher 2, Werner Haas 2, Stefan Mangard 1, Paul Kocher 3, Daniel Genkin 4, Yuval Yarom
More informationInterrupts and Time. Interrupts. Content. Real-Time Systems, Lecture 5. External Communication. Interrupts. Interrupts
Content Interrupts and Time Real-Time Systems, Lecture 5 [Real-Time Control System: Chapter 5] 1. Interrupts 2. Clock Interrupts Martina Maggio 25 January 2017 Lund University, Department of Automatic
More informationDesign Patterns for Real-Time Computer Music Systems
Design Patterns for Real-Time Computer Music Systems Roger B. Dannenberg and Ross Bencina 4 September 2005 This document contains a set of design patterns for real time systems, particularly for computer
More informationAdvanced Systems Security: Program Diversity
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationÉvolution des attaques sur la micro-architecture
Évolution des attaques sur la micro-architecture Clémentine Maurice, CNRS, IRISA 23 Janvier 2019 Journée Nouvelles Avancées en Sécurité des Systèmes d Information, INSA de Toulouse/LAAS-CNRS Attacks on
More informationVirtual Memory. Reading: Silberschatz chapter 10 Reading: Stallings. chapter 8 EEL 358
Virtual Memory Reading: Silberschatz chapter 10 Reading: Stallings chapter 8 1 Outline Introduction Advantages Thrashing Principal of Locality VM based on Paging/Segmentation Combined Paging and Segmentation
More informationSGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut
SGX Security Background Masab Ahmad masab.ahmad@uconn.edu Department of Electrical and Computer Engineering University of Connecticut 1 Security Background Outline Cryptographic Primitives Cryptographic
More informationMicro-Architectural Attacks and Countermeasures
Micro-Architectural Attacks and Countermeasures Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 25 Contents Micro-Architectural Attacks Cache Attacks Branch Prediction Attack
More informationIX: A Protected Dataplane Operating System for High Throughput and Low Latency
IX: A Protected Dataplane Operating System for High Throughput and Low Latency Adam Belay et al. Proc. of the 11th USENIX Symp. on OSDI, pp. 49-65, 2014. Presented by Han Zhang & Zaina Hamid Challenges
More informationCPU Scheduling. Daniel Mosse. (Most slides are from Sherif Khattab and Silberschatz, Galvin and Gagne 2013)
CPU Scheduling Daniel Mosse (Most slides are from Sherif Khattab and Silberschatz, Galvin and Gagne 2013) Basic Concepts Maximum CPU utilization obtained with multiprogramming CPU I/O Burst Cycle Process
More informationVirtual Memory III. Jo, Heeseung
Virtual Memory III Jo, Heeseung Today's Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced virtual memory techniques Shared
More informationronny@mit.edu www.cag.lcs.mit.edu/scale Introduction Architectures are all about exploiting the parallelism inherent to applications Performance Energy The Vector-Thread Architecture is a new approach
More informationMultimedia Systems 2011/2012
Multimedia Systems 2011/2012 System Architecture Prof. Dr. Paul Müller University of Kaiserslautern Department of Computer Science Integrated Communication Systems ICSY http://www.icsy.de Sitemap 2 Hardware
More informationarxiv: v2 [cs.cr] 19 Jun 2016
ARMageddon: Cache Attacks on Mobile Devices Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard Graz University of Technology, Austria arxiv:1511.04897v2 [cs.cr] 19 Jun
More informationWhite Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents
White Paper How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet Programs that do a lot of I/O are likely to be the worst hit by the patches designed to fix the Meltdown
More informationReal-Time Performance of Linux. OS Latency
Real-Time Performance of Linux Among others: A Measurement-Based Analysis of the Real- Time Performance of Linux (L. Abeni, A. Goel, C. Krasic, J. Snow, J. Walpole) [RTAS 2002] OS Latency Definition [OS
More information(b) External fragmentation can happen in a virtual memory paging system.
Alexandria University Faculty of Engineering Electrical Engineering - Communications Spring 2015 Final Exam CS333: Operating Systems Wednesday, June 17, 2015 Allowed Time: 3 Hours Maximum: 75 points Note:
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationRemaining Contemplation Questions
Process Synchronisation Remaining Contemplation Questions 1. The first known correct software solution to the critical-section problem for two processes was developed by Dekker. The two processes, P0 and
More informationGLOSSARY. VisualDSP++ Kernel (VDK) User s Guide B-1
B GLOSSARY Application Programming Interface (API) A library of C/C++ functions and assembly macros that define VDK services. These services are essential for kernel-based application programs. The services
More informationMalware Guard Extension: Using SGX to Conceal Cache Attacks (Extended Version)
Malware Guard Extension: Using SGX to Conceal Cache Attacks (Exted Version) Michael Schwarz Graz University of Technology Email: michael.schwarz@iaik.tugraz.at Samuel Weiser Graz University of Technology
More information(Refer Slide Time: 1:26)
Information Security-3 Prof. V Kamakoti Department of Computer science and Engineering Indian Institute of Technology Madras Basics of Unix and Network Administration Operating Systems Introduction Mod01,
More informationPAGE REPLACEMENT. Operating Systems 2015 Spring by Euiseong Seo
PAGE REPLACEMENT Operating Systems 2015 Spring by Euiseong Seo Today s Topics What if the physical memory becomes full? Page replacement algorithms How to manage memory among competing processes? Advanced
More informationJava 8 Programming for OO Experienced Developers
www.peaklearningllc.com Java 8 Programming for OO Experienced Developers (5 Days) This course is geared for developers who have prior working knowledge of object-oriented programming languages such as
More informationCPU Scheduling. Operating Systems (Fall/Winter 2018) Yajin Zhou ( Zhejiang University
Operating Systems (Fall/Winter 2018) CPU Scheduling Yajin Zhou (http://yajin.org) Zhejiang University Acknowledgement: some pages are based on the slides from Zhi Wang(fsu). Review Motivation to use threads
More informationLecture 15 Designing Trusted Operating Systems
Lecture 15 Designing Trusted Operating Systems Thierry Sans 15-349: Introduction to Computer and Network Security Anatomy of an operating system Concept of Kernel Definition Component that provides an
More informationCS 5523 Operating Systems: Memory Management (SGG-8)
CS 5523 Operating Systems: Memory Management (SGG-8) Instructor: Dr Tongping Liu Thank Dr Dakai Zhu, Dr Palden Lama, and Dr Tim Richards (UMASS) for providing their slides Outline Simple memory management:
More informationLabVIEW programming II
FYS3240-4240 Data acquisition & control LabVIEW programming II Spring 2018 Lecture #3 Bekkeng 14.01.2018 Dataflow programming With a dataflow model, nodes on a block diagram are connected to one another
More informationCSE 410: Systems Programming
CSE 410: Systems Programming Concurrency Ethan Blanton Department of Computer Science and Engineering University at Buffalo Logical Control Flows The text defines a logical control flow as: [A] series
More informationCSE398: Network Systems Design
CSE398: Network Systems Design Instructor: Dr. Liang Cheng Department of Computer Science and Engineering P.C. Rossin College of Engineering & Applied Science Lehigh University February 23, 2005 Outline
More information!! How is a thread different from a process? !! Why are threads useful? !! How can POSIX threads be useful?
Chapter 2: Threads: Questions CSCI [4 6]730 Operating Systems Threads!! How is a thread different from a process?!! Why are threads useful?!! How can OSIX threads be useful?!! What are user-level and kernel-level
More informationOPERATING SYSTEM. Chapter 9: Virtual Memory
OPERATING SYSTEM Chapter 9: Virtual Memory Chapter 9: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating Kernel Memory
More informationCourse Details. Operating Systems with C/C++ Course Details. What is an Operating System?
Lecture Course in Autumn Term 2013 University of Birmingham Lecture notes and resources: http://www.cs.bham.ac.uk/ exr/teaching/lectures/opsys/13_14 closed facebook group: UoBOperatingSystems anyone registered
More informationEvaluating BFT Protocols for Spire
Evaluating BFT Protocols for Spire Henry Schuh & Sam Beckley 600.667 Advanced Distributed Systems & Networks SCADA & Spire Overview High-Performance, Scalable Spire Trusted Platform Module Known Network
More informationCMU /618 Practice Exercise 1
CMU 15-418/618 Practice Exercise 1 A Task Queue on a Multi-Core, Multi-Threaded CPU The figure below shows a simple single-core CPU with an and execution contexts for up to two threads of control. Core
More informationIntroduction to Multicore Programming
Introduction to Multicore Programming Minsoo Ryu Department of Computer Science and Engineering 2 1 Multithreaded Programming 2 Synchronization 3 Automatic Parallelization and OpenMP 4 GPGPU 5 Q& A 2 Multithreaded
More informationFlush+Flush: A Stealthier Last-Level Cache Attack
Flush+Flush: A Stealthier Last-Level Cache Attack Daniel Gruss Graz University of Technology, Austria daniel.gruss@iaik.tugraz.at Clémentine Maurice Technicolor, Rennes, France Eurecom, Sophia-Antipolis,
More informationMeltdown and Spectre - understanding and mitigating the threats (Part Deux)
Meltdown and Spectre - understanding and mitigating the threats (Part Deux) Gratuitous vulnerability logos Jake Williams @MalwareJake SANS / Rendition Infosec sans.org / rsec.us @SANSInstitute / @RenditionSec
More informationL0 L1 L2 L3 T0 T1 T2 T3. Eth1-4. Eth1-4. Eth1-2 Eth1-2 Eth1-2 Eth Eth3-4 Eth3-4 Eth3-4 Eth3-4.
Click! N P 10.3.0.1 10.3.1.1 Eth33 Eth1-4 Eth1-4 C0 C1 Eth1-2 Eth1-2 Eth1-2 Eth1-2 10.2.0.1 10.2.1.1 10.2.2.1 10.2.3.1 Eth3-4 Eth3-4 Eth3-4 Eth3-4 L0 L1 L2 L3 Eth24-25 Eth1-24 Eth24-25 Eth24-25 Eth24-25
More informationChapter 8: Virtual Memory. Operating System Concepts Essentials 2 nd Edition
Chapter 8: Virtual Memory Silberschatz, Galvin and Gagne 2013 Chapter 8: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating
More informationEECE.4810/EECE.5730: Operating Systems Spring Midterm Exam March 8, Name: Section: EECE.4810 (undergraduate) EECE.
EECE.4810/EECE.5730: Operating Systems Spring 2017 Midterm Exam March 8, 2017 Name: Section: EECE.4810 (undergraduate) EECE.5730 (graduate) For this exam, you may use two 8.5 x 11 double-sided page of
More informationCS 426 Parallel Computing. Parallel Computing Platforms
CS 426 Parallel Computing Parallel Computing Platforms Ozcan Ozturk http://www.cs.bilkent.edu.tr/~ozturk/cs426/ Slides are adapted from ``Introduction to Parallel Computing'' Topic Overview Implicit Parallelism:
More informationVirtual Memory Outline
Virtual Memory Outline Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating Kernel Memory Other Considerations Operating-System Examples
More informationCommercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory
Commercial Real-time Operating Systems An Introduction Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory swamis@iastate.edu Outline Introduction RTOS Issues and functionalities LynxOS
More informationLK-Tris: A embedded game on a phone. from Michael Zimmermann
LK-Tris: A embedded game on a phone from Michael Zimmermann Index 1) Project Goals 1.1) Must Haves 1.2) Nice to Haves 1.3) What I realized 2) What is embedded Software? 2.1) Little Kernel (LK) 3) Hardware
More informationInternet Programming Week 10. Instructor: Paulo Fernandes Applied Computer Science University of Winnipeg
Internet Programming Week 10 Instructor: Paulo Fernandes Applied Computer Science University of Winnipeg Web Workers Slides only Threading Ever get a slow script message? Q) How could a script be slow
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationTales of the Tail Hardware, OS, and Application-level Sources of Tail Latency
Tales of the Tail Hardware, OS, and Application-level Sources of Tail Latency Jialin Li, Naveen Kr. Sharma, Dan R. K. Ports and Steven D. Gribble February 2, 2015 1 Introduction What is Tail Latency? What
More informationIntroduction to Concurrency (Processes, Threads, Interrupts, etc.)
Introduction to Concurrency (Processes, Threads, Interrupts, etc.) CS-3013 Operating Systems Hugh C. Lauer (Slides include materials from Slides include materials from Modern Operating Systems, 3 rd ed.,
More informationChapter 10: Virtual Memory. Lesson 05: Translation Lookaside Buffers
Chapter 10: Virtual Memory Lesson 05: Translation Lookaside Buffers Objective Learn that a page table entry access increases the latency for a memory reference Understand that how use of translationlookaside-buffers
More informationHY225 Lecture 12: DRAM and Virtual Memory
HY225 Lecture 12: DRAM and irtual Memory Dimitrios S. Nikolopoulos University of Crete and FORTH-ICS May 16, 2011 Dimitrios S. Nikolopoulos Lecture 12: DRAM and irtual Memory 1 / 36 DRAM Fundamentals Random-access
More informationOS: An Overview. ICS332 Operating Systems
OS: An Overview ICS332 Operating Systems Why are we studying this? After all, you probably will not develop an OS Important to understand what you use: Develop better (apps); What can and cannot be done;
More informationGrand Central Dispatch
A better way to do multicore. (GCD) is a revolutionary approach to multicore computing. Woven throughout the fabric of Mac OS X version 10.6 Snow Leopard, GCD combines an easy-to-use programming model
More informationDan Noé University of New Hampshire / VeloBit
Dan Noé University of New Hampshire / VeloBit A review of how the CPU works The operating system kernel and when it runs User and kernel mode Device drivers Virtualization of memory Virtual memory Paging
More informationInstruction-Level Parallelism and Its Exploitation (Part III) ECE 154B Dmitri Strukov
Instruction-Level Parallelism and Its Exploitation (Part III) ECE 154B Dmitri Strukov Dealing With Control Hazards Simplest solution to stall pipeline until branch is resolved and target address is calculated
More informationExam TI2720-C/TI2725-C Embedded Software
Exam TI2720-C/TI2725-C Embedded Software Wednesday April 16 2014 (18.30-21.30) Koen Langendoen In order to avoid misunderstanding on the syntactical correctness of code fragments in this examination, we
More informationOperating Systems. Lecture Course in Autumn Term 2015 University of Birmingham. Eike Ritter. September 22, 2015
Lecture Course in Autumn Term 2015 University of Birmingham September 22, 2015 Course Details Overview Course Details What is an Operating System? OS Definition and Structure Lecture notes and resources:
More informationOUT-OF-ORDER COMMİT PROCESSORS. Paper by; Adrian Cristal, Daniel Ortega, Josep Llosa and Mateo Valero
OUT-OF-ORDER COMMİT PROCESSORS Paper by; Adrian Cristal, Daniel Ortega, Josep Llosa and Mateo Valero INTRODUCTİON Increasing gap between processor speed and memory speed is steadily increasing memory latencies
More informationDT0063 Design tip. Bluetooth Low Energy network: time-stamping and sample-rate-conversion. Purpose and benefits. BLE wireless link overview
DT0063 Design tip Bluetooth Low Energy network: time-stamping and sample-rate-conversion By Andrea Vitali Main components BLUENRG-MS BLUENRG-1 STEVAL- STLKT01V1 Bluetooth Low Energy Network Processor supporting
More informationDepartment of Computer Science, Institute for System Architecture, Operating Systems Group. Real-Time Systems '08 / '09. Hardware.
Department of Computer Science, Institute for System Architecture, Operating Systems Group Real-Time Systems '08 / '09 Hardware Marcus Völp Outlook Hardware is Source of Unpredictability Caches Pipeline
More informationThe Lesson Plan of OS. The syllabus of OS. Access the lesson plan and syllabus at
The Lesson Plan of OS The syllabus of OS Access the lesson plan and syllabus at http://mycse/cse The Slide does not contain all the information and cannot be treated as a study material for Operating System.
More informationCS370 Operating Systems
CS370 Operating Systems Colorado State University Yashwant K Malaiya Spring 2018 L20 Virtual Memory Slides based on Text by Silberschatz, Galvin, Gagne Various sources 1 1 Questions from last time Page
More informationBy Arjan Van De Ven, Senior Staff Software Engineer at Intel.
Absolute Power By Arjan Van De Ven, Senior Staff Software Engineer at Intel. Abstract: Power consumption is a hot topic from laptop, to datacenter. Recently, the Linux kernel has made huge steps forward
More information