How to have a Meltdown PDF
Preview How to have a Meltdown
www.tugraz.at How to have a Meltdown DanielGruss GrazUniversityofTechnology April19/20,2018—CryptacusTrainingSchool DanielGruss,GrazUniversityofTechnology 1 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Get your computer ready! Within the first two hours we will: Checkout https://github.com/IAIK/cache_template_attacks Make a histogram Key stroke attack on an editor Try to establish a covert channel DanielGruss,GrazUniversityofTechnology 2 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Get your computer ready! Within the third hour we will: Use our covert channel in a Meltdown attack Leak data from kernel addresses for Meltdown: boot with nopti nokaslr DanielGruss,GrazUniversityofTechnology 3 April19/20,2018—CryptacusTrainingSchool www.tugraz.at 1. Quick Start 2. Measuring and exploiting timing leakage 3. CPU caches 4. Cache attacks 5. Cache covert channels 6. Cache template attacks DanielGruss,GrazUniversityofTechnology 4 April19/20,2018—CryptacusTrainingSchool www.tugraz.at What to profile? # ps -A | grep gedit # cat /proc/pid/maps 00400000-00489000 r-xp 00000000 08:11 396356 /usr/bin/gedit 7f5a96991000-7f5a96a51000 r-xp 00000000 08:11 399365 /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.1400.14 ... memory range, access rights, offset, –, –, file name DanielGruss,GrazUniversityofTechnology 5 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Profiling a single event cd ../profiling/generic_low_frequency_example # put the threshold into spy.c (MIN_CACHE_MISS_CYCLES) make ./spy # start the targeted program sleep 2; ./spy 200 400000-489000 -- 20000 -- -- /usr/bin/gedit ... and hold down key in the targeted program save addresses with peaks! DanielGruss,GrazUniversityofTechnology 6 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Exploitation phase cd ../exploitation/generic # put the threshold into spy.c (MIN_CACHE_MISS_CYCLES) make ./spy file offset DanielGruss,GrazUniversityofTechnology 7 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Information leakage Shared hardware Memory x86 CPU Memory Memory Branch Arithmetic Data and deduplication bus prediction logic instruction unit unit cache DanielGruss,GrazUniversityofTechnology 8 April19/20,2018—CryptacusTrainingSchool fast cross-core attacks! → www.tugraz.at Why targeting the cache? shared across cores fast DanielGruss,GrazUniversityofTechnology 9 April19/20,2018—CryptacusTrainingSchool www.tugraz.at Why targeting the cache? shared across cores fast fast cross-core attacks! → DanielGruss,GrazUniversityofTechnology 9 April19/20,2018—CryptacusTrainingSchool
Description:The list of books you might like
