利用侧信道攻击绕过 ARM 的内存标记扩展.pdf

《利用侧信道攻击绕过 ARM 的内存标记扩展.pdf》由会员分享，可在线阅读，更多相关《利用侧信道攻击绕过 ARM 的内存标记扩展.pdf（68页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsBypassing ARMs Memory Tagging Extension with a Side-Channel AttackSpeaker:Juhee Kim 2Juhee KimPh.D Student at CompSec Lab,Seoul National Universitykimjuhi96snu.ac.krFocuses on-Software and Systems security-Bug finding,Attack mitigation-Linux kernel,Web browser,GPU/ML systemsWhoa

2、miContributorsJinbum ParkSecurity researcher at Samsung ResearchSystem security,Confidential ComputingPublished in USENIX Security and ASPLOSSihyeon RohPh.D Student at CompSec LabHardware side-channelsJaeyoung ChungPh.D Student at CompSec LabSystem SecurityCTF playerYoungjoo LeePh.D Student at CompS

3、ec LabFuzzing,Browser security,Bug gountyCTF player3Taesoo KimVice president of Samsung Research Professor of Georgia TechWon several best paper awards from USENIX Security,EuroSysByoungyoung LeeProfessor of Seoul National UniversityLeads CompSec LabSystem security,Confidential computingPrevious CTF

4、 playerSpoken at Black HatMTE Tag Leakage Side-ChannelMTE4RoadmapCache Side-ChannelCacheSpeculative Executionif(cond)TrueFalseARM Memory Tagging ExtensionReal-world MTE Bypass AttackJSMTEMTE Tag Leakage Side-ChannelMTE5RoadmapCache Side-ChannelCacheSpeculative Executionif(cond)TrueFalseARM Memory Ta

5、gging ExtensionReal-world MTE Bypass AttackJSMTEMemory corruption attacksHeartbleed(2014)OpenSSL information leakBLASTPASS(2023)Bad Binder(2019)6have been the most pervasive and dangerous security threatsreggreSSHion(2024)What is Memory Corruption?7&obj1obj1PointerValid AccessMemory&obj2obj1PointerM

6、emoryInvalid Access(Out-of-bounds)obj2What is Memory Corruption?8&obj1obj1PointerValid AccessMemory&obj1FreedPointerMemoryInvalid Access(Use-after-free)70s-80sStack OverflowStack CanariesStackGuardASLRDEP/NXCFI90s2000s2010s2020sARM PACHeap OverflowROP/JOPDOPSpectreJIT sprayingAttack and Defense Tech