Racing for Privilege: Leaking privileged memory from any Intel system using a microarchitectural race condition (PDF, 69 pages; shared by a member on 三个皮匠报告 for online reading).
#BHUSA BlackHatEvents

Racing for Privilege
Leaking memory on any Intel processor with a microarchitectural race condition
Sandro Regge & Johannes Wikner

Slide 2 (speakers):
- Sandro, PhD student. "Wanted to defend, ended up attacking."
- Johannes, PhD graduate. Speculative execution vulnerabilities: Retbleed, Phantom (e.g., Branch Type Confusion), Inception (SRSO).
- Kaveh, Professor. "Back in 2017."

Slides 3-6:
- "A new paradigm exploitation"
- "?" / "?" / SPECTRE
- Die-shot image credit: Hilbert Hagedoorn, Oct. 2024, "AMD Ryzen 9000 Die Shots gets Annotated In D…" (title cut off in extraction)

Slides 11-20 (diagram series with the panels CORE, BRANCH TARGET PREDICTIONS, CACHES; the panel labels repeat on every slide):
- Program 1 executes `jmp reg`, which uses the branch target predictions.
- Program 1 executes `mov reg, mem`, which uses the caches.
- Program 2, the OS/kernel (ring 0) and the VMM ("ring -1") all run `jmp`, `mov`, `mov`, `jmp`, etc. against the same shared branch target predictions and caches.
- Slide 18: `mov reg, mem`: L1$ is tagged by the full physical memory address! (footnote 1)
- Slide 19: `jmp reg`: the prediction is tagged by a portion of the virtual memory address (footnote 2). So what? It's a design choice.

Slides 21-25 (same panels; the step labels accumulate from slide to slide):
- Slide 21: Program 1 runs `mov; jmp` with `jmp reg` in the branch target predictions. Label: Inject prediction.
- Slide 22: Program 1 runs `mov; mov; mov; mov`. Labels: Prime side channel, Inject prediction, Inject prediction.
- Slide 23: Program 1 executes `syscall`. Labels: Prime side channel, Inject prediction, Inject prediction, Prime side channel.
- Slide 24: OS/kernel (ring 0) executes `jmp reg`. Labels: Prime side channel, Inject prediction, Inject prediction, Prime side channel.
- Slide 25: OS/kernel (ring 0) executes `jmp reg`. Labels: Trigger misprediction, Prime side channel, Inject prediction, Inject prediction, Prime side channel, Tri (extraction cut off here)