It's been more than a week since meltdown and spectre broke out. The CVE numbers corresponding to spectre are CVE-2017-5715 and CVE-2017-5753, and the CVE numbers corresponding to meltdown are CVE-2017-5754
The research related to meltdown and spectre was first described and conjectured at the Blackhat USA conference in 2016. The researchers found that in the user mode of the modern processor architecture, there is a possibility of leaking sensitive information in the inaccessible area of ​​the memory area. , But there was no specific implementation method at that time. Later, researchers from the Graz University of Technology and other laboratories jointly researched the use of the vulnerability conjecture.
Processor-level vulnerabilities can generally affect the development history of the entire cloud computing infrastructure, and the architecture of the cpu itself is also facing severe tests. After reading the general principles, combined with the side channel attack related knowledge that the teacher said when I was in the company's cissp class, I basically understood the vulnerabilities. First, let's take a look at a few concepts that need to be mastered.
Out of order executionIn the pipeline work of the cpu, if the cpu processes the execution instructions in a sequential manner, a relatively large overhead will be generated in the processing performance. Modern processors optimize the way the cpu processes instructions, and program instructions are executed out of order in the same unit clock cycle. Therefore, there may be a possibility of pre-executing the instructions that need to be executed in advance. Although this method improves the CPU's instruction processing efficiency, it may become a means of exploiting kernel vulnerabilities. Explain with examples on wiki
1. b = a * 5
2. v = * b
3. c = a + 3
Here, since 1 and 3 can run concurrently, and the b of 2 cannot be obtained immediately, you can calculate multiplication 1 and addition 3 first, and then run 2.
Address spaceEach process has its own independent memory space in the memory address. The memory space maps the actual memory address into a virtual address by means of PLT page table mapping. At the same time, it defines the kernel address privilege protection related means. This memory space is mainly divided into user-accessible memory addresses and inaccessible kernel address spaces.
The CPU executes an instruction. Generally speaking, at least it has to fetch the instruction from the memory, decode the instruction into a micro-operation (μOP), and the micro-operation finally drives the hardware circuit components in three steps (referred to as instruction fetching, decoding and execution) ), if you execute an instruction, you have to wait until these three steps are completed before the next instruction can be executed, then the execution time of an instruction is too long (in CPU hardware terms, it consumes multiple clock cycles), and the CPU running speed cannot be obtained Effectively improve, sequential execution is an execution method in which the current instruction must be executed before the next instruction can be executed. In order to solve this problem, modern CPUs use branch prediction to predict the instructions that the CPU will execute in advance. We use a simple sentence to summarize this mechanism: If a certain conditional jump goes to a fixed branch within a certain period of time, it can be predicted that this conditional jump instruction is likely to go to this branch next time.
Hidden channel attackIn order to improve memory IO efficiency, frequently used data is usually stored in the cache. The cpu cache reduces the cost of slow memory access delays by caching frequently used data in a smaller and faster memory. Modern CPUs have a multi-level cache mechanism. These caches can usually be provided for CPU memory use or shared by other caches. The PLT table may also be stored in the cache.
Let’s use a popular example to explain the principle of a hidden channel attack: Suppose there is a private space agency with a very high security level (similar to the US Central Intelligence Agency). This agency can only accept external specific intelligence messages (write), but You can’t leak all your internal information to the outside, (read), A is a staff member of the CIA, and B wants to get some sensitive information of the CIA for his own use. B got to know A through a variety of channels, and got some handles from A. A's work also had sensitive documents that B needed. A agreed to B's request for leaking sensitive documents for his own reputation. After discussion, B reached an agreement with A in order to prevent A from revealing himself; after B’s discovery, A’s office turned off the lights at around 12 o’clock every night and the time for turning off the lights was deviated, and B asked A to control the office by certain means. The turn-off time is 12 o'clock as the demarcation point. The turn-off signal before twelve o'clock is counted as 1, and the turn-off signal after twelve o'clock is counted as 0. In this way, B and A kept leaking the secrets of the CIA through covert methods.
Hidden channel attacks are also called side-channel attacks. This attack attack is a way to attack the CPU memory by using the timing difference introduced by the cache. The vulnerability poc uses a method based on Flush+Reload to leak the cache. This attack uses the last level of cache and uses clflush to refresh the target memory location. By measuring the time required to reload the data, an attacker can determine whether the data is loaded into the cache by another process at the same time.
0x02 Spectre attackAfter understanding the key points above, let's take a look at the real use of spectre attacks. Refer to the code snippet on spectre attack
if(x《array1_size)
y = array2ï¼»array1ï¼»xï¼½ * 256ï¼½
In the code snippet, it is first judged whether the user process crosses the boundary to access the illegal access area of ​​the array. To a certain extent, this approach prevents the processor from accessing illegally accessed sensitive data areas. However, under the condition of out-of-order execution, assuming that the attacker can manipulate the value of x (corresponding to array[x] = k) to leak the memory value of a single byte, at this time array1_size and array2 are not cached in the cache, but k has been stored The cache is cached. At this time, the attacker can let the cpu execute the instruction that is judged to be true multiple times. After multiple executions, the cpu will read the next instruction predictively. At this time, as long as the attacker suddenly changes x to the illegal access memory value, the cpu can be allowed Misread the value in the illegal area to achieve the purpose of leaking the memory information of the illegal address.
40 Port Usb Charger,Usb Power Strip,Multiple Usb Charger,40 Port Multiple Usb Chargers
shenzhen ns-idae technology co.,ltd , https://www.szbestchargers.com