-
Not Synced
OK everyone
-
Not Synced
also now please join me in welcoming Eric, who is a PhD-student at the VU Amsterdam,
and he will talk about ASLR.
-
Not Synced
Please give him a warm round of appluse.
-
Not Synced
Hello.
-
Not Synced
Like Herold said, I'm Eric, PhD-student at the VU Amsterdam, VUSec group.
-
Not Synced
I will now be presenting work, that we have done in the group.
-
Not Synced
But the work I'm presenting, most of the work was done by Ben and Kaveh and by Stephen, who showed that attack I'm presenting is applicable to all 22 micro CPU micro architectures that he has tested.
-
Not Synced
I tried to sneak this slide in all my talks, but this time is especially apt, because this talk is about finding them.
-
Not Synced
So this talk is about attacking ALSR, which is short for Address Space Layout Randomization.
-
Not Synced
It's an exploit mitigation technique, which as far as deployment concert is one of the success stories since it's been introduced.
-
Not Synced
It's been widely adopted and it makes exploitation somewhat more difficult.
-
Not Synced
The way ASLR makes it more difficult is that it changes the location of code and data usually every time the processes run, so that an attacker cannot rely on certain addresses to be the same all the time.
-
Not Synced
On modern 64 bit architectures the address space usually is 48 bits, which means you can address about 256 terabytes of memory.
-
Not Synced
Of course you cannot write everywhere or read everywhere, because your computer probably doesn't have that much memory.
-
Not Synced
So in reality only very small portion of the memory is allocated to a process.
-
Not Synced
So it's quite easy to change the location of that memory.
-
Not Synced
So it makes life for a exploit writer a tiny bit more difficult, because it's very usefull to know the location of data, for example if you want to overwrite a return address on the stack, then it's nice to know where you can jump to and if you don't known, you may jump into nowhere and the program crashes.
-
Not Synced
However not much is needed to bypass this mitigation.
-
Not Synced
You just need leak location of the memory.
-
Not Synced
So I really like this backronym.
-
Not Synced
You can try to reuse the bug, that you can use to exploit, to first leak information an then exploit.
-
Not Synced
Or, if that is not possible, you can find another bug, which allows you to leak this location.
-
Not Synced
Or maybe you don't have to.
-
Not Synced
This presentation si about an attack, which uses side channel from javascript on processes in the hardware itself, to discover information about locations of data or code in memory.
-
Not Synced
The modern CPU architecture is a wonderous abstraction layer.
-
Not Synced
Even if you as a programmer write machine code, there is lots of stuff you don't have to worry about.
-
Not Synced
Especially stuff to make your programs fast.
-
Not Synced
Memory access is very slow compared to CPU on modern computers.
-
Not Synced
That's why there is a cache mechanism built in.
-
Not Synced
Other things are also abstracted away.
-
Not Synced
For example if your program does a memory access, the data is written to the cache, but where is it written?
-
Not Synced
Your program gives a virtual address to the CPU and the CPU needs to translate that to the physical address, which is done by a component called memory management unit.
-
Not Synced
The memory management unit has a small cache of mappings from virtual memory to physical memory,
-
Not Synced
but if an address is not in the cache, it has to do a page table walk.
-
Not Synced
The page table walk is what we are going to try to attack.
-
Not Synced
We'll measure the effect, that page table walk will have on the L3 cache, the last and biggest cache on the CPU, to find out, what happens in the page table walk.
-
Not Synced
We're talking about doing timing attack from javascript to measure wheter mememory gets accessed, which means that we need a pretty good timer to be able to do this.
-
Not Synced
Luckely for us, the browser standard commitees have come up with an API to just do that.
-
Not Synced
You can take a timestamp, do an operation and then take another timestamp and then you get a very crisp time measurement.
-
Not Synced
Until someone published a paper, which showed basically that you can do last level cache attack on the cpu and discover something.
-
Not Synced
So the browser makers made the time measurements much more granular.
-
Not Synced
Every microsecond or so you get a little bump and then for one microsecond nothing changes.
-
Not Synced
But all is not lost for the attacker, because you can turn the coarse grained timer into a fine grained timer,
-
Not Synced
What you can do is for example wait for this bump to happen and then quickly do an operation and then start a counter.
-
Not Synced
And then, the longer the operation takes, the smaller the counter is when the jump happens.
-
Not Synced
So in chrome they chosed to vary the length of the time when this happens, but still you can do multiple measurements and then you take an average and then you can still get a good measurement.
-
Not Synced
However we can do better.
-
Not Synced
The browser makers decided to make this a bit more difficult, but when the browser standards commitee takes they also gives.
-
Not Synced
They decided to implement an object called the shared array buffer, which allows multiple threads, which are called webworkers in javascript, to work on single piece of memory.
-
Not Synced
They decided to enable this by default, which is actually after we published the attack.
-
Not Synced
They basically given up on preventing nanoseconds scale time measurements in javascript.
-
Not Synced
The shared array buffer can be used for other things, but I'll no talk about this today.
-
Not Synced
So how can we measure time using shared memory.
-
Not Synced
Well it's quite simple.
-
Not Synced
One thread is used for doing the time measurement and the other thread does the operation.
-
Not Synced
The timer thread waits until the the thread, which does the operation sets a variable and starts the operation, meanwhile the timer thread sees that the shared buffer has changed and will start counting and when the operation is done, the second thread changes the buffer again and the counter thread stops.
-
Not Synced
So this gives a very crisp measurement.
-
Not Synced
So now we have a nano second scaled timer and we can do side channel attacks from javascript.
-
Not Synced
So we'll be doing a timer attack on the last level cache and when the CPU accesses memory everything is on the granularity of cache line, which is 64 bytes.
-
Not Synced
Whitin for example the level 3 cache a certain phyiscal address maps on to a certain cache set and this cache set can for example on a four core desktop intel machine contain 16 different cache lines.
-
Not Synced
I'll talk about a modern intel machine, but the concept translates also to other microarchitectures.
