[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:20.40,0:00:21.60,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0}
Dialogue: 0,0:00:21.60,0:00:24.84,Default,,0000,0000,0000,,Herald Angel: OK. Welcome to our next\Ntalk. It's called flipping bits from
Dialogue: 0,0:00:24.84,0:00:30.09,Default,,0000,0000,0000,,software without Row hammer, small\Nreminder Row hammer used, still is a
Dialogue: 0,0:00:30.09,0:00:34.02,Default,,0000,0000,0000,,software based fault attack. It was\Npublished in 2015. There were
Dialogue: 0,0:00:34.02,0:00:39.66,Default,,0000,0000,0000,,countermeasures developed and we are still\Nin the process of deploying these
Dialogue: 0,0:00:39.66,0:00:45.69,Default,,0000,0000,0000,,everywhere. And now our two speakers are\Ngoing to talk about a new software based
Dialogue: 0,0:00:45.69,0:00:56.25,Default,,0000,0000,0000,,fault attack to execute commands inside\Nthe SGX environment. Our speakers,
Dialogue: 0,0:00:56.25,0:01:05.00,Default,,0000,0000,0000,,Professor Daniel Gruss from the University\Nof Graz and Kit Murdoch researching at the
Dialogue: 0,0:01:05.00,0:01:10.75,Default,,0000,0000,0000,,University of Birmingham. The content of\Nthis talk is actually in her first
Dialogue: 0,0:01:10.75,0:01:17.03,Default,,0000,0000,0000,,published paper published at IEEE, no\Naccepted at IEEE Security and Privacy next
Dialogue: 0,0:01:17.03,0:01:21.21,Default,,0000,0000,0000,,year. In case you do not come from the\Nacademic world, if this is your this is
Dialogue: 0,0:01:21.21,0:01:22.98,Default,,0000,0000,0000,,always a big deal. If this is your first\Npaper, it even more is, please welcome
Dialogue: 0,0:01:22.98,0:01:28.00,Default,,0000,0000,0000,,them, both of you get a round of applause\Nand enjoy the talk.
Dialogue: 0,0:01:28.00,0:01:31.19,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:01:31.19,0:01:38.03,Default,,0000,0000,0000,,Kit Murdoch: Thank you. Hello. Let's get\Nstarted. This is my favorite recent
Dialogue: 0,0:01:38.03,0:01:45.27,Default,,0000,0000,0000,,attack. It's called Clockscrew. And the\Nreason that it's my favorite is it created
Dialogue: 0,0:01:45.27,0:01:50.14,Default,,0000,0000,0000,,a new class of fault attacks. Daniel\NGruss: Fault attacks. I, I know that.
Dialogue: 0,0:01:50.14,0:01:53.67,Default,,0000,0000,0000,,Fault attacks, you take these\Noscilloscopes and check the voltage line
Dialogue: 0,0:01:53.67,0:01:58.34,Default,,0000,0000,0000,,and then you drop the voltage for a f....\NKit: No, you see, this is why this one is
Dialogue: 0,0:01:58.34,0:02:04.81,Default,,0000,0000,0000,,cool because you don't need any equipment\Nat all. Adrian Tang. He created this
Dialogue: 0,0:02:04.81,0:02:09.70,Default,,0000,0000,0000,,wonderful attack that uses DVFS. What is\Nthat?
Dialogue: 0,0:02:09.70,0:02:13.40,Default,,0000,0000,0000,,Daniel: DVFS ? I don't know, don't\Nviolate format specifications.
Dialogue: 0,0:02:13.40,0:02:19.23,Default,,0000,0000,0000,,Kit: I asked my boyfriend this morning\Nwhat he thought DVFS stood for and he said
Dialogue: 0,0:02:19.23,0:02:22.23,Default,,0000,0000,0000,,Darth Vader fights Skywalker.\N{\i1}Laughter{\i0}
Dialogue: 0,0:02:22.23,0:02:26.29,Default,,0000,0000,0000,,Kit: I'm also wearing his t-shirt\Nspecially for him as well.
Dialogue: 0,0:02:26.29,0:02:30.34,Default,,0000,0000,0000,,Daniel: Maybe, maybe this is more\Ntechnical, maybe dazzling volt for
Dialogue: 0,0:02:30.34,0:02:34.59,Default,,0000,0000,0000,,security like SGX.\NKit: No, it's not that either. Mine was,
Dialogue: 0,0:02:34.59,0:02:39.65,Default,,0000,0000,0000,,the one I came up this morning was: Drink\Nvodka feel silly.
Dialogue: 0,0:02:39.65,0:02:42.93,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NKit: It's not that either. It stands for
Dialogue: 0,0:02:42.93,0:02:48.59,Default,,0000,0000,0000,,dynamic voltage and frequency scaling. And\Nwhat that means really simply is changing
Dialogue: 0,0:02:48.59,0:02:53.08,Default,,0000,0000,0000,,the voltage and changing the frequency of\Nyour CPU. Why do you want to do this? Why
Dialogue: 0,0:02:53.08,0:02:58.27,Default,,0000,0000,0000,,would anyone want to do this? Well, gamers\Nwant fast computers. I am sure there are a
Dialogue: 0,0:02:58.27,0:03:02.86,Default,,0000,0000,0000,,few people out here who will want a really\Nfast computer. Cloud Servers want high
Dialogue: 0,0:03:02.86,0:03:07.75,Default,,0000,0000,0000,,assurance and low running costs. And what\Ndo you do if your hardware gets hot?
Dialogue: 0,0:03:07.75,0:03:13.04,Default,,0000,0000,0000,,You're going to need to modify them. And\Nactually finding a voltage and frequency
Dialogue: 0,0:03:13.04,0:03:17.81,Default,,0000,0000,0000,,that work together is pretty difficult.\NAnd so what the manufacturers have done to
Dialogue: 0,0:03:17.81,0:03:23.23,Default,,0000,0000,0000,,make this easier, is they've created a way\Nto do this from software. They created
Dialogue: 0,0:03:23.23,0:03:29.41,Default,,0000,0000,0000,,memory mapped registers. You modify this\Nfrom software and it has an impact on the
Dialogue: 0,0:03:29.41,0:03:35.07,Default,,0000,0000,0000,,hardware. And that's what this wonderful\Nclockscrew attack did. But they found
Dialogue: 0,0:03:35.07,0:03:41.94,Default,,0000,0000,0000,,something else out, which is you may have\Nheard of: trust zone. Trust zone is in an
Dialogue: 0,0:03:41.94,0:03:47.85,Default,,0000,0000,0000,,enclave in ARM chips that should be able\Nto protect your data. But if you can
Dialogue: 0,0:03:47.85,0:03:52.36,Default,,0000,0000,0000,,modify the frequency and voltage of the\Nwhole core, then you can modify it for
Dialogue: 0,0:03:52.36,0:03:59.22,Default,,0000,0000,0000,,both trust zone and normal code. And this\Nis their attack. In software they modified
Dialogue: 0,0:03:59.22,0:04:05.29,Default,,0000,0000,0000,,the frequency to make it outside of the\Nnormal operating range. And they induced
Dialogue: 0,0:04:05.29,0:04:12.46,Default,,0000,0000,0000,,faults. And so in an arm chip running on a\Nmobile phone, they managed to get out an
Dialogue: 0,0:04:12.46,0:04:17.51,Default,,0000,0000,0000,,AES key from within trust zone. They\Nshould not be able to do that. They were
Dialogue: 0,0:04:17.51,0:04:22.71,Default,,0000,0000,0000,,able to trick trust zone into loading a\Nself-signed app. You should not be able to
Dialogue: 0,0:04:22.71,0:04:31.90,Default,,0000,0000,0000,,do that. That made this ARM attack really\Ninteresting. This year another attack came
Dialogue: 0,0:04:31.90,0:04:39.88,Default,,0000,0000,0000,,out called volt jockey. This also attacked\NARM chips. But instead of looking at
Dialogue: 0,0:04:39.88,0:04:49.46,Default,,0000,0000,0000,,frequency on ARM chips, they were looking\Nat voltage on ARM chips. We're thinking,
Dialogue: 0,0:04:49.46,0:04:57.27,Default,,0000,0000,0000,,what about Intel?\NDaniel: OK, so Intel. Actually, I know
Dialogue: 0,0:04:57.27,0:05:02.06,Default,,0000,0000,0000,,something about Intel because I had this\Nnice laptop from HP. I really liked it,
Dialogue: 0,0:05:02.06,0:05:06.52,Default,,0000,0000,0000,,but it had this problem that it was going\Ntoo hot all the time and I couldn't even
Dialogue: 0,0:05:06.52,0:05:12.91,Default,,0000,0000,0000,,work without it shutting down all the time\Nbecause of the heat problem. So what I did
Dialogue: 0,0:05:12.91,0:05:17.64,Default,,0000,0000,0000,,was I undervolted the CPU and actually\Nthis worked for me for several years. I
Dialogue: 0,0:05:17.64,0:05:21.53,Default,,0000,0000,0000,,used this undervolted for several years.\NYou can also see this, I just took this
Dialogue: 0,0:05:21.53,0:05:27.02,Default,,0000,0000,0000,,from somewhere on the Internet and they\Ncompared with undervolting and without
Dialogue: 0,0:05:27.02,0:05:31.93,Default,,0000,0000,0000,,undervolting. And you can see that the\Nbenchmark score improves by undervolting
Dialogue: 0,0:05:31.93,0:05:38.88,Default,,0000,0000,0000,,because you don't run into the thermal\Nthrottling that often. So there are
Dialogue: 0,0:05:38.88,0:05:43.84,Default,,0000,0000,0000,,different tools to do that. On Windows you\Ncould use RMClock, there's also
Dialogue: 0,0:05:43.84,0:05:47.79,Default,,0000,0000,0000,,Throttlestop. On Linux there's the Linux-\Nintel-undervolt GitHub repository.
Dialogue: 0,0:05:47.79,0:05:52.96,Default,,0000,0000,0000,,Kit: And there's one more, actually.\NAdrian Tang, who I don't know if you know
Dialogue: 0,0:05:52.96,0:05:58.89,Default,,0000,0000,0000,,a bit of a fan. He was the lead author on\NClocks Screw. He wrote his PhD Thesis and
Dialogue: 0,0:05:58.89,0:06:03.21,Default,,0000,0000,0000,,in the appendix he talked about\Nundervolting on Intel machines and how you
Dialogue: 0,0:06:03.21,0:06:07.55,Default,,0000,0000,0000,,do it. And I wish I'd read that before I\Nstarted the paper. That would have saved
Dialogue: 0,0:06:07.55,0:06:12.41,Default,,0000,0000,0000,,an awful lot of time. But thank you to the\Npeople on the Internet for making my life
Dialogue: 0,0:06:12.41,0:06:17.98,Default,,0000,0000,0000,,a lot easier, because what we discovered\Nwas there is this magic module specific
Dialogue: 0,0:06:17.98,0:06:26.88,Default,,0000,0000,0000,,register and it's called Hex 150. And this\Nenables you to change the voltage the
Dialogue: 0,0:06:26.88,0:06:31.23,Default,,0000,0000,0000,,people on the Internet did the work for\Nme. So I know how it works. You first of
Dialogue: 0,0:06:31.23,0:06:37.04,Default,,0000,0000,0000,,all tell it the plain RDX, what it is you\Nwant to, raise the voltage or lower the
Dialogue: 0,0:06:37.04,0:06:43.10,Default,,0000,0000,0000,,voltage. We discovered that the core and\Nthe cache are on the same plane. So you
Dialogue: 0,0:06:43.10,0:06:46.51,Default,,0000,0000,0000,,have to modify them both. But it has no\Neffect, they're together. I guess in the
Dialogue: 0,0:06:46.51,0:06:50.75,Default,,0000,0000,0000,,future they'll be separate. Then you\Nmodify the offset to say, I want to raise
Dialogue: 0,0:06:50.75,0:06:57.08,Default,,0000,0000,0000,,it by this much or lower it by this much.\NSo I thought, let's have a go. Let's write
Dialogue: 0,0:06:57.08,0:07:05.60,Default,,0000,0000,0000,,a little bit of code. Here is the code.\NThe smart people amongst you may have
Dialogue: 0,0:07:05.60,0:07:15.54,Default,,0000,0000,0000,,noticed something. I suspect even my\Nappalling C, even I would recognize that
Dialogue: 0,0:07:15.54,0:07:20.81,Default,,0000,0000,0000,,that loop should never exit. I'm just\Nmultiplying the same thing again and again
Dialogue: 0,0:07:20.81,0:07:25.50,Default,,0000,0000,0000,,and again and again and again and\Nexpecting it to exit. That shouldn't
Dialogue: 0,0:07:25.50,0:07:32.44,Default,,0000,0000,0000,,happen. But let's look at what happened.\NSo I'm gonna show you what I did. Oh..
Dialogue: 0,0:07:32.44,0:07:41.62,Default,,0000,0000,0000,,There we go. So the first thing I'm gonna\Ndo is I'm going to set the frequency to be
Dialogue: 0,0:07:41.62,0:07:45.75,Default,,0000,0000,0000,,one thing because I'm gonna play with\Nvoltage and if I'm gonna play with
Dialogue: 0,0:07:45.75,0:07:51.21,Default,,0000,0000,0000,,voltage, I want the frequency to be\Nset. So, It's quite easy using cpupower,
Dialogue: 0,0:07:51.21,0:07:56.53,Default,,0000,0000,0000,,you set the maximum and the minimum to be\N1 gigahertz. And now my machine is running
Dialogue: 0,0:07:56.53,0:08:01.17,Default,,0000,0000,0000,,at exactly 1 gigahertz. Now we'll look at\Nthe bit of code that you need to
Dialogue: 0,0:08:01.17,0:08:05.09,Default,,0000,0000,0000,,undervolt, again I didn't do the work,\Nthank you to the people on the internet
Dialogue: 0,0:08:05.09,0:08:12.20,Default,,0000,0000,0000,,for doing this. You put the MSR into the\Nkernel and let's have a look at the code.
Dialogue: 0,0:08:12.20,0:08:21.03,Default,,0000,0000,0000,,Does that look right? Oh, it does, looks\Nmuch better up there. Yes, it's that one
Dialogue: 0,0:08:21.03,0:08:27.06,Default,,0000,0000,0000,,line of code. That is the one line of code\Nyou need to open and then we're going to
Dialogue: 0,0:08:27.06,0:08:33.14,Default,,0000,0000,0000,,write to it. And again, oh why is it doing\Nthat? We have a touch sensitive screen
Dialogue: 0,0:08:33.14,0:08:52.67,Default,,0000,0000,0000,,here. Might touch it again. That's the\Nline of code that's gonna open it and
Dialogue: 0,0:08:52.67,0:08:55.97,Default,,0000,0000,0000,,that's how you write to it. And again, the\Npeople on the Internet did the work for me
Dialogue: 0,0:08:55.97,0:08:59.03,Default,,0000,0000,0000,,and told me how I had to write that. So\Nwhat I can do here is I'm just going to
Dialogue: 0,0:08:59.03,0:09:04.25,Default,,0000,0000,0000,,undervolt and I'm gonna undervolt,\Nmultiplying deadbeef by this really big
Dialogue: 0,0:09:04.25,0:09:08.66,Default,,0000,0000,0000,,number. I'm starting at minus two hundred\Nand fifty two millivolts. And we're just
Dialogue: 0,0:09:08.66,0:09:11.14,Default,,0000,0000,0000,,going to see if I ever get out of this\Nloop.
Dialogue: 0,0:09:11.14,0:09:14.02,Default,,0000,0000,0000,,Daniel: But surely the system would just\Ncrash, right?
Dialogue: 0,0:09:14.02,0:09:21.88,Default,,0000,0000,0000,,Kit: You'd hope so, wouldn't you? Let's\Nsee, there we go! We got a fault. I was a
Dialogue: 0,0:09:21.88,0:09:25.07,Default,,0000,0000,0000,,bit gobsmacked when that happened because\Nthe system didn't crash.
Dialogue: 0,0:09:25.07,0:09:29.79,Default,,0000,0000,0000,,Daniel: So that doesn't look too good. So\Nthe question now is, what is the... So you
Dialogue: 0,0:09:29.79,0:09:33.05,Default,,0000,0000,0000,,show some voltage here, some undervolting.\NKit: Yeah
Dialogue: 0,0:09:33.05,0:09:36.69,Default,,0000,0000,0000,,Daniel: What undervolting is actually\Nrequired to get a bit flip?
Dialogue: 0,0:09:36.69,0:09:40.76,Default,,0000,0000,0000,,Kit: We did a lot of tests. We didn't just\Nmultiply by deadbeef. We also multiplied
Dialogue: 0,0:09:40.76,0:09:44.86,Default,,0000,0000,0000,,by random numbers. So here I'm going to\Njust generate two random numbers. One is
Dialogue: 0,0:09:44.86,0:09:50.21,Default,,0000,0000,0000,,going up to f f f f f f one is going up to\Nff. I'm just going to try different, again
Dialogue: 0,0:09:50.21,0:09:57.45,Default,,0000,0000,0000,,I'm going to try undervolting to see if I\Nget different bit flips. And again, I got
Dialogue: 0,0:09:57.45,0:10:03.62,Default,,0000,0000,0000,,the same bit flipped, so I'm getting the\Nsame one single bit flip there. Okay, so
Dialogue: 0,0:10:03.62,0:10:08.00,Default,,0000,0000,0000,,maybe it's only ever going to be one bit\Nflip. Ah, I got a different bit flip and
Dialogue: 0,0:10:08.00,0:10:12.21,Default,,0000,0000,0000,,again a different bit flip and it's,\Nyou'll notice they always appear to be
Dialogue: 0,0:10:12.21,0:10:17.06,Default,,0000,0000,0000,,bits together next to one another. So to\Nanswer Daniel's question, I pressed my
Dialogue: 0,0:10:17.06,0:10:22.98,Default,,0000,0000,0000,,machine a lot in the process of doing\Nthis, but I wanted to know what were good
Dialogue: 0,0:10:22.98,0:10:29.33,Default,,0000,0000,0000,,values to undervolt at. And here they are.\NWe tried for all the frequencies. We tried
Dialogue: 0,0:10:29.33,0:10:33.29,Default,,0000,0000,0000,,what was the base voltage? And then when\Nwas the point at which we got the first
Dialogue: 0,0:10:33.29,0:10:37.53,Default,,0000,0000,0000,,fault? And once we'd done that, it made\Neverything really easy. We just made sure
Dialogue: 0,0:10:37.53,0:10:41.43,Default,,0000,0000,0000,,we didn't go under that and ended up with\Na kernel panic or the machine crashing.
Dialogue: 0,0:10:41.43,0:10:47.16,Default,,0000,0000,0000,,Daniel: So this is already great. I think\Nthis looks like it is exploitable and the
Dialogue: 0,0:10:47.16,0:10:53.91,Default,,0000,0000,0000,,first thing that you need when you are\Nworking on a vulnerability is the name and
Dialogue: 0,0:10:53.91,0:11:00.82,Default,,0000,0000,0000,,the logo and maybe a Website. Everything\Nlike that. And real people on the Internet
Dialogue: 0,0:11:00.82,0:11:05.69,Default,,0000,0000,0000,,agree with me. Like this tweet.\N{\i1}Laughter{\i0}
Dialogue: 0,0:11:05.69,0:11:12.16,Default,,0000,0000,0000,,Daniel: Yes. So we need a name and a logo.\NKit: No, no, we don't need it. Come on.
Dialogue: 0,0:11:12.16,0:11:15.12,Default,,0000,0000,0000,,then. Go on then. What is your idea?\NDaniel: So I thought this is like, it's
Dialogue: 0,0:11:15.12,0:11:20.92,Default,,0000,0000,0000,,like Row hammer. We are flipping bits, but\Nwith voltage. So I called it Volt hammer
Dialogue: 0,0:11:20.92,0:11:25.37,Default,,0000,0000,0000,,and I already have a logo for it.\NKit: We're not, we're not giving it a
Dialogue: 0,0:11:25.37,0:11:27.58,Default,,0000,0000,0000,,logo.\NDaniel: No, I think we need a logo because
Dialogue: 0,0:11:27.58,0:11:34.88,Default,,0000,0000,0000,,people can relate more to the images\Nthere, to the logo that we have. Reading a
Dialogue: 0,0:11:34.88,0:11:39.14,Default,,0000,0000,0000,,word is much more complicated than seeing\Na logo somewhere. It's better for
Dialogue: 0,0:11:39.14,0:11:45.48,Default,,0000,0000,0000,,communication. You make it easier to talk\Nabout your vulnerability. Yeah? And the
Dialogue: 0,0:11:45.48,0:11:50.07,Default,,0000,0000,0000,,name, same thing. How, how would you like\Nto call it? Like undervolting on Intel to
Dialogue: 0,0:11:50.07,0:11:54.35,Default,,0000,0000,0000,,induce flips in multiplications to then\Nrun an exploit? No, that's not a good
Dialogue: 0,0:11:54.35,0:12:02.25,Default,,0000,0000,0000,,vulnerability name. And speaking of the\Nname, if we choose a fancy name, we might
Dialogue: 0,0:12:02.25,0:12:05.55,Default,,0000,0000,0000,,even make it into TV shows like Row\Nhammer.
Dialogue: 0,0:12:05.55,0:12:11.74,Default,,0000,0000,0000,,Video Clip 1A: The hacker used a DRAM Row\Nhammer exploit to gain kernel privileges.
Dialogue: 0,0:12:11.74,0:12:15.05,Default,,0000,0000,0000,,Video Clip 1B: HQ, yeah we've got\Nsomething.
Dialogue: 0,0:12:15.05,0:12:20.69,Default,,0000,0000,0000,,Daniel: So this was in designated Survivor\Nin March 2018 and this guy just got shot.
Dialogue: 0,0:12:20.69,0:12:25.60,Default,,0000,0000,0000,,So hopefully we won't get shot but\Nactually we have also been working. So my
Dialogue: 0,0:12:25.60,0:12:32.83,Default,,0000,0000,0000,,group has been working on Row hammer and\Npresented this in 2015 here at CCC, in
Dialogue: 0,0:12:32.83,0:12:37.50,Default,,0000,0000,0000,,Hamburg back then. It was Row hammer JS\Nand we called it root privileges for web
Dialogue: 0,0:12:37.50,0:12:40.66,Default,,0000,0000,0000,,apps because we showed that you can do\Nthis from JavaScript in a browser. Looks
Dialogue: 0,0:12:40.66,0:12:44.17,Default,,0000,0000,0000,,pretty much like this, we hammered the\Nmemory a bit and then we see a bit flips
Dialogue: 0,0:12:44.17,0:12:49.69,Default,,0000,0000,0000,,in the memory. So how does this work?\NBecause maybe for another fault attack,
Dialogue: 0,0:12:49.69,0:12:52.80,Default,,0000,0000,0000,,software based fault attack, the only\Nother software based fault attack that we
Dialogue: 0,0:12:52.80,0:12:59.37,Default,,0000,0000,0000,,know. So, these are related to DFS and\Nthis is a different effect. So what do we
Dialogue: 0,0:12:59.37,0:13:03.87,Default,,0000,0000,0000,,do here is we look at the DRAM and the\NDRAM is organized in multiple rows and we
Dialogue: 0,0:13:03.87,0:13:10.05,Default,,0000,0000,0000,,will access these rows. These rows consist\Nof so-called cells, which are capacitors
Dialogue: 0,0:13:10.05,0:13:14.45,Default,,0000,0000,0000,,and transistors each. And they store one\Nbit of information each. And the row
Dialogue: 0,0:13:14.45,0:13:18.32,Default,,0000,0000,0000,,buffer, the row size usually is something\Nlike eight kilobytes. And then when you
Dialogue: 0,0:13:18.32,0:13:21.97,Default,,0000,0000,0000,,read something, you copy it to the row\Nbuffer. So it works pretty much like this:
Dialogue: 0,0:13:21.97,0:13:25.82,Default,,0000,0000,0000,,You read from a row, you copy it to the\Nrow buffer. The problem now is, these
Dialogue: 0,0:13:25.82,0:13:31.00,Default,,0000,0000,0000,,capacitors leak over time so you need to\Nrefresh them frequently. And they have
Dialogue: 0,0:13:31.00,0:13:37.66,Default,,0000,0000,0000,,also a maximum refresh interval defined in\Na standard to guarantee data integrity.
Dialogue: 0,0:13:37.66,0:13:43.15,Default,,0000,0000,0000,,Now the problem is that cells leak fast\Nupon proximate accesses, and that means if
Dialogue: 0,0:13:43.15,0:13:49.45,Default,,0000,0000,0000,,you access two locations in proximity to a\Nthird location, then the third location
Dialogue: 0,0:13:49.45,0:13:54.11,Default,,0000,0000,0000,,might flip a bit without accessing it. And\Nthis has been exploited in different
Dialogue: 0,0:13:54.11,0:13:58.71,Default,,0000,0000,0000,,exploits. So the usual strategies is\Nmaybe, maybe we can use some of them. So
Dialogue: 0,0:13:58.71,0:14:03.37,Default,,0000,0000,0000,,the usual strategies here are searching\Nfor a page with a bit flip. So you search
Dialogue: 0,0:14:03.37,0:14:08.23,Default,,0000,0000,0000,,for it and then you find some. Ah, There\Nis a flip here. Then you release the page
Dialogue: 0,0:14:08.23,0:14:13.18,Default,,0000,0000,0000,,with the flip in the next step. Now this\Nmemory is free and now you allocate a lot
Dialogue: 0,0:14:13.18,0:14:17.71,Default,,0000,0000,0000,,of target pages, for instance, page\Ntables, and then you hope that the target
Dialogue: 0,0:14:17.71,0:14:22.46,Default,,0000,0000,0000,,page is placed there. If it's a page\Ntable, for instance, like this and you
Dialogue: 0,0:14:22.46,0:14:26.65,Default,,0000,0000,0000,,induce a bit flip. So before it was\Npointing to User page, then it was
Dialogue: 0,0:14:26.65,0:14:32.54,Default,,0000,0000,0000,,pointing to no page at all because we\Nmaybe unmapped it. And the page that we
Dialogue: 0,0:14:32.54,0:14:37.85,Default,,0000,0000,0000,,use the bit flip now is actually the one\Nstoring all of the PTEs here. So the one
Dialogue: 0,0:14:37.85,0:14:42.99,Default,,0000,0000,0000,,in the middle is stored down there. And\Nthis one now has a bit flip and then our
Dialogue: 0,0:14:42.99,0:14:49.65,Default,,0000,0000,0000,,pointer to our own user page changes due\Nto the big flip and points to hopefully
Dialogue: 0,0:14:49.65,0:14:54.99,Default,,0000,0000,0000,,another page table because we filled that\Nmemory with page tables. Another direction
Dialogue: 0,0:14:54.99,0:15:01.84,Default,,0000,0000,0000,,that we could go here is flipping bits in\Ncode. For instance, if you think about a
Dialogue: 0,0:15:01.84,0:15:07.37,Default,,0000,0000,0000,,password comparison, you might have a jump\Nequal check here and the jump equal check
Dialogue: 0,0:15:07.37,0:15:13.19,Default,,0000,0000,0000,,if you flip one bit, it transforms into a\Ndifferent instruction. And fortunately, oh
Dialogue: 0,0:15:13.19,0:15:18.29,Default,,0000,0000,0000,,this already looks interesting. Ah,\NPerfect. Changing the password check nto a
Dialogue: 0,0:15:18.29,0:15:25.67,Default,,0000,0000,0000,,password incorrect check. I will always be\Nroot. And yeah, that's basically it. So
Dialogue: 0,0:15:25.67,0:15:30.70,Default,,0000,0000,0000,,these are two directions that we might\Nlook at for Row hammer. That's also maybe
Dialogue: 0,0:15:30.70,0:15:35.03,Default,,0000,0000,0000,,a question for Row hammer, why would we\Neven care about other fault attacks?
Dialogue: 0,0:15:35.03,0:15:39.82,Default,,0000,0000,0000,,Because Row hammer works on DDR 3, it\Nworks on DDR 4, it works on ECC memory.
Dialogue: 0,0:15:39.82,0:15:47.84,Default,,0000,0000,0000,,Kit: Does it, how does it deal with SGX?\NDaniel: Ahh yeah, yeah SGX. Ehh, yes. So
Dialogue: 0,0:15:47.84,0:15:51.42,Default,,0000,0000,0000,,maybe we should first explain what SGX is.\NKit: Yeah, go for it.
Dialogue: 0,0:15:51.42,0:15:56.53,Default,,0000,0000,0000,,Daniel: SGX is a so-called TEE trusted\Nexecution environment on Intel processors
Dialogue: 0,0:15:56.53,0:16:01.66,Default,,0000,0000,0000,,and Intel designed it this way that you\Nhave an untrusted part and this runs on
Dialogue: 0,0:16:01.66,0:16:05.88,Default,,0000,0000,0000,,top of an operating system, inside an\Napplication. And inside the application
Dialogue: 0,0:16:05.88,0:16:10.66,Default,,0000,0000,0000,,you can now create an enclave and the\Nenclave runs in a trusted part, which is
Dialogue: 0,0:16:10.66,0:16:16.79,Default,,0000,0000,0000,,supported by the hardware. The hardware is\Nthe trust anchor for this trusted enclave
Dialogue: 0,0:16:16.79,0:16:20.04,Default,,0000,0000,0000,,and the enclave, now you can from the\Nuntrusted part, you can call into the
Dialogue: 0,0:16:20.04,0:16:24.91,Default,,0000,0000,0000,,enclave via a Callgate pretty much like a\Nsystem call. And in there you execute a
Dialogue: 0,0:16:24.91,0:16:31.67,Default,,0000,0000,0000,,trusted function. Then you return to this\Nuntrusted part and then you can continue
Dialogue: 0,0:16:31.67,0:16:35.33,Default,,0000,0000,0000,,doing other stuff. And the operating\Nsystem has no direct access to this
Dialogue: 0,0:16:35.33,0:16:40.02,Default,,0000,0000,0000,,trusted part. This is also protected\Nagainst all kinds of other attacks. For
Dialogue: 0,0:16:40.02,0:16:44.29,Default,,0000,0000,0000,,instance, physical attacks. If you look at\Nthe memory that it uses, maybe I have 16
Dialogue: 0,0:16:44.29,0:16:50.10,Default,,0000,0000,0000,,gigabytes of RAM. Then there is a small\Nregion for the EPC, the enclave page
Dialogue: 0,0:16:50.10,0:16:55.04,Default,,0000,0000,0000,,cache, the memory that enclaves use and\Nit's encrypted and integrity protected and
Dialogue: 0,0:16:55.04,0:16:59.50,Default,,0000,0000,0000,,I can't tamper with it. So for instance,\Nif I want to mount a cold boot attack,
Dialogue: 0,0:16:59.50,0:17:04.35,Default,,0000,0000,0000,,pull out the DRAM, put it in another\Nmachine and read out what content it has.
Dialogue: 0,0:17:04.35,0:17:07.97,Default,,0000,0000,0000,,I can't do that because it's encrypted.\NAnd I don't have the key. The key is in
Dialogue: 0,0:17:07.97,0:17:14.94,Default,,0000,0000,0000,,the processor quite bad. So, what happens\Nif we have bit flips in the EPC? Good
Dialogue: 0,0:17:14.94,0:17:21.84,Default,,0000,0000,0000,,question. We tried that. The integrity\Ncheck fails. It locks up the memory
Dialogue: 0,0:17:21.84,0:17:27.28,Default,,0000,0000,0000,,controller, which means no further memory\Naccesses whatsoever run through this
Dialogue: 0,0:17:27.28,0:17:33.99,Default,,0000,0000,0000,,system. Everything stays where it is and\Nthe system halts basically. It's no
Dialogue: 0,0:17:33.99,0:17:41.42,Default,,0000,0000,0000,,exploit, it's just denial of service.\NKit: Huh. So maybe SGX can save us. So
Dialogue: 0,0:17:41.42,0:17:47.36,Default,,0000,0000,0000,,what I want to know is, Row Hammer clearly\Nfailed because of the integrity check. Is
Dialogue: 0,0:17:47.36,0:17:51.83,Default,,0000,0000,0000,,my attack where I can flip bits. Is this\Ngonna work inside SGX?
Dialogue: 0,0:17:51.83,0:17:55.04,Default,,0000,0000,0000,,Daniel: I don't think so because they\Nhave integrity protection, right?
Dialogue: 0,0:17:55.04,0:17:59.54,Default,,0000,0000,0000,,Kit: So what I'm gonna do is run the same\Nthing in the right hand side is user
Dialogue: 0,0:17:59.54,0:18:03.75,Default,,0000,0000,0000,,space. In the left hand side is the\Nenclave. As you can see, I'm running at
Dialogue: 0,0:18:03.75,0:18:12.28,Default,,0000,0000,0000,,minus 261 millivolts. No error minus 262.\NNo error minus 2... fingers crossed we
Dialogue: 0,0:18:12.28,0:18:20.92,Default,,0000,0000,0000,,don't get a kernel panic. Do you see that\Nthing at the bottom? That's a bit flip
Dialogue: 0,0:18:20.92,0:18:24.76,Default,,0000,0000,0000,,inside the enclave. Oh, yeah.\NDaniel: That's bad.
Dialogue: 0,0:18:24.76,0:18:29.91,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NKit: Thank you. Yeah and it's the same
Dialogue: 0,0:18:29.91,0:18:33.92,Default,,0000,0000,0000,,bit flip that I was getting in user space\N, that is also really interesting.
Dialogue: 0,0:18:33.92,0:18:38.25,Default,,0000,0000,0000,,Daniel: I have an idea. So, it's\Nsurprising that it works right. But I have
Dialogue: 0,0:18:38.25,0:18:45.08,Default,,0000,0000,0000,,an idea. This is basically doing the same\Nthing as clocks group. But on SGX, right?
Dialogue: 0,0:18:45.08,0:18:47.32,Default,,0000,0000,0000,,Kit: Yeah.\NDaniel: And I thought maybe you didn't
Dialogue: 0,0:18:47.32,0:18:51.57,Default,,0000,0000,0000,,like the previous logo, maybe it was just\Ntoo much. So I came up with something more
Dialogue: 0,0:18:51.57,0:18:52.80,Default,,0000,0000,0000,,simple...\NKit: You've come up with a new... He's
Dialogue: 0,0:18:52.80,0:18:55.79,Default,,0000,0000,0000,,come up with a new name.\NDaniel: Yes, SGX Screw. How do you like
Dialogue: 0,0:18:55.79,0:18:59.00,Default,,0000,0000,0000,,it?\NKit: No, we don't even have an attack. We
Dialogue: 0,0:18:59.00,0:19:02.15,Default,,0000,0000,0000,,can't have a logo before we have an\Nattack.
Dialogue: 0,0:19:02.15,0:19:07.35,Default,,0000,0000,0000,,Daniel: The logo is important, right? I\Nmean, how would you present this on a
Dialogue: 0,0:19:07.35,0:19:08.67,Default,,0000,0000,0000,,website\Nwithout a logo?
Dialogue: 0,0:19:08.67,0:19:11.77,Default,,0000,0000,0000,,Kit: Well, first of all, I need an attack.\NWhat am I going to attack with this?
Dialogue: 0,0:19:11.77,0:19:15.06,Default,,0000,0000,0000,,Daniel: I have an idea what we could\Nattack. So, for instance, we could attack
Dialogue: 0,0:19:15.06,0:19:22.30,Default,,0000,0000,0000,,crypto, RSA. RSA is a crypto algorithm.\NIt's a public key crypto algorithm. And
Dialogue: 0,0:19:22.30,0:19:28.28,Default,,0000,0000,0000,,you can encrypt or sign messages. You can\Nsend this over an untrusted channel. And
Dialogue: 0,0:19:28.28,0:19:35.56,Default,,0000,0000,0000,,then you can also verify. So this is\Nactually a typo which should be decrypt...
Dialogue: 0,0:19:35.56,0:19:43.23,Default,,0000,0000,0000,,there, encrypt verifying messages with a\Npublic key or decrypt sign messages with a
Dialogue: 0,0:19:43.23,0:19:53.59,Default,,0000,0000,0000,,private key. So how does this work? Yeah,\Nbasically it's based on exponention modulo a
Dialogue: 0,0:19:53.59,0:20:01.27,Default,,0000,0000,0000,,number and this number is computed from\Ntwo prime numbers. So you, for the
Dialogue: 0,0:20:01.27,0:20:09.36,Default,,0000,0000,0000,,signature part, which is similar to the\Ndecryption basically, you take the hash of
Dialogue: 0,0:20:09.36,0:20:17.76,Default,,0000,0000,0000,,the message and then take it to the power\Nof d modulo n, the public modulus, and
Dialogue: 0,0:20:17.76,0:20:26.39,Default,,0000,0000,0000,,then you have the signature and everyone\Ncan verify that this is actually, later on
Dialogue: 0,0:20:26.39,0:20:34.43,Default,,0000,0000,0000,,can verify this because the exponent part\Nis public. So n is also public so we can
Dialogue: 0,0:20:34.43,0:20:39.88,Default,,0000,0000,0000,,later on do this. Now there is one\Noptimization which is quite nice, which is
Dialogue: 0,0:20:39.88,0:20:44.54,Default,,0000,0000,0000,,Chinese remainder theorem. And this part\Nis really expensive. It takes a long time.
Dialogue: 0,0:20:44.54,0:20:51.00,Default,,0000,0000,0000,,So it's a lot faster, if you split this in\Nmultiple parts. For instance, if you split
Dialogue: 0,0:20:51.00,0:20:56.32,Default,,0000,0000,0000,,it in two parts, you do two of those\Nexponentations, but with different
Dialogue: 0,0:20:56.32,0:21:02.10,Default,,0000,0000,0000,,numbers, with smaller numbers and then it's\Ncheaper. It takes fewer rounds. And if you
Dialogue: 0,0:21:02.10,0:21:06.88,Default,,0000,0000,0000,,do that, you of course have to adapt the\Nformula up here to compute the signature
Dialogue: 0,0:21:06.88,0:21:12.51,Default,,0000,0000,0000,,because, you now put it together out of\Nthe two pieces of the signature that you
Dialogue: 0,0:21:12.51,0:21:19.39,Default,,0000,0000,0000,,compute. OK, so this looks quite\Ncomplicated, but the point is we want to
Dialogue: 0,0:21:19.39,0:21:26.69,Default,,0000,0000,0000,,mount a fault attack on this. So what\Nhappens if we fault this? Let's assume we
Dialogue: 0,0:21:26.69,0:21:36.13,Default,,0000,0000,0000,,have two signatures which are not\Nidentical. Right, S and S', and we
Dialogue: 0,0:21:36.13,0:21:41.12,Default,,0000,0000,0000,,basically only need to know that in one of\Nthem, a fault occurred. So the first is
Dialogue: 0,0:21:41.12,0:21:45.14,Default,,0000,0000,0000,,something, the other is something else. We\Ndon't care. But what you see here is that
Dialogue: 0,0:21:45.14,0:21:51.51,Default,,0000,0000,0000,,both are multiplied by Q plus s2. And if\Nyou subtract one from the other, what do
Dialogue: 0,0:21:51.51,0:21:56.97,Default,,0000,0000,0000,,you get? You get something multiplied with\NQ. There is something else that is
Dialogue: 0,0:21:56.97,0:22:03.48,Default,,0000,0000,0000,,multiplied with Q, which is P and n is\Npublic. So what we can do now is we can
Dialogue: 0,0:22:03.48,0:22:09.64,Default,,0000,0000,0000,,compute the greatest common divisor of\Nthis and n and get q.
Dialogue: 0,0:22:09.64,0:22:14.73,Default,,0000,0000,0000,,Kit: Okay. So I'm interested to see if...\NI didn't understand a word of that, but
Dialogue: 0,0:22:14.73,0:22:19.89,Default,,0000,0000,0000,,I'm interested to see if I can use this to\Nmount an attack. So how am I going to do
Dialogue: 0,0:22:19.89,0:22:25.69,Default,,0000,0000,0000,,this? Well, I'll write a little RSA\Ndecrypt program and what I'll do is I use
Dialogue: 0,0:22:25.69,0:22:32.33,Default,,0000,0000,0000,,the same bit of multiplication that I've\Nbeen using before. And when I get a bit
Dialogue: 0,0:22:32.33,0:22:39.28,Default,,0000,0000,0000,,flip, then I'll do the decryption. All\Nthis is happening inside SGX, inside the
Dialogue: 0,0:22:39.28,0:22:44.14,Default,,0000,0000,0000,,enclave. So let's have a look at this.\NFirst of all, I'll show you the code that
Dialogue: 0,0:22:44.14,0:22:51.58,Default,,0000,0000,0000,,I wrote, again copied from the Internet.\NThank you. So there it is, I'm going to
Dialogue: 0,0:22:51.58,0:22:56.38,Default,,0000,0000,0000,,trigger the fault.I'm going to wait for\Nthe triggered fault, then I'm going to do
Dialogue: 0,0:22:56.38,0:23:00.87,Default,,0000,0000,0000,,a decryption. Well, let's have a quick\Nlook at the code, which should be exactly
Dialogue: 0,0:23:00.87,0:23:04.97,Default,,0000,0000,0000,,the same as it was right at the very\Nbeginning when we started this. Yeah.
Dialogue: 0,0:23:04.97,0:23:10.24,Default,,0000,0000,0000,,There's my deadbeef written slightly\Ndifferently. But there is my deadbeef. So,
Dialogue: 0,0:23:10.24,0:23:13.73,Default,,0000,0000,0000,,now this is ever so slightly messy on the\Nscreen, but I hope you're going to see
Dialogue: 0,0:23:13.73,0:23:22.85,Default,,0000,0000,0000,,this. So minus 239. Fine. Still fine.\NStill fine. I'll just pause there. You can
Dialogue: 0,0:23:22.85,0:23:27.36,Default,,0000,0000,0000,,see at the bottom I've written meh - all\Nfine., If you're wondering. So what we're
Dialogue: 0,0:23:27.36,0:23:33.06,Default,,0000,0000,0000,,looking at here is a correct decryption\Nand you can see inside the enclave, I'm
Dialogue: 0,0:23:33.06,0:23:38.34,Default,,0000,0000,0000,,initializing p and I'm initializing q. And\Nthose are part of the private key. I
Dialogue: 0,0:23:38.34,0:23:43.96,Default,,0000,0000,0000,,shouldn't be able to get those. So 239\Nisn't really working. Let's try going up
Dialogue: 0,0:23:43.96,0:23:49.31,Default,,0000,0000,0000,,to minus 240. Oh oh oh oh! RSA error, RSA\Nerror. Exciting!
Dialogue: 0,0:23:49.31,0:23:51.68,Default,,0000,0000,0000,,Daniel: Okay, So this should work for the\Nattack then.
Dialogue: 0,0:23:51.68,0:23:57.37,Default,,0000,0000,0000,,Kit: So let's have a look, again. I copied\Nsomebodys attack on the Internet where
Dialogue: 0,0:23:57.37,0:24:04.21,Default,,0000,0000,0000,,they very kindly, It's called the lenstra\Nattack. And again, I got I got an output.
Dialogue: 0,0:24:04.21,0:24:08.15,Default,,0000,0000,0000,,I don't know what it is because I didn't\Nunderstand any of that crypto stuff.
Dialogue: 0,0:24:08.15,0:24:09.62,Default,,0000,0000,0000,,Daniel: Me neither.\NKit: But let me have a look at the source
Dialogue: 0,0:24:09.62,0:24:15.69,Default,,0000,0000,0000,,code and see if that exists anywhere in\Nthe source code inside the enclave. It
Dialogue: 0,0:24:15.69,0:24:22.18,Default,,0000,0000,0000,,does. I found p. And if I found p, I can\Nfind q. So just to summarise what I've
Dialogue: 0,0:24:22.18,0:24:31.83,Default,,0000,0000,0000,,done, from a bit flip I have got the\Nprivate key out of the SGX enclave and I
Dialogue: 0,0:24:31.83,0:24:36.13,Default,,0000,0000,0000,,shouldn't be able to do that.\NDaniel: Yes, yes and I think I have an
Dialogue: 0,0:24:36.13,0:24:39.76,Default,,0000,0000,0000,,idea. So you didn't like the previous...\NKit: Ohh, I know where this is going. Yes.
Dialogue: 0,0:24:39.76,0:24:45.98,Default,,0000,0000,0000,,Daniel: ...didn't like the previous name.\NSo I came up with something more cute and
Dialogue: 0,0:24:45.98,0:24:52.74,Default,,0000,0000,0000,,relatable, maybe. So I thought, this is an\Nattack on RSA. So I called it Mufarsa.
Dialogue: 0,0:24:52.74,0:24:57.52,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NDaniel: My Undervolting Fault Attack On
Dialogue: 0,0:24:57.52,0:24:59.70,Default,,0000,0000,0000,,RSA.\NKit: That's not even a logo. That's just a
Dialogue: 0,0:24:59.70,0:25:02.26,Default,,0000,0000,0000,,picture of a lion.\NDaniel: Yeah, yeah it's, it's sort of...
Dialogue: 0,0:25:02.26,0:25:04.66,Default,,0000,0000,0000,,Kit: Disney are not going to let us use\Nthat.
Dialogue: 0,0:25:04.66,0:25:07.43,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NKit: Well it's not, is it Star Wars? No,
Dialogue: 0,0:25:07.43,0:25:10.69,Default,,0000,0000,0000,,I don't know. OK. OK, so Daniel, I really\Nenjoyed it.
Dialogue: 0,0:25:10.69,0:25:13.67,Default,,0000,0000,0000,,Daniel: I don't think you will like any of\Nthe names I suggest.
Dialogue: 0,0:25:13.67,0:25:17.94,Default,,0000,0000,0000,,Kit: Probably not. But I really enjoyed\Nbreaking RSA. So what I want to know is
Dialogue: 0,0:25:17.94,0:25:19.11,Default,,0000,0000,0000,,what else can I break?\NDaniel: Well...
Dialogue: 0,0:25:19.11,0:25:22.75,Default,,0000,0000,0000,,Kit: Give me something else I can break.\NDaniel: If you don't like the RSA part, we
Dialogue: 0,0:25:22.75,0:25:28.30,Default,,0000,0000,0000,,can also take other crypto. I mean there\Nis AES for instance, AES is a symmetric
Dialogue: 0,0:25:28.30,0:25:33.54,Default,,0000,0000,0000,,key crypto algorithm. Again, you encrypt\Nmessages, you transfer them over a public
Dialogue: 0,0:25:33.54,0:25:40.00,Default,,0000,0000,0000,,channel, this time with both sides having\Nthe key. You can also use that for
Dialogue: 0,0:25:40.00,0:25:47.83,Default,,0000,0000,0000,,storage. AES internally uses a 4x4 state\Nmatrix for 4x4 bytes and it runs through
Dialogue: 0,0:25:47.83,0:25:54.39,Default,,0000,0000,0000,,ten rounds which are S-box, which\Nbasically replaces a byte by another byte,
Dialogue: 0,0:25:54.39,0:25:59.03,Default,,0000,0000,0000,,some shifting of rows in this matrix, some\Nmixing of the columns, and then the round
Dialogue: 0,0:25:59.03,0:26:03.15,Default,,0000,0000,0000,,keys is added which is computed from the\NAES key that you provided to the
Dialogue: 0,0:26:03.15,0:26:08.68,Default,,0000,0000,0000,,algorithm. And if we look at the last\Nthree rounds because we want to, again,
Dialogue: 0,0:26:08.68,0:26:12.09,Default,,0000,0000,0000,,mount a fault attack, and there are\Ndifferent differential fault attacks on
Dialogue: 0,0:26:12.09,0:26:18.41,Default,,0000,0000,0000,,AES. If you look at the last rounds,\Nbecause the way of this algorithm works is
Dialogue: 0,0:26:18.41,0:26:22.87,Default,,0000,0000,0000,,it propagates, changes, differences\Nthrough this algorithm. If you'd look at
Dialogue: 0,0:26:22.87,0:26:28.30,Default,,0000,0000,0000,,the state matrix, which only has a\Ndifference in the top left corner, then
Dialogue: 0,0:26:28.30,0:26:33.83,Default,,0000,0000,0000,,this is how the state will propagate\Nthrough the 9th and 10th round. And you
Dialogue: 0,0:26:33.83,0:26:42.47,Default,,0000,0000,0000,,can put up formulas to compute possible\Nvalues for the state up there. If you have
Dialogue: 0,0:26:42.47,0:26:47.76,Default,,0000,0000,0000,,different, if you have encryption, which\Nonly have a difference there in exactly
Dialogue: 0,0:26:47.76,0:26:57.35,Default,,0000,0000,0000,,that single state byte. Now, how does this\Nwork in practice? Well, today everyone is
Dialogue: 0,0:26:57.35,0:27:02.20,Default,,0000,0000,0000,,using AES-NI because that's super fast.\NThat's, again, an instruction set
Dialogue: 0,0:27:02.20,0:27:07.51,Default,,0000,0000,0000,,extension by Intel and it's super fast.\NKit: Oh okay, I want to have a go. Right,
Dialogue: 0,0:27:07.51,0:27:11.97,Default,,0000,0000,0000,,so let me have a look if I can break some\Nof these AES-NI instructions. So I'm to
Dialogue: 0,0:27:11.97,0:27:16.04,Default,,0000,0000,0000,,come at this slightly differently. Last\Ntime I waited for a multiplication fault,
Dialogue: 0,0:27:16.04,0:27:19.71,Default,,0000,0000,0000,,I'm going to do something slightly\Ndifferent. What I'm going to do is put in
Dialogue: 0,0:27:19.71,0:27:26.68,Default,,0000,0000,0000,,a loop two AES encryptions. And I wrote\Nthis using Intel's code, I should say I we
Dialogue: 0,0:27:26.68,0:27:32.76,Default,,0000,0000,0000,,wrote this using Intel's code, example\Ncode. This should never fault. And we know
Dialogue: 0,0:27:32.76,0:27:36.58,Default,,0000,0000,0000,,what we're looking for. What we're looking\Nfor is a fault in the eighth round. So
Dialogue: 0,0:27:36.58,0:27:42.37,Default,,0000,0000,0000,,let's see if we get faults with this. So\Nthe first thing is I'm going to start at
Dialogue: 0,0:27:42.37,0:27:47.51,Default,,0000,0000,0000,,minus 262 millivolt. What's interesting is\Nthat you have to undervolt more when it's
Dialogue: 0,0:27:47.51,0:27:57.35,Default,,0000,0000,0000,,cold so you can tell at what time of day I\Nran these. Oh I got a fault, I got a fault.
Dialogue: 0,0:27:57.35,0:28:01.95,Default,,0000,0000,0000,,Well, unfortunately. Where did that?\NThat's actually in the fourth round. I'm
Dialogue: 0,0:28:01.95,0:28:04.48,Default,,0000,0000,0000,,I'm obviously, eh fifth round, okay.\NDaniel: You can't do anything with that.
Dialogue: 0,0:28:04.48,0:28:09.53,Default,,0000,0000,0000,,Kit: You can't do anything, again in the\Nfifth round. Can't do anything with that,
Dialogue: 0,0:28:09.53,0:28:14.80,Default,,0000,0000,0000,,fifth round again. Oh! Oh we got one. We\Ngot one in the eighth round. And so it
Dialogue: 0,0:28:14.80,0:28:20.71,Default,,0000,0000,0000,,means I can take these two ciphertext and\NI can use the differential fault attack. I
Dialogue: 0,0:28:20.71,0:28:26.62,Default,,0000,0000,0000,,actually ran this twice in order to get\Ntwo pairs of faulty output because it made
Dialogue: 0,0:28:26.62,0:28:30.65,Default,,0000,0000,0000,,it so much easier. And again, thank you to\Nsomebody on the Internet for having
Dialogue: 0,0:28:30.65,0:28:34.75,Default,,0000,0000,0000,,written a differential fault analysis\Nattack for me. You don't, you don't need
Dialogue: 0,0:28:34.75,0:28:39.47,Default,,0000,0000,0000,,two, but it just makes it easy for the\Npresentation. So I'm now going to compare.
Dialogue: 0,0:28:39.47,0:28:44.69,Default,,0000,0000,0000,,Let me just pause that a second, I used\Nsomebody else's differential fault attack
Dialogue: 0,0:28:44.69,0:28:49.60,Default,,0000,0000,0000,,and it gave me in one, for the first pair\Nit gave me 500 possible keys and for the
Dialogue: 0,0:28:49.60,0:28:54.47,Default,,0000,0000,0000,,second it gave me 200 possible keys. I'm\Noverlapping them. And there was only one
Dialogue: 0,0:28:54.47,0:28:59.86,Default,,0000,0000,0000,,key that matched both. And that's the key\Nthat came out. And let's just again check
Dialogue: 0,0:28:59.86,0:29:05.97,Default,,0000,0000,0000,,inside the source code, does that key\Nexist? What is the key? And yeah, that is
Dialogue: 0,0:29:05.97,0:29:09.59,Default,,0000,0000,0000,,the key. So, again what I've...\NDaniel: That is not a very good key,
Dialogue: 0,0:29:09.59,0:29:14.21,Default,,0000,0000,0000,,though.\NKit: No, Ehhh... I think, if you think
Dialogue: 0,0:29:14.21,0:29:17.64,Default,,0000,0000,0000,,about randomness, it's as good as any\Nother. Anyway, ehhh...
Dialogue: 0,0:29:17.64,0:29:21.47,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NKit: What have I done? I have flipped a
Dialogue: 0,0:29:21.47,0:29:29.37,Default,,0000,0000,0000,,bit inside SGX to create a fault in AES\NNew Instruction set that has enabled me to
Dialogue: 0,0:29:29.37,0:29:33.87,Default,,0000,0000,0000,,get the AES key out of SGX. You shouldn't\Nbe able to do that.
Dialogue: 0,0:29:33.87,0:29:40.07,Default,,0000,0000,0000,,Daniel: So. So now that we have multiple\Nattacks, we should think about a logo and
Dialogue: 0,0:29:40.07,0:29:43.28,Default,,0000,0000,0000,,a name, right?\NKit: This one better be good because the
Dialogue: 0,0:29:43.28,0:29:46.96,Default,,0000,0000,0000,,other one wasn't very good.\NDaniel: No, seriously, we are already
Dialogue: 0,0:29:46.96,0:29:47.96,Default,,0000,0000,0000,,soon...\NKit: Okay.
Dialogue: 0,0:29:47.96,0:29:51.43,Default,,0000,0000,0000,,Daniel: We are, we will write this out.\NSend this to a conference. People will
Dialogue: 0,0:29:51.43,0:29:56.51,Default,,0000,0000,0000,,like it, right. This is and I already have\Na name and a logo for it. Kit: Come on
Dialogue: 0,0:29:56.51,0:29:59.35,Default,,0000,0000,0000,,then.\NDaniel: Crypto Vault Screw Hammer.
Dialogue: 0,0:29:59.35,0:30:02.54,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NDaniel: It's like, we attack crypto in a
Dialogue: 0,0:30:02.54,0:30:07.30,Default,,0000,0000,0000,,vault, SGX, and it's like a, like the\NClock screw and like Row hammer. And
Dialogue: 0,0:30:07.30,0:30:11.61,Default,,0000,0000,0000,,like...\NKit: I don't think that's very catchy. But
Dialogue: 0,0:30:11.61,0:30:19.84,Default,,0000,0000,0000,,let me tell you, it's not just crypto. So\Nwe're faulting multiplication. So surely
Dialogue: 0,0:30:19.84,0:30:23.78,Default,,0000,0000,0000,,there's another use for this other than\Ncrypto. And this is where something really
Dialogue: 0,0:30:23.78,0:30:27.89,Default,,0000,0000,0000,,interesting happens. For those of you who\Nare really good at C you can come and
Dialogue: 0,0:30:27.89,0:30:33.87,Default,,0000,0000,0000,,explain this to me later. This is a really\Nsimple bit of C. All I'm doing is getting
Dialogue: 0,0:30:33.87,0:30:39.28,Default,,0000,0000,0000,,an offset of an array and taking the\Naddress of that and putting it into a
Dialogue: 0,0:30:39.28,0:30:43.93,Default,,0000,0000,0000,,pointer. Why is this interesting? Hmmm,\NIt's interesting because I want to know
Dialogue: 0,0:30:43.93,0:30:47.80,Default,,0000,0000,0000,,what the compiler does with that. So I am\Ngoing to wave my magic wand and what the
Dialogue: 0,0:30:47.80,0:30:53.03,Default,,0000,0000,0000,,compiler is going to do is it's going to\Nmake this. Why is that interesting?
Dialogue: 0,0:30:53.03,0:30:58.16,Default,,0000,0000,0000,,Daniel: Simple pointer arithmetic?\NKit: Hmmm. Well. we know that we can fault
Dialogue: 0,0:30:58.16,0:31:02.29,Default,,0000,0000,0000,,multiplications. So we're no longer\Nlooking at crypto. We're now looking at
Dialogue: 0,0:31:02.29,0:31:08.86,Default,,0000,0000,0000,,just memory. So let's see if I can use\Nthis as an attack. So let me try and
Dialogue: 0,0:31:08.86,0:31:12.58,Default,,0000,0000,0000,,explain what's going on here. On the right\Nhand side, you can see the undervolting.
Dialogue: 0,0:31:12.58,0:31:16.24,Default,,0000,0000,0000,,I'm going to create an enclave and I've\Nput it in debug mode so that I can see
Dialogue: 0,0:31:16.24,0:31:20.36,Default,,0000,0000,0000,,what's going on. You can see the size of\Nthe enclave because we've got the base and
Dialogue: 0,0:31:20.36,0:31:28.75,Default,,0000,0000,0000,,the limit of it. And if we look at that in\Na diagram, what that's saying is here. If
Dialogue: 0,0:31:28.75,0:31:34.78,Default,,0000,0000,0000,,I can write anything at the top above\Nthat, that will no longer be encrypted,
Dialogue: 0,0:31:34.78,0:31:41.72,Default,,0000,0000,0000,,that will be unencrypted. Okay, let's\Ncarry on with that. So, let's just write
Dialogue: 0,0:31:41.72,0:31:46.45,Default,,0000,0000,0000,,that one statement again and again, that\Npointer arithmetic again and again and
Dialogue: 0,0:31:46.45,0:31:53.06,Default,,0000,0000,0000,,again whilst I'm undervolting and see what\Nhappens. Oh, suddenly it changed and if
Dialogue: 0,0:31:53.06,0:31:57.56,Default,,0000,0000,0000,,you look at where it's mapped it to, it\Nhas mapped that pointer to memory that is
Dialogue: 0,0:31:57.56,0:32:05.56,Default,,0000,0000,0000,,no longer inside SGX, it has put it into\Nuntrusted memory. So we're just doing the
Dialogue: 0,0:32:05.56,0:32:10.42,Default,,0000,0000,0000,,same statement again and again whilst\Nundervolting. Besh, we've written
Dialogue: 0,0:32:10.42,0:32:14.63,Default,,0000,0000,0000,,something that was in the enclave out of\Nthe enclave. And I'm just going to display
Dialogue: 0,0:32:14.63,0:32:19.35,Default,,0000,0000,0000,,the page of memory that we've got there to\Nshow you what it was. And there's the one
Dialogue: 0,0:32:19.35,0:32:24.58,Default,,0000,0000,0000,,line, it's deadbeef And again, I'm just\Ngoing to look in my source code to see
Dialogue: 0,0:32:24.58,0:32:30.03,Default,,0000,0000,0000,,what it was. Yeah, it's, you know you\Nknow, endianness blah, blah, blah. I have
Dialogue: 0,0:32:30.03,0:32:36.27,Default,,0000,0000,0000,,now not even used crypto. I have purely\Nused pointer arithmetic to take something
Dialogue: 0,0:32:36.27,0:32:43.14,Default,,0000,0000,0000,,that was stored inside Intel's SGX and\Nmoved it into user space where anyone can
Dialogue: 0,0:32:43.14,0:32:46.38,Default,,0000,0000,0000,,read it.\NDaniel: So, yes, I get your point. It's
Dialogue: 0,0:32:46.38,0:32:48.75,Default,,0000,0000,0000,,more than just crypto, right?\NKit: Yeah.
Dialogue: 0,0:32:48.75,0:32:57.49,Default,,0000,0000,0000,,Daniel: It's way beyond that. So we, we\Nleaked RSA keys. We leaked AES keys.
Dialogue: 0,0:32:57.49,0:33:01.26,Default,,0000,0000,0000,,Kit: Go on... Yeah, we did not just that\Nthough we did memory corruption.
Dialogue: 0,0:33:01.26,0:33:06.34,Default,,0000,0000,0000,,Daniel: Okay, so. Yeah. Okay. Crypto Vault\NScrew Hammer, point taken, is not the
Dialogue: 0,0:33:06.34,0:33:10.98,Default,,0000,0000,0000,,ideal name, but maybe you could come up\Nwith something. We need a name and a logo.
Dialogue: 0,0:33:10.98,0:33:14.25,Default,,0000,0000,0000,,Kit: So pressures on me then. Right, here\Nwe go. So it's got to be due to
Dialogue: 0,0:33:14.25,0:33:20.71,Default,,0000,0000,0000,,undervolting because we're undervolting.\NMaybe we can get a pun on vault and volt
Dialogue: 0,0:33:20.71,0:33:26.37,Default,,0000,0000,0000,,in there somewhere. We're stealing\Nsomething, aren't we? We're corrupting
Dialogue: 0,0:33:26.37,0:33:30.59,Default,,0000,0000,0000,,something. Maybe. Maybe we're plundering\Nsomething.
Dialogue: 0,0:33:30.59,0:33:31.88,Default,,0000,0000,0000,,Daniel: Yeah?\NKit: I know.
Dialogue: 0,0:33:31.88,0:33:32.88,Default,,0000,0000,0000,,\NDaniel: No?
Dialogue: 0,0:33:32.88,0:33:37.25,Default,,0000,0000,0000,,Kit: Let's call it plunder volt.\NDaniel: Oh, no, no, no. That's not it.
Dialogue: 0,0:33:37.25,0:33:38.31,Default,,0000,0000,0000,,That's not a good nane.\NKit: What?
Dialogue: 0,0:33:38.31,0:33:42.71,Default,,0000,0000,0000,,Daniel: That, no. We need something...\NThat's really not a good name. People will
Dialogue: 0,0:33:42.71,0:33:51.08,Default,,0000,0000,0000,,hate this name.\NKit: Wait, wait, wait, wait, wait.
Dialogue: 0,0:33:51.08,0:33:53.87,Default,,0000,0000,0000,,Daniel: No...\N{\i1}Laughter{\i0}
Dialogue: 0,0:33:53.87,0:33:57.05,Default,,0000,0000,0000,,Kit: You can read this if you like,\NDaniel.
Dialogue: 0,0:33:57.05,0:34:01.41,Default,,0000,0000,0000,,Daniel: Okay. I, I think I get it. I, I\Nthink I get it.
Dialogue: 0,0:34:01.41,0:34:16.73,Default,,0000,0000,0000,,Kit: No, no, I haven't finished.\N{\i1}Laughter{\i0}
Dialogue: 0,0:34:16.73,0:34:35.33,Default,,0000,0000,0000,,Daniel: Okay. Yeah, this is really also a\Nvery nice comment. Yes. The quality of the
Dialogue: 0,0:34:35.33,0:34:37.66,Default,,0000,0000,0000,,videos, I think you did a very good job\Nthere.
Dialogue: 0,0:34:37.66,0:34:40.88,Default,,0000,0000,0000,,Kit: Thank you.\NDaniel: Also, the website really good job
Dialogue: 0,0:34:40.88,0:34:42.62,Default,,0000,0000,0000,,there.\NKit: So, just to summarize, what we've
Dialogue: 0,0:34:42.62,0:34:52.54,Default,,0000,0000,0000,,done with plunder volt is: It's a new type\Nof attack, it breaks the integrity of SGX.
Dialogue: 0,0:34:52.54,0:34:57.06,Default,,0000,0000,0000,,It's within SGX. We're doing stuff we\Nshouldn't be able to.
Dialogue: 0,0:34:57.06,0:35:01.05,Default,,0000,0000,0000,,Daniel: Like AES keys, we leak AES keys,\Nyeah.
Dialogue: 0,0:35:01.05,0:35:06.32,Default,,0000,0000,0000,,Kit: And we are retrieving the RSA\Nsignature key.
Dialogue: 0,0:35:06.32,0:35:11.11,Default,,0000,0000,0000,,Daniel: Yeah. And yes, we induced memory\Ncorruption in bug free code.
Dialogue: 0,0:35:11.11,0:35:20.02,Default,,0000,0000,0000,,Kit: And we made the Enclave write Secrets\Nto untrusted memory. This is the paper,
Dialogue: 0,0:35:20.02,0:35:27.61,Default,,0000,0000,0000,,that's been accepted next year. It is my\Nfirst paper, so thank you very much. Kit,
Dialogue: 0,0:35:27.61,0:35:29.93,Default,,0000,0000,0000,,that's me.\N{\i1}Applause{\i0}
Dialogue: 0,0:35:29.93,0:35:38.95,Default,,0000,0000,0000,,Kit: Thank you. David Oswald, Flavio\NGarcia, Jo Van Bulck and of course, the
Dialogue: 0,0:35:38.95,0:35:46.41,Default,,0000,0000,0000,,infamous and Frank Piessens. So all that\Nreally remains for me to do is to say,
Dialogue: 0,0:35:46.41,0:35:49.50,Default,,0000,0000,0000,,thank you very much for coming...\NDaniel: Wait a second, wait a second.
Dialogue: 0,0:35:49.50,0:35:53.44,Default,,0000,0000,0000,,There's one more thing, I think you\Noverlooked one of the tweets I added it
Dialogue: 0,0:35:53.44,0:35:56.51,Default,,0000,0000,0000,,here. You didn't see this slide yet?\NKit: I haven't seen this one.
Dialogue: 0,0:35:56.51,0:36:00.90,Default,,0000,0000,0000,,Daniel: This one, I really like it.\NKit: It's a slightly ponderous pun on
Dialogue: 0,0:36:00.90,0:36:06.33,Default,,0000,0000,0000,,Thunderbolt... pirate themed logo.\NDaniel: A pirate themed logo. I really
Dialogue: 0,0:36:06.33,0:36:13.08,Default,,0000,0000,0000,,like it. And if it's a pirate themed logo,\Ndon't you think there should be a pirate
Dialogue: 0,0:36:13.08,0:36:16.21,Default,,0000,0000,0000,,themed song?\N{\i1}Laughter{\i0}
Dialogue: 0,0:36:16.21,0:36:25.35,Default,,0000,0000,0000,,Kit: Daniel, have you written a pirate\Ntheme song? Go on then, play it. Let's,
Dialogue: 0,0:36:25.35,0:36:37.22,Default,,0000,0000,0000,,let's hear the pirate theme song.\N{\i1}music{\i0} -- see screen --
Dialogue: 0,0:36:37.22,0:37:09.23,Default,,0000,0000,0000,,Music: ...Volt down me enclaves yo ho. Aye\Nbut it's fixed with a microcode patch.
Dialogue: 0,0:37:09.23,0:37:30.37,Default,,0000,0000,0000,,Volt down me enclaves yo ho.\NDaniel: Thanks to...
Dialogue: 0,0:37:30.37,0:37:43.87,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NDaniel: Thanks to Manuel Weber and also to
Dialogue: 0,0:37:43.87,0:37:47.48,Default,,0000,0000,0000,,my group at Theo Graz for volunteering for\Nthe choir.
Dialogue: 0,0:37:47.48,0:37:51.98,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NDaniel: And then, I mean, this is now the
Dialogue: 0,0:37:51.98,0:37:58.73,Default,,0000,0000,0000,,last slide. Thank you for your attention.\NThank you for being here. And we would
Dialogue: 0,0:37:58.73,0:38:02.37,Default,,0000,0000,0000,,like to answer questions in the Q&amp;A
Dialogue: 0,0:38:02.37,0:38:07.08,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:38:07.08,0:38:13.79,Default,,0000,0000,0000,,Herald: Thank you for your great talk. And\Nthank you some more for the song. If you
Dialogue: 0,0:38:13.79,0:38:18.72,Default,,0000,0000,0000,,have questions, please line up on the\Nmicrophones in the room. First question
Dialogue: 0,0:38:18.72,0:38:22.64,Default,,0000,0000,0000,,goes to the signal angel, any question\Nfrom the Internet?
Dialogue: 0,0:38:22.64,0:38:26.98,Default,,0000,0000,0000,,Signal-Angel: Not as of now, no.\NHerald: All right. Then, microphone number
Dialogue: 0,0:38:26.98,0:38:29.80,Default,,0000,0000,0000,,4, your question please.\NMicrophone 4: Hi. Thanks for the great
Dialogue: 0,0:38:29.80,0:38:34.81,Default,,0000,0000,0000,,talk. So, why does this happen now? I\Nmean, thanks for the explanation for wrong
Dialogue: 0,0:38:34.81,0:38:38.44,Default,,0000,0000,0000,,number, but it wasn't clear. What's going\Non there?
Dialogue: 0,0:38:38.44,0:38:46.89,Default,,0000,0000,0000,,Daniel: So, too, if you look at circuits\Nfor the signal to be ready at the output,
Dialogue: 0,0:38:46.89,0:38:53.73,Default,,0000,0000,0000,,they need, electrons have to travel a bit.\NIf you increase the voltage, things will
Dialogue: 0,0:38:53.73,0:39:00.43,Default,,0000,0000,0000,,go faster. So they will, you will have the\Noutput signal ready at an earlier point in
Dialogue: 0,0:39:00.43,0:39:05.09,Default,,0000,0000,0000,,time. Now the frequency that you choose\Nfor your processor should be related to
Dialogue: 0,0:39:05.09,0:39:08.60,Default,,0000,0000,0000,,that. So if you choose the frequency too\Nhigh, the outputs will not be ready yet at
Dialogue: 0,0:39:08.60,0:39:13.32,Default,,0000,0000,0000,,this circuit. And this is exactly what\Nhappens, if you reduce the voltage the
Dialogue: 0,0:39:13.32,0:39:17.49,Default,,0000,0000,0000,,outputs are not ready yet for the next\Nclock cycle.
Dialogue: 0,0:39:17.49,0:39:22.72,Default,,0000,0000,0000,,Kit: And interestingly, we couldn't fault\Nreally short instructions. So anything
Dialogue: 0,0:39:22.72,0:39:26.40,Default,,0000,0000,0000,,like an add or an xor, it was basically\Nimpossible to fault. So they had to be
Dialogue: 0,0:39:26.40,0:39:30.86,Default,,0000,0000,0000,,complex instructions that probably weren't\Nfinishing by the time the next clock tick
Dialogue: 0,0:39:30.86,0:39:31.95,Default,,0000,0000,0000,,arrived.\NDaniel: Yeah.
Dialogue: 0,0:39:31.95,0:39:35.58,Default,,0000,0000,0000,,Microphone 4: Thank you.\NHerald: Thanks for your answer. Microphone
Dialogue: 0,0:39:35.58,0:39:38.96,Default,,0000,0000,0000,,number 4 again.\NMicrophone 4: Hello. It's a very
Dialogue: 0,0:39:38.96,0:39:45.16,Default,,0000,0000,0000,,interesting theoretical approach I think.\NBut you were capable to break these crypto
Dialogue: 0,0:39:45.16,0:39:53.05,Default,,0000,0000,0000,,mechanisms, for example, because you could\Ndo zillions of iterations and you are sure
Dialogue: 0,0:39:53.05,0:39:57.93,Default,,0000,0000,0000,,to trigger the fault. But in practice,\Nsay, as someone is having a secure
Dialogue: 0,0:39:57.93,0:40:03.86,Default,,0000,0000,0000,,conversation, is it practical, even close\Nto a possible too to break it with that?
Dialogue: 0,0:40:03.86,0:40:08.21,Default,,0000,0000,0000,,Daniel: It totally depends on your threat\Nmodel. So what can you do with the
Dialogue: 0,0:40:08.21,0:40:12.79,Default,,0000,0000,0000,,enclave? If you, we are assuming that we\Nare running with root privileges here and
Dialogue: 0,0:40:12.79,0:40:17.46,Default,,0000,0000,0000,,a root privileged attacker can certainly\Nrun the enclave with certain inputs, again
Dialogue: 0,0:40:17.46,0:40:21.97,Default,,0000,0000,0000,,and again. If the enclave doesn't have any\Nprotection against replay, then certainly
Dialogue: 0,0:40:21.97,0:40:25.76,Default,,0000,0000,0000,,we can mount an attack like that. Yes.\NMicrophone 4: Thank you.
Dialogue: 0,0:40:25.76,0:40:30.64,Default,,0000,0000,0000,,Herald: Signal-Angel your question.\NSignal: Somebody asked if the attack only
Dialogue: 0,0:40:30.64,0:40:33.98,Default,,0000,0000,0000,,applies to Intel or to AMD or other\Narchitectures as well.
Dialogue: 0,0:40:33.98,0:40:37.90,Default,,0000,0000,0000,,Kit: Oh, good question, I suspect right\Nnow there are people trying this attack on
Dialogue: 0,0:40:37.90,0:40:41.60,Default,,0000,0000,0000,,AMD in the same way that when clock screw\Ncame out, there were an awful lot of
Dialogue: 0,0:40:41.60,0:40:46.76,Default,,0000,0000,0000,,people starting to do stuff on Intel as\Nwell. We saw the clock screw attack on ARM
Dialogue: 0,0:40:46.76,0:40:52.46,Default,,0000,0000,0000,,with frequency. Then we saw ARM with\Nvoltage. Now we've seen Intel with
Dialogue: 0,0:40:52.46,0:40:57.37,Default,,0000,0000,0000,,voltage. And someone else has done similar\NVolt pwn has done something very similar
Dialogue: 0,0:40:57.37,0:41:01.80,Default,,0000,0000,0000,,to us. And I suspect AMD is the next one.\NI guess, because it's not out there as
Dialogue: 0,0:41:01.80,0:41:06.79,Default,,0000,0000,0000,,much. We've tried to do them in the order\Nof, you know, scaring people.
Dialogue: 0,0:41:06.79,0:41:10.13,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NKit: Scaring as many people as possible as
Dialogue: 0,0:41:10.13,0:41:13.79,Default,,0000,0000,0000,,quickly as possible.\NHerald: Thank you for the explanation.
Dialogue: 0,0:41:13.79,0:41:18.32,Default,,0000,0000,0000,,Microphone number 4.\NMicrophone 4: Hi. Hey, great. Thanks for
Dialogue: 0,0:41:18.32,0:41:25.34,Default,,0000,0000,0000,,the representation. Can you get similar\Nresults by Harrower? I mean by tweaking
Dialogue: 0,0:41:25.34,0:41:28.31,Default,,0000,0000,0000,,the voltage that you provide to the CPU\Nor...
Dialogue: 0,0:41:28.31,0:41:32.68,Default,,0000,0000,0000,,Kit: Well, I refer you to my earlier\Nanswer. I know for a fact that there are
Dialogue: 0,0:41:32.68,0:41:37.10,Default,,0000,0000,0000,,people doing this right now with physical\Nhardware, seeing what they can do. Yes,
Dialogue: 0,0:41:37.10,0:41:40.57,Default,,0000,0000,0000,,and I think it will not be long before\Nthat paper comes out.
Dialogue: 0,0:41:40.57,0:41:46.52,Default,,0000,0000,0000,,Microphone 4: Thank you.\NHerald: Thanks. Microphone number one.
Dialogue: 0,0:41:46.52,0:41:51.15,Default,,0000,0000,0000,,Your question. Sorry, microphone 4 again,\Nsorry.
Dialogue: 0,0:41:51.15,0:41:57.92,Default,,0000,0000,0000,,Microphone 4: Hey, thanks for the talk.\NTwo small questions. One, why doesn't
Dialogue: 0,0:41:57.92,0:42:07.79,Default,,0000,0000,0000,,anything break inside SGX when you do\Nthese tricks? And second one, why when you
Dialogue: 0,0:42:07.79,0:42:14.54,Default,,0000,0000,0000,,write outside the enclaves memory, their\Nvalue is not encrypted.
Dialogue: 0,0:42:14.54,0:42:21.84,Default,,0000,0000,0000,,Kit: So the enclave is an encrypted area\Nof memory. So when it points to an
Dialogue: 0,0:42:21.84,0:42:24.26,Default,,0000,0000,0000,,unencrypted, it's just\Ngoing to write it to the unencrypted
Dialogue: 0,0:42:24.26,0:42:28.65,Default,,0000,0000,0000,,memory. Does that make sense?\NDaniel: From the enclaves perspective,
Dialogue: 0,0:42:28.65,0:42:33.08,Default,,0000,0000,0000,,none of the memory is encrypted. This is\Njust transparent to the enclave. So if the
Dialogue: 0,0:42:33.08,0:42:36.68,Default,,0000,0000,0000,,enclave will write to another memory\Nlocation. Yes, it just won't be encrypted.
Dialogue: 0,0:42:36.68,0:42:40.61,Default,,0000,0000,0000,,Kit Yeah. And what's happening is we're\Ngetting flips in the registers. Which is
Dialogue: 0,0:42:40.61,0:42:44.08,Default,,0000,0000,0000,,why I think we're not getting an integrity\Ncheck because the enclave is completely
Dialogue: 0,0:42:44.08,0:42:48.15,Default,,0000,0000,0000,,unaware that anything's even gotten wrong.\NIt's got a value in its memory and it's
Dialogue: 0,0:42:48.15,0:42:51.23,Default,,0000,0000,0000,,gonna use it.\NDaniel: Yeah. The integrity check is only
Dialogue: 0,0:42:51.23,0:42:55.21,Default,,0000,0000,0000,,on the on the memory that you logged from\NRAM. Yeah.
Dialogue: 0,0:42:55.21,0:43:02.59,Default,,0000,0000,0000,,Herald: Okay, microphone number 7.\NMicrophone 7: Yeah. Thank you. Interesting
Dialogue: 0,0:43:02.59,0:43:11.95,Default,,0000,0000,0000,,work. I was wondering, you showed us the\Nexample of the code that wrote outside the
Dialogue: 0,0:43:11.95,0:43:17.23,Default,,0000,0000,0000,,Enclave Memory using simple pointer\Narithmetics. Have you been able to talk to
Dialogue: 0,0:43:17.23,0:43:23.56,Default,,0000,0000,0000,,Intel why this memory access actually\Nhappens? I mean, you showed us the output
Dialogue: 0,0:43:23.56,0:43:28.57,Default,,0000,0000,0000,,of the program. It crashes, but\Nnevertheless, it writes the result to the
Dialogue: 0,0:43:28.57,0:43:34.47,Default,,0000,0000,0000,,resulting memory address. So there must be\Nsomething wrong, like the attack that
Dialogue: 0,0:43:34.47,0:43:39.98,Default,,0000,0000,0000,,happened two years ago at the Congress\Nabout, you know, all that stuff.
Dialogue: 0,0:43:39.98,0:43:46.03,Default,,0000,0000,0000,,Daniel: So generally enclaves can read and\Nwrite any memory location in their host
Dialogue: 0,0:43:46.03,0:43:52.82,Default,,0000,0000,0000,,application. We have also published papers\Nthat basically argued that this might not
Dialogue: 0,0:43:52.82,0:44:00.14,Default,,0000,0000,0000,,be a good idea, good design decision. But\Nthat's the current design. And the reason
Dialogue: 0,0:44:00.14,0:44:04.85,Default,,0000,0000,0000,,is that this makes interaction with the\Nenclave very easy. You can just place your
Dialogue: 0,0:44:04.85,0:44:09.28,Default,,0000,0000,0000,,payload somewhere in the memory. Hand the\Npointer to the enclave and the enclave can
Dialogue: 0,0:44:09.28,0:44:13.81,Default,,0000,0000,0000,,use the data from there, maybe copy it\Ninto the enclave memory if necessary, or
Dialogue: 0,0:44:13.81,0:44:19.58,Default,,0000,0000,0000,,directly work on the data. So that's why\Nthis memory access to the normal memory
Dialogue: 0,0:44:19.58,0:44:24.50,Default,,0000,0000,0000,,region is not illegal.\NKit: And if you want to know more, you can
Dialogue: 0,0:44:24.50,0:44:29.45,Default,,0000,0000,0000,,come and find Daniel afterwards.\NHerald: Okay. Thanks for the answer.
Dialogue: 0,0:44:29.45,0:44:32.73,Default,,0000,0000,0000,,Signal-Angel, the questions from the\NInternet.
Dialogue: 0,0:44:32.73,0:44:39.14,Default,,0000,0000,0000,,Signal-Angel: Yes. The question came up. If, how\Nstable the system you're attacking with
Dialogue: 0,0:44:39.14,0:44:42.15,Default,,0000,0000,0000,,the hammering\Nis while you're performing their attack.
Dialogue: 0,0:44:42.15,0:44:46.18,Default,,0000,0000,0000,,Kit: It's really stable. Once I've been\Nthrough three months of crashing the
Dialogue: 0,0:44:46.18,0:44:49.72,Default,,0000,0000,0000,,computer. I got to a point where I had a\Nreally, really good frequency voltage
Dialogue: 0,0:44:49.72,0:44:55.52,Default,,0000,0000,0000,,combination. And we did discover on all\NIntel chips, it was different. So even, on
Dialogue: 0,0:44:55.52,0:44:59.28,Default,,0000,0000,0000,,what looked like and we bought almost an\Nidentical little nook, we bought one with
Dialogue: 0,0:44:59.28,0:45:05.67,Default,,0000,0000,0000,,exactly the same spec and it had a\Ndifferent sort of frequency voltage model.
Dialogue: 0,0:45:05.67,0:45:09.72,Default,,0000,0000,0000,,But once we'd done this sort of\Nbenchmarking, you could pretty much do any
Dialogue: 0,0:45:09.72,0:45:14.51,Default,,0000,0000,0000,,attack without it crashing at all.\NDaniel: But without this benchmarking,
Dialogue: 0,0:45:14.51,0:45:17.73,Default,,0000,0000,0000,,it's true. We would often reboot.\NKit: That was a nightmare yeah, I wish I'd
Dialogue: 0,0:45:17.73,0:45:20.44,Default,,0000,0000,0000,,done that the beginning. It would've saved\Nme so much time.
Dialogue: 0,0:45:20.44,0:45:25.02,Default,,0000,0000,0000,,Herald: Thanks again for answering.\NMicrophone number 4 your question.
Dialogue: 0,0:45:25.02,0:45:29.26,Default,,0000,0000,0000,,Microphone 4: Can Intel fix this with a\Nmicrocode update?
Dialogue: 0,0:45:29.26,0:45:36.55,Default,,0000,0000,0000,,Daniel: So, there are different approaches\Nto this. Of course, the quick fix is to
Dialogue: 0,0:45:36.55,0:45:41.69,Default,,0000,0000,0000,,remove the access to the MSR, which is of\Ncourse inconvenient because you can't
Dialogue: 0,0:45:41.69,0:45:45.24,Default,,0000,0000,0000,,undervolt your system anymore. So maybe\Nyou want to choose whether you want to use
Dialogue: 0,0:45:45.24,0:45:50.66,Default,,0000,0000,0000,,SGX or want to have a gaming computer\Nwhere you undervolt the system or control
Dialogue: 0,0:45:50.66,0:45:56.22,Default,,0000,0000,0000,,the voltage from software. But is this a\Nreal fix? I don't know. I think there are
Dialogue: 0,0:45:56.22,0:45:58.73,Default,,0000,0000,0000,,more vectors, right?\NKit: Yeah.But, well I'll be interested to
Dialogue: 0,0:45:58.73,0:46:01.21,Default,,0000,0000,0000,,see what they're going to do with the next\Ngeneration of chips.
Dialogue: 0,0:46:01.21,0:46:04.61,Default,,0000,0000,0000,,Daniel: Yeah.\NHerald: All right. Microphone number 7,
Dialogue: 0,0:46:04.61,0:46:08.86,Default,,0000,0000,0000,,what's your question?\NMicrophone 7: Yes, similarly to the other
Dialogue: 0,0:46:08.86,0:46:14.17,Default,,0000,0000,0000,,question, is there a way you can prevent\Nsuch attacks when writing code that runs
Dialogue: 0,0:46:14.17,0:46:17.82,Default,,0000,0000,0000,,in the secure enclave?\NKit: Well, no. That's the interesting
Dialogue: 0,0:46:17.82,0:46:22.74,Default,,0000,0000,0000,,thing, it's really hard to do. Because we\Nweren't writing code with bugs, we were
Dialogue: 0,0:46:22.74,0:46:26.100,Default,,0000,0000,0000,,just writing normal pointer arithmetic.\NNormal crypto. If anywhere in your code,
Dialogue: 0,0:46:26.100,0:46:29.55,Default,,0000,0000,0000,,you're using a multiplication. It can be\Nattacked.
Dialogue: 0,0:46:29.55,0:46:34.75,Default,,0000,0000,0000,,Daniel: But of course, you could use fault\Nresistant implementations inside the
Dialogue: 0,0:46:34.75,0:46:39.16,Default,,0000,0000,0000,,enclave. Whether that is a practical\Nsolution is yet to be determined
Dialogue: 0,0:46:39.16,0:46:41.86,Default,,0000,0000,0000,,Kit: Oh yes, yea, right, you could write\Nduplicate code and do comparison things
Dialogue: 0,0:46:41.86,0:46:46.83,Default,,0000,0000,0000,,like that. But if, yeah.\NHerald: Okay. Microphone number 3. What's
Dialogue: 0,0:46:46.83,0:46:47.83,Default,,0000,0000,0000,,your question?
Dialogue: 0,0:46:47.83,0:46:53.39,Default,,0000,0000,0000,,Microphone 3: Hi. I can't imagine Intel\Nbeing very happy about this and recently
Dialogue: 0,0:46:53.39,0:46:57.45,Default,,0000,0000,0000,,they were under fire for how they were\Nhandling a coordinated disclosure. So can
Dialogue: 0,0:46:57.45,0:47:01.30,Default,,0000,0000,0000,,you summarize experience?\NKit: They were... They were really nice.
Dialogue: 0,0:47:01.30,0:47:06.38,Default,,0000,0000,0000,,They were really nice. We disclosed really\Nearly, like before we had all of the
Dialogue: 0,0:47:06.38,0:47:08.96,Default,,0000,0000,0000,,attacks.\NDaniel: We just had a POC at that point.
Dialogue: 0,0:47:08.96,0:47:11.24,Default,,0000,0000,0000,,Kit: Yeah.\NDaniel: Yeah, Simply POC. Very simple.
Dialogue: 0,0:47:11.24,0:47:14.89,Default,,0000,0000,0000,,Kit: They've been really nice. They wanted\Nto know what we were doing. They wanted to
Dialogue: 0,0:47:14.89,0:47:18.66,Default,,0000,0000,0000,,see all our attacks. I found them lovely.\NDaniel: Yes.
Dialogue: 0,0:47:18.66,0:47:21.88,Default,,0000,0000,0000,,Kit: Am I allowed to say that?\N{\i1}Laughter{\i0}
Dialogue: 0,0:47:21.88,0:47:24.86,Default,,0000,0000,0000,,Daniel: I mean, they also have interest\Nin...
Dialogue: 0,0:47:24.86,0:47:26.95,Default,,0000,0000,0000,,Kit: Yeah.\NDaniel ...making these processes smooth.
Dialogue: 0,0:47:26.95,0:47:30.28,Default,,0000,0000,0000,,So that vulnerability researchers also\Nreport to them.
Dialogue: 0,0:47:30.28,0:47:32.04,Default,,0000,0000,0000,,Kit: Yeah.\NDaniel: Because if everyone says, oh this
Dialogue: 0,0:47:32.04,0:47:37.70,Default,,0000,0000,0000,,was awful, then they will also not get a\Nlot of reports. But if they do their job
Dialogue: 0,0:47:37.70,0:47:39.85,Default,,0000,0000,0000,,well and they did in our case.\NKit: Yeah.
Dialogue: 0,0:47:39.85,0:47:44.45,Default,,0000,0000,0000,,Daniel: Then of course, it's nice.\NHerald: Okay. Microphone number 4...
Dialogue: 0,0:47:44.45,0:47:48.50,Default,,0000,0000,0000,,Danie: We even got a bug bounty.\NKit: We did get a bug bounty. I didn't
Dialogue: 0,0:47:48.50,0:47:51.50,Default,,0000,0000,0000,,want to mention that because I haven't\Ntold my university yet.
Dialogue: 0,0:47:51.50,0:47:55.43,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NMicrophone 4: Thank you. Thank you for the
Dialogue: 0,0:47:55.43,0:48:01.80,Default,,0000,0000,0000,,funny talk. If I understood, you're right,\Nit means to really be able to exploit
Dialogue: 0,0:48:01.80,0:48:07.25,Default,,0000,0000,0000,,this. You need to do some benchmarking on\Nthe machine that you want to exploit. Do
Dialogue: 0,0:48:07.25,0:48:15.24,Default,,0000,0000,0000,,you see any way to convert this to a\Nremote exploit? I mean, that to me, it
Dialogue: 0,0:48:15.24,0:48:19.65,Default,,0000,0000,0000,,seems you need physical access right now\Nbecause you need to reboot the machine.
Dialogue: 0,0:48:19.65,0:48:23.86,Default,,0000,0000,0000,,Kit: If you've done benchmarking on an\Nidentical machine, I don't think you would
Dialogue: 0,0:48:23.86,0:48:27.04,Default,,0000,0000,0000,,have to have physical access.\NDaniel: But you would have to make sure
Dialogue: 0,0:48:27.04,0:48:29.55,Default,,0000,0000,0000,,that it's really an identical machine.\NKit: Yeah.
Dialogue: 0,0:48:29.55,0:48:33.50,Default,,0000,0000,0000,,Daniel: But in the cloud you will find a\Nlot of identical machines.
Dialogue: 0,0:48:33.50,0:48:41.12,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NHerald: Okay, microphone number 4 again.
Dialogue: 0,0:48:41.12,0:48:46.06,Default,,0000,0000,0000,,Daniel: Also, as we said, like the\Ntemperature plays an important role.
Dialogue: 0,0:48:46.06,0:48:47.65,Default,,0000,0000,0000,,Kit: Yeah.\NDaniel: You will also in the cloud find a
Dialogue: 0,0:48:47.65,0:48:52.39,Default,,0000,0000,0000,,lot of machines at similar temperatures\NKit: And there was, there is obviously
Dialogue: 0,0:48:52.39,0:48:55.57,Default,,0000,0000,0000,,stuff that we didn't show you. We did\Nstart measuring the total amount of clock
Dialogue: 0,0:48:55.57,0:49:00.26,Default,,0000,0000,0000,,ticks it took to do maybe 10 RSA\Nencryption. And then we did start doing
Dialogue: 0,0:49:00.26,0:49:03.82,Default,,0000,0000,0000,,very specific timing attacks. But\Nobviously it's much easier to just do
Dialogue: 0,0:49:03.82,0:49:10.45,Default,,0000,0000,0000,,10000 of them and hope that one faults.\NHerald: All right. Seems there are no
Dialogue: 0,0:49:10.45,0:49:13.94,Default,,0000,0000,0000,,further questions. Thank you very much for\Nyour talk. For your research and for
Dialogue: 0,0:49:13.94,0:49:15.14,Default,,0000,0000,0000,,answering all the questions.\N{\i1}Applause{\i0}
Dialogue: 0,0:49:15.14,0:49:18.53,Default,,0000,0000,0000,,Kit: Thank you.\NDaniel: Thank you.
Dialogue: 0,0:49:18.53,0:49:22.48,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:49:22.48,0:49:48.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 20??. Join, and help us!