Microarchitecture Vulnerabilities: Past, Present, and Future

Past
Present
Logic Issues
Exploitation Techniques
Physical Domain in Software
Mitigation Efforts
Physical hardware cannot be changed in the field
Vendors build in "Survivability features"
Microcode is the most commonly used tool for mitigations
Other firmware is also used
"Chicken bits" to disable / change behavior
Some issues are best mitigated in software
Mitigations are not always possible/reasonable and almost always difficult and time-consuming to engineer
Prevention
Pre-silicon
Post-silicon
Future
Take Aways

SysBumps: Exploiting Speculative Execution in System Calls

The video presents an attack technique called SysBumps, demonstrated by researchers Hyerean Jang, Taehun Kim, and Youngjoo Shin at Black Hat Europe 2024. Here’s what it’s about: What SysBumps Does: SysBumps breaks Kernel Address Space Layout Randomization (KASLR) on macOS systems running on Apple Silicon, including M-series chips. It uses speculative execution within system calls, triggering side-channel behaviors that allow an unprivileged attacker to detect kernel memory layout. How the Attack Works: Using system calls that involve speculative execution, attackers can influence the translation lookaside buffer (TLB). This manipulation allows…

Bypassing ARM’s Memory Tagging Extension with a Side-Channel Attack

This explains a research project on how to bypass ARM's Memory Tagging Extension (MTE), a hardware feature designed to prevent memory corruption vulnerabilities. Here are the key takeaways: ARM MTE: MTE works like a "lock and key" system. Pointers have a "key" (a 4-bit tag) and memory objects have a "lock" (also a 4-bit tag). If the key and lock don't match when a pointer tries to access memory, the program will crash, preventing an attack. The Challenge: The tags are randomly generated, making it difficult for an…

Uncovering Supply Chain Attack with Code Genome Framework

This talk from IBM Research focuses on using AI and machine learning to combat supply chain attacks. The presenters highlight the increasing lack of trust in software due to major security breaches like the XZ backdoor. Here are the key takeaways: The Problem: There's a "semantic gap" between what code is expected to do and what it actually does. This gap is exploited in supply chain attacks where malicious code is hidden in software updates or open-source projects. The Solution: The researchers introduce the "Code Genome Framework," an…

The Devil is in the (Micro-) Architectures: Uncovering New Side-Channel and Bit-Flip Attack Surfaces

Jolio and Yenzo discuss new attack vectors on Deep Neural Network (DNN) executables, specifically focusing on side-channel and bit-flip vulnerabilities. Here's a summary of the key points: DNN Executables and Vulnerabilities: The talk begins by explaining that cloud service providers deploy machine learning models as valuable services. Attackers can exploit side-channels to learn about the architecture of these models, which then opens the door for other attacks. The speakers investigate if DNN executables, created through deep learning compilation for performance, are also vulnerable. Deep Compilation and Side-Channels: Deep…

Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V

Fabian Thomas and Laurent Schmierer introduce "GhostRider," a zero-day vulnerability they discovered in the T-Head C910 RISC-V processor. This vulnerability allows for data manipulation and leakage by bypassing software isolation and writing directly to physical memory. Here are the key points discussed: GhostRider Vulnerability: This exploit allows unprivileged applications to bypass operating systems and other security measures to interact directly with hardware. It exploits a flaw in a RISC-V vector instruction to write to physical memory instead of virtual memory, enabling arbitrary data manipulation, memory leakage, and privilege…

Ubuntu XRDP

XRDP is a cross-platform remote desktop connection tool that can be used on Windows and Linux. Using XRDP on Ubuntu allows you to remotely connect to a Linux machine from a Windows computer for file transfer, remote control, and other operations.

Install XRDP

First, you need to install XRDP on Ubuntu. Open the terminal and enter the following commands to install it:

sudo apt update
sudo apt install xrdp

After the installation is complete, you can check whether XRDP was successfully installed by entering the following command:

xrdp --version…

An introduction to GCC and GCC’s plugins

1. Brief introduction to GNU’s GCC

The GNU toolchain is a collection of tools and libraries produced in the context of the GNU project. In 1983, Richard Stallman announced the GNU project. Its goal was to give the community freedom and control in their use of computing devices by developing (collaboratively) free software and letting users modify, copy, and distribute it freely. The GNU toolchain was part of that software and today includes some of the most widespread tools used to develop and compile applications, such as: GNU make:…

How to run a program with commandline arguments using GDB within a Bash script?

Run gdb with --args parameter: gdb --args executablename arg1 arg2 arg3 If you are doing this often (e.g. when running GDB from a script), you might want to consider the following arguments to automate things further. First, you can place your GDB commands (such as 'run') in a text file and provide the filename to the -x argument. Second, you can have GDB exit after running your commands by providing the --batch argument. A full example: gdb -x commands.txt --batch --args executablename arg1 arg2 arg3

Lima Ubuntu VM setup on Mac

Homebrew

Installation

/bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)"

Uninstallation

/bin/zsh -c "$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/HomebrewUninstall.sh)"

Lima launches Linux virtual machines with automatic file sharing and port forwarding (similar to WSL2).

# Install
brew install lima
# Create VM
limactl create --cpus=8 --memory=8 --name=default template://ubuntu
limactl list
# Start && Enter
limactl start default
limactl shell default
# Stop
limactl stop default
# Delete
limactl delete default
# Protect && Unprotect
limactl protect default
limactl unprotect default
# Copy
# Host -> VM
limactl cp ~/Downloads/test.png default:/tmp
# VM -> Host…