Microarchitecture Vulnerabilities: Past, Present, and Future

Outline: Past; Present; Logic Issues; Exploitation Techniques; Physical Domain in Software; Mitigation Efforts; Prevention (Pre-silicon, Post-silicon); Future; Takeaways.
Mitigation efforts: physical hardware cannot be changed in the field, so vendors build in "survivability features". Microcode is the most commonly used tool for mitigations; other firmware is also used, as are "chicken bits" that disable or change behavior. Some issues are best mitigated in software. Mitigations are not always possible or reasonable, and are almost always difficult and time-consuming to engineer.

Bypassing ARM’s Memory Tagging Extension with a Side-Channel Attack

This talk explains a research project on how to bypass ARM's Memory Tagging Extension (MTE), a hardware feature designed to prevent memory corruption vulnerabilities. Here are the key takeaways: ARM MTE: MTE works like a "lock and key" system. Pointers carry a "key" (a 4-bit tag) and memory objects carry a "lock" (also a 4-bit tag). If the key and lock don't match when a pointer tries to access memory, the program crashes, preventing an attack. The Challenge: The tags are randomly generated, making it difficult for an…

Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V

In this talk, Fabian Thomas and Laurent Schmierer introduce "GhostRider," a zero-day vulnerability they discovered in the T-Head C910 RISC-V processor. This vulnerability allows data manipulation and leakage by bypassing software isolation and writing directly to physical memory. Here are the key points discussed: GhostRider Vulnerability: This exploit allows unprivileged applications to bypass the operating system and other security measures and interact directly with hardware. It exploits a flaw in a RISC-V vector instruction to write to physical memory instead of virtual memory, enabling arbitrary data manipulation, memory leakage, and privilege…

[Computer Architecture] The Tomasulo Algorithm

1. Data hazards. There are four kinds of data dependence: RAR, WAR, WAW and RAW. RAR does not affect instruction execution, so it is generally ignored when discussing data dependences; the important difference among WAR, WAW and RAW lies in whether there is a true data dependency. WAR and WAW involve no real data dependency, i.e., no data flows between the instructions involved in the hazard, so these hazards can be eliminated by register renaming. RAW hazards cannot be resolved this way, because the data read by the later instruction is computed by the earlier instruction; that is a genuine data dependency.
2. The Tomasulo algorithm. Tomasulo is a dynamic instruction scheduling algorithm for computer hardware architectures; it eliminates false data hazards through register renaming and improves the machine's out-of-order performance. Tomasulo scheduling has three steps: issue, execute, and write back.
Implementation structure of the Tomasulo algorithm. Issue: Tomasulo issues in order, i.e., instructions are issued one by one to the reservation stations in program order. The only criterion for whether an instruction can issue is whether the reservation station of its functional unit has a free entry; as long as there is a free entry, the instruction can be issued into the reservation station. At the end of the cycle the reservation station and the register result status table are updated; if the instruction has operands that are already available, they are copied into the reservation station immediately; the register result status table always holds the latest value, i.e., if the later...

The Hack@DAC Story: Learnings from Organizing the World’s Largest Hardware Hacking Competition

Computing stack challenges observed during offensive security research at Intel: awareness of hardware common weaknesses [CONCEPTS], security-aware design automation [TOOLS], and "shift-left" to detect and fix bugs in RTL [BEST PRACTICES].
1. Limited awareness of HW security weaknesses
2. Need for security-aware design automation tools
3. Need to detect and fix bugs at the RTL design phase
SW bugs are fixed with patches; HW bugs are complicated to fix: time consuming, expensive, and damaging to the brand.
System on a Chip (SoC) security objectives: Data confidentiality: protect secrets from unauthorized access. Data integrity: protect data from modification by untrusted…