
The Memory of a Meltdown

BSidesSF 2018 · 24:59 · 139 views · Published 2018-05
Category: Technical
About this talk
Shane Cota, Chris Magistrado: The Memory of a Meltdown, and No We Don't Mean Britney

Software bugs can be patched as soon as the vendor pushes an update and the user updates their system. Hardware bugs are a bit more difficult to patch. Within the past few months, Spectre and Meltdown have provided hackers the ability to access memory outside the scope of their permissions. We will be getting our hands dirty with memory to demonstrate how both these vulnerabilities work and how we use a PoC to exploit these vulnerabilities.
Transcript (en)

Hi, welcome to track 3. Thank you. So if you could please silence your phones, that would be appreciated. We would like to also thank our sponsors, Adobe for all the speaker gifts, and Google and HackerOne, and all the volunteers that are here at BSides. This is track 3. Our next speaker is Chris Magistrado. He's gonna be presenting The Memory of a Meltdown, and No We Don't Mean Britney. He's also the co-founder of the Hacking Club at SF State, San Francisco State University. Thank you. Hi everybody. Okay, so I usually like to gauge the audience in terms of, like, technical understanding, so it helps me, like, better present for everyone in my audience, so I

can I see a raise of hands of people that know, we'll go top-down: Python? Yeah. C? Assembly? Oh damn, okay, you guys are smart, okay, cool, this is intimidating. Okay, okay, sweet. So yeah, so I usually like to start off talking about something more fun. So I got really interested in, like, malware analysis and researching malware after traveling a little bit and stuff like that, after meeting some more researchers, so really just taking apart the binary and seeing what's there. So I don't know if you guys are like me, but you know, taking a look at a piece of malware, seeing how it works or seeing how people write it, is very, very interesting to me

and stuff like that. So yeah, and then more recently I've been, I'm a security contractor as well, so I've been contracted to create proprietary rules based on CVEs and looking at different ransomware and stuff like that, and this one was, like, more so discovered recently. I thought it was really cool. Most ransomware, it says you need to pay up; this one specifically, they forced you to play a demo for one hour and then they unlock your files. It's not a very clever piece of ransomware, because in the actual binary itself you can derive the key and just, you know, be okay, but there's some technical feats that have to get done to do that, but you can

also just download the thing to unlock your computer. And then, like most talks start: these are my words, these aren't any of my employers' or anyone who's hired me and stuff like that, this is just me talking and sharing with you what I've learned in my experience. Okay, so as I said before, my name is Chris Magistrado. I started, I was one of the co-founders of the Hacking Club at SF State. Started in 2016, it's still going strong, we have different members come out all the time. It's really great to see people passionate about security and really interested in learning more and being excited about learning. I took, at SF State I went to the computer science

department, and I really saw that there was a need for other types of careers than the curriculum provided. A lot of the curriculum seems like it's more geared towards web development; you don't really get into deeper-level architecture and things like that, and I really wanted to show that there was, obviously, a career choice outside of the given path and stuff like that. So I was very happy to do that. I volunteered at BayThreat, that doesn't exist anymore, BSides Las Vegas, CCC Camp, which is really fun, definitely check it out, and then Shot 2017 as well, which I also spoke at, and I've done a few different speaking engagements as well.

So yeah, that's me. Okay, so let's get into the details. So what will I talk about? The reason for everything. So we have to go over side-channel attacks, speculation, speculative execution, and then out-of-order operations. Just for the basis, how many people are familiar with any one of those concepts? Okay, alright, sweet, so I'll try to, like, go by that pretty quickly then, and then the vulnerabilities, Spectre, Meltdown, exploitation, mitigation, and then PoC and demo. Pray to the demo gods for that. Okay, so who discovered the bug? So it was independent researchers of multiple parties, TU Graz, as well as Google Project Zero, which they specifically just do research. Okay, so we'll go over

side-channel attacks, because most people know it we'll go over this pretty quickly so we can get to more of the fun stuff. So you can store data in different locations and stuff like that. So what a side-channel attack via cache is, also known as, like, Flush+Reload: it allows you to do something and then store some information in cache, and then what you do is you check to see, hey, is this variable or this thing in cache, and check to see the time it takes for you to receive that. So you time how long it takes you to receive the item or the piece of data, right, in the information,

so if it happens super quickly, that means it's probably in cache somewhere, whether it be L1, L2, L3, and if it takes a little bit longer relative to the time it takes you to pull it from cache, then it's probably in RAM and it's not there. The reason this is important is because this is how you determine if you can pull information, basically, because of these vulnerability bugs you're able to pull anything that's stored in a cache registry, and if it's on the core then you're able to just keep pulling all of it, even if it's not your process, even if it's not your VM. So this brings us to out-of-order execution. Show of hands of how many

people know this? Okay, okay, go, it's been a little bit of time on this one. So instead of, so when we're programming we believe that, okay, it goes in the process that we are actually writing the code in. In reality this is not entirely the case. What happens is, for optimization, the people that design the CPU architectures, or a lot of them, they incorporated out-of-order execution to make programs run a lot faster and quicker, and they started doing this a while ago, we'll talk about that as well. What this does is, if you can look here and see, it actually depends on if a variable is required prior to or not, and in which case it'll just run it anyways,

and this is important because if it runs it anyways it will put it in cache just in case it needs it. Okay, so Spectre and speculative execution. So the same exact thing that it does with out-of-order execution; again, out-of-order execution, it's its reliance on certain variables and stuff like that, so if you don't need the variable, if a variable is not required previously and you have two different ones, it'll just do this, do it for optimization. Now for speculative execution, what happens is you have an if statement and then it just says, alright, [ __ ] it, we'll just run the other stuff anyways because the CPU is

chilling, it's hanging out and it has the resources to do this, so instead of waiting for that if statement to finish, it'll just start doing the other stuff. Then that other stuff could start putting stuff in the cache, and then you can start pulling information from there via the vulnerabilities. It's good to note that there's two types of variants for Spectre. You have variant 1, which is bounds check bypass, and this is specific to binaries, so to patch this and mitigate this you really have to worry about how a binary is compiled, so this is a little bit different, and this is actually the more difficult of the three CVEs to be patched. Variant 2 is just

branch target injection, and there have been a lot of patches for that specifically, and it's a lot easier to patch. This allows you to read memory from processor hypervisors as well as in the kernel. Okay, Meltdown. So this causes an exception, or you cause an exception, right, so whether it be invalid memory or division by zero or something, and the data is saved to cache because it accesses that level of kernel, it references the memory, it is fetched into registry and then it also just stores it in cache just in case, and that's where it [ __ ] up, that's where you can start pulling it. During out-of-order execution the registry memory contents are never

committed, but it is saved in cache though, so you pull it. Okay, so now Meltdown and Spectre. I'd like to very much thank Jake Williams of SANS, he did a really, really great presentation on this, and there was a lot of help from there. So Meltdown specifically attacks the kernel memory, and Spectre not as much; Spectre is usually attributed to different types of browser exploitation, so specifically some of the future exploits that we're probably going to see are going to be written in JavaScript, probably on a malicious page, and then once the browser hits it, that's vulnerable, it can dump everything that's in that browser, so those are credentials,

passwords, anything that that browser has, it can also pull. And then affected chips: there's a lot of things that are affected by this, so these are the things, if you have any of these you're probably affected. And I will say, like, a lot, a lot of people have come forward of these communities and have actually put out patches and created patches for everyone, but some of them, they took a little bit longer than others. I don't want to point names or fingers, because you guys probably work for one of these, I'm sure, but yeah. So the next question is, like, how long has it been around? So it's been around for a while, ever since out-of-order execution, as

well as speculative execution, has been around, so for Intel that's 1995. You guys know what happened in 1995? Like, this was the image of what we were, so it was a little, it's been around for a minute. So ways to exploit Spectre: browser leaks, JavaScript execution off of a malicious page will do the trick, start pulling everything that you have in your browser. It doesn't matter if you logged in to another website, if you have other credential keys, session keys, boom, you got them, you know. But to secure yourself you can update your browser, and you know we always update our browsers when we've got a ridiculous amount of tabs

open, right, and just get rid of all of them, especially if it's in incognito mode, right, and just get them right back. And then you can also leak module addresses, which really [ __ ] up ASLR. Anyone ever play with that before? Yes, that's really fun, that's really fun stuff to do. Okay, and then again, per Jake Williams especially, it can be used to determine the address of a module memory and bypass ASLR, so there's a little neat trick you can do. How many people are familiar with ASLR? Right, yes, this is a great audience. Alright, so how many people are familiar with bypassing ASLR? Mildly, okay, okay, so I'm gonna say, for

people that don't know, well, for people that don't know what ASLR is: every time you run a program the memory addresses are, like, quote-unquote randomized, but what you can do is you can say, okay, like, tell me where the base address of this library is, and then you're like, okay, cool, and then you say, okay, I know that libc, it's usually return-to-libc, I know that libc is here at this location, so how many bytes towards a specific function it is, so you know, so you calculate that relative to this and you would execute that. So usually you can, it'd be like execute, and then you can execute a shell, and then somewhere in the binary you put your string for bin-

or /bin/sh, and then boom, you get the access. Cool. Alright, so ways to exploit Meltdown: privilege escalation, as well as container, paravirtual hypervisor escapes work. So this is a little bit terrifying, because if you are a cloud provider, have your services, servers on a cloud, and that's the core that you're sharing with other people, it can start pulling information that you don't want to have gone. So as far as a privilege escalation, any impassioned, assertive hacker can just dump physical memory, and then you can use a tool like Volatility, this, you know, have some real fun. Alternatively, yeah, if you're a cloud and a hacker accesses other people's VMs,

you know, if you guys are using the same core you're gonna have some fun. Yeah, cardi B by T getting, alright. So mitigation. So AWS, as well as Google Cloud Platform and CloudPassage, shout out to our sponsors, you'll be alright. So I know a gentleman named Alex M, I'm not gonna slaughter his last name, and Shaun Nicholson are both security engineers that wrote some good information about CloudPassage, how they're handling it. Documentation for the Google Cloud is also really, really good in terms of how they handled it. They did Project Zero, so they found the vulnerability, so they thought on it. AWS and Windows is cool too. The other ones, it really depends, you're gonna have to do

some research to see if your cloud providers are actually handling and addressing the situation. It's interesting, so Google actually fixed the mitigation, so they handled, was it the variant two for Spectre, by, they handled it through a software update or something like that. Exactly, what's that? Live migration. A little bit more on that.

Okay, they're gonna catch it mostly, no? Well, thank you, how about that. Sorry, it's been a long morning. But for variant one it has been a little bit more difficult for them. They said that it has to do with patching binaries specifically that are running on the systems, and they have different levels of mitigation to protect you by the way they have their architecture set up. So that's, again, I think that's pretty difficult to have to handle, it's like if someone's bringing a binary on your things and you have to secure them, nice, pretty cool. But as more for mitigation, this is only, like, half the list of vendors that have come out to actually have security

bulletins on the matter and other articles, and it's really great, they're actually really good reads. If you can, if you pick up anything I'm talking about you'll be able to pick up the rest of these, like, really easily. Okay, okay, and then more on mitigation. So for browsers, as long as Chrome, it's better than 64, Mozilla Firefox 57, and IE. So the thing about Microsoft CVEs and portals, Microsoft TechNet, at least when it comes to Internet Explorer, they don't actually, I don't think they tell you exactly what versions are patched and stuff like that, they just say which versions are affected and then just tell you to update it. So yeah, if you think the MITRE

CVEs and the NVD ones are bad, anything specific to a version of IE, it's difficult because it's just like, 11's affected, 10's affected, Edge is affected, it's like, what? And then yeah, and then any other software, just if you're updating it you'll probably be okay. Intel chips, so these are the ones that are affected, it's freaking everything pretty much, dating back to 1995. So, and most recently they've released other patches and stuff like that, so you can run this microcode, I'm gonna have a, update your firmware and then you'll be okay for the time being. ARM chips, the ones that are affected, R7, R8, these, these ones, these ones, 5A,

and, but the Cortex-M series are not affected, and then you can update via the ARM community, and the ARM community has been very forthcoming in talking about updates and stuff like that. They approached it very quickly and handled it very nicely. Some other people have taken a little while. AMD, as of, like, five days ago, I said they're still working on it. You guys, does anybody know if AMD patches have been updated and applied? Maybe, kinda, or yes? Okay, okay, beautiful. So okay, so yeah, if you're not on Windows 10, go to the AMD site. He said they pushed it last week, so it's been taking them a little while, because the

vulnerability was talked about in January of this year. So alright, how are we doing on time? Some time, alright, let's go to demo time. Alright, let's see if everything breaks.

I do this, you see a car, you try this. Does anyone have any questions? I will try to answer, but it's probably an open forum, so other people, so we can all get the correct information. It's a nice one, it's one I can't afford, don't have enough money to afford, but I'll dream and look at it all, I'm at work, but it's a Lamborghini. Anyone have any questions about the topic? There you go, meters plays there.

Okay, bigger. Half my keys don't work on my laptop, so this is the next solution until I fix it. Okay, so like all other speakers in security, I was sitting on my presentation very close to presentation time. I started last night and finished about thirty minutes before I came in here, so I wanted to say, like, reading and understanding a PoC, given I didn't allocate the correct time to actually create one, I apologize for that, but reading other people's PoCs and actually understanding it, right, that was a little bit daunting when you don't have enough time to do it, but it was very freaking amazing to be able to learn. There you go. It was very fun to

learn and just play with other people. This, this guy, I'm gonna link you guys, he just did it live, he wrote the entire thing live on livestream or whatever, and he just killed it. I'm so impressed, I want to be able to do that. But okay, with this, would you guys like to see the code, or just to see it run? Run it, run it, run it, break. Okay, so what's happening is we are putting a secret, so, well, okay, we're putting a secret in the kernel space, so it's not supposed to be accessible, but because of speculation we can tell the amount of time that it takes, we're able to pull it.

The message is "L, do you know gods of death love apples", so yes, and these are the locations as well, so this is what I have. The PoC is online, I also linked that, but it's an easy one to find and stuff like that. I was really trying to find some JavaScript ones because I have not been able to see too many, but I think that's gonna be the next level of attack in terms of malware that we're gonna be seeing, in terms of, like, exploit kits and ransomware, but their entry of one and ransomware. So alright, I hope you guys enjoyed the presentation. Yes, and then we can do questions, and I also have a bunch of

resources. Check out NoSec dot org, it's a great website if you want to get your hands dirty in some binaries, either taking them apart or developing your own PoC code. We do fun things like writing your own encryptors and decryptors and stuff like that, so we'll, like, set up, like, little environments where we can write our own little ransomware stuff and just, like, do that all legitimately on systems we own, things like that. So we also are live on IRC as well. So thank you guys for coming out. [Applause]
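The talk says Spectre variant 1 (bounds check bypass) has to be mitigated in how a binary is compiled rather than by a kernel or microcode patch. The example below, added here and not code from the talk or its PoC, shows the bounds-checked array access pattern beside the branchless index-mask form that compilers and the Linux kernel (`array_index_nospec`) use to clamp the index even on the speculative path; `public_data`, `lookup_unsafe`, `lookup_masked` and `masked_index` are constructed for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a small public array; anything beyond it is memory
 * the caller should never be able to select with an index. */
#define PUBLIC_LEN 8
static const uint8_t public_data[PUBLIC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

/* The variant 1 pattern: the check is correct architecturally, but while the
 * branch is unresolved the CPU may speculatively perform the load with an
 * out-of-range idx and leave a cache footprint that depends on the value. */
uint8_t lookup_unsafe(size_t idx)
{
    if (idx < PUBLIC_LEN)
        return public_data[idx];
    return 0;
}

/* Branchless clamp in the style of the kernel's array_index_nospec():
 * yields all-ones when idx < size and zero otherwise, using only unsigned
 * arithmetic. The result is a data dependency of the load, not a branch,
 * so a mispredicted bounds check still reads index 0 instead of idx. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* top bit of (idx | (size-1-idx)) is set exactly when idx >= size */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1; /* 0 - 1 wraps to SIZE_MAX (all ones) when in bounds */
}

uint8_t lookup_masked(size_t idx)
{
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN); /* idx unchanged here */
        return public_data[idx];
    }
    return 0;
}

/* Exposes the clamp so the effect on out-of-range indices can be checked. */
size_t masked_index(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

int main(void)
{
    size_t probes[] = {0, 7, 8, 4096, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %zu -> masked %zu\n", probes[i],
               masked_index(probes[i], PUBLIC_LEN));
    return 0;
}
```

A test cannot observe speculation, so it checks only that the mask leaves in-range indices untouched and forces every out-of-range index to 0.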