
Jake Williams - Understanding Hardware Vulnerabilities

BSides Augusta · 2019 · 56:32 · 768 views · Published 2019-10

Transcript [en]

...and talk about understanding hardware vulnerabilities. The onus for this talk actually came down to: there's a lot of these hardware vulnerabilities coming out, and I expect to see more of these. Every time one of these occurs, management goes into a rage, because, well, look, this stuff is hard to understand. And in fact, how many folks in here, if you don't mind me asking, how many folks have a college degree? Where's your hand if you have a college degree? Keep your hands up for that. Degrees in computer science? Exactly right. And so if you look around here, you'll see the number of hands that are going down here, and that's not a knock at all. I will tell you that, consistently,

the people that have these information security or MIS degrees hit the ground running immediately after college, and the folks that have CS degrees, they're like, I'm ready to build a computer chip, and you're like, we don't have a job for you to do that, all right? Like, learn networking, learn a bunch of other stuff they didn't teach you. So the people that come out of CS degrees, by and large, right, true computer science degrees, by and large are at a disadvantage. I'll tell you one spot that they're not at a disadvantage is around these hardware vulnerabilities, because a lot of this stuff is inherently difficult to understand. If you didn't take computer science, you probably didn't take computer

architecture, right? A lot of folks I know say I took architecture, and what they mean is I learned how an operating system works at a very, you know, very superficial level, versus the actual on-chip stuff, right? So I wanted to give this talk to kind of walk through some of how the hardware vulnerabilities work and give you some management-friendly analogies that you can use. And we actually have a test, in addition; it's called the Jake's mom threshold. My mom is an absolute technical idiot. She can brick a phone from 30 yards just by looking at it. She is exactly the target audience that I want to review executive communications, because she is, as it turns out, an

executive, right? She has an MBA, a master's in nursing, has been working in health care for decades, and understands nothing about tech. This is ideal, right? Because again, if she understands it, it's very likely that whoever our target audience, our executive audience, is gonna understand as well, and if she doesn't, yeah, it's time we do some additional work here. I want to mention that in getting this going, this wasn't just me. I actually have two of our analysts at Rendition, Matt Stax and Haley Springer, that helped generate some of the content for this talk. For those that don't know me: Rendition InfoSec, obviously, out there. I work with IANS as well, the Institute for Applied

Network... I should totally know what that stands for. Anyway, I'm on faculty over there. I'm not a CISSP, but I am a prolific InfoSec Twitter poster, let's go with poster, and I was formally endorsed by the Shadow Brokers, all right? And, oh darn, how did that fall in there? Anyway, I like pen test, forensics, and CTI, all right? And as far as dislikes go, thought leaders, right? If you have to call yourself a thought leader, you're not. Let's go ahead with that. And blockchain, all right? Blockchain has a place, but not many, right? So, agenda: what are we going to talk about here? The overall layout of the talk. Overall, I want to

walk through a couple of remedial hardware concepts, talk about hardware vulnerabilities as well as some management analogies for those. I'm gonna step on a landmine here, even though I'm being recorded: I'm going to make a few bold predictions about the future. And I generally avoid this, because if you came to me even five years ago and said, hey, you'll have a phone with eight cores and eight gigs of RAM in your pocket, I'd have been like, no chance. Five years ago I was lucky to get a quad-core processor in a laptop; there's no way I'm gonna get eight cores on a phone. Turns out that, again, in a few short years my phone has more computing power than my laptop

used to, all right? So I want to be clear that making predictions about the future is horribly dangerous, but I'll go ahead and step on the landmine there and give it a shot. We'll talk about some mitigation strategies and finally close out with a couple of thoughts. So I'm gonna mention here that these are not a full list. This is not a full list of hardware vulnerabilities overall; there are way more hardware vulnerabilities out here than this. I want to mention here that we're covering the big ones, as it were, the ones that have gotten the management hype. The reason that we chose these is that we've only got an hour to walk

through all this stuff, right? I picked the ones that got the most press in the first place, and these aren't necessarily, by the way, the most damaging ones. I want to be clear about that too. There are a couple that I think are probably as dangerous if not more so. There's one called Foreshadow, and Foreshadow-NG, that probably represent a larger danger than some of the stuff up here, with the exception of Meltdown perhaps, and probably RAMBleed. But ultimately, when it comes down to it, we picked the stuff that got the most press. I mean, it turns out that, well, for a good vulnerability today you need a media team, right? You

got to create a website, you gotta have a logo and name the vulnerability, because, and by the way, I want to murder the people, absolutely want to murder the people that named the hardware vulnerability NetCAT. What were you thinking, right? What were you thinking? Actually, it was brilliant when it comes down to it. I mean, I'm still mad about it, but it was totally brilliant, all right? They took something that was already in common use, right, and then went and named a partially malicious-ish, sure, potentially unwanted software after it. But yeah, anyway, I want to give credit where credit's due as well, right? So all the websites of the source papers for every vulnerability... I

want to be clear, based on some feedback that I got from DerbyCon. I had an employee of Kaspersky, and I may have spoken out about Kaspersky once or twice, so we'll talk bias there, but he was very, very critical about some of the stuff that I didn't cite in my talk. I'm going all the way back, and I want to make sure that I don't do that again, and I'm not naming names here about who it was. I'm sure you can google that and find that out there. Look, bottom line, I'm sure somebody's gonna find fault anyway with me not citing the person who invented cache memory or did the original research on the security implications or

whatever, and this would be one long bibliography if we did that. But in that spirit, I'd like to credit everybody from Ada Lovelace, Charles Babbage, to Grace Hopper, to Bill freakin' Gates for their help in advancing the field of computer science, right? Done. Credit where credit is due, right? But not Stallman. He's gross, he's a bad human. And for those who don't know, by the way, Stallman was giving a lecture a while back, and this is my gift to you. I mean, we were debating back and forth, my CEO, one of the rules that he kind of put in place when he took over. He said, man, I gotta have the censor button, because I gotta have access to delete

tweets. I got out of the censor button, and so I went to him and I said, hey, can I show this video? And he says, it's your duty to show this video, and I'm like, game on, brother, there we go, right? Anyway, so Stallman was giving a lecture. For those that don't know Stallman, just Google Stallman, right? Because he is just a dumpster fire of human garbage. I mean, look, bottom line, hey, it's great that he did good things for the Free Software Foundation; that does not excuse his behavior towards women. When you make the comment that Epstein's victims were, quote unquote, willing and consensual, I think that's done there. That shouldn't be a

controversial statement, period. But in case you're curious how gross and socially weird this guy is, he was giving a lecture at MIT. This is filmed at MIT. He's sitting down in a lecture hall very much like this, up at the front, and being videoed, and he's wearing his Birkenstocks, which is what he always wears; he's well-known with his Birkenstocks there. He's picking his feet and putting... and I don't have time for the full video, but google it if you have a good stomach there. And he's putting a bunch of skin on the table, but then he forgets where he's at, and anyway, so, direct from foot to mouth. It's not often that you get a chance to see some

of the... like, Stallman literally put his foot in his mouth, but that's what he did here, right? Anyway, all right, so, alas, let's get back to the more serious stuff here. I mean, now that Stallman isn't serious... there could be a whole talk on that, but alas. The problem with hardware vulnerabilities, all right, look, these get a lot of attention when they're released. I understand why. How many folks have adopted a cloud-first strategy? Yeah, yeah, nobody's gonna admit that, yeah, uh-huh, only because you're in an infosec room. You go to CIO kind of things, CIO kind of conferences, Interop for instance, right, is a big technology conference out in Vegas every year. There they're like, who's

adopted a cloud-first strategy? If you don't put your hand up, right, somebody's gonna come over and beat you, kind of thing, all right? But no, so cloud first, right? Everybody's in the cloud, totally in the cloud, and if you're not, you totally are in the cloud, you just don't know it yet. One of my favorite ways to go find people in the cloud is to go to accounts payable and reimbursements, and I love to go find out what people are submitting reimbursements for, because it's rare that employees swipe their own credit card every day to go to the cloud, all right? But they don't do it for free; they always go and submit that for

reimbursement, and that's a great way to go find shadow IT, all right? Kind of helping you out with a breach, and helping you create a breach. Anyway, bottom line is, to get into the cloud stuff, the hardware vulnerabilities matter a lot there, all right? I'm not saying they don't matter other places, but they probably matter more there than anyplace else, because at the end of the day, the problem we run into in the cloud is that we have multi-tenant, all right? So I may be sharing a server with somebody else, a physical server with somebody else, that I do not trust and I would not trust to run my own stuff. Here I'll mention that again; kind of, I

started out with: a lot of people in information security today don't have a computer science background, so the concepts underpinning the vulnerabilities themselves are foreign, all right? I'll tell you that as these have come out, I've done a lot of work with other folks in the field, and, you know, we'll talk about, for instance, a branch predictor, and they're like, yeah, I don't know what a branch predictor is, all right? And that's cool; there's nothing wrong with that, by the way. I don't know everything either; that's why I've got a big phone-a-friend list, and don't ever hesitate to pick up the phone and call when I don't know what's going on, all

right? That said, even when we try to understand these, we really have trouble explaining the impacts to management, to go back and say, hey, management, this is what's going on. The problem is that Bloomberg, frankly, and things like Bloomberg pick up these stories and sometimes embellish, with chips the size of a grain of rice or whatever on a Supermicro motherboard, or you name it. People are still listening to Bloomberg and other publications like this, and look, the bottom line is the stuff gets overhyped. That's what it comes down to, right? What we need to do is create easy-to-understand analogies to help educate our management on various hardware vulnerabilities. I've

done this for you here, at least for the ones that we know about, or at least the most common ones that we know about, and that's how we're gonna spend our time today. I'll mention here: analogies are useful until they're not. Every analogy breaks down under severe scrutiny, all right? So while I'm positive that you can find fault with these, a hundred percent positive you can find fault with these, it doesn't mean that they're not useful. And when it comes down to it, while I would prefer that everybody have a perfect understanding of every underlying concept, I know that's not realistic, and when I'm presented with a choice of an imperfect understanding or no clue at all, I'm gonna take the former

every day of the week, all right? So I'll take, you know, some understanding versus a perfect understanding every day of the week. I'll also mention that many analogies are relatively simple, so it's entirely possible that somebody else has used these before. I've also been speaking on these a lot at SANS and other private venues for the last couple of years, obviously not with NetCAT; that's new as of a couple of months ago. You know, if somebody else says, hey, I heard that analogy somewhere else, it's entirely possible it came down from me, and if it didn't, great minds think alike, right? Bottom line again, you know, trying to stay out of that whole Kaspersky crossfire there, right? So let's talk

about some remedial hardware, because this is something that we don't get into a lot, right? Talk about remedial hardware: every process on a modern system has its own virtual memory address space, right? So I'm sure we've heard about this before; it's like every process gets its own four gigs of memory, all right? Now, of course, in x64, right, you get a full two to the 64 bits, right? How many bits are actually wired on a processor today for 64-bit? Anybody know this super geek stuff? It's 48 bits, right? And by the way, if you happen to go and win Final Jeopardy with that, all right, we're splitting the proceeds, right? But 48 bits today are wired, all right? We don't

even get the full 64 bits. Now, granted, if you look at 2 to the 48, that's 256 terabytes of RAM, so if you run into a problem there, I want to come work for you, all right? You have hardware that I do not. Right, anyway, bottom line, we need a way to translate these virtual memory addresses to physical memory addresses. The reason we have virtual memory in the first place is it's a sandbox, right? How many folks have kids? Whew. I've got one of my little child units running around here someplace with a Rendition shirt on, but she, back in the day, so maybe 4 years old give or take, taught me a lot about virtual

memory. Going on the playground, and got on the playground there, and there's a sandbox, like, Daddy, can I go play in the sandbox? I'm like, rock on, let's do it, right? And she starts running over there, and as I look over to the sandbox, I see little Bobby whip it out and literally just start urinating in the sandbox, and I'm like, I'm doing this running soccer mom kind of save, right, kind of like grabbing her to get out of the sandbox, or not getting in in the first place. And yes, that was a very expensive trip to the playground, because our next stop was Lowe's, where we went and bought some timber and such, and

I built her own sandbox in the backyard. Now, anybody with kids knows the kids are gross, right? I mean, let's just lay it out: kids are gross. I'm not gonna pretend that horrible stuff didn't happen in that sandbox. I'm not gonna pretend that. But what I do know is that somehow, as a parent, and I think most people that are parents can kind of, you know, resonate with us or at least work with us here, as a parent I'm more comfortable with her sitting in her own filth or whatever than a gross situation somebody else created. That's effectively what virtual memory is: every process gets its own sandbox, and the process

could indeed urinate in its own sandbox and tear a bunch of stuff up in its own sandbox, but it only impacts that process, that one process, right? Now if you start thinking about a multi-tenant server, this is where we get into... and this is true whether we're talking a multi-tenant hypervisor or a multi-tenant server. Just picture a server where you don't have root, but 30 or 40 different people happen to have shell access to that server with different accounts. It could be just two, right? We want to segment away that memory. We want to make sure that memory from one process doesn't talk to or corrupt memory from another process, that we can't read across that

boundary that those virtual memory sandboxes end up creating. And so what ultimately happens here, though, we need to understand that the processor has to convert those virtual memory addresses into the actual physical memory addresses that actually address RAM. Each process in x86 has, again, four gigs of RAM, or 256 terabytes in the case of x64, and what we ultimately have to do, though, is convert an actual virtual memory address, the way that all of our processes and all of our programs speak, into the underlying physical address, and the way that they do this actually is this complex series of lookups, right? Now, I have the most

easy, easiest one up here. There's really three different sets of lookups. There's old-school x86, which is the easy one; that's what we've got up here. There's also an x86 system called PAE, physical address extensions. Some of you greybeards in here, I know, remember Windows 2000 Datacenter, right, where it's still all x86, 64 gigs of RAM in an x86 system. How did you do that, right? The answer was math, right? At the end of the day it was complex math. PAE added an extra stage to this lookup, right? So it's three, four, or five stages: three for old x86, four for PAE, five for x64. I'm only covering the easy one, because the hard

ones don't really matter; they work, give or take, the same way, just with extra sauce, right? So basically what happens here, effectively, is that every process has a pointer in a special register to the physical address where the directory table base, basically the base of this, right, lands; right, the page directory table, the physical address where those land. And what happens is we chop up that 32-bit address, right? So for x86 we've got 32 bits; we chop that up into ten, ten, and twelve bits. Two to the tenth, for those that are bad at math, is 1024; two to the twelfth is 4096, or 4K. So what ends up happening here is the first 10

bits in binary of that address are an index into the page directory table, and what happens here then is we use that index into the page directory table and then we basically go and see that that is a pointer into the page table; that points us to a specific page table. And then we take the next ten bits, and that's the index into the actual page table that holds the pages, and we take those last twelve bits, two to the twelfth is 4096, each page is 4K, and those last twelve bits tell us where inside the actual page we actually want to go find that raw data. The reason this matters is that several of these attacks allow us

to access physical memory. The only thing that ever touches physical memory... because all this back here, this is all physical memory that's used to figure out where to go find these virtual memory pages; it's all an abstraction. If you're a database engineer or took databases in college, you probably remember the idea of a view, all right, a view onto a table. This is what I like to think of virtual memory as: it's a view onto physical memory, right, basically a view onto physical memory. And again, this is how we all come to break this up. The only thing that should ever touch this, all right, these first two pieces, is the operating system memory manager, that's

it. Anything else touches that, we can have catastrophic impacts, and the reason is, if for instance I'm a non-privileged process, if I can overwrite this pointer, right, for a given process, for its page tables, I will have read-write access, right, to some other process's memory, and in computer science we call that bad, right? In InfoSec we just call that really, really bad, and that's a privilege escalation at the end of the day. If it's only read access, it's a data disclosure, all right? So I want to make sure we understand that there's a difference between physical and virtual memory, and again, I'll address which one we're talking about as

we talk about different hardware vulnerabilities. Some of these operate in virtual memory; some of these operate in only physical memory, right? Another piece I want to mention in here is something called microcode, and this is one of these spots where I asked people, and I did a non-scientific survey at SANS, back at, was that SANS Vegas, a few weeks ago, and walked through and asked people about microcode. I said, hey, do you know what processor microcode is? And almost unilaterally, I think I had, out of the 20s... and a lot of people I talked to in the hall, random folks in the hall, said, hey, do you have two minutes? All right,

you have two minutes to talk about processors, and I guess I'll get out, all right. And I said, hey, let's talk processor microcode, or do you know what processor microcode is? First, right out of that maybe 18 to 20, he said yes. I said, tell me what processor microcode is, and he's like, well, you know, um... Let's back up here for a second, all right, and let's talk about what processor microcode actually is, because I think it's easy to conceptualize, or at least think about it. We want to make sure we understand what it is, because this does become useful as we talk about these hardware vulnerabilities. Back in the day, every instruction on the processor, every assembly instruction,

actually was hardwired in the silicon; the actual transistors were there for the AND gates and the OR gates and addition. OK, well, never mind, whatever it was, the Russians know I'm talking again. Done. I kid you not, I actually gave a talk a couple of years ago at the SANS Forensics Summit, and it was kind of a pinch-hit talk. We had somebody with a death in the family; I had to literally, like, take off. I got notified like four hours earlier, but the DNC hack was going on. I'm like, game on, let's talk about the forensic evidence we have so far, and I get up there on stage, and I kid you not,

like, introduce myself, say, hey, we're gonna talk about, you know, how it clearly is the Russians, right, because there's a lot of wrong... Guccifer... like, I can never pronounce that dude's name right, but Guccifer 2.0 releasing data. And I was like, let's talk about this, and literally as soon as I said it's obviously Russia, the fire alarm goes off, right? And I'm like, clearly someone doesn't want you to hear this talk, right? Anyway, this one's probably not the Russians, but alas. I'm gonna come down to microcode. We are beyond the point where every instruction can be hardwired in the silicon. What we really have with a lot of the complex

instructions, and if you took computer science way, way back, you may remember CISC and RISC, right? RISC being the reduced instruction set computer, CISC being complex instruction set. Intel is complex instruction set, so is AMD for that matter, and what that means is that they have very complicated instructions, but at the end of the day those complicated instructions are really built off of the building blocks of these smaller, easier instructions. Those are baked into the silicon. The microcode is actually a layer of code that you and I cannot see, all right, that operates independently of everything that we deal with. We just send the instruction to the chip and

pray that everything works correctly. The microcode's all proprietary to the processor manufacturer. This can become important in a minute when we talk about ZombieLoad. Now, recently used data, separate from the microcode: recently used data is cached in memory on the processor. Now, everybody knows about cache, right? You know cache is fast, RAM is slow; every A+ hardware technician at Best Buy's Geek Squad can tell you that. I mean, why do we care about cache memory? And the answer comes down to what we call a timing attack, because the stuff loaded in cache is so much faster, and by so much faster I mean orders of magnitude faster, right? What we end up being able to do, then, is

query whether or not a particular piece of data is in cache. How many folks are familiar with blind SQL injection? Anybody here? A couple, yeah. So if you're familiar with blind SQL injection... for those that aren't, what we do is we ask lots of questions. We can't see the data come back, but we can ask a yes/no question, all right? So we can say, is the first letter of this particular field, is it A? No. Is it B? No. Is it C? No. Is it D? Yes. OK, cool, next letter, move on. Same thing here with the cache, except we don't get a yes or no answer back; we don't get any answer at all. What we're doing is

loading data, and we're seeing how long it takes. If it's fast, then that means that it's stored in the cache. Now, the reason this is gonna matter here is gonna come into hyperthreading and some other stuff involving the cache here in a minute. Bottom line, because cache data is so much faster, and we are approaching amazing speeds on processors... I don't have time to go into NUMA, non-uniform memory architecture, but if you're interested in just how fast processors are becoming, NUMA is absolutely fascinating. NUMA effectively, and like I said, no time to go all the way down the rabbit hole here, but some of the chip designers noticed, and

chipset designers for high-end servers noticed, that basically for multi-core or multi-socket motherboards, right, one socket was physically closer to the RAM banks than the others, and the physical distance between... picture this, right, we're so fast now in processing that the physical distance from the processor socket to the RAM bank is impacting the performance of the processor. And so what they do now is they add additional RAM banks closer to each individual socket, and the processors can access all of RAM, but they try to go and access the RAM closest to them for performance enhancements, right? That's how fast we're moving, all right? So we talked about fast versus slow; we're talking on the order

of picoseconds... it's not even picoseconds, it's faster than that, but whatever. Anyway, bottom line, if we can measure these timings, then we have effectively what we would call a cache timing attack. So the first one I'll talk about is Meltdown, and this is honestly probably the biggest concern for me as a, you know, even residually; it's one of the first that we saw that was a big, big deal, at least in the hype cycle, right? But basically what this allows us to do is read arbitrary kernel memory. Most folks know about ring 0 and ring 3, right? Ring 3 is user mode, ring 0 is kernel mode, right? By the way, there's actually two

bits that get stored, two bits that get stored in basically our descriptors, memory descriptors, and those two bits control that ring 0 versus ring 3, all right? So there's something called the descriptor privilege level, DPL, and a requester privilege level, RPL. Now, importantly, Meltdown does not allow you to read memory from another process. You can only read kernel memory with this, all right? So I want to be very clear here: you can't do cross-process attacks, but you can do something far worse, right? You can gain execution privileges in the kernel by data disclosure from the kernel memory, and then at that point you're SYSTEM or root; you've got full access to the machine anyway. Who cares, right?

Then you can go read other processes through any number of techniques. What happens here, effectively, is instructions are executed out of order in the processor, right? They call this batching and pipelining, or those are the two terms you hear used a lot for this. What this means is, I might say, for instance, and this concept's gonna come in a couple of times here, but let's say that I wanted to, maybe, go fill a bathtub up here for whatever reason, all right? I might say, hey, Mike, can you go grab me some water, and meanwhile, can you go grab me the tub? All right, and it may be that Mike can't

get the water, in which case we don't even need the tub, all right? I need to say, oh, don't go get the tub at all. Meanwhile, you're already coming back with the tub, all right? We're executing out of order; we're not waiting for one thing to happen before the next does, right? And so what's happening here, effectively, is that we're gonna attempt to go read from kernel space. This is definitely gonna fail; we know it's gonna fail; we don't even care about the failure. What we care about is the fact that attempting to read from that space is actually going to load memory into the cache, and what's happening here, effectively, is that the chip designers didn't look and say, well,

we loaded the data in the cache; you're not going to use the data. You can't read it directly from the cache, right? But what happens here is it's populated in the processor, then the exception happens, because we can't really read from kernel memory. There's no water; we don't need the tub in this analogy, all right? And so after the exception, we can still go try to load data for different values. The deal here is the data value in the cache is going to load much faster. The processor, for lots of reasons... we talked about the sandbox earlier; this is where the sandboxes kind of come back together. If you're thinking, why doesn't the processor just flush the

cache? The answer is shared objects and DLLs, all right? So the reason shared objects and DLLs are so much faster, so much better from a memory perspective, is that rather than loading... let's say I've got a hundred processes on my machine, and on a Windows machine every one loads kernel32. I don't want a hundred copies there. What I have is literally one copy of kernel32 in memory and a hundred pointers to it. We don't want to flush the cache there, because that data may actually be used by another process, right? On the back end there's that three-, four-, or five-stage lookup, so the data in the cache is gonna load much faster, and basically this is just like a blind

SQL injection: we're literally gonna ask again and again and again, hey, is that there? Is that there? Is that there? Now, importantly, Meltdown can't read memory from other processes. Your unprivileged process can read all of your own memory; this doesn't matter anyway. We can't read memory that isn't mapped, so kernel pages that are unmapped when a user space process is active, in that case we're not able to read here, and one of the patches for this is actually something like KPTI, kernel page table isolation. We knew the fix for this; in fact, the first academic paper on this was published almost a decade ago for KPTI. They were all like, hey, you know, it'd

be really cool, if a hardware attack comes out later, you'll just set a separate base for your page tables, so that while you're in user space the kernel memory isn't mapped in the first place. Because again, when we talk about memory here, it's virtual memory; no physical memory involved at all with Meltdown. And so what happens here for this patch, what's gonna happen here, is the kernel pages basically get remapped as we transition to kernel space, then unmapped as we return back to user space. This is obviously great to prevent the reading of all this kernel space data, but you don't have to be very smart to see that there's going to be a huge performance impact here, right, for

unmapping and remapping all those pages every time we have to transition in to make a system call. In fact, some objective measurements put the slowdown here around 30%, all right? So let me ask you this: do you think that Windows and Linux have fully implemented KPTI, a hundred percent? No, right? I mean, yes, some, not a hundred percent, all right? So I want to just throw that out there. I still expect there to be some interesting Meltdown-related vulnerabilities, privilege escalation, this kind of stuff, and we'll see how that all plays out in the future. And these are wicked hard to detect, by the way, from a local standpoint, is somebody actually floating one of these. There's

been some academic research on that too where they're like hey mer of exceptions and based on the number of exceptions we'll be able to tell whether or not somebody's trying to exploit one of these there's no way you can run exception counters on production machines that also slows it down dramatically in that case the the fix is worse than the cure is worse than the disease so it's not gonna melt down analogy right if I want to explain this to management and these are all mom approved by the way all right so mom understands these and can brief these back to me suppose you send your kid to summer camp and there are 256 possible

activities they may participate in I do this every year so I'm I could to summer camp there's not that many activities but I don't typically know what she's gonna do all right now the difference here is when she gets home she tells him what she did but when your kid gets home they just refuse to tell you what they were learned what they were learning you asked but they refused what you do now effective is you build a test of items they can answer one per possible activity now the key here is you don't know the answers either right you don't know what the answers are you do create the test but you don't know the answers

all you do is you watch your kid you see how fast they answer each question and the one that they answer fastest that's the one that they actually participated in that's effective what we're doing with meltdown right basically your kid is the cash that's getting populated right everybody data the activity that they participated in they're populating it data into the cache and what we're gonna do affectively then is we're gonna make lots of reads and we're gonna monitor the time tests right and we're in a monitor the time and then we're gonna rinse lather or peat we're gonna do it again and again and again to disclose arbitrary numbers of bytes inside a kernel memory right now some

folks have said oh my gosh a SLR or an x64 is gonna take because again picture moving through 256 terabytes of memory that's ridiculous right that would take forever and initially some of the folks said meltdown is in fact I still run into people all right melt no big deal on x64 because there's so much memory and a SLR and I don't understand what I'm saying and that's pretty much what they they say at the end there because SLR doesn't randomize all the bits address space layout randomization only randomizes a small number of bits and so if I read I don't get anything there I basically get a fault and there's nothing there in the

cache that I move and I don't move up one byte at a time for goodness sakes because we're only randomizing in most case somewhere between 20 and 28 bits all right well duh in that case then I'm gonna jump by I'm gonna do math and I'm gonna jump i those bits and I don't have to go through too far to basically leak all of kernel memory right so effectively this is very fast once you find where the kernel memory is at it's very reliable meltdown is the one the one of these that keeps me up at night all right I'll mention there's probably one other one that we need to pay a little bit more attention to than we do

but Meltdown's the one that keeps me up at night. Most systems have not been patched for this; the vast majority of legacy systems have not been patched for this, right? An attacker who has any local access whatsoever, you can go ahead and say if they have local access they pretty much can leak all of kernel memory. I hear there's a lot of important stuff there, right? Now you can't write kernel memory with this, bear in mind; this is a read-only operation. It's a read-only operation, but it's still definitely concerning regardless, right? We separate user space and kernel space memory for good security reasons; Meltdown totally breaks that barrier. It's like that.

Spectre. Spectre, I want to clarify, it's not a single vulnerability; it's an entire class of vulnerabilities that rely on something called speculative execution and branch prediction, and we'll talk about what those mean and what those are. But Spectre, very importantly, I want to separate this from Meltdown. Remember Meltdown allows me to go into kernel memory and read all of kernel memory; Spectre does not allow me to do that. What Spectre does allow me to do is read memory from another process, right? So rather than me needing to go leak memory, I can now read memory from another process entirely. So what I'm looking for here effectively is, I'm moving outside of my sandbox; at this point I'm able to go see, I can't write to another process

but I can see into another process. So let's talk about branch prediction. All right, any given if-else statement; most folks here have taken at least a little bit of programming and you're familiar with the idea of an if-else statement, right? Usually one of those is going to be preferred, like 95% of the time. Most of the time when I write if-else statements, the vast majority of the time, I'm doing error handling, and I should not have a lot of errors, right? Errors should be, I hope if my code is reasonable, a pretty infrequent kind of thing. Well, the processor doesn't wait. We talked about pipelining and batching and how instructions get executed out of order. As we start looking at pipelining, we get to this thing, the branch; we have to decide which side of the branch to execute. What ends up happening here effectively is that there's a branch predictor, all right, so a branch predictor and a branch cache. Effectively that branch predictor looks and effectively becomes trained on which branch, which side of the branch do we normally go: is it the error handling side or the normal side? Now the processor has no idea; it's literally A or B, all right, 1 or 0. Effectively what happens here though is we train the branch predictor basically to go down a path that loads a piece of data that we're interested in.

Now the key here is that we have to have intimate knowledge of the program that we're trying to exploit. Meltdown again, remember, with Meltdown I need nothing, I literally just can go read kernel memory; that makes it super easy and super dangerous. With Spectre I need to understand the actual program that we're targeting that's running on the same physical machine, all right, as me. All right, it's the same physical machine; bear in mind with Spectre you're not just limited to a VM. If you're in a hypervisor environment you can be leaking data from somebody else's processes. All right, so this does get a little bit interesting, but alas, I'll mention here that a lot of the times the branch predictor is wrong. In the interim though, they've gone down that branch, right? Whatever, basically they've cached, they said yep, we should always zig left, or most often zig left rather than zag right; they've started executing instructions zigging left, and the reality is they should have been zagging right. Meanwhile these instructions have loaded data into the cache. We now have data in the cache effectively, and what we can do then is we can go begin pulling those out.

Now what's very interesting here is that, to save... there's a lot of interesting design decisions that we've found out over the years about the Intel chips, and by the way, I am not knocking the Intel CPU engineers; those folks are, man, some brilliant, brilliant people, all right, when it comes down to it. But they have made a lot of decisions for performance that have heavily impacted security. In particular, the x86 and x64 branch predictors do not rely on the physical address to train the branch predictor; they only look at the virtual address of that particular branch. This is why we have to have intimate knowledge of the process we're trying to exploit: if I want to leak data from a process, I have to know the virtual address where those branches are at, because what I'm gonna do is I'm gonna put something at the exact same virtual address and we're gonna train the branch predictor. In fact, train nothing, we're gonna corrupt the branch predictor. So what we do here effectively is confuse the branch predictor by repeatedly accessing the same virtual addresses as we're gonna see in the victim process. What's gonna happen here effectively is when the victim process gets to the same code page they're gonna take the wrong branch, because we trained it to do that, and at the same time they're gonna load data into the cache. Bear in mind again that whole cache, that's not getting flushed as we move between processes, because we're really looking at that whole, basically, the physical backing of memory, like we were talking about before, or the paging. If you don't understand all that, just press the "I believe" button and assume that whatever's in the cache is still gonna be in the cache, and that's kind of the point.

There was a variant of this called NetSpectre, and this was fascinating work, where originally we thought Spectre was a local-only attack, and I'm gonna tell you I think it still is. NetSpectre, they were able to show that you could leak data over the network using a Spectre-like... they call these gadgets, effectively, right? So when you look at a branch, basically a branch, an if-else kind of spot, they call it a gadget. There's a lot of reasons for that, because there's a variant of it; return-oriented programming uses gadgets, etc. NetSpectre basically goes and looks for a gadget that's accessible over the web, right? So picture you are calling in to, let me channel Equifax, right, and we'll talk about Struts, all right. So let's say you're going over to a website and there's a Struts framework on the back end, and you know where the gadgets are at in memory; if you can trigger that repeatedly by calling an API, you can leak data over the net. Right now, I have to tell you that the data leakage rates are not phenomenal, all right, so we're talking about somewhere in the neighborhood of between 8 to 40 bits per hour. Bits, not bytes, bits per hour, right, and by the way on an idle server and with lots of error, right? So I'm gonna go ahead and say not really concerned about NetSpectre; if you have an idle server out there someplace, maybe. I mean, I think it's an academic attack only. Spectre on the other hand is not academic, all right; Spectre, local Spectre, meaning that I'm on a machine, I'm trying to leak data from another process on the same machine, that is absolutely not academic. All right, this I think, NetSpectre, is academic.

All right, so real quick, where are we at? Meltdown, right, again we're able to go leak arbitrary memory. With Spectre we're not able to leak kernel memory, but we can leak data from another process's memory space. So my Spectre analogy is very similar to the Meltdown analogy, except instead of learning about my child, I want to know about somebody else's child. Now if you have children, again, you know children love peer pressure, and if you tell your child to do something and they do it, and they do it a lot, that other kid that's in their social group is going to do it too. So what I'm going to do here, and the other child, right, I want to know about their after-camp, basically their after-camp actions; they're already talking to their parents, right? Now I can't ask them any questions, but what I do is I talk to my child and I'm like, hey, tell me about your activities, tell me about your activities, tell me about your activities, and the other child looks and says, mm-hmm, I'll tell you about my activities, and that populates that into the cache. Now of course in this particular case, what I'm looking at is I can only observe what my kid is talking about, but I'm able to see what the other child is talking about based on my kid. Now that's complicated; that's as least complicated as I can make it. Bottom line here again, what we're doing is we're leaking data from another process. In this case I'm using kids, right, basically where I tell my kid to do one thing, the other kid does it, and then I observe my own child to understand what the other kid did. All right, and this is all because they're sharing a common cache, right, as it were.

So Rowhammer. Rowhammer was actually before Meltdown and Spectre; this has been around since 2015. Well, it's been around for a lot longer than that; we've known about it since 2015. Google Project Zero basically discovered that we could basically leak charges between memory cells. All right, so you look at RAM; RAM is made up of a bunch of memory cells, and we have to refresh those cells periodically or they lose charge. And we talk about a PTE up here.

A PTE is a page table entry, all right, so a page table entry. All right, so Rowhammer effectively allows us to go modify a charge. Now again, we're talking about RAM; RAM is physical memory. Now if you remember back, we were talking about physical versus virtual memory. Most often when we talk about a memory address it's virtual; the only thing that touches physical memory, really, the only thing that touches physical memory is the memory manager on the operating system. And so what we have with Rowhammer effectively is the ability to influence the charge, so bits get flipped, ones to zeros, zeros to ones, and if we can do that in exactly the right place we can modify page table entries such that we're really writing to another process's memory. Google showed that this was definitely doable. A lot of folks had theorized; by the way, if you go back in academia you can see that there's lots of errors. In fact, how many folks have servers with ECC memory? All right, yeah, all of you. All right, if you have servers at all, you have servers with ECC memory. All right, why do we have ECC? What does ECC even stand for? Error correction. All right, well, look, if there weren't errors there would be no errors to correct, all right? Obviously we've known this was a problem, is my point. All right, by the way, you can actually exploit this on ECC too, by the way; when it comes down to it, that's a little bit more complicated, but still ECC is vulnerable.

What's really interesting about this though is that a lot of folks came back, it's all academic, and Google said, hey, hold my beer, and basically wrote a working exploit where they're able to do privilege escalation; they're basically remapping those page table entries. So the analogy that I think about here is social network influence. All right, if everyone in your social network shares the same worldview, right, and I'm gonna go ahead and, I don't want to stray into politics, right, don't want to stray into politics, when I have a political discussion, but let's say that something's very binary and very divided, kind of like RAM. All right, it's a 1 or 0, right; you're a Democrat or a Republican. I'm leaving the third parties out there for a minute, because anyway it doesn't work with the analogy. But bottom line, if you're bombarded all the time with one worldview, right, you could see where potentially some of us, maybe the more weak-willed, might adopt that worldview that we're being bombarded with. That's effectively what Rowhammer is, right? What Rowhammer is doing is we are surgically inserting people around our target to influence their worldview; we're constantly hammering them with the same weird, weird, whatever arbitrary worldview, and ensuring then that they adopt that worldview. That's what Rowhammer is in a nutshell.

All right, so basically Rowhammer works exactly like this: we're constantly hammering those adjacent memory cells, right, and that influences the charge, resulting in bit flips, right? Now if you're thinking, does a bit flip matter, right, the answer is yes, a hundred percent, right? There's something called a task_struct in Linux, and the task_struct basically holds a lot of information; one piece of that is the UID, your user identifier, right? And what's the UID for root? Zero, all right, zero. That means turn bits off, and if in the task_struct we turn bits off, we make our UID 0. That's bad; well, it's great if you're a red teamer, it's horrible if you're a defender, right, in trying to defend against this stuff, because really, we're talking about, you can do this from an unprivileged process; that's really the point. All right, this allows me to go privilege escalate.

Now some researchers stepped back and said, you know what, the whole Rowhammer thing was neat, but it's really, really hard to execute, and it is hard to execute, I can certify that. They said, hey, wouldn't it be neat if we could just leak data using kind of the same technique? And so they took to that task, and it turns out RAMBleed is basically the instantiation of that. It's the inversion of Rowhammer: data gets leaked from a victim process. So rather than flipping bits in a target process, we basically set up, we're like, I am a sponge, come fill me up with your data, and that's exactly what happens, right? Not quite that easy, obviously; I'm abstracting a lot of this away, all right, but the attacker effectively manipulates memory in their own process, right, basically sets up what they call activation pages for a Rowhammer; that's where they go hammer lots and lots of memory, and then they just wait. I mean, the idea is to get bit flips from adjacent process memory. Researchers were able to go leak out a 2048-bit RSA key from a running SSH process. Now when I say an RSA key, I mean an actual RSA key, not those Crown Sterling folks, right, cracked on the 230, mm-hmm, wait, if you don't know about Crown Sterling... anywho.

So RAMBleed, let's talk about the analogy here for RAMBleed. All right, so basically it's tightly related to Rowhammer; I'm gonna use the social network influence analogy here too. Basically with Rowhammer we were surrounded by individuals that had all the same worldview; with RAMBleed we're gonna assume that instead of us trying to influence them, all right, we basically step back and say, I'm a sponge. Right now, the difference here is that I can't actually watch the presentation myself, so what I do is I get a patsy, all right, somebody to go into a presentation. I say, hey, go in there and just be a sponge. Right now I can't ask them afterwards, hey, how'd the presentation go, what'd you learn; what I can do is I can ask them questions about, hey, what does your political influence look like now? All right, and from there then I can understand effectively, basically, what the presentation was about just by asking them questions, right? So if you kind of picture that there, we don't see the bit flip directly, but we can ask about the bit flip. And anyway, so basically here again the idea is, remember with Rowhammer we're changing data in a remote process; here we're leaking data from a remote process, and very much like Spectre, by the way, very much like Spectre.

I have good news for you if you are on legacy servers. How many folks have IT upgrade challenges? Oh, come on, people won't raise hands. Look, if you're on legacy servers, game on, you're probably good. All right, this is one of the few spots where, most often on your legacy stuff you're probably not good, but because of RAM refresh rates being very low on DDR2, you're probably set. So if you still have old, old DDR2 memory, you're probably good, and if you have the latest and greatest stuff, you're probably not, right? Anyway, so about that,

let's talk about ZombieLoad. This is my favorite, favorite hardware vulnerability, bar none, because we don't really understand it, right? So ZombieLoad basically exploits, and I say an apparent implementation issue because we're not a hundred percent sure, but we think that it's involving a shared load buffer. So with hyper-threading, everyone's heard about hyper-threading, now a lot of folks know what it is. What's happened effectively is that Intel has increased the number of logical cores by sharing data between physical cores, right? So what's happening here effectively is that the hyper-threading cores aren't full cores by themselves; they share some components under the hood. One of the components is the memory load buffer; all right, that's what we're gonna talk about today. And this is actually the buffer between, as you read data into the processor, or any other processor cache, from RAM, there's a serial buffer, a pipe as it were, as it's filled up and moved, and obviously when something enters and when it leaves, right? And so ultimately with that pipe effectively we're looking for that to be filled; we call that the fill buffer, right? Now the architecture was never intended to leak data between those logical cores on a physical core, logical cores being, you know, if you have a hyper-threading machine it says 4 physical cores, 8 logical cores; that means two logical cores per physical.

Now modern processors only appear to execute instructions in order; they don't do that at all. What they do is they break out the instructions and they say, okay, let's go ahead and reorder these, and if it's not dependent, if the output of instruction A, or instruction number one, isn't dependent on, I'm sorry, the beginning of instruction number two isn't dependent on the output of instruction number one, we can execute those in parallel and put the results together on the back end. Processors are really good at decomposing instruction sequences, and they operate in parallel, all right. And so what happens here though is that sometimes we execute an instruction that never should have really been executed, right, because let's say I'm executing ten instructions in parallel and instruction number seven generates a fault; I should not execute instructions eight, nine and ten. I have to roll those back; I have to do basically a rollback instruction. What happens though is that we don't care about the rollback so much; what we care about is the fact that those next instructions, instructions eight, nine and ten, may have actually loaded data into the cache. This is important for us because this means we can actually then go extract that data. You see a common pattern here with us, caching stuff, right, coming back around again; basically we can see that data there in the cache.

So ZombieLoad abuses the fact that it appears this load line, that is the cache line, the load line, is not flushed for those faults and instruction chains. This means the data can be leaked between processes running on the same physical core, a guest VM and the host, or multiple VMs running on a hypervisor. My problem here is that unlike Meltdown and Spectre, where I can surgically choose what gets leaked, with ZombieLoad you got nothing. I can leak data all day long, but it's whatever happens to be in the cache line at the time. All right, so there is a little bit of a downside here, right, in that it does get a little bit more difficult to know what I've got. All right, but let's be clear, there's a lot of interesting data that you can still decompose and take a look at. If you've ever done forensics and you've carved for data before, you know what I'm talking about; same in this particular case, we don't know what data we're getting, but we're getting something.

So as far as an analogy goes for ZombieLoad, let's suppose that I have a confidential but very complex project with multiple teams working a number of these tasks; some only matter if others are successful, but the teams are load balancing tasks and multiple different projects, right? So Mike over here, my guy holding up my ten minute sign, all right, Mike would basically... I would say, hey, go work on this, and in the meantime I'm gonna have someone work on another piece of the project, and somebody else... Mike has other projects too; he's got to give away door prizes at the end of the talk, right? So he's working multiple things in parallel. Suppose the team fails on a task, right, and another team operating in parallel has already requested resources for later tasks. Let's say for instance that Mike is only gonna give away door prizes if people give lots of applause at the end of the talk; let's think nobody gives applause, all right, well Mike's already fetched those. Let's say that I can't actually see the door prizes, all right, well, if you don't... I've got no idea what's going on with that, anyway. Basically what happened there effectively is that a project manager from another project could see basically the resources that were requested for the other tasks; this is the stuff on the cache load line, as it were. So basically we're able to go dump data out of that cache load line from other processes; again, we don't know what it is, we just know that we're dumping data from other processes.

Finally, we talk about NetCAT, all right. NetCAT is DDIO, direct data input output, and RDMA, remote direct memory access. All this stuff is basically to make the processors crazy fast; the idea is, you get into 10 gig Ethernet, you don't want your Ethernet card to have to go back consistently, basically go back to the processor, to load memory. So the idea with RDMA, remote direct memory access, is that your network card can directly write into RAM and read from RAM without the processor being involved. This is really good from a performance perspective when everything works correctly; from a security standpoint I'm sure you can see where this is a trade space between, you know, security and performance, that's right. Bottom line here, the keystrokes sent over SSH sessions can get leaked remotely via timing attack if both DDIO and RDMA are enabled, right.

Unfortunately, or fortunately, depending on which side of the coin, red or blue, you're on, this attack is most likely to be successful on an idle server. All right, so the reason is that, well, at the end of the day it's very difficult to pick what we have here. All right, we can leak any piece of memory; that's not the problem. The problem is understanding what's in that memory that we're leaking, right? That's really the issue here, and so the reason to talk about keystrokes being sent over SSH is there's a cadence to human typing that's not the same as, basically, loading from... human typing is not the same as other machine generated output.

So my analogy here involves foreign languages. I mean, I've done a lot of traveling over the years; I've been to a lot of countries where I do not speak the language, and you sit down in the cafeteria and there's just a bunch of noise behind you. I mean, how do I know what's important, or even if I was trying to listen to a given conversation, transcribe that in whatever the foreign language was without understanding it? It's hard to listen to, right? What I really need to figure out is which foreign language elements are relevant in the first place to collect, because remember NetCAT could dump lots of different data; the question is what's the important stuff. Frankly, if you just tell me I leaked some bits over the network, one, I wouldn't know if those are really the right bits or even good data at all. All right, it may be garbage data sitting in a cache. What we're doing here, in fact, is figuring out conversations, which ones are relevant, by analyzing cadence of speech. This is effectively a timing attack, all right; same thing's going on here with NetCAT, right? What we're looking at is what's being typed into the SSH terminal versus what's being returned. The stuff getting returned, we can't find that effectively; we could still leak it, we just wouldn't know what it was, whereas the typing, typing is pretty standard, right? We all type at a very varied cadence, right, but still slower than machines, right?

So I'm gonna make a couple of predictions here about future hardware vulnerabilities. All right, Pandora's box has been opened, and you know this already, right, because after Meltdown and Spectre, actually if you want to back up to RAMBleed, RAMBleed is really the first big modern hardware vulnerability, right, but with the processors getting Meltdown and Spectre, the door's been opened, right? There are some really smart people tackling a lot of these issues. In fact, if you trace the origin of Meltdown, it actually started at Black Hat Europe in a bar, right, and you can trace back to the people who wrote that paper; they all kind of conglomerated around Black Hat Europe the year before, where, I am told, over drinks some folks kind of discussed, well, I'm kind of thinking about this, and thinking, and suddenly there's an epiphany of, we should go try that, and they did, and it turns out that, awesome, this happened, right? So look, Pandora's box is open. I'll say that modern processors have huge amounts of microcode that's all opaque to researchers, meaning we can't go analyze the microcode directly. ZombieLoad's a great example of this: we don't know precisely what's happening under the hood with ZombieLoad; we just know that it is happening. The only way they found that is they're doing experiments, and we're getting better at designing these experiments. All right, you can go read research papers; you don't have to reinvent the wheel here. You can literally go read the ZombieLoad research paper and know how to perform other experiments, and they've got frameworks around these, and there are researchers all over the place doing this. I expect we're going to see a lot more of these.

I'm gonna say that hyper-threading definitely increases the value of Intel's processors, but there are a lot of details that are proprietary and a lot of architecture decisions that they made back in the day, and we're talking a long time ago, back in the day, I think they valued performance over security. We have a deficit of understanding; it's a black box, all right; there's a huge deficit here. Intel does publish some details about their processors; the microcode level is all proprietary, and a lot of the stuff with how hyper-threading works is proprietary as well. There's some implementation details they tell you as a programmer, what they think you need to know, the ABI, which we need to know. I think it's likely that future hardware vulnerabilities will be discovered in two places: I think it'll be the shared hardware for hyper-threading, again, a lot of stuff that we don't know about today, and microcode logic flaws, again, stuff we don't know about today.

How do you deal with this? All right, because I don't want to be all doom and gloom. Most hardware vulnerabilities, luckily, can only be exploited locally, and those that work remotely are extremely unreliable and/or slow. All right, so good news there: keep people off your servers in the first place. If only it were that easy, right? Now of course we have the whole hypervisor issue too; it's not just a matter of servers or a container, right; at the end of the day we're talking about the processor, all right, so as you back up to the actual physical processor, that's where we're running into problems here. Now I'll mention here most local vulnerabilities require significant numbers of executions to exploit, meaning I've got to come in and I've got to get exception after exception after exception. If I'm instrumented correctly, we can see this; the problem is instrumenting that, it's actually worse performance than allowing that to happen in the first place. But I'll mention here, the real threat in the vast majority of cases is multi-tenant environments where the threat can legitimately operate locally, meaning the attacker can get a virtual server, a VM, set up on the physical server where your stuff is loaded as well. All right, maybe we have a scenario where an attacker or an illicit party has a shell account on one of your servers, right, but doesn't have privileged access, right? Again, this is more common than you might think for lots of different reasons; universities of course deal with this a lot.

So far, I'll mention, most hardware vulnerabilities have been relatively low impact for most production use cases. There have been lots of possible ideas here; Spectre, for instance, you can get rid of Spectre entirely, the speculative execution thing, you can get rid of that entirely by recompiling your code. Good news, just go grab the source code, download a brand new compiler, take a 15% performance hit, done. All right, now most people can't do that, right, but there have been lots of mitigations here, all right: microcode updates, KPTI, right, for Meltdown, replacing hardware in extreme circumstances. Intel has not patched a lot of their chips for a lot of these vulnerabilities, even when there's basically a patch available, for the older stuff. I'll say there's a nonzero chance that there's a critical hardware vulnerability waiting to be discovered that's gonna impact computing as we know it. I would say a big takeaway here, and we advise our customers, is consider having a plan for separating workloads onto physical machines, replace server hardware in an accelerated fashion, right? So again, this is a war game; have a plan for break glass in case of emergency if we have truly critical workloads, and then mitigating threats in multi-tenant cloud services, and this includes platform-as-a-service stuff, right? Now up to this point I've talked about OS; platform-as-a-service matters as well.

So let's close out with a couple of thoughts here. Again, the hardware vulnerabilities exist; they may not matter in some of your architectural context, may not matter at all. I'll just say that as you see more of these, and I expect it's likely you're gonna see more of these, have a plan. Spend some time considering up front what conditions actually make for a fire drill, and then I'll mention that the next time one of these breaks, bear in mind most of these so far have been more bark than bite. All right, so there's a lot of media that goes around, and the reality is it's probably not a big threat; you probably have better stuff to spend your time on. Feel free to use this historically, right; this presentation, we'll release the slides today, the video is going to go up as well. Feel free to use these as an example of, hey, remember the hype around this, there was really nothing there, right? Again, nothing, not a lot, whatever. Anyway, that's all I've got; I'm out of time. Mike, if you want to come up and do some door prizes, outstanding. Thank you.
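Editor's added example, not part of the talk and not real exploit code: a small Python model of the Spectre mechanism the speaker walks through, so the steps (train a branch predictor that is indexed only by virtual address, let the victim speculatively load on the wrong prediction, then time the 256 probe lines and take the fastest, exactly the "256 activities" test) can be followed in code. Everything here is constructed for the model: the cache line size, the predictor size and 2-bit counters, the hit/miss cycle counts, the victim's memory layout, the branch address 0x401234 and the "secret". A real attack would measure access time with a cycle counter on real hardware and have to cope with noise; the model idealises that away. The `hardened` flag models the "recompile your code" mitigation as a speculation barrier that makes the load wait for the real branch outcome.

```python
"""Model of the Spectre-style leak described in the talk (added example).
Not real exploit code: cache, predictor, timings, memory layout and the
secret are all constructed so the control flow can be followed in software."""

from dataclasses import dataclass, field

LINE_SIZE = 64                     # bytes per cache line (assumed)
PREDICTOR_BITS = 10                # VA bits used to index the predictor (assumed)
HIT_CYCLES, MISS_CYCLES = 40, 300  # constructed timings
STRIDE = 4096                      # one probe line per possible byte value


@dataclass
class Cache:
    """Shared cache: set of resident line numbers. It is not flushed when
    control moves between processes, which is what the probe relies on."""
    lines: set = field(default_factory=set)

    def touch(self, addr):
        self.lines.add(addr // LINE_SIZE)

    def flush(self, addr):
        self.lines.discard(addr // LINE_SIZE)

    def probe_latency(self, addr):
        """Access time is the only signal the attacker gets to observe."""
        hit = addr // LINE_SIZE in self.lines
        self.touch(addr)
        return HIT_CYCLES if hit else MISS_CYCLES


class BranchPredictor:
    """2-bit saturating counters (0,1 = not taken; 2,3 = taken) keyed only by
    virtual-address bits, so training from one process aliases into another."""

    def __init__(self):
        self.counters = [1] * (1 << PREDICTOR_BITS)

    def _idx(self, branch_va):
        return (branch_va >> 2) & ((1 << PREDICTOR_BITS) - 1)

    def predict(self, branch_va):
        return self.counters[self._idx(branch_va)] >= 2

    def update(self, branch_va, taken):
        i = self._idx(branch_va)
        c = self.counters[i]
        self.counters[i] = min(3, c + 1) if taken else max(0, c - 1)


@dataclass
class Victim:
    """Gadget:  if x < array1_len: touch(probe_base + array1[x] * STRIDE).
    memory = array1 followed by the secret, so an out-of-bounds x reads it.
    hardened=True models a speculation barrier after the bounds check."""
    cache: Cache
    bp: BranchPredictor
    branch_va: int
    memory: bytes
    array1_len: int
    probe_base: int
    hardened: bool = False

    def run(self, x):
        in_bounds = x < self.array1_len
        if self.hardened:
            if in_bounds:          # load only after the real outcome is known
                self.cache.touch(self.probe_base + self.memory[x] * STRIDE)
        elif self.bp.predict(self.branch_va):
            # Speculative path: executed on the prediction alone; the cache
            # footprint survives even though the result is rolled back.
            self.cache.touch(self.probe_base + self.memory[x] * STRIDE)
        self.bp.update(self.branch_va, in_bounds)   # real outcome trains it


def leak_byte(victim, attacker_branch_va, offset, train_rounds=4):
    """Train, flush, trigger, probe. Returns the recovered byte or None."""
    for _ in range(train_rounds):                   # attacker's own always-taken
        victim.bp.update(attacker_branch_va, True)  # branch at the aliased VA
    for b in range(256):
        victim.cache.flush(victim.probe_base + b * STRIDE)
    victim.run(victim.array1_len + offset)          # out-of-bounds index
    times = [victim.cache.probe_latency(victim.probe_base + b * STRIDE)
             for b in range(256)]
    hot = [b for b in range(256) if times[b] == HIT_CYCLES]
    return hot[0] if len(hot) == 1 else None        # the one that "answered fastest"


def leak_secret(attacker_branch_va, hardened=False):
    """Builds the constructed victim and leaks the bytes just past array1."""
    array1 = bytes(range(16))
    secret = b"constructed secret"                  # constructed, not real data
    victim = Victim(Cache(), BranchPredictor(), branch_va=0x401234,
                    memory=array1 + secret, array1_len=len(array1),
                    probe_base=0x7F0000000000, hardened=hardened)
    out = bytearray()
    for offset in range(len(secret)):
        b = leak_byte(victim, attacker_branch_va, offset)
        if b is None:
            return None
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print(leak_secret(0x401234))                  # same VA as the victim's branch
    print(leak_secret(0x401234, hardened=True))   # barrier: nothing leaks
    print(leak_secret(0x500000))                  # wrong VA: predictor untrained
```

The third call is the point the speaker makes about needing intimate knowledge of the target: an attacker training a branch at a virtual address that does not alias the victim's gets an untrained predictor, the victim never speculates down the loading path, and every probe line misses.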