We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Inter-VM data exfiltration: The art of cache timing covert channel on x86 multi-core

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
3
 Cite
 Share
 Download Purchase
No logo availableDEF CON
 Martineau, Etienne

Formal Metadata

Title
Inter-VM data exfiltration: The art of cache timing covert channel on x86 multi-core
Title of Series
Number of Parts
109
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Inter-VM data exfiltration: The art of cache timing covert channel on x86 multi-core Etienne Martineau Software engineer, Cisco Systems On x86 multi-core covert channels between co-located Virtual Machine (VM) are real and practical thanks to the architecture that has many imperfections in the way shared resources are isolated. This talk will demonstrate how a non-privileged application from one VM can ex-filtrate data or even establish a reverse shell into a co-located VM using a cache timing covert channel that is totally hidden from the standard access control mechanisms while being able to offer surprisingly high bps at a low error rate. In this talk you'll learn about the various concepts, techniques and challenges involve in the design of a cache timing covert channel on x86 multi-core such as: An overview of some of the X86 shared resources and how we can use / abuse them to carry information across VMs. Fundamental concept behind cache line encoding / decoding. Getting around the hardware pre-fetching logic ( without disabling it from the BIOS! ) Data persistency and noise. What can be done? Guest to host page table de-obfuscation. The easy way. Phase Lock Loop and high precision inter-VM synchronization. All about timers. At the end of this talk we will go over a working VM to VM reverse shell example as well as some surprising bandwidth measurement results. We will also cover the detection aspect and the potential countermeasure to defeat such a communication channel. The source code is going to be release at that time on 'github' Speaker Bio: Etienne holds bachelor's degree in electrical engineering from University Laval at Quebec and is currently a senior technical leader at Cisco Systems. He has over 15 years' mission critical Linux in telecom and space industry experience. His career has covered broad range of high performance / high availability hardware and software technologies, system level architecture and since 2008 a very special focus on the KVM hypervisor. He likes to work on complex and challenging problems but when not working, he likes to spend time with his family and during the night hack virtual machines or rebuild car engines.
00:00
MultiplicationCore dumpCache (computing)Projective planeProof theoryMultiplication signCovering spaceCache (computing)ImplementationNetwork socketTheoryPhysicalismLecture/Conference
00:51
Computer networkPresentation of a groupInformationInternet service providerSource codeSoftwareProjective planeInformationCodeMereologyKernel (computing)Observational studyContext awarenessComputer
01:48
Thread (computing)Mathematical analysisDifferent (Kate Ryan album)PhysicalismQuicksortVirtual machine
02:29
Core dumpThread (computing)Execution unitPattern languageContent (media)InformationMultiplication signResultantOperator (mathematics)
03:32
PixelBitMultiplication signFunction (mathematics)Medical imaging
04:13
InformationNoise (electronics)Information securityPresentation of a groupMultiplication signLecture/Conference
04:42
DDR SDRAMKernel (computing)Virtual machineSound effectMedical imagingCore dumpBitRow (database)Compilation albumReal-time operating systemTelecommunicationKernel (computing)Noise (electronics)SoftwareLecture/Conference
05:37
Frame problemKernel (computing)Context awarenessCompilation albumMultiplication signKernel (computing)Lecture/Conference
06:06
Cache (computing)ImplementationStatisticsSynchronizationProcess (computing)MultiplicationCore dumpPell's equationLine (geometry)ImplementationCache (computing)Multiplication signMeasurementNoise (electronics)Band matrixProcess (computing)Computer hardwareQuicksortTheorySound effect
07:33
Cache (computing)Multiplication signWeb pageType theoryCASE <Informatik>Greatest elementLink (knot theory)Content (media)Computer animation
09:16
MultiplicationNetwork socketCache (computing)Line (geometry)Client (computing)Pattern languageServer (computing)Read-only memoryNetwork socketModule (mathematics)Bus (computing)Socket-SchnittstelleCache (computing)Multiplication signRight anglePattern languageClient (computing)Line (geometry)Server (computing)Semiconductor memoryDirection (geometry)Wechselseitiger AusschlussGreatest elementMereologyComputer programmingSoftware testingCodierung <Programmierung>
11:25
Cache (computing)Structural loadLine (geometry)Read-only memoryBefehlsprozessorComputer fileSoftware testingLine (geometry)Multiplication signCache (computing)CoprocessorArithmetic meanRight angleAlgorithmAddress spaceSemiconductor memory
12:17
Address spaceCache (computing)Line (geometry)Structural loadSimulationWeb pageRandom numberLevel (video gaming)Computer hardwareVirtual machineType theoryCache (computing)Web pageLine (geometry)Pattern languageWordLecture/Conference
13:03
Web pageRandom numberComputer hardwareVirtual machineCodierung <Programmierung>Server (computing)Lecture/Conference
13:33
EvaporationCache (computing)Codierung <Programmierung>Cache (computing)Physical systemWordMultiplication signNoise (electronics)
14:04
Loop (music)SoftwareInterrupt <Informatik>Noise (electronics)Kernel (computing)BefehlsprozessorVirtual machineTelecommunicationBitProcess (computing)Operating systemBasis <Mathematik>Run time (program lifecycle phase)Core dumpStructural loadCASE <Informatik>Cycle (graph theory)Computer programmingSoftware testingMultiplication sign
16:00
Client (computing)Address spaceMeta elementCache (computing)Cache (computing)Computer hardwareMultiplication signSoftware testingLine (geometry)Address spaceServer (computing)Client (computing)Direction (geometry)
16:40
Client (computing)Cache (computing)Meta elementAddress spaceComplex (psychology)Web pageKernel (computing)Read-only memoryOperations researchPhysical systemComputer-generated imagerySemiconductor memoryMedical imagingPhysical systemInformationOperating systemWeb pageThread (computing)Identity managementKernel (computing)Computer programmingTranslation (relic)Process (computing)
18:02
Server (computing)Client (computing)Uniqueness quantificationWeb pagePattern languageRead-only memoryServer (computing)Client (computing)Uniqueness quantificationWeb pageSemiconductor memoryPattern languageCartesian coordinate systemBitCache (computing)Structural loadOperating systemMatching (graph theory)Process (computing)Medical imagingMultiplication sign
19:41
SynchronizationProduct (business)Client (computing)Codierung <Programmierung>Server (computing)Process (computing)2 (number)Primitive (album)
20:34
Client (computing)Primitive (album)Data transmissionComputer configurationBefehlsprozessorLoop (music)Server (computing)SynchronizationBit rateClient (computing)Data transmissionComputer configurationServer (computing)Loop (music)3 (number)BefehlsprozessorBitPoint (geometry)Error messageSpacetimeComputer animation
22:01
Computer configurationFrequencyClient (computing)Server (computing)Phase transitionSynchronizationSweep line algorithmClient (computing)Pattern languageSynchronizationAnalogyPhase transitionServer (computing)ImplementationFrequency
22:45
Data transmissionPhase transitionComputer configurationSynchronizationPulse (signal processing)BefehlsprozessorCache (computing)Pulse (signal processing)Noise (electronics)Data transmissionTheoryClient (computing)SynchronizationMultiplication signBefehlsprozessorFrequencyOrder (biology)BitSoftwareNumberMaxima and minimaDistribution (mathematics)Graph (mathematics)Type theory
25:00
Loop (music)Loop (music)ResultantMultiplication signSoftwareRight angleCycle (graph theory)Structural loadVirtual machineGraph (mathematics)
25:32
Loop (music)Radio-frequency identificationPairwise comparisonNoise (electronics)SynchronizationPerspective (visual)Multiplication signProcess (computing)TelecommunicationKey (cryptography)Scaling (geometry)Befehlsprozessor
26:25
Read-only memoryCache (computing)Pell's equationLine (geometry)Process (computing)Level (video gaming)Numbering schemeCache (computing)Multiplication signCodierung <Programmierung>Semiconductor memoryWeb pageComputer hardwareDemo (music)Lecture/Conference
27:07
Data transmissionBitContent (media)Noise (electronics)FehlererkennungTelecommunicationLecture/Conference
27:54
Kernel (computing)Line (geometry)FingerprintString (computer science)RippingBitVirtual machineWindowSound effectTransmissionskoeffizientVideoconferencingRow (database)FingerprintNoise (electronics)SoftwareCommunications protocolOperating systemPhysical systemKernel (computing)Channel capacity
29:12
Kernel (computing)RippingInclusion mapNoise (electronics)Kernel (computing)Compilation album
29:42
Uniform resource locatorKernel (computing)FingerprintReal numberMathematicsComputer worm
30:18
First-person shooterFrame problemBefehlsprozessorFrame problemMultiplication signBefehlsprozessorComputer clusterUtility software2 (number)VideoconferencingMathematicsPixelBand matrix
30:54
Bit rateStreaming mediaDevice driverDefault (computer science)Cache (computing)Inclusion mapIntegration by partsFrame problemHill differential equationComputer fileRevision controlKernel (computing)Computer programmingBitAsynchronous Transfer ModeSoftware testingRight angleComputer wormDependent and independent variablesDemo (music)Source codeStreaming mediaReverse engineeringData transmissionTelecommunicationNoise (electronics)Gastropod shellServer (computing)Client (computing)Physical systemSynchronizationError messageMultiplication signProcess (computing)Sound effectBefehlsprozessorElectronic visual displayFehlererkennungLevel (video gaming)Function (mathematics)Lecture/Conference
35:10
Read-only memoryCodeSemiconductor memoryCartesian coordinate systemWeb pageBasis <Mathematik>Boundary value problemDemo (music)CuboidFingerprintLecture/Conference
36:20
Computer hardwareMathematical analysisPattern languageScheduling (computing)Process (computing)Slide ruleSystem callMathematical analysisHand fanPattern languageNoise (electronics)Process (computing)Computer hardwareQuicksortTelecommunicationCodeSource codeScheduling (computing)
Transcript: English(auto-generated)