Memory Deduplication: The Curse that Keeps on Giving

Video in TIB AV-Portal: Memory Deduplication: The Curse that Keeps on Giving

Formal Metadata

Title: Memory Deduplication: The Curse that Keeps on Giving
Subtitle: A tale of 3 different memory deduplication based exploitation techniques
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: We are 4 security researchers who have collectively worked on 3 different attack techniques that all (ab)use memory deduplication in one way or another. There is a cross-VM data leak attack, a cross-VM data write attack, and an in-sandbox (MS Edge) JavaScript data leak + full memory read/write attack based in MS Edge. In this talk we detail how memory deduplication works and the many different ways it is exploited in our attacks.
Keywords: Security

Memory deduplication is so widely applied to reduce memory consumption. Today we're going to see three attack techniques that exploit memory deduplication.

We have two incredible security researchers with us today who will show us how the attacks work. To my left I have Antonio Barresi, and to my right is Erik Bosman, sorry. They will use the chance to also introduce themselves. Please help me welcome Antonio and Erik.
Good morning everyone. This is Memory Deduplication: The Curse that Keeps on Giving. Unfortunately Ben and Kaveh couldn't make it, so I just want to say that credit goes also to them: we prepared the talk together, and a big part of the content comes from them. So Erik, as was introduced, is a PhD student at VUSec, the systems security research group at the VU Amsterdam; if you want to see what they do, go to their website.

I'm the co-founder of xorlab, an IT security company in Zurich. The work that we're going to present, actually a lot of other people worked on it, and here are some acknowledgments.
Yeah, so let's start. The message today is actually quite simple and straightforward.

Memory deduplication is much more dangerous than you might possibly think. In the beginning you'd call it a nice little feature that helps you save memory, but we're going to show you that it's actually dangerous, and you'll see why. We're going to do that by showing you three attack techniques that all exploit memory deduplication in one or another way.

Before we do that we'll look at memory deduplication, so everyone knows what it is, and we're going to show you the side channel that it introduces.

And then we start with the three attacks. First we have CAIN, the cross-VM ASLR introspection attack, which basically allows you to leak base addresses or other secrets with high entropy from other VMs; we applied it to DLLs because we thought it's an interesting case. The second one, Dedup Est Machina, is an attack against a single process that actually got the Pwnie Award this year for most innovative research; it relies on deduplication and Rowhammer, and basically it allows you to read and write arbitrary memory in Edge without any sort of vulnerability. And then we're going to present Flip Feng Shui, which is a cross-VM bit flip attack: basically imagine you could flip a bit in another VM, and the only requirement is that you have to know the content of the page. How would you actually compromise that system? So we're going to show you first of all how you can flip bits precisely, and then we're going to

show you two techniques to actually compromise the system with that. After that we'll conclude. So let's start with memory deduplication. Memory deduplication is a method to reduce memory consumption, and it's usually used in virtualized environments, but not exclusively; it was also enabled in Windows 8.1 and 10.
So the idea is that in virtualized environments, for example,

virtual machines are quite resource-hungry, so you try to save memory. Basically you overcommit your resources like memory, and deduplication is a technique to reclaim certain pages in a clever way, or, simply said, to run more VMs. It's basically a nice feature, right, and you can

just have more VMs on the same hardware, but you'll see that it has certain implications.
So let's look at how it works. As an example you see memory pages of two virtual machines and the physical memory of the hardware. Let's say you have the picture of the Mona Lisa, or the same process running, so the same code pages or something, and some data. So basically

normally you have both address spaces filled up with these pages, and they all consume one physical page each. When deduplication is enabled, the memory deduplication mechanism will try to identify these duplicates and then merge them, so that memory space gets free again.
It marks these pages with copy-on-write semantics, which basically means if someone wants to write to it, it has to do something else; a plain write is not going to work. One common implementation is called Kernel Same-page Merging, KSM, in KVM; I am sure most of you know that. So if you have an Ubuntu Server or an Ubuntu system, usually that's, I think even now, enabled by default, and you can check it: there is a run file on the sysfs file system, so you can see if it's enabled, and there are

certain parameters that allow you to define how fast the deduplication should work. There are other implementations as well. So the problem with memory deduplication implementations is that they don't respect security domains: even between two different VMs, or if it's done for processes, between two different processes that cannot trust each other, it still works across these boundaries. Actually that's the dilemma of memory deduplication, because you want to save memory, and it makes a lot of sense: if a lot of VMs run the same operating system software, it makes sense to cross these boundaries. But the problem is it introduces a side channel. So let's look at the side channel. If a page belongs to you, you just write to it, and that's it.

The problem is, if you have memory deduplication with copy-on-write semantics, a write to it needs to go to the kernel: the page has to be duplicated again, the page tables updated, and the process resumed again, and then you can write to that page. So there are a lot more steps involved, and this introduces a one-bit side channel that allows you to see basically if such a page exists in another VM.

It works cross-VM if it's implemented in the virtual machine monitor, across processes, or, as we will see with one instance of that attack, even within a process with different security boundaries. Think about JavaScript code, right: it might be interesting for JavaScript code in a browser to find out certain things. So let's look at the attacker perspective now. What does an attacker have to do to exploit it? There is the attacker with his memory, which might be a VM or a process, and then there is the victim. There is a secret page, and basically knowing that that page exists might help your attack in one or another way. So what the attacker has to do is guess the page; in that case he really has to guess the content of that page. Then he has to wait a certain amount of time, then modify his copy of the page (this is totally legitimate, you don't need more privileges), measure the time, and then see if the write time is above a certain threshold. The attacker can then deduce that that page existed in the other VM, for example; and if the write time is below a certain threshold, the attacker assumes it didn't exist. OK, so let's look at the first attack, CAIN. CAIN is Cross-VM ASLR Introspection; it basically breaks ASLR in another VM, and the attack relies solely on deduplication.
The idea is to use that to break ASLR. So basically you have a VM that runs next to you with deduplication enabled, and you will be able to find out what the base address of, for example, ntdll is in the other VM.

So let's recap what you have to do as an attacker. First you need a secret page that allows you to leak interesting information, in our case the base address of a certain DLL, for example. The question here is what page we use. Then of course there are also certain practical challenges: how long should you actually wait, because you have no idea how fast the deduplication scheme is; and then in the end you have to practically detect that it was merged. You can measure write time, but you'll see that in practice there is also noise, and sometimes write times are higher and it's not because of memory deduplication. So let's look at the page we use to break ASLR. There are certain straightforward criteria: as an attacker you have to know that the page exists in the other VM; it has to be read-only, ideally, in the other VM, because if it changes too often then it will not be deduplicated;

and you have to know the page largely, so you really need to know most of the content of that page. And if you want to break ASLR, you need ideally a page that has the base address in there, so basically the green part is totally predictable for an attacker, and the only thing that the attacker does not know is the base address.

Or another possible page would be a page that actually has different values that were derived from a base address, from the secret that you're interested in. Another thing you have to know is also the offsets of these secrets within the page.
So we were looking for such pages, and we assumed it would be much harder, but luckily, when we looked at the first page of every executable PE image in memory, we already had a hit. So if you look at the PE file format, it looks like on the left for the image on disk; there is the image base field, which basically gets updated with the runtime base address in memory, and it's exactly what we need: we can predict all the bytes except for the base address, which has 19 bits of entropy. Now of course there could be other pages too that fulfill that, but we already had a page here, so why should we look further if we already have a page that we can use.

Another problem is: you have this page, and you can basically ask the deduplication system if that page exists or not, but the problem is you still have to guess the base address, so we have 19 bits of entropy. Now, 19 bits of entropy in x64 Windows is used for the base address of the DLL, for example; so if you need one page per guess, it's more than 500,000 pages that you would need to write, so if you do that one after another it basically will take a lot of time.

Of course we can just brute force it, right, so we can use much more memory, all the memory the attacker actually has.

So the attacker has much memory; we can assume that usually you have a VM with, say, four gigabytes, so you can just fill up the entire memory that is available with all the guesses, and in case of 19 bits of entropy and one page per guess it's two gigabytes, which actually is OK. So what you do is you have these pages, you allocate them, and then you try to detect it, and it's a classical brute force attack on this deduplication side channel. The other challenge that we had, a practical one, is how long we should wait. Of course we could just wait a long time, and at some point it will work.

But it depends, so we wanted to do better. In the end it depends on the memory deduplication implementation, on how fast it is; we have seen the parameters for KSM, so depending on the parameters it might be faster or slower. But it also depends on the memory usage: if you have a lot of VMs running, in the end it has to compare all the pages to each other, so it has to go through all the pages, and if you assume the worst case then your guess page will be compared with the secret page at the latest point in time. So there is a trade-off for the attacker: if the attacker waits too little, then the attack will just not work, but if the attacker waits too long, then the attack takes too long, and that's also not favorable for the attack. So what we came up with is a detection mechanism to detect these deduplications, basically the time you have to wait until you have certain guarantees that your page was compared with another one, called sleep time detection, and it works as follows.
As an attacker you can just allocate a lot of random bytes, a lot of pages, and then you copy every second page of one half of the buffer to the other half of the buffer. What you create is basically the situation like on the slide, where we have a lot of merging opportunity, so basically you give the memory deduplication scheme a lot of

work: you create a lot of pages that can be deduplicated, then wait a certain amount of time, like ten minutes, and try to detect how many of these pages were merged with your detection mechanism. If the number is above a certain threshold you say that's the right time, so use it in your attack; and if not, you just increase T and then try again. So the last practical challenge is how do you actually detect that the page was merged. What you have to do is, I mean, you have to write to it and you have to measure the write time. So what we did is: every time we have a guess page, that's the orange one, the merged one, we have pages adjacent to it that are for sure not merged.

We know that because we can just fill them up with random bytes. So you create the buffer in such a way, and then you just write to it and you measure the cycles, and then you basically see this signal. Now of course there might be noise, so we developed certain heuristics; we wouldn't invest that much time in this, but once we saw they work pretty well, that was fine for us. Now the last question is how to handle noise. So we just implemented it quite conservatively, where we accept that for certain pages you have certain false positives, so what we did is we implemented a feedback system: you try to detect it, you can do it again with the guesses that might eventually be correct, and you do it over and over again, and in the end, as the noise will not affect the same guess all the time, it will work; it might just take certain retries.
So I'm going to show some results for the Windows attack. We implemented it to break ASLR and to leak the DLL base address of a neighbouring Windows 64-bit system. If you look at the entropy, you see it is quite high, so that approach would not work that easily, at least not if you have no control over how the secret is aligned. So basically a 64-bit DLL has 19 bits of entropy, and if you have the base address of one DLL you basically can use it in your exploits for all the other processes, because it's usually not re-randomised. So we did it with the standard KVM/KSM configuration with sleep_millisecs 200, that's the default, and basically you see when you attack one single VM it took us a bit less than five hours to do that, and with some wrong guesses we still reduced the entropy from 19 bits to the actual base address.

And we also wanted to show that it works with more VMs. We sped up the memory deduplication by having sleep_millisecs 20, and you see even if you have more victim VMs it works, it just takes more time, because the sleep time detection will tell you to wait more, because there is more memory in use.

So here is how it looks. We have a demo, but we don't have that much time, so we'll show the demo for another technique. Basically you have the attacker VM, and on the right you have the victim VM, and you do your magic: allocate these pages, measure write times and so on, and in the end you just have the base address of the standard DLL in the other VM.
So the attack is rather slow, I would say, but we wanted to prove that it works; we didn't actually follow up with it. One way to speed it up would be to have more random pages, in which case the noise will not affect your guess, or the probability that it happens is lower. And you can also use more

than one guess page per try. So you could do that, because you might have, for example, code pages that all have that secret, so you can just use many of them. The only thing is you cannot use the same page twice: if you have two times the same guess, you create this merging opportunity and you have false positives, so you need different pages that all have the same uncertainty or the same secret.

Now this is still a cool attack, but the problem is it's still quite limited. One problem is we don't have any control over the victim memory, right, so we really have to rely on how these pages are, on what the layout of these pages is, and also on where the secret actually is; we need to

find these pages. So there is no control, but some control would actually help a lot; we didn't really investigate how we could do that cross-VM. And then of course it's a leak, right, so you still need a vulnerability to exploit: the base address, for example, or the secret, is not enough. But last year, I mean, there were a lot of talks, a lot of publications about deduplication; even here at Congress, Clémentine and Daniel presented their JS work and basically showed that it's possible in JavaScript. So we were optimistic that we could do more, and then Microsoft, who had enabled memory deduplication, as we noticed, for Windows 8.1 and 10 across processes, disabled it again, so it's not enabled anymore.

So, let's say, it would have been cool, but it didn't go that well.
So for the next attack, Dedup Est Machina, we tried to take it a step further.

In this attack we're going to combine deduplication with the Rowhammer attack, which we'll hear more about, in order to exploit Microsoft Edge, which is the new browser from Microsoft, just from JavaScript, without making use of any software bugs.

Or, at least, if you don't consider deduplication a software bug.

So we're going to leak two secrets, and we're going to use deduplication to do this. The first secret is a heap pointer: it's the location of data we control. And the second secret is a code pointer. These two secrets are needed to together create a fake object in our memory. But then we have a problem, because this fake object would allow us to do arbitrary reads and arbitrary writes in memory, but JavaScript of course doesn't allow us to create references to this fake object; it's just data. So we'll use Rowhammer to flip a bit in a pointer and point this pointer to our fake object, and then basically we can take over the process.
So in contrast to CAIN, in this attack we won't only be probing for existing pages in memory; as soon as we can,

we manipulate the data of the victim in some way. And this is not really unlikely if you think about it: every time you do I/O to something you want to attack, you are manipulating memory in this process, and in this case it's from JavaScript, so it's even easier.

And this allows us to not only probe for secrets that just happen to be in pages that we can leak, but we can construct pages that just contain the sequence that we want to leak, so it's quite a bit more powerful.

But still there are some problems with this. The secret that we want to leak is probably somewhere in a page which contains other information that we don't know, and then we can't craft the page to leak the secret. So we need to find a way to kind of encode the secrets into a memory page such that we can retrieve the secrets again. So the page in memory that we want to leak should contain only the secret and data that is known to us; this could be because this data was written by us into the address space of the victim, or it's just data that we know the contents of in some way. And there's a second problem: we might want to leak a secret which has too much entropy, so much entropy that we cannot possibly brute force all the possible secrets. For this we have found some ways to get around it and leak the secrets.
The first primitive we tried was alignment probing. In this case we manipulate the victim into creating a memory page with the secret placed across page boundaries. In this way we can leak the secret only partially in one round, and then we have to get the victim to create another page with slightly more of the secret in one page, and so on and so on, until we leak the whole secret.
The second primitive we tried was partial reuse, where we assume that the victim has a secret somewhere and then we write data, for example into a buffer that was previously used to store the secret, and we overwrite only part of the secret; then again the entropy is low enough to look it up.

The first of these two primitives, alignment probing, is what we're going to use to leak the code address in this case.
And we're going to make use of the JIT compiler. So every modern browser has a compiler compiling JavaScript to native code, and for every chunk that's translated in Edge, the function epilogue, the last part of the function's code, always looks the same except for one thing, a code address. And what we did was create lots of JavaScript functions which are just too big to fit into one memory page, such that the code address spans multiple pages.

Well, normally the code address has nineteen bits, so it would mean we would need too much memory; in this case we need only sixteen. So in this way, in one sweep we can leak the first part of the address, and in a second one we can leak the complete address. So now we have a code pointer.
But we still need a heap pointer, and there's a problem with this: we didn't find a situation where we could leak the pointer directly using the two primitives, and the pointer has quite a lot of entropy. So this is an example of a heap pointer in Microsoft Edge.

There are some bits of randomness; we have 24 bits of randomness, and if we only look at that part, we need 64 gigabytes of memory just to try every possibility, and we need to multiply this by a bit to get redundancy, because there is noise. But if we look at how a pointer actually looks, there's also a lot of non-determinism which actually increases the entropy of the pointer quite a bit, and we don't have hundreds of terabytes of memory to probe, so we needed to find something else. We could improve this a bit because we found another side channel: if you have lots of allocations,
every megabyte the browser will ask the operating system for an extra megabyte of memory, and then the first object that fits into the new megabyte will take longer to allocate, and that's something you can detect. So then we have a timing side channel and we can reduce the entropy to twenty bits, but that already needs four gigabytes of memory, so that's also not nearly good enough, and so we had to find something else. Well, we found something else; the intuition is very much like that of the birthday problem,
in which, in a surprisingly small group of people, the chance of two people sharing the same birthday actually becomes pretty high, much faster than you would think. The intuition behind this is that you're not comparing one person's birthday with a group of other people; you're actually comparing everybody's birthday with everybody else's. And when you think about it, this is exactly what memory deduplication does as well: it compares every page with every other page. So how can we exploit this? We're going to assume that we don't have one secret to leak, but lots of secrets, and then we have lots of guesses, and then the deduplicator compares every guess with every secret, and then we need way less memory. So in practice, the more secrets, the fewer different guesses you need to actually get a match. So how do we exploit this in practice? Well, we allocate lots of objects and we get
a list of objects which are each aligned on a one-megabyte boundary, and then we allocate a large array, which of course in practice is just memory pages, and then we put a reference, a pointer, to each object in this array, so there's one pointer per page. So these pages kind of encode the addresses of the objects, and those pages are what we're going to probe for. And on the other end, we're using typed arrays, which allow us to completely control the binary contents of memory, to create references to objects which are 128 megabytes apart, and we create the contents of the pages so that they look like the heap contents would look if they were in the array. So you can see that the secret pages are close together, one megabyte apart, and the probe pages range across the entire address space that the heap might possibly use. And if there's a hit, then we get a heap pointer which belongs to an object whose data we control.
So now we have all the information we need to create a fake object, and now we're going to use Rowhammer to create a reference to this object, which allows us to use it. The fake object is a typed array, a different object than the ones we make ourselves, which allows us to easily control reads and writes in the address space.

So this typed array object, this fake object, we create in JavaScript as if we already knew the address, and then we make an array with pointers to it, and we set up the addresses in such a way that if we flip a bit, the pointer will point to our object instead of the array.
And we're going to use the Rowhammer attack. Last year some of you might have seen the talk on it; we were able to reproduce their findings and use it for an attack.
In the Rowhammer attack the problem is that DRAM memory uses capacitors to store data, and when you read it the capacitors are drained, so because they're drained there has to be some kind of cache which doesn't lose its data; that's the row buffer. But it's only a limited amount of memory, so when the memory controller needs to read a different row, the buffer has to be written back to these capacitors and the different row is read into the buffer. The problem is that this causes some interference, and if you just keep accessing specific locations, then after a while some bits may flip in neighbouring rows. And that's what we use to flip a bit in the pointer, allowing us to get a reference to the fake object and take over the process. So that's the second attack. And for the third attack, which we call Flip Feng Shui, we're actually also using Rowhammer in combination with deduplication, but in a different way: we're not using deduplication as a source of information leaks, but we will be using it to make Rowhammer more useful and more predictable. Our target will be virtual machines, so in our attack an attacker will be controlling one virtual machine and will take over another virtual machine on the same system.
So as I said, Rowhammer is a very powerful attack, but it's also quite difficult to exploit, because you can flip bits, but you don't really control which physical bits in memory are vulnerable to it, and if you flip bits, the data that's being corrupted has to be useful to you. So you kind of have a problem of getting the right data into the right location for you to exploit. It's unpredictable in which physical page the flip will happen, and it's unpredictable in which location in this page it might happen. Flip Feng Shui solves the first part for you: given that you can flip a bit in some page, in some location in the page, Flip Feng Shui gives you the ability to take a page that you know the victim has and put it in a location where you can flip. Another thing to mention about Rowhammer: if you discover you can flip a bit somewhere, it's very likely you can flip it again and again and again.
So we're going to look for pages that we want to flip a bit in, and make sure that these pages are put into a location where we can flip these bits. We thought memory deduplication is kind of an attractive way of doing this. We were working on the Windows attack and we thought, well, if we do Rowhammer and find a bit flip, what if, when we find the page that we want to flip a bit in, we just replicate the same content in our page and wait for Windows to merge them, and hope that our page would be the location it gets merged to. But sadly enough, on Windows, Windows allocates a new page, copies the contents, and points the old locations to the new page. However, we found that on Linux, with KSM, the merging is deterministic, and it had some other things that are advantageous to us, for example Linux tries to give physical memory to virtual machines as huge pages for efficiency, which makes it easier for us to do Rowhammer and find bit flips, and also makes it easier for us to make sure that these bit flips occur in our own memory and not in someone else's memory, which could crash the system before we can exploit it. So once we know we can flip a bit that's useful to us, we replicate the contents and then wait for KSM to merge the memory, and we know it does this in a deterministic way, in our case merging to our page, and then we do Rowhammer again and then we can exploit the target.
So one example of how we did this was by attacking the authorized_keys file. authorized_keys files usually contain public keys, and these public keys are not supposed to be, well, they don't have to be kept secret; lots of you have probably uploaded their public key to GitHub. And what we see here is, in yellow, an RSA public key, and in yellow we see the RSA modulus, base64 encoded. And of course we're not supposed to be able to factorize this modulus, because then we can get the private key, but in red here we have the characters which contain a bit that, when flipped, will remain valid base64, but where we are able to factorize the modulus within one minute. So that's what we did: flip a bit in the modulus, factorize it, reconstruct the private key, and log in.
We have a second example where we target GPG, to exploit the update mechanism in Ubuntu. This is a two-stage attack: first we flip a bit in the sources.list file to redirect the update repository to a domain name we control, and we also corrupt a bit in the GPG signing key so that we can reconstruct it, and then we can backdoor any package that is being installed. We have a demo for this as well.
Let me first show this attack. So what you see here is a machine running both the attacker virtual machine and the victim virtual machine. In the top right corner there's the victim VM, in the top left there's some debug information, the bottom part is the access log of the Ubuntu repository mirror that we control, and the middle part is used to create the fake package. So nothing has happened yet; let's run this one. So this is all fine, but now we're going to flip a bit in the sources.list file, and then when we do apt-get again there will be an error, because now it will connect to our repository, of course. This step doesn't have to be done, but this is just to show that it now connects to the server that we control. And we have to wait for a while to find a bit that we can exploit to corrupt the GPG key, and when we have found it, we can reconstruct the private key and create a new package with the new signing key. And then, when apt-get is run, first we do apt-get update, which is OK, but then after that the backdoored package is installed.
So in conclusion, I hope we have convinced you that memory deduplication can be dangerous. If you're thinking about deploying it, think again, and again, and again, and maybe conclude, well, maybe just decide not to. Thank you very much.

We have time for questions. If you have questions, please come forward to one of the four microphones. Does the internet have a question?
No question right now. OK, then we have a question at the microphone on my left side in the front. Please speak loudly into the microphone so we can hear you.

I would like to ask how this applies to large pages. The only example was small pages, four kilobytes, so how does this apply to two-megabyte pages, for example?

So kernel same-page merging, sadly, it was good for us, but the kernel actually prioritises merging over huge pages. So actually we create huge pages at the start to do the Rowhammer part, because that's consecutive memory, but when kernel same-page merging finds a page which is identical inside this huge page, it will break up the huge page and merge anyway. So that is actually the worst-case scenario.

OK, great, thank you. Then the next question would be right behind you.

I was thinking about the deduplication process itself: doesn't it use hashes in order to speed up the comparing, or some protection mechanism, maybe even caching? What is the impact of that on the timing?

So we didn't do the research on the latency, but I think it does use some form of hashing, both on Linux and on Windows.
Yes, the next question please. And before you ask your question, please ask the audience to remain quiet.

It seems to me that the attacker will require, at least, interactive access to a virtual machine hosted on the same host as the target machine, right? So what are the implications for, let's say, VMware or whatever environment; I'm thinking of desktop virtualization, where you actually have virtual guests that are used for interactive access, so you run JavaScript in a browser or whatever. Every week we are being approached by companies trying to sell us desktop virtualization, so the idea of running that opens a completely new, large open door for malware spreading across virtual computers, right, if they have this deduplication?

So our second attack, on Microsoft Edge, was just that: there we could leak information because Windows does deduplication, not only for virtual machines but also for its own processes. Windows has disabled it, but if you run Windows on a hypervisor that does deduplication, you again have the same problem.

Thank you. And then I have a question here on the right, please.
If you have both ECC memory and [unintelligible], can you still extract secrets from deduplication?

So I haven't seen a practical attack with ECC memory and Rowhammer; I don't know about that. And I guess if you put some randomness in, such that it's impossible to guess, then deduplication doesn't have much you can leak from that point on. But I think it's a burden on an application developer to have to be aware of their memory pages, even be aware of the contents of the pages of their program; that's most of the time very much lower-level stuff that application developers shouldn't have to have any concerns about. So I think this is really up to the operating system and the hypervisor to fix this.

Thank you. And now the question comes from the back.

When you merge the pages, you can have more than two; in those examples you can have more of them. Could you know which page will be the one that will be the last one?

So in KSM, it's the oldest page that everything gets merged to, and it's still only one that controls it; you can think that if you have, like, five VMs and everyone has the same page, then it gets a bit more complicated. But there's an exception: if two pages are already merged, they are put in a different tree, so it first merges with already-merged pages, and then it's the oldest.
And so the attack becomes harder if you're the second one and start to flip things; you need to be the first one, so that they will merge into yours. Not necessarily impossible, but it becomes a bit harder. So what you could do is, since the merging happens because the files are in the page cache first, if the files are not yet in the page cache in the victim because no one has tried to log in as that user for a long time, you might be able to first create the page in your own address space, wait for it to be deduplicated, then log in to SSH, and then it gets loaded into the page cache and gets merged to your page, because yours was merged already.

Thank you. And a question in the front, yes.

If I understand correctly, the attack works only if you can detect the time difference between when the copy-on-write happens and when it does not. Wouldn't it be possible to have implementations of deduplication that hide the timing, so there's no real difference?

So the copy-on-write takes time, so that's probably not possible; there's always going to be a time difference, because you don't want to artificially slow down every write operation, and that's just what you would have to do. If timing is not to give anything away, you have to slow all the write operations down as well, and this is not feasible in the end.
Thank you. There's a question from the internet.

Yes, the question is: can this be applied to private keys, leaking the complete keys or breaking them? It doesn't say what kind of keys.

I suppose it's about leaking them from memory, and if you can find a way to, for example, first load them in, it really depends; it takes some effort to find the situation, so the opportunity to find situations where you can leak data, that's really difficult. It just takes time to find the right circumstances, because there's just so much you can explore. So we didn't look for a situation where we could leak the keys, so I wouldn't say it's impossible. I do think that some crypto libraries really try to not keep the private keys in memory longer than needed, so I wouldn't know; maybe you can try and find out.
Thank you. And then we have a last question over here, please.

Maybe you have some advice for [unintelligible]. In the second example you said the deduplication used, I think it was in Windows 10, was better: they first copy the page to be deduplicated to a new free page and then point the two pages to be deduplicated to that one, and in Linux it was so that they just point one page to the other and drop the other page. So the Microsoft approach is more safe?

Yeah, so I don't know if they were aware of this, but in this case certainly some approaches make it harder and some approaches make it easier. Of course randomization doesn't prevent us from leaking data. It would help maybe with making Rowhammer harder, although our group also has a paper on Rowhammer on Android where we don't make use of deduplication but make use of a different mechanism in order to control where memory pages get relocated.

We can't do anything about it ourselves, because we would have to change the memory architecture, but maybe you can publish some advice on what you do better, for example with memory deduplication, what you found in your research, just as an idea?

Yeah, so there are some mitigations that we know of, but they always have some performance penalty drawbacks, and so I don't know whether they will be implemented, because it's a tough one.

OK, we have to thank you so much. So please help me and thank them once more.
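The birthday-style estimate from the talk (one secret with 24 bits of residual entropy needing 64 gigabytes of probe pages, 20 bits needing 4 gigabytes, and many secrets against many guesses needing far less), worked through as an added Python example; this is not code from the talk or from the speakers' tools. It assumes 4 KiB pages, secrets uniformly distributed over their residual entropy, and distinct guess pages, and it generalizes the talk's two figures to any entropy, secret count and guess count, so a defender can see how little residual randomness is worth once many secrets share an address space:

```python
import math

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the unit a deduplicator compares and merges


def probe_memory_bytes(entropy_bits: int) -> int:
    """Bytes of probe pages needed to cover every value of one secret with
    `entropy_bits` bits of residual entropy, one candidate page per value.
    Reproduces the talk's figures: 24 bits -> 64 GiB, 20 bits -> 4 GiB."""
    return (1 << entropy_bits) * PAGE_SIZE


def expected_matches(entropy_bits: int, n_secrets: int, n_guesses: int) -> float:
    """Expected number of (secret page, guess page) pairs that deduplicate,
    under the model that each secret is uniform over 2**entropy_bits values
    and the guess pages are distinct. This is the 'everybody against
    everybody' comparison the deduplicator performs for free."""
    return n_secrets * n_guesses / float(1 << entropy_bits)


def p_at_least_one_match(entropy_bits: int, n_secrets: int, n_guesses: int) -> float:
    """Probability that at least one secret collides with one of the guesses.
    Each secret independently lands in the guess set with probability
    n_guesses / 2**entropy_bits, so P(no match) = (1 - that) ** n_secrets."""
    space = 1 << entropy_bits
    if n_guesses >= space:
        return 1.0
    return 1.0 - (1.0 - n_guesses / float(space)) ** n_secrets


def guesses_for_target(entropy_bits: int, n_secrets: int, target_p: float) -> int:
    """Smallest number of distinct guess pages that reaches `target_p`
    probability of at least one match (inverse of p_at_least_one_match)."""
    space = 1 << entropy_bits
    per_secret = 1.0 - (1.0 - target_p) ** (1.0 / n_secrets)
    return min(space, math.ceil(space * per_secret))


if __name__ == "__main__":
    # The two single-secret figures quoted in the talk.
    for bits in (24, 20):
        print(f"{bits} bits of entropy, one secret: "
              f"{probe_memory_bytes(bits) / 2**30:.0f} GiB of probe pages to cover every value")
    # The birthday effect: more secret pages in memory, far fewer guess pages needed.
    for n_secrets in (1, 64, 1024):
        m = guesses_for_target(20, n_secrets, 0.5)
        print(f"20 bits, {n_secrets:5d} secret pages: {m:7d} guess pages "
              f"({m * PAGE_SIZE / 2**20:.1f} MiB) for a 50% chance of a hit")
```

Running the block prints the talk's two single-secret figures and then shows the number of guess pages for a coin-flip chance of a hit dropping from 2^19 pages with one secret page to a few hundred pages with a thousand secret pages. That is the whole point of the birthday argument: the cost is governed by the product of secrets and guesses, not by the guesses alone, so a few bits of address randomization do not protect a process or VM that leaves many copies of the same secret in memory while deduplication is on.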