YoVDO

Wrangling with the Ghost - An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Software Development Courses Cybersecurity Courses Software Security Courses CPU Architecture Courses Meltdown Courses Spectre Courses

Course Description

Overview

Explore Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities in this Black Hat conference presentation. Delve into the company's collaborative efforts, including bringing in experts from across Microsoft and hiring an industry specialist to accelerate understanding of these issues. Learn about the taxonomy created to design robust mitigations, covering topics such as speculation primitives, windowing gadgets, and disclosure primitives. Examine the four components of speculation techniques and their relevance to software security models. Discover the mitigation tactics developed, including speculation barriers, CPU core isolation, and split user and kernel page tables. Gain insights into new variants and mitigations, and access valuable resources on Microsoft's Speculative Execution Side Channel Bounty program.

Syllabus

Intro
Exploring a new vulnerability class Microsoft first learned about these issues in June, 2017 when a CPU partner notified us
Why does Microsoft care about these issues?
Parallelism and speculation
Out-of-order execution
General definition of speculative execution
Spectre and Meltdown
Spectre (variant 1): conditional branches
Spectre (variant 2): indirect branches
Meltdown (variant 3): exception deferral
Why create a taxonomy? • Designing robust mitigations requires a systematic approach
1. Gaining speculation: speculation primitives
2. Maintaining speculation: windowing gadgets
Observing the results: disclosure primitives . Finally the attacker needs to read the results from the side channel • Example: check if a cache line was loaded
The four components of speculation techniques
Relevance to software security models
Defining our mitigation tactics The systematization we developed provides the basis for defining our mitigation tactics
Speculation barrier via execution serializing instruction
Security domain CPU core isolation
Indirect branch speculation barrier on demand & mode change
Split user and kernel page tables (KVA Shadow)
Decrease browser timer precision
Mitigation relationship to attack scenarios & primitives
New variants & mitigations
Resources • Microsoft Speculative Execution Side Channel Bounty


Taught by

Black Hat

Related Courses

Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security Chip
Black Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube