0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1264 Thanks!
1 00:00:23,160 --> 00:00:25,289 You probably remember the Meltdown
2 00:00:25,290 --> 00:00:27,789 attacks in 2018,
3 00:00:27,790 --> 00:00:29,849 and it
4 00:00:29,850 --> 00:00:32,309 was a pretty big flaw
5 00:00:32,310 --> 00:00:34,709 in modern CPUs, and the
6 00:00:34,710 --> 00:00:37,329 CPUs that came afterwards got fixed.
7 00:00:37,330 --> 00:00:40,409 They probably, they seem to be fixed
8 00:00:40,410 --> 00:00:42,359 and the problem Meltdown seems to be
9 00:00:42,360 --> 00:00:44,879 solved. Well, Michael, Moritz
10 00:00:44,880 --> 00:00:47,189 and Daniel, they will show us that this
11 00:00:47,190 --> 00:00:49,169 is not the case.
12 00:00:49,170 --> 00:00:51,299 A new attack named
13 00:00:51,300 --> 00:00:53,579 ZombieLoad is possible.
14 00:00:53,580 --> 00:00:55,669 And in the following hour, we'll
15 00:00:55,670 --> 00:00:57,449 learn all about it.
16 00:00:57,450 --> 00:00:59,279 Please give a really warm round of
17 00:00:59,280 --> 00:01:01,649 applause to Moritz,
18 00:01:01,650 --> 00:01:02,700 Michael and Daniel.
19 00:01:10,320 --> 00:01:11,909 Thank you for this introduction.
20 00:01:11,910 --> 00:01:14,009 Welcome, everyone, to our
21 00:01:14,010 --> 00:01:16,109 talk about the ZombieLoad
22 00:01:16,110 --> 00:01:17,369 attack.
23 00:01:17,370 --> 00:01:19,859 So my name is Michael Schwarz.
24 00:01:19,860 --> 00:01:21,929 I'm a postdoc at Graz University
25 00:01:21,930 --> 00:01:24,419 of Technology in Austria.
26 00:01:24,420 --> 00:01:26,049 So you can find me on Twitter.
27 00:01:26,050 --> 00:01:27,449 You can write me an email.
28 00:01:27,450 --> 00:01:29,879 I will be here the rest of the Congress
29 00:01:29,880 --> 00:01:31,979 anyway.
So if you're interested in
30 00:01:31,980 --> 00:01:34,079 these topics or anything around that,
31 00:01:34,080 --> 00:01:36,179 just come talk to me.
32 00:01:36,180 --> 00:01:37,349 We can have a nice discussion.
33 00:01:39,150 --> 00:01:40,079 My name is Moritz
34 00:01:40,080 --> 00:01:42,179 Lipp. I'm a PhD candidate in the
35 00:01:42,180 --> 00:01:44,459 same office as Michael and Daniel.
36 00:01:44,460 --> 00:01:45,789 You can also reach me on Twitter.
37 00:01:45,790 --> 00:01:47,159 Or just come and talk to me.
38 00:01:48,210 --> 00:01:50,819 Yeah. And my name is Daniel Gruss and
39 00:01:50,820 --> 00:01:52,269 I... Yeah, I don't know.
40 00:01:52,270 --> 00:01:54,329 I don't have to repeat all of this.
41 00:01:54,330 --> 00:01:56,509 No. But before we dive into
42 00:01:56,510 --> 00:01:56,909 ZombieLoad,
43 00:01:56,910 --> 00:01:58,349 We will stop to some mullets.
44 00:01:58,350 --> 00:02:00,549 Wait a second. I edited last night.
45 00:02:00,550 --> 00:02:02,729 You know, you cannot just let it slide
46 00:02:02,730 --> 00:02:04,319 unless it's important.
47 00:02:04,320 --> 00:02:07,289 I mean, it's, it's right after Christmas.
48 00:02:07,290 --> 00:02:08,290 Right. And we all.
49 00:02:10,750 --> 00:02:11,729 Come on.
50 00:02:11,730 --> 00:02:13,029 Oh, come on.
51 00:02:13,030 --> 00:02:14,389 You're kidding.
52 00:02:14,390 --> 00:02:16,989 And then last year, last year at CCC,
53 00:02:16,990 --> 00:02:19,059 we also had this Christmas-themed
54 00:02:19,060 --> 00:02:20,009 talk. Right.
55 00:02:20,010 --> 00:02:21,699 And now we all hear this still ringing in
56 00:02:21,700 --> 00:02:23,649 the ears. And, and this.
57 00:02:23,650 --> 00:02:25,749 This was a really nice talk, I think, as
58 00:02:25,750 --> 00:02:27,759 well. And we presented a lot of new
59 00:02:27,760 --> 00:02:30,249 Spectre and Meltdown variants there.
60 00:02:30,250 --> 00:02:32,439 Maybe not as dangerous as ZombieLoad,
61 00:02:32,440 --> 00:02:34,659 but still, I think, interesting.
62 00:02:34,660 --> 00:02:36,849 And when we, when we presented this, this
63 00:02:36,850 --> 00:02:39,069 was uploaded to YouTube afterwards.
64 00:02:39,070 --> 00:02:41,109 And I was running around in a suit at
65 00:02:41,110 --> 00:02:43,269 that point and someone wrote: ditch the
66 00:02:43,270 --> 00:02:44,319 suit, please.
67 00:02:44,320 --> 00:02:45,789 He looked so uncomfortable.
68 00:02:45,790 --> 00:02:47,679 And today, I have a T-shirt.
69 00:02:47,680 --> 00:02:49,089 That's much better.
70 00:02:49,090 --> 00:02:50,049 All right.
71 00:02:50,050 --> 00:02:52,269 And we presented in this talk,
72 00:02:52,270 --> 00:02:54,699 we presented a
73 00:02:54,700 --> 00:02:56,769 tree, a tree, a systematization
74 00:02:56,770 --> 00:02:59,179 tree. And you can see all the different
75 00:02:59,180 --> 00:03:00,549 attack variants here.
76 00:03:00,550 --> 00:03:02,709 Spectre-type attacks, Meltdown-type
77 00:03:02,710 --> 00:03:04,749 attacks. And yeah.
78 00:03:04,750 --> 00:03:06,519 So the question is, how does this all
79 00:03:06,520 --> 00:03:08,079 relate to ZombieLoad?
80 00:03:08,080 --> 00:03:10,419 And to start that, I
81 00:03:10,420 --> 00:03:12,909 think we will just present
82 00:03:12,910 --> 00:03:14,520 Spectre in a nutshell.
83 00:03:15,940 --> 00:03:16,940 Yes.
84 00:03:17,740 --> 00:03:20,559 And I think what
85 00:03:20,560 --> 00:03:21,839 that's Spectre in a nutshell, yes.
86 00:03:21,840 --> 00:03:24,219 Yes. And maybe, maybe
87 00:03:24,220 --> 00:03:26,319 something more. There was also this, this
88 00:03:26,320 --> 00:03:27,849 song about Spectre.
89 00:03:27,850 --> 00:03:30,279 Do you remember this song about Spectre?
90 00:03:30,280 --> 00:03:31,869 I think they also had a movie with that
91 00:03:31,870 --> 00:03:32,839 title.
92 00:03:32,840 --> 00:03:33,840 Mm hmm. Yeah.
93 00:03:46,270 --> 00:03:48,659 Yeah, this is about the most, the most
94 00:03:48,660 --> 00:03:50,339 technical explanation that you would get
95 00:03:50,340 --> 00:03:52,349 about Spectre today, because the relation
96 00:03:52,350 --> 00:03:53,849 from Spectre to.
97 00:03:53,850 --> 00:03:55,739 Oh, come on down here then we load is not
98 00:03:55,740 --> 00:03:58,409 here to give a technical talk, not some
99 00:03:58,410 --> 00:03:59,819 goofing around here.
100 00:03:59,820 --> 00:04:01,889 So maybe we, we need some background
101 00:04:01,890 --> 00:04:02,939 first. OK.
102 00:04:02,940 --> 00:04:05,069 Have a really technical talk.
103 00:04:05,070 --> 00:04:05,759 Right.
104 00:04:05,760 --> 00:04:08,519 So can you explain microarchitecture?
105 00:04:08,520 --> 00:04:10,889 I mean, of course I can.
106 00:04:10,890 --> 00:04:12,869 I mean, it's really easy.
107 00:04:12,870 --> 00:04:13,980 So we all know we have a.
108 00:04:15,010 --> 00:04:17,609 And then we have some software that runs
109 00:04:17,610 --> 00:04:18,778 on the CPU.
110 00:04:18,779 --> 00:04:20,819 That's what we always do.
111 00:04:20,820 --> 00:04:23,179 And the software has this
112 00:04:23,180 --> 00:04:25,109 ISA it can use, this instruction set
113 00:04:25,110 --> 00:04:27,789 architecture, like x86.
114 00:04:27,790 --> 00:04:29,729 So this application can use all the
115 00:04:29,730 --> 00:04:31,379 instructions defined by its instruction
116 00:04:31,380 --> 00:04:33,599 set architecture and the CPU will
117 00:04:33,600 --> 00:04:34,559 execute stuff.
118 00:04:34,560 --> 00:04:36,299 And of course, the CPU has to
119 00:04:36,300 --> 00:04:37,649 implement this instruction set
120 00:04:37,650 --> 00:04:39,809 architecture to actually execute
121 00:04:39,810 --> 00:04:40,559 the instruction.
122 00:04:40,560 --> 00:04:42,149 This is what we call the
123 00:04:42,150 --> 00:04:44,019 microarchitecture. Could be, for example, an
124 00:04:44,020 --> 00:04:46,079 Intel Core, Xeon,
125 00:04:46,080 --> 00:04:48,209 or some AMD Ryzen and
126 00:04:48,210 --> 00:04:49,289 stuff like that.
127 00:04:49,290 --> 00:04:51,039 And CPUs are really easy.
128 00:04:51,040 --> 00:04:52,589 I learnt it in my bachelor.
129 00:04:52,590 --> 00:04:54,539 So when you want to execute a program,
130 00:04:54,540 --> 00:04:56,549 that's just a few steps that the CPU
131 00:04:56,550 --> 00:04:57,689 has to do.
132 00:04:57,690 --> 00:05:00,059 So first it fetches the instruction,
133 00:05:00,060 --> 00:05:02,729 it decodes the instruction, it executes
134 00:05:02,730 --> 00:05:04,789 the instruction, and then when it's
135 00:05:04,790 --> 00:05:06,539 finished executing, it writes
136 00:05:06,540 --> 00:05:07,679 back the result.
137 00:05:07,680 --> 00:05:09,149 Yeah, it's really easy to see.
138 00:05:09,150 --> 00:05:11,009 Yes, but this is a very high level.
139 00:05:11,010 --> 00:05:12,979 I think we should go a bit more into
140 00:05:12,980 --> 00:05:14,639 details if you're asking for that.
141 00:05:16,320 --> 00:05:18,689 So maybe to go into details,
142 00:05:18,690 --> 00:05:21,239 we should look what these boxes
143 00:05:21,240 --> 00:05:22,889 actually do. Let's start with the front
144 00:05:22,890 --> 00:05:24,059 end. In the front end,
145 00:05:24,060 --> 00:05:26,429 we will have some part that decodes
146 00:05:26,430 --> 00:05:28,559 the instructions that we send
147 00:05:28,560 --> 00:05:29,560 to the CPU.
148 00:05:30,420 --> 00:05:32,849 There is already a lot of
149 00:05:32,850 --> 00:05:35,039 parallelism in there.
150 00:05:35,040 --> 00:05:37,169 And also we have a branch predictor which
151 00:05:37,170 --> 00:05:39,359 tells us which
152 00:05:39,360 --> 00:05:41,699 micro-op codes
153 00:05:41,700 --> 00:05:44,469 we should execute next.
154 00:05:44,470 --> 00:05:46,649 There is a cache for that
155 00:05:46,650 --> 00:05:48,869 and we have some MUX that
156 00:05:48,870 --> 00:05:50,969 combines all of this and then we have
157 00:05:50,970 --> 00:05:53,399 an allocation queue which determines
158 00:05:53,400 --> 00:05:55,469 what the next instruction will be and
159 00:05:55,470 --> 00:05:57,269 sends that onwards.
160 00:05:57,270 --> 00:05:58,679 We also have an instruction cache.
161 00:05:58,680 --> 00:05:59,699 Of course, we need to get the
162 00:05:59,700 --> 00:06:01,619 instructions from somewhere and of
163 00:06:01,620 --> 00:06:03,809 course, the instruction translation
164 00:06:03,810 --> 00:06:05,089 lookaside buffer, the ITLB,
165 00:06:05,090 --> 00:06:07,169 connected to that.
166 00:06:07,170 --> 00:06:09,719 This one basically translates
167 00:06:09,720 --> 00:06:11,860 addresses from virtual to physical.
168 00:06:13,500 --> 00:06:14,699 Yes.
169 00:06:14,700 --> 00:06:17,279 The next step would be the execution
170 00:06:17,280 --> 00:06:19,439 engine. In the execution
171 00:06:19,440 --> 00:06:21,689 engine, we have a scheduler
172 00:06:21,690 --> 00:06:24,359 and the reorder buffer. The reorder buffer,
173 00:06:24,360 --> 00:06:26,069 although it is called reorder buffer, it
174 00:06:26,070 --> 00:06:28,379 actually contains all the code,
175 00:06:28,380 --> 00:06:30,959 all the micro-ops in order,
176 00:06:30,960 --> 00:06:33,149 in exactly the order in which they should
177 00:06:33,150 --> 00:06:35,009 be executed.
178 00:06:35,010 --> 00:06:36,449 It's called reorder buffer because the
179 00:06:36,450 --> 00:06:38,549 scheduler just picks them as soon
180 00:06:38,550 --> 00:06:40,649 as they are ready and then schedules
181 00:06:40,650 --> 00:06:42,809 them on one of the execution
182 00:06:42,810 --> 00:06:44,249 units. For instance, there are some for
183 00:06:44,250 --> 00:06:46,559 the ALU, there are some for loading data,
184 00:06:46,560 --> 00:06:48,359 some for storing data.
185 00:06:48,360 --> 00:06:50,579 And yeah, it just
186 00:06:50,580 --> 00:06:52,949 schedules them as soon as possible.
187 00:06:52,950 --> 00:06:54,959 And then they are executed there.
188 00:06:54,960 --> 00:06:56,729 And as soon as they are finished
189 00:06:56,730 --> 00:06:58,829 executing, they will be retired from
190 00:06:58,830 --> 00:07:00,029 the reorder buffer.
191 00:07:00,030 --> 00:07:02,039 And that means that they will become
192 00:07:02,040 --> 00:07:04,169 architecturally visible to all the
193 00:07:04,170 --> 00:07:05,170 software.
194 00:07:05,790 --> 00:07:08,179 And then something fails.
195 00:07:08,180 --> 00:07:10,409 Yeah. If something fails.
196 00:07:10,410 --> 00:07:11,489 If something fails.
197 00:07:11,490 --> 00:07:13,109 You mean a CPU exception,
198 00:07:13,110 --> 00:07:14,009 for instance? Yes.
199 00:07:14,010 --> 00:07:16,799 Yes. Then, of course,
200 00:07:16,800 --> 00:07:18,599 the exception has to be raised.
201 00:07:18,600 --> 00:07:20,909 And this happens at retirement.
202 00:07:20,910 --> 00:07:23,009 So first the execution unit finishes
203 00:07:23,010 --> 00:07:24,719 the work and then the exception is
204 00:07:24,720 --> 00:07:26,879 raised. And all, all the things that the
205 00:07:26,880 --> 00:07:28,179 execution unit did
206 00:07:28,180 --> 00:07:29,489 are just kicked out.
207 00:07:29,490 --> 00:07:30,490 Just thrown away.
208 00:07:32,460 --> 00:07:34,919 So then we go to the memory subsystem.
209 00:07:34,920 --> 00:07:36,539 Of course, if we want to make changes, we
210 00:07:36,540 --> 00:07:38,549 don't want to keep them in some internal
211 00:07:38,550 --> 00:07:40,589 registers. We want to store them
212 00:07:40,590 --> 00:07:42,179 somewhere, maybe load data from
213 00:07:42,180 --> 00:07:43,829 somewhere. And for that, we have the load
214 00:07:43,830 --> 00:07:45,269 buffer and store buffer,
215 00:07:46,500 --> 00:07:48,029 and the load buffer and store buffer,
216 00:07:48,030 --> 00:07:49,799 they are then connected to the cache,
217 00:07:49,800 --> 00:07:52,019 the L1 data cache, and
218 00:07:52,020 --> 00:07:53,849 we again have a TLB to translate
219 00:07:53,850 --> 00:07:55,919 virtual to physical addresses, and
220 00:07:55,920 --> 00:07:58,469 the line fill buffer
221 00:07:58,470 --> 00:08:00,599 to fill cache lines in the
222 00:08:00,600 --> 00:08:02,759 L1 module for some other
223 00:08:02,760 --> 00:08:04,499 purposes. But we will get to that later
224 00:08:04,500 --> 00:08:05,500 on.
225 00:08:05,790 --> 00:08:08,039 Yes. And caches. I think I also
226 00:08:08,040 --> 00:08:09,269 talked about it.
227 00:08:09,270 --> 00:08:10,709 I said, well, we've heard that, yes,
228 00:08:10,710 --> 00:08:12,809 caches are pretty easy.
229 00:08:12,810 --> 00:08:13,979 For instance, you have a simple
230 00:08:13,980 --> 00:08:16,069 application just accessing variable
231 00:08:16,070 --> 00:08:18,059 i twice. The first time,
232 00:08:18,060 --> 00:08:19,439 it's not in the cache.
233 00:08:19,440 --> 00:08:21,149 So we have a cache miss.
234 00:08:21,150 --> 00:08:23,219 So the CPU has to ask the main memory,
235 00:08:23,220 --> 00:08:25,289 please give me whatever is stored at this
236 00:08:25,290 --> 00:08:26,279 address.
237 00:08:26,280 --> 00:08:27,869 The main memory would respond with the
238 00:08:27,870 --> 00:08:30,149 value and stored in the cache.
239 00:08:30,150 --> 00:08:32,158 So the second time you try to access this
240 00:08:32,159 --> 00:08:34,349 variable, it's already in the cache.
241 00:08:34,350 --> 00:08:35,668 So it's a cache hit.
242 00:08:35,669 --> 00:08:37,379 And this is much faster.
243 00:08:37,380 --> 00:08:39,928 So if it's a cache miss, it's slow
244 00:08:39,929 --> 00:08:41,548 because we need a DRAM access.
245 00:08:41,549 --> 00:08:43,168 On the other hand, if it's already in the
246 00:08:43,169 --> 00:08:45,479 cache, it's fast.
247 00:08:45,480 --> 00:08:47,969 And if you have a high resolution timer,
248 00:08:47,970 --> 00:08:50,159 you can just measure that by accessing
249 00:08:50,160 --> 00:08:52,469 and measuring how long it takes to access
250 00:08:52,470 --> 00:08:54,149 the address. Can you really do that?
251 00:08:54,150 --> 00:08:55,909 Yes. I implemented that.
252 00:08:55,910 --> 00:08:58,889 And thus we can see around 60 cycles
253 00:08:58,890 --> 00:09:01,079 if the data is stored in the cache
254 00:09:01,080 --> 00:09:03,539 and around 320 cycles
255 00:09:03,540 --> 00:09:05,519 if it's a cache miss, and if we have to
256 00:09:05,520 --> 00:09:06,479 load it from memory.
257 00:09:06,480 --> 00:09:08,549 Oh, wait, I remember something.
258 00:09:08,550 --> 00:09:10,589 So we learned something at university about
259 00:09:10,590 --> 00:09:13,109 this. Caches and cache hits and misses,
260 00:09:13,110 --> 00:09:15,899 that we can use that for attacks.
261 00:09:15,900 --> 00:09:18,179 So there was this Flush+Reload attack.
262 00:09:18,180 --> 00:09:20,519 But we have two applications, an attacker
263 00:09:20,520 --> 00:09:21,599 and a victim.
264 00:09:21,600 --> 00:09:23,639 We have our cache and we have some shared
265 00:09:23,640 --> 00:09:25,769 memory. For example, a shared library
266 00:09:25,770 --> 00:09:27,479 like the libc.
267 00:09:27,480 --> 00:09:29,939 And if the shared memory is in the cache,
268 00:09:29,940 --> 00:09:31,199 it's in the cache for all the
269 00:09:31,200 --> 00:09:33,059 applications that use it.
270 00:09:33,060 --> 00:09:35,279 So if we have, for
271 00:09:35,280 --> 00:09:37,739 example, an attacker
272 00:09:37,740 --> 00:09:39,809 that flushes it from the cache, it's
273 00:09:39,810 --> 00:09:42,209 also flushed for all the applications
274 00:09:42,210 --> 00:09:43,259 from the cache.
275 00:09:43,260 --> 00:09:45,749 So here my cache has like four
276 00:09:45,750 --> 00:09:47,219 sets, three or four parts.
277 00:09:47,220 --> 00:09:48,779 And the shared memory is in there, it was
278 00:09:48,780 --> 00:09:49,799 used before.
279 00:09:49,800 --> 00:09:51,959 So as an attacker, I can simply
280 00:09:51,960 --> 00:09:53,459 flush it from the cache.
281 00:09:53,460 --> 00:09:54,959 That's not in the cache anymore.
282 00:09:54,960 --> 00:09:56,519 It's not cached anymore.
283 00:09:56,520 --> 00:09:58,799 Then the attacker can simply wait
284 00:09:58,800 --> 00:10:00,509 until the victim is scheduled.
285 00:10:00,510 --> 00:10:02,399 And if the victim accesses the shared
286 00:10:02,400 --> 00:10:04,499 memory, it'll, of course, be
287 00:10:04,500 --> 00:10:05,849 in the cache again. That happens
288 00:10:05,850 --> 00:10:08,159 transparently, as you just explained.
289 00:10:09,210 --> 00:10:11,129 And then as an attacker again, when the
290 00:10:11,130 --> 00:10:13,379 attacker is scheduled, it can simply
291 00:10:13,380 --> 00:10:15,449 access the shared memory and measure
292 00:10:15,450 --> 00:10:17,519 the time it takes and
293 00:10:17,520 --> 00:10:20,219 from the time the attacker can infer
294 00:10:20,220 --> 00:10:21,509 whether it's in the cache.
295 00:10:21,510 --> 00:10:23,639 If this access is fast, then
296 00:10:23,640 --> 00:10:25,649 the attacker knows that the victim accessed
297 00:10:25,650 --> 00:10:27,739 the shared memory, and if the victim
298 00:10:27,740 --> 00:10:29,339 is slow, it was not accessed
299 00:10:29,340 --> 00:10:31,409 in the meantime, and
300 00:10:31,410 --> 00:10:34,029 it has to be loaded to the cache again.
301 00:10:34,030 --> 00:10:34,319 Yeah.
302 00:10:34,320 --> 00:10:35,549 Really simple.
303 00:10:35,550 --> 00:10:37,529 Yes. You paid attention in my lecture.
304 00:10:37,530 --> 00:10:38,609 I see.
305 00:10:38,610 --> 00:10:40,619 But actually, there are some more details
306 00:10:40,620 --> 00:10:43,499 that we might want to show here.
307 00:10:43,500 --> 00:10:45,659 So if we look at the cache, how
308 00:10:45,660 --> 00:10:48,509 a cache actually works, the cache today
309 00:10:48,510 --> 00:10:50,759 works not by just having these cache
310 00:10:50,760 --> 00:10:52,829 lines, but it divides
311 00:10:52,830 --> 00:10:55,259 these storage locations also
312 00:10:55,260 --> 00:10:57,989 into so-called ways
313 00:10:57,990 --> 00:10:59,879 and they group these ways into a cache
314 00:10:59,880 --> 00:11:01,949 set. So instead of a cache line, we now
315 00:11:01,950 --> 00:11:03,599 have a cache set.
316 00:11:03,600 --> 00:11:05,759 And the index, the cache index,
317 00:11:05,760 --> 00:11:07,949 now determines which cache set
318 00:11:07,950 --> 00:11:10,289 it is and not which cache line.
319 00:11:10,290 --> 00:11:12,079 So you have multiple congruent
326 00:11:23,810 --> 00:11:26,359 Then we have any bids for the index 327 00:11:26,360 --> 00:11:27,899 and the remaining parts. 328 00:11:27,900 --> 00:11:28,900 Maybe the. 329 00:11:29,720 --> 00:11:32,269 The physics. Page number 330 00:11:32,270 --> 00:11:33,499 is used as a tag. 331 00:11:34,550 --> 00:11:36,319 And this tag is then used for the 332 00:11:36,320 --> 00:11:37,219 comparison. 333 00:11:37,220 --> 00:11:39,049 And if one of the tax matches, we can 334 00:11:39,050 --> 00:11:40,789 directly return the data. 335 00:11:40,790 --> 00:11:42,919 I prefer my simple cash. 336 00:11:42,920 --> 00:11:43,920 It's a lot easier. 337 00:11:45,140 --> 00:11:47,599 So if we combine the cash, the deck 338 00:11:47,600 --> 00:11:49,879 that Michael showed us with the thing 339 00:11:49,880 --> 00:11:51,499 that Daniel told us in the beginning, 340 00:11:51,500 --> 00:11:53,599 that except to say I only handled 341 00:11:53,600 --> 00:11:55,699 when an instruction is retired, we 342 00:11:55,700 --> 00:11:57,649 can build the Middletown attack. 343 00:11:57,650 --> 00:11:59,059 So let's talk about Milton. 344 00:11:59,060 --> 00:12:01,099 In the beginning, because this is an 345 00:12:01,100 --> 00:12:02,509 attack that we build up on. 346 00:12:02,510 --> 00:12:04,489 Yes. Moments, I think, for Milton. 347 00:12:04,490 --> 00:12:06,679 I mean, we already saw Spector 348 00:12:06,680 --> 00:12:07,840 hadn't made that night. 349 00:12:09,260 --> 00:12:11,359 I think that was a song about marathon. 350 00:12:11,360 --> 00:12:12,360 Wasn't the. 351 00:12:27,070 --> 00:12:28,899 It's not about the marathon attack. 352 00:12:28,900 --> 00:12:30,719 No, I. 353 00:12:30,720 --> 00:12:32,799 Dave. They sing about it and it's clearly 354 00:12:32,800 --> 00:12:34,929 related to some serious. 355 00:12:34,930 --> 00:12:37,179 Yes. But let's get back to the real 356 00:12:37,180 --> 00:12:39,249 impact. So it's really 357 00:12:39,250 --> 00:12:40,449 simple. 
358 00:12:40,450 --> 00:12:42,459 We just access an address
359 00:12:42,460 --> 00:12:44,649 we are not allowed to access,
360 00:12:44,650 --> 00:12:46,629 which makes an application crash.
361 00:12:46,630 --> 00:12:47,950 But we can take care of that.
362 00:12:49,120 --> 00:12:51,969 So a page fault exception happens.
363 00:12:51,970 --> 00:12:54,219 And what we do now, we use this value
364 00:12:54,220 --> 00:12:56,529 that we read which illegally read.
365 00:12:56,530 --> 00:12:58,899 But it's still executed that way
366 00:12:58,900 --> 00:13:01,119 and encode it in our lookup
367 00:13:01,120 --> 00:13:03,219 table in the cache.
368 00:13:03,220 --> 00:13:05,109 So here the value is K.
369 00:13:05,110 --> 00:13:07,479 So what we do is we access the memory
370 00:13:07,480 --> 00:13:09,979 location on the left of the user memory
371 00:13:09,980 --> 00:13:10,980 where the K is,
372 00:13:12,340 --> 00:13:14,499 which means this value is loaded
373 00:13:14,500 --> 00:13:15,669 into the cache.
374 00:13:15,670 --> 00:13:17,859 And now what we can do is after we
375 00:13:17,860 --> 00:13:19,959 executed this illegal instruction
376 00:13:19,960 --> 00:13:22,089 and recovered from the fault, we
377 00:13:22,090 --> 00:13:24,059 can just mount the Flush+Reload
378 00:13:24,060 --> 00:13:26,259 attack on all the possibilities
379 00:13:26,260 --> 00:13:27,689 of the alphabet.
380 00:13:27,690 --> 00:13:29,949 Yeah, let's let the K will quick cache
381 00:13:29,950 --> 00:13:32,249 hit so we know we read the value
382 00:13:32,250 --> 00:13:32,839 K.
383 00:13:32,840 --> 00:13:34,449 Yes, this is nice, but this doesn't
384 00:13:34,450 --> 00:13:36,609 really explain why this actually
385 00:13:36,610 --> 00:13:38,619 works. So let's look at the
386 00:13:38,620 --> 00:13:39,699 microarchitecture again.
387 00:13:39,700 --> 00:13:40,599 The Meltdown attack,
388 00:13:40,600 --> 00:13:42,969 actually, the instruction that performs
389 00:13:42,970 --> 00:13:45,699 the Meltdown attack is just
390 00:13:45,700 --> 00:13:46,609 one instruction.
391 00:13:46,610 --> 00:13:48,399 One operation that loads from a kernel
392 00:13:48,400 --> 00:13:50,189 address, moves something into a
393 00:13:50,190 --> 00:13:51,489 register. That's it.
394 00:13:51,490 --> 00:13:53,289 That's the entire Meltdown operation.
395 00:13:53,290 --> 00:13:55,569 Now we have our value in a register
396 00:13:55,570 --> 00:13:57,249 and now we can do with it whatever we
397 00:13:57,250 --> 00:13:59,019 like. We can transmit it through the cache
398 00:13:59,020 --> 00:14:01,209 if we like, but we could use any other
399 00:14:01,210 --> 00:14:02,709 way. The Meltdown attack
400 00:14:02,710 --> 00:14:04,809 is this reading from the kernel address
401 00:14:04,810 --> 00:14:06,969 that actually ends up in our
402 00:14:06,970 --> 00:14:09,209 register under our control.
403 00:14:09,210 --> 00:14:11,059 Now, this enters the reorder buffer.
404 00:14:11,060 --> 00:14:13,149 It will be scheduled on a load data
405 00:14:13,150 --> 00:14:15,129 execution unit and then it will go to the
406 00:14:15,130 --> 00:14:16,329 load buffer. In the load buffer,
407 00:14:16,330 --> 00:14:18,399 we will have an entry and this entry has
408 00:14:18,400 --> 00:14:20,469 to store approximately something like
409 00:14:20,470 --> 00:14:21,389 the physical page,
410 00:14:21,390 --> 00:14:23,319 no, the virtual page number for the
411 00:14:23,320 --> 00:14:24,699 virtual address,
412 00:14:24,700 --> 00:14:27,309 the offset, which is the same for
413 00:14:27,310 --> 00:14:28,789 virtual and physical pages,
414 00:14:28,790 --> 00:14:31,629 lowest twelve bits, something like that,
415 00:14:31,630 --> 00:14:33,189 and register number.
416 00:14:33,190 --> 00:14:35,139 If you're familiar with register names
417 00:14:35,140 --> 00:14:37,329 like RAX, RBX, RCX
418 00:14:37,330 --> 00:14:38,859 and so on.
419 00:14:38,860 --> 00:14:41,559 Those are just variable names
420 00:14:41,560 --> 00:14:43,099 that are predefined.
421 00:14:43,100 --> 00:14:45,699 There's actually a set of 160
422 00:14:45,700 --> 00:14:47,759 registers in the processor,
423 00:14:47,760 --> 00:14:49,090 so we just pick one of them
424 00:14:50,230 --> 00:14:52,090 independent of your variable name
425 00:14:53,200 --> 00:14:55,209 and then, yes, we access the load buffer
426 00:14:55,210 --> 00:14:57,399 here and in the next step we will do a lookup
427 00:14:57,400 --> 00:14:59,559 for this memory
428 00:14:59,560 --> 00:15:01,749 location in.
429 00:15:01,750 --> 00:15:03,699 Oh sorry. We first have to update the
430 00:15:03,700 --> 00:15:05,799 load buffer. Of course we have to get a
431 00:15:05,800 --> 00:15:06,699 new register.
432 00:15:06,700 --> 00:15:08,169 Right. These are the old values.
433 00:15:08,170 --> 00:15:10,809 The new values are marked in red.
434 00:15:10,810 --> 00:15:11,949 The register number,
435 00:15:11,950 --> 00:15:13,929 the offset and the virtual page number
436 00:15:13,930 --> 00:15:14,829 are updated.
437 00:15:14,830 --> 00:15:16,539 The virtual page number is not used for
438 00:15:16,540 --> 00:15:18,239 the lookup in the store
439 00:15:18,240 --> 00:15:19,289 buffer then.
440 00:15:19,290 --> 00:15:21,249 We only use the lowest twelve bits, the
441 00:15:21,250 --> 00:15:22,359 offset here.
442 00:15:22,360 --> 00:15:24,419 And then what happens next is we do
443 00:15:24,420 --> 00:15:26,479 the lookup in the store buffer, in the
444 00:15:26,480 --> 00:15:28,269 L1 data cache, in the LFB,
445 00:15:28,270 --> 00:15:30,759 and also in the DTLB, we check
446 00:15:30,760 --> 00:15:32,169 what is the physical address.
447 00:15:32,170 --> 00:15:34,539 We get this from the DTLB.
448 00:15:34,540 --> 00:15:36,369 Now in the next step we would look up in
449 00:15:36,370 --> 00:15:37,359 the DTLB.
450 00:15:37,360 --> 00:15:38,799 So what does this entry say?
451 00:15:38,800 --> 00:15:40,419 And it says, oh yeah, I have a physical
452 00:15:40,420 --> 00:15:42,789 page number, it's present
453 00:15:42,790 --> 00:15:44,919 and it's not user accessible,
454 00:15:44,920 --> 00:15:46,119 but the fast path,
455 00:15:46,120 --> 00:15:48,249 what the processor expects, is always
456 00:15:48,250 --> 00:15:50,739 that this is a valid address, and it will,
457 00:15:50,740 --> 00:15:52,239 in the fast path,
458 00:15:52,240 --> 00:15:55,299 copy this physical address up here,
459 00:15:55,300 --> 00:15:57,339 at the same time realize that this is not
460 00:15:57,340 --> 00:15:59,229 good. I shouldn't be doing this.
461 00:15:59,230 --> 00:16:01,299 But also, I mean, the virtual address
462 00:16:01,300 --> 00:16:03,579 matches. The physical address matches.
463 00:16:03,580 --> 00:16:05,709 Why wouldn't I return the data to the
464 00:16:05,710 --> 00:16:07,899 register? And then the data ends
465 00:16:07,900 --> 00:16:08,829 up in the register.
466 00:16:08,830 --> 00:16:10,779 That's the Meltdown attack on a
467 00:16:10,780 --> 00:16:12,969 microarchitectural level.
468 00:16:12,970 --> 00:16:15,039 So how fast is this
469 00:16:15,040 --> 00:16:16,869 attack? This is one question and the
470 00:16:16,870 --> 00:16:19,209 other is also why
471 00:16:19,210 --> 00:16:20,499 does the processor do this?
472 00:16:20,500 --> 00:16:21,849 And there is actually a patent
473 00:16:23,110 --> 00:16:24,909 or multiple patents actually writing
474 00:16:24,910 --> 00:16:27,009 about this. And it says if
475 00:16:27,010 --> 00:16:29,289 a fault occurs with respect to the load
476 00:16:29,290 --> 00:16:31,689 operation, it is marked as valid
477 00:16:31,690 --> 00:16:33,279 and completed.
478 00:16:33,280 --> 00:16:34,869 So in these cases, the processor
479 00:16:34,870 --> 00:16:37,159 deliberately sets this to valid and
480 00:16:37,160 --> 00:16:39,579 completed because it knows the results
481 00:16:39,580 --> 00:16:41,529 will be thrown away anyway.
482 00:16:41,530 --> 00:16:43,419 So why not let it succeed?
483 00:16:43,420 --> 00:16:45,669 So how fast is this attack?
484 00:16:45,670 --> 00:16:47,229 Actually, it's pretty fast.
485 00:16:47,230 --> 00:16:49,329 So it's five hundred and fifty kilobytes
486 00:16:49,330 --> 00:16:51,729 per second and the error rate,
487 00:16:51,730 --> 00:16:53,679 it's only zero point zero
488 00:16:53,680 --> 00:16:55,699 zero three percent.
489 00:16:55,700 --> 00:16:56,829 Yeah, I can't confirm that.
490 00:16:56,830 --> 00:16:59,049 So I also implemented that and I
491 00:16:59,050 --> 00:17:00,879 put the secret into a cache line of known
492 00:17:00,880 --> 00:17:02,469 secret in kernel memory.
493 00:17:02,470 --> 00:17:03,969 And then when I tried to leak it with
494 00:17:03,970 --> 00:17:06,029 this Meltdown attack, I've just seen
495 00:17:06,030 --> 00:17:08,098 that. And I get the values and or as a
496 00:17:08,099 --> 00:17:10,209 piece or X X X X is the
497 00:17:10,210 --> 00:17:12,429 secret I bought and there have been
498 00:17:12,430 --> 00:17:13,989 some noise, I guess.
499 00:17:13,990 --> 00:17:15,639 So it's a bit noisy as you say.
500 00:17:15,640 --> 00:17:17,259 It isn't like this error rate from
501 00:17:17,260 --> 00:17:18,279 before.
502 00:17:18,280 --> 00:17:19,529 Yeah. I'm not exactly sure what this
503 00:17:19,530 --> 00:17:22,059 noise is, and actually Intel
504 00:17:22,060 --> 00:17:23,828 explains that in more detail in the
505 00:17:23,829 --> 00:17:24,999 security advisory.
506 00:17:25,000 --> 00:17:27,059 So.
For instance, on some 507 00:17:27,060 --> 00:17:29,449 implementations, speculatively probing 508 00:17:29,450 --> 00:17:31,879 memory will only pass data 509 00:17:31,880 --> 00:17:34,009 onto subsequent operations 510 00:17:34,010 --> 00:17:36,379 if the resident if its resident 511 00:17:36,380 --> 00:17:38,469 in the lowest level data cache, the L1 512 00:17:38,470 --> 00:17:40,729 cache. As we've seen now, this can allow 513 00:17:40,730 --> 00:17:42,649 the data in question to be queried by a 514 00:17:42,650 --> 00:17:44,779 malicious application leading to 515 00:17:44,780 --> 00:17:46,909 a side channel that reveals supervisor 516 00:17:46,910 --> 00:17:48,139 data void. 517 00:17:48,140 --> 00:17:49,519 I'm not sure it's correct. 518 00:17:49,520 --> 00:17:51,319 For me, it also works on the level 519 00:17:51,320 --> 00:17:52,879 three cache that they've lost. 520 00:17:52,880 --> 00:17:55,549 I only have one, but it works. 521 00:17:55,550 --> 00:17:57,349 I implemented that. You tried it. 522 00:17:57,350 --> 00:17:59,599 And it's also it's not as fast 523 00:17:59,600 --> 00:18:02,299 anymore. That's just around 10 kilobytes. 524 00:18:02,300 --> 00:18:04,489 The error rate is ten times as 525 00:18:04,490 --> 00:18:06,799 high as before, but I'm still at work, 526 00:18:06,800 --> 00:18:09,169 so I removed it from the L1 cache. 527 00:18:09,170 --> 00:18:10,609 Just have it in the L3 cache. 528 00:18:10,610 --> 00:18:13,299 My secret X again in kernel memory 529 00:18:13,300 --> 00:18:14,359 and I tried to leak it. 530 00:18:14,360 --> 00:18:15,929 I get the extra miles. 531 00:18:15,930 --> 00:18:17,329 Look, Dex used as well. 532 00:18:17,330 --> 00:18:18,299 But it's also the X. 533 00:18:18,300 --> 00:18:20,479 Here are some X's in there 534 00:18:20,480 --> 00:18:22,559 and if there are more X's than 535 00:18:22,560 --> 00:18:23,739 other letters. But still. 536 00:18:25,390 --> 00:18:26,749 But I can see the secret.
537 00:18:26,750 --> 00:18:27,169 But. 538 00:18:27,170 --> 00:18:28,789 But, but how can you get rid of that? 539 00:18:28,790 --> 00:18:30,499 So if you read API, I don't know. 540 00:18:30,500 --> 00:18:32,569 How can I get rid of it? 541 00:18:32,570 --> 00:18:34,529 And I assume I need to get rid of them. 542 00:18:35,870 --> 00:18:36,870 I can't hear anything. 543 00:18:37,940 --> 00:18:40,039 Not noise canceling headphones to 544 00:18:40,040 --> 00:18:41,269 get rid of the noise. 545 00:18:41,270 --> 00:18:42,219 Yes. No, it's not. 546 00:18:42,220 --> 00:18:44,539 No, you just throw statistics on this. 547 00:18:44,540 --> 00:18:46,309 That's basically the message here. 548 00:18:46,310 --> 00:18:48,469 Just throw statistics on that and 549 00:18:48,470 --> 00:18:49,580 it will be fine. 550 00:18:51,990 --> 00:18:53,389 Makes sense. 551 00:18:53,390 --> 00:18:55,669 And even if I think about what happened 552 00:18:55,670 --> 00:18:57,679 last year. So we presented the Meltdown 553 00:18:57,680 --> 00:18:59,849 attack at Black Hat and that we had one 554 00:18:59,850 --> 00:19:01,669 slide because we did one additional 555 00:19:01,670 --> 00:19:03,230 experiment because we said 556 00:19:04,340 --> 00:19:06,649 L1 is not a requirement, 557 00:19:06,650 --> 00:19:08,929 because we can use uncacheable memory 558 00:19:08,930 --> 00:19:11,179 where we mark pages as uncacheable 559 00:19:11,180 --> 00:19:12,649 in the page tables. 560 00:19:12,650 --> 00:19:14,749 So the CPU was not allowed to load them 561 00:19:14,750 --> 00:19:16,669 into the cache where it. 562 00:19:16,670 --> 00:19:18,379 But if I do that, it doesn't work. 563 00:19:18,380 --> 00:19:21,219 So if I remove it from the L3 as well 564 00:19:21,220 --> 00:19:23,989 and only have it in DRAM, my secret X, 565 00:19:23,990 --> 00:19:26,059 and I try that, I don't get 566 00:19:26,060 --> 00:19:28,249 it at all. I just get random 567 00:19:28,250 --> 00:19:30,229 noise.
You did a lot of noise. 568 00:19:30,230 --> 00:19:31,729 Did you read this slide? 569 00:19:31,730 --> 00:19:33,679 No. It just said something about not in 570 00:19:33,680 --> 00:19:34,519 the cache. 571 00:19:34,520 --> 00:19:36,589 Yeah, but there was more on this slide. 572 00:19:36,590 --> 00:19:38,809 So I or as it can at least tell them that 573 00:19:38,810 --> 00:19:41,119 read on. Only if we have a legitimate 574 00:19:41,120 --> 00:19:43,729 access on the sibling hyperthread. 575 00:19:43,730 --> 00:19:46,459 So this is a legit access 576 00:19:46,460 --> 00:19:48,349 to this memory location that you try to 577 00:19:48,350 --> 00:19:49,849 leak. Did you try it that way? 578 00:19:49,850 --> 00:19:51,889 So you mean I have to leak it and in the 579 00:19:51,890 --> 00:19:53,629 meantime have a legitimate access 580 00:19:53,630 --> 00:19:54,629 from somewhere else? Yes. 581 00:19:54,630 --> 00:19:56,179 Then you can just grab it from the other 582 00:19:56,180 --> 00:19:57,209 one. Huh. 583 00:19:57,210 --> 00:19:59,349 But that works, don't you? 584 00:19:59,350 --> 00:20:01,399 I really should continue reading after 585 00:20:01,400 --> 00:20:02,539 the first line. 586 00:20:02,540 --> 00:20:03,540 Or maybe that helps. 587 00:20:04,490 --> 00:20:06,529 So OK. There's some noise in the air. 588 00:20:06,530 --> 00:20:08,779 Yep. That works and investing. 589 00:20:08,780 --> 00:20:11,029 Some people remember what we read, 590 00:20:11,030 --> 00:20:13,189 what we wrote in the paper back then, 591 00:20:13,190 --> 00:20:14,269 which I want to quote. 592 00:20:14,270 --> 00:20:16,159 We suspect that Meltdown reads the 593 00:20:16,160 --> 00:20:18,499 value from the line fill buffers. 594 00:20:18,500 --> 00:20:20,749 As the fill buffers are shared between threads 595 00:20:20,750 --> 00:20:22,219 running on the same core.
596 00:20:22,220 --> 00:20:24,139 The read to the same address within the 597 00:20:24,140 --> 00:20:26,359 Meltdown attack could be served from 598 00:20:26,360 --> 00:20:28,399 one of the fill buffers allowing the 599 00:20:28,400 --> 00:20:29,400 attack to succeed. 600 00:20:30,410 --> 00:20:32,899 However, we leave further investigations 601 00:20:32,900 --> 00:20:35,839 on this matter open for future work. 602 00:20:35,840 --> 00:20:37,969 I don't like descendants like you 603 00:20:37,970 --> 00:20:39,079 always need to stuff. 604 00:20:39,080 --> 00:20:41,339 You don't want to do it for future you. 605 00:20:41,340 --> 00:20:42,340 Yeah. Fuck you. 606 00:20:43,420 --> 00:20:45,169 Yeah, but I can understand that at this 607 00:20:45,170 --> 00:20:47,479 point. We had some kind of mental 608 00:20:47,480 --> 00:20:49,579 resource exhaustion already, but all 609 00:20:49,580 --> 00:20:50,989 this new stuff there. 610 00:20:50,990 --> 00:20:53,429 Okay. So maybe back to the technical 611 00:20:53,430 --> 00:20:54,409 details. Right. 612 00:20:54,410 --> 00:20:56,029 We want to understand why this works. 613 00:20:56,030 --> 00:20:57,769 Right. And if we look at this diagram 614 00:20:57,770 --> 00:20:59,599 again, it pretty much is the same as 615 00:20:59,600 --> 00:21:01,609 before. We have our load operation. 616 00:21:01,610 --> 00:21:03,259 It goes through the reorder buffer, 617 00:21:03,260 --> 00:21:05,359 through the scheduler to the load data 618 00:21:05,360 --> 00:21:07,579 execution port and then has an entry 619 00:21:07,580 --> 00:21:08,659 in the load buffer. 620 00:21:08,660 --> 00:21:10,579 And then we will still update the same 621 00:21:10,580 --> 00:21:12,499 entries. Everything's the same so far, 622 00:21:12,500 --> 00:21:14,659 but now we know that it is not 623 00:21:14,660 --> 00:21:16,089 in the L1 data cache.
624 00:21:16,090 --> 00:21:18,019 So even if we do look up there, we are 625 00:21:18,020 --> 00:21:19,879 sure that we won't find it there. 626 00:21:19,880 --> 00:21:21,439 But there are other locations where we 627 00:21:21,440 --> 00:21:23,419 can still get it from, and that's my 628 00:21:23,420 --> 00:21:25,219 maiden uncatchable works. 629 00:21:25,220 --> 00:21:27,500 It just gets it from a different buffer. 630 00:21:30,200 --> 00:21:31,759 Yeah. What else could we do with this? 631 00:21:31,760 --> 00:21:33,079 I mean, future work should probably 632 00:21:33,080 --> 00:21:34,080 investigate that. 633 00:21:35,210 --> 00:21:36,379 Future work, of course. 634 00:21:36,380 --> 00:21:36,959 Yeah. Yes. 635 00:21:36,960 --> 00:21:38,059 Yes. Sure. 636 00:21:38,060 --> 00:21:40,129 I mean, at some point you're 637 00:21:40,130 --> 00:21:42,289 at this point where the future you 638 00:21:42,290 --> 00:21:44,059 hope becomes present, you and you 639 00:21:44,060 --> 00:21:45,829 actually have to do this stuff to set 640 00:21:45,830 --> 00:21:47,659 this to be future work. 641 00:21:47,660 --> 00:21:49,759 So, yes, at some point we arrived at this 642 00:21:49,760 --> 00:21:51,289 point where we said, OK, we have to do 643 00:21:51,290 --> 00:21:53,269 this future work here. 644 00:21:53,270 --> 00:21:55,369 Yes. And maybe also here 645 00:21:55,370 --> 00:21:56,869 is a good point. 646 00:21:56,870 --> 00:21:59,179 During all these works 647 00:21:59,180 --> 00:22:01,279 that we that we published here 648 00:22:01,280 --> 00:22:03,679 in this area, Meltdown Specters 649 00:22:03,680 --> 00:22:06,049 on build, what we learned 650 00:22:06,050 --> 00:22:08,119 was that actually 651 00:22:08,120 --> 00:22:09,619 there is no noise. 652 00:22:09,620 --> 00:22:11,659 And this has become pretty much a mantra 653 00:22:11,660 --> 00:22:12,619 in our group. 
654 00:22:12,620 --> 00:22:14,899 Every time someone says, oh, 655 00:22:14,900 --> 00:22:16,939 there's a lot of noise in his experiment, 656 00:22:16,940 --> 00:22:18,469 there is no noise. 657 00:22:18,470 --> 00:22:20,779 Noise is just someone else's 658 00:22:20,780 --> 00:22:22,309 data. 659 00:22:22,310 --> 00:22:24,439 So what do you say is we should analyze 660 00:22:24,440 --> 00:22:25,819 the noise? Oh, yeah. 661 00:22:25,820 --> 00:22:28,519 Because maybe it's something interesting. 662 00:22:28,520 --> 00:22:31,309 So maybe we do it in some scientific 663 00:22:31,310 --> 00:22:32,929 mathematical way. 664 00:22:32,930 --> 00:22:34,099 It's like a slam. 665 00:22:34,100 --> 00:22:36,289 I hear I can noise is someone else's 666 00:22:36,290 --> 00:22:37,249 data. 667 00:22:37,250 --> 00:22:39,109 And we take the Lima sphere off of 668 00:22:39,110 --> 00:22:40,759 Meltdown, because if you have a Meltdown 669 00:22:40,760 --> 00:22:42,449 in this noise and we let the Meltdown 670 00:22:42,450 --> 00:22:43,999 hit, I could go to nothing. 671 00:22:44,000 --> 00:22:46,159 Then we are left with the noise. 672 00:22:46,160 --> 00:22:47,179 Right. 673 00:22:47,180 --> 00:22:49,249 So I don't think this is an appropriate 674 00:22:49,250 --> 00:22:50,329 use of limits. 675 00:22:50,330 --> 00:22:51,979 I don't think it works well. 676 00:22:51,980 --> 00:22:53,719 It looks science. 677 00:22:53,720 --> 00:22:54,649 Yes, it does. 678 00:22:54,650 --> 00:22:57,199 But so 679 00:22:57,200 --> 00:22:59,419 from the deep dive, what Intel states is 680 00:22:59,420 --> 00:23:01,969 fill buffers may retain stale 681 00:23:01,970 --> 00:23:04,069 data from prior memory 682 00:23:04,070 --> 00:23:06,199 requests until a new memory 683 00:23:06,200 --> 00:23:08,419 request overwrites the fill buffer 684 00:23:08,420 --> 00:23:10,909 like Daniel showed in the animation.
685 00:23:10,910 --> 00:23:13,249 Under certain conditions, 686 00:23:13,250 --> 00:23:14,779 the fill buffer may 687 00:23:14,780 --> 00:23:16,999 speculatively forward data, 688 00:23:17,000 --> 00:23:18,499 including stale data. 689 00:23:18,500 --> 00:23:20,719 So under certain conditions we can 690 00:23:20,720 --> 00:23:23,329 read what someone else 691 00:23:23,330 --> 00:23:24,330 some else 692 00:23:25,430 --> 00:23:27,770 instruction or program read before 693 00:23:29,790 --> 00:23:31,849 to a load operation that 694 00:23:31,850 --> 00:23:34,189 will cause a fault or assist. 695 00:23:34,190 --> 00:23:35,809 So we just need a load operation that 696 00:23:35,810 --> 00:23:37,999 faults. And with that, we can dictate a 697 00:23:38,000 --> 00:23:39,289 way to assist. What is that? 698 00:23:39,290 --> 00:23:40,809 That sounds confusing. 699 00:23:40,810 --> 00:23:42,679 Let let let's look at that with an 700 00:23:42,680 --> 00:23:43,839 experiment right there. 701 00:23:43,840 --> 00:23:45,109 Scientists. 702 00:23:45,110 --> 00:23:47,449 So let's look at a simple page 703 00:23:47,450 --> 00:23:49,609 here. This page contains cache lines, as 704 00:23:49,610 --> 00:23:51,019 you explained before. 705 00:23:51,020 --> 00:23:53,179 And then we have some virtual mapping to 706 00:23:53,180 --> 00:23:54,679 this page. 707 00:23:54,680 --> 00:23:56,539 And if you remember Meltdown, as we had 708 00:23:56,540 --> 00:23:58,639 before, then we had this faulting load 709 00:23:58,640 --> 00:24:00,139 on this mapping because it was a kernel 710 00:24:00,140 --> 00:24:02,329 address. It faulted there and it was 711 00:24:02,330 --> 00:24:04,399 like the scenario of Meltdown. 712 00:24:04,400 --> 00:24:07,039 But now we need some complex situation 713 00:24:07,040 --> 00:24:07,969 or something. 714 00:24:07,970 --> 00:24:10,729 So let's map this physical page again 715 00:24:10,730 --> 00:24:12,579 with a different virtual address.
716 00:24:12,580 --> 00:24:14,719 So we have different mapping and then we 717 00:24:14,720 --> 00:24:17,149 do something complicated for 718 00:24:17,150 --> 00:24:19,249 you. So we have one access 719 00:24:19,250 --> 00:24:21,319 that's folding and you have a different 720 00:24:21,320 --> 00:24:23,689 access in parallel to the same 721 00:24:23,690 --> 00:24:25,489 cache line that removes it from the 722 00:24:25,490 --> 00:24:27,579 cache. The same thing we want to access 723 00:24:27,580 --> 00:24:28,129 in the kitchen. 724 00:24:28,130 --> 00:24:30,299 Like what cash do then 725 00:24:30,300 --> 00:24:32,719 put it return might get out of resources 726 00:24:32,720 --> 00:24:35,059 stairs like it was super confusing. 727 00:24:35,060 --> 00:24:37,579 So that that's a certain 728 00:24:37,580 --> 00:24:38,119 condition. 729 00:24:38,120 --> 00:24:40,279 I would say, okay, so maybe 730 00:24:40,280 --> 00:24:42,169 we should also look at the zombie load 731 00:24:42,170 --> 00:24:44,299 cash zombie load case 732 00:24:44,300 --> 00:24:46,729 in more detail in the micro architecture 733 00:24:46,730 --> 00:24:48,349 again and then the micro architecture. 734 00:24:48,350 --> 00:24:50,869 We start again with the same single 735 00:24:50,870 --> 00:24:52,549 instruction. It's all the same. 736 00:24:52,550 --> 00:24:54,739 The difference between these attacks 737 00:24:54,740 --> 00:24:56,839 lies in the setup of the micro 738 00:24:56,840 --> 00:24:59,059 architecture. Not in this specific 739 00:24:59,060 --> 00:25:01,339 instruction that is executed. 740 00:25:01,340 --> 00:25:03,679 And what we see here is that we again 741 00:25:03,680 --> 00:25:05,629 go through the same path and this time 742 00:25:05,630 --> 00:25:08,989 the load but for entry is again updated. 743 00:25:08,990 --> 00:25:10,729 And again, this part is not used for look 744 00:25:10,730 --> 00:25:12,229 at mean. 
The other one is still a buffer 745 00:25:12,230 --> 00:25:14,329 and line food buffer to look 746 00:25:14,330 --> 00:25:16,189 up happens. But here now there is a 747 00:25:16,190 --> 00:25:18,679 complex load situation, 748 00:25:18,680 --> 00:25:20,719 as Mika just described. 749 00:25:20,720 --> 00:25:22,879 So the process I is I'd much 750 00:25:22,880 --> 00:25:24,649 I'm not sure how to resolve that right. 751 00:25:24,650 --> 00:25:27,559 And says I will stop this immediately. 752 00:25:27,560 --> 00:25:29,239 And now we have an interesting problem 753 00:25:29,240 --> 00:25:31,399 here, because what happens, the 754 00:25:31,400 --> 00:25:33,709 execution part still has to 755 00:25:33,710 --> 00:25:34,609 do something. 756 00:25:34,610 --> 00:25:36,739 It still has to finish something and it 757 00:25:36,740 --> 00:25:39,269 will finish as early as possible. 758 00:25:39,270 --> 00:25:41,359 And now, I mean, we have a pen, 759 00:25:41,360 --> 00:25:43,459 we have a cash line that matches. 760 00:25:43,460 --> 00:25:45,529 So why not return this one? 761 00:25:45,530 --> 00:25:47,959 And then we can just read any data 762 00:25:47,960 --> 00:25:50,689 that matches in the lowest few bits. 763 00:25:50,690 --> 00:25:51,859 Very nice. 764 00:25:51,860 --> 00:25:54,139 So this is basically use after free 765 00:25:54,140 --> 00:25:55,369 in the load buffer. 766 00:25:55,370 --> 00:25:56,659 This is a software problem in the 767 00:25:56,660 --> 00:25:57,660 hardware now. 768 00:25:59,270 --> 00:26:00,270 Great thing. 769 00:26:01,100 --> 00:26:03,199 But how do we didn't get the data out 770 00:26:03,200 --> 00:26:05,569 of that? I mean still it dies, 771 00:26:05,570 --> 00:26:06,619 right? 772 00:26:06,620 --> 00:26:08,299 Yeah, but it's the same thing as in 773 00:26:08,300 --> 00:26:10,669 meltdown. 
So instead of accessing 774 00:26:10,670 --> 00:26:12,709 the kernel address, we just have a 775 00:26:12,710 --> 00:26:14,509 faulting load with a complex load 776 00:26:14,510 --> 00:26:16,969 situation, it's the same thing. 777 00:26:16,970 --> 00:26:19,369 And then again we encode the value 778 00:26:19,370 --> 00:26:21,439 in the cache, use Flush+Reload 779 00:26:21,440 --> 00:26:23,539 to look it up and then we know exactly 780 00:26:23,540 --> 00:26:25,009 what was written there. 781 00:26:25,010 --> 00:26:27,169 Okay. So I can I can do that so 782 00:26:27,170 --> 00:26:28,859 I can really build up. 783 00:26:28,860 --> 00:26:31,029 Starting this year, I think I can get 784 00:26:31,030 --> 00:26:33,419 to this complex situation here actually 785 00:26:33,420 --> 00:26:35,949 in software, so if I look at my 786 00:26:35,950 --> 00:26:38,099 my application, I have a virtual address space, 787 00:26:38,100 --> 00:26:40,149 user space and kernel space. 788 00:26:40,150 --> 00:26:42,539 If I allocate some physical space 789 00:26:42,540 --> 00:26:44,829 and physical memory, I get a mapping 790 00:26:44,830 --> 00:26:47,259 in user space and 791 00:26:47,260 --> 00:26:49,059 then I need a second mapping. 792 00:26:49,060 --> 00:26:50,519 How do I get that? 793 00:26:50,520 --> 00:26:51,549 It's a nice thing. 794 00:26:51,550 --> 00:26:52,789 Really convenient. 795 00:26:52,790 --> 00:26:54,579 The kernel maps the entire physical 796 00:26:54,580 --> 00:26:56,499 memory as well in the direct physical 797 00:26:56,500 --> 00:26:58,749 map. And so for every physical 798 00:26:58,750 --> 00:27:00,809 page I have, there's also 799 00:27:00,810 --> 00:27:02,919 a kernel page that maps this 800 00:27:02,920 --> 00:27:04,719 physical page. So I have the situation 801 00:27:04,720 --> 00:27:05,919 as before here. 802 00:27:05,920 --> 00:27:07,789 Also, the physical memory and the virtual 803 00:27:07,790 --> 00:27:10,359 memory are not the same size then?
804 00:27:10,360 --> 00:27:11,360 No, of course not. 805 00:27:12,100 --> 00:27:13,809 Western memories are not larger than 806 00:27:13,810 --> 00:27:15,939 that. But with that I have 807 00:27:15,940 --> 00:27:17,739 one physically page mapped with an 808 00:27:17,740 --> 00:27:20,229 accessible page and map of an address 809 00:27:20,230 --> 00:27:21,189 I cannot access. 810 00:27:21,190 --> 00:27:22,999 That's one of the variants. 811 00:27:23,000 --> 00:27:24,039 Variant one. 812 00:27:24,040 --> 00:27:26,109 What's the easiest to come up with? 813 00:27:26,110 --> 00:27:27,779 I also have another where if they're in 814 00:27:27,780 --> 00:27:29,979 three so 815 00:27:29,980 --> 00:27:32,139 I have this physical memory, I can map 816 00:27:32,140 --> 00:27:33,999 a page and use a space simple allocate a 817 00:27:34,000 --> 00:27:36,559 page and then I use 818 00:27:36,560 --> 00:27:37,629 shared memory. 819 00:27:37,630 --> 00:27:40,009 If I've shared memory with myself, 820 00:27:40,010 --> 00:27:41,469 I share the space with myself. 821 00:27:41,470 --> 00:27:43,419 I have two addresses to the same. 822 00:27:43,420 --> 00:27:45,249 Wait, wait, wait. Shared memory that 823 00:27:45,250 --> 00:27:47,019 shouldn't fault. 824 00:27:47,020 --> 00:27:49,239 Yes, that's correct. 825 00:27:49,240 --> 00:27:50,240 So 826 00:27:51,610 --> 00:27:52,629 it still does. 827 00:27:52,630 --> 00:27:54,489 There's a nice trick with that. 828 00:27:54,490 --> 00:27:56,589 So of course, like I can access that. 829 00:27:56,590 --> 00:27:57,639 It's my shared memory. 830 00:27:57,640 --> 00:27:59,259 I set it up. 831 00:27:59,260 --> 00:28:01,419 But something 832 00:28:01,420 --> 00:28:03,519 really interesting in the sea view, this 833 00:28:03,520 --> 00:28:06,199 so-called micro code assists, 834 00:28:06,200 --> 00:28:08,319 if you have the instruction stream 835 00:28:08,320 --> 00:28:11,139 that comes in, it has to be decoded. 
836 00:28:11,140 --> 00:28:12,849 We have a decoder that can decode a lot 837 00:28:12,850 --> 00:28:15,169 of things to 838 00:28:15,170 --> 00:28:17,259 micro ops and these microbes then go 839 00:28:17,260 --> 00:28:19,299 to the max sum and to the back end. 840 00:28:19,300 --> 00:28:21,549 And we we had that before I 841 00:28:21,550 --> 00:28:22,939 listened to what you said. 842 00:28:22,940 --> 00:28:25,149 So, yes, we have that decoder going 843 00:28:25,150 --> 00:28:28,209 on back and scheduler blah, 844 00:28:28,210 --> 00:28:31,059 but sometimes just something complicated. 845 00:28:31,060 --> 00:28:32,799 So maybe the the code can't decode 846 00:28:32,800 --> 00:28:35,049 something because it's really complex and 847 00:28:35,050 --> 00:28:37,119 it needs some assistance for that. 848 00:28:37,120 --> 00:28:39,249 And micro code assist and it goes to the 849 00:28:39,250 --> 00:28:41,799 micro code wrong to source software 850 00:28:41,800 --> 00:28:43,929 program software sequences that can 851 00:28:43,930 --> 00:28:46,209 handle certain things in the CPO 852 00:28:46,210 --> 00:28:47,899 and this micro code room. 853 00:28:47,900 --> 00:28:49,959 Then it's the microbes that 854 00:28:49,960 --> 00:28:51,959 are used in the back at heart. 855 00:28:51,960 --> 00:28:53,559 I was not in my finger. 856 00:28:53,560 --> 00:28:56,109 No, this was interesting, complicated 857 00:28:56,110 --> 00:28:57,129 things here. 858 00:28:57,130 --> 00:28:59,379 So this for really rare cases. 859 00:28:59,380 --> 00:29:00,369 So that shouldn't happen. 860 00:29:00,370 --> 00:29:02,409 A lot of time because this is really 861 00:29:02,410 --> 00:29:04,869 expensive has to period from 862 00:29:04,870 --> 00:29:07,369 insert microbes into the schedule 863 00:29:07,370 --> 00:29:08,949 is really complicated. 864 00:29:08,950 --> 00:29:11,049 Is that kind of a fault in the 865 00:29:11,050 --> 00:29:12,789 micro architecture? 
A micro architectural 866 00:29:12,790 --> 00:29:15,129 fault is happens, 867 00:29:15,130 --> 00:29:17,199 for example, in some cases. 868 00:29:17,200 --> 00:29:18,789 But one of the examples is when setting 869 00:29:18,790 --> 00:29:20,979 the exist or the dirty bit in a beach 870 00:29:20,980 --> 00:29:21,879 table entry. 871 00:29:21,880 --> 00:29:23,979 So when I first exacerbates than 872 00:29:23,980 --> 00:29:26,019 this micro architectural fault happens, 873 00:29:26,020 --> 00:29:28,029 it needs an assist. 874 00:29:28,030 --> 00:29:30,129 And then if 875 00:29:30,130 --> 00:29:32,199 we do that the first time, then it's the 876 00:29:32,200 --> 00:29:33,200 fault. 877 00:29:33,600 --> 00:29:35,709 And and I surfing on windows, it's 878 00:29:35,710 --> 00:29:37,379 regularly reset. 879 00:29:37,380 --> 00:29:39,939 Yes. So we always have a foldable final 880 00:29:39,940 --> 00:29:40,689 seconds. 881 00:29:40,690 --> 00:29:42,239 All this stuff about the zombie load to 882 00:29:42,240 --> 00:29:45,279 take. I think we also want to 883 00:29:45,280 --> 00:29:47,109 think about something else here, because 884 00:29:47,110 --> 00:29:49,749 for Specter, there was a movie and a song 885 00:29:49,750 --> 00:29:51,819 from Motown. No, no, no, no, no. 886 00:29:51,820 --> 00:29:52,820 Come on. 887 00:29:53,470 --> 00:29:55,599 There's no one below. Just a few seconds, 888 00:29:55,600 --> 00:29:56,600 maybe. 889 00:29:58,280 --> 00:29:59,420 Everyone knows that. 890 00:30:11,080 --> 00:30:13,369 I see knives. 891 00:30:13,370 --> 00:30:16,199 I feel knives. 892 00:30:16,200 --> 00:30:17,409 That's the. 893 00:30:17,410 --> 00:30:18,409 That's the origin, I guess. 894 00:30:18,410 --> 00:30:21,019 I know, though, it's completely 895 00:30:21,020 --> 00:30:22,020 fight. 896 00:30:26,090 --> 00:30:28,419 Larry King from the 897 00:30:28,420 --> 00:30:30,839 film and 898 00:30:30,840 --> 00:30:33,440 car mom made. 
899 00:30:34,630 --> 00:30:36,290 That's no 900 00:30:38,020 --> 00:30:39,489 show day. 901 00:30:39,490 --> 00:30:41,229 I mean, I'm sure this is your estimate. 902 00:30:43,830 --> 00:30:45,090 I got this from the Internet. 903 00:30:49,100 --> 00:30:50,100 And 904 00:30:51,940 --> 00:30:53,889 this is the start. 905 00:30:53,890 --> 00:30:55,660 OK. We're doing a talk here. 906 00:31:03,650 --> 00:31:05,239 We can continue playing it, if you like. 907 00:31:08,440 --> 00:31:10,609 Maybe later we we need to discuss 908 00:31:10,610 --> 00:31:11,539 things. Yes. 909 00:31:11,540 --> 00:31:13,789 So what can we actually attack 910 00:31:13,790 --> 00:31:15,619 which some reload? So what we know is we 911 00:31:15,620 --> 00:31:17,749 can leak data on the same 912 00:31:17,750 --> 00:31:19,789 and from the sibling hyper friend. 913 00:31:19,790 --> 00:31:21,499 So what we can do is we can attack 914 00:31:21,500 --> 00:31:23,179 different applications running on the 915 00:31:23,180 --> 00:31:25,339 system. We can attack the operating 916 00:31:25,340 --> 00:31:27,549 system. We can attack SGX 917 00:31:27,550 --> 00:31:30,499 English. We can attack virtual machines. 918 00:31:30,500 --> 00:31:32,419 We can also take the hypervisor running 919 00:31:32,420 --> 00:31:34,189 on the system from within the virtual 920 00:31:34,190 --> 00:31:34,639 machines. 921 00:31:34,640 --> 00:31:36,559 Is really powerful, but we still have a 922 00:31:36,560 --> 00:31:38,629 problem there. So for a meltdown, 923 00:31:38,630 --> 00:31:41,149 it was really easy to provide the entire 924 00:31:41,150 --> 00:31:42,919 virtual address, leaked the data from 925 00:31:42,920 --> 00:31:44,809 there for foreshadow. 926 00:31:44,810 --> 00:31:46,579 You can provide the physical address. 927 00:31:46,580 --> 00:31:48,919 You leaked the data from there, fall 928 00:31:48,920 --> 00:31:50,279 all the different attack. 
929 00:31:50,280 --> 00:31:52,459 You can at least specify the page 930 00:31:52,460 --> 00:31:55,309 offset. For ZombieLoad, 931 00:31:55,310 --> 00:31:57,619 you can only specify like a few bits 932 00:31:57,620 --> 00:31:59,009 here in the cache line what to leak. 933 00:31:59,010 --> 00:32:01,179 It has no control 934 00:32:01,180 --> 00:32:03,079 that you can you can't really mount 935 00:32:03,080 --> 00:32:04,159 an attack with that. 936 00:32:04,160 --> 00:32:05,169 That's it. 937 00:32:05,170 --> 00:32:06,170 Yeah. 938 00:32:06,800 --> 00:32:07,800 So we end here. 939 00:32:09,050 --> 00:32:09,989 It's impossible. 940 00:32:09,990 --> 00:32:12,059 No. It's not impossible. 941 00:32:12,060 --> 00:32:13,369 It's possible. 942 00:32:13,370 --> 00:32:15,439 So what we can do is we call it the 943 00:32:15,440 --> 00:32:17,269 so-called domino attack. 944 00:32:17,270 --> 00:32:19,579 And so what we do, we read one byte. 945 00:32:19,580 --> 00:32:22,039 And what we then do is we use the least 946 00:32:22,040 --> 00:32:24,949 significant four bits as a mask 947 00:32:24,950 --> 00:32:26,819 and match that to the next value that we 948 00:32:26,820 --> 00:32:27,889 are going to read. 949 00:32:27,890 --> 00:32:30,469 And if they overlap and are the same, 950 00:32:30,470 --> 00:32:32,569 we know that this second byte 951 00:32:32,570 --> 00:32:34,489 belongs to the first byte and we can 952 00:32:34,490 --> 00:32:36,649 continue and continue and read many, many 953 00:32:36,650 --> 00:32:38,569 bytes following after each other. 954 00:32:38,570 --> 00:32:41,569 So despite you saying we have no control, 955 00:32:41,570 --> 00:32:43,509 we have pretty much control. 956 00:32:43,510 --> 00:32:44,479 That's nice. 957 00:32:44,480 --> 00:32:46,909 So I really implemented that 958 00:32:46,910 --> 00:32:47,839 time on time. 959 00:32:47,840 --> 00:32:48,840 I hope it works. 960 00:32:50,210 --> 00:32:51,210 Let's see.
961 00:32:52,430 --> 00:32:54,859 So I need a credit 962 00:32:54,860 --> 00:32:56,059 card pin from. 963 00:32:56,060 --> 00:32:57,469 We don't see anything yet. 964 00:32:57,470 --> 00:32:58,470 I know. I know. 965 00:32:59,630 --> 00:33:00,999 Oh, no. Oh. 966 00:33:01,000 --> 00:33:02,359 Oh, no. What is my password? 967 00:33:02,360 --> 00:33:03,779 Oh, it's secure, right? 968 00:33:03,780 --> 00:33:04,780 Yeah. 969 00:33:07,520 --> 00:33:09,199 No one tries to one that password. 970 00:33:11,780 --> 00:33:12,459 OK. 971 00:33:12,460 --> 00:33:15,319 So where's mine? 972 00:33:15,320 --> 00:33:16,730 I have your justice. 973 00:33:18,580 --> 00:33:19,499 Yes. 974 00:33:19,500 --> 00:33:20,659 OK. Passcode. 975 00:33:20,660 --> 00:33:21,959 What is it? 976 00:33:21,960 --> 00:33:23,989 Oh, it's just starts all my secure 977 00:33:23,990 --> 00:33:25,309 passwords in there. 978 00:33:25,310 --> 00:33:27,339 OK. And you use a pin for that? 979 00:33:27,340 --> 00:33:27,589 Yes. 980 00:33:27,590 --> 00:33:29,130 My credit card number that 981 00:33:30,350 --> 00:33:32,509 anyone wants to give me that four 982 00:33:32,510 --> 00:33:34,639 digit red card pin and I can 983 00:33:34,640 --> 00:33:35,529 try to leak that here. 984 00:33:35,530 --> 00:33:36,530 Yeah. Yeah. 985 00:33:38,050 --> 00:33:39,289 Oh no, that's boring one. 986 00:33:39,290 --> 00:33:40,909 No one has one, two, three, four is a 987 00:33:40,910 --> 00:33:42,109 credit card pin. I hope. 988 00:33:43,340 --> 00:33:45,349 And it runs inside a virtual machine 989 00:33:45,350 --> 00:33:47,269 without internet so nothing can leak 990 00:33:47,270 --> 00:33:49,039 here. Different code one 2. 991 00:33:49,040 --> 00:33:51,499 It looks states if we do that. 992 00:33:51,500 --> 00:33:52,500 Anyone else? 993 00:33:54,110 --> 00:33:55,759 1 3 3 7. 994 00:33:55,760 --> 00:33:57,409 Let's see. I think one. 995 00:33:57,410 --> 00:33:59,749 Well, you can do multiple meanings. 
996 00:33:59,750 --> 00:34:01,609 Free seven. 997 00:34:01,610 --> 00:34:03,469 Nice size life leakage. 998 00:34:03,470 --> 00:34:05,269 Although it's not a VM without any 999 00:34:05,270 --> 00:34:07,309 internet connection, without anything. 1000 00:34:07,310 --> 00:34:09,589 Just some, you know, leaking the things 1001 00:34:09,590 --> 00:34:11,479 I input inside my virtual machine from 1002 00:34:11,480 --> 00:34:12,349 the outside. 1003 00:34:12,350 --> 00:34:13,729 If you do that again with a different 1004 00:34:13,730 --> 00:34:14,499 number. 1005 00:34:14,500 --> 00:34:15,829 Yeah. Because no one believes that. 1006 00:34:15,830 --> 00:34:16,729 Right. 1007 00:34:16,730 --> 00:34:17,730 Yeah. Uh. 1008 00:34:19,400 --> 00:34:20,400 Okay. 1009 00:34:21,520 --> 00:34:22,520 Let's see. 1010 00:34:23,370 --> 00:34:24,469 No. No. 1011 00:34:25,600 --> 00:34:26,600 Anyone? 1012 00:34:27,550 --> 00:34:28,359 Twelve. 1013 00:34:28,360 --> 00:34:29,360 Eighty. 1014 00:34:30,179 --> 00:34:32,948 Well, eighty. 1015 00:34:32,949 --> 00:34:33,839 Yeah. 1016 00:34:33,840 --> 00:34:34,809 Does that really work? 1017 00:34:34,810 --> 00:34:36,819 Know I can actually still date those. 1018 00:34:36,820 --> 00:34:37,820 Nice. 1019 00:34:43,510 --> 00:34:45,039 So the question is, what else can we do 1020 00:34:45,040 --> 00:34:46,040 with that? 1021 00:34:46,750 --> 00:34:48,579 Can you do something else? 1022 00:34:48,580 --> 00:34:50,289 I don't know. Did you prepare any other 1023 00:34:50,290 --> 00:34:52,769 demos? I mean, trying to slides again, 1024 00:34:52,770 --> 00:34:55,039 you go back to the slides 1025 00:34:55,040 --> 00:34:56,040 there. 1026 00:34:56,570 --> 00:34:58,009 So only this one demo. 1027 00:34:58,010 --> 00:34:59,519 Oh, they find another one. 1028 00:34:59,520 --> 00:35:00,489 OK. 1029 00:35:00,490 --> 00:35:02,429 Wait a second. I find this very odd. 1030 00:35:02,430 --> 00:35:04,479 Right. There's very good 1 and 3. 
1031 00:35:04,480 --> 00:35:05,889 Isn't that odd? 1032 00:35:05,890 --> 00:35:08,079 No. We used to try and system now 1033 00:35:08,080 --> 00:35:09,880 to count binary system. 1034 00:35:12,380 --> 00:35:13,839 OK, whatever. 1035 00:35:13,840 --> 00:35:15,039 No, we shouldn't skip here. 1036 00:35:15,040 --> 00:35:17,889 So we have different tech hub models. 1037 00:35:17,890 --> 00:35:19,960 On the one hand, the very end one as a 1038 00:35:21,270 --> 00:35:22,839 privilege to take care of where we have 1039 00:35:22,840 --> 00:35:24,009 to colonel everything and stuff like 1040 00:35:24,010 --> 00:35:27,399 this. We can do this on Windows and Linux 1041 00:35:27,400 --> 00:35:29,019 for the macro code assist for variant 1042 00:35:29,020 --> 00:35:30,020 free. 1043 00:35:30,760 --> 00:35:32,939 We can also do that as an unprivileged 1044 00:35:32,940 --> 00:35:34,839 attack on windows because it keeps the 1045 00:35:34,840 --> 00:35:35,809 bit in the beach state. 1046 00:35:35,810 --> 00:35:37,319 Let's cross platform is nice. 1047 00:35:37,320 --> 00:35:38,229 Yes. Okay. 1048 00:35:38,230 --> 00:35:39,279 How fast is it? 1049 00:35:39,280 --> 00:35:41,139 It's five point three kilobytes per 1050 00:35:41,140 --> 00:35:43,239 second for variant 1 and it's a worm and 1051 00:35:43,240 --> 00:35:44,289 free seven point. 1052 00:35:44,290 --> 00:35:45,699 So that's not so impressive. 1053 00:35:45,700 --> 00:35:47,769 I mean, if I want to make a logo and a 1054 00:35:47,770 --> 00:35:48,989 Web site and everything, this one, 1055 00:35:50,710 --> 00:35:52,149 we need to get better than that. 1056 00:35:52,150 --> 00:35:53,829 But it's a bit bad right now. 1057 00:35:53,830 --> 00:35:56,219 We should still mitigate that, right? 1058 00:35:56,220 --> 00:35:58,089 Yeah, yeah. Yeah. So the things we can do 1059 00:35:58,090 --> 00:35:59,859 is like disable hyper threading. 1060 00:35:59,860 --> 00:36:01,689 Yeah. 
No, it's not like that type of 1061 00:36:01,690 --> 00:36:03,839 friends or we can disable that groups get 1062 00:36:03,840 --> 00:36:05,589 willingness. Maureen, how about this. 1063 00:36:05,590 --> 00:36:07,809 So how to implement it can also 1064 00:36:07,810 --> 00:36:09,939 override the mike rocket, the issue of 1065 00:36:09,940 --> 00:36:12,159 micro architectural buffers so that 1066 00:36:12,160 --> 00:36:14,019 if the data's not there anymore, we can't 1067 00:36:14,020 --> 00:36:16,259 leak. It's us might be over at 1068 00:36:16,260 --> 00:36:17,369 justice instruction. 1069 00:36:17,370 --> 00:36:18,309 I was updated. 1070 00:36:18,310 --> 00:36:20,029 That overrides all the buffers. 1071 00:36:20,030 --> 00:36:22,159 Just a bit of cost. 1072 00:36:22,160 --> 00:36:24,039 That was a software sequences that can 1073 00:36:24,040 --> 00:36:25,029 evict all the buffer. 1074 00:36:25,030 --> 00:36:26,929 So there's no data there anymore which 1075 00:36:26,930 --> 00:36:28,479 aren't wiped out because the software 1076 00:36:28,480 --> 00:36:29,559 shouldn't see the buffer. 1077 00:36:29,560 --> 00:36:31,749 OK, then we buy and use abuse land 1078 00:36:31,750 --> 00:36:33,519 use issues which are not affected 1079 00:36:33,520 --> 00:36:35,439 anymore. That's a good thing. 1080 00:36:35,440 --> 00:36:37,749 So a ninth generation like the Coffee 1081 00:36:37,750 --> 00:36:39,639 Lake and then the Cascade Lake. 1082 00:36:39,640 --> 00:36:41,409 So Ethan says on the website, like it 1083 00:36:41,410 --> 00:36:43,629 fixes smart, unfortunate or real fallout. 1084 00:36:43,630 --> 00:36:45,309 I mean, PDX empty some. 1085 00:36:45,310 --> 00:36:47,439 So all these attacks there, are you 1086 00:36:47,440 --> 00:36:48,669 copied this from the Web site? 1087 00:36:48,670 --> 00:36:50,169 Yeah, it's from the website. 1088 00:36:50,170 --> 00:36:51,999 Why is that? There's just zombie load in 1089 00:36:52,000 --> 00:36:54,099 there. Oh, I don't know. 
1090 00:36:54,100 --> 00:36:55,709 Well, I didn't say anything about. 1091 00:36:55,710 --> 00:36:57,429 So we don't know. Maybe it's fake. 1092 00:36:58,870 --> 00:37:00,359 We'll see. 1093 00:37:00,360 --> 00:37:02,679 We'll see. OK. 1094 00:37:02,680 --> 00:37:04,839 So if we go back to 1095 00:37:04,840 --> 00:37:07,069 the timeline, we have been working on 1096 00:37:07,070 --> 00:37:09,129 attacks in this direction already in 1097 00:37:09,130 --> 00:37:11,229 twenty sixteen in 1098 00:37:11,230 --> 00:37:13,269 the kinds of patch was actually a 1099 00:37:13,270 --> 00:37:15,369 mitigation for a related attack. 1100 00:37:15,370 --> 00:37:17,609 And we published this on May 4, 1101 00:37:17,610 --> 00:37:18,610 May the 4th. 1102 00:37:20,740 --> 00:37:22,329 And yeah. 1103 00:37:22,330 --> 00:37:24,579 And in June, John Horn reports 1104 00:37:24,580 --> 00:37:25,539 the Melton attack. 1105 00:37:25,540 --> 00:37:27,609 And later this year, we 1106 00:37:27,610 --> 00:37:29,259 also reported independently that the 1107 00:37:29,260 --> 00:37:31,089 multiple much later, though. 1108 00:37:31,090 --> 00:37:32,090 Yes. 1109 00:37:32,440 --> 00:37:33,519 Yes. 1110 00:37:33,520 --> 00:37:35,679 So in February 15, 1111 00:37:35,680 --> 00:37:37,779 we reported Meltdown Uncatchable 1112 00:37:37,780 --> 00:37:39,699 because Intel said, no, you can only from 1113 00:37:39,700 --> 00:37:41,289 league one and we said no, you cannot 1114 00:37:41,290 --> 00:37:42,869 only leak from L1. 1115 00:37:42,870 --> 00:37:45,549 So we implemented this proof of concept. 1116 00:37:45,550 --> 00:37:47,019 Yeah, we had quite some e-mails 1117 00:37:47,020 --> 00:37:48,319 exchanged. 1118 00:37:48,320 --> 00:37:49,319 I'll take you around the mainland. 1119 00:37:49,320 --> 00:37:51,129 More nice than the Senate again on 1120 00:37:51,130 --> 00:37:53,559 Monday. 
It was so difficult to convince 1121 00:37:53,560 --> 00:37:55,719 our core authority actually that we 1122 00:37:55,720 --> 00:37:57,819 can leak data that is not 1123 00:37:57,820 --> 00:37:59,199 in the one cache. 1124 00:37:59,200 --> 00:38:00,879 But finally, before the paper was 1125 00:38:00,880 --> 00:38:03,069 submitted, actually, we were 1126 00:38:03,070 --> 00:38:05,229 able to convince them where they 1127 00:38:05,230 --> 00:38:06,230 were having things talked out 1128 00:38:07,330 --> 00:38:09,459 and it was explained as landfill 1129 00:38:09,460 --> 00:38:09,889 powerfully. 1130 00:38:09,890 --> 00:38:10,599 Kitchen. 1131 00:38:10,600 --> 00:38:12,249 Yes, it may. It May 14th. 1132 00:38:12,250 --> 00:38:14,139 We reported zombie load, then on April 1133 00:38:14,140 --> 00:38:16,150 12th in 2019. 1134 00:38:17,410 --> 00:38:19,359 Zombie load went public shortly 1135 00:38:19,360 --> 00:38:21,399 afterwards because it was already under 1136 00:38:21,400 --> 00:38:23,589 embargo for a long time. 1137 00:38:23,590 --> 00:38:25,929 The part of me and at the same day 1138 00:38:25,930 --> 00:38:28,189 there was this new sea buse announced 1139 00:38:28,190 --> 00:38:29,889 just in time. 1140 00:38:29,890 --> 00:38:31,989 So I bought a new Seaview because 1141 00:38:31,990 --> 00:38:33,319 I wanted to be safe. 1142 00:38:33,320 --> 00:38:34,510 So everything is fine? 1143 00:38:35,860 --> 00:38:37,989 Well, it's 1144 00:38:37,990 --> 00:38:38,929 still fine. 1145 00:38:38,930 --> 00:38:41,019 No, I. Well, it's 1146 00:38:41,020 --> 00:38:43,629 fine. Everything is fine, I assure. 1147 00:38:43,630 --> 00:38:45,699 So I'm not sure 1148 00:38:45,700 --> 00:38:46,809 everything is fine. 1149 00:38:46,810 --> 00:38:48,159 Maybe we have a problem like. 1150 00:38:50,870 --> 00:38:53,089 Maybe different question, which 1151 00:38:53,090 --> 00:38:55,909 some know variance works despite. 
1152 00:38:55,910 --> 00:38:58,309 Yes, Miss Mitigations, where one 1153 00:38:58,310 --> 00:39:00,359 in free. Where in two? 1154 00:39:00,360 --> 00:39:01,360 None of that. 1155 00:39:03,620 --> 00:39:05,479 I want to use the choker. 1156 00:39:05,480 --> 00:39:06,480 You don't have any junkers. 1157 00:39:10,790 --> 00:39:13,219 So Danielle tried to it was fake 1158 00:39:13,220 --> 00:39:15,249 take take nothing on. 1159 00:39:15,250 --> 00:39:17,199 No, no. 1160 00:39:17,200 --> 00:39:19,129 I we go we're very into it. 1161 00:39:19,130 --> 00:39:20,130 Last question. 1162 00:39:21,060 --> 00:39:22,060 And 1163 00:39:23,150 --> 00:39:25,469 yes, we had 1164 00:39:25,470 --> 00:39:26,819 to wait a second. 1165 00:39:26,820 --> 00:39:29,219 He told me that there is no Varian too, 1166 00:39:29,220 --> 00:39:31,019 yet it was a joke. 1167 00:39:31,020 --> 00:39:33,129 You really ought to try and 1168 00:39:33,130 --> 00:39:34,199 carry system. 1169 00:39:34,200 --> 00:39:35,869 It's not even a word. 1170 00:39:37,650 --> 00:39:38,639 I'm a bit confused. 1171 00:39:38,640 --> 00:39:40,169 Yes, actually, a variant to us or we 1172 00:39:40,170 --> 00:39:42,149 count in normal numbers like everyone 1173 00:39:42,150 --> 00:39:44,939 else. And if you go back to this, 1174 00:39:44,940 --> 00:39:46,409 we have this small town set up and then 1175 00:39:46,410 --> 00:39:48,299 we have certain conditions set up with 1176 00:39:48,300 --> 00:39:50,039 the double mapping of one page. 1177 00:39:50,040 --> 00:39:51,749 But this isn't so complex. 1178 00:39:51,750 --> 00:39:53,309 Yes, it was too complex for you. 1179 00:39:53,310 --> 00:39:54,629 So you simplified that. 1180 00:39:54,630 --> 00:39:56,369 I didn't understand it when I came back 1181 00:39:56,370 --> 00:39:57,269 from holiday. 1182 00:39:57,270 --> 00:39:58,270 That's no joke. 1183 00:39:59,260 --> 00:40:01,789 So you suppressed all the exceptions, 1184 00:40:01,790 --> 00:40:02,889 56. Yes. 
1185 00:40:02,890 --> 00:40:04,259 Transactions. So you don't see any 1186 00:40:04,260 --> 00:40:05,249 exception there. 1187 00:40:05,250 --> 00:40:07,409 And then you decided to say, like, oh, 1188 00:40:07,410 --> 00:40:08,719 you have two mappings. 1189 00:40:08,720 --> 00:40:10,099 Why do I need a custom mapping? 1190 00:40:10,100 --> 00:40:11,769 I mean, it's the same physical address. 1191 00:40:11,770 --> 00:40:14,089 So I can just use one address. 1192 00:40:14,090 --> 00:40:16,529 You let you use the same address 1193 00:40:16,530 --> 00:40:18,719 here. And then I wrote that for 1194 00:40:18,720 --> 00:40:19,720 lines 1195 00:40:21,050 --> 00:40:23,229 where it works, where this 1196 00:40:23,230 --> 00:40:25,889 band has used 1197 00:40:25,890 --> 00:40:27,599 the transaction at here. 1198 00:40:27,600 --> 00:40:30,209 With that can happen with data conflicts 1199 00:40:30,210 --> 00:40:32,399 and TSX, many different resource 1200 00:40:32,400 --> 00:40:34,639 exhaustion. Again, a to many 1201 00:40:34,640 --> 00:40:36,689 one state. Are there certain instructions 1202 00:40:36,690 --> 00:40:38,909 like I/O and syscalls and synchronous 1203 00:40:38,910 --> 00:40:40,999 exceptions that can also abort 1204 00:40:41,000 --> 00:40:41,999 a transaction there? 1205 00:40:42,000 --> 00:40:44,099 Yeah. And Intel also 1206 00:40:44,100 --> 00:40:46,859 gave out a statement that asynchronous 1207 00:40:46,860 --> 00:40:49,229 events that can occur during 1208 00:40:49,230 --> 00:40:51,270 a transaction execution. 1209 00:40:52,450 --> 00:40:54,119 If this happens and leads to a 1210 00:40:54,120 --> 00:40:56,349 transaction abort, this is a 1211 00:40:56,350 --> 00:40:58,739 yes. This is, for instance, an interrupt. 1212 00:40:58,740 --> 00:41:00,899 Then this might be a 1213 00:41:00,900 --> 00:41:02,069 problem. 1214 00:41:02,070 --> 00:41:03,809 So what is really happening?
1215 00:41:03,810 --> 00:41:05,909 Because in the code, which just accesses one 1216 00:41:05,910 --> 00:41:08,039 address we are allowed to access, and then 1217 00:41:08,040 --> 00:41:09,299 we enter transaction. 1218 00:41:09,300 --> 00:41:12,599 So what we do is we start a transaction. 1219 00:41:12,600 --> 00:41:14,939 We want to load our first address, 1220 00:41:14,940 --> 00:41:16,949 which is our IP address. 1221 00:41:16,950 --> 00:41:18,089 This would be executed. 1222 00:41:18,090 --> 00:41:19,469 And the value that we read from that 1223 00:41:19,470 --> 00:41:21,569 would pass to our oracle to load it 1224 00:41:21,570 --> 00:41:22,570 into the cache. 1225 00:41:23,550 --> 00:41:25,439 So this is executed. 1226 00:41:25,440 --> 00:41:27,809 If it returns the value, we access 1227 00:41:27,810 --> 00:41:30,149 the address in the cache, and the transaction 1228 00:41:30,150 --> 00:41:32,009 ends and everything is fine. 1229 00:41:32,010 --> 00:41:33,900 So why does this leak, 1230 00:41:34,950 --> 00:41:37,019 like Daniel said, with asynchronous 1231 00:41:37,020 --> 00:41:39,299 aborts, which we do not cause by our 1232 00:41:39,300 --> 00:41:41,999 own code within our transaction? 1233 00:41:42,000 --> 00:41:44,039 Something can go wrong. 1234 00:41:44,040 --> 00:41:46,079 So in this case, when we start loading 1235 00:41:46,080 --> 00:41:48,239 this address and this is still happening, 1236 00:41:49,740 --> 00:41:51,689 at some point in time, an interrupt can 1237 00:41:51,690 --> 00:41:52,589 occur like an NMI. 1238 00:41:52,590 --> 00:41:54,809 Right. And when this happens, 1239 00:41:54,810 --> 00:41:57,309 this transaction has to be aborted. 1240 00:41:58,310 --> 00:42:00,389 And now the load address, the 1241 00:42:00,390 --> 00:42:02,759 load execution also needs to be aborted.
1242 00:42:02,760 --> 00:42:04,859 And now picks up a stale value 1243 00:42:04,860 --> 00:42:06,629 from the line fill buffer, for instance, 1244 00:42:06,630 --> 00:42:08,789 from the load ports and leaks 1245 00:42:08,790 --> 00:42:10,889 that which we then can recover. 1246 00:42:11,940 --> 00:42:14,099 But this is a bit slow 1247 00:42:14,100 --> 00:42:16,109 because we need to wait for an NMI to 1248 00:42:16,110 --> 00:42:18,179 occur, hitting the execution 1249 00:42:18,180 --> 00:42:19,289 at the right time. 1250 00:42:19,290 --> 00:42:21,989 So what we now do is, as in the previous 1251 00:42:21,990 --> 00:42:24,689 variants, we use the flush instruction 1252 00:42:24,690 --> 00:42:26,819 because there we induce a 1253 00:42:26,820 --> 00:42:29,039 conflict in the cache line. 1254 00:42:29,040 --> 00:42:30,479 So what is happening now? 1255 00:42:30,480 --> 00:42:32,489 We dispatched a flush instruction. 1256 00:42:32,490 --> 00:42:34,169 We stopped our transaction. 1257 00:42:34,170 --> 00:42:35,190 We stopped our load 1258 00:42:36,420 --> 00:42:37,829 and executes it. 1259 00:42:37,830 --> 00:42:40,559 This induces a conflict situation 1260 00:42:40,560 --> 00:42:43,409 which causes the transaction to abort, 1261 00:42:43,410 --> 00:42:45,659 allowing to leak with our load, which 1262 00:42:45,660 --> 00:42:48,029 is now faulting to our 1263 00:42:48,030 --> 00:42:50,549 exit to recover our data. 1264 00:42:50,550 --> 00:42:52,209 And this is very nice because this 1265 00:42:52,210 --> 00:42:54,439 variant 2 now only relies on 1266 00:42:54,440 --> 00:42:56,129 TSX. No complicated setup, nothing 1267 00:42:56,130 --> 00:42:58,229 anymore. So as long as you have TSX, 1268 00:42:58,230 --> 00:42:59,719 you can leak data. 1269 00:42:59,720 --> 00:43:01,409 OK. But how fast is this? 1270 00:43:01,410 --> 00:43:02,609 Is this now better? 1271 00:43:02,610 --> 00:43:04,469 Yes.
This is very nice because now is 1272 00:43:04,470 --> 00:43:05,929 this really fast? 1273 00:43:05,930 --> 00:43:07,259 Up to the point that kilobytes per 1274 00:43:07,260 --> 00:43:09,269 second. That's already a lot faster. 1275 00:43:09,270 --> 00:43:11,549 Yeah, I think we can really use that 1276 00:43:11,550 --> 00:43:12,749 to spy on something. 1277 00:43:12,750 --> 00:43:14,669 Wait a second. If it's that fast, could 1278 00:43:14,670 --> 00:43:16,589 you leak something like some something 1279 00:43:16,590 --> 00:43:18,929 with a higher frequency with like a song. 1280 00:43:18,930 --> 00:43:20,969 A song? Yeah. 1281 00:43:20,970 --> 00:43:23,039 Maybe we can leak a song. 1282 00:43:23,040 --> 00:43:25,249 But you didn't like the song, though, 1283 00:43:25,250 --> 00:43:25,529 right? 1284 00:43:25,530 --> 00:43:28,199 No, no I I made it a bit 1285 00:43:28,200 --> 00:43:29,459 faster. 1286 00:43:29,460 --> 00:43:30,959 Faster. 1287 00:43:30,960 --> 00:43:31,979 Sure. 1288 00:43:31,980 --> 00:43:34,579 So we can't see it though. 1289 00:43:34,580 --> 00:43:35,960 I know. It's just the song. 1290 00:43:41,060 --> 00:43:43,029 No more money sounds. 1291 00:43:43,030 --> 00:43:44,479 No. This does not sound. 1292 00:43:44,480 --> 00:43:45,469 No. No. 1293 00:43:45,470 --> 00:43:46,470 Strong words. 1294 00:43:47,730 --> 00:43:49,159 Or do you want to do with that now? 1295 00:43:49,160 --> 00:43:50,509 You want to leak this? 1296 00:43:50,510 --> 00:43:51,589 Yes. 1297 00:43:51,590 --> 00:43:53,839 I'm going to do that with the new 1298 00:43:53,840 --> 00:43:55,399 player, OK? 1299 00:43:55,400 --> 00:43:56,579 With a muted player. 1300 00:43:56,580 --> 00:43:58,699 With a muted player. And then I run some 1301 00:43:58,700 --> 00:43:59,700 below. 1302 00:43:59,990 --> 00:44:02,149 At the same time, you still can't 1303 00:44:02,150 --> 00:44:03,150 see anything. No. 
1304 00:44:04,730 --> 00:44:06,799 And then 1305 00:44:06,800 --> 00:44:08,989 it should be able to pick up all 1306 00:44:08,990 --> 00:44:10,639 the things I play. 1307 00:44:10,640 --> 00:44:11,759 Okay. 1308 00:44:11,760 --> 00:44:12,760 And. 1309 00:44:15,450 --> 00:44:17,699 And then we get and played 1310 00:44:17,700 --> 00:44:19,459 at life. I mean, this as you said, 1311 00:44:19,460 --> 00:44:21,169 there's a lot of noise for this attack, 1312 00:44:21,170 --> 00:44:23,899 right? So it will be very noisy then. 1313 00:44:23,900 --> 00:44:24,900 So 1314 00:44:26,090 --> 00:44:27,249 I can play here, 1315 00:44:29,130 --> 00:44:30,320 OK? And I can't. 1316 00:44:32,990 --> 00:44:33,990 Here. 1317 00:44:34,880 --> 00:44:36,699 Let's see. It might be a bit noisy. 1318 00:44:38,270 --> 00:44:39,270 See if it works. 1319 00:44:53,220 --> 00:44:55,659 It sounds a bit like a metal version 1320 00:44:55,660 --> 00:44:56,660 out there. 1321 00:45:00,020 --> 00:45:01,279 But you can imagine. 1322 00:45:01,280 --> 00:45:03,129 I think we can sell this as the zombie 1323 00:45:03,130 --> 00:45:04,440 load filter. Yes. 1324 00:45:05,680 --> 00:45:08,359 It's really great. But imagine if you 1325 00:45:08,360 --> 00:45:10,399 spy on a Skype call like that, so you'll 1326 00:45:10,400 --> 00:45:12,539 still understand a few young 1327 00:45:12,540 --> 00:45:13,099 words. 1328 00:45:13,100 --> 00:45:14,789 So far, the timeline we reported zombie 1329 00:45:14,790 --> 00:45:17,119 load on April 12th and then on 1330 00:45:17,120 --> 00:45:19,219 April 24, we reported very 1331 00:45:19,220 --> 00:45:21,379 up to we showed that it works 1332 00:45:21,380 --> 00:45:23,539 on a new CB use that shouldn't be 1333 00:45:23,540 --> 00:45:24,539 vulnerable anymore. 1334 00:45:24,540 --> 00:45:26,419 Yeah. That was just before the embargo 1335 00:45:26,420 --> 00:45:27,329 ended. 1336 00:45:27,330 --> 00:45:28,759 That was fun. 1337 00:45:28,760 --> 00:45:30,930 Yeah. 
I mean, we have always had 1338 00:45:31,940 --> 00:45:33,020 another embargo 1339 00:45:34,040 --> 00:45:35,049 on Senator. 1340 00:45:35,050 --> 00:45:36,179 Yeah. 1341 00:45:36,180 --> 00:45:37,699 We this variant, of course. 1342 00:45:37,700 --> 00:45:39,379 Yes. Which was quite funny because we had 1343 00:45:39,380 --> 00:45:40,969 these if that's in a take your coat off 1344 00:45:40,970 --> 00:45:42,199 the paper and just 1345 00:45:43,340 --> 00:45:45,469 variant on the same 1346 00:45:45,470 --> 00:45:47,559 day when formula was disclosed 1347 00:45:47,560 --> 00:45:49,819 to the new MVS resistance abuse 1348 00:45:49,820 --> 00:45:50,389 came out. 1349 00:45:50,390 --> 00:45:52,789 So you can actually buy them. 1350 00:45:52,790 --> 00:45:54,109 Yes. 1351 00:45:54,110 --> 00:45:56,419 We also reported on May 16 that the 1352 00:45:56,420 --> 00:45:58,489 VW and software sequences are 1353 00:45:58,490 --> 00:45:59,569 insufficient. There's still some 1354 00:45:59,570 --> 00:46:01,669 remaining leakage. It still makes tax a 1355 00:46:01,670 --> 00:46:03,259 lot harder. 1356 00:46:03,260 --> 00:46:05,239 But yes, this is also entirely 1357 00:46:05,240 --> 00:46:06,259 documented. This. 1358 00:46:06,260 --> 00:46:07,339 So does this. No. Yes. 1359 00:46:07,340 --> 00:46:09,569 And only last month the very into was 1360 00:46:09,570 --> 00:46:10,459 disclosed. Yeah. We have that 1361 00:46:10,460 --> 00:46:11,499 accomplished. Oh yeah. 1362 00:46:11,500 --> 00:46:12,500 All right. 1363 00:46:13,230 --> 00:46:15,289 I came. It's one I'd be on a movie 1364 00:46:15,290 --> 00:46:16,459 poster. Yeah. 1365 00:46:16,460 --> 00:46:18,519 But as this way. Am I actually 1366 00:46:18,520 --> 00:46:20,629 here. No I don't. 1367 00:46:20,630 --> 00:46:22,699 But actually. So the 1368 00:46:22,700 --> 00:46:24,589 process with Intel improved quite a lot 1369 00:46:24,590 --> 00:46:27,379 over over the last year. 
1370 00:46:27,380 --> 00:46:29,449 They invested a lot of effort into 1371 00:46:29,450 --> 00:46:30,709 improving their processes. 1372 00:46:30,710 --> 00:46:32,779 And I think by now I'm really happy 1373 00:46:32,780 --> 00:46:34,879 to to work with them. 1374 00:46:34,880 --> 00:46:36,619 And they I think they are also quite 1375 00:46:36,620 --> 00:46:38,629 happy because they send us a beer and we 1376 00:46:38,630 --> 00:46:40,589 are. We were so happy about that and so 1377 00:46:40,590 --> 00:46:42,829 excited. And we didn't have time 1378 00:46:42,830 --> 00:46:43,849 until last weekend. 1379 00:46:43,850 --> 00:46:45,559 And then we finally had the beer. 1380 00:46:45,560 --> 00:46:47,779 And that was also very 1381 00:46:47,780 --> 00:46:49,579 nice anyway. 1382 00:46:49,580 --> 00:46:51,589 But wait a minute. 1383 00:46:51,590 --> 00:46:53,689 So the TSA attack, the 1384 00:46:53,690 --> 00:46:56,029 very end to is just to use X 1385 00:46:56,030 --> 00:46:57,049 over leak. 1386 00:46:57,050 --> 00:46:58,050 Yes. 1387 00:46:59,090 --> 00:47:01,159 Like I said earlier, when you go 1388 00:47:01,160 --> 00:47:03,259 back one year, we had some slides 1389 00:47:03,260 --> 00:47:04,339 at Black Head again. 1390 00:47:04,340 --> 00:47:07,189 Yes. Where we had this code. 1391 00:47:07,190 --> 00:47:09,409 Oh. And if I look at this code, 1392 00:47:09,410 --> 00:47:10,909 it looks the same as before. 1393 00:47:10,910 --> 00:47:11,989 It looks the same. Yes. 1394 00:47:11,990 --> 00:47:13,129 Just without the flash. 1395 00:47:13,130 --> 00:47:14,449 So if I just wait. 1396 00:47:14,450 --> 00:47:16,939 But it's like this is basically 1397 00:47:16,940 --> 00:47:18,379 just our code from GitHub. 1398 00:47:18,380 --> 00:47:20,599 We had this on GitHub and on the slides 1399 00:47:20,600 --> 00:47:21,609 for one year. 1400 00:47:21,610 --> 00:47:23,239 Yes. And it was right in the mouth on 1401 00:47:23,240 --> 00:47:23,819 paper. 
1402 00:47:23,820 --> 00:47:25,519 Yeah. Mm hmm. 1403 00:47:25,520 --> 00:47:27,009 Yeah. Not not good. 1404 00:47:27,010 --> 00:47:29,659 So but no one tries so abuses 1405 00:47:29,660 --> 00:47:31,369 on getting them. Yes mate. 1406 00:47:31,370 --> 00:47:32,569 Maybe you should also fix it. 1407 00:47:32,570 --> 00:47:34,129 I mean it's really easy, right. 1408 00:47:34,130 --> 00:47:35,299 What about the mitigation. 1409 00:47:35,300 --> 00:47:36,319 Yes. Yes. 1410 00:47:36,320 --> 00:47:38,389 If you don't have TSX anymore, 1411 00:47:38,390 --> 00:47:39,769 then you can't have that TSX 1412 00:47:39,770 --> 00:47:41,809 abort. So super easy fix, right? 1413 00:47:41,810 --> 00:47:42,860 No, no kidding. 1414 00:47:43,910 --> 00:47:45,979 No, actually, that's one of 1415 00:47:45,980 --> 00:47:48,109 the mitigations: you can just disable 1416 00:47:48,110 --> 00:47:50,929 Intel TSX and that's the default 1417 00:47:50,930 --> 00:47:53,659 after the latest microcode update 1418 00:47:53,660 --> 00:47:55,219 where when you try to run the attack 1419 00:47:55,220 --> 00:47:56,569 again, it doesn't work. And then you have 1420 00:47:56,570 --> 00:47:58,759 to figure out some performance penalty. 1421 00:47:58,760 --> 00:48:00,829 Yes. But on the other hand, we also 1422 00:48:00,830 --> 00:48:02,689 have the VERW to overwrite the 1423 00:48:02,690 --> 00:48:04,219 affected buffers as before. 1424 00:48:05,450 --> 00:48:07,609 But unfortunately, 1425 00:48:07,610 --> 00:48:09,259 they do not work reliably. 1426 00:48:09,260 --> 00:48:10,769 Also not the software sequences. 1427 00:48:10,770 --> 00:48:13,039 So under certain conditions, 1428 00:48:13,040 --> 00:48:15,349 you can still get leakage despite having 1429 00:48:15,350 --> 00:48:16,309 just mitigations. 1430 00:48:16,310 --> 00:48:17,429 But is this. 1431 00:48:17,430 --> 00:48:18,529 Yeah.
1432 00:48:18,530 --> 00:48:20,059 So about this scheme, you get any 1433 00:48:20,060 --> 00:48:21,979 insights from that? 1434 00:48:21,980 --> 00:48:24,319 I mean, so for ZombieLoad, it again 1435 00:48:24,320 --> 00:48:26,479 falls in the category of transient 1436 00:48:26,480 --> 00:48:28,369 execution attacks, is a Meltdown-type 1437 00:48:28,370 --> 00:48:31,029 attack. It uses default stair. 1438 00:48:31,030 --> 00:48:32,659 You can't classify the different variants 1439 00:48:32,660 --> 00:48:34,399 on the fault you will. 1440 00:48:34,400 --> 00:48:36,019 So we have to space fault for variant 1441 00:48:36,020 --> 00:48:37,789 one, we have the microcode assists, 1442 00:48:37,790 --> 00:48:40,069 microarchitectural faults for variant 1443 00:48:40,070 --> 00:48:41,299 2 and variant 3. 1444 00:48:41,300 --> 00:48:42,589 One is to T.A. 1445 00:48:42,590 --> 00:48:44,599 the TSX abort, which is not a visible 1446 00:48:44,600 --> 00:48:46,549 fault but a microarchitectural fault, 1447 00:48:46,550 --> 00:48:48,889 and also the microcode assist 1448 00:48:48,890 --> 00:48:51,439 for the accessed and dirty bit. 1449 00:48:51,440 --> 00:48:53,179 And as we've presented last year, we've 1450 00:48:53,180 --> 00:48:55,199 put this up on the Web site like 1451 00:48:55,200 --> 00:48:56,119 transient.fail. 1452 00:48:56,120 --> 00:48:57,839 So you can play around with that. 1453 00:48:57,840 --> 00:48:59,989 See what kind of attacks have 1454 00:48:59,990 --> 00:49:01,339 been explored already. 1455 00:49:01,340 --> 00:49:03,379 Yes. And know that I inside this here. 1456 00:49:03,380 --> 00:49:05,169 So we have this memory-based side 1457 00:49:05,170 --> 00:49:07,789 channel attacks for quite some years now 1458 00:49:07,790 --> 00:49:09,349 where we look at addresses and then you 1459 00:49:09,350 --> 00:49:11,609 see the addresses accessed or not, we can 1460 00:49:11,610 --> 00:49:13,429 infer the instruction pointer.
1461 00:49:13,430 --> 00:49:15,409 Then we had this Meltdown attack where we 1462 00:49:15,410 --> 00:49:17,039 had an address and we actually got the 1463 00:49:17,040 --> 00:49:19,729 data from this address was completely new 1464 00:49:19,730 --> 00:49:21,619 and it looked like a bit different. 1465 00:49:21,620 --> 00:49:23,399 And now with the state assembly with some 1466 00:49:23,400 --> 00:49:25,699 details here, we have the missing link 1467 00:49:25,700 --> 00:49:27,829 here between that, because now we 1468 00:49:27,830 --> 00:49:29,299 know when we had the certain instruction 1469 00:49:29,300 --> 00:49:31,399 pointer, then we get the data so we can't 1470 00:49:31,400 --> 00:49:33,019 specify the address of the data we want 1471 00:49:33,020 --> 00:49:34,669 to leak. But at a certain instruction 1472 00:49:34,670 --> 00:49:36,899 pointer, we simply get the data 1473 00:49:36,900 --> 00:49:39,169 and we have seen some nice triangle 1474 00:49:39,170 --> 00:49:41,269 that combines all these things 1475 00:49:41,270 --> 00:49:44,269 and gives us more powerful primitives. 1476 00:49:44,270 --> 00:49:46,279 So what are the lessons that we've 1477 00:49:46,280 --> 00:49:48,409 learned? So when Meltdown and Spectre came 1478 00:49:48,410 --> 00:49:50,479 out for us, it was like Spectre's head 1479 00:49:50,480 --> 00:49:52,669 of state of the long program problem 1480 00:49:52,670 --> 00:49:54,679 we have to take care of and for Meltdown, 1481 00:49:54,680 --> 00:49:55,939 everything is fixed. 1482 00:49:55,940 --> 00:49:58,249 But by now we've seen much more Meltdown- 1483 00:49:58,250 --> 00:49:59,339 type attacks. 1484 00:49:59,340 --> 00:50:01,019 Inspect the type of text. 1485 00:50:01,020 --> 00:50:03,659 Yes. So we were on that assessment. 1486 00:50:03,660 --> 00:50:05,159 If you want to play around with that. 1487 00:50:05,160 --> 00:50:06,689 So everything is always on GitHub, all 1488 00:50:06,690 --> 00:50:07,799 the variants.
1489 00:50:07,800 --> 00:50:09,479 So you can try yourself to see if you can 1490 00:50:09,480 --> 00:50:12,059 reproduce that and build your own nice. 1491 00:50:12,060 --> 00:50:14,189 So maybe load music, photos or stuff 1492 00:50:14,190 --> 00:50:15,329 like that. 1493 00:50:15,330 --> 00:50:17,429 And also in 2019, there were other 1494 00:50:17,430 --> 00:50:18,929 papers in the same space. 1495 00:50:18,930 --> 00:50:20,349 That was the Fallout paper and the 1496 00:50:20,350 --> 00:50:22,889 RIDL paper which also 1497 00:50:22,890 --> 00:50:25,739 presented attacks in this area. 1498 00:50:25,740 --> 00:50:27,899 So to conclude, I would talk 1499 00:50:27,900 --> 00:50:29,969 transient execution attacks are now the 1500 00:50:29,970 --> 00:50:31,889 gift that keeps on giving. 1501 00:50:31,890 --> 00:50:34,059 Yes. And as we have seen, the of miles on 1502 00:50:34,060 --> 00:50:36,299 a text is a lot larger than previously 1503 00:50:36,300 --> 00:50:37,949 expected us. So we feel like it's only 1504 00:50:37,950 --> 00:50:40,009 one. But we now have several of them 1505 00:50:40,010 --> 00:50:41,999 Meltdown-type attacks that we know 1506 00:50:42,000 --> 00:50:43,079 there might be more. 1507 00:50:43,080 --> 00:50:46,229 Yes. And CPUs are deterministic 1508 00:50:46,230 --> 00:50:47,230 largely. 1509 00:50:48,090 --> 00:50:49,079 There is no noise. 1510 00:50:49,080 --> 00:50:51,419 If you see noise, then usually it means 1511 00:50:51,420 --> 00:50:53,519 it's data from somebody 1512 00:50:53,520 --> 00:50:54,900 else. And now 1513 00:50:56,080 --> 00:50:58,139 do we still have time for the remaining 1514 00:50:58,140 --> 00:50:59,140 part of the song? 1515 00:51:09,000 --> 00:51:11,409 See here and 1516 00:51:11,410 --> 00:51:13,659 we can chat. 1517 00:51:13,660 --> 00:51:14,770 He is. 1518 00:51:28,010 --> 00:51:30,229 Speak 1519 00:51:30,230 --> 00:51:31,230 for 1520 00:51:32,940 --> 00:51:35,559 sway and smile.
1521 00:51:35,560 --> 00:51:38,229 Say it, leave these 1522 00:51:38,230 --> 00:51:39,230 notes. 1523 00:51:51,490 --> 00:51:53,339 So we want to thank the moderate label 1524 00:51:53,340 --> 00:51:55,449 for seeing the song for us and on 1525 00:51:55,450 --> 00:51:57,159 to all of you. We want to thank all of 1526 00:51:57,160 --> 00:51:59,289 you for being here. 1527 00:51:59,290 --> 00:52:01,979 Thank you. And we are open for questions 1528 00:52:01,980 --> 00:52:03,159 about. 1529 00:52:11,470 --> 00:52:13,029 Thank you very much. 1530 00:52:13,030 --> 00:52:15,189 We have some time left 1531 00:52:15,190 --> 00:52:17,349 for questions, so please line up at the 1532 00:52:17,350 --> 00:52:18,639 microphones. 1533 00:52:18,640 --> 00:52:20,899 If you have questions, 1534 00:52:20,900 --> 00:52:22,779 the fashions from the Internets. 1535 00:52:22,780 --> 00:52:24,369 That's really nice signal. 1536 00:52:24,370 --> 00:52:25,370 And so please 1537 00:52:26,650 --> 00:52:28,869 can use this record as a text with 1538 00:52:28,870 --> 00:52:30,819 poll monitoring tools, simple your 1539 00:52:30,820 --> 00:52:32,919 fragrances, memory apps 1540 00:52:32,920 --> 00:52:34,630 or other free accessible tools. 1541 00:52:37,030 --> 00:52:38,919 I don't think there is a tool tailored to 1542 00:52:38,920 --> 00:52:41,159 detect those attacks. 1543 00:52:41,160 --> 00:52:42,820 Certainly you would see 1544 00:52:44,110 --> 00:52:46,119 with the current PoCs that we have, 1545 00:52:46,120 --> 00:52:48,429 you would see significant 1546 00:52:48,430 --> 00:52:50,649 CPU utilization and probably 1547 00:52:50,650 --> 00:52:51,969 also a lot of memory traffic. 1548 00:52:53,680 --> 00:52:54,699 Other than that. 1549 00:52:54,700 --> 00:52:56,919 So there are not nodes dedicated to it so 1550 00:52:56,920 --> 00:52:57,920 far.
1551 00:52:58,540 --> 00:53:00,009 But also I think it's better to just 1552 00:53:00,010 --> 00:53:02,079 patch these vulnerabilities than to 1553 00:53:02,080 --> 00:53:03,099 try to detect them. 1554 00:53:05,440 --> 00:53:07,300 Thank you. Microphone four, please. 1555 00:53:08,440 --> 00:53:10,719 In the timeline with the 1556 00:53:10,720 --> 00:53:13,119 that you reported 1557 00:53:13,120 --> 00:53:15,579 variant two at the very end though 1558 00:53:15,580 --> 00:53:17,769 you already had variant one and three the 1559 00:53:17,770 --> 00:53:20,259 way it is our numbering. 1560 00:53:20,260 --> 00:53:22,419 So we actually had variant two right 1561 00:53:22,420 --> 00:53:24,069 in the beginning when we reported it, but 1562 00:53:24,070 --> 00:53:25,070 we only discovered 1563 00:53:26,290 --> 00:53:28,419 very briefly before 1564 00:53:28,420 --> 00:53:30,759 the embargo ended that it actually 1565 00:53:30,760 --> 00:53:31,259 behave. 1566 00:53:31,260 --> 00:53:32,719 So are two key moments. 1567 00:53:32,720 --> 00:53:35,019 So in April we reported 1568 00:53:35,020 --> 00:53:37,209 variant one, three and then two 1569 00:53:37,210 --> 00:53:39,549 weeks later on April 1570 00:53:39,550 --> 00:53:42,459 24, we reported variant three. 1571 00:53:42,460 --> 00:53:44,789 Variant two, sorry. Yeah, but 1572 00:53:44,790 --> 00:53:47,079 for Cascade Lake, we really wanted 1573 00:53:47,080 --> 00:53:48,489 to buy a CPU. 1574 00:53:48,490 --> 00:53:50,769 But university budget 1575 00:53:50,770 --> 00:53:53,139 is limited. So I didn't do that 1576 00:53:53,140 --> 00:53:54,609 before the embargo ended. 1577 00:53:54,610 --> 00:53:57,039 I ordered one online to test it. 1578 00:53:57,040 --> 00:53:59,159 Also, the CPU wasn't available. 1579 00:53:59,160 --> 00:54:01,269 Yes. So that was apparently an 1580 00:54:01,270 --> 00:54:04,009 accident of the cloud provider. 1581 00:54:04,010 --> 00:54:05,329 We suspect. 1582 00:54:05,330 --> 00:54:06,249 Yeah.
We just like that. 1583 00:54:06,250 --> 00:54:08,589 We should not have been able to 1584 00:54:08,590 --> 00:54:10,959 actually buy one before May 14. 1585 00:54:10,960 --> 00:54:12,529 Yes, course. That was the announcement of 1586 00:54:12,530 --> 00:54:13,329 the CPU. 1587 00:54:13,330 --> 00:54:15,609 Yes. And when we were able 1588 00:54:15,610 --> 00:54:17,709 to mount the attack on Cascade 1589 00:54:17,710 --> 00:54:20,049 Lake, which they assumed is 1590 00:54:20,050 --> 00:54:22,509 not affected by MDS-type attacks, 1591 00:54:22,510 --> 00:54:24,729 things got busy again 1592 00:54:24,730 --> 00:54:27,039 because now we have an embargo ending 1593 00:54:27,040 --> 00:54:28,119 in four days. 1594 00:54:28,120 --> 00:54:30,469 And there's a new variant that still 1595 00:54:30,470 --> 00:54:32,769 is capable of leaking data on the newest 1596 00:54:32,770 --> 00:54:33,939 CPUs. 1597 00:54:33,940 --> 00:54:35,919 So previously, none of the PoCs showed 1598 00:54:35,920 --> 00:54:38,199 that there is a difference in the 1599 00:54:38,200 --> 00:54:40,119 microarchitectural behavior between those 1600 00:54:40,120 --> 00:54:42,399 variants so that the TSX 1601 00:54:42,400 --> 00:54:43,629 transaction, the transactional 1602 00:54:43,630 --> 00:54:45,909 abort, the asynchronous abort 1603 00:54:45,910 --> 00:54:47,739 behaves differently was only known at 1604 00:54:47,740 --> 00:54:48,740 that point. 1605 00:54:51,730 --> 00:54:53,659 OK. Question answered, or do you still have 1606 00:54:53,660 --> 00:54:54,660 one more? 1607 00:54:55,520 --> 00:54:57,649 OK. Thank you. We have more questions 1608 00:54:57,650 --> 00:54:59,479 from the signal angel or somebody 1609 00:54:59,480 --> 00:55:00,979 lining up at microphone one, please. 1610 00:55:02,540 --> 00:55:04,699 May we ask, do we have any other 1611 00:55:04,700 --> 00:55:06,469 embargo going on right now? 1612 00:55:10,340 --> 00:55:11,340 I don't know.
1613 00:55:15,300 --> 00:55:17,379 All right. So I don't see any 1614 00:55:17,380 --> 00:55:19,570 other people, any other 1615 00:55:20,680 --> 00:55:22,239 guys lining up at the microphone. 1616 00:55:22,240 --> 00:55:23,769 So thanks again. 1617 00:55:23,770 --> 00:55:25,839 Round warm of all round of applause 1618 00:55:25,840 --> 00:55:27,520 for those three.