Play all

Intro

Exploring a new vulnerability class Microsoft first learned about these issues in June, 2017 when a CPU partner notified us

Why does Microsoft care about these issues?

Parallelism and speculation

Out-of-order execution

General definition of speculative execution

Spectre and Meltdown

Spectre (variant 1): conditional branches

Spectre (variant 2): indirect branches

Meltdown (variant 3): exception deferral

Why create a taxonomy? • Designing robust mitigations requires a systematic approach

1. Gaining speculation: speculation primitives

2. Maintaining speculation: windowing gadgets

Observing the results: disclosure primitives . Finally the attacker needs to read the results from the side channel • Example: check if a cache line was loaded

The four components of speculation techniques

Relevance to software security models

Defining our mitigation tactics The systematization we developed provides the basis for defining our mitigation tactics

Speculation barrier via execution serializing instruction

Security domain CPU core isolation

Indirect branch speculation barrier on demand & mode change

Split user and kernel page tables (KVA Shadow)

Decrease browser timer precision

Mitigation relationship to attack scenarios & primitives

New variants & mitigations

Resources • Microsoft Speculative Execution Side Channel Bounty

Description:

Explore Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities in this Black Hat conference presentation. Delve into the company's collaborative efforts, including bringing in experts from across Microsoft and hiring an industry specialist to accelerate understanding of these issues. Learn about the taxonomy created to design robust mitigations, covering topics such as speculation primitives, windowing gadgets, and disclosure primitives. Examine the four components of speculation techniques and their relevance to software security models. Discover the mitigation tactics developed, including speculation barriers, CPU core isolation, and split user and kernel page tables. Gain insights into new variants and mitigations, and access valuable resources on Microsoft's Speculative Execution Side Channel Bounty program.

Wrangling with the Ghost - An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities

Black Hat

Add to list

#Conference Talks #Black Hat #Programming #Software Development #Information Security (InfoSec) #Cybersecurity #Software Security #Computer Science #Computer Architecture #CPU Architecture #Computer Security #Meltdown #Spectre

0:00 / 0:00