Editor's Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog content to. See Elastic Security to learn more about our integrated security solutions.

For several years, security researchers have been working on a new type of hardware attack that exploits cache side effects and speculative execution to perform privileged memory disclosure. Last week, a blog post by Jann Horn of Google and the release of two white papers by multiple researchers set off a frenzy of public panic and speculation. These new vulnerability classes consist of two distinct flaws named Spectre and Meltdown. Given the impact and technical challenge inherent in these vulnerabilities, we quickly dove into the details to investigate potential detection and prevention strategies to ensure the Endgame product is robust against these new kinds of hardware attacks.

Over the years, our vulnerability research has shaped our exploit prevention strategy. Inspired by the groundbreaking work of Yuan et al. and Anders Fogh, the use of CPU performance counters for security policy enforcement is at the core of this strategy. Based on their research and our experience in CPU performance, we hypothesized that many hardware and software flaws can be detected using a combination of heuristic-driven interrupts and instruction sequence verification based on these hardware counters. We then presented our work in 2016 at Black Hat USA.

This post summarizes our current research into detecting side-channel and speculative execution attacks, which remains ongoing as we continue to learn more about attacks like Spectre and Meltdown. Just as we are inspired by the number of researchers who have contributed findings on hardware attacks, we hope to similarly stimulate conversations about promising defensive measures for these new classes of vulnerabilities, which are likely to exist for years to come.

All processors affected by Spectre and Meltdown provide flexible mechanisms for counting hardware events such as cache flushes and branch mispredictions. Dozens of events are available, and processors can be programmed from the kernel to monotonically count events with near-zero overhead. Additional features generate an interrupt when a counter reaches a limit, giving us the ability to perform further analysis at that point.

Because these resources are handled completely in the CPU, they are naturally cross-platform and fundamentally the same on Linux, Windows, and macOS. They also exhibit very low performance overhead. This is why we chose to use them for control-flow integrity, and why they are an exciting opportunity for detecting attacks like Spectre and Meltdown on all operating systems.

Spectre and Meltdown require two fundamental capabilities to work: speculative execution and cache side-channels. From a defensive perspective, we focus on each of these capabilities independently, breaking them down to determine whether we can find strong correlations between an active attack and the hardware performance counters. The table below adds context to each attack variant that we will reference throughout this post.

(Table of attack variants: image not preserved in this copy.)

The ability to manipulate and measure various processor caches is critical to reliable exploitation.
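As an added illustration, not code from the Endgame post or product, the following Linux C snippet programs two of the generic hardware events described above, retired branches and branch mispredictions, through `perf_event_open(2)` for the calling thread, and applies an assumed misprediction-rate threshold as the detection heuristic. The function names and the threshold are assumptions; the counter-overflow interrupt feature (`sample_period`) is left out for brevity.

```c
// Linux only: perf_event_open(2) with the kernel's generic hardware events.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/perf_event.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Describe one hardware event for the calling thread; it starts disabled so
 * it can be reset and enabled explicitly around the code being measured. */
void hpc_attr_init(struct perf_event_attr *pe, uint64_t config) {
    memset(pe, 0, sizeof(*pe));
    pe->type = PERF_TYPE_HARDWARE;
    pe->size = sizeof(*pe);
    pe->config = config;
    pe->disabled = 1;
    pe->exclude_hv = 1;
}

/* Open the counter on the calling thread; returns an fd or -errno. */
int hpc_open(uint64_t config) {
    struct perf_event_attr pe;
    hpc_attr_init(&pe, config);
    long fd = syscall(SYS_perf_event_open, &pe, 0, -1, -1, 0);
    return fd < 0 ? -errno : (int)fd;
}

/* Assumed heuristic (not the post's tuned model): flag a measurement window
 * whose branch-misprediction rate exceeds the given threshold. */
int hpc_suspicious(uint64_t branches, uint64_t misses, double threshold) {
    if (branches == 0) return 0;
    return (double)misses / (double)branches > threshold;
}

/* Count retired branches and mispredictions around work(). Returns 0, or
 * -errno when no PMU is usable (perf_event_paranoid, VM without a vPMU). */
int hpc_measure(void (*work)(void), uint64_t *branches, uint64_t *misses) {
    int fb = hpc_open(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
    if (fb < 0) return fb;
    int fm = hpc_open(PERF_COUNT_HW_BRANCH_MISSES);
    if (fm < 0) { close(fb); return fm; }
    ioctl(fb, PERF_EVENT_IOC_RESET, 0);   ioctl(fm, PERF_EVENT_IOC_RESET, 0);
    ioctl(fb, PERF_EVENT_IOC_ENABLE, 0);  ioctl(fm, PERF_EVENT_IOC_ENABLE, 0);
    work();
    ioctl(fb, PERF_EVENT_IOC_DISABLE, 0); ioctl(fm, PERF_EVENT_IOC_DISABLE, 0);
    int ok = read(fb, branches, 8) == 8 && read(fm, misses, 8) == 8;
    close(fb); close(fm); return ok ? 0 : -EIO;
}
```

Pass any function to `hpc_measure` and feed the two counts to `hpc_suspicious`; a negative return from `hpc_measure` means the PMU is not accessible (check `kernel.perf_event_paranoid`) rather than a measurement result.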