commit 598b78c6520ac7cc72e7d2b614e05a793d31088b
parent f2680abdfbc3434ee62ba86d97062027a012959b
Author: Alex Balgavy <alex@balgavy.eu>
Date: Thu, 4 Nov 2021 21:16:12 +0100
Update hwsec & ACN notes
Diffstat:
7 files changed, 207 insertions(+), 0 deletions(-)
diff --git a/content/acn-notes/_index.md b/content/acn-notes/_index.md
@@ -4,3 +4,4 @@ title = 'Advanced Computer Networks'
# Advanced Computer Networks
1. [Intro](intro)
+2. [Networking basics](networking-basics)
diff --git a/content/acn-notes/networking-basics/berkeley-sockets.png b/content/acn-notes/networking-basics/berkeley-sockets.png
Binary files differ.
diff --git a/content/acn-notes/networking-basics/index.md b/content/acn-notes/networking-basics/index.md
@@ -0,0 +1,97 @@
++++
+title = 'Networking basics'
++++
+
+# Networking basics
+## Domain name system (DNS)
+People can't remember IPs, need names that are easy to remember.
+
+Before DNS, you just had a hosts file that was periodically updated via FTP.
+
+DNS:
+- distributed, so no centralization and good scalability
+- simple client/server architecture via UDP port 53
+- hierarchical namespace:
+ - root name server by ICANN
+ - responsible for root zone file -- lists TLDs and who owns them
+ - 13 root servers, globally replicated
+ - contacted when names can't be resolved locally
+ - top-level domains managed by Verisign and others
+
+Resolving a name via recursive DNS query, e.g. "www.google.com"
+- query local DNS server (e.g. dns.vu.nl)
+- no entry found, go to root
+- root says to contact "com" nameserver
+- query "com" NS for "www.google.com"
+- "com" NS says to contact "ns1.google.com"
+- query "ns1.google.com" for "www.google.com"
+- "ns1.google.com" returns IP address
+
+DNS types:
+- A (IPv4), AAAA (IPv6): DNS resolution
+- CNAME: look for alias
+- NS: query for DNS responsible for partial name
+- MX: look for mail server
+
+## Socket and TCP
+Berkeley sockets:
+
+
+
+Transmission control protocol (TCP):
+- uses a three-way handshake
+
+
+
+TCP functionality:
+- reliable delivery: integrity check (header checksum), packet retransmission when lost (sequence number), packet reordering
+- flow control: receiver not overrun by sender
+- congestion control: network not overrun by sender
+
+## IP routing
+IP addresses made up of 32 bits, in groups of 8.
+Contain network identifier (IP prefix), subnet identifier, host identifier.
+
+CIDR notation: 10.0.0.1/24
+- first 24 bits for network identifier
+- rest for host identifier
+- alternative subnet mask notation: 255.255.255.0
+
+Generating forwarding tables:
+- control plane: routers use distributed protocol to exchange messages and compute shortest paths to other routers
+ - OSPF: within domain. routers exchange link-state messages to learn topology, each router uses Dijkstra's to get shortest path, and generates forwarding table entries
+ - BGP: between autonomous systems.
+
+MPLS: multiprotocol label switching
+- uses a label field, which routers use to forward traffic
+- useful for traffic engineering (optimization, performance improvement, etc.)
+
+## Ethernet and ARP
+Switched Ethernet:
+- switching creates Ethernet segments and forwards frames between them based on MAC address
+- Ethernet MAC address: 6 bytes, unique among all network adapters, managed by IEEE
+- switches forward/broadcast/drop frames based on switch table
+- switches don't need MAC address - they operate transparently to hosts
+- generating table:
+ - learn new MAC interface mappings through incoming frames
+ - if destination MAC unknown, broadcast frame on all interfaces except the one where the frame originated
+- store-and-forward: packets received in full, buffered, then forwarded onto output link
+- cut-through: when lookup is done, can receive and send packet at the same time (reduces latency, but can't do integrity check)
+- redundancy without loops: use logical spanning tree (STP), automatically rebuild on failure
+ - with loops, you'd get packets bouncing around constantly
+- traffic isolation: VLAN
+ - network manager partitions ports into subsets, assigns to VLANs
+ - ports in same VLAN form broadcast domain, ports on different VLANs routed through internal router in switch
+ - switches connected on trunk ports belonging to all VLANs
+
+ARP: obtaining destination MAC address
+- ARP query: ask host with IP to respond with MAC address
+- ARP reply: MAC address response sent
+- ARP table is cached locally
+
+## Network address translation (NAT)
+NAT: way to map IP address space into another, used to mask network changes and prevent running out of IPv4 addresses
+
+From the outside, your IP is the address of your router.
+When your router gets traffic, it sends it to the appropriate host on the local network.
diff --git a/content/acn-notes/networking-basics/tcp.png b/content/acn-notes/networking-basics/tcp.png
Binary files differ.
diff --git a/content/hwsec-notes/_index.md b/content/hwsec-notes/_index.md
@@ -4,3 +4,4 @@ title = 'Hardware security'
# Hardware security
1. [DRAM (physical memory)](dram-physical-memory)
+2. [CPUs](cpus)
diff --git a/content/hwsec-notes/cpus.md b/content/hwsec-notes/cpus.md
@@ -0,0 +1,61 @@
++++
+title = 'CPUs'
++++
+# CPUs
+## CPU caches
+Caches: add fast-path access to memory
+- shared across programs like memory
+- great for performance, bad for security
+
+Basic RELOAD attack: you can determine which function is being executed using a timing side channel -- a function that was already executed will be in the cache, so faster.
+
+Important properties:
+- size: three levels, with L1 smallest and L3 largest (shared across all cores)
+- inclusivity: a line in level X also in X+1
+
+Addressing:
+- caches divided in sets, each address can only go to its own set
+- cache line lookup on memory access:
+ - if present, hit. if not, miss → fill it in.
+ - if set full, replace
+ - replacement policy: most often least recently used
+ - reverse engineering the policy:
+ - implement simulator for textbook replacement policies
+ - run accesses through simulator & real caches
+ - compare hit and misses to find best policy match
+- indexing: policy to select target cache set given memory address
+- tagging: how to select cache line within cache set given memory address
+ - practical implementations use physical address to identify cache line in set (tag)
+ - virtual address have problems: e.g. multiple virtual addresses map to single physical address, or vice versa
+- L1: VIPT (virt index, phys tag), 64 sets, 8 ways. bits 6-11 decide the set, shared between virt and phys page.
+- L2: PIPT, 1024 sets, 4 ways. bits 6-14 decide set
+- L3: sliced PIPT, 2048 sets per core, 16 ways, bits 6-16 decide set
+ - L3 is partitioned in slices, one per core, accessed via ring bus
+
+## Timing cache attack
+Threat model
+- control of victim: measurement is synchronous, but assumes we can control and time when victim executes
+- no control: fewer assumptions on attacker, but measurement is async
+
+Flushing the cache: `clflush` (x86)
+- flushes given memory location in entire cache hierarchy
+- if attacker doesn't have access to target memory location, need more sophisticated cache eviction strategy
+
+Observing cache activity: FLUSH+RELOAD
+- threat model: victim and attacker share target code/data
+- attacker can selectively flush a desired shared location from cache, then reload the target location
+- measuring access times, can determine whether the victim accesses a memory address
+
+## Cache attacks on hardware
+for FLUSH+RELOAD, victim hardware unit must:
+- use cache
+- share memory with attacker-controlled software
+- must access secrets
+
+Rogue Data Cache Load (Meltdown): flush+reload attack
+- user process accesses kernel memory location
+- MMU raises exception and page fault handler kills off process
+- but out-of-order execution (OoOE) read secret and filled cache line
+- the reload 'sees' the filled cache line in the timing difference
+- avoiding termination: transactional memory (TSX) suppresses exceptions, use that
+- reducing noise: prefetcher in OoOE may fill extra cache lines, but usually doesn't operate across pages. also randomize accesses during reload state.
diff --git a/content/hwsec-notes/dram-physical-memory.md b/content/hwsec-notes/dram-physical-memory.md
@@ -65,3 +65,50 @@ Timing side channel: "something" leaks depending on how fast the operation is
- can be done remotely, software-only. but cannot look at data bits, cannot easily reconstruct address selection functions.
You can also probe the bus directly using an oscilloscope, and send requests for very different physical addresses.
+## Rowhammer
+DRAM defect on memory modules.
+
+Under certain conditions, the capacitors quickly leak charge, causing bits to flip.
+All the attacker has to do from software is activate the same rows numerous times within a refresh interval.
+
+If you repeatedly access row 0 and 2 in the same bank (aggressor rows), the capacitors in the middle row (row 1, victim row) leak charge and the data is corrupted.
+
+Can be useful for e.g. privilege escalation, flipping bits in page tables.
+
+Mitigations:
+- hardware:
+ - ECC memory: automatically correct bit flips
+ - target row refresh: refresh neighboring rows of rows being hammered
+- software:
+ - disable features: pagemap for unprivileged users, disable DMA allocators, memory deduplication
+ - other mitigations (ZebRAM, Drammer, Hammertime)
+
+ECC memory:
+- data bus has 72 bits instead of 64
+- ECC bits have info for error correction
+- ECC function is secret, part of memory controller
+- figuring it out:
+ - probe the pins -- possible, but expensive
+ - inject errors on bus, monitor behavior of ECC implementation (choose pins to make sure that short-circuiting flips a bit)
+ - using data patterns, recover full ECC function
+
+## Cold boot attack
+Thread model: stolen laptop, DRAM holds secrets
+
+DRAM cells keep charge for a while even if not refreshed, especially if cold.
+
+Steps:
+1. Cool down DIMMs with a spray
+2. Shut down laptop
+3. USB-boot into malicious OS, or move DIMM
+4. Read any sensitive data
+
+Mitigation: data scrambling -- memory controller randomizes data encoding when writing data to DRAM.
+## Address translation
+MMU: multiple address spaces
+- virtualize physical memory
+- flexible memory management
+- isolation and protection
+
+Program the MMU using page tables.
+Modern architectures use four-level page tables (PML4).
