DOCSLIB.ORG

Rage Against the Machine Clear: a Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks Hany Ragab∗ Enrico Barberis∗ Herbert Bos Cristiano Giuffrida [email protected] [email protected] [email protected] [email protected] Vrije Universiteit Amsterdam Amsterdam, The Netherlands ∗Equal contribution joint first authors Abstract 80, 83]. Building mostly on well-known causes of transient execution, such as branch mispredictions or aborting Intel Since the discovery of the Spectre and Meltdown vulnera- TSX transactions, such variants violate many security bound- bilities, transient execution attacks have increasingly gained aries, allowing attackers to obtain access to unauthorized data, momentum. However, while the community has investigated divert control flow, or inject values in transiently executed several variants to trigger attacks during transient execution, code. Nonetheless, little effort has been made to systemat- much less attention has been devoted to the analysis of the ically investigate the root causes of what Intel refers to as root causes of transient execution itself. Most attack vari- bad speculation [36]—the conditions that cause the CPU to ants simply build on well-known root causes, such as branch discard already issued micro-operations (µOps) and render misprediction and aborts of Intel TSX—which are no longer them transient. As a result, our understanding of these root supported on many recent processors. causes, as well as their security implications, is still limited. In this paper, we tackle the problem from a new perspective, In this paper, we systematically examine such causes with a closely examining the different root causes of transient exe- focus on a major, largely unexplored class of bad speculation. cution rather than focusing on new attacks based on known In particular, Intel [36] identifies two general causes of bad transient windows. Our analysis specifically focuses on the speculation (and transient execution)—branch misprediction class of transient execution based on machine clears (MC), and machine clears. Upon detecting branch mispredictions, reverse engineering previously unexplored root causes such the CPU needs to squash all the µOps executed in the the as Floating Point MC, Self-Modifying Code MC, Memory mispredicted branches. Such occurrences, in a wide variety Ordering MC, and Memory Disambiguation MC. We show of forms and manifestations, have been extensively examined these events not only originate new transient execution win- in the existing literature on transient execution attacks [12,13, dows that widen the horizon for known attacks, but also yield 33,41,42,44,49]. The same cannot be said for machine clears, entirely new attack primitives to inject transient values (Float- a class of bad speculation that relies on a full flush of the ing Point Value Injection or FPVI) and executing stale code processor pipeline to restart from the last retired instruction. (Speculative Code Store Bypass or SCSB). We present an In this paper, we therefore focus on the systematic exploration end-to-end FPVI exploit on the latest Mozilla SpiderMonkey of machine clears, their behavior, and security implications. JavaScript engine with all the mitigations enabled, disclosing arbitrary memory in the browser through attacker-controlled Specifically, by reverse engineering this undocumented and transiently-injected floating-point results. We also pro- class of bad speculation, we closely examine four previously pose mitigations for both attack primitives and evaluate their unexplored sources of machine clears (and thus transient exe- performance impact. Finally, as a by-product of our analysis, cution), related to floating points, self-modifying code, mem- we present a new root cause-based classification of all known ory ordering, and memory disambiguation. We show attackers transient execution paths. can exploit such causes to originate new transient execution windows with unique characteristics. For instance, attackers can exploit Floating Point Machine Clear events to embed 1 Introduction attacks in transient execution windows that require no train- ing or special (in many cases disabled) features such as Intel Since the public disclosure of the Meltdown and Spectre vul- TSX. Besides providing a general framework to run existing nerabilities in 2018, researchers have investigated ways to use and future attacks in a variety of transient execution windows transient execution windows for crafting several new attack with different constraints and leakage rates, our analysis also variants [8–13,30,41,44, 49,60,64,66,68,69,72,75 –77,79, uncovered new attack primitives based on machine clears. In particular, we show that Self-Modifying Code Machine Modifying Code Machine Clear (SMC MC), Memory Clear events allow attackers to transiently execute stale code, Ordering Machine Clear (MO MC), and Memory Dis- while Floating Point Machine Clear events allow them to in- ambiguation Machine Clear (MD MC). ject transient values in victim code. We term these primitives Speculative Code Store Bypass (SCSB) and Floating Point • We present two novel machine clear-based transient exe- Value Injection (FPVI), respectively. The former is loosely cution attack primitives (FPVI and SCSB) and an end-to- related to Speculative Store Bypass (SSB) [56, 83], but al- end FPVI exploit disclosing arbitrary memory in Firefox. lows attackers to transiently reference stale code rather than • We propose and evaluate possible mitigations. data. The latter is loosely related to Load Value Injection (LVI) [72], but allows attackers to inject transient values by • We propose a new root-cause based classification of all controlling operands of floating-point operations rather than the known transient execution paths. triggering victim page faults or microcode assists. We also discuss possible gadgets for exploitation in applications such Code, exploit demo, and additional information are avail- as JIT engines. For instance, we found that developers follow- able at https://www.vusec.net/projects/fpvi-scsb. ing instructions detailed in the Intel optimization manual [36] ad litteram could easily introduce SCSB gadgets in their ap- 2 Background plications. In addition, we show that attackers controlling JIT’ed code can easily inject FPVI gadgets and craft arbitrary 2.1 IEEE-754 Denormal Numbers memory reads, even from JavaScript in a modern browser using NaN-boxing such as Mozilla Firefox [54]. Modern processors implement a Floating Point Unit (FPU). Moreover, since existing mitigations cannot hinder our To represent floating point numbers, the IEEE-754 stan- primitives, we implement new mitigations to eliminate the dard [1] distinguishes three components (Fig.1). First, the uncovered attack surface. As shown in our evaluation, SCSB most significant bit serves as the sign bit s. The next w bits can be efficiently mitigated with serializing instructions in the contain a biased exponent e. For instance, for double precision practical cases of interest such as JavaScript engines. FPVI 64-bit floating point numbers, e is 11 bits long and the bias can be mitigated using transient execution barriers between is 211−1 − 1 = 1023 (i.e., 2w−1 − 1). The value e is computed the source of injection and its transmit gadgets, either inserted by adding the real exponent ereal to the bias, which ensures by the programmer or by the compiler. We implemented the that e is a positive number even if the real exponent is neg- general compiler-based mitigation in LLVM [46], measuring ative. The remaining bits are used for the mantissa m. The an overhead of 32% / 53% on SPECfp 2006/2017 (geomean). combination of these components represents the value. As While not limited to Intel, our analysis does build on a vari- an example, suppose the sign bit s = 1, the biased exponent ety of performance counters available in different generations e = 100000000112 = 102710 so that ereal = 1027−1023 = 4, of Intel CPUs but not on other architectures. Nevertheless, and the mantissa m = 0111000:::0. In that case,the corre- 4 we show that our insights into the root causes of bad specu- sponding decimal value is −1 · 2 · (1 + 0:01112). We refer to lation also generalize to other architectures, by successfully such numbers as normal numbers, as they are in the normal- repeating our transient execution leakage experiments (we ized form with an implicit leading 1 present in the mantissa. originally designed for Intel) on AMD. Finally, armed with a deeper understanding of the root causes of transient execution, we also present a new classi- fication for the resulting paths. Existing classifications [12] are entirely attack-centric, focusing on classes of Spectre- or Meltdown-like attacks and blending together (common) Figure 1: Fields of a 64 bits IEEE 754 double causes of transient execution with their uses (i.e., what at- tackers can do with them). Such classifications cannot easily If e = 0 and m 6= 0, the CPU treats the value as a denormal accommodate the new transient execution paths presented in value. In this case, the leading 1 becomes a leading 0 instead, this paper. For this reason, we propose a new orthogonal, root while the exponent becomes the minimal value of 2 − 2w−1, cause-centric classification, much closer to the sources of bad so that, with s = 1, e = 0 and m = 0111000:::0, the result- speculation identified by the chip vendors themselves. ing value for a double precision number is −1 · 2−1022 · (0 + Summarizing, we make the following contributions: 0:01112). This additional representation is intended to allow a • We systematically explore the root causes of transient gradual underflow when values get closer to 0. In 64-bits float- execution and closely examine the major, largely unex- ing point numbers, the smallest unbiased exponent is -1022, plored machine clear-based class. To this end, we present making it impossible to represent a number with an exponent the reverse engineering and security analysis of causes of -1023 or lower. In contrast, a denormal number can repre- such as Floating Point Machine Clear (FP MC), Self- sent this number by appending enough leading zeroes to the mantissa until the minimal exponent is obtained.
Recommended publications
  • Differential Fuzzing the Webassembly

    Differential Fuzzing the Webassembly

    Master’s Programme in Security and Cloud Computing Differential Fuzzing the WebAssembly Master’s Thesis Gilang Mentari Hamidy MASTER’S THESIS Aalto University - EURECOM MASTER’STHESIS 2020 Differential Fuzzing the WebAssembly Fuzzing Différentiel le WebAssembly Gilang Mentari Hamidy This thesis is a public document and does not contain any confidential information. Cette thèse est un document public et ne contient aucun information confidentielle. Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Technology. Antibes, 27 July 2020 Supervisor: Prof. Davide Balzarotti, EURECOM Co-Supervisor: Prof. Jan-Erik Ekberg, Aalto University Copyright © 2020 Gilang Mentari Hamidy Aalto University - School of Science EURECOM Master’s Programme in Security and Cloud Computing Abstract Author Gilang Mentari Hamidy Title Differential Fuzzing the WebAssembly School School of Science Degree programme Master of Science Major Security and Cloud Computing (SECCLO) Code SCI3084 Supervisor Prof. Davide Balzarotti, EURECOM Prof. Jan-Erik Ekberg, Aalto University Level Master’s thesis Date 27 July 2020 Pages 133 Language English Abstract WebAssembly, colloquially known as Wasm, is a specification for an intermediate representation that is suitable for the web environment, particularly in the client-side. It provides a machine abstraction and hardware-agnostic instruction sets, where a high-level programming language can target the compilation to the Wasm instead of specific hardware architecture. The JavaScript engine implements the Wasm specification and recompiles the Wasm instruction to the target machine instruction where the program is executed. Technically, Wasm is similar to a popular virtual machine bytecode, such as Java Virtual Machine (JVM) or Microsoft Intermediate Language (MSIL).
  • Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’S Topics

    Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’S Topics

    IGME-330 Rich Media Web Application Development I Week 1 Developing Rich Media Apps Today’s topics • Tools we’ll use – what’s the IDE we’ll be using? (hint: none) • This class is about “Rich Media” – we’ll need a “Rich client” – what’s that? • Rich media Plug-ins v. Native browser support for rich media • Who’s in charge of the HTML5 browser API? (hint: no one!) • Where did HTML5 come from? • What are the capabilities of an HTML5 browser? • Browser layout engines • JavaScript Engines Tools we’ll use • Browsers: • Google Chrome - assignments will be graded on Chrome • Safari • Firefox • Text Editor of your choice – no IDE necessary • Adobe Brackets (available in the labs) • Notepad++ on Windows (available in the labs) • BBEdit or TextWrangler on Mac • Others: Atom, Sublime • Documentation: • https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model • https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide What is a “Rich Client” • A traditional “web 1.0” application needs to refresh the entire page if there is even the smallest change to it. • A “rich client” application can update just part of the page without having to reload the entire page. This makes it act like a desktop application - see Gmail, Flickr, Facebook, ... Rich Client programming in a web browser • Two choices: • Use a plug-in like Flash, Silverlight, Java, or ActiveX • Use the built-in JavaScript functionality of modern web browsers to access the native DOM (Document Object Model) of HTML5 compliant web browsers.
  • Flash Player and Linux

    Flash Player and Linux

    Flash Player and Linux Ed Costello Engineering Manager Adobe Flash Player Tinic Uro Sr. Software Engineer Adobe Flash Player 2007 Adobe Systems Incorporated. All Rights Reserved. Overview . History and Evolution of Flash Player . Flash Player 9 and Linux . On the Horizon 2 2007 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Yesterday 3 2006 Adobe Systems Incorporated. All Rights Reserved. Flash on the Web: Today 4 2006 Adobe Systems Incorporated. All Rights Reserved. A Brief History of Flash Player Flash Flash Flash Flash Linux Player 5 Player 6 Player 7 Player 9 Feb 2001 Dec 2002 May 2004 Jan 2007 Win/ Flash Flash Flash Flash Flash Flash Flash Mac Player 3 Player 4 Player 5 Player 6 Player 7 Player 8 Player 9 Sep 1998 Jun 1999 Aug 2000 Mar 2002 Sep 2003 Aug 2005 Jun 2006 … Vector Animation Interactivity “RIAs” Developers Expressive Performance & Video & Standards Simple Actions, ActionScript Components, ActionScript Filters, ActionScript 3.0, Movie Clips, 1.0 Video (H.263) 2.0 Blend Modes, New virtual Motion Tween, (ECMAScript High-!delity machine MP3 ed. 3), text, Streaming Video (ON2) video 5 2007 Adobe Systems Incorporated. All Rights Reserved. Widest Reach . Ubiquitous, cross-platform, rich media and rich internet application runtime . Installed on 98% of internet- connected desktops1 . Consistently reaches 80% penetration within 12 months of release2 . Flash Player 9 reached 80%+ penetration in <9 months . YUM-savvy updater to support rapid/consistent Linux penetration 1. Source: Millward-Brown September 2006. Mature Market data. 2. Source: NPD plug-in penetration study 6 2007 Adobe Systems Incorporated. All Rights Reserved.
  • Efficiently Mitigating Transient Execution Attacks Using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M

    Efficiently Mitigating Transient Execution Attacks Using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M

    Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M. Frans Kaashoek, and Nickolai Zeldovich, MIT CSAIL https://www.usenix.org/conference/osdi20/presentation/behrens This paper is included in the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation November 4–6, 2020 978-1-939133-19-9 Open access to the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M. Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL Abstract designers have implemented a range of mitigations to defeat transient execution attacks, including state flushing, selectively Today’s kernels pay a performance penalty for mitigations— preventing speculative execution, and removing observation such as KPTI, retpoline, return stack stuffing, speculation channels [5]. These mitigations impose performance over- barriers—to protect against transient execution side-channel heads (see §2): some of the mitigations must be applied at attacks such as Meltdown [21] and Spectre [16]. each privilege mode transition (e.g., system call entry and exit), To address this performance penalty, this paper articulates and some must be applied to all running code (e.g., retpolines the unmapped speculation contract, an observation that mem- for all indirect jumps). In some cases, they are so expensive ory that isn’t mapped in a page table cannot be leaked through that OS vendors have decided to leave them disabled by de- transient execution. To demonstrate the value of this contract, fault [2, 22].
  • Class-Action Lawsuit

    Class-Action Lawsuit

    Case 3:20-cv-00863-SI Document 1 Filed 05/29/20 Page 1 of 279 Steve D. Larson, OSB No. 863540 Email: [email protected] Jennifer S. Wagner, OSB No. 024470 Email: [email protected] STOLL STOLL BERNE LOKTING & SHLACHTER P.C. 209 SW Oak Street, Suite 500 Portland, Oregon 97204 Telephone: (503) 227-1600 Attorneys for Plaintiffs [Additional Counsel Listed on Signature Page.] UNITED STATES DISTRICT COURT DISTRICT OF OREGON PORTLAND DIVISION BLUE PEAK HOSTING, LLC, PAMELA Case No. GREEN, TITI RICAFORT, MARGARITE SIMPSON, and MICHAEL NELSON, on behalf of CLASS ACTION ALLEGATION themselves and all others similarly situated, COMPLAINT Plaintiffs, DEMAND FOR JURY TRIAL v. INTEL CORPORATION, a Delaware corporation, Defendant. CLASS ACTION ALLEGATION COMPLAINT Case 3:20-cv-00863-SI Document 1 Filed 05/29/20 Page 2 of 279 Plaintiffs Blue Peak Hosting, LLC, Pamela Green, Titi Ricafort, Margarite Sampson, and Michael Nelson, individually and on behalf of the members of the Class defined below, allege the following against Defendant Intel Corporation (“Intel” or “the Company”), based upon personal knowledge with respect to themselves and on information and belief derived from, among other things, the investigation of counsel and review of public documents as to all other matters. INTRODUCTION 1. Despite Intel’s intentional concealment of specific design choices that it long knew rendered its central processing units (“CPUs” or “processors”) unsecure, it was only in January 2018 that it was first revealed to the public that Intel’s CPUs have significant security vulnerabilities that gave unauthorized program instructions access to protected data. 2. A CPU is the “brain” in every computer and mobile device and processes all of the essential applications, including the handling of confidential information such as passwords and encryption keys.
  • Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software

    Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software

    Scuola Politecnica e delle Scienze di Base Corso di Laurea Magistrale in Ingegneria Informatica Tesi di laurea magistrale in Calcolatori Elettronici II Behavioural Analysis of Tracing JIT Compiler Embedded in the Methodical Accelerator Design Software Anno Accademico 2018/2019 CERN-THESIS-2019-152 //2019 relatori Ch.mo prof. Nicola Mazzocca Ch.mo prof. Pasquale Arpaia correlatore Ing. Laurent Deniau PhD candidato Dario d’Andrea matr. M63000695 Acknowledgements Firstly, I would like to thank my supervisor at CERN, Laurent Deniau, for his daily support and his useful suggestions throughout the work described in this thesis. I would like to express my gratitude to both my university supervisors, Nicola Mazzocca and Pasquale Arpaia, for their helpfulness during this work and for their support during the past years at university. I feel privileged of being allowed to work with such inspiring mentors. This thesis would not have been possible without the help from the community of the LuaJIT project including all the useful insights contained in its mailing list, specially by its author, Mike Pall, who worked for many years accomplishing an amazing job. A special acknowledgement should be addressed to my family. I thank my father Guido and my mother Leda who guided me with love during my education and my life. I am grateful to my brother Fabio, my grandmother Tina, and my uncle Nicola, for their support during the past years. I also want to remember my uncle Bruno who inspired me for my academic career. I wish to express my deepest gratitude to Alicia for her unconditional encour- agement.
  • Mozilla Source Tree Docs Release 50.0A1

    Mozilla Source Tree Docs Release 50.0A1

    Mozilla Source Tree Docs Release 50.0a1 August 02, 2016 Contents 1 SSL Error Reporting 1 2 Firefox 3 3 Telemetry Experiments 11 4 Build System 17 5 WebIDL 83 6 Graphics 85 7 Firefox for Android 87 8 Indices and tables 99 9 Localization 101 10 mach 105 11 CloudSync 113 12 TaskCluster Task-Graph Generation 119 13 Crash Manager 133 14 Telemetry 137 15 Crash Reporter 207 16 Supbrocess Module 211 17 Toolkit modules 215 18 Add-on Manager 221 19 Linting 227 20 Indices and tables 233 21 Mozilla ESLint Plugin 235 i 22 Python Packages 239 23 Managing Documentation 375 24 Indices and tables 377 Python Module Index 379 ii CHAPTER 1 SSL Error Reporting With the introduction of HPKP, it becomes useful to be able to capture data on pin violations. SSL Error Reporting is an opt-in mechanism to allow users to send data on such violations to mozilla. 1.1 Payload Format An example report: { "hostname":"example.com", "port":443, "timestamp":1413490449, "errorCode":-16384, "failedCertChain":[ ], "userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0", "version":1, "build":"20141022164419", "product":"Firefox", "channel":"default" } Where the data represents the following: “hostname” The name of the host the connection was being made to. “port” The TCP port the connection was being made to. “timestamp” The (local) time at which the report was generated. Seconds since 1 Jan 1970, UTC. “errorCode” The error code. This is the error code from certificate veri- fication. Here’s a small list of the most commonly-encountered errors: https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox In theory many of the errors from sslerr.h, secerr.h, and pkixnss.h could be encountered.
  • Comparing Javascript Engines

    Comparing Javascript Engines

    Comparing Javascript Engines Xiang Pan, Shaker Islam, Connor Schnaith Background: Drive-by Downloads 1. Visiting a malicious website 2. Executing malicious javascript 3. Spraying the heap 4. Exploiting a certain vulnerability 5. Downloading malware 6. Executing malware Background: Drive-by Downloads 1. Visiting a malicious website 2. Executing malicious javascript 3. Spraying the heap 4. Exploiting a certain vulnerability 5. Downloading malware 6. Executing malware Background: Drive-by Downloads Background: Drive-by Downloads Setup: Making the prototype null while in the prototype creates a pointer to something random in the heap. Background: Drive-by Downloads Environment: gc( ) is a function call specific to Firefox, so the attacker would want to spray the heap with an exploit specific to firefox. Background: Drive-by Downloads Obfuscation: If the browser executing the javascript it firefox,the code will proceed to the return statement. Any other browser will exit with an error due to an unrecognized call to gc( ). Background: Drive-by Downloads Download: The return will be to a random location in the heap and due to heap-spraying it will cause shell code to be executed. Background: Goal of Our Project ● The goal is to decode obfuscated scripts by triggering javascript events ● The problem is when triggering events, some errors, resulting from disparity of different engines or some other reasons, may occur and terminate the progress ● We need to find ways to eliminate the errors and Ex 1therefore generate more de-obfuscated scripts <script> function f(){ //some codes gc(); var x=unescape(‘%u4149%u1982%u90 […]’)); eval(x); } </script> Ex 2 <script type="text/javascript" src="/includes/jquery/jquery.js"></script> Project Overview - Part One ● Modify WebKit engine so that it can generate error informations.
  • Understanding and Mitigating Attacks Targeting Web Browsers

    Understanding and Mitigating Attacks Targeting Web Browsers

    Understanding and Mitigating Attacks Targeting Web Browsers A Dissertation presented in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the field of Information Assurance by Ahmet Salih Buyukkayhan Northeastern University Khoury College of Computer Sciences Boston, Massachusetts April 2019 To my family, teachers and mentors. i Contents List of Figures v List of Tables vii Acknowledgments viii Abstract of the Dissertation ix 1 Introduction 1 1.1 Structure of the Thesis . .2 2 Background 4 2.1 Browser Extensions . .4 2.1.1 Firefox Extensions . .5 2.1.2 Extension Security . .7 2.2 Vulnerabilities in Web Applications . .9 2.2.1 Vulnerability Reward Programs and Platforms . .9 2.2.2 XSS Vulnerabilities . 10 2.2.3 XSS Defenses . 12 3 CrossFire: Firefox Extension-Reuse Vulnerabilities 14 3.1 Overview . 14 3.2 Threat Model . 15 3.3 Design . 16 3.3.1 Vulnerability Analysis . 17 3.3.2 Exploit Generation . 19 3.3.3 Example Vulnerabilities . 20 3.4 Implementation . 23 3.5 Evaluation . 23 3.5.1 Vulnerabilities in Top Extensions . 23 3.5.2 Random Sample Study of Extensions . 25 3.5.3 Performance & Manual Effort . 27 ii 3.5.4 Case Study: Submitting an Extension to Mozilla Add-ons Repository . 28 3.5.5 Jetpack Extensions. 30 3.5.6 Implications on Extension Vetting Procedures . 31 3.6 Summary . 31 4 SENTINEL: Securing Legacy Firefox Extensions 33 4.1 Overview . 33 4.2 Threat Model . 34 4.3 Design . 35 4.3.1 Intercepting XPCOM Operations . 36 4.3.2 Intercepting XUL Document Manipulations .
  • LVI-LFB: Scenarios 3 & 4

    LVI-LFB: Scenarios 3 & 4

    WHITEPAPER Security Load Value Injection in the Line Fill Buffers: How to Hijack Control Flow without Spectre www.bitdefender.com Contents Abstract .............................................................................................................................3 Introduction .......................................................................................................................3 Recap – Meltdown, Spectre & MDS .................................................................................4 Meltdown .................................................................................................................................4 Spectre ..................................................................................................................................... 4 Microarchitectural Data Sampling .......................................................................................... 5 Load Value Injection in the Line Fill Buffers ....................................................................5 Exploiting LVI-LFB: scenarios 3 & 4..................................................................................7 Real-life exploit ..................................................................................................................7 Mitigations .........................................................................................................................8 Conclusions .......................................................................................................................9
  • A Little on V8 and Webassembly

    A Little on V8 and Webassembly

    A Little on V8 and WebAssembly An V8 Engine Perspective Ben L. Titzer WebAssembly Runtime TLM Background ● A bit about me ● A bit about V8 and JavaScript ● A bit about virtual machines Some history ● JavaScript ⇒ asm.js (2013) ● asm.js ⇒ wasm prototypes (2014-2015) ● prototypes ⇒ production (2015-2017) This talk mostly ● production ⇒ maturity (2017- ) ● maturity ⇒ future (2019- ) WebAssembly in a nutshell ● Low-level bytecode designed to be fast to verify and compile ○ Explicit non-goal: fast to interpret ● Static types, argument counts, direct/indirect calls, no overloaded operations ● Unit of code is a module ○ Globals, data initialization, functions ○ Imports, exports WebAssembly module example header: 8 magic bytes types: TypeDecl[] ● Binary format imports: ImportDecl[] ● Type declarations funcdecl: FuncDecl[] ● Imports: tables: TableDecl[] ○ Types memories: MemoryDecl[] ○ Functions globals: GlobalVar[] ○ Globals exports: ExportDecl[] ○ Memory ○ Tables code: FunctionBody[] ● Tables, memories data: Data[] ● Global variables ● Exports ● Function bodies (bytecode) WebAssembly bytecode example func: (i32, i32)->i32 get_local[0] ● Typed if[i32] ● Stack machine get_local[0] ● Structured control flow i32.load_mem[8] ● One large flat memory else ● Low-level memory operations get_local[1] ● Low-level arithmetic i32.load_mem[12] end i32.const[42] i32.add end Anatomy of a Wasm engine ● Load and validate wasm bytecode ● Allocate internal data structures ● Execute: compile or interpret wasm bytecode ● JavaScript API integration ● Memory management
  • Nashorn: Articles, Documents, Slides and Videos

    Nashorn: Articles, Documents, Slides and Videos

    Nashorn: Articles, Documents, Slides and Videos Documents Nashorn User Guide Java Platform, Standard Edition Nashorn User's Guide javax.script Guide Scripting Programming Guide Nashorn JSR-223 Engine Notes Nashorn Extensions Rhino Migration Guide Using Rhino JSR-223 engine with JDK8 Articles Nashorn: The New Rhino on the Block JDK8 + Facebook React: Rendering single page apps on the server Debugger for JDK8’s Nashorn JavaScript in IntelliJ IDEA 13.1 Running Node.js applications on the JVM with Nashorn and Java 8 Writing JavaFX apps using Javascript with the Java 8 Nashorn engine Poor mans live editor... How Java 8 handles JavaScript - A look inside The New Nashorn compiler Nashorn JavaScript Engine JavaFX with Nashorn Canvas example Drabo Constantin: Nashorn Application with NetBeans 8 Fixing Java Nashorn __proto__ Debugging Nashorn javaScript in Netbeans Benjamin Winterberg: Java 8 Nashorn Tutorial Benjamin Winterberg: Using Backbone.js with Nashorn Benjamin Winterberg: Writing Nashorn Command-Line Scripts with Nake GemFire functions with Java 8, Nashorn and Groovy JavaScript engine benchmarks: Nashorn vs V8 vs Spidermonkey Adam Bien: Java 8 + Nashorn Scripting + Mustache = Static Page Generator Adam Bien: Listing All Environment Variables ...With Java 8 And JavaScript Adam Bien: Monitoring GlassFish With Java8 And Nashorn Nashorn - The Combined Power of Java and JavaScript in JDK 8 Nashorn: JavaScript made great in Java 8 Embedding Nashorn And Pass Java Objects To Javascript Java 8: Compiling Lambda Expressions in The New Nashorn JS