Creating a Spider Goat: Using Transactional Memory Support for Security

Presented at Black Hat USA 2014, Aug. 7, 2014, 5 p.m. (60 minutes)

Often a solution from one area helps solve problems in a completely different field. In this session, we will show you how Intel CPU improvements designed to speed up computation have boosted security by creating a flexible memory monitor capable of detecting and reversing unauthorized memory changes.

Modern CPUs support the detection and resolution of memory conflicts between multiple threads that access the same data; in modern Intel CPUs this is called Transactional Synchronization Extensions (TSX). Hardware-supported TSX (exposed through the XBEGIN and XEND instructions) helps avoid expensive software locks: TSX automatically detects read/write memory conflicts and rolls back the corresponding RAM changes.

We will show how TSX capabilities can be used for security. A special security thread reads protected RAM cells (data or code) in TSX mode; any other (potentially malicious) thread writing to the same cells causes the CPU to abort the transaction. The abort context can be attributed to the address of the unauthorized memory write and to the instruction that caused it. We will discuss the following practical security scenarios:

- Detecting unwanted memory accesses by suspicious threads and rolling them back (for example, in a HIPS system, to verify whether the code is malicious)
- Detecting the execution of suspected shellcode (with rollback of all RAM changes the code performed)
- Detecting memory changes with TSX but without the rollback capability, which could be highly useful for kernel and hypervisor self-protection (such as Microsoft PatchGuard)

We will show a demo of TSX detecting malicious RAM modifications.

There are three leading security benefits of using TSX to monitor protected memory areas:

- Fully flexible, via read accesses made by the security thread
- Operates in hardware, leading to minimal overhead
- Provides automatic rollback of memory changes (which is prohibitively expensive in software)

We will also discuss potential problems, for example a DoS attack on TSX that exhausts the Level 1 cache.
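The following C program is an added illustration of the two monitoring modes the abstract describes; it is not code from the presentation or from Intel or McAfee. It assumes GCC or Clang on x86 Linux with pthreads and uses the RTM intrinsics from immintrin.h. The rollback path performs a store inside a transaction and then aborts it, so the hardware discards the store; the detection path has a monitor thread read a guarded region in TSX mode while a second thread writes to it, so the monitor's transaction aborts with the conflict bit set. Because the abort status only reports the reason for the abort, this example attributes the change by diffing the region against a trusted snapshot; that attribution method, the constants REGION_SIZE and the sample arrays are this example's own assumptions. On non-x86 builds, or on CPUs that do not advertise RTM, every transactional path reports TSX_UNSUPPORTED.

```c
/* Added example: a minimal RTM ("TSX") memory monitor in the spirit of the talk.
 * Not code from the presentation or from Intel/McAfee. Assumes GCC/Clang on x86
 * Linux with pthreads; elsewhere the transactional paths report TSX_UNSUPPORTED. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#include <immintrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Architectural abort-status bits returned in EAX when XBEGIN aborts. */
#define RTM_ABORT_EXPLICIT (1u << 0)  /* XABORT executed; its imm8 sits in bits 31:24 */
#define RTM_ABORT_CONFLICT (1u << 2)  /* another logical processor touched our read/write set */
#define RTM_ABORT_CODE(s)  ((unsigned)(s) >> 24)

enum monitor_result {
    TSX_UNSUPPORTED = -1, /* no RTM on this CPU, or not an x86 build */
    TSX_CLEAN = 0,        /* transactions committed; no concurrent write observed */
    TSX_CONFLICT = 1,     /* conflict abort: another thread wrote to a guarded cell */
    TSX_OTHER_ABORT = 2   /* RTM advertised but no transaction ever committed */
};

#define REGION_SIZE 256
static volatile uint8_t protected_region[REGION_SIZE]; /* the guarded "RAM cells" */
static uint8_t trusted_snapshot[REGION_SIZE];          /* trusted copy taken before monitoring */
static atomic_int writer_done;

/* Constructed sample data for find_first_change(): the two arrays differ at offset 2. */
const uint8_t sample_region[8]   = {1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t sample_snapshot[8] = {1, 2, 9, 4, 5, 6, 7, 8};

/* CPUID.(EAX=7,ECX=0):EBX bit 11 advertises RTM. */
int tsx_supported(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7) return 0;
    __cpuid_count(7, 0, a, b, c, d);
    return (int)((b >> 11) & 1u);
#else
    return 0;
#endif
}

/* Map a raw abort status to the monitor's verdict. */
enum monitor_result classify_abort(unsigned status) {
    return (status & RTM_ABORT_CONFLICT) ? TSX_CONFLICT : TSX_OTHER_ABORT;
}

/* The abort status says only why we aborted, not which cell changed; this example
 * attributes the change by diffing against the trusted snapshot. Returns -1 if none. */
long find_first_change(const volatile uint8_t *region, const uint8_t *snapshot, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (region[i] != snapshot[i]) return (long)i;
    return -1;
}

#if HAVE_X86
/* One monitoring pass: read every guarded cell inside a transaction (putting it in the
 * read set), linger briefly, then commit. Returns _XBEGIN_STARTED on commit, else the status. */
static __attribute__((target("rtm"))) unsigned monitor_pass(void) {
    unsigned status = _xbegin();
    if (status != _XBEGIN_STARTED) return status;
    volatile unsigned sink = 0;
    for (size_t i = 0; i < REGION_SIZE; i++) sink += protected_region[i];
    for (int spin = 0; spin < 2000; spin++) __builtin_ia32_pause();
    _xend();
    return _XBEGIN_STARTED;
}

/* Rollback scenario: an "unauthorized" store inside a transaction followed by an explicit
 * abort; the hardware discards the store. Returns 0 if cell 0 still holds its old value. */
static __attribute__((target("rtm"))) int rollback_pass(void) {
    protected_region[0] = 0x11;
    if (_xbegin() == _XBEGIN_STARTED) {
        protected_region[0] = 0xEE; /* the store that must be rolled back */
        _xabort(0x42);              /* 0x42 is reported via RTM_ABORT_CODE */
    }
    return protected_region[0] == 0x11 ? 0 : 1;
}

static void *writer_thread(void *arg) {
    (void)arg;
    for (int i = 0; i < 200; i++) {
        protected_region[100] ^= 0xFF; /* the unauthorized modification */
        for (int spin = 0; spin < 500; spin++) __builtin_ia32_pause();
    }
    atomic_store(&writer_done, 1);
    return NULL;
}
#endif

/* Returns 0 (store rolled back), 1 (store survived), or -1 (unsupported). */
int run_rollback_demo(void) {
#if HAVE_X86
    if (tsx_supported()) return rollback_pass();
#endif
    return -1;
}

/* Detection-without-rollback scenario: the writer's store is NOT undone; only the
 * monitor's transaction aborts, which is the kernel/hypervisor self-protection case. */
enum monitor_result run_detection_demo(void) {
#if HAVE_X86
    if (!tsx_supported()) return TSX_UNSUPPORTED;
    memset((void *)protected_region, 0, REGION_SIZE);
    memcpy(trusted_snapshot, (const void *)protected_region, REGION_SIZE);
    atomic_store(&writer_done, 0);
    pthread_t writer;
    if (pthread_create(&writer, NULL, writer_thread, NULL) != 0) return TSX_OTHER_ABORT;
    unsigned commits = 0, conflicts = 0;
    while (!atomic_load(&writer_done)) {
        unsigned status = monitor_pass();
        if (status == _XBEGIN_STARTED) { commits++; continue; }
        if (classify_abort(status) == TSX_CONFLICT && conflicts++ == 0)
            printf("conflict abort; first differing cell: %ld\n",
                   find_first_change(protected_region, trusted_snapshot, REGION_SIZE));
    }
    pthread_join(writer, NULL);
    if (conflicts) return TSX_CONFLICT;
    return commits ? TSX_CLEAN : TSX_OTHER_ABORT;
#else
    return TSX_UNSUPPORTED;
#endif
}

int main(void) {
    printf("RTM advertised by CPUID: %s\n", tsx_supported() ? "yes" : "no");
    printf("rollback demo: %d (0 = rolled back, -1 = unsupported)\n", run_rollback_demo());
    printf("detection demo: %d (1 = conflict, 0 = clean, 2 = forced aborts, -1 = unsupported)\n",
           (int)run_detection_demo());
    return 0;
}
```

Build with `gcc -O1 -pthread tsx_monitor.c -o tsx_monitor` (assumed file name). Two caveats matter in practice: RTM gives no forward-progress guarantee, so a monitoring pass can also abort on interrupts or cache capacity, which is why only the conflict bit is treated as evidence of a write; and on CPUs where RTM is advertised but every transaction is forced to abort, the program reports TSX_OTHER_ABORT rather than a false "clean" verdict.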

Presenters:

  • Alex Nayshtut - Intel
    Working for Intel since 2001, Alex has held several engineering and product management positions. In his current role, Alex is a Security and Cloud Architect in the Business Client Platform Division. Alex received his Bachelor of Science in Information Systems Engineering from the Ben-Gurion University of the Negev in Israel and holds the Information Systems Security Architecture Professional certification (CISSP-ISSAP) as well as a line of additional professional certifications in the Information Security domain. His expertise is in the Security and Connectivity domain, specializing in Identity and Access Management and Data Protection. Alex has vast experience presenting at Intel internal conferences and training courses. In addition, Alex evangelizes and practices innovation: he has authored 20 filed US patents.
  • Igor Muttik - McAfee / Intel
    Igor Muttik (PhD) is a Senior Principal Architect with McAfee Labs (part of Intel Security) in the UK. He started researching computer malware in the 1980s, when the anti-virus industry was in its infancy. Igor holds a PhD in physics and mathematics from Moscow State University. His research is currently focused on protecting mobile/IoT devices and on hardware-assisted security technologies. He is a regular speaker at major international security conferences (RSA, DEF CON and many others) and a member of CARO.
