Preface:
Hello, I’m Jay Chou.
What’s the first thing that comes to mind when you think about cyberattack techniques?
Is a DDoS?
Is it SQL injection, XSS?
Stack overflow, RCE (remote code execution)?
These are the most common cyber attack techniques, basically network, software, code, programs, things like that.
This is understandable, computer network security, not related to this, but also related to what?
In addition to these, there are some imaginative ways to attack. They may be related to time, vibration, frequency, temperature and other physical related elements. After reading, you will definitely be amazed!
These are different from the traditional software security direction, but from other aspects of the network attack, called side channel attack, also called side channel attack.
Memory frozen
Please consider a question: if the computer suddenly power, the memory of the data will be lost in a moment?
Memory Everyone knows that a computer can’t run without this thing, where program instructions and data are stored. But do you know how a memory stick stores data?
See those black patches in the picture? That’s where memory sticks store data: memory particles.
Inside the memory grain are vlsI’s densely packed memory cells, each holding one bit:
The core component in this cell is a capacitor, and the capacitor has a voltage. If the voltage is within a certain range, the cell is 1, otherwise it is 0. Through countless such cells, constitute gigabit-level storage space.
But if you’ve studied physics, you know that a capacitor is an unstable device. Over time, the charge will leak out, and if left unchecked, the voltage in the memory will eventually go to zero, and the data in memory will be inaccurate.
Therefore, when the memory is working, it is necessary to periodically refresh the data and charge the capacitor. Generally, it takes a charge at most 64ms to save the accuracy of the data.
Ok, so with the background on memory, we return to the question we asked at the beginning of this section: Does the computer suddenly lose all data in memory when it suddenly loses power?
The data in the memory is carried by the capacitor, which is an electronic component. It takes time for the capacitor to charge and discharge, so it can be a bold guess that it takes time for all the data in the memory to disappear even if the power is off.
Someone abroad imagination rich, did an experiment, test memory power, the data inside the passage of time, disappear.
It is not convenient to observe ordinary data, so it is most direct to use pictures. In the experiment, a picture of Mona Lisa was loaded into memory, and then the power was cut off. Then, the changes of this picture after different time were calculated:
It can be seen that within 5s after the power failure, the image data can not be seen with the naked eye, and it has little influence on the image data after 30s. It can be seen vaguely after 1 minute, and completely invisible after 5 minutes.
More importantly, if the temperature is lower, the charge in the capacitor will escape more slowly. The following table compares the data error rate of the test memory module under normal and frozen conditions
As shown above, the red box is at minus 50 degrees Celsius, and the blue box is at minus 50 degrees Celsius. As you can see, the data error rate is zero after one minute of freezing, and even after 300 seconds (5 minutes), the error rate is a staggering 0.0095%.
So a new kind of attack has emerged: using memory freezing to extract data from memory sticks.
What data is in memory? The password keys for many programs may be stored in memory, typically the Windows boot password.
Think your computer is safe if it’s turned off? Not so!
Fuse and ghost
We should be familiar with fuse breaker and ghost vulnerability attacks. When they just broke out in 2017, they captured the headlines of numerous media, showing their wide influence.
Before we talk about this bug, let’s read a story.
Those of you who have studied the constitution of a computer probably know that the CPU has two important characteristics: branch prediction and out-of-order execution.
In the execution of the decision branch (such as if decision), the CPU will be based on its own “experience” to determine which branch it is likely to walk into later, so as to perform some of the branch instructions in advance, this is called branch prediction.
In addition, when the CPU executes some instructions, it may not execute the next one in accordance with the sequence, but may pre-execute some instructions that the CPU thinks can be executed in advance and have nothing to do with the program flow, which is called out-of-order execution.
But the CPU thinks it can be executed in advance, so can it really be executed in advance? The execution may have no effect on the process of the program itself, but will there be any side effects?
I’ll leave that for a moment, but let’s look at another concept: caching.
CPU execution programs need to communicate frequently with memory to read or write data. Memory, however, is much slower to respond than the CPU, so the CPU creates an internal cache to store the most recently used data, avoiding the need to access the memory every time and improving efficiency.
Therefore, there is a time difference between reading a data from memory and reading it from cache.
Fuse and Ghost took advantage of this to launch a system attack.
If you want to read data from the operating system kernel, but because of the system security mechanism, the application cannot directly access the kernel space, but this vulnerability can help you to read data from the kernel space.
The following program is executed dozens of times, each time the x is less than 16, each time into the same branch, training the CPU, let it gain some “experience”, let it think < 16 is the most likely to execute the branch, and then enable out-of-order execution, execute the instruction in the branch x < 16 in advance.
void bad_guy(int x) { if (x < 16) { temp &= array2[array1[x] * 512]; }}Copy the codeLet’s see, in the example above, the x < 16 branch accesses memory through array1. If x suddenly has a large number, the memory addresses accessed through array1[x] overflow into kernel space.
The effect of out-of-order execution is to precompute array1[x] * 512 and use it as a subscript to access the contents of array2 array, which is then loaded from the memory into the CPU cache.
Suddenly, a parameter greater than 16 comes in, and its pre-execution command is in vain.
Then, the CPU discovers that x is greater than 16 and should not go to the branch, and the work described above is useless.
It did nothing, but it did one thing: it moved the subscript of Array2 from memory to cache.
By accessing each element of array2 in turn, you can know the previous subscript, and further infer the value of that kernel space.
Then, by constantly changing the input of X, you can know the data of any kernel address space.
This is the core idea of the fuse and ghost vulnerability: infer kernel data through branch prediction + out-of-order execution + cache memory access time differences.
Timing attacks
Fuse break and ghost actually use the time difference between CPU accessing memory and cache to reveal information, so as to realize data leakage. That is to say, the core of using is the physical quantity time.
Another classic attack using time is the timing attack.
For example, if you want to write a function in C to determine whether the entered password is correct, you might write:
bool check_passwd(char* input) { bool result = false; const char* passwd = "XiaoBaiGe2021"; if (input) { if (strlen(input) ! = strlen(passwd)) { return false; } const char* p1 = input; const char* p2 = passwd; while (*p1 && *p2) { if (*p1 == *p2) { p1++; p2++; } else { break; } } if (*p1 == '\0' && *p2 == '\0') { result = true; } } return result; }Copy the codeIn this function, the length comparison is performed before the formal string comparison. If the length is different, the comparison is not needed to save time.
But what appears to be a clever move may actually provide information to attackers.
By entering strings of different lengths, and discovering that the program takes different amounts of time to verify, an attacker might guess the length of the real password.
In the subsequent validation process, starting to compare each bit of the string bit by bit may seem fine at first glance, but the same problem is that if the first bit of the comparison is wrong, the program exits very early, and if the comparison takes a relatively long time, then the first few bits of the password may be correct.
Isn’t it amazing how quickly a password can be cracked with this information and a lot of trial and error? This is a real case of what happened.
Regular expression
Regular expressions are widely used in the fields of string verification, text extraction, formatting and parsing, etc. Almost all mainstream programming languages have corresponding libraries.
But do you know how a regular expression parsing engine works, and how passing in certain strings can cause the parsing engine to fall into a huge computational trap?
An important school of regular expression parsing engines is based on NFA, which is a kind of state machine. As the parsing engine parses character by character, the state machine may have a different next state. Since there are many next states for each state, the parsing engine may keep going down this link until it finds a match.
Here’s an example from white Hat on Web Security:
Here is a regular expression: ^(a+)+$
If you type four characters ‘aaaa’, the parsing engine will run like this:
It has only 16 paths, and it can be taken very quickly.
However, if the input character A is greatly increased, the execution path will explode.
As you can see, as the string length increases, the time taken begins to double. What happens if you type 64 characters a?
CPU spinning, program unresponsive, denial of service attack DOS!
Surprisingly, you can make the server unresponsive just by typing a regular expression string.
【 Technical Document & white Hat on Web Security HD electronic version 】
conclusion
The above is today to introduce some side channel attack technology.
In addition to these cases, information such as CPU utilization, frequency of CPU electrical signals, etc., can also reveal a lot of valuable information. Side channel attack technology is not just the black technology in the movie, but the attack that might happen in real life.