
Hi everyone, this is Jay Chou.

When it comes to cyber attack techniques, what is the first thing that comes to your mind?

Is it DDoS?

Is it SQL injection or XSS?

Or stack overflows and RCE (remote code execution)?

These most common attack techniques all target the network, software, code and programs.

That is easy to understand: what else would computer security be about, if not those?

Today I want to introduce attack techniques that go beyond them and that will open your mind a little. The things they exploit may be time, vibration, frequency, temperature and so on. After reading this you will be surprised.

They differ from the traditional software-security approach in that they attack the system from the "side" rather than from the front, which is why they are called side-channel attacks.

Memory freezing (the cold boot attack)

Please think about a question: if a computer suddenly loses power, does the data in its memory disappear instantly?

Everyone knows that memory is essential to a computer's operation: program instructions and data live there. But do you know how a memory stick physically stores that data?

[image]

Do you see the black chips in the picture? That is where the memory stores its data: the DRAM chips (the "memory particles").

Inside each chip is a very large scale integrated circuit, densely packed with storage cells, and each cell stores one bit:

[image]

The core component of a cell is a capacitor, and the capacitor holds a voltage. If the voltage is within a certain range the cell reads as 1, otherwise as 0. Countless such cells together form gigabytes of storage space.

But anyone who has studied physics knows that a capacitor does not hold its charge: over time the charge leaks away. Left uncontrolled, the voltage in every cell of the memory stick would eventually fall to 0 and the data in memory would be lost.

Therefore, while the memory is working, the data has to be refreshed regularly, recharging the capacitors. Typically every cell must be refreshed at least once every 64 ms to keep the data intact.

Alright, the background on memory is done, so back to the question from the start of this section: when the computer is suddenly powered off, does the data in memory disappear in an instant?

The data in memory is held by electronic components, the capacitors. Charging and discharging a capacitor takes time, so you can boldly guess that even after the power is cut, it takes a while for all the data in memory to disappear.

Researchers abroad had a bold idea and ran an experiment to measure how the data in a memory stick fades with time after the power is cut.

Ordinary data is hard to observe; an image is the most direct. In the experiment a picture of the Mona Lisa was loaded into memory, the power was cut, and the picture was read back after different delays:

[image]

You can see that within 5 s of the power going off the picture shows no visible change; after 30 s it is only slightly affected; after one minute it is faintly recognisable; and after 5 minutes it is gone.

More importantly, the lower the temperature, the more slowly the charge leaks out of the capacitors. The table below compares the data error rate of a test memory module at room temperature and when frozen.

[image: table]

In the figure, the red box is the unfrozen module and the blue box is the module cooled to minus 50 degrees Celsius. When frozen, the error rate is still 0 after one minute, and even after 300 seconds (5 minutes) it is only an astonishing 0.0095%.

Hence a new attack method: freeze the memory module, cut the power, and read its contents out before they fade. This is the cold boot attack.


What is in memory? The passwords and keys of many programs may be sitting there. The typical example is the Windows logon password, and the keys of full-disk encryption software are in RAM too for as long as the disk is unlocked.

Think it’s safe to shut down the computer? This is not the case!
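What does "extract data from the memory stick" look like in practice? The following is an added example, written for this page rather than taken from the article or from the original cold boot research, in Python. It models the last step of the attack: searching a RAM image for an AES-128 key. The key schedule (FIPS-197) is 176 bytes with a fixed structure, so it can be spotted in a dump, and because every one of its 11 rounds determines the key, the key can be recovered even after some bits have decayed. The RAM image, the key position (offset 700), the test key (the public FIPS-197 Appendix A.1 vector) and the decay model (each set bit falling to 0 with probability 0.5%, a simplification of the ground-state decay seen in the experiment above) are all constructed inside the code.

```python
# Added example: recover an AES-128 key from a decayed RAM image, the key-search
# step at the end of a cold boot attack. Image, key position and decay model are
# constructed below; nothing is read from real hardware.
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map (FIPS-197 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):                      # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _g(word, rcon):
    """Key-expansion core on one 32-bit word: RotWord, SubWord, XOR the round constant."""
    b = word.to_bytes(4, "big")
    b = b[1:] + b[:1]
    return int.from_bytes(bytes(SBOX[x] for x in b), "big") ^ (rcon << 24)

def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 44 words (176 bytes) as 32-bit ints."""
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(4, 44):
        t = _g(w[i - 1], RCON[i // 4 - 1]) if i % 4 == 0 else w[i - 1]
        w.append(w[i - 4] ^ t)
    return w

def key_from_round(words, r):
    """Run the expansion backwards: the four words of round r give back the 16-byte key."""
    w = list(words)
    for rr in range(r, 0, -1):
        w3, w2, w1 = w[3] ^ w[2], w[2] ^ w[1], w[1] ^ w[0]
        w = [w[0] ^ _g(w3, RCON[rr - 1]), w1, w2, w3]
    return b"".join(x.to_bytes(4, "big") for x in w)

def _hamming(a, b):
    return bin(a ^ b).count("1")

def find_aes128_keys(dump, max_bad_bits=64):
    """Scan a memory image for AES-128 key schedules; returns [(offset, key, decayed_bits)]."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        w = [int.from_bytes(dump[off + 4 * i:off + 4 * i + 4], "big") for i in range(44)]
        # Cheap filter: for 30 of the 44 words w[i] == w[i-4] ^ w[i-1] holds with no
        # S-box work, and one decayed bit can break at most three of these relations.
        quick = sum(_hamming(w[i], w[i - 4] ^ w[i - 1]) for i in range(4, 44) if i % 4)
        if quick > 3 * max_bad_bits:
            continue
        # Redundancy: derive a key candidate from every round. An undecayed round gives the
        # exact key, whose re-expanded schedule differs from the window only in the decayed
        # bits; a candidate derived from a decayed round is far off and loses the vote.
        bad, key = min((sum(_hamming(a, b) for a, b in zip(expand_key(k), w)), k)
                       for k in (key_from_round(w[4 * r:4 * r + 4], r) for r in range(11)))
        if bad <= max_bad_bits:
            hits.append((off, key, bad))
    return hits

def decay(image, fraction, seed):
    """Cold boot decay model: each set bit falls to its ground state 0 with probability `fraction`."""
    rng = random.Random(seed)
    out = bytearray(image)
    for i, byte in enumerate(image):
        for bit in range(8):
            if (byte >> bit) & 1 and rng.random() < fraction:
                out[i] &= 0xFF ^ (1 << bit)
    return bytes(out)

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 test key
KEY_OFFSET = 700                                           # arbitrary place in the constructed image

def build_dump(seed=7):
    """Constructed 2 KiB 'RAM image': random filler with the key schedule embedded, then 0.5% decay."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[KEY_OFFSET:KEY_OFFSET + 176] = b"".join(x.to_bytes(4, "big") for x in expand_key(KEY))
    return decay(bytes(image), 0.005, seed)

def demo():
    """[(offset, key_hex, decayed_bits)] for every schedule found in the constructed image."""
    return [(off, k.hex(), bad) for off, k, bad in find_aes128_keys(build_dump())]
```

demo() returns the offset, the recovered key and the number of bits that had decayed inside the schedule. Raising the decay fraction in build_dump shows the failure mode: once every one of the 11 rounds contains an error no candidate is exact, and real recovery tools fall back to bit-by-bit error correction using the same schedule relations. The practical defence is to keep secrets out of DRAM or scrub them at shutdown, and to treat a sleeping or locked machine as an unlocked one.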

Meltdown and Spectre

We should all be familiar with the Meltdown and Spectre vulnerabilities (literally "fuse" and "ghost" in their Chinese names). Discovered in 2017 and disclosed at the start of 2018, they occupied the headlines of countless media outlets, which shows how wide their impact was.


Before explaining the vulnerabilities, please read a short story:

[image]

Anyone who has studied computer organisation may know that a CPU has two important features: branch prediction and out-of-order (speculative) execution.

When execution reaches a conditional branch (an if statement, say), the CPU uses its "experience" to guess which way the branch will probably go and starts executing instructions from that path ahead of time. This is branch prediction.

In addition, the CPU does not necessarily execute instructions strictly one after the other: it may run ahead and execute instructions it believes are independent of the program flow and safe to do early. This is out-of-order execution.


But when the CPU thinks an instruction can safely be executed early, is it really safe? The result may not change the program's own flow, but does it leave any side effects behind?

Let’s leave this question for a while, let’s look at another concept first: cache.

To execute a program the CPU constantly talks to memory, reading and writing data. But memory responds far more slowly than the CPU, so the CPU keeps an internal cache and places recently used data there, so that not every access has to go out to memory. This improves efficiency.


So reading a piece of data from memory and reading it from the cache take measurably different amounts of time.

Meltdown and Spectre exploit exactly this point.

Suppose you want to read operating-system kernel data. Because of the system's protection mechanisms an application cannot access kernel space directly, but this class of vulnerability lets you read it anyway.

Run the following function dozens of times, each time with x less than 16. Every call takes the same branch, which trains the CPU's predictor with the "experience" that x < 16 is highly likely; from then on, speculative execution will run the instructions inside the x < 16 branch before the check has actually been resolved.

#include <stdint.h>

uint8_t array1[16];            /* the array x is meant to index */
uint8_t array2[256 * 512];     /* probe array: one cache line (512 bytes here) per possible byte value */
uint8_t temp;

void bad_guy(int x) {
 if (x < 16) {
  temp &= array2[array1[x] * 512];   /* the secret byte array1[x] selects which line gets cached */
 }
}

Look at the example: the x < 16 branch reads memory through the array1 array. Now suppose x suddenly becomes a large number, so that array1[x] reaches far past the array into memory the program is not allowed to read (kernel space, in the Meltdown case).

Because of speculative execution, array1[x] * 512 is computed ahead of time and used as an index into array2, and the element at that index is loaded from memory into the CPU cache.

Then the CPU resolves the branch and discovers that this x was not less than 16 after all: the branch should not have been taken, and the work done ahead of time is discarded.

Discarded, but not without a trace: the load brought the array2 element selected by that index from memory into the cache.

Now read each of the 256 cache-line-sized slots of array2 in turn and time every access. The one that comes back fast is the one that was just cached, and its index is the value of array1[x], that is, the secret byte.

Change x step by step and you can read out the data at any address this way, including kernel space.

This is the core idea of Meltdown and Spectre: infer protected data through branch prediction + speculative execution + the timing difference between cache and memory accesses.
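A toy model of the loop just described, added here as an illustration and not the article's code: it is not a working exploit, because Python cannot provoke real speculative execution, so the CPU, its one-bit branch predictor and its cache are explicit objects. What it reproduces faithfully is the attacker's side: train the predictor, flush the cache, call the gadget with a malicious x, probe the 256 lines of array2, and turn the hot line back into the byte at array1[x]. The memory layout (array1 at address 0, the secret at 64, array2 at 4096) and the secret string are constructed for the demo.

```python
# Added example: a toy model of the Spectre-v1 cache covert channel. Python cannot
# trigger speculative execution, so CPU, branch predictor and cache are simulated;
# the decode logic (hot array2 line -> value of array1[x]) is the real thing.
LINE = 512                              # gadget stride: one cache line per byte value

class ToyCPU:
    def __init__(self, memory, array1_base, array1_size, array2_base):
        self.mem = memory               # victim's flat address space (bytearray)
        self.array1_base, self.array1_size = array1_base, array1_size
        self.array2_base = array2_base
        self.cached = set()             # line numbers currently held in the cache
        self.predict_taken = False      # predictor state for the branch "x < array1_size"

    def load(self, addr):
        """A memory read: afterwards the data's cache line stays cached (the side effect)."""
        self.cached.add(addr // LINE)
        return self.mem[addr]

    def flush(self):
        self.cached.clear()

    def is_cached(self, addr):
        return addr // LINE in self.cached

    def victim(self, x):
        """The gadget from the article: if (x < 16) temp &= array2[array1[x] * 512];"""
        in_bounds = x < self.array1_size
        if self.predict_taken and not in_bounds:
            # Misprediction: the body runs speculatively with an out-of-bounds x. Its
            # result is thrown away, but the two loads have already filled the cache.
            secret = self.load(self.array1_base + x)
            self.load(self.array2_base + secret * LINE)
        elif in_bounds:
            self.load(self.array2_base + self.load(self.array1_base + x) * LINE)
        self.predict_taken = in_bounds  # the predictor learns the resolved outcome

def leak_byte(cpu, x, rounds=5):
    """Train, flush, poison with x, then probe: which array2 line is hot?"""
    for i in range(rounds):
        cpu.victim(i % cpu.array1_size)        # in-bounds calls teach "taken"
    cpu.flush()                                 # evict array2 (clflush in a real PoC)
    cpu.victim(x)                               # the malicious call
    hot = [v for v in range(256) if cpu.is_cached(cpu.array2_base + v * LINE)]
    return hot[0] if len(hot) == 1 else None   # exactly one hot line names the byte

def leak_range(cpu, addr, length):
    """Read `length` bytes at `addr` by sweeping x = addr - array1_base + i."""
    out = bytearray()
    for i in range(length):
        b = leak_byte(cpu, addr - cpu.array1_base + i)
        out.append(b if b is not None else ord("?"))
    return bytes(out)

SECRET = b"The Magic Words are Squeamish Ossifrage."   # constructed secret for the demo
SECRET_ADDR = 64                                       # just past array1 (16 bytes at 0)

def build_victim():
    """Constructed address space: array1 at 0, secret at 64, array2 at 4096 (no line overlap)."""
    mem = bytearray(4096 + 256 * LINE)
    mem[0:16] = bytes(range(16))
    mem[SECRET_ADDR:SECRET_ADDR + len(SECRET)] = SECRET
    return ToyCPU(mem, array1_base=0, array1_size=16, array2_base=4096)

def demo():
    """Leak the whole secret through the cache side channel of the toy CPU."""
    return leak_range(build_victim(), SECRET_ADDR, len(SECRET))
```

In a real Spectre v1 proof of concept, is_cached is a timed read of each line (rdtscp around the access), flush is clflush, and the misprediction has to be won by racing the bounds check, which is why real code repeats each measurement and takes a vote. The fix on the victim side is to stop the speculative access itself, for example by masking the index to the array bounds or placing a speculation barrier (lfence) after the check. Meltdown differs in that it reads kernel memory directly from user mode and was mitigated by unmapping the kernel from user page tables (KPTI).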

Timing attack

Meltdown and Spectre use the difference between the time of a memory access and the time of a cache access to reveal information. In other words, the physical quantity at their core is time.

Another classic attack method that uses time is a timing attack.

To give you an example, if you want to write a function in C language to determine whether the entered password is correct, someone might write:

#include <stdbool.h>
#include <string.h>

/* Deliberately naive: the run time depends on the input (see below). */
bool check_passwd(char* input) {
  bool result = false;
  const char* passwd = "XiaoBaiGe2021";
  if (input) {
    /* Early exit on a length mismatch: fast, but it reveals the real length. */
    if (strlen(input) != strlen(passwd)) {
      return false;
    }

    const char* p1 = input;
    const char* p2 = passwd;
    /* Stops at the first differing byte: the run time grows with the matching prefix. */
    while (*p1 && *p2) {
      if (*p1 == *p2) {
        p1++;
        p2++;
      } else {
        break;
      }
    }

    if (*p1 == '\0' && *p2 == '\0') {
      result = true;
    }
  }

  return result;
}

In this function the lengths are compared before the actual string comparison. If they differ there is no need to compare further, which saves time.

But this seemingly clever approach actually hands the attacker information.

By entering strings of different lengths, the attacker finds that the check takes different amounts of time, and can guess the length of the real password.

The byte-by-byte comparison that follows has the same problem. At first glance it looks fine, but if the first byte is wrong the function returns immediately, and if the comparison takes longer it means the first few bytes of the password are probably correct.

With this information and repeated attempts, the password can be recovered in a short time. Does it sound incredible? This has happened in real cases.

Regular expressions


Regular expressions are widely used in the fields of string verification, text extraction, formatting and parsing, and basically all mainstream programming languages have corresponding libraries.

But do you know how a regular-expression engine works? Do you know that certain inputs can drive the engine into an enormous amount of computation?

An important family of regex engines is based on the NFA, a state machine. As the engine consumes the input character by character, the state machine moves to a next state, and since a state can have several possible next states, the engine follows one path as far as it goes, and if that path fails it backs up and tries the others until it finds a match.

For example, take the example from the book "White Hat Talks about Web Security" (白帽子讲Web安全).


There is a regular expression like this: ^(a+)+$

If you enter the four characters 'aaaa', the engine's execution goes like this:

There are only 16 paths, so it finishes quickly.

However, if the input character a increases by a large amount, the execution path will increase sharply.

[image]

You can see that as the string gets longer the time taken roughly doubles with every character added. What happens if you enter 64 characters of a?

The CPU maxes out, the program stops responding, and the service is down: a denial-of-service (DoS) attack.

Who would have thought that just entering a string into a regular expression could make a server unresponsive.
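As an added example (not from the book or the article), the following Python models the engine's backtracking on exactly this pattern, counting the (a+) attempts, and times the real re module on the same inputs next to a rewrite without the nested quantifier. The counter reproduces the doubling: 2^n - 1 attempts for n a's followed by a character that cannot match.

```python
# Added example: why ^(a+)+$ explodes. A minimal backtracking matcher for this one
# pattern counts the paths a naive engine explores; Python's own re module (which
# backtracks too) is timed on the same inputs next to a pattern without the nesting.
import re
import time

def nested_plus_steps(text):
    """Emulate a backtracking engine on ^(a+)+$ and count every (a+) attempt.

    Like a greedy engine, each (a+) first grabs as many 'a's as it can, then gives
    them back one at a time; every shorter grab starts a new outer '+' iteration.
    Returns (matched, steps).
    """
    steps = 0
    n = len(text)

    def group(pos):                       # one iteration of the outer '+', starting at pos
        nonlocal steps
        end = pos
        while end < n and text[end] == "a":
            end += 1
        for cut in range(end, pos, -1):   # longest a+ first, then backtrack shorter
            steps += 1
            if cut == n or group(cut):    # '$' reached, or the remainder matches
                return True
        return False

    return group(0), steps

def time_match(pattern, text):
    """(matched, seconds) for the real re engine."""
    t0 = time.perf_counter()
    matched = re.match(pattern, text) is not None
    return matched, time.perf_counter() - t0

def demo(sizes=(12, 14, 16, 18)):
    """Rows of (n, backtracking steps, seconds for ^(a+)+$, seconds for the safe ^a+$)."""
    rows = []
    for n in sizes:
        bad_input = "a" * n + "!"                  # almost matches, forcing full backtracking
        _, steps = nested_plus_steps(bad_input)
        _, slow = time_match(r"^(a+)+$", bad_input)
        _, fast = time_match(r"^a+$", bad_input)   # same language, no nested quantifier
        rows.append((n, steps, slow, fast))
    return rows
```

demo() returns (n, steps, seconds for ^(a+)+$, seconds for ^a+$); the step column doubles with every added character while the rewritten pattern stays flat. The rewrite is the right fix here because (a+)+ and a+ describe the same strings. Where a pattern cannot be simplified, the defences are bounding the input length before matching, running the match in a worker with a deadline, or using an engine that guarantees linear time (RE2 and Go's regexp do; Python's re does not).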


Summary

Those are the side-channel attack techniques I wanted to introduce today.


Author: 代码熬夜敲 (李志宽), former top-100 creator, penetration-testing expert, a quietly flamboyant man with his own rock band.