
36C3 - Practical Cache Attacks from the Network and Bad Cat Puns - Russian (русский) translation






Our research shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have traditionally been used to leak sensitive data in a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that shares the CPU cache on a cloud platform). With our attack, called NetCAT, we show that this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in an SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally intended as a performance optimization in fast networks, DDIO, as we show, has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.

In this talk, we present the first security analysis of DDIO. Based on our analysis, we present NetCAT, the first network-based cache attack on the last-level cache of a remote machine's processor. We show that NetCAT can break the confidentiality of an SSH session from a third machine without any malicious software running on the remote server or client. The attacker machine does this solely by sending network packets to the remote server. netcat is also a famous utility that hackers and system administrators use to send information over the network. NetCAT is a pun on being able to read data from the network without cooperation from the other machine on the network. However, we received very mixed reactions to that pun. More details on this in the talk.

The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

Michael Kurth


36C3 - Practical Cache Attacks from the Network and Bad Cat Puns


Michael Kurth


36C3 - Practical Cache Attacks from the Network and Bad Cat Puns - German translation


Michael Kurth


Day 2: Critical Decentralisation Cluster (36c3)

Talk timestamps in the description.

The Critical Decentralisation Cluster at the Chaos Communication Congress (36C3) is an area and grouping of like-minded projects, which offer workshops and host a space to critically discuss the future of decentralisation. The cluster at 36C3 is organised by RIAT and the Monero Community. We also host other assemblies in the categories Privacy & Anonymity, Coded Cultures and Open Hardware.




0:00:00 - 0:25:35 : Introduction / Funding models of FOSS (Diego Salazar)

0:25:52 - 0:52:28 : The sharp forks we follow (OmeGak)

0:53:33 - 1:27:16 : The Secret Truecrypt Audit from the BSI (Hanno Böck)

1:53:10 - 2:10:35 : P2P Trading in Cryptoanarchy / BISQ (m52go)

2:26:50 - 2:44:55 : Monero's Adaptive Blockweight Approach to Scaling (Francisco Cabañas)

2:48:19 - 3:20:46 : Nym (Harry Halpin)

3:24:20 - 3:54:58 : Digital Integrity of the Human Person (Alexis)

3:57:02 - 4:12:30 : cyber~Congress (Sergei)

4:24:05 - 4:36:30 : KYC & Crypto-AML Tools (polto)

4:45:40 - 5:15:50 : Parallel Polis, Temporary autonomous zones (Juraj Bednar)

5:46:15 - 6:12:10 : Mandelbot:HAB Open Source Ecotecture & Horizontalism (Scott Beibin)

6:16:50 - 6:46:40 : Adding Namecoin to Tor Browser (Jeremy Rand)

7:11:35 - 7:28:07 : Fair Data Society (Gregor Zavcer)

7:29:14 - 7:32:45 : Open Data PSI (vavoida)

7:33:28 - 8:01:52 : State of Secure Messaging: The Case for OTR (Sophia Celi)

8:10:42 - 8:46:15 : Building an (Actual) Alternative (Deanna MacDonald)

36C3 - Uncover, Understand, Own - Regaining Control Over Your AMD CPU





The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your AMD processor and runs undocumented, proprietary firmware provided by AMD.

It is a processor inside your processor that you don't control. It is essential for system startup. In fact, it runs before the main processor is even started and is responsible for bootstrapping all other components.

This talk presents our efforts investigating the PSP internals and functionality and how you can better understand it.

Our talk is divided into three parts:

The first part covers the firmware structure of the PSP and how we analyzed this proprietary firmware. We will demonstrate how to extract and replace individual firmware components of the PSP and how to observe the PSP during boot.

The second part covers the functionality of the PSP and how it interacts with other components of the x86 CPU, like the DRAM controller or the System Management Unit (SMU). We will present our method for gaining access to the otherwise hidden debug output.

The talk concludes with a security analysis of the PSP firmware. We will demonstrate how to provide custom firmware to run on the PSP and introduce our toolchain that helps build custom applications for the PSP.

This talk documents the PSP firmware's proprietary filesystem and provides insights into reverse-engineering such a deeply embedded system. It further sheds light on how we might regain trust in AMD CPUs despite the delicate nature of the PSP.


Robert Buhren, Alexander Eichner, Christian Werling

36C3 - phyphox: Using smartphone sensors for physics experiments - German translation



An open source project for education, research and tinkering

Modern smartphones offer a whole range of sensors like magnetometers, accelerometers or gyroscopes. The open source app phyphox, developed at the RWTH Aachen University, repurposes these sensors as measuring instruments in physics education.

When put into a salad spinner, the phone can acquire the relation of centripetal acceleration and angular velocity. Its barometer can be used to measure the velocity of an elevator. And when using two phones, it is easy to determine the speed of sound with a very simple method.

In this talk, I will show these possibilities in demonstration experiments, discuss available sensors and their limitations and introduce interfaces to integrate phyphox into other projects.

In this talk, the developer of the phyphox app at RWTH Aachen University will first introduce how sensors in smartphones can be used to enable experimentation and data acquisition in physics teaching, with several demonstrations on stage. Available sensors and their limitations will be discussed, along with interfaces allowing the integration of phyphox into other projects, either as a means to access sensor data or to display data from other sources.

The app is open source under the GNU GPLv3 licence and available for Android (>=4.0) and iOS (>=8.0). It is designed around experiment configurations for physics education at school and university, allowing for a quick setup with a single tap. At the same time, these configurations may be modified by any user to set up customized sensor configurations along with data analysis and data visualization, defined in an XML format. These configurations are Turing complete and can easily be transferred via QR codes, so an experienced user (teacher) can create a specific configuration and allow less experienced users (students) to use it with ease.

Sebastian Staacks

36C3 - From Managerial Feudalism to the Revolt of the Caring Classes - German translation



David Graeber

One apparent paradox of the digitisation of work is that while productivity in manufacturing is skyrocketing, productivity in caring professions (health, education) is actually declining - sparking a global wave of labour struggle. Existing economic paradigms blind us to understanding how economies have come to be organised. We need an entirely new discipline, based on a different set of values.



David Graeber

36C3 - Why the Card10 is not a medical device - English translation



What do medical device manufacturers have to comply with (and what not)?

The talk gives a basic explanation of the criteria by which medical devices are developed. To that end, the most important regulations (laws, standards, ...) that medical device manufacturers must comply with are presented. These determine what manufacturers must implement (and what they need not).
It also answers the question of why, for example, the Apple Watch (or, more precisely, only two of its apps) is a medical device but the card10 is not.



This talk answers the following questions:

What is a medical device in the first place?
What does the law say about it?
What do standards have to do with it?
What do manufacturers usually do to implement these requirements?
What does a typical development process look like?
What about security and safety?
Why are innovations so hard?
What happens after development?
Who oversees all of this?


The focus is mainly on the EU, so as not to exceed the duration of the talk.

Phil

36C3 - Server Infrastructure for Global Rebellion - German translation





In this talk Julian will outline his work as sysadmin, systems and security architect for the climate and environmental defense movement Extinction Rebellion. Responsible for 30 server deployments in 11 months, including a community hub spanning dozens of national teams (some of which operate in extremely hostile conditions), he will show why community-owned free and open source infrastructure is mission-critical for the growth, success and safety of global civil disobedience movements.

An extension of an earlier talk at C-Base Berlin, Julian will give an overview of his own discoveries, platform choices, successes and mistakes meeting the needs of 5-figure at-risk server memberships, from geo-political and legal challenges, to arrest opsec and uptime resilience in the face of powerful adversaries driving attacks on infrastructure and seized activist devices spanning many countries before and during periods of mass civil disobedience. In particular the talk is a call for all sysadmins, opsec and infosec professionals and enthusiasts to rise up and join the fight for current and future generations of all life.

Julian Oliver

36C3 - Hacking the Media: Smuggling Refugees, Pieing Nazis, Forging Passports - English translation



Why we need civil disobedience and subversion more than ever

A humorous look back at the actions of the Peng Kollektiv.

Cop Map on police violence, MaskID on the surveillance state and facial recognition, Adblocker on the advertising industry, CFRO on the financial system, Deutschland geht klauen on supply chains, and the building of the Seebrücke movement for the decriminalisation of sea rescue are only a fraction of the actions that have not yet been presented here since the last visit in 2015.

A tour de force through moments of civil disobedience and subversion, in which we don't take ourselves too seriously and above all aim to work together with social movements.

One hour of concentrated communication guerrilla and funny media actions, but also an insight into possible ways of thinking and options for action that others can take up. What is possible today and, above all, what is necessary?

Conny Runner, Ronny Sommer


Auto-executable Fileless 'IconResource' Payload with Responder 3.0.0 & desktop.ini - 0day Attack



`attrib +s +h desktop.ini`
`attrib +s secrets`

This fileless payload sends a request back to the attacker, who then poisons the request using a tool (Responder) that can be run on just about any Windows machine with the latest patches. This payload is undetectable by AVs and IDS systems. Simply blocking mDNS & LLMNR requests will not prevent such attacks; this is one benefit over previous versions of Responder. Available @

The issue this payload relies on is that Windows keeps the file/directory attributes set by the previous owner, so files hidden on one system remain hidden when they arrive on a different system, and so on.

The attributes being exploited in this demo are the +h & +s flags (the hidden file attribute and the system file attribute). They allow the desktop.ini file to fetch the 'IconResource' value set within the malicious desktop.ini file while remaining completely hidden. Even enabling Show Hidden Files will not show the auto-executing payload.

More info coming very soon!


NOTE: We are sorry for the cursor issue.

36C3 - Getting software right with properties, generated tests, and proofs - German translation



Evolve your hack into robust software!

How do we write software that works - or rather, how do we ensure it's correct once it's written? We can just try it out and run it, and see if it works on a few examples. If the program was correct to begin with, that's great - but if it's not, we're going to miss bugs. Bugs that might crash our computer, make it vulnerable to attacks, stop the factory, endanger lives, or just leave us unsatisfied. This talk is about techniques every programmer can use to avoid large classes of bugs. You think about general properties of the things in your code, verify them through automatically generated tests, and (when it's particularly critical) proofs. This is a surprisingly fun and satisfying experience, and any programmer can do it. You need just a bit of high school math (which we'll refresh in the talk) to get started.


This talk is specifically about accessible techniques: Almost any program, function, or entity has a few interesting properties, and teasing them out will enhance your understanding of what is going on in your software. The next trick is to write out the property in your programming language. People with lots of time and budget can write down enough properties to form a complete specification of the security- and safety-critical parts of a system and prove that they hold for their system. In the talk, we'll instead focus on a dead-simple technique called QuickCheck. (Your programming language almost certainly has a QuickCheck library you can use.) QuickCheck - from the code describing the property - will automatically generate as many test cases as you want, run them, and produce counterexamples for failures. QuickCheck is amazingly effective at flushing out those corner cases that elude traditional unit tests. Finally, for simple properties of pure functions, we can also attempt a proof using simple algebra. The results are a wonderful feeling of satisfaction, and a sound sleep.


Mike Sperber
