Hallo Du!
Bevor du loslegst den Talk zu transkribieren, sieh dir bitte noch einmal unseren Style Guide an: https://wiki.c3subtitles.de/de:styleguide. Solltest du Fragen haben, dann kannst du uns gerne direkt fragen oder unter https://webirc.hackint.org/#irc://hackint.org/#subtitles erreichen.
Bitte vergiss nicht deinen Fortschritt im Fortschrittsbalken auf der Seite des Talks einzutragen.
Vielen Dank für dein Engagement!

Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles.
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!

========================================================================



 You probably remember the meltdown attacks in 2000, 18, and it was a pretty big flaw in modern use and the abuse that came afterwards or got fixed. They probably they seem to be fixed and the problem meltdown seems to be solved. Well, Michael Moritz and Danielle, they will show us that this is not the case. A new attack named Somebody Lode is possible. And in the following hour, we'll learn all about it. Please give a really warm round of applause to Moritz, Michael and Daniel. Thank you for this introduction. Welcome, everyone, to our talk about this some below at Tech. So my name is Smith and Spots. I'm a postdoc at Qatar University of Technology in Austria. So you can find me on Twitter. You can write me an email. I will be here the rest of the Congress anyway. So if you're interested in these topics or anything around that, just come talk to me. Can I have a nice discussion? My name is small. That slip. I'm a B D candidate in the same office as Michael and Danielle. You can also reach me on Twitter. I'll just come and talk to me. Yeah. And my name is Tanya Cruz and I. Yeah, I don't know. I don't have to repeat all of this. No. But before we dove in, we signed a loan. We will stop to some mullets. Wait a second. I edited last night. You know, you cannot just let it slide unless it's important. I mean, it's it's right after Christmas. Right. And we all. Come on. Oh, come on. You're kidding. And then last year, last year at CCC, we also had this Christmas themed talk. Right. And now we all hear this still ringing in the years. And and this. This was a really nice talk, I think, as well. And we presented a lot of new spectra and modem variance there. Maybe not as dangerous as Zombieland, but still, I think, interesting. And when we when we presented this, this was uploaded to YouTube afterwards. And I was running around in a suit at that point and someone wrote ditched the suit, please. He looked so uncomfortable. And today, I have a T-shirt. That's much better. Al
l right. And we presented in this talk, we presented a tree, a tree, a system that has Asian tree. And you can see all the different attack variants here. Spectra type attacks, made down type attacks. And yeah. So the question is, how does this all relate to zombie logic? And to start that, I think we will just present Specter in a nutshell. Yes. And I think what that's picked in a nutshell, yes. Yes. And maybe maybe something more. There was also this this song about Specter. Do you remember this song about Specter? I think they also had a movie with that title. Mm hmm. Yeah. Yeah, this is about the most the most technical explanation that you would get about Specter today, because the relation from Specter to. Oh, come on down here then we load is not here to give a technical talk, not some goofing around here. So maybe we we need some background first. OK. Have a really technical talk. Right. So can you explain micro architecture? I mean, of course I can. I mean, it's really easy. So we all know we have a. And then we have some software that runs on DCP. That's what we always do. And the software has these eyes. I can use this instruction set architecture like a X 86. So is application can use all the instructions defined by its instruction set architecture at the CPA will execute stuff. And of course, this review has to implement these instructions that architecture to actually execute the instruction. This is what we call the micro architecture could be, for example, an intel core C on or some EMT rising and stuff like that. And C views are really easy. I learnt it in my bachelor. So when you want to execute a program, that's just a few steps that the C view has to do. So first it finishes the instruction, it decodes the instruction, it executes the instruction, and then when it's finished executing it right. Spec the result. Yeah, it's really easy to see. Yes, but this is a very high level. I think we should go a bit more into details if you're asking for that
. So maybe to go into details, we should look what these boxes actually do. Let's start with the front end in the front end. We will have some part that decodes the instructions that we send to the CPA. There is already a lot of parallelism in there. And also we have a branch predictor which tells us which micro is up codes we should execute next. There is a cache for that and we have some looks that combines all of this and then we have an allocation queue which determines what the next instruction will be and sent that onwards. We also have an instruction cache. Of course, we need to get the instructions from somewhere and of course, the instruction translation, look aside for the I.T. to be connected to that. This one basically translates addresses from virtually to physical. Yes. The next step would be the execution engine in the execution engine. We have a scheduler and the report above the reorder buffer. Although it is called re order buffer, it actually contains all the code, all the microbes in order in exactly the order in which they should be executed. It's called me auto buffer because the scheduler just picks them as soon as they are ready and then schedules them on one of the execution units. For instance, there are some for the ACLU there, some for loading data. Some for storing data. And yeah, it just schedules them as soon as possible. And then they are executed there. And as soon as they are finished executing, they will be retired from the reorder buffer. And that means that they will become architecturally visible to all the software. And then something fails. Yeah. If something fails. If something fails. You mean the CPO exception? For instance? Yes. Yes. Then, of course, the exception has to be raised. And this happens at retirement. So first the execution unit finishes the work and then the exception is raised. And all all the things that the execution unit did. I just kicked out. Just thrown away. So then we go to the memory subsystem. Of cou
rse, if we want to make changes, we don't want to keep them in some internal registers. We want to store them somewhere, maybe load data from somewhere. And for that, we have to load buffer and store buffer and the load buffer and store buffer. They are then connected to the cache, that one data cache and we again have A to B to translate virtually to physical addresses and the line infinite buffer to fill cache lines in the L1 module for some other purposes. But we will get to that later on. Yes. And caches. I think I also talked about it. I said, well, we've heard that, yes, caches are pretty easy. For instance, you have a simple application just accessing variable AI twice the first time. It's not in the cache. So we have a cache, miss. So the CBO has to ask the main memory, please give me whatever is stored at this address. The main memory would respond with the value and stored in the cache. So the second time you try to access this variable, it's already in the cache. So it's a cache hit. And this is much faster. So if it's a cache, miss, it's slow because we need a theorem access. On the other hand, if it's already in the cache, it's fast. And if you have a high resolution timer, you can just measure that by accessing and measuring how long it takes to access the address. Can you really do that? Yes. I implemented that. And thus we can see around 60 cycles. If the data is stored in the cache and around 320 sites, if it's a cache, miss, and if we have to load it from men. Oh, wait, I remember something. So we learn something at university about this. Caches and cache hits and misses that. We can use that for attacks. So there was this flash and reload tech. But we have two applications, an attacker and a victim. We have our cash and we have some shared memory. For example, a shared library like the lip seat. And if you have memory isn't a cash, it's in the cache for all the applications that use it. So if we have, for example, an attacker that flushes it from 
the cache, it's also flush for all the implications from the cache. So here are my cache has like four sets, three or four parts. And the shared memories in there, it was used before. So as an attacker, I can simply flash it from the cache. That's not in the cache anymore. It's not cached anymore. Then the attacker can simply wait until the victim is scheduled. And if the victim accesses the sharp memory, it'll of course, be in the cache again. That happens transparently, as you just explained. And then as an attacker again, when a tech has scheduled, it can simply access to shed memory and measure the time it takes and from the time the attacker can infer whether it's in the cache. If this access is fast and then the attacker knows that the victim access to shared memory and if the victim is slow, it was not access. In the meantime, and it has to be loaded to the cache again yet. Really simple. Yes. You paid attention in my lecture. I see. But actually, there are some more details that we might want to show here. So if we look at the cache, how a cache actually works, the cash today works not by just having these cash lines, but it divides these storage locations also into so-called ways and they grope these ways into a cash set. So instead of a cash line, we now have a cash set. And the index the cash index now determines which cash set it is and not which cash line. So you have multiple congruent look. Haitians for data, the question then is, of course, how do you find the right data? If you want to look something up in the cache and for that you take the remaining bits. So the lowest bits are the offset. Then we have any bids for the index and the remaining parts. Maybe the. The physics. Page number is used as a tag. And this tag is then used for the comparison. And if one of the tax matches, we can directly return the data. I prefer my simple cash. It's a lot easier. So if we combine the cash, the deck that Michael showed us with the thing that Daniel told us i
n the beginning, that except to say I only handled when an instruction is retired, we can build the Middletown attack. So let's talk about Milton. In the beginning, because this is an attack that we build up on. Yes. Moments, I think, for Milton. I mean, we already saw Spector hadn't made that night. I think that was a song about marathon. Wasn't the. It's not about the marathon attack. No, I. Dave. They sing about it and it's clearly related to some serious. Yes. But let's get back to the real impact. So it's really simple. We just access an address. We are not allowed to access, which makes an application crash. But we can take care of that. So a page full exemption happens. And what we do now, we use this value that we read which illegally read. But it's still executed that way and encoded in our lookup table in the cache. So here the value is okay. So what we do is we access the memory location on the left off to use a memory where a case, which means this value is loaded into the cache. And now what we can do is after we executed this illegal instruction and recovered from default, we can just mount the flash and reload the tag on all the possibilities of the alphabet. Yeah, let's let the K will quick cash hit so we know we read the value. Okay. Yes, this is nice, but this doesn't really explain why this actually works. So let's look at the micro architecture again. The men don't attack. Actually, the instruction that performs them out on attack is just one instruction. One operation that loads from a kind of address moves something into a Reggie's register. That's it. That's the entire Melton operation. Now we have our value in a register and now we can do with it whatever we like. We can transmit it through the cash if we like, but we could use any other way. The men don't attack. Is this reading from the kind of address that actually ends up in our register under our control? Now, this enters the report above. It will be scheduled on a load data execution un
it and then it will go to the load buffer in the load buffer. We will have an entry and this entry has to store approximately something like the physical page. No. The virtual page number for the virtual address. The offset, which is the same for virtual and physical pages. Lowest twelve bits, something like that. And register number. If you're familiar with register names like Ari X I'd be RC Ex and so on. Those are just variable names that are predefined. There's actually a set of 160 registers and it with the process, so we just pick one of them independent of your variable name and then guess we access the load buffer here and in the next step we will do look up for this memory location in. Oh sorry. We first have to update the load buffer. Of course we have to get a new register. Right. This is the old values. The new values are marked in red. The register number. The offset and the virtual page number are updated. The virtual page number is not used for the lookup in one store. But then. We only use the lowest twelve bits, the offset here. And then what happens next is we do the lookup in the store buffer in the A1 data cache in the left. And also in the DTA, maybe we check what is the physical address. We get this from the DTA. Now in the next step we would look up in the detail b. So what does this entry say? And it says, oh yeah, I have a physical page. No, it's present and it's not user accessible, but the fast pass. What the process I expect is always that this is a valid address and it was in the fast path. Copy this physical address up here at the same time realize that this is not good. I shouldn't be doing this. But also I mean the virtual address matches. The physical address matches. Why wouldn't I return the data to the register and then the data ends up in the register. That's the message on attack on a micro architectural level. So how fast is this attack? This is one question and the other is also why does the processor do this? And there is act
ually a patent or multiple patents actually writing about this. And it says if a fault occurs with respect to the load operation, it is marked as valid and complete it. So in these cases, the processor deliberately sets this to valid and completed because it knows the results will be thrown away anyway. So why not let it succeed? So how fast is this attack? Actually, it's pretty fast. So it's five hundred and fifty kilobytes per second anti-terror raid. It's only zero point zero. Zero three percent. Yeah, I can't confirm that. So I also implemented that and I put the secret into a cache line of known secret in column memory. And then when I tried to leaked it with dispatch on attack, I've just seen that. And I get the values and or as a piece or X X X X is the secret I bought and there have been some nice, I guess. So it's a bit noisy as you say. It isn't like this decelerate from before. Yeah. I'm not exactly sure what this noise and actually entail. Explains that in more detail in the security advisory. So. For instance, on some implementations, speculatively probing memory will only pass data onto subsequent operations if the resident if its resident in the lowest level data cache deal won cash. As we've seen now, this can allow the data in question to be queried, but a malicious application leading to a side channel that reveals supervisor data void. I'm not sure it's correct. For me, it also works on the level of free cash that they've lost. I only have one, but it works. I implemented that. You tried it. And it's also it's not as fast anymore. That's just around 10 kilobytes. The error rate is ten times as high as before, but I'm still at work, so I removed it from the one cache. Just have it in there. Free cash. My secret ex again in current memory and I tried to dig it. I get the extra miles. Look, Dex used as well. But it's also the X. Here are some X's in there and if there are more access than other letters. But still. But I can see the secret. But. But, 
but how can you get rid of that? So if you read API, I don't know. How can I get rid of it? And I assume I need to get rid of them. I can't hear anything. Not nice ice canceling headphones to get rid of the noise. Yes. No, it's not. No, you just throw statistics on this. That's basically the message here. Just throws statistics on that and it will be fine. Makes sense. And even if I think about what happened last year. So we presented the Melton attack at Black Head and that we had one slide because we did one additional experiment because we said L1 is not a requirement, because we can use uncatchable memory where we mark pages as uncatchable in the page tables. So the CB was not allowed to load them into the cache where it. But if I do that, it doesn't work. So if I remove it from the free as well and only have a diagram out my secret ex and I try that, I don't get it at all. I just get random noise. You did a lot of noise. Did you read this light? No. It just said something about not in the cache. Yeah, but there was more on this light. So I or as it can at least tell them that read on. Only if we have a legitimate access on the sibling hyper friend. So this is a legit access to this memory location that you try to leak. Did you try it that way. So you mean I have to leak it and in the meantime have from the treatment access from somewhere else? Yes. Then you can just grab it from the other one. Huh. But that works, don't you? I really should continue reading after the first find. Or maybe that helps. So OK. There's some noise in the air. Yep. That works and investing. Some people remember what we read, what we wrote in the paper back then, which I want to quote. We suspect that meltdown reached the value from the landfill buffers as to fill buffers, a shift between frets running on the same core. The read to the same address within the Melton attack could be served from one of the fill buffers allowing the attack to succeed. However, really further investigation
s on this matter open for future work. I don't like descendants like you always need to stuff. You don't want to do it for future you. Yeah. Fuck you. Yeah, but I can understand that at this point. We had some kind of mental resource exhaustion already, but all this new stuff there. Okay. So maybe back to the technical details. Right. We want to understand why this works. Right. And if we look at this diagram again, it pretty much is the same as before. We have our load operation. It goes through the reorder buffer, through the scheduler to the load data execution port and then has an entry in the load buffer. And then we will still update the same entries. Everything's the same so far, but now we know that it is not in the one data cache. So even if we do look up there, we are sure that we won't find it there. But there are other locations where we can still get it from, and that's my maiden uncatchable works. It just gets it from a different buffer. Yeah. What else could we do with this? I mean, future work should probably investigate that. Future work, of course. Yeah. Yes. Yes. Sure. I mean, at some point you're at this point where the future you hope becomes present, you and you actually have to do this stuff to set this to be future work. So, yes, at some point we arrived at this point where we said, OK, we have to do this future work here. Yes. And maybe also here is a good point. During all these works that we that we published here in this area, Meltdown Specters on build, what we learned was that actually there is no noise. And this has become pretty much a mantra in our group. Every time someone says, oh, there's a lot of noise in his experiment, there is no noise. Noise is just someone else's data. So what do you say is we should analyze the noise? Oh, yeah. Because maybe it's something interesting. So maybe we do it in some scientific mathematical way. It's like a slam. I hear I can noise is someone else's data. And we take the Lima sphere off of meltdo
wn, because if you have a meltdown in this noise and we let the meltdown hit, I could go to nothing. Then we are left with the noise. Right. So I don't think this is an appropriate use of limits. I don't think it works well. It looks science. Yes, it does. But so from the deep dove put interstates is filled by us, may retain stale data from prior memory requests until a new memory crests overrides to fill above like Daniel showed in the animation. Under certain conditions, the field best buffer may be speculatively for what data? Including stale data. So under certain conditions we can read what someone else some else instruction or program read before include to a load operation that will cause a fold or assist. So we just need a load operation that falls. And with that, we can dictate a way to assist. What is that? That sounds confusing. Let let let's look at that with an experiment right there. Scientists. So let's look at a simple page here. And space contains cache lines, as you explained before. And then we have some virtual mapping to this page. And if you remember meltdown, as we had before, then we has this faulting load on this mapping because it was a kernel address. It folded there and it was like the scenario of meltdown. But now we need some complex situation or something. So let's map this physically page again with a different virtual address. So we have different mapping and then we do something complicated for you. So we have one access that's folding and you have a different access in parallel to the same cache line that removes it from the cache. The same thing we want to access in the kitchen. Like what cash do then put it return might get out of resources stairs like it was super confusing. So that that's a certain condition. I would say, okay, so maybe we should also look at the zombie load cash zombie load case in more detail in the micro architecture again and then the micro architecture. We start again with the same single instruction. It's
 all the same. The difference between these attacks lies in the setup of the micro architecture. Not in this specific instruction that is executed. And what we see here is that we again go through the same path and this time the load but for entry is again updated. And again, this part is not used for look at mean. The other one is still a buffer and line food buffer to look up happens. But here now there is a complex load situation, as Mika just described. So the process I is I'd much I'm not sure how to resolve that right. And says I will stop this immediately. And now we have an interesting problem here, because what happens, the execution part still has to do something. It still has to finish something and it will finish as early as possible. And now, I mean, we have a pen, we have a cash line that matches. So why not return this one? And then we can just read any data that matches in the lowest few bits. Very nice. So this is basically use after free in the load buffer. This is a software problem in the hardware now. Great thing. But how do we didn't get the data out of that? I mean still it dies, right? Yeah, but it's the same thing as in meltdown. So instead of accessing the kernel address, which just have a folding load with a complex load situation, it's the same thing. And then again we encode the value in the cache, use, flash and reload to look it up and then we know exactly what was written there. Okay. So I can I can do that so I can really build up. Starting this year, I think I can get to this complex situation here actually in software, so if I look at my my application, I have a special ed space fuze the space and column space. If I allocate some physical space and physic memory, I get a mapping and user space and then I need a second mapping. How do I get that? It's a nice thing. Really convenient. The color maps, the entire physical memory as well in the dark physically map. And so for every physically page I have, that's also a colored page that
 maps this physically page. So I have the situation as before here. Also, the physical memory and the virtual memory are not the same size then? No, of course not. Western memories are not larger than that. But with that I have one physically page mapped with an accessible page and map of an address I cannot access. That's one of the variants. Variant one. What's the easiest to come up with? I also have another where if they're in three so I have this physical memory, I can map a page and use a space simple allocate a page and then I use shared memory. If I've shared memory with myself, I share the space with myself. I have two addresses to the same. Wait, wait, wait. Shared memory that shouldn't fault. Yes, that's correct. So it still does. There's a nice trick with that. So of course, like I can access that. It's my shared memory. I set it up. But something really interesting in the sea view, this so-called micro code assists, if you have the instruction stream that comes in, it has to be decoded. We have a decoder that can decode a lot of things to micro ops and these microbes then go to the max sum and to the back end. And we we had that before I listened to what you said. So, yes, we have that decoder going on back and scheduler blah, but sometimes just something complicated. So maybe the the code can't decode something because it's really complex and it needs some assistance for that. And micro code assist and it goes to the micro code wrong to source software program software sequences that can handle certain things in the CPO and this micro code room. Then it's the microbes that are used in the back at heart. I was not in my finger. No, this was interesting, complicated things here. So this for really rare cases. So that shouldn't happen. A lot of time because this is really expensive has to period from insert microbes into the schedule is really complicated. Is that kind of a fault in the micro architecture? A micro architectural fault is happens, for examp
le, in some cases. But one of the examples is when setting the exist or the dirty bit in a beach table entry. So when I first exacerbates than this micro architectural fault happens, it needs an assist. And then if we do that the first time, then it's the fault. And and I surfing on windows, it's regularly reset. Yes. So we always have a foldable final seconds. All this stuff about the zombie load to take. I think we also want to think about something else here, because for Specter, there was a movie and a song from Motown. No, no, no, no, no. Come on. There's no one below. Just a few seconds, maybe. Everyone knows that. I see knives. I feel knives. That's the. That's the origin, I guess. I know, though, it's completely fight. Larry King from the film and car mom made. That's no show day. I mean, I'm sure this is your estimate. I got this from the Internet. And this is the start. OK. We're doing a talk here. We can continue playing it, if you like. Maybe later we we need to discuss things. Yes. So what can we actually attack which some reload? So what we know is we can leak data on the same and from the sibling hyper friend. So what we can do is we can attack different applications running on the system. We can attack the operating system. We can attack SGX English. We can attack virtual machines. We can also take the hypervisor running on the system from within the virtual machines. Is really powerful, but we still have a problem there. So for a meltdown, it was really easy to provide the entire virtual address, leaked the data from there for foreshadow. You can provide the physical address. You leaked the data from there, fall all the different attack. You can at least specify the page offset for some cloud. You can only specify like a few bits here in the cache line what two leaks? It has no control that you can you can't really mountain and take with that. That's it. Yeah. So we end here. It's impossible. No. It's not impossible. It's possible. So what we can do
 is we call it the so-called domino attack. And so what we do, we read one bite. And what we then do is we use to least significant for bits as a mask and match that to the next value that we are going to read. And if they overlap and are the same, we know that this second byte belongs to the first bite and we can continue and continue and read many, many bytes following after each other. So despite you saying we have no control, we have pretty much control. That's nice. So I really implemented that time on time. I hope it works. Let's see. So I need a credit card pin from. We don't see anything yet. I know. I know. Oh, no. Oh. Oh, no. What is my password? Oh, it's secure, right? Yeah. No one tries to one that password. OK. So where's mine? I have your justice. Yes. OK. Passcode. What is it? Oh, it's just starts all my secure passwords in there. OK. And you use a pin for that? Yes. My credit card number that anyone wants to give me that four digit red card pin and I can try to leak that here. Yeah. Yeah. Oh no, that's boring one. No one has one, two, three, four is a credit card pin. I hope. And it runs inside a virtual machine without internet so nothing can leak here. Different code one 2. It looks states if we do that. Anyone else? 1 3 3 7. Let's see. I think one. Well, you can do multiple meanings. Free seven. Nice size life leakage. Although it's not a VM without any internet connection, without anything. Just some, you know, leaking the things I input inside my virtual machine from the outside. If you do that again with a different number. Yeah. Because no one believes that. Right. Yeah. Uh. Okay. Let's see. No. No. Anyone? Twelve. Eighty. Well, eighty. Yeah. Does that really work? Know I can actually still date those. Nice. So the question is, what else can we do with that? Can you do something else? I don't know. Did you prepare any other demos? I mean, trying to slides again, you go back to the slides there. So only this one demo. Oh, they find another one.
 OK. Wait a second. I find this very odd. Right. There's very good 1 and 3. Isn't that odd? No. We used to try and system now to count binary system. OK, whatever. No, we shouldn't skip here. So we have different tech hub models. On the one hand, the very end one as a privilege to take care of where we have to colonel everything and stuff like this. We can do this on Windows and Linux for the macro code assist for variant free. We can also do that as an unprivileged attack on windows because it keeps the bit in the beach state. Let's cross platform is nice. Yes. Okay. How fast is it? It's five point three kilobytes per second for variant 1 and it's a worm and free seven point. So that's not so impressive. I mean, if I want to make a logo and a Web site and everything, this one, we need to get better than that. But it's a bit bad right now. We should still mitigate that, right? Yeah, yeah. Yeah. So the things we can do is like disable hyper threading. Yeah. No, it's not like that type of friends or we can disable that groups get willingness. Maureen, how about this. So how to implement it can also override the mike rocket, the issue of micro architectural buffers so that if the data's not there anymore, we can't leak. It's us might be over at justice instruction. I was updated. That overrides all the buffers. Just a bit of cost. That was a software sequences that can evict all the buffer. So there's no data there anymore which aren't wiped out because the software shouldn't see the buffer. OK, then we buy and use abuse land use issues which are not affected anymore. That's a good thing. So a ninth generation like the Coffee Lake and then the Cascade Lake. So Ethan says on the website, like it fixes smart, unfortunate or real fallout. I mean, PDX empty some. So all these attacks there, are you copied this from the Web site? Yeah, it's from the website. Why is that? There's just zombie load in there. Oh, I don't know. Well, I didn't say anything about. So we don't know
. Maybe it's fake. We'll see. We'll see. OK. So if we go back to the timeline, we have been working on attacks in this direction already in twenty sixteen in the kinds of patch was actually a mitigation for a related attack. And we published this on May 4, May the 4th. And yeah. And in June, John Horn reports the Melton attack. And later this year, we also reported independently that the multiple much later, though. Yes. Yes. So in February 15, we reported Meltdown Uncatchable because Intel said, no, you can only from league one and we said no, you cannot only leak from L1. So we implemented this proof of concept. Yeah, we had quite some e-mails exchanged. I'll take you around the mainland. More nice than the Senate again on Monday. It was so difficult to convince our core authority actually that we can leak data that is not in the one cache. But finally, before the paper was submitted, actually, we were able to convince them where they were having things talked out and it was explained as landfill powerfully. Kitchen. Yes, it may. It May 14th. We reported zombie load, then on April 12th in 2019. Zombie load went public shortly afterwards because it was already under embargo for a long time. The part of me and at the same day there was this new sea buse announced just in time. So I bought a new Seaview because I wanted to be safe. So everything is fine? Well, it's still fine. No, I. Well, it's fine. Everything is fine, I assure. So I'm not sure everything is fine. Maybe we have a problem like. Maybe different question, which some know variance works despite. Yes, Miss Mitigations, where one in free. Where in two? None of that. I want to use the choker. You don't have any junkers. So Danielle tried to it was fake take take nothing on. No, no. I we go we're very into it. Last question. And yes, we had to wait a second. He told me that there is no Varian too, yet it was a joke. You really ought to try and carry system. It's not even a word. I'm a bit confused. Yes, act
ually, a variant to us or we count in normal numbers like everyone else. And if you go back to this, we have this small town set up and then we have certain conditions set up with the double mapping of one page. But this isn't so complex. Yes, it was too complex for you. So you simplified that. I didn't understand it when I came back from holiday. That's no joke. So you suppressed all the exceptions, 56. Yes. Transactions. So you don't see any exception there. And then you decided to say, like, oh, you have to mappings to. Why do I need a custom mapping? I mean, it's the same physical address. So I can just use one address. You let you use the same address here. And then I wrote that for lines where it works, where this band has used the transaction at here. With that can happen with data conflicts and TSX, many different resource exhaustion. Again, a to many one state. Are there certain instructions like I owe on this calls and synchronous exceptions that can also bought a transaction there? Yeah. And Intel also gave out a statement that asynchronous events that can occurred during a transaction execution. If if this happens and leads to a transaction board, this is a yes. This is, for instance, an interrupt. Then this might be a problem. So what is really happening? Because in the code, which just exits one address, we allowed to access and then we enter transaction. So what we do is we start in transaction. We want to load our first address, which is our IP address. This would be executed. And the value that we read from that would pass to our oracle to load it into the cash. So this is executed. If it returns the value, we access the address in the cash enter transaction ends and everything is fine. So why does this leak, like Danielle said, with asynchronous supports, which we do not cost by our own code within our transaction? Something can go wrong. So in this case, when we start loading this address and this is still happening, at some point in time, an inte
rrupt can occur like an enemy. Right. And when this happens, this transaction has to be imported. And now the load address, the load execution also needs to be imported. And now picks up a stale value from the landfill buffet, for instance, from the load ports and leaks that which we then can recover. But this is a bit slow because we need to wait for an eye to occur, hitting the execution at the right time. So what we now do is ask the previous variance. We used to flash instruction because there we induce a conflict in the cash line. So what is happening now? We dispatched a flash instruction. We stopped our transaction. We stopped our load and executes it. This induces a complex situation which causes the transaction to a port allowing to leak with our load, which is now faulting to our exit to recover our data. And this is very nice because this very up to now only relies on Deus Ex. No complicated setup, nothing anymore. So as long as you have sex, you can leak data. OK. But how fast is this? Is this now better? Yes. This is very nice because now is this really fast? Up to the point that kilobytes per second. That's already a lot faster. Yeah, I think we can really use that to spy on something. Wait a second. If it's that fast, could you leak something like some something with a higher frequency with like a song. A song? Yeah. Maybe we can leak a song. But you didn't like the song, though, right? No, no I I made it a bit faster. Faster. Sure. So we can't see it though. I know. It's just the song. No more money sounds. No. This does not sound. No. No. Strong words. Or do you want to do with that now? You want to leak this? Yes. I'm going to do that with the new player, OK? With a muted player. With a muted player. And then I run some below. At the same time, you still can't see anything. No. And then it should be able to pick up all the things I play. Okay. And. And then we get and played at life. I mean, this as you said, there's a lot of noise for this attack,
 right? So it will be very noisy then. So I can play here, OK? And I can't. Here. Let's see. It might be a bit noisy. See if it works. It sounds a bit like a metal version out there. But you can imagine. I think we can sell this as the zombie load filter. Yes. It's really great. But imagine if you spy on a Skype call like that, so you'll still understand a few young words. So far, the timeline we reported zombie load on April 12th and then on April 24, we reported very up to we showed that it works on a new CB use that shouldn't be vulnerable anymore. Yeah. That was just before the embargo ended. That was fun. Yeah. I mean, we have always had another embargo on Senator. Yeah. We this variant, of course. Yes. Which was quite funny because we had these if that's in a take your coat off the paper and just variant on the same day when formula was disclosed to the new MVS resistance abuse came out. So you can actually buy them. Yes. We also reported on May 16 that the VW and software sequences are insufficient. There's still some remaining leakage. It still makes tax a lot harder. But yes, this is also entirely documented. This. So does this. No. Yes. And only last month the very into was disclosed. Yeah. We have that accomplished. Oh yeah. All right. I came. It's one I'd be on a movie poster. Yeah. But as this way. Am I actually here. No I don't. But actually. So the process with Intel improved quite a lot over over the last year. They invested a lot of effort into improving their processes. And I think by now I'm really happy to to work with them. And they I think they are also quite happy because they send us a beer and we are. We were so happy about that and so excited. And we didn't have time until last weekend. And then we finally had the beer. And that was also very nice anyway. But wait a minute. So the TSA attack, the very end to is just to use X over leak. Yes. Like I said earlier, when you go back one year, we had some slides at Black Head again. Yes. Where we
 had this code. Oh. And if I look at this code, it looks the same as before. It looks the same. Yes. Just without the flash. So if I just wait. But it's like this is basically just our code from GitHub. We had this on GitHub and on the slides for one year. Yes. And it was right in the mouth on paper. Yeah. Mm hmm. Yeah. Not not good. So but no one tries so abuses on getting them. Yes mate. Maybe you should also fix it. I mean it's really easy, right. What about the mitigation. Yes. Yes. If you don't have to use X anymore, then you can't have that to use that support. So super easy fix, right? No, no kidding. No, actually, that's one of the mitigation is you can just disable in gluteus X and that's the default after the latest micro code update where when you try to run the attack again, it doesn't work. And then you have to figure out some performance penalty. Yes. But on the other hand, we also have to be top of you to override the affected buffers as before. But unfortunately, they do not work reliable. Also not the softer segments. So under certain conditions, you can still get leakage despite having just mitigations. But is this. Yeah. So about this scheme, you get any insights from that? I mean, so for some we load it again, falls in the category of trans and execution attacks is a meltdown type attack. It uses default stair. You can't classify the different variants on the fault you will. So we have to space fault for variance. One, we have to micro court assistance, micro architectural faults for variant 2 and variant 3. One is to T.A. the TSX support, which is not a visible fault but a micro architectural fault, and also that the microphone assist for this axis and dirty pit. And as we've presented last year, we've put this up on the Web site like trends in that fail. So you can play around with that. See what kind of attacks have been explored already. Yes. And know that I inside this here. So we have this memory based site. Send the text for quite some yea
rs now where we look at addresses and then you see the addresses, exits or not, we can infer the instruction pointer. Then we had this meltdown attack where we had an address and we actually got the data from this address was completely new and it looked like a bit different. And now with the state assembly with some details here, we have the missing link here between that, because now we know when we had the sudden instruction pointer, then we get the data so we can't specify the address of the data we want to leak. But a sudden instruction by that, we simply get the data and we have seen some nice triangle that combines all these things and gives us more powerful primitives. So what are the lessons that we've learned? So when Milton Inspector came out for us, it was like Spector's head of state of the long program problem we have to take care of and for meltdown, everything is fixed. But by now we've seen much more Milton type attacks. Inspect the type of text. Yes. So we were on that assessment. If you want to play around with that. So everything is always on GitHub, all the variants. So you can try yourself to see if you can reproduce that and build your own nice. So maybe load music, photos or stuff like that. And also in 2019, there were other papers in the same space. That was the fall out paper and the little paper which also presented a text in this area. So to conclude, I would talk trends and execution attacks are now the gift that keeps on giving. Yes. And as we have seen, the of miles on a text is a lot larger than previously expected us. So we feel like it's only one. But we now have several of them out of town type of text that we know there might be more. Yes. And sip use our deterministic largely. There is no noise. If you see noise, then usually it means it's data from somebody else. And now do we still have time for the remaining part of the song? See here and we can chat. He is. Speak for sway and smile. Say it, leave these notes. So we want to t
hank the moderate label for seeing the song for us and on to all of you. We want to thank all of you for being here. Thank you. And we are open for questions about. Thank you very much. We have some time left for questions, so please let up at the microphones. If you have questions, the fashions from the Internets. That's really nice signal. And so please can use this record as a text with poll monitoring tools, simple your fragrances, memory apps or other free accessible tools. I don't think there is a tool tailor to detect those attacks. Certainly you would see with with the current pox that we have, you would see significant CPO utilization and probably also a lot of memory traffic. Other than that. So there are not nodes dedicated to it so far. But also I think it's better to just patch these vulnerabilities than to try to detect them. Thank you. Microphone four, please. In the time line with the that you reported variant to at the very end though you already had band one and free the way it is our numbering. So we actually had very time to write in the beginning when we reported it, but we only discovered very briefly before the embargo ended that it actually behave. So are two key moments. So in April we reported beer and wine free and then two weeks later on April 24, we reported variant free. We're into a sorry. Yeah, but for Cascade Lake, we really wanted to buy a view. But university budget is limited. So I didn't do that before the embargo ended. I ordered one online to test it. Also, if you wasn't available. Yes. So that was apparently an accident of the cloud provider. We suspect. Yeah. We just like that. We should not have been able to actually buy one before May 14. Yes, course. That was the announcement of the Seaview. Yes. And when we were able to mount the attack on Cascade Lake, which they assumed is not affected by MVS type of decks, things got busy again because now we have an embargo ending in four days. And there's a new variant that still is 
capable of leaking data on the newest ship used they. So previously, none of the books showed that there is a difference in the micro architectural behavior between those variants so that the TSX transaction, the transaction or the board, the asynchronous a board behaves differently was only known at that point. OK. Question answer it or you still have one more. OK. Thank you. We have more questions from the signal angel or somebody lighting up at microphone one, please. May we ask, do we have any other embargo going on right now? I don't know. All right. So I don't see any other people, any other guys lining up at the microphone. So thanks again. Round warm of all round of applause for those three.