Overview
Explore the intricacies of inter-VM data exfiltration through cache-timing covert channels on x86 multi-core systems in this 46-minute conference talk from NorthSec. Delve into the imperfections of shared-resource isolation in the x86 architecture that enable covert communication between co-located virtual machines. Learn how non-privileged applications can establish hidden data-transfer channels and reverse shells, bypassing standard access control mechanisms. Discover key concepts and techniques, including cache-line encoding/decoding, manipulation of the hardware prefetcher logic, use of the 'clflush' instruction, and high-precision inter-VM synchronization. Examine a practical VM-to-VM reverse shell example, bandwidth measurement results, detection methods, and potential countermeasures. Gain insights into shared resources, cache-timing modulation, physical address mapping, and the forward error correction techniques used in these covert channels.
Syllabus
Intro
Cache Timing Covert Channel
Disclaimer
The problem
I was caught
I did a video
Outline of the talk
Shared resources
Multiple sockets
Cache line
Cache timing modulation
Demo
Test Program
Test Results
BIOS Prefetcher
Solution
Userspace
Physical Address
KSM
No synchronization primitive
Phase-locked loop
CLflush
The Client
Monotonic Pulse
Timers
Jitter
Compensation
Results
Synchronization
Recap
Original experiment
CPU usage
Reverse shell example
Forward error correction
Reed-Solomon
Reverse Shell
Disable KSM
Disable CLflush
Where Counters
Heuristic
Taught by
NorthSec