CREATING A SPIDER GOAT: USING TRANSACTIONAL MEMORY SUPPORT FOR SECURITY

Black Hat USA 2014

Presented by: Igor Muttik, Alex Nayshtut
Date: Thursday August 07, 2014
Time: 17:00 - 18:00
Location: South Seas E

Often a solution from one area helps solve problems in a completely different field. In this session, we will show you how Intel CPU improvements designed to speed up computations have boosted security by creating a flexible memory monitor capable of detecting and reversing unauthorized memory changes.

Modern CPUs support the detection and resolution of memory conflicts between multiple threads that access the same data. In modern Intel CPUs this is called the Transactional Synchronisation Extension (TSX). Hardware-supported TSX technology (represented by the XBEGIN and XEND instructions) helps avoid expensive software locks. Instead, TSX can automatically detect read/write memory conflicts and roll back the corresponding RAM changes.

We will show how TSX capabilities can be used for security. A special security thread reads protected RAM cells (data or code) in TSX mode; any other (potentially malicious) thread writing to the same cells will cause the CPU to abort the transaction. The abort context can be attributed to the address of the unauthorized memory write and to the instruction that caused it.
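A sketch of one monitoring window as described above, in C with the compiler's RTM intrinsics (an added example, not code from the talk). The verdict names, `monitor_once`, `watch` and the spin count are assumptions made for illustration; conflict detection is cache-line granular, so a conflict abort only says that another thread touched a watched line.

```c
#include <stddef.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <immintrin.h>
#define HAVE_X86 1
#endif

/* RTM abort status bits as returned in EAX after an abort. */
#define AB_CONFLICT (1u << 2)   /* another thread touched our read/write set */
#define AB_CAPACITY (1u << 3)   /* transaction outgrew the cache */
enum verdict { V_CLEAN, V_TAMPER, V_CAPACITY, V_OTHER, V_NO_RTM };

/* Map an abort status to what the monitor should report. */
enum verdict classify_abort(unsigned status) {
    if (status & AB_CONFLICT) return V_TAMPER;    /* suspected write to a watched line */
    if (status & AB_CAPACITY) return V_CAPACITY;  /* possible L1 exhaustion */
    return V_OTHER;  /* interrupt, page fault, etc.: the caller simply retries */
}

#ifdef HAVE_X86
static int rtm_supported(void) {
    unsigned a, b, c, d;
    return __get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 11));
}

__attribute__((target("rtm")))
static enum verdict watch(const volatile uint64_t *cells, size_t n, unsigned spins) {
    unsigned status = _xbegin();   /* execution resumes here on abort */
    if (status != _XBEGIN_STARTED) return classify_abort(status);
    for (size_t i = 0; i < n; i++) (void)cells[i];     /* pull cells into the read set */
    for (volatile unsigned s = 0; s < spins; s++) { }  /* hold the window open */
    _xend();
    return V_CLEAN;   /* nobody wrote to the watched lines during the window */
}
#endif

/* One monitoring window; a real monitor calls this in a loop. */
enum verdict monitor_once(const volatile uint64_t *cells, size_t n, unsigned spins) {
#ifdef HAVE_X86
    if (rtm_supported()) return watch(cells, n, spins);
#endif
    (void)cells; (void)n; (void)spins;
    return V_NO_RTM;   /* CPU (or microcode configuration) offers no RTM */
}

int main(void) {
    static volatile uint64_t guarded[8];  /* constructed stand-in for protected data */
    (void)monitor_once(guarded, 8, 10000);
    return 0;
}
```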

We will discuss the following practical security scenarios:

We will show a demo of TSX detecting malicious RAM modifications. There are three leading security benefits of using TSX to monitor protected memory areas:

We will also discuss potential problems - for example, a DoS attack on TSX to exhaust the Level 1 cache.

Igor Muttik

Igor Muttik (PhD) is a Senior Principal Architect with McAfee Labs (part of Intel Security) in the UK. He started researching computer malware in the 1980s, when the anti-virus industry was in its infancy. Igor holds a PhD degree in physics and mathematics from the Moscow State University. His research is currently focused on protecting mobile/IoT devices and hardware-assisted security technologies. He is a regular speaker at major international security conferences (RSA, DEF CON and many others) and a member of CARO.

Alex Nayshtut

Working for Intel since 2001, Alex has held several engineering and product management positions. In his current role, Alex is a Security and Cloud Architect in the Business Client Platform Division. Alex received his Bachelor of Science in Information Systems Engineering from the Ben-Gurion University of the Negev in Israel and holds the Information Systems Security Architecture Professional certification (CISSP-ISSAP) as well as a line of additional professional certifications in the Information Security domain. His expertise is in the Security and Connectivity domain, specializing in Identity and Access Management and Data Protection. Alex has vast experience presenting at Intel internal conferences and training courses. In addition, Alex evangelizes and practices innovation - he authored 20 filed US patents.
