Microarchitecture Exploitation


Software Exploitation.

Modern CPUs are impressive feats of engineering effort. They consistently offer performance improvements every generation, but how? This module explores security vulnerabilities that can lurk hidden, below the assembly, in the CPU microarchitecture itself!

Note: Meltdown challenges must be performed inside the VM!


Lectures and Reading


Challenges

Get started with a binary that side-channels itself!

A binary that side-channels itself, now using multiple pages.

Measure memory access timings to leak the flag via a side-channel.

Perform a full flush and reload side-channel attack!

This binary never reads the flag bytes... or does it?

Locate the flag in memory using shellcode after all references to it have been DESTROYED; you will only have access to the "exit" system call. You will need a creative way of locating the flag's address in your process!

Use a speculative bounds check bypass which accesses a page mapped in userspace to leak the flag.

Use a speculative indirect call which accesses a page mapped in userspace to leak the flag.

Use a cache side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v1 channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v2 side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use Meltdown to read the flag from the kernel module's memory. Note: This challenge must be executed inside the VM!

Leak the flag via Meltdown from another process: get the address of its task_struct from the kernel module, then use it to find and walk that process's page tables. Note: This challenge must be executed inside the VM!

