Microarchitecture Exploitation


System Security

Modern CPUs are impressive feats of engineering effort. Consistently offering performance improvements every generation, but how? This module explores security vulnerabilities that can lurk hidden, below the assembly, in CPU architecture itself!


Lectures and Reading


Challenges

Get started with a binary that side-channels itself!

A binary that side-channels itself, now using multiple pages.

Measure memory access timings to leak the flag via a side-channel.

Perform a full flush and reload side-channel attack!

This binary never reads the flag bytes.. or does it?

Perform a flush and reload attack to obtain the flag.

Locate the flag in memory using shellcode, you will only have access to the "exit" system call.

Locate the flag in memory using shellcode after all references to it have been DESTROYED, you will only have access to the "exit" system call. You will need a creative way of locating the flag's address in your process!

Use a speculative bounds check bypass which accesses a page mapped in userspace to leak the flag.

Use a speculative indirect call which accesses a page mapped in userspace to leak the flag.

Use a cache side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v1 channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v2 side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use meltdown to read the flag from the kernel module's memory.

Leak the flag via meltdown from another process after getting the address of its task_struct from the kernel module and using it to find and walk its page tables.


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score