-------------[ Advanced Userland and Hypervisors From the Ground Up ]-------------

This week our guest lecturers gave us insights into the layers above the kernel---and partially bypassing the kernel---and below the kernel, virtualizing it, but also trapping into it on some hypervisor-level events.

Find the slides in http://www.cs.dartmouth.edu/~sergey/cs258/guest_lectures/

----------[ Rob Graham's Masscan ]----------

https://github.com/robertdavidgraham/masscan/

(if you get interested in Masscan, we can set it up for you to run, and help coordinate with the Dartmouth IT so that they don't block your scans)

----------[ Misc papers mentioned ]----------

"ShadowWalker" rootkit, de-synchronizing the iTLB and dTLB to present different physical pages for the same virtual address depending on whether it is used by a JMP/CALL-like instruction or by a MOV-like instruction:
  http://phrack.org/issues/63/8.html
  https://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf
  video: https://www.youtube.com/watch?v=hcr35ddvjHI

Jacob explained how this technique broke when the STLB was introduced, an extra shared second-level TLB layer that mixes the iTLB and dTLB lookup paths.
  https://www.blackhat.com/docs/us-14/materials/us-14-Torrey-MoRE-Shadow-Walker-The-Progression-Of-TLB-Splitting-On-x86-WP.pdf
  https://www.blackhat.com/docs/us-14/materials/us-14-Torrey-MoRE-Shadow-Walker-The-Progression-Of-TLB-Splitting-On-x86.pdf
  https://github.com/ainfosec/MoRE --code

NoHype minimal hypervisor:
  https://www.cs.princeton.edu/~jrex/papers/isca10.pdf

BareFlank hypervisor source code Jacob mentioned:
  https://github.com/Bareflank , https://github.com/Bareflank/hypervisor

FLUSH+RELOAD attacks: processors' caches as side channels:
  https://www.blackhat.com/docs/us-16/materials/us-16-Hornby-Side-Channel-Attacks-On-Everyday-Applications-wp.pdf --summary of previous papers and a working demo for non-cryptographic uses
  https://github.com/defuse/flush-reload-attacks --code

Memory deduplication attacks: why deduplication is a bad, bad idea:
  http://www.cs.vu.nl/~herbertb/download/papers/dedup-est-machina_sp16.pdf
  (there is further work on memory deduplication, combined with RowHammer, etc.)

KASLR breaks via the latest x86 features:
  https://www.blackhat.com/docs/us-16/materials/us-16-Jang-Breaking-Kernel-Address-Space-Layout-Randomization-KASLR-With-Intel-TSX-wp.pdf
  https://www.blackhat.com/docs/us-16/materials/us-16-Fogh-Using-Undocumented-CPU-Behaviour-To-See-Into-Kernel-Mode-And-Break-KASLR-In-The-Process.pdf