2020-09-05-confidence-finals/xaas/README.md
+8-8
@@ -14,26 +14,26 @@ The `/app` directory contains files of interest that are owned by another user:
14
14
*`flag.txt` with permissions "-r--------", and
15
15
*`xaas` with permissions `-r-sr-xr-x`
16
16
17
-
The task is clearly to leak content of the text file by abusing executable.
17
+
The task is clearly to leak content of the text file by abusing the executable.
18
18
19
19
The binary reads the secret from `flag.txt` file at startup and starts a simple service implementing the following commands:
20
20
*`ResizeCommand` to resize an internal buffer,
21
21
*`ReadSecretCommand` to copy an arbitrary slice of the secret into an arbitrary location within the buffer,
22
-
*`ScrambleCommand` to xor an arbitrary slice of the buffer with provided key and store result into new location within the buffer, and
22
+
*`ScrambleCommand` to xor an arbitrary slice of the buffer with provided key and store the result into a new location within the buffer, and
23
23
*`StopCommand` to terminate the service.
24
24
25
25
There are no known programming bugs in the binary and the hint points to hardware issues.
26
26
27
-
Turns-out that Travis Downs posted a blog [Hardware Store Elimination](https://travisdowns.github.io/blog/2020/05/13/intel-zero-opt.html) a few months before the CTF that described an obscure optimization implemented by some Intel CPUs.
28
-
The optimization is that CPU may significantly improve throughput of specific memory operations when operating on blocks of zeros.
27
+
Turns-out that Travis Downs blogged about [Hardware Store Elimination](https://travisdowns.github.io/blog/2020/05/13/intel-zero-opt.html) a few months before the CTF, describing an obscure optimization implemented by some Intel CPUs.
28
+
The optimization allows to significantly improve throughput of specific memory operations on blocks of zeros.
29
29
30
-
The above microarchitectural optimization can be abused as an oracle to leak the secret.
30
+
The above microarchitectural optimization can be abused as an oracle to leak the secret from the analysed service.
Our [solver](solver/solver.cxx) checks the secret byte-by-byte.
35
35
For each position in the secret, all possible 256 xor keys are tested.
36
-
The xor result is replicated multiple time within the buffer, such that we end-up with large block of zeros once the xor key matches the secret byte.
36
+
The xor result is replicated multiple times within the buffer, such that we end-up with a large block of zeros once the xor key matches the secret byte.
37
37
This is sufficient to affect the service performance, such that effect can be observed from another process.
38
38
39
39
And so we can successfully reveal the content of `flag.txt`:
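Review bot: the new line 27 keeps the hyphenated "Turns-out"; it should read "Turns out that Travis Downs blogged about …". Similarly, new line 28 "The optimization allows to significantly improve throughput" is not idiomatic English; "allows" needs an object, e.g. "The optimization allows the CPU to significantly improve throughput of specific memory operations on blocks of zeros" (or "The optimization significantly improves …"). New line 36 fixes "multiple time" but leaves "we end-up with" untouched; "end up" takes no hyphen as a verb. Since the commit is a wording pass over exactly these sentences, it would be worth catching all three in the same change.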
@@ -45,4 +45,4 @@ p4{zero_values_move_faster}
45
45
46
46
While content-dependent optimizations may be risky in general, we cannot think of any practical abuse of _Hardware Store Elimination_ against real-world applications.
47
47
48
-
However Intel found some reasons to disable this with most recent [microcode update](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html).
48
+
However Intel [reportedly](https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html)found some reasons to [disable this optimization](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html) with the most recent microcode update.
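Review bot: new line 48 is missing a space between the closing link and the next word: "[reportedly](…)found" will render as "reportedlyfound". It should be "Intel [reportedly](https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html) found some reasons …". A comma after the opening "However" would also help ("However, Intel …"), as it introduces a contrast with the preceding sentence.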