<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic buffer overflow and caches in Software Archive</title>
    <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862543#M7755</link>
    <description>&lt;BR /&gt;I have a small doubt concerning the behavior of the cache in a buffer overflow attack.&lt;BR /&gt;&lt;BR /&gt;Consider the following sequence of events:&lt;BR /&gt;1. Suppose the stack is in the d-cache.&lt;BR /&gt;2. Assume no context switch occurs.&lt;BR /&gt;3. A return statement causes a return to a location on the stack, and %eip points to a stack address.&lt;BR /&gt;4. The processor looks for the stack address (code) in the i-cache.&lt;BR /&gt;5. L1 cache miss; bring the old stack from L2.&lt;BR /&gt;6. So the new stack has not been written back to memory and the old stack is loaded into the i-cache.&lt;BR /&gt;7. The stack coexists in both the d- and i-cache.&lt;BR /&gt;&lt;BR /&gt;Only one of the changes is actually written back.&lt;BR /&gt;Moreover, since the stack in the i-cache was loaded from the L2 cache.&lt;BR /&gt;&lt;BR /&gt;If such a sequence of events occurs then the buffer overflow attack will be foiled, possibly with an invalid machine instruction exception.&lt;BR /&gt;Is this sequence of events possible?&lt;BR /&gt;&lt;BR /&gt;I understand this can now be handled by removing execute permissions from stack code, but otherwise how was this handled in Pentium-based systems?&lt;BR /&gt;&lt;BR /&gt;Thank you</description>
    <pubDate>Thu, 09 Apr 2009 18:49:14 GMT</pubDate>
    <dc:creator>iamrohitbanga</dc:creator>
    <dc:date>2009-04-09T18:49:14Z</dc:date>
    <item>
      <title>buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862543#M7755</link>
      <description>&lt;BR /&gt;I have a small doubt concerning the behavior of the cache in a buffer overflow attack.&lt;BR /&gt;&lt;BR /&gt;Consider the following sequence of events:&lt;BR /&gt;1. Suppose the stack is in the d-cache.&lt;BR /&gt;2. Assume no context switch occurs.&lt;BR /&gt;3. A return statement causes a return to a location on the stack, and %eip points to a stack address.&lt;BR /&gt;4. The processor looks for the stack address (code) in the i-cache.&lt;BR /&gt;5. L1 cache miss; bring the old stack from L2.&lt;BR /&gt;6. So the new stack has not been written back to memory and the old stack is loaded into the i-cache.&lt;BR /&gt;7. The stack coexists in both the d- and i-cache.&lt;BR /&gt;&lt;BR /&gt;Only one of the changes is actually written back.&lt;BR /&gt;Moreover, since the stack in the i-cache was loaded from the L2 cache.&lt;BR /&gt;&lt;BR /&gt;If such a sequence of events occurs then the buffer overflow attack will be foiled, possibly with an invalid machine instruction exception.&lt;BR /&gt;Is this sequence of events possible?&lt;BR /&gt;&lt;BR /&gt;I understand this can now be handled by removing execute permissions from stack code, but otherwise how was this handled in Pentium-based systems?&lt;BR /&gt;&lt;BR /&gt;Thank you</description>
      <pubDate>Thu, 09 Apr 2009 18:49:14 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862543#M7755</guid>
      <dc:creator>iamrohitbanga</dc:creator>
      <dc:date>2009-04-09T18:49:14Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862544#M7756</link>
      <description>&lt;DIV style="margin:0px;"&gt;
&lt;DIV id="quote_reply" style="width: 100%; margin-top: 5px;"&gt;
&lt;DIV style="margin-left:2px;margin-right:2px;"&gt;Quoting - &lt;A href="https://community.intel.com/en-us/profile/422668"&gt;iamrohitbanga&lt;/A&gt;&lt;/DIV&gt;
&lt;DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"&gt;&lt;EM&gt;&lt;BR /&gt;i have a small doubt concerning the behavior of cache in a buffer overflow attack.&lt;BR /&gt;&lt;BR /&gt;consider the following sequence of events:&lt;BR /&gt;1. suppose stack is in d-cache.&lt;BR /&gt;2. assume no context switch occurs.&lt;BR /&gt;3. return statement causes a return to a location on the stack and %eip points to stack address.&lt;BR /&gt;4. processor looks for stack address(code) in i-cache.&lt;BR /&gt;5. L1 cache miss. bring old stack from L2.&lt;BR /&gt;6. so new stack has not been written back to memory and old stack is loaded into i-cache.&lt;BR /&gt;7. stack coexisting in both d and i cache.&lt;BR /&gt;&lt;BR /&gt;only one of the changes is actually written back.&lt;BR /&gt;moreover since stack in i-cache loaded from L2 cache.&lt;BR /&gt;&lt;BR /&gt;If such a sequence of events occurs then the buffer overflow attack will be foiled possibly with an invalid machine instruction exception.&lt;BR /&gt;is this sequence of events possible?&lt;BR /&gt;&lt;BR /&gt;i understand this can now be handled by removing execute permissions from stack code but otherwise how was this handled in the pentium based systems.&lt;BR /&gt;&lt;BR /&gt;thank you&lt;/EM&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;This is where ring-based protection comes in. Also, the paging memory model helps to sort this out, as this way the stack gets its own set of addresses. So theoretically that means that, if managed correctly, it is possible to have an overflow that does not affect anything else due to this memory model.&lt;/P&gt;
&lt;P&gt;Many operating systems do not use this and "cheat" by using flat memory model. So this is what makes them more vulnerable to stack and buffer overflow attacks.&lt;/P&gt;
&lt;P&gt;Removing execute permissions is not a bad start, but is only a "first step" to protecting the stack. And from what I understand, 32-bit Pentium processors do not have hardware DEP or NX bits (maybe I am wrong).&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2009 05:28:27 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862544#M7756</guid>
      <dc:creator>Adam</dc:creator>
      <dc:date>2009-04-10T05:28:27Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862545#M7757</link>
      <description>OK,&lt;BR /&gt;but the more important point is how it is decided what goes into the d-cache and what goes into the i-cache.&lt;BR /&gt;&lt;BR /&gt;If the operands are assumed to be data, then putting them into the d-cache, modifying them to contain instructions and jumping to this position would cause an i-cache miss when things are actually cached in the d-cache. Thus both the d-cache and the i-cache contain the same data, which is inconsistent.&lt;BR /&gt;&lt;BR /&gt;So finally the question is how to decide what should go into the d- and i-cache.&lt;BR /&gt;&lt;BR /&gt;... I just found out that snooping is used to maintain coherency of caches among various processors. It could be used for maintaining coherency between the d- and i-caches as well.&lt;BR /&gt;&lt;A href="http://en.wikipedia.org/wiki/Cache_coherency" target="_blank"&gt;http://en.wikipedia.org/wiki/Cache_coherency&lt;/A&gt;&lt;BR /&gt;Is anyone sure of the exact implementation?&lt;BR /&gt;</description>
      <pubDate>Fri, 10 Apr 2009 08:49:11 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862545#M7757</guid>
      <dc:creator>iamrohitbanga</dc:creator>
      <dc:date>2009-04-10T08:49:11Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862546#M7758</link>
      <description>&lt;DIV style="margin:0px;"&gt;
&lt;DIV id="quote_reply" style="width: 100%; margin-top: 5px;"&gt;
&lt;DIV style="margin-left:2px;margin-right:2px;"&gt;Quoting - &lt;A href="https://community.intel.com/en-us/profile/422668"&gt;iamrohitbanga&lt;/A&gt;&lt;/DIV&gt;
&lt;DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"&gt;&lt;EM&gt;OK&lt;BR /&gt;but the more important point is how is it decided what goes into d-cache and what goes into i-cache.&lt;BR /&gt;&lt;BR /&gt;if the operands are assumed to be data then putting them into d-cache, modifying them to contain instructions and jumping to this position would cause a i-cache miss when things are actually cached in d-cache. thus both d-cache and i-cache contain the same data which is inconsistent.&lt;BR /&gt;&lt;BR /&gt;so finally the question is how to decide what should go into d and i cache.&lt;BR /&gt;&lt;BR /&gt;... i just found out that snooping is used to maintain coherency of cache among various processors. it could be used for maintaining coherency between d and i caches as well.&lt;BR /&gt;&lt;A href="http://en.wikipedia.org/wiki/Cache_coherency" target="_blank"&gt;http://en.wikipedia.org/wiki/Cache_coherency&lt;/A&gt;&lt;BR /&gt;is anyone sure of the exact implementation.&lt;BR /&gt;&lt;/EM&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;Modifying the data in d-cache to turn them into instructions and then trying to execute them will simply not work as the processor does not have a way of "guessing" whether it is an instruction or not. If it tried to do this there would be a security issue. Data can be executed. And this is not necessarily a good thing.&lt;/P&gt;
&lt;P&gt;The best way to solve this is to create a set of NOPs and then modify them. This will ensure that you are modifying the i-cache data and not the data in the d-cache.&lt;/P&gt;
&lt;P&gt;The rest of the question is confusing. If you can provide an example of exactly what you are attempting to do then it will be easy to understand which path to take.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2009 12:04:32 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862546#M7758</guid>
      <dc:creator>Adam</dc:creator>
      <dc:date>2009-04-10T12:04:32Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862547#M7759</link>
      <description>&lt;DIV style="margin:0px;"&gt;
&lt;DIV id="quote_reply" style="width: 100%; margin-top: 5px;"&gt;
&lt;DIV style="margin-left:2px;margin-right:2px;"&gt;Quoting - &lt;A href="https://community.intel.com/en-us/profile/405978"&gt;Adam Kachwalla&lt;/A&gt;&lt;/DIV&gt;
&lt;DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"&gt;&lt;EM&gt;
&lt;P&gt;Modifying the data in d-cache to turn them into instructions and then trying to execute them will simply not work as the processor does not have a way of "guessing" whether it is an instruction or not. If it tried to do this there would be a security issue. Data can be executed. And this is not necessarily a good thing.&lt;/P&gt;
&lt;P&gt;The best way to solve this is to create a set of NOPs and then modify them. This will ensure that you are modifying the i-cache data and not the data in the d-cache.&lt;/P&gt;
&lt;P&gt;The rest of the question is confusing. If you can provide an example of exactly what you are attempting to do then it will be easy to understand which path to take.&lt;/P&gt;
&lt;/EM&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
Security issue: yes, but this protection was not present in earlier Pentium-based systems (referring to Chapter 10, Computer Systems by Bryant).&lt;BR /&gt;&lt;BR /&gt;What I wish to understand is the strategy adopted in those classes of systems to synchronize data between the d- and i-cache while using a &lt;STRONG&gt;write-through&lt;/STRONG&gt; approach.&lt;BR /&gt;&lt;BR /&gt;How to decide which cache, i or d, should contain the data?&lt;BR /&gt;&lt;BR /&gt;I'll have to work out an example. It'll take some time.&lt;BR /&gt;&lt;BR /&gt;Here's a quick one though:&lt;BR /&gt;&lt;BR /&gt;#syntax is gcc based&lt;BR /&gt;mov %esp, %eax&lt;BR /&gt;push $(0x23843443)&lt;BR /&gt;push $(0x23424345)&lt;BR /&gt;.&lt;BR /&gt;.&lt;BR /&gt;.&lt;BR /&gt;#stack is in d-cache now&lt;BR /&gt;jmp (%eax)&lt;BR /&gt;# d-cache miss, bring old stack from L2 cache in i-cache&lt;BR /&gt;# stack is present in both d-cache and i-cache&lt;BR /&gt;# assume DEP not enabled&lt;BR /&gt;&lt;BR /&gt;Set of NOPs: yes, but I want to understand the cache management scheme for the separation of content between the d- and i-cache.&lt;BR /&gt;</description>
      <pubDate>Fri, 10 Apr 2009 13:42:29 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862547#M7759</guid>
      <dc:creator>iamrohitbanga</dc:creator>
      <dc:date>2009-04-10T13:42:29Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862548#M7760</link>
      <description>&lt;DIV style="margin:0px;"&gt;
&lt;DIV id="quote_reply" style="width: 100%; margin-top: 5px;"&gt;
&lt;DIV style="margin-left:2px;margin-right:2px;"&gt;Quoting - &lt;A href="https://community.intel.com/en-us/profile/422668"&gt;iamrohitbanga&lt;/A&gt;&lt;/DIV&gt;
&lt;DIV style="background-color:#E5E5E5; padding:5px;border: 1px; border-style: inset;margin-left:2px;margin-right:2px;"&gt;&lt;EM&gt; security issue: yes but this protection was not present in earlier pentium based systems (referring to Chapter 10, Computer Systems by Bryant)&lt;BR /&gt;&lt;BR /&gt;what i wish to understand is the strategy adopted in those classes of systems to synchronize data between d and i cache while using a &lt;STRONG&gt;write through&lt;/STRONG&gt; approach.&lt;BR /&gt;&lt;BR /&gt;how to decide which cache i or d should contain data&lt;BR /&gt;&lt;BR /&gt;i'll have to work out an example. it'll take some time.&lt;BR /&gt;&lt;BR /&gt;here's a quick one though&lt;BR /&gt;&lt;BR /&gt;#syntax is gcc based&lt;BR /&gt;mov %esp, %eax&lt;BR /&gt;push $(0x23843443)&lt;BR /&gt;push $(0x23424345)&lt;BR /&gt;.&lt;BR /&gt;.&lt;BR /&gt;.&lt;BR /&gt;#stack is in d-cache now&lt;BR /&gt;jmp (%eax)&lt;BR /&gt;# d-cache miss, bring old stack from L2 cache in i-cache&lt;BR /&gt;# stack is present in both d-cache and i-cache&lt;BR /&gt;# assume DEP not enabled&lt;BR /&gt;&lt;BR /&gt;set of NOPS: yes but i want to understand the cache management scheme for separation of content for d and i cache.&lt;BR /&gt;&lt;/EM&gt;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;P&gt;Congratulations on the green belt.&lt;/P&gt;
&lt;P&gt;The protection was software-based. It may not have been as good as it is now, but it is still better than nothing.&lt;/P&gt;
&lt;P&gt;The method for cache handling was not the best in the older processors. IIRC it would use data from d-cache as it is referenced by instructions.&lt;/P&gt;
&lt;P&gt;In your example above, it would only worry about the stack in d-cache. OK, I'll try and explain this:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Instruction block loaded into i-cache&lt;/LI&gt;
&lt;LI&gt;Instructions executed in sequential order.&lt;/LI&gt;
&lt;LI&gt;As they reference data that is in RAM, if the item does not exist in d-cache it will try and find it in i-cache.&lt;/LI&gt;
&lt;LI&gt;If not found in i-cache, it will look in RAM.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;This is basically from what I remember of how they manage what goes into what cache. Some instructions, as a result of this scheme, will of course land in d-cache.&lt;/P&gt;
&lt;P&gt;As for writing back:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Modifications are recorded in d-cache&lt;/LI&gt;
&lt;LI&gt;When any operation that requires cache flush is performed, the d-cache is written back to RAM.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Setting IP to point to a data location, from my understanding, should move the d-cache data into i-cache. This is where the buffer execution vulnerabilities come in.&lt;/P&gt;
&lt;P&gt;All this is how data is loaded into the respective caches. As for how data is written back, I am not exactly sure.&lt;/P&gt;
&lt;P&gt;Strictly speaking the synchronization of caches should be transparent. And it is usually the d-cache that stores modifications and data addresses while the i-cache stores the instructions to be executed only. I think read operations will obtain data from d-cache if it is present in both caches as well.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2009 23:29:50 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862548#M7760</guid>
      <dc:creator>Adam</dc:creator>
      <dc:date>2009-04-10T23:29:50Z</dc:date>
    </item>
    <item>
      <title>Re: buffer overflow and caches</title>
      <link>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862549#M7761</link>
      <description>&lt;DIV style="margin:0px;"&gt;&lt;/DIV&gt;
Could you cite some references?&lt;BR /&gt;</description>
      <pubDate>Sun, 12 Apr 2009 07:04:31 GMT</pubDate>
      <guid>https://community.intel.com/t5/Software-Archive/buffer-overflow-and-caches/m-p/862549#M7761</guid>
      <dc:creator>iamrohitbanga</dc:creator>
      <dc:date>2009-04-12T07:04:31Z</dc:date>
    </item>
  </channel>
</rss>