
Compromising Confidential Compute, One Bug at a Time.pdf

Uploaded by: 竿*** | ID: 981568 | 2025-11-29 | 93 pages | 2.13 MB

#BHUSA BlackHatEvents

Compromising Confidential Compute
One bug at a time

Max
Microsoft Offensive Research & Security Engineering (MORSE) Team

Security review of Intel TDX
- Partnership between Microsoft and Intel
- 4-month teamwork

1. The TDX Module: technical overview
2. Research approach and first findings
3. Vulnerability 1
4. Vulnerability 2

A change in virtualization architecture

Standard Architecture
- The guest's memory and registers are visible to the hypervisor
- [Diagram labels: Hypervisor, Guest1, Guest2, Cloud Provider, Cloud Customers, Attacker]

TDX Architecture
- TDX Module: firmware, gatekeeper
- Memory is encrypted, registers are hidden
- [Diagram labels: TDX, Hypervisor, Guest1, Guest2, Attacker]

The TDX Module
- Provides confidentiality and integrity guarantees to guests
- Available in future generation CPUs
- We're very interested in Confidential Computing in Azure
- Our goal: verify the security of the TDX module

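Based on the report, its main content can be summarized as follows:

1. **TDX Module overview**: The TDX Module provides confidentiality and integrity guarantees and runs on future-generation CPUs that support TDX; the goal is to verify the security of the TDX Module.
2. **Research approach and findings**: The TDX Module was studied using the Cornelius emulator, and multiple vulnerabilities were found.
3. **Vulnerability 1**: The TDX Module does not correctly context-switch the XMM registers when handling them, leading to crashes and leakage of confidential data.
4. **Vulnerability 2**: The Processor Trace (PT) feature has a flaw that allows the hypervisor to enable PT inside the TDX Module, thereby overwriting TDX memory and obtaining data, achieving full privilege escalation.
5. **Vulnerability 3**: The SEAMCALL instruction unconditionally triggers a VMEXIT, so a malicious guest can break the entire nested system by executing SEAMCALL.
6. **Impact**: These vulnerabilities may affect systems that run an older hypervisor on new hardware.
7. **Fixes**: Intel has fixed some of the vulnerabilities, and Microsoft has updated Hyper-V to recognize VMEXIT(SEAMCALL).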