The Experts below are selected from a list of 114 Experts worldwide ranked by ideXlab platform
Wang Qing-xian - One of the best experts on this subject based on the ideXlab platform.
-
Hidden process detection method based on multi-characteristics matching
Journal of Computer Applications, 2011Co-Authors: Wang Qing-xianAbstract:Based on certain detection characteristics of process,hidden process could be uncovered by memory searching.However,malware,with the help of developing Rootkit,could hardly be detected because its feature has been manipulated or virtual memory scan could be invalid,thus increasing the difficulty of detection.In order to address this issue,a new multi-characteristics matching approach was proposed.It was to obtain the whole physical memory image by Page Table Entry(PTE) patching,to extract the key fields from process data structure and construct a template to improve the reliability of characteristics,and to introduce similarity for preventing the detection leakage.The results show that the new detection is effective in the hidden process searching.
Jaehyuk Huh - One of the best experts on this subject based on the ideXlab platform.
-
Subspace Snooping: Exploiting Temporal Sharing Stability for Snoop Reduction
IEEE Transactions on Computers, 2012Co-Authors: Jeongseob Ahn, Daehoon Kim, Jaehong Kim, Jaehyuk HuhAbstract:Although snoop-based coherence protocols provide fast cache-to-cache transfers with a simple and robust coherence mechanism, scaling the protocols has been difficult due to the overheads of broadcast snooping. In this paper, we propose a coherence filtering technique called subspace snooping, which stores the potential sharers of each memory Page in the Page Table Entry. By using the sharer information in the Page Table Entry, coherence transactions for a Page generate snoop requests only to the subset of nodes in the system. However, the coherence subspace of a Page may evolve, as the phases of applications may change or the operating system may migrate threads to different nodes. To adjust subspaces dynamically, subspace snooping supports two different shrinking mechanisms, which remove obsolete nodes from subspaces. Among the two shrinking mechanisms, subspace snooping with safe shrinking can be integrated to any type of coherence protocols and network topologies, as it guarantees that a subspace always contains the precise sharers of a Page. Speculative shrinking breaks the subspace superset property, but achieves better snoop reductions than safe shrinking. We evaluate subspace snooping with Token Coherence on unordered mesh networks. Subspace snooping reduces 58 percent of snoops on average for a set of parallel scientific and server workloads, and 87 percent for our multiprogrammed workloads.
-
PACT - Subspace snooping: filtering snoops with operating system support
Proceedings of the 19th international conference on Parallel architectures and compilation techniques - PACT '10, 2010Co-Authors: Daehoon Kim, Jeongseob Ahn, Jaehong Kim, Jaehyuk HuhAbstract:Although snoop-based coherence protocols provide fast cache-to-cache transfers with a simple and robust coherence mechanism, scaling the protocols has been difficult due to the overheads of broadcast snooping. In this paper, we propose a coherence filtering technique called subspace snooping, which stores the potential sharers of each memory Page in the Page Table Entry. By using the sharer information in the Page Table Entry, coherence transactions for a Page generate snoop requests only to the subset of nodes in the system (subspace). However, the coherence subspace of a Page may evolve, as the phases of applications may change or the operating system may migrate threads to different nodes. To adjust subspaces dynamically, subspace snooping supports a shrinking mechanism, which removes obsolete nodes from subspaces. Subspace snooping can be integrated to any type of coherence protocols and network topologies. As subspace snooping guarantees that a subspace always contains the precise sharers of a Page, it does not restrict the designs of coherence protocols and networks. We evaluate subspace snooping with Token Coherence on un-ordered mesh networks. For scientific and server applications on a 16-core system, subspace snooping reduces 44% of snoops on average.
Manisha Jailia - One of the best experts on this subject based on the ideXlab platform.
-
Concurrency Control Algorithms for Translation Lookaside Buffer
Information and Communication Technology for Competitive Strategies, 2018Co-Authors: Manisha Agarwal, Manisha JailiaAbstract:A multiprocessor which shares the memory among processors and uses multiples translation lookaside buffers (TLBs) can face various problems. One such problem is the problem of inconsistency which may occur when the Page Table Entry (PTE) is updated because of the multiple copies of same Page Table Entry in various TLBs. Commonly, the inconsistency problem exists in virtually tagged caches, which keep Page Table Entry information, like reference bit, dirty bit and protection bit, in every cache line (Agarwal et al Inconsistency in translation lookaside buffer, 2016 [1]). This paper presents concurrency control algorithms for translation lookaside buffer. We focus on algorithms that reduce the access rights to a Page without causing the TLB inconsistency problem.
-
Inconsistency in translation lookaside buffer
2016 International Conference on ICT in Business Industry & Government (ICTBIG), 2016Co-Authors: Manisha Agarwal, Manisha JailiaAbstract:A multiprocessor which shares the memory among processors and uses multiples translation lookaside buffers (TLBs) can face various problems. One such problem is the problem of inconsistency which may occur when the Page Table Entry (PTE) is updated because of the multiple copies of same Page Table Entry in various TLBs. Commonly, the inconsistency problem exists in virtually tagged caches, which keep Page Table Entry information, like reference bit, dirty bit and protection bit, in every cache line. This paper describes the problem of translation lookaside buffer inconsistency in multiprocessors with shared memory. First of all problem statement is given. Then paper presents the argument that inconsistency problem exist even when in cache address translation removes a separate translation lookaside buffer. Later, the TLB inconsistency classification and causes of inconsistency because of operating system operations are discussed.
Zhi Wang - One of the best experts on this subject based on the ideXlab platform.
-
TeleHammer: A Formal Model of Implicit Rowhammer
arXiv: Cryptography and Security, 2019Co-Authors: Zhi Zhang, Yueqiang Cheng, Dongxi Liu, Surya Nepal, Zhi WangAbstract:The rowhammer bug allows an attacker to gain privilege escalation or steal private data. A key requirement of all existing rowhammer attacks is that an attacker must have access to at least part of an exploiTable hammer row. We refer to such rowhammer attacks as PeriHammer. The state-of-the-art software-only defenses against PeriHammer attacks is to make the exploiTable hammer rows beyond the attacker's access permission. In this paper, we question the necessity of the above requirement and propose a new class of rowhammer attacks, termed as TeleHammer. It is a paradigm shift in rowhammer attacks since it crosses privilege boundary to stealthily rowhammer an inaccessible row by implicit DRAM accesses. Such accesses are achieved by abusing inherent features of modern hardware and or software. We propose a generic model to rigorously formalize the necessary conditions to initiate TeleHammer and PeriHammer, respectively. Compared to PeriHammer, TeleHammer can defeat the advanced software-only defenses, stealthy in hiding itself and hard to be mitigated. To demonstrate the practicality of TeleHammer and its advantages, we have created a TeleHammer's instance, called PThammer, which leverages the address-translation feature of modern processors. We observe that a memory access from user space can induce a load of a Level-1 Page-Table Entry (L1PTE) from memory and thus hammer the L1PTE once, although L1PTE is not accessible to us. To achieve a high enough hammering frequency, we flush relevant TLB and cache effectively and efficiently. To this end, we demonstrate PThammer on three different test machines and show that it can cross user-kernel boundary and induce the first bit flips in L1PTEs within 15 minutes of double-sided PThammering. We have exploited PThammer to defeat advanced software-only rowhammer defenses in default system setting.
-
TeleHammer : A Stealthy Cross-Boundary Rowhammer Technique
arXiv: Cryptography and Security, 2019Co-Authors: Zhi Zhang, Yueqiang Cheng, Dongxi Liu, Surya Nepal, Zhi WangAbstract:Rowhammer exploits frequently access specific DRAM rows (i.e., hammer rows) to induce bit flips in their adjacent rows (i.e., victim rows), thus allowing an attacker to gain the privilege escalation or steal the private data. A key requirement of all such attacks is that an attacker must have access to at least part of a hammer row adjacent to sensitive victim rows. We refer to these rowhammer attacks as PeriHammer. The state-of-the-art software-only defences against PeriHammer attacks is to make such hammer rows inaccessible to the attacker. In this paper, we question the necessity of the above requirement and propose a new class of rowhammer attacks, termed as TeleHammer. It is a paradigm shift in rowhammer attacks since it crosses memory boundary to stealthily rowhammer an inaccessible row by virtue of freeloading inherent features of modern hardware and/or software. We propose a generic model to rigorously formalize the necessary conditions to initiate TeleHammer and PeriHammer, respectively. Compared to PeriHammer, TeleHammer can defeat the advanced software-only defenses, stealthy in hiding itself and hard to mitigate. To demonstrate the practicality of TeleHammer and its advantages, we have created a TeleHammer's instance, called PThammer, which leverages the address-translation feature of modern processors. We observe that a memory access can induce a fetch of a Level-1 Page-Table Entry (PTE) from memory and thus cause hammering the PTE once. To achieve a high hammer-frequency, we flush relevant TLB and cache effectively and efficiently. To this end, PThammer can cross user-kernel boundary to rowhammer rows occupied by Level-1 PTEs and induce bit flips in adjacent victim rows that also host Level-1 PTEs. We have exploited PThammer to defeat advanced software-only defenses in bare-metal systems.
Qingxian Wang - One of the best experts on this subject based on the ideXlab platform.
-
Towards a Novel Approach for Hidden Process Detection Based on Physical Memory Scanning
2012 Fourth International Conference on Multimedia Information Networking and Security, 2012Co-Authors: Junhu Zhu, Tianyang Zhou, Qingxian WangAbstract:Leveraging developed root kit, malware could deeply hide its own process and hardly be detected. Based on analyzing various existing detecting technologies, a novel approach for hidden process detection was proposed in this paper. The approach used Page Table Entry patching to traverse physical memory and obtain the raw data, and formulated the characteristic selection constraints to extract reliable process object characteristics, which were used to search process object instances based on string matching in physical memory to form a credible list of processes. The approach could also be used to search other kernel objects on varieties of system platforms. The experimental results show that new detection is effective in hidden process searching.
