{"id":2467,"date":"2022-12-26T17:34:23","date_gmt":"2022-12-26T16:34:23","guid":{"rendered":"https:\/\/ff.mhrooz.xyz\/?p=2467"},"modified":"2023-02-12T23:33:02","modified_gmt":"2023-02-12T22:33:02","slug":"embedded_system_and_security_xue_xi_bi_ji","status":"publish","type":"post","link":"https:\/\/blog.mhrooz.xyz\/index.php\/2022\/12\/26\/embedded_system_and_security_xue_xi_bi_ji\/","title":{"rendered":"Embedded System and Security Study Notes"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Chapter 1 Microcontroller Basics<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Components of an embedded system<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"997\" height=\"550\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.45.49.png\" alt=\"\" class=\"wp-image-2472\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.45.49.png 997w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.45.49-300x165.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.45.49-768x424.png 768w\" sizes=\"(max-width: 997px) 100vw, 997px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>Processor<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Memory<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>I\/O Interfaces<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Peripherals<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Hardware Security Module<\/li>\n<\/ul>\n\n\n\n<p>An HSM is a physical device that provides secure storage and processing of sensitive data, such as cryptographic keys and passwords. HSMs are typically used in environments where high levels of security are required, such as financial institutions and government agencies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Components of a microcontroller<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.46.26.png\" alt=\"\" class=\"wp-image-2473\" width=\"605\" height=\"336\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.46.26.png 993w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.46.26-300x166.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-17.46.26-768x426.png 768w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">(1) CPU<\/h4>\n\n\n\n<ul>\n<li>Cache\/Scratch Pad<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Interrupt Unit<\/li>\n<\/ul>\n\n\n\n<p>An interrupt unit is a hardware component responsible for managing interrupt requests. An interrupt request is a signal sent by a device or program to the system indicating that it needs to be serviced immediately.<br>When an interrupt request is received, the interrupt unit temporarily stops the current process and <strong>handles the request<\/strong> by injecting a jump to an interrupt handler into the instruction path of the processor.<\/p>\n\n\n\n<ul>\n<li>Debug Unit<\/li>\n<\/ul>\n\n\n\n<p>The debug unit is accessed through a debug port or interface. It allows one to view the system&#8217;s <strong>internal state<\/strong>, including the values of registers, memory locations, and other system variables. It also allows them to set breakpoints and watchpoints, which pause the system&#8217;s execution and inspect its state at specific points in time.<\/p>\n\n\n\n<ul>\n<li>Bus Bridge<\/li>\n<\/ul>\n\n\n\n<p>A bus bridge is a hardware component that is used to connect buses that operate at different speeds or use different protocols. 
It allows devices that are connected to one bus to communicate with devices that are connected to another bus.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) High Bandwidth Bus<\/h4>\n\n\n\n<p>It is typically used to transfer <strong>large amounts of data<\/strong> between components in the system, such as between the CPU and main memory, between the CPU and high-speed peripherals, or between DMA and main memory.<\/p>\n\n\n\n<ul>\n<li>Memory + MMU + MPU<\/li>\n<\/ul>\n\n\n\n<p>RAM: on-chip volatile memory (erased after power down).<br>ROM: non-volatile memory.<br>Flash, EEPROM, FRAM: non-volatile but erasable memory.<\/p>\n\n\n\n<ul>\n<li>DMA<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Fast IO<\/li>\n<\/ul>\n\n\n\n<p>PCIe, Ethernet, high-speed USB.<br>External memory interfaces.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Slow Bus<\/h4>\n\n\n\n<p>Peripherals that do not require a high data transfer rate are typically connected to a slow bus, such as:<\/p>\n\n\n\n<ul>\n<li>Slow I\/O<\/li>\n<\/ul>\n\n\n\n<p>Full-speed USB.<\/p>\n\n\n\n<ul>\n<li>Accelerators<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>AD\/DA<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Timer<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Control unit<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>MMI (Man Machine Interface)<\/li>\n<\/ul>\n\n\n\n<p>Interface to displays or keypads.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Registers in Cortex-M<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"961\" height=\"610\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.29.34.png\" alt=\"\" class=\"wp-image-2474\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.29.34.png 961w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.29.34-300x190.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.29.34-768x487.png 768w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">(1) Relationship between SP, LR and PC<\/h4>\n\n\n\n<p>When a subroutine is called, the current value of the PC is saved in the LR, and the PC is updated to point to the first instruction of the subroutine. At the same time, the SP is typically updated to allocate space on the stack for any local variables or data that the subroutine needs to store.<\/p>\n\n\n\n<p>When the subroutine finishes execution, the program can return to the correct location by loading the value stored in the LR back into the PC. The SP is also typically updated to deallocate the space on the stack that was used by the subroutine.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>Why is the link register used to store the return address rather than storing it on the stack?<\/p>\n\n\n\n<ul>\n<li>Speed<\/li>\n<\/ul>\n\n\n\n<p>Storing the return address in the LR is faster than storing it on the stack because the LR is a special-purpose register that is dedicated to this purpose and is <strong>accessed directly<\/strong> by the processor. 
Storing the return address on the stack would require additional memory accesses, which would be slower.<\/p>\n\n\n\n<ul>\n<li>Simplicity<\/li>\n<\/ul>\n\n\n\n<p>Using an LR to store the return address simplifies the process of calling and returning from subroutines because the return address is always stored in the <strong>same place<\/strong>. This makes it easier for the processor to manage subroutine calls and returns and reduces the complexity of the program execution process.<\/p>\n\n\n\n<ul>\n<li>Efficient use of the stack<\/li>\n<\/ul>\n\n\n\n<p>Storing the return address on the stack would use up space on the stack, which is needed to store other data, such as local variables and intermediate results. <\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>Why is the return address pushed onto the stack when we have the link register?<\/p>\n\n\n\n<ul>\n<li>Stack usage<\/li>\n<\/ul>\n\n\n\n<p>The stack is a data structure that is used to store temporary data, such as local variables and intermediate results. Pushing the return address onto the stack can allow the system to use the link register <strong>for other purposes<\/strong>, such as storing temporary data or performing other tasks, without overwriting the return address.<\/p>\n\n\n\n<ul>\n<li>Function calling conventions<\/li>\n<\/ul>\n\n\n\n<p>Pushing the return address onto the stack may be required by <strong>conventions<\/strong> in order to allow the system to properly return from the function or subroutine.<\/p>\n\n\n\n<ul>\n<li>Hardware support<\/li>\n<\/ul>\n\n\n\n<p>Some systems may have hardware support for stack-based function calls and subroutines, which may require the return address to be pushed onto the stack in order to work properly.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
ARM Assembler Instructions<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"760\" height=\"467\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.51.39.png\" alt=\"\" class=\"wp-image-2478\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.51.39.png 760w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-18.51.39-300x184.png 300w\" sizes=\"(max-width: 760px) 100vw, 760px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">5. Stack and Heap<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Role of Stack<\/h4>\n\n\n\n<p>The stack is a data structure that is used to store temporary data. It is called a stack because it operates using the Last In, First Out (LIFO) principle.<\/p>\n\n\n\n<ul>\n<li>Storing <strong>local variables<\/strong> of a function.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Implementing function calls and returns<\/li>\n<\/ul>\n\n\n\n<p>Storing the state of the CPU including registers, and current PC (into LR) onto the stack.<\/p>\n\n\n\n<ul>\n<li>Storing function <strong>parameters<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Stack Operations<\/h4>\n\n\n\n<p>The stack pointer starts at a high memory address and is decremented during the usage of the stack.<\/p>\n\n\n\n<p><code>PUSH Rx<\/code><\/p>\n\n\n\n<p>The stack pointer is decremented by 4 B (a line on stack). <code>Rx<\/code> is stored in a location where <code>SP<\/code> points.<\/p>\n\n\n\n<p><code>POP Rx<\/code><\/p>\n\n\n\n<p>Data at the memory address stored in <code>SP<\/code> are loaded in <code>Rx<\/code>. The stack pointer is incremented by 4 B.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Stack Frame Pointer<\/h4>\n\n\n\n<p>A stack frame pointer (FP), on the other hand, is a register that points to the base of the current function&#8217;s stack frame. 
The stack frame pointer register is used to keep track of the start of the current function&#8217;s stack frame and it is typically used to access the function&#8217;s local variables and parameters.<\/p>\n\n\n\n<p>Using a separate stack frame pointer in addition to the stack pointer allows for more efficient memory management and faster access to local variables and function call information. For example, with a separate stack frame pointer, the compiler can use fixed offsets from the frame pointer to access local variables, which can be faster than calculating the offsets from the stack pointer. Additionally, having a stack frame pointer can make it easier to debug the program and trace the function call stack.<\/p>\n\n\n\n<p>For example, the FP can improve speed if a function uses dynamic allocation on the stack, e.g. due to runtime-sized local objects in C++.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(4) Role of Heap<\/h4>\n\n\n\n<p>The heap is a region of memory that is used for dynamic memory allocation. It is called a heap because it is typically implemented as a tree-based data structure, with the root node at the top of the heap and the leaf nodes at the bottom.<\/p>\n\n\n\n<p>The heap is used to allocate memory at runtime, rather than at compile time, and is typically used for large blocks of memory that are needed for a long period of time. It is managed by the system&#8217;s <strong>memory allocator<\/strong>, which is responsible for allocating (<code>malloc<\/code>, <code>calloc<\/code>) and deallocating memory as needed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 2 Debugging<\/h2>\n\n\n\n<p><code>for( uint8_t i = 42; i &gt;= 0; --i);<\/code><\/p>\n\n\n\n<p>This is an endless loop: for the loop to stop, <code>i<\/code> would have to become <code>-1<\/code>, but <code>i<\/code> is unsigned and can never be <code>-1<\/code>; decrementing it from <code>0<\/code> wraps around to <code>255<\/code> instead, so the condition <code>i &gt;= 0<\/code> is always true.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Debugging<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Methods<\/h4>\n\n\n\n<ul>\n<li>Changing Code -&gt; Heisenbugs<\/li>\n<\/ul>\n\n\n\n<p>Assertions, <code>print<\/code> statements, live checking(blinking LED)<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>Heisenbugs are particularly challenging to debug because they can be difficult to reproduce and may not always exhibit the same behavior. They may appear and disappear seemingly at random, making it difficult to identify the root cause of the problem.<\/p>\n\n\n\n<p>There are several factors that can contribute to the occurrence of Heisenbugs, including:<\/p>\n\n\n\n<ul>\n<li>Race conditions<\/li>\n<\/ul>\n\n\n\n<p>Heisenbugs can be caused by race conditions, which occur when two or more threads or processes try to access or modify shared resources at the same time.<\/p>\n\n\n\n<ul>\n<li>Timing issues<\/li>\n<\/ul>\n\n\n\n<p>Heisenbugs can also be caused by timing issues, such as when a program relies on the exact timing of certain events or actions.<\/p>\n\n\n\n<ul>\n<li>Interactions with hardware or other software<\/li>\n<\/ul>\n\n\n\n<p>Heisenbugs may also be caused by interactions with hardware or other software, such as when a program relies on certain hardware features or behaves differently when running on different operating systems or hardware configurations.<\/p>\n<\/blockquote>\n\n\n\n<ul>\n<li>Debugger<\/li>\n<\/ul>\n\n\n\n<p>HW or SW debuggers.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) HW Debuggers<\/h4>\n\n\n\n<p>Debuggers are specialized tools used to identify and fix errors or defects in a computer program or system. They provide a range of features that allow the programmer to execute a program line by line, inspect the values of variables and memory locations, and control the execution of the program. 
Some common features of debuggers include:<\/p>\n\n\n\n<ul>\n<li>Halt After Reset<\/li>\n<\/ul>\n\n\n\n<p>The &#8220;halt after reset&#8221; feature is a setting in a debugger that determines whether the debugger should automatically pause the execution of the program after a reset event. A reset event is a condition that causes the program or system to restart, such as a power cycle or a hardware reset.<\/p>\n\n\n\n<ul>\n<li>Breakpoints<\/li>\n<\/ul>\n\n\n\n<p>Breakpoints allow the programmer to pause the execution of the program at a specific point and examine the state of the system. They can be set at specific lines of code, at certain memory locations, or when a certain condition is met.<\/p>\n\n\n\n<ul>\n<li>Watchpoints (Data Address + Value Trigger)<\/li>\n<\/ul>\n\n\n\n<p>Watchpoints allow the programmer to specify variables or memory locations that should be monitored as the program executes. The debugger will automatically pause the program whenever the value of a watched variable or memory location is modified.<\/p>\n\n\n\n<ul>\n<li>Single Stepping<\/li>\n<\/ul>\n\n\n\n<p>Execute single machine code instructions (<code>stepi<\/code>).<\/p>\n\n\n\n<p>Execute single HLL (High-Level Language) statements (<code>step<\/code>).<\/p>\n\n\n\n<ul>\n<li>Trace<\/li>\n<\/ul>\n\n\n\n<p>Program trace: shows which instructions are executed and when.<\/p>\n\n\n\n<p>Data trace: allows tracing of certain memory contents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 3 Interrupts &amp; Exceptions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Exceptions &amp; Interrupts<\/h3>\n\n\n\n<p>Both temporarily suspend the execution of the current program and transfer control to a special routine called a handler. There are several key differences:<\/p>\n\n\n\n<ul>\n<li>Source<\/li>\n<\/ul>\n\n\n\n<p>Interrupts are typically triggered by <strong>external event<\/strong>s, such as a hardware device (e.g. a keyboard) requesting service or a timer expiring. 
<\/p>\n\n\n\n<p>Exceptions, on the other hand, are typically triggered by errors or exceptional conditions that occur during the execution of the program, such as <strong>division by zero<\/strong> or an illegal instruction.<\/p>\n\n\n\n<ul>\n<li>Number of arguments<\/li>\n<\/ul>\n\n\n\n<p>Interrupts do not typically have arguments, as they are simply signals to the processor to stop executing the current code and start executing the ISR. Exceptions can have arguments, which are additional pieces of information that are passed to the exception handler along with the exception. These arguments can be used to provide more information about the exception and to help the exception handler determine how to respond to the exception.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Interrupt<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Interrupt System<\/h4>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-22.28.14.png\" alt=\"\" class=\"wp-image-2485\" width=\"652\" height=\"278\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-22.28.14.png 1023w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-22.28.14-300x128.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-26-22.28.14-768x327.png 768w\" sizes=\"(max-width: 652px) 100vw, 652px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>Interrupt Controller<\/li>\n<\/ul>\n\n\n\n<p>This is a hardware device that receives interrupts from external devices and internal sources and sends them to the processor. The interrupt controller may also prioritize interrupts and determine the order in which they are serviced.<\/p>\n\n\n\n<ul>\n<li>Interrupt Handler \/ Service Routine<\/li>\n<\/ul>\n\n\n\n<p>This is a special routine that is executed when an interrupt occurs. 
The interrupt handler processes the interrupt and may also communicate with the external device or internal source that triggered the interrupt.<\/p>\n\n\n\n<ul>\n<li>Vector Table<\/li>\n<\/ul>\n\n\n\n<p>This is a table that contains the <strong>addresses<\/strong> of the interrupt handlers for each type of interrupt. When an interrupt occurs, the processor looks up the address of the corresponding interrupt handler in the interrupt vector table and <strong>transfers control<\/strong> to it.<\/p>\n\n\n\n<ul>\n<li>Context Save<\/li>\n<\/ul>\n\n\n\n<p>When an interrupt occurs, the CPU typically saves the current values of <strong>8<\/strong> <strong>caller-saved<\/strong> <strong>registers<\/strong> (<code>PC<\/code>, <code>PSR<\/code>, <code>R0-R3<\/code>; <code>R12<\/code>, <code>LR<\/code>) on the stack.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Interrupt Latency<\/h4>\n\n\n\n<ul>\n<li>Reasons<\/li>\n<\/ul>\n\n\n\n<p>The delay between an interrupt signal and the execution of the service routine depends on the time to push the context onto the stack, the time to update the program counter to the service routine, resource conflicts, interrupts with higher priorities, and the longest run time of any multi-cycle non-interruptable instruction.<\/p>\n\n\n\n<ul>\n<li>Measures to reduce latency<\/li>\n<\/ul>\n\n\n\n<p><strong>Tail Chaining<\/strong>: if a 2<sup>nd<\/sup> interrupt of the same or lower priority arrives during the execution phase of the 1<sup>st<\/sup>, the 2<sup>nd<\/sup> interrupt is executed immediately after the 1<sup>st<\/sup> without the 1<sup>st<\/sup>&#8217;s unstacking (and a fresh stacking).<\/p>\n\n\n\n<p><strong>Late Arrival<\/strong>: if a 2<sup>nd<\/sup> higher priority interrupt arrives during the stacking phase of the 1<sup>st<\/sup>, the 2<sup>nd<\/sup> interrupt is executed first.<\/p>\n\n\n\n<p><strong>Pop Preemption<\/strong>: if a 2<sup>nd<\/sup> interrupt arrives during the unstacking phase of the 1<sup>st<\/sup>, unstacking is stopped and the 2<sup>nd<\/sup> interrupt is executed 
immediately.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Types of Interrupts<\/h4>\n\n\n\n<ul>\n<li>Level triggered<\/li>\n<\/ul>\n\n\n\n<p>The peripheral raises the interrupt signal to the interrupt controller. The SW needs to clear the interrupt bit in the peripheral.<\/p>\n\n\n\n<ul>\n<li>Edge triggered<\/li>\n<\/ul>\n\n\n\n<p>The peripheral generates a pulse of a defined length if an interrupt has occurred. The interrupt event has to be stored in the interrupt controller; once the interrupt is executed, the interrupt controller clears the flag.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(4) Applications<\/h4>\n\n\n\n<p>Wakeup from sleep\/power down mode<\/p>\n\n\n\n<p>Timer Interrupts<\/p>\n\n\n\n<p>Handling of communication peripherals<\/p>\n\n\n\n<p>Handling of coprocessors with long runtimes<\/p>\n\n\n\n<p>Direct Memory Access (DMA)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Polling<\/h3>\n\n\n\n<p>Polling involves repeatedly checking for the occurrence of an event. It might consume a significant amount of CPU time and have higher latency.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Exceptions<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Types<\/h4>\n\n\n\n<ul>\n<li>Fault<\/li>\n<\/ul>\n\n\n\n<p>A fault is an exceptional condition that occurs when the program attempts to perform an illegal operation or access memory that it is not allowed to access. Faults are typically handled by the operating system or the processor, which may <strong>fix the problem<\/strong> and restart the program.<\/p>\n\n\n\n<ul>\n<li>Trap<\/li>\n<\/ul>\n\n\n\n<p>A trap <strong>interrupts<\/strong> the normal flow of execution of a program and transfers control to a specific routine or handler. 
Traps are often used to handle <strong>exceptional<\/strong> conditions, such as divide-by-zero errors or illegal memory accesses, and can be triggered by certain events or conditions.<\/p>\n\n\n\n<ul>\n<li>Abort<\/li>\n<\/ul>\n\n\n\n<p>Abort <strong>terminates<\/strong> a program or process due to an error or exceptional condition. When a program aborts, it stops running and any resources that it was using are released.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Usage<\/h4>\n\n\n\n<p>Debugging of programming errors<\/p>\n\n\n\n<p>Scheduling in operating systems<\/p>\n\n\n\n<p>Switching between processor modes<\/p>\n\n\n\n<p>Reconfiguring MPU\/MMU settings<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. CMSIS (Cortex Microcontroller Software Interface Standard)<\/h3>\n\n\n\n<p>Cortex Microcontroller Software Interface Standard (CMSIS) is a software development framework for microcontrollers based on the Cortex-M processor core. It is developed and maintained by ARM and is intended to simplify and standardize the software interface to the Cortex-M processor core and its peripherals.<\/p>\n\n\n\n<p>CMSIS-Core provides a hardware abstraction layer (HAL): a set of common components, such as device headers, peripheral register definitions, and core peripheral functions that can be used across different Cortex-M-based microcontroller vendors and devices. This allows for a consistent and <strong>standardized<\/strong> way of accessing the hardware resources of a Cortex-M microcontroller, regardless of the specific device or vendor. -&gt; Standardization.<\/p>\n\n\n\n<p>The CMSIS also provides a set of libraries, such as CMSIS-DSP and CMSIS-RTOS, which provide a set of standard functions for digital signal processing and real-time operating systems, respectively. This allows developers to write <strong>portable<\/strong> and <strong>reusable<\/strong> code that can be easily ported between different Cortex-M microcontrollers and development boards. 
-&gt; Reusability, faster software development.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"531\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-1024x531.png\" alt=\"\" class=\"wp-image-2648\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-1024x531.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-300x156.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-768x398.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-1536x797.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18-1568x813.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-27-17.01.18.png 1812w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>Startup File <code>startup_&lt;device&gt;.s<\/code> contains<\/li>\n<\/ul>\n\n\n\n<p>The reset handler that is executed after CPU <strong>reset<\/strong> and typically calls <code>SystemInit<\/code> (defined in <code>system_&lt;device&gt;.c<\/code>). The setup values for the Main Stack Pointer (<strong>MSP<\/strong>). <strong>Exception<\/strong> vectors with weak functions that implement default routines. <strong>Interrupt<\/strong> vectors that are device specific with weak functions that implement default routines.<\/p>\n\n\n\n<ul>\n<li>System Configuration File <code>system_&lt;device&gt;.c<\/code> contains<\/li>\n<\/ul>\n\n\n\n<p>C functions that help to configure the system properly.<\/p>\n\n\n\n<ul>\n<li>Device Header File <code>&lt;device&gt;.h<\/code> contains<\/li>\n<\/ul>\n\n\n\n<p>Definitions related to the specific chip, e.g. 
base addresses of the peripherals and interrupt numbers (the lower the number, the higher the priority).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 4 Boundary Errors and Control Hijacking Attacks<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Stack-based Buffer Overflow Attack<\/h3>\n\n\n\n<p>C compilers usually arrange the memory as follows:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.13.08-1024x865.png\" alt=\"\" class=\"wp-image-2503\" width=\"467\" height=\"394\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.13.08-1024x865.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.13.08-300x253.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.13.08-768x649.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.13.08.png 1470w\" sizes=\"(max-width: 467px) 100vw, 467px\" \/><\/figure><\/div>\n\n\n<p>A typical stack frame (for a function that calls other functions) looks like this:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"678\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-1024x678.png\" alt=\"\" class=\"wp-image-2504\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-1024x678.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-300x198.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-768x508.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-1536x1016.png 1536w, 
https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-2048x1355.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.18.20-1568x1037.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<blockquote class=\"wp-block-quote\">\n<p>Why should a stack frame contain the address of the previous frame?<\/p>\n\n\n\n<p>In many computer programs, the call stack is implemented as a linked list, with each stack frame containing a pointer to the previous stack frame. This allows the program to easily access the data associated with the previous function call when a function returns. This is especially important in programs that make frequent use of recursive function calls, as each recursive call creates a new stack frame that needs to be linked to the previous one.<\/p>\n\n\n\n<p>In addition, including a pointer to the previous stack frame in each stack frame can also make it easier to debug the program by providing a record of the sequence of function calls that led to a particular point in the program&#8217;s execution. This can be useful in identifying errors or problems in the program&#8217;s code.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Code Reuse Attacks<\/h3>\n\n\n\n<ul>\n<li>Return-Oriented Programming<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-1024x560.png\" alt=\"\" class=\"wp-image-2505\" width=\"643\" height=\"352\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-1024x560.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-300x164.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-768x420.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-1536x840.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-2048x1120.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.33.35-1568x858.png 1568w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/figure><\/div>\n\n\n<p>The chaining instruction at the end of a gadget need not be a literal RET; any RET-like instruction works (e.g. <code>pop PC<\/code>).<\/p>\n\n\n\n<ul>\n<li>Methodology<\/li>\n<\/ul>\n\n\n\n<p>1. Scan common libraries for useful instruction sequences ending in gadget-chaining instructions (e.g. <code>ret<\/code>).<\/p>\n\n\n\n<p>2. Chain instruction sequences using RET instructions in order to form the desired gadgets.<\/p>\n\n\n\n<p>3. Create a payload list of the addresses of the gadgets and any<br>values used for computations.<\/p>\n\n\n\n<p>4. Introduce the payload into the stack.<\/p>\n\n\n\n<p>5. Point the stack pointer at the first address of the payload.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Countermeasures<\/h3>\n\n\n\n<ul>\n<li>NX segments<\/li>\n<\/ul>\n\n\n\n<p>Non eXecutable (NX) segments prevent the execution of (injected) code from data segments (e.g. 
stack)<\/p>\n\n\n\n<ul>\n<li>Canaries<\/li>\n<\/ul>\n\n\n\n<p>The program is terminated if the canary in the stack is corrupted and does not match an expected value.<\/p>\n\n\n\n<ul>\n<li>Shadow Stacks<\/li>\n<\/ul>\n\n\n\n<p>When a function is entered the return address is copied to a different location called the shadow stack.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Other types of Buffer Overflows<\/h3>\n\n\n\n<ul>\n<li>Integer Overflows<\/li>\n<\/ul>\n\n\n\n<p>Integer overflow occurs when a program tries to store a number that is too large to fit within the allocated space for it. In programming languages, integers are usually stored in a fixed number of bits, such as 8 bits for a byte or 32 bits for a word. When an integer value exceeds the maximum value that can be represented by the allocated number of bits, an integer overflow occurs.<\/p>\n\n\n\n<p>For example, consider a program that uses 8-bit integers to store a count of the number of items in a list. If the program tries to store a value greater than 255 (the maximum value that can be represented by an 8-bit integer), an integer overflow will occur. The value stored in the integer will &#8220;wrap around&#8221; to a lower value, resulting in incorrect data being stored in the program.<\/p>\n\n\n\n<p>Consequences of integer overflow can include:<\/p>\n\n\n\n<p><strong>Incorrect results<\/strong>: If an integer overflow causes a program to store an incorrect value, this can lead to incorrect results being produced by the program.<\/p>\n\n\n\n<p><strong>Security vulnerabilities<\/strong>: Integer overflows can also create security vulnerabilities in a program. 
For example, if an attacker is able to cause an integer overflow in a length field that a program uses to check the validity of user input, they may be able to bypass the check, overflow a buffer and gain unauthorized access to a system.<\/p>\n\n\n\n<ul>\n<li>Format String Vulnerabilities<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;stdio.h&gt;\n\nint main(void) {\n  char username&#91;128];\n  printf(\"Enter your username: \");\n  scanf(\"%127s\", username);   \/* width limit; a bare %s would overflow the buffer *\/\n  printf(\"Welcome, \");\n  printf(username);            \/* BUG: user input is used as the format string *\/\n  printf(\"!\\n\");\n  return 0;\n}<\/code><\/pre>\n\n\n\n<p>An attacker could exploit this vulnerability by entering a format string as their username, such as &#8220;%x%x%x%x%x%x%x%x%x%x&#8221; or &#8220;%s%s%s%s%s%s%s%s%s%s&#8221;. Because the input is passed as the format argument, <code>printf()<\/code> interprets it as a series of <strong>placeholders<\/strong> and pulls the corresponding &#8220;arguments&#8221; from the stack (or argument registers) even though none were passed. This can disclose stack contents such as local variables, return addresses and canaries, crash the program, or, with <code>%n<\/code>, lead to the execution of arbitrary code.<\/p>\n\n\n\n<p>&#8220;%x&#8221; prints the next stack word as a hex value; &#8220;%s&#8221; treats the next stack word as a pointer and reads the string it points to. &#8220;%n&#8221; writes the number of characters printed so far to the integer pointed to by the next stack word; since the attacker&#8217;s input buffer usually lies on the stack as well, they can place a target address in it, walk up to it with extra conversions and write a chosen value there (the count is adjusted with padding such as <code>%200x<\/code>). Typical targets are a return address or a function pointer.<\/p>\n\n\n\n<p>To prevent this type of attack, the format string must never come from user input: keep it a string literal and pass the user data as an argument, so that the data is printed and never interpreted. 
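<\/p>\n\n\n\n<p>As an added example (not part of the original notes), the C code below shows what happens when the user string becomes the format: the <code>%n<\/code> conversion turns printing into a memory write, while the same input through a constant format is harmless. Passing <code>victim<\/code> explicitly is a simplification; in a real exploit the pointer comes from the attacker&#8217;s own input on the stack. The attacker input is constructed.<\/p>\n\n\n\n
```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original notes. The vulnerable function
 * uses the user string as the format. Handing over 'victim' as an explicit
 * argument is a simplification: in a real exploit the pointer that %n writes
 * through comes from the attacker's own input lying on the stack, reached by
 * skipping stack words with extra conversions. */
int echo_vulnerable(char *out, size_t outsz, const char *user, int *victim)
{
    /* Only -Wformat-nonliteral reports this call; -Wformat-security stays
     * silent because an argument is present. */
    return snprintf(out, outsz, user, victim);
}

/* Hardened form: constant format, user data only ever as an argument. */
int echo_fixed(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Constructed attacker input: four padding bytes, then %n. */
static const char attacker_input[] = "AAAA%n";

/* Runs the vulnerable call: "AAAA" is printed, then %n stores the count (4)
 * through the pointer it finds. Returns the value of victim afterwards. */
int demo_vulnerable(void)
{
    char out[32];
    int victim = 0;
    echo_vulnerable(out, sizeof out, attacker_input, &victim);
    return victim;                                 /* 4: the write happened */
}

/* Same input through the fixed call: "%n" is copied as text, nothing is written. */
int demo_fixed(void)
{
    char out[32];
    int victim = 0;
    echo_fixed(out, sizeof out, attacker_input);
    return victim;                                 /* 0 */
}

/* 1 if the fixed call reproduced the input literally, 0 otherwise. */
int demo_fixed_is_literal(void)
{
    char out[32];
    echo_fixed(out, sizeof out, attacker_input);
    return strcmp(out, attacker_input) == 0;
}
```
\n\n\n\n<p>The no-argument form <code>printf(user)<\/code> from the snippet above is what <code>-Wformat-security<\/code> flags; the variant with arguments used here needs <code>-Wformat-nonliteral<\/code>, which is why a code review should look for any non-literal format regardless of compiler warnings.<\/p>\n\n\n\n<p>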
For example, <code>printf(\"Welcome, %s!\\n\", username)<\/code> is safe with arbitrary input, while <code>printf(username)<\/code> is not; filtering &#8220;%&#8221; characters out of the input is no substitute, because the bug is in how the string is used, not in its content. Compilers flag the no-argument form with <code>-Wformat-security<\/code>, and the read itself needs a width limit in <code>scanf()<\/code> (<code>%127s<\/code> for a 128-byte buffer) to avoid a plain stack buffer overflow.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 5 Memory<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>The <strong>alignment<\/strong> mechanism ensures that variables larger than one byte can be accessed by hardware through its corresponding halfword, word, and doubleword instructions.<\/p>\n<\/blockquote>\n\n\n\n<p>A simple memory system:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-1024x649.png\" alt=\"\" class=\"wp-image-2506\" width=\"643\" height=\"407\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-1024x649.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-300x190.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-768x487.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-1536x973.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-2048x1298.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-17.58.28-1568x994.png 1568w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">1. Locality Principle of Cache<\/h3>\n\n\n\n<ul>\n<li>Types<\/li>\n<\/ul>\n\n\n\n<p><strong>Temporal<\/strong> locality: This refers to the tendency of a program to access data or instructions that have been <strong>recently accessed<\/strong>. 
By keeping recently used data and instructions in cache memory, a system avoids the need to access main memory or storage again for them.<\/p>\n\n\n\n<p><strong>Spatial<\/strong> locality: This refers to the tendency of a program to access data or instructions that are located <strong>near each other in memory<\/strong>. Because the cache is filled in whole lines (typically 32 or 64 bytes), one miss brings the neighbouring bytes in as well, so the following nearby accesses hit.<\/p>\n\n\n\n<p>By taking advantage of temporal and spatial locality, cache memory systems can significantly improve the performance of a computer system by reducing the number of times the CPU has to access main memory or storage.<\/p>\n\n\n\n<ul>\n<li>Cache controller<\/li>\n<\/ul>\n\n\n\n<p>The cache controller is the hardware component that manages the operation of a cache memory system. It is responsible for managing the <strong>flow of data<\/strong> between the cache memory and main memory or storage, as well as controlling the allocation and replacement of data in the cache.<\/p>\n\n\n\n<p>The cache controller works in conjunction with the CPU and main memory to provide high-speed access to frequently used data and instructions. When the CPU needs to access a piece of data or an instruction, the cache is checked first. If the data or instruction is present in the cache (a hit), <strong>the cache controller retrieves it and provides it to the CPU<\/strong>. If it is not present (a miss), <strong>the cache controller retrieves it from the main memory or storage and stores it in the cache for future use<\/strong>. The difference in access time between a hit and a miss is exactly what the cache side-channel attacks later in this chapter measure.<\/p>\n\n\n\n<p>The cache controller also manages the <strong>allocation and replacement of data<\/strong> in the cache. When the cache is full and a new piece of data needs to be stored, the cache controller must decide which data to evict from the cache to make room for the new data. 
This is typically done using a cache replacement algorithm (e.g. least recently used, or a cheaper pseudo-random or round-robin policy on small embedded cores), which evicts the data judged least likely to be used in the near future.<\/p>\n\n\n\n<ul>\n<li>Pro&#8217;s and Con&#8217;s<\/li>\n<\/ul>\n\n\n\n<p>&#8211; Caches are an attack target<\/p>\n\n\n\n<p>Side-channel attacks on cache timing (see section 5 below); encryption of cache contents is difficult, because the cache has to deliver data to the core at full speed.<\/p>\n\n\n\n<p>&#8211; Caches cost chip area \u2192 chips become more expensive<\/p>\n\n\n\n<p>+ Power consumption can be reduced through caches, since an access to on-chip SRAM is much cheaper than a transaction to external memory<\/p>\n\n\n\n<p>+ Performance is increased<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Memory Access Types &amp; Memory Types in Cortex-M<\/h3>\n\n\n\n<p>Here are some examples of memory access types in the ARM Cortex-M architecture:<\/p>\n\n\n\n<ul>\n<li>Code memory access <\/li>\n<\/ul>\n\n\n\n<p>This type of access is used to read instructions from code memory, which is typically stored in read-only memory (ROM) or flash memory. Code memory access is performed by the instruction fetch stage of the pipeline to obtain the next instruction to be executed by the CPU; on many Cortex-M devices it uses a separate bus (I-Code) from data accesses.<\/p>\n\n\n\n<ul>\n<li>Data memory access<\/li>\n<\/ul>\n\n\n\n<p>This type of access is used to read from or write to data memory, which is typically stored in random-access memory (RAM). Data memory access is used to access variables, data structures, and other types of data that are used by the program.<\/p>\n\n\n\n<ul>\n<li>Peripheral memory access<\/li>\n<\/ul>\n\n\n\n<p>This type of access is used to reach memory-mapped hardware peripherals, such as serial ports, timers, or analog-to-digital converters, through ordinary load and store instructions to their register addresses (the peripheral region of the Cortex-M memory map starts at <code>0x40000000<\/code>). A DMA controller can additionally move data between peripherals and memory without involving the CPU; such transfers are not subject to the CPU-side checks described under the MPU below.<\/p>\n\n\n\n<ul>\n<li>Special function register (SFR) access<\/li>\n<\/ul>\n\n\n\n<p>This type of access is used to reach the special-purpose registers that control the operation of the Cortex-M core itself, located in the System Control Space (NVIC, SysTick, SCB and MPU registers around <code>0xE000E000<\/code>). 
SFR access is typically used to configure the core&#8217;s operation (for example enabling an interrupt or programming an MPU region) or to access status information, and is normally allowed only to privileged code.<\/p>\n\n\n\n<p>ARMv7-M defines three memory types: Normal, Device and Strongly-ordered. eXecute Never (XN) is not a fourth type but an additional attribute that can be set on a region of any type.<\/p>\n\n\n\n<ul>\n<li>Normal (Code and Data Sections)<\/li>\n<\/ul>\n\n\n\n<p>The processor can re-order transactions for efficiency or perform speculative reads.<\/p>\n\n\n\n<ul>\n<li>Device (Peripherals)<\/li>\n<\/ul>\n\n\n\n<p>The processor <strong>preserves<\/strong> transaction order relative to other transactions to Device or Strongly-ordered memory, and performs no speculative reads, since reading a peripheral register can have side effects (e.g. clearing a status flag).<\/p>\n\n\n\n<ul>\n<li>Strongly-ordered (System Control Space)<\/li>\n<\/ul>\n\n\n\n<p>The processor preserves transaction order relative to <strong>all<\/strong> other explicit memory accesses.<\/p>\n\n\n\n<ul>\n<li>XN (attribute; set by default on the peripheral and system regions)<\/li>\n<\/ul>\n\n\n\n<p>The processor prevents instruction fetches from the region. A MemManage <strong>fault<\/strong> exception is generated on the attempt to execute an instruction from an XN region; data accesses are not affected. Marking RAM and peripheral regions XN is the Cortex-M form of the NX countermeasure from the previous chapter.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Memory Protection Unit (MPU)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Task of MPU<\/h4>\n\n\n\n<p>A memory protection unit (MPU) is a hardware component that is used to control access to memory in a computer system. The MPU is responsible for enforcing memory protection policies, which specify which memory regions can be accessed by which processes or tasks. <\/p>\n\n\n\n<p>The MPU is located within the CPU and can only check memory accesses <strong>performed by the CPU<\/strong>. It does not protect against actions by DMA-capable peripherals: a DMA controller that untrusted code is allowed to program can read or write memory that the MPU would forbid to that code. That is why you should be careful in granting untrusted code access to peripherals.<\/p>\n\n\n\n<p>The MPU works by dividing the memory of a system into a series of memory regions, each with its own set of access permissions. When a process or task attempts to access a memory location, the MPU checks the access permissions for the region that the memory location belongs to and determines whether the access is allowed. 
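<\/p>\n\n\n\n<p>As an added example (my code, not from the notes or from any vendor library), here is the region setup that this section goes on to describe, the per-task layout under (2) Usage of MPU and the DSB\/ISB sequence under How to program the MPU safely, written against the ARMv7-M MPU registers. The region addresses and sizes are made up; on a non-ARM host the register writes go to a small model of the register bank, so the encoding and the sequence can be checked off-target.<\/p>\n\n\n\n
```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the notes or from any vendor library.
 * ARMv7-M MPU registers at 0xE000ED90 (TYPE, CTRL, RNR, RBAR, RASR) and the
 * bit fields used below, as documented in the ARMv7-M Architecture Reference
 * Manual. The region addresses further down are made up for illustration. */
#define MPU_BASE            0xE000ED90u
enum { MPU_TYPE, MPU_CTRL, MPU_RNR, MPU_RBAR, MPU_RASR };
#define MPU_CTRL_ENABLE     (1u << 0)
#define MPU_CTRL_PRIVDEFENA (1u << 2)   /* privileged code keeps the default map as background */
#define MPU_RBAR_VALID      (1u << 4)   /* an RBAR write also selects the region number */
#define MPU_RASR_ENABLE     (1u << 0)
#define MPU_RASR_XN         (1u << 28)  /* eXecute Never */

/* AP field (bits 26:24): privileged / unprivileged permissions. */
enum mpu_ap { AP_NONE = 0, AP_PRIV_RW = 1, AP_PRIV_RW_UNPRIV_RO = 2,
              AP_FULL_RW = 3, AP_PRIV_RO = 5, AP_RO = 6 };

/* TEX (21:19), S (18), C (17), B (16) encodings for the memory types above. */
#define ATTR_NORMAL_WT        (1u << 17)                             /* C=1 B=0 */
#define ATTR_NORMAL_WB_WA     ((1u << 19) | (1u << 17) | (1u << 16)) /* TEX=1 C=1 B=1 */
#define ATTR_DEVICE_SHARED    (1u << 16)                             /* C=0 B=1 */
#define ATTR_STRONGLY_ORDERED 0u                                     /* C=0 B=0 */

struct mpu_region { uint32_t rbar, rasr; };

/* Encodes one region. Rejects what the hardware would silently mis-program:
 * sizes that are not a power of two (minimum 32 B) and a base that is not
 * aligned to the size (RBAR simply drops the low address bits). */
bool mpu_encode_region(unsigned index, uint32_t base, uint32_t size,
                       enum mpu_ap ap, uint32_t attr, bool exec,
                       struct mpu_region *out)
{
    if (index > 15u || size < 32u || (size & (size - 1u)) != 0u) return false;
    if ((base & (size - 1u)) != 0u) return false;
    if (out == NULL) return true;
    unsigned lg = 0;
    while ((1u << lg) < size) lg++;                  /* SIZE field = log2(size) - 1 */
    out->rbar = base | MPU_RBAR_VALID | index;
    out->rasr = ((uint32_t)ap << 24) | attr | ((uint32_t)(lg - 1u) << 1) | MPU_RASR_ENABLE;
    if (!exec) out->rasr |= MPU_RASR_XN;
    return true;
}

/* Register access: the real MPU on a Cortex-M build, otherwise a model of the
 * RNR/RBAR/RASR register bank so the sequence can be exercised on a host. */
#if defined(__arm__) && defined(__thumb__)
static void mpu_write(unsigned reg, uint32_t v) { ((volatile uint32_t *)MPU_BASE)[reg] = v; }
static uint32_t mpu_read(unsigned reg) { return ((volatile uint32_t *)MPU_BASE)[reg]; }
#define DSB() __asm volatile("dsb" ::: "memory")
#define ISB() __asm volatile("isb" ::: "memory")
#else
static uint32_t sim_ctrl, sim_rnr, sim_rbar[16], sim_rasr[16];
static void mpu_write(unsigned reg, uint32_t v)
{
    switch (reg) {
    case MPU_CTRL: sim_ctrl = v; break;
    case MPU_RNR:  sim_rnr = v & 0xFu; break;
    case MPU_RBAR: if (v & MPU_RBAR_VALID) sim_rnr = v & 0xFu;
                   sim_rbar[sim_rnr] = v & ~(MPU_RBAR_VALID | 0xFu); break;
    case MPU_RASR: sim_rasr[sim_rnr] = v; break;
    default: break;
    }
}
static uint32_t mpu_read(unsigned reg)
{
    switch (reg) {
    case MPU_CTRL: return sim_ctrl;
    case MPU_RNR:  return sim_rnr;
    case MPU_RBAR: return sim_rbar[sim_rnr] | sim_rnr;
    case MPU_RASR: return sim_rasr[sim_rnr];
    default:       return 0u;
    }
}
#define DSB() ((void)0)
#define ISB() ((void)0)
#endif

/* The safe reprogramming sequence: drain outstanding accesses, disable, write
 * the regions, enable, then barrier again so the very next access and
 * instruction fetch already run under the new permissions. */
void mpu_apply(const struct mpu_region *r, unsigned n)
{
    DSB(); ISB();
    mpu_write(MPU_CTRL, 0u);
    for (unsigned i = 0; i < n; i++) {
        mpu_write(MPU_RBAR, r[i].rbar);   /* VALID bit carries the region number */
        mpu_write(MPU_RASR, r[i].rasr);
    }
    mpu_write(MPU_CTRL, MPU_CTRL_ENABLE | MPU_CTRL_PRIVDEFENA);
    DSB(); ISB();
}

uint32_t mpu_ctrl(void) { return mpu_read(MPU_CTRL); }
uint32_t mpu_region_rasr(unsigned index) { mpu_write(MPU_RNR, index); return mpu_read(MPU_RASR); }

/* The per-task layout from the notes at assumed addresses: flash text+rodata
 * (read + execute), SRAM data+bss and the task stack (read/write, XN), and
 * one peripheral block (Device memory, XN). Fills task_regions, returns count. */
struct mpu_region task_regions[4];
unsigned build_task_layout(void)
{
    bool ok = true;
    ok &= mpu_encode_region(0, 0x08000000u, 64u * 1024u, AP_RO,      ATTR_NORMAL_WT,     true,  &task_regions[0]);
    ok &= mpu_encode_region(1, 0x20000000u, 8u * 1024u,  AP_FULL_RW, ATTR_NORMAL_WB_WA,  false, &task_regions[1]);
    ok &= mpu_encode_region(2, 0x20004000u, 2u * 1024u,  AP_FULL_RW, ATTR_NORMAL_WB_WA,  false, &task_regions[2]);
    ok &= mpu_encode_region(3, 0x40020000u, 1024u,       AP_FULL_RW, ATTR_DEVICE_SHARED, false, &task_regions[3]);
    return ok ? 4u : 0u;
}
```
\n\n\n\n<p>The encoder refuses a base that is not aligned to the region size: the hardware would not refuse it, it would just ignore the low address bits, and the region would silently cover the wrong memory. The trailing DSB\/ISB after enabling mirrors what ARM&#8217;s CMSIS <code>ARM_MPU_Enable()<\/code> does.<\/p>\n\n\n\n<p>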
If access is not allowed, the MPU generates an exception or fault, which can be handled by the operating system or other software to prevent unauthorized access from occurring.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-1024x552.png\" alt=\"\" class=\"wp-image-2508\" width=\"626\" height=\"337\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-1024x552.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-300x162.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-768x414.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-1536x828.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-2048x1103.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.24.29-1568x845.png 1568w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>Memory Properties<\/li>\n<\/ul>\n\n\n\n<p>&#8220;Sharable,&#8221; &#8220;cacheable,&#8221; and &#8220;bufferable&#8221; are terms that are used to describe the behavior of memory in a computer system. These terms are often used in the context of <strong>memory-mapped hardware devices<\/strong>, such as peripherals or I\/O controllers, and can affect the performance and efficiency of the memory system.<\/p>\n\n\n\n<p><strong>Sharable<\/strong>: Memory that is marked as &#8220;sharable&#8221; can be <strong>accessed<\/strong> by multiple devices or processes at the same time. 
The flag matters when more than one bus master (another core, or a DMA controller) can reach the same memory: it tells the cache that the data may change behind its back, so coherency has to be maintained rather than treating the line as private to this core.<\/p>\n\n\n\n<p><strong>Cacheable<\/strong>: Memory that is marked as &#8220;cacheable&#8221; can be <strong>stored<\/strong> in the CPU <strong>cache<\/strong>, which is a high-speed memory system that is used to store frequently accessed data and instructions. Cacheable memory can improve the performance of the system by allowing the CPU to access data and instructions more quickly. Peripheral registers must not be cacheable, otherwise the CPU would read stale copies of status registers.<\/p>\n\n\n\n<p><strong>Bufferable<\/strong>: Memory that is marked as &#8220;bufferable&#8221; allows the processor to place a store in a <strong>write buffer<\/strong> and continue executing before the write has actually reached its destination. This speeds up stores, but a write may become visible to a peripheral or another master later than program order suggests, which is why a DSB is needed before an action that depends on the write having completed (for example after clearing an interrupt flag in a peripheral, before returning from the handler).<\/p>\n\n\n\n<ul>\n<li>Cache Properties<\/li>\n<\/ul>\n\n\n\n<p>&#8220;Write through&#8221; and &#8220;write back&#8221; are two different cache write policies that control <strong>how data is written to cache memory<\/strong> in a computer system. These policies can be used with or without the &#8220;allocate&#8221; feature, which determines <strong>whether data is allocated in the cache when it is written<\/strong>.<\/p>\n\n\n\n<p><strong>Write through<\/strong>: In a write through cache, data is written to <strong>both the cache and main memory<\/strong> <strong>when it is updated<\/strong>. This ensures that the data in main memory is always up-to-date, but it can also result in slower write performance because the data must be written to two different locations.<\/p>\n\n\n\n<p><strong>Write back<\/strong>: In a write back cache, data is<strong> only written to the cache<\/strong> <strong>when it is updated<\/strong>. The data is then marked as &#8220;<strong>dirty<\/strong>,&#8221; indicating that it has been <strong>modified in the cache<\/strong> and needs to be written to main memory. 
<strong>The data is only written to main memory when it is evicted from the cache or when the cache is flushed.<\/strong> This can improve write performance, but it also increases the risk of data loss if the system crashes before the dirty data is written to main memory, and a DMA engine reading main memory will not see the dirty data until the line has been cleaned.<\/p>\n\n\n\n<p><strong>With<\/strong> the &#8220;allocate&#8221; feature (write-allocate): data is automatically allocated in the cache when it is written. This means that a write miss first brings the line into the cache, <strong>regardless<\/strong> of whether it was present before.<\/p>\n\n\n\n<p><strong>Without<\/strong> the &#8220;allocate&#8221; feature (write-no-allocate): data is only written to the cache if the line is already present in the cache. If it is not present, the data is written directly to main memory and <strong>not cached<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Usage of MPU<\/h4>\n\n\n\n<p>A task in an OS normally needs the following memory sections: a <code>text<\/code> section for code, <code>data<\/code> and <code>bss<\/code> sections for data, and a stack.<\/p>\n\n\n\n<p>A possible MPU setup is:<\/p>\n\n\n\n<ul>\n<li>One background region for privileged mode (operating system) <\/li>\n\n\n\n<li>One region for <code>text<\/code> and <code>rodata<\/code> (read and execute only) <\/li>\n\n\n\n<li>One region for <code>data<\/code> and <code>bss<\/code> (r\/w, no execute) <\/li>\n\n\n\n<li>One region for the task&#8217;s stack (r\/w, no execute) <\/li>\n\n\n\n<li>One region for the peripherals accessible by this particular task<\/li>\n<\/ul>\n\n\n\n<p>With this layout a stack overflow in an unprivileged task runs into memory outside its regions and raises a MemManage fault instead of silently corrupting a neighbouring task, and injected code on the stack cannot be executed.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>How to change settings of MPU?<\/p>\n\n\n\n<p>The settings of a memory protection unit (MPU) can typically be changed using <strong>software<\/strong> commands or by modifying <strong>configuration registers<\/strong> in the MPU hardware; on Cortex-M this is done from privileged code through the memory-mapped registers <code>MPU_CTRL<\/code>, <code>MPU_RNR<\/code>, <code>MPU_RBAR<\/code> and <code>MPU_RASR<\/code>.<\/p>\n\n\n\n<p>Here are some general steps that might be used to change the settings of an MPU:<\/p>\n\n\n\n<ul>\n<li>Determine the MPU configuration<\/li>\n<\/ul>\n\n\n\n<p>The first step in 
changing the MPU settings is to determine the current configuration of the MPU, including the number of regions supported (readable from <code>MPU_TYPE<\/code>), the size and access permissions of each region, and any other relevant settings. This information can be obtained by reading the configuration registers or by using a software command to query the MPU.<\/p>\n\n\n\n<ul>\n<li>Modify the MPU configuration<\/li>\n<\/ul>\n\n\n\n<p>Once you have determined the current MPU configuration, you can modify the settings as needed by <strong>writing new values<\/strong> to the appropriate configuration registers or<strong> using software commands<\/strong> to change the settings.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>How to program the MPU safely?<\/p>\n\n\n\n<p>Before changing MPU settings all old data and instruction accesses have to be completed, otherwise an access already in flight could be checked against a half-updated region. This requires the following instructions:<\/p>\n\n\n\n<ul>\n<li>DSB<\/li>\n<\/ul>\n\n\n\n<p>The Data Synchronization Barrier instruction ensures that all outstanding <strong>memory transactions<\/strong> are complete before subsequent instructions execute.<\/p>\n\n\n\n<ul>\n<li>ISB<\/li>\n<\/ul>\n\n\n\n<p>The Instruction Synchronization Barrier flushes the processor pipeline, so that every instruction after it is fetched (and its permissions checked) only after the preceding context-changing operations have taken effect.<\/p>\n\n\n\n<p>Then the MPU should be disabled (clear the ENABLE bit in <code>MPU_CTRL<\/code>).<\/p>\n\n\n\n<p>Then the MPU region registers can be changed.<\/p>\n\n\n\n<p>Afterwards enable the MPU, and issue DSB and ISB once more so that the new settings are guaranteed to apply to the very next memory access and instruction fetch.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Memory Management <\/h3>\n\n\n\n<p>Addresses should be independent of the storage location.<\/p>\n\n\n\n<p>Each process should have its own address space.<\/p>\n\n\n\n<p>=&gt; Virtual Memory splits the physical memory into blocks (pages or segments) and assigns these to processes.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"652\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-1024x652.png\" alt=\"\" class=\"wp-image-2511\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-1024x652.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-300x191.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-768x489.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-1536x978.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-2048x1304.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.50.09-1568x998.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"662\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-1024x662.png\" alt=\"\" class=\"wp-image-2510\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-1024x662.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-300x194.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-768x497.png 768w, 
https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-1536x993.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-2048x1324.png 2048w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-27-18.49.56-1568x1014.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">(1) Memory Management Unit<\/h4>\n\n\n\n<p>Not all ARMv7 processors have an MMU! The ARMv7-M profile (Cortex-M) has at most an MPU; an MMU is found in the ARMv7-A profile (Cortex-A).<\/p>\n\n\n\n<p>A Memory Management Unit (MMU) is a hardware component that is responsible for mapping virtual addresses to physical addresses in a computer&#8217;s memory. The MMU performs a number of important tasks, including:<\/p>\n\n\n\n<ul>\n<li>Translating virtual addresses to physical addresses<\/li>\n<\/ul>\n\n\n\n<p>When a program accesses a memory location using a virtual address, the MMU translates this virtual address to a physical address, which is the actual location in memory where the data is stored.<\/p>\n\n\n\n<ul>\n<li>Implementing virtual memory<\/li>\n<\/ul>\n\n\n\n<p>The MMU is also the basis of virtual memory, which allows a computer to run programs that are larger than the amount of physical memory (RAM) available on the device. 
When a program accesses a memory location that is not currently in physical memory, the MMU raises a page fault and the operating system swaps the data in and out of physical memory as needed, using a portion of secondary storage (a hard disk or flash) as an &#8220;overflow&#8221; area for data that does not fit in physical memory.<\/p>\n\n\n\n<ul>\n<li>Additional bookkeeping with status bits<\/li>\n<\/ul>\n\n\n\n<p><em>resident<\/em>: page is in main memory<br><em>dirty<\/em>: has been modified, secondary memory (hard disk) is not yet updated<br><em>referenced<\/em>: this page has been (recently) accessed<\/p>\n\n\n\n<ul>\n<li>Handling memory management tasks<\/li>\n<\/ul>\n\n\n\n<p>The MMU enforces memory protection and isolation between different programs and processes through the permission bits of each page table entry (read, write, execute, user or kernel), while the operating system manages the allocation and deallocation of memory and writes the page tables.<\/p>\n\n\n\n<ul>\n<li>Handling memory-mapped I\/O<\/li>\n<\/ul>\n\n\n\n<p>The MMU can also be used to map I\/O devices into the memory space, allowing programs to access I\/O devices as if they were memory locations. This can simplify the process of accessing hardware devices and improve the performance of some types of I\/O operations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Virtual Memory System<\/h4>\n\n\n\n<p>A virtual memory system is a memory management technique that allows a computer to run programs that are larger than the amount of physical memory (RAM) available on the device. It does this by temporarily transferring data from RAM to a portion of the hard drive known as the &#8220;swap space&#8221; or &#8220;paging file.&#8221;<\/p>\n\n\n\n<p>In a virtual memory system, the computer&#8217;s memory is divided into equal-sized blocks called &#8220;pages.&#8221; The operating system maintains a list of which pages are currently in <strong>physical memory<\/strong> and which are stored on the <strong>hard drive<\/strong>. 
When a program accesses a memory location that is not currently in physical memory <strong>(page fault)<\/strong>, the MMU raises an exception and the operating system&#8217;s page fault handler loads the required page into physical memory from the hard drive, then updates the page table so the MMU can translate the address. If the page frame being reused holds a clean (unmodified) page, it is simply overwritten; if that page is dirty, it is written back to the hard disk first. This process is known as &#8220;<strong>paging<\/strong>.&#8221; (most common replacement strategy: <strong>L<\/strong>east <strong>R<\/strong>ecently <strong>U<\/strong>sed, or an approximation of it based on the referenced bit)<\/p>\n\n\n\n<p>Virtual memory allows a computer to run multiple programs <strong>concurrently<\/strong> and perform more complex tasks than possible with a limited amount of physical memory. However, it can also have a negative impact on performance, as accessing data from the hard drive is slower than accessing data from RAM.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06-1024x616.png\" alt=\"\" class=\"wp-image-2517\" width=\"652\" height=\"391\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06-1024x616.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06-300x181.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06-768x462.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06-1536x924.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-10.56.06.png 1587w\" sizes=\"(max-width: 652px) 100vw, 652px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>Page Table<\/li>\n<\/ul>\n\n\n\n<p>A page table is a data structure used in a virtual memory system to map virtual addresses to physical addresses in a computer&#8217;s memory. 
It is typically implemented as a multi-level data structure that allows the operating system to quickly locate the physical memory address <strong>corresponding to<\/strong> a given virtual address.<\/p>\n\n\n\n<p>The page table is typically maintained by the operating system and is used by the MMU (Memory Management Unit) to perform the address translation. It is typically stored in the main memory and is <strong>accessed by the MMU<\/strong> whenever a program accesses a memory location.<\/p>\n\n\n\n<ul>\n<li>Page Base Pointer<\/li>\n<\/ul>\n\n\n\n<p>The page base pointer is a hardware register that is used in some computer architectures to store the address of the beginning of the page table. This allows the MMU (Memory Management Unit) to quickly <strong>access the page table<\/strong> when it needs to perform an address translation.<\/p>\n\n\n\n<p>The MMU uses the page base pointer to locate the page tables stage by stage and then uses the information in the last table to find the physical address corresponding to the virtual address being accessed by the program.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Size of Page Tables<\/h4>\n\n\n\n<ul>\n<li>Large Page<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.22.00-1024x343.png\" alt=\"\" class=\"wp-image-2520\" width=\"586\" height=\"196\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.22.00-1024x343.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.22.00-300x100.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.22.00-768x257.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.22.00.png 1497w\" sizes=\"(max-width: 586px) 100vw, 586px\" 
\/><\/figure><\/div>\n\n\n<p><strong>Pro&#8217;s:<\/strong><\/p>\n\n\n\n<p>Fewer page faults: Large pages have more data per page.<\/p>\n\n\n\n<p>Reduced overhead: Large pages require fewer page table entries and less space in the page table, which can reduce the overhead associated with maintaining the page table and improve the overall efficiency of the virtual memory system.<\/p>\n\n\n\n<p><strong>Con&#8217;s:<\/strong><\/p>\n\n\n\n<p>Wasted space: Large pages can result in more wasted space when the program only uses a small portion of the memory covered by the page. This can lead to lower overall memory utilization and increase the amount of swap space needed on the hard drive.<\/p>\n\n\n\n<p>Fragmentation: Large pages can be more prone to fragmentation, as they may be more difficult to allocate in a way that maximizes memory utilization.<\/p>\n\n\n\n<ul>\n<li>Small Page<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-1024x292.png\" alt=\"\" class=\"wp-image-2518\" width=\"653\" height=\"185\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-1024x292.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-300x86.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-768x219.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-1536x438.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29-1568x447.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-11.00.29.png 1648w\" sizes=\"(max-width: 653px) 100vw, 653px\" \/><\/figure><\/div>\n\n\n<p><strong>Pro&#8217;s:<\/strong><\/p>\n\n\n\n<p>Faster paging: 
Small pages hold less data per page, so each page transfer between disk and memory is shorter.<\/p>\n\n\n\n<p>Improved memory utilization &amp; Reduced fragmentation: Small pages can result in less wasted space and better memory utilization, as the pages can be allocated more precisely to fit the needs of the program.<\/p>\n\n\n\n<p><strong>Con&#8217;s:<\/strong><\/p>\n\n\n\n<p>Increased overhead: Small pages require more page table entries and more space in the page table, which can increase the overhead associated with maintaining the page table and reduce the overall efficiency of the virtual memory system.<\/p>\n\n\n\n<p>Reduced performance: Small pages mean more page table entries and more TLB misses for a given amount of memory, which can reduce the performance of programs that access a large, contiguous block of memory.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(4) Translation Lookaside Buffer<\/h4>\n\n\n\n<p>The translation lookaside buffer (TLB) is a type of cache located on the CPU or close to it that is used to speed up the translation of virtual memory addresses to physical addresses in a computer&#8217;s main memory.<\/p>\n\n\n\n<p>The TLB stores the most recently used virtual-to-physical address translations, so that the CPU can find the physical address for a virtual address without walking the page table. When a program needs to access a memory location, the TLB is checked first. If the translation is there (a TLB hit), the physical address is taken from the TLB and used directly. If not (a TLB miss), the translation is performed by walking the page table, which costs one memory access per level, and the result is inserted into the TLB.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Cache Side Channel Attack: Flush&amp;Reaccess (Flush+Reload)<\/h3>\n\n\n\n<p>Cache side channel attacks work by observing which cache lines a victim has touched, via the difference in access time between a cache hit and a miss, to infer information about the data being processed by the system. 
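<\/p>\n\n\n\n<p>As an added example (not from the notes), the C code below models Flush+Reload with a tiny software cache, so the steps can be followed without cycle counters: flush the shared probe lines, let the victim make a secret-dependent access, reload every line and see which one hits. The same probe array with a 4096-byte stride is the reload step of the Meltdown attack in the next section. The 64-byte line, the 4 KiB page stride and the fully associative cache model are assumptions, and <code>secret<\/code> is handed to the victim only as a modelling convenience.<\/p>\n\n\n\n
```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the original notes. A deliberately simple software
 * cache model: "was this line already cached?" stands in for the access-time
 * measurement of a real Flush+Reload. The 64-byte line, 4 KiB page stride and
 * the fully associative cache are modelling assumptions. */
#define LINE_SIZE 64u
#define PAGE_SIZE 4096u
#define MAX_LINES 4096u

static uintptr_t cached_lines[MAX_LINES];
static unsigned  n_cached;

static uintptr_t line_of(const void *p) { return (uintptr_t)p / LINE_SIZE; }

/* Loads one byte; returns true if its line was already cached (a fast access). */
static bool cache_access(const void *p, uint8_t *value)
{
    uintptr_t l = line_of(p);
    *value = *(const uint8_t *)p;
    for (unsigned i = 0; i < n_cached; i++)
        if (cached_lines[i] == l) return true;               /* hit */
    if (n_cached < MAX_LINES) cached_lines[n_cached++] = l;  /* miss: line fill */
    return false;
}

/* Equivalent of x86 clflush / ARM DC CIVAC: evict the line holding p. */
static void cache_flush(const void *p)
{
    uintptr_t l = line_of(p);
    for (unsigned i = 0; i < n_cached; i++)
        if (cached_lines[i] == l) { cached_lines[i] = cached_lines[--n_cached]; return; }
}

/* Probe array shared between victim and attacker: one page per byte value,
 * like probe_array[4096 * data] in the Meltdown figure, so that adjacent-line
 * prefetching cannot bring in a neighbour and blur the signal. */
static uint8_t probe_array[256 * PAGE_SIZE];

/* Victim: a secret-dependent memory access, e.g. a table lookup indexed by a
 * key byte, or the transient access to probe_array[4096 * data] in Meltdown. */
void victim(uint8_t secret)
{
    uint8_t sink;
    cache_access(&probe_array[(size_t)secret * PAGE_SIZE], &sink);
}

/* Victim with a secret-independent cache footprint: touches every line, so
 * the attacker sees 256 hits and learns nothing. */
void victim_constant_footprint(uint8_t secret)
{
    uint8_t sink;
    for (unsigned v = 0; v < 256; v++)
        cache_access(&probe_array[v * PAGE_SIZE], &sink);
    (void)secret;
}

/* Attacker: Flush every probe line, let the victim run, Reload each line and
 * keep the one that hits. Handing 'secret' to the victim is only a modelling
 * convenience; the attacker never reads it. Returns the recovered byte, or
 * -1 when the footprint is ambiguous (no hit or more than one hit). */
int flush_reload_recover(void (*run_victim)(uint8_t), uint8_t secret)
{
    for (unsigned v = 0; v < 256; v++) cache_flush(&probe_array[v * PAGE_SIZE]);
    run_victim(secret);
    int found = -1;
    unsigned hits = 0;
    for (unsigned v = 0; v < 256; v++) {
        uint8_t dummy;
        if (cache_access(&probe_array[v * PAGE_SIZE], &dummy)) { found = (int)v; hits++; }
    }
    return hits == 1 ? found : -1;
}
```
\n\n\n\n<p>On real hardware the hit\/miss decision is a threshold on a cycle counter (<code>rdtsc<\/code> on x86, the cycle counter on ARM) and the flush is <code>clflush<\/code> or a cache-maintenance instruction, but the information flow is the same: the victim&#8217;s secret selects which line is filled, and the attacker reads that choice back from the cache state.<\/p>\n\n\n\n<p>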
For example, in Flush+Reload the attacker first flushes a line of memory shared with the victim (for instance a page of a shared library) out of the cache, lets the victim run, and then reloads the same line while timing the access: a fast reload means the victim brought the line back, i.e. it used that code or data. Repeating this for several lines reveals the victim&#8217;s access pattern, which for a table-driven cipher or a key-dependent branch leaks the key. Power consumption is a different, physical side channel and is not part of the cache attack.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"450\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-1024x450.png\" alt=\"\" class=\"wp-image-2521\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-1024x450.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-300x132.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-768x338.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-1536x675.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05-1568x690.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.40.05.png 1585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"364\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.45.38-1024x364.png\" alt=\"\" class=\"wp-image-2524\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.45.38-1024x364.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.45.38-300x107.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.45.38-768x273.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.45.38.png 
1481w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">6. Meltdown Attack<\/h3>\n\n\n\n<p>Meltdown exploits <strong>out-of-order execution<\/strong> on affected processors. For performance, the operating system kernel is mapped into the address space of every process (<strong>kernel memory sharing<\/strong>), so that system calls and interrupts do not require a switch of page tables; its pages are marked supervisor-only, so that a load from a kernel address in user mode raises a fault. On vulnerable CPUs the permission check is applied late: the load is executed transiently and instructions that depend on the loaded value can run before the fault is delivered. The architectural state of those instructions is rolled back, but the side effects they left in the cache are not, and this lets an attacker read sensitive data, such as passwords or cryptographic keys, from kernel memory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.41.45-1024x328.png\" alt=\"\" class=\"wp-image-2523\" width=\"637\" height=\"203\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.41.45-1024x328.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.41.45-300x96.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.41.45-768x246.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.41.45.png 1388w\" sizes=\"(max-width: 637px) 100vw, 637px\" \/><\/figure><\/div>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"552\" src=\"http:\/\/iizz.ddns.net:9595\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.51.24-1024x552.png\" alt=\"\" class=\"wp-image-2525\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.51.24-1024x552.png 1024w, 
https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.51.24-300x162.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.51.24-768x414.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2022\/12\/\u622a\u5c4f2022-12-30-17.51.24.png 1529w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The address of <code>probe_array<\/code> is translated into the same physical address of the kernel array that we want to access. <code>4096B<\/code> is the size of a cache line.<\/figcaption><\/figure>\n\n\n\n<ul>\n<li>Attacker trains the prefetcher with a dedicated program, e.g. a loop <\/li>\n\n\n\n<li>Attack program suddenly<\/li>\n<\/ul>\n\n\n\n<p>accesses a byte at a memory address in kernel space \u2192 CPU prefetcher fetches the data stored at this address in kernel space into cache.<\/p>\n\n\n\n<p>accesses an array with this byte value (<code>4096*data<\/code>) as the index. With different values of <code>data<\/code>, we control different lines of cache.<\/p>\n\n\n\n<ul>\n<li> Then CPU detects that speculation of prefetcher was wrong, and reverts most actions, but Cache data are not deleted <\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Now, the attacker accesses the <strong>complete array<\/strong> and measures access time <\/li>\n<\/ul>\n\n\n\n<ul>\n<li>The access with the shortest access time corresponds to the read byte value (at location <code>4096*data + probe_array<\/code>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 6 Security &amp; Crypto Overview<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Goals<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Data Integrity<\/h4>\n\n\n\n<ul>\n<li>Protection from <strong>non-authorized<\/strong> and <strong>un-noticed modification<\/strong> of data<\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Rules for allowed\/not allowed modification of data.<\/li>\n<\/ul>\n\n\n\n<p><strong>Who<\/strong> can do <strong>what<\/strong> under <strong>which<\/strong> <strong>conditions<\/strong> with <strong>which<\/strong> <strong>object<\/strong><\/p>\n\n\n\n<ul>\n<li>Granting access and control: e.g. r, w, x<\/li>\n\n\n\n<li><strong>Isolation<\/strong>: User domain, Sandboxes, Virtual Machines<\/li>\n\n\n\n<li><strong>Manipulation<\/strong> <strong>detection<\/strong>: checksums, dig. watermarks<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Message Integrity<\/h4>\n\n\n\n<ul>\n<li>Protection from <strong>non-authorized<\/strong> and <strong>un-noticed modification<\/strong> of message<\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Isolation: separate channels<\/li>\n\n\n\n<li>Manipulation detection: checksums, dig. watermarks<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Confidentiality<\/h4>\n\n\n\n<ul>\n<li>Protection from non-authorized information retrieval<\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Rules for allowed\/not allowed information flow. <\/li>\n<\/ul>\n\n\n\n<p><strong>Who<\/strong> can have access to <strong>which<\/strong> <strong>information<\/strong><\/p>\n\n\n\n<ul>\n<li><strong>Encryption<\/strong> of data<\/li>\n\n\n\n<li><strong>Information<\/strong> <strong>Flow<\/strong> <strong>Control <\/strong>through Classification of Objects and Subject<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Availability<\/h4>\n\n\n\n<ul>\n<li>Protection from non-authorized interference with the usability or correct function of a system<\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Determination of <strong>thresholds<\/strong>, e.g. 
avoid <strong>overloading<\/strong><\/li>\n\n\n\n<li>Obligations for recording and controlling. <\/li>\n<\/ul>\n\n\n\n<p><strong>which<\/strong> access to <strong>which<\/strong> <strong>objects<\/strong> is granted <strong>when<\/strong>, and how many resources are allocated (e.g. memory)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(4) Authenticity<\/h4>\n\n\n\n<ul>\n<li>Proof of the identity of an object\/subject<\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Rules for unique identification of subjects and objects<\/li>\n<\/ul>\n\n\n\n<p>passwords, keys, biometrics, smartcards<\/p>\n\n\n\n<ul>\n<li>Methods for proving the correctness of identities<\/li>\n<\/ul>\n\n\n\n<p>Certificates, Credentials, Tokens.<\/p>\n\n\n\n<p>Challenge\/Response Protocols.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(5) Accountability<\/h4>\n\n\n\n<ul>\n<li><strong>Non-repudiation<\/strong>. Protection against a subject denying that it carried out an activity it actually performed. <\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Each action is bound to the subject performing it: Signature<\/li>\n\n\n\n<li>Each action and the corresponding time is<strong> recorded into log files<\/strong><\/li>\n\n\n\n<li>Perform <strong>auditing<\/strong><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(6) Privacy<\/h4>\n\n\n\n<ul>\n<li>Protection of personal data and any data regarding the<br>private sphere to ensure the right of self-<strong>determination<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Measures:<\/p>\n\n\n\n<ul>\n<li>Rules for avoidance or <strong>minimization<\/strong> of recorded data<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Define the <strong>purpose<\/strong> of use<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Data <strong>aggregation<\/strong>: k-Anonymity Methods<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Pseudonyms<\/strong>: the identity is known to a Trusted Third Party only<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><strong>Non-Traceability<\/strong>: variable Pseudonyms<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">2. Comparison<\/h3>\n\n\n\n<ul>\n<li>symmetric encryption &amp; MAC<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"934\" height=\"312\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.47.27.png\" alt=\"\" class=\"wp-image-2759\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.47.27.png 934w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.47.27-300x100.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.47.27-768x257.png 768w\" sizes=\"(max-width: 934px) 100vw, 934px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>asymmetric encryption &amp; digital signatures<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.50.30.png\" alt=\"\" class=\"wp-image-2761\" width=\"446\" height=\"173\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.50.30.png 823w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.50.30-300x117.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.50.30-768x300.png 768w\" sizes=\"(max-width: 446px) 100vw, 446px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">3. 
Common Ciphers<\/h3>\n\n\n\n<ul>\n<li>Symmetric Block Ciphers: AES, DES, MAC<\/li>\n\n\n\n<li>Asymmetric Cryptography: RSA, Signature(DSA)<\/li>\n\n\n\n<li>Hash Functions: SHA2, SHA256, SHA512<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 7 Memory Protection &amp; Encrypted SW Updates<\/h2>\n\n\n\n<p>Memory encryption is the process of encrypting data that is stored in a computer&#8217;s internal and external memory. This is done to protect the data from being accessed by unauthorized parties.<\/p>\n\n\n\n<p>Memory encryption is typically implemented at the <strong>hardware<\/strong> level, using specialized <strong>chips<\/strong> or circuits that are built into the computer&#8217;s <strong>memory<\/strong> module. These chips or circuits are responsible for encrypting and decrypting the data as it is being written to and read from the memory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Encryption of Internal Memory(RAM)<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"582\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-1024x582.png\" alt=\"\" class=\"wp-image-2605\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-1024x582.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-300x171.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-768x437.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-1536x873.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31-1568x891.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.23.31.png 1826w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h3 
class=\"wp-block-heading\">2. Encryption of External Memory<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"573\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-1024x573.png\" alt=\"\" class=\"wp-image-2608\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-1024x573.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-300x168.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-768x430.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-1536x860.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34-1568x878.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.27.34.png 1894w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>First, DMA transfers the external data into the Crypto module, where the data is decrypted. The key is stored in non-volatile memory or obtained from a physical unclonable function (PUF).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Encryption Basics<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) ECB (electronic code book)<\/h4>\n\n\n\n<p>In ECB, all blocks are encrypted independently with the same key (like looking up a dictionary). Identical plaintext blocks result in identical ciphertext blocks, so data patterns in a long message are not hidden.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Tweakable Ciphers<\/h4>\n\n\n\n<p>Tweakable ciphers are cryptographic algorithms that allow the user to specify a &#8220;tweak&#8221; value that can be used to modify the encryption or decryption process. 
The tweak value is typically a small piece of <strong>additional input<\/strong>, such as a sequence of bits or a short string, that is<strong> combined <\/strong>with the <strong>plaintext<\/strong> or <strong>key<\/strong> to produce a modified version of the algorithm.<\/p>\n\n\n\n<p>For example, to encrypt a Salary, we use the employee&#8217;s Name as the tweak: <\/p>\n\n\n\n<p><code>Encrypt(Name XOR Salary) XOR Name<\/code><\/p>\n\n\n\n<p>In this way, we solve the ECB problem that the same Salary results in the same ciphertext. But there is still a weakness: an attacker can see whether a Salary has changed.<\/p>\n\n\n\n<p>Here are some specific examples of tweakable ciphers where the memory is split into sectors (there may be many blocks in one sector), so that the same data in different sectors results in different ciphertext.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">&lt;1&gt; ESSIV (encrypted salt-sector initialization vector)<\/h5>\n\n\n\n<ul>\n<li>Master key is <strong>hashed<\/strong>.<\/li>\n\n\n\n<li>Sector number is <strong>encrypted<\/strong> with the hash value.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>But blocks are dependent on each other, which reduces the performance&#8230;<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">&lt;2&gt; XEX<\/h5>\n\n\n\n<ul>\n<li><code>E_k(i)<\/code> is derived from the sector number, so it is the same for all n blocks of a sector.<\/li>\n\n\n\n<li><code>\\alpha^j<\/code> makes <code>X_{i,j}<\/code> different for every block.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>BUT, it only works well when the size of each sector is a multiple of the block size&#8230;<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">&lt;3&gt; XTS (XEX-based)<\/h5>\n\n\n\n<p>XTS uses padding, which makes it work well even when the sector size is not a multiple of the block size.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"678\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-1024x678.png\" alt=\"\" 
class=\"wp-image-2613\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-1024x678.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-300x199.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-768x508.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-1536x1017.png 1536w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40-1568x1038.png 1568w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/01\/\u622a\u5c4f2023-01-09-18.52.40.png 1644w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul>\n<li>m &lt; len(block)<\/li>\n\n\n\n<li>We steal some ciphertext from the last block and pad it to plaintext of block n.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Consequences of external memory encryption<\/h4>\n\n\n\n<ul>\n<li>Latency for external bus accesses increases<\/li>\n<\/ul>\n\n\n\n<p>Data must be decrypted before usage.<\/p>\n\n\n\n<p>Whole blocks (typically 128 bit) must be read before decryption can start.<\/p>\n\n\n\n<p>If a single bit is changed in a block, the whole block must be encrypted and written back.<\/p>\n\n\n\n<ul>\n<li>More internal resources needed<\/li>\n<\/ul>\n\n\n\n<p>More RAM to buffer code (if SW en\/decryption is used, the complete software should be buffered).<\/p>\n\n\n\n<p>DMA helps to fetch external data.<\/p>\n\n\n\n<ul>\n<li>Power consumption is increased.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Encrypted Software Updates<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) CBC mode<\/h4>\n\n\n\n<ul>\n<li>Not enough integrity &amp; authentication&#8230;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(2) AES CBC-MAC<\/h4>\n\n\n\n<ul>\n<li>Two keys for two encryptions: one for the firmware &amp; one for the MAC<\/li>\n\n\n\n<li>BUT, encrypting twice is not efficient&#8230;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Authenticated Encryption: GCM<\/h4>\n\n\n\n<ul>\n<li>Integrity: any modification changes the tag<\/li>\n\n\n\n<li>Authenticity: only the key owner can generate the tag<\/li>\n\n\n\n<li>Confidentiality: encryption using AES-CTR<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 8 Side Channel Attacks<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.53.53-1024x610.png\" alt=\"\" class=\"wp-image-2764\" width=\"589\" height=\"351\" srcset=\"https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.53.53-1024x610.png 1024w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.53.53-300x179.png 300w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.53.53-768x457.png 768w, https:\/\/blog.mhrooz.xyz\/wp-content\/uploads\/2023\/02\/\u622a\u5c4f2023-02-12-22.53.53.png 1070w\" sizes=\"(max-width: 589px) 100vw, 589px\" \/><\/figure><\/div>\n\n\n<blockquote class=\"wp-block-quote\">\n<p>A fault attack is a type of security attack in which an attacker deliberately induces faults or errors in a system in order to compromise its security.<\/p>\n\n\n\n<p>Goals of fault attacks are:<\/p>\n\n\n\n<ul>\n<li>Bypass password checks (e.g. PIN)<\/li>\n\n\n\n<li>Overwriting values (e.g. counters or money values)<\/li>\n\n\n\n<li>Extraction of secrets (e.g. 
differential fault attacks on RSA or AES)<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>No Goal: Destroying the system!<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1. Types of Side Channel Attacks<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">(1) Timing<\/h4>\n\n\n\n<p>The attacker uses the differences in <strong>processing time<\/strong> to infer information about the system&#8217;s internal state or the key.<\/p>\n\n\n\n<p>For example, in AES:<\/p>\n\n\n\n<ul>\n<li>Timing attack through branches<\/li>\n<\/ul>\n\n\n\n<p>If-statements in xtime, loops depending on the key<\/p>\n\n\n\n<ul>\n<li>Timing attack through cached memory access<\/li>\n<\/ul>\n\n\n\n<p>SubBytes table lookups, T-tables<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(2) Power<\/h4>\n\n\n\n<ul>\n<li>Differential power analysis (mostly on symmetric ciphers)<\/li>\n<\/ul>\n\n\n\n<p>The attacker measures a system&#8217;s power consumption while it performs a set of operations, such as encryption or decryption, and <strong>compares<\/strong> the power consumption between two or more operations (<strong>correlation<\/strong>).<\/p>\n\n\n\n<p>For example, differential power analysis on AES.<\/p>\n\n\n\n<ul>\n<li>Simple power analysis (mostly on asymmetric ciphers)<\/li>\n<\/ul>\n\n\n\n<p>The attacker measures the power consumption of a system while it performs a <strong>single<\/strong> operation, such as encryption or decryption, and uses the power trace to infer information about the system&#8217;s internal state or the key.<\/p>\n\n\n\n<p>For example, simple power analysis on the <strong>Square and Multiply Algorithm<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">(3) Radiation<\/h4>\n\n\n\n<p>The signal level reveals whether registers are used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Caches and MMU based attacks<\/h3>\n\n\n\n<ul>\n<li>Time driven<\/li>\n<\/ul>\n\n\n\n<p>An attacker is able to measure the time over complete encryptions and builds a timing <strong>profile<\/strong> with a known key.<\/p>\n\n\n\n<ul>\n<li>Access driven<\/li>\n<\/ul>\n\n\n\n<p>Flush+Reload. If the reload time is short, the victim process has accessed the <strong>data<\/strong> in the meantime.<\/p>\n\n\n\n<ul>\n<li>Trace driven<\/li>\n<\/ul>\n\n\n\n<p>An attacker observes the timing behavior of a processor. Timing is different if <strong>cache hits or misses<\/strong> occur. An attacker can infer which <strong>locations<\/strong> are stored in the cache memory and which ones are not.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter 9 Trusted Computing<\/h2>\n\n\n\n<p>TPM and DICE are both based on asymmetric cryptography (RSA) together with certificates and a challenge\/response protocol.<\/p>\n\n\n\n<ul>\n<li>TPM<\/li>\n<\/ul>\n\n\n\n<p>a dedicated hardware security processor using <strong>HW<\/strong> <strong>separation<\/strong><\/p>\n\n\n\n<ul>\n<li>DICE<\/li>\n<\/ul>\n\n\n\n<p>a low-cost software approach using <strong>temporal<\/strong> <strong>separation<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. DICE<\/h3>\n\n\n\n<ul>\n<li>UDS (unique device secret)<\/li>\n\n\n\n<li>DICE Boot Code (root of trust)<\/li>\n\n\n\n<li>KDF (key derivation function)<\/li>\n\n\n\n<li>k0=CDI (compound device identifier)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Chapter 1 Microcontroller Basics 1. 
Components of an em<a class=\"more-link\" href=\"https:\/\/blog.mhrooz.xyz\/index.php\/2022\/12\/26\/embedded_system_and_security_xue_xi_bi_ji\/\">\u7ee7\u7eed\u9605\u8bfb<span class=\"screen-reader-text\">&#8220;Embedded System and Security \u5b66\u4e60\u7b14\u8bb0&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[49],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/posts\/2467"}],"collection":[{"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=2467"}],"version-history":[{"count":27,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/posts\/2467\/revisions"}],"predecessor-version":[{"id":2765,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/posts\/2467\/revisions\/2765"}],"wp:attachment":[{"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=2467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=2467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhrooz.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=2467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}