2 research outputs found
A Way Around UMIP and Descriptor-Table Exiting via TSX-based Side-Channel Attack
Nowadays, in operating systems, numerous protection mechanisms prevent or
limit the user-mode applications to access the kernel's internal information.
This is regularly carried out by software-based defenses such as Address Space
Layout Randomization (ASLR) and Kernel ASLR (KASLR). They play pronounced roles
when the security of sandboxed applications such as Web-browser are considered.
Armed with arbitrary write access in the kernel memory, if these protections
are bypassed, an attacker could find a suitable Where to Write in order to get
an elevation of privilege or maliciously execute codes in ring 0. In this
paper, we introduce a reliable method based on Transactional Synchronization
Extensions (TSX) side-channel attacks to reveal the address of the Global
Descriptor Table (GDT) and Interrupt Descriptor Table (IDT). We indicate that
by detecting these addresses, an attack could be executed to sidestep the
Intel's User-Mode Instruction Prevention (UMIP) and the Hypervisor-based
mitigation and, consequently, neutralized them. The introduced attack is
successfully performed after the most recent patches for Meltdown and Spectre.
Moreover, the implementation of the proposed attack on different platforms,
including the latest releases of Microsoft Windows, Linux, and, Mac OSX with
the latest generation of Intel processors, shows that the attack is
independent of the Operating System implementation. We demonstrate that a
combination of this method with call-gate mechanism (available in modern
processors) in a chain of attacks will eventually lead to a full system
compromise despite the limitations of a super-secure sandboxed environment in
the presence of Windows's proprietary Virtualization Based Security (VBS).
Finally, we suggest the software-based mitigation to avoid these attacks with
an acceptable cost
Unlucky Explorer: A Complete non-Overlapping Map Exploration
Nowadays, the field of Artificial Intelligence in Computer Games (AI in
Games) is going to be more alluring since computer games challenge many aspects
of AI with a wide range of problems, particularly general problems. One of
these kinds of problems is Exploration, which states that an unknown
environment must be explored by one or several agents. In this work, we have
first introduced the Maze Dash puzzle as an exploration problem where the agent
must find a Hamiltonian Path visiting all the cells. Then, we have investigated
to find suitable methods by a focus on Monte-Carlo Tree Search (MCTS) and SAT
to solve this puzzle quickly and accurately. An optimization has been applied
to the proposed MCTS algorithm to obtain a promising result. Also, since the
prefabricated test cases of this puzzle are not large enough to assay the
proposed method, we have proposed and employed a technique to generate solvable
test cases to evaluate the approaches. Eventually, the MCTS-based method has
been assessed by the auto-generated test cases and compared with our
implemented SAT approach that is considered a good rival. Our comparison
indicates that the MCTS-based approach is an up-and-coming method that could
cope with the test cases with small and medium sizes with faster run-time
compared to SAT. However, for certain discussed reasons, including the features
of the problem, tree search organization, and also the approach of MCTS in the
Simulation step, MCTS takes more time to execute in Large size scenarios.
Consequently, we have found the bottleneck for the MCTS-based method in
significant test cases that could be improved in two real-world problems