Microarchitectural Security Reading Group

In this reading group, we shall look into matters affecting the security of processors at architectural and microarchitectural levels. We shall look at how design decisions, optimizations and implementations have allowed attackers to leak information from such systems. At the same time, we shall look at how such attacks have been formally modelled, and defenses at various levels: architectural and theoretical.

We meet weekly on Thursday from 15:15 to 16:00 in BC 129.

Program

Date Paper Related Presenter
19/09 Introduction  
  1. Falsafi
26/09 Flush + Reload: a High Resolution, Low Noise, L3 Cache Side-Channel [17] [5], [9], [10], [13], [14], [21]
  1. Kurmus
03/10 Are Coherence Protocol States Vulnerable to Information Leakage? [16] [12], [18], [31], [40] Atri Bhattacharya
10/10 Jump over ASLR: Attacking branch predictors to bypass ASLR. [19] [22] Uros Tedic
17/10 An analysis of covert timing channels [33] [4], [26], [34] Dina Mahmoud
24/10 Meltdown: Reading Kernel Memory from User Space. [35] [2], [3], [24], [25], [29] Matteo Rizzo
31/10 Speculator: A Tool to Analyze Speculative Execution Attacks and Mitigations. [39] [27], [30] Andrea Manbretti
07/11 Spectre Attacks: Exploiting Speculative Execution. [36] [38] Atri Bhattacharya
14/11 Drammer: Deterministric Rowhammer Attacks on Mobile Platforms [41]   Ognjen Glamocanin
21/11 DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors. [20]   Dina Mahmoud
28/11 A Low Latency and Provably Non-Interfering Approach to Secure Networks-On-Chip [15]   Uros Tedic
05/12 CheckMate: Automated Synthesis of Hardware Exploits and Security Litmus Tests [8] [32] Mirjana Stojilovic
12/12 InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy [6] [23], [28] Atri Bhattacharya
? SMoTherSpectre: exploiting speculative execution through port contention [37] [7] TBD

References

[1]Ruskin, J. (n.d.). the Task of the Referee. The Works of John Ruskin, 217–229. https://doi.org/10.1017/CBO9780511696107.020
[2]Van Bulck, J., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., … Leuven, K. (2018). Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. Proceedings of the 27th USENIX Security Symposium, 991–1008.
[3]Weisse, O., Bulck, J. Van, Minkin, M., Genkin, D., Kasikci, B., Piessens, F., … Yarom, Y. (2018). Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. White Paper.
[4]Wang, Z., & Lee, R. B. (2006). Covert and side channels due to processor architecture. Proceedings - Annual Computer Security Applications Conference, ACSAC, 473–482. https://doi.org/10.1109/ACSAC.2006.20
[5]Osvik, D. A., Shamir, A., & Tromer, E. (2006). Cache attacks and counter-measures: The case of AES. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3960 LNCS, 1–20. https://doi.org/10.1007/11605805_1
[6]Yan, M., Choi, J., Skarlatos, D., Morrison, A., Fletcher, C. W., & Torrellas, J. (2018). InvisiSpec : Making Speculative Execution Invisible in the Cache Hierarchy. MICRO. https://doi.org/10.1109/MICRO.2018.00042
[7]Schwarz, M., Schwarzl, M., Lipp, M., & Gruss, D. (2018). NetSpectre : Read Arbitrary Memory over Network. (July).
[8]Trippel, C., Lustig, D., & Martonosi, M. (2018). CheckMate : Automated Synthesis of Hardware Exploits and Security Litmus Tests. MICRO 2018, 51th Annual IEEE/ACM International Symposium on Microarchitecture, 1–14. https://doi.org/10.1109/MICRO.2018.00081
[9]Green, M., Rodrigues-Lima, L., Zankl, A., Irazoqui, G., Heyszl, J., & Eisenbarth, T. (2017). AutoLock: Why Cache Attacks on ARM Are Harder Than You Think. Retrieved from http://arxiv.org/abs/1703.09763
[10]Yarom, Y., Genkin, D., & Heninger, N. (2017). CacheBleed: a timing attack on OpenSSL constant-time RSA. Journal of Cryptographic Engineering. https://doi.org/10.1007/s13389-017-0152-y
[11]Weichbrodt, N., Kurmus, A., Pietzuch, P., & Kapitza, R. (2016). AsyncShock: Exploiting synchronisation bugs in intel SGX enclaves. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). https://doi.org/10.1007/978-3-319-45744-4_22
[12]Canella, C., Van Bulck, J., Schwarz, M., Lipp, M., von Berg, B., Ortner, P., … Gruss, D. (2018). A Systematic Evaluation of Transient Execution Attacks and Defenses. Retrieved from http://arxiv.org/abs/1811.05441
[13]Koeune, F. J.-J. Q. (1999). A timing attack against Rijndael. Group.
[14]Percival, C. (2005). Cache missing for fun and profit. BSDCan 2005.
[15]Wassel, H. M. G., Gao, Y., Oberg, J. K., Huffmire, T., Kastner, R., Chong, F. T., & Sherwood, T. (2013). SurfNoC:A Low Latency and Provably Non-Interfering Approach to Secure Networks-On-Chip. ACM SIGARCH Computer Architecture News, 41(3), 583. https://doi.org/10.1145/2508148.2485972
[16]Yao, F., Doroslovacki, M., & Venkataramani, G. (2018). Are Coherence Protocol States Vulnerable to Information Leakage? Proceedings - International Symposium on High-Performance Computer Architecture, 2018-Febru, 168–179. https://doi.org/10.1109/HPCA.2018.00024
[17]Yarom, Y., & Falkner, K. (2014). Flush + Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. USENIX Security 2014. https://doi.org/Report 2013/448
[18]Ge, Q., Yarom, Y., Li, F., & Heiser, G. (2016). Your Processor Leaks Information - and There’s Nothing You Can Do About It. Retrieved from http://arxiv.org/abs/1612.04474
[19]Evtyushkin, D., Ponomarev, D., & Abu-Ghazaleh, N. (2016). Jump over ASLR: Attacking branch predictors to bypass ASLR. Proceedings of the Annual International Symposium on Microarchitecture, MICRO. https://doi.org/10.1109/MICRO.2016.7783743
[20]Kiriansky, V., Lebedev, I., Amarasinghe, S., Devadas, S., Emer, J., Csail, M. I. T., & Csail, N. M. I. T. (2018). DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors. https://doi.org/10.1109/MICRO.2018.00083
[21]Van Bulck, J., Weichbrodt, N., Kapitza, R., Piessens, F., & Strackx, R. (2017). Telling Your Secrets Without Page Faults: Stealthy Page Table-based Attacks on Enclaved Execution. Proceedings of the 26th USENIX Conference on Security Symposium, 1041–1056. Retrieved from http://dl.acm.org/citation.cfm?id=3241189.3241271
[22]Hund, R., Willems, C., & Holz, T. (2013). Practical timing side channel attacks against kernel space ASLR. Proceedings - IEEE Symposium on Security and Privacy, 191–205. https://doi.org/10.1109/SP.2013.23
[23]Koruyeh, E. M., Shirazi, S. H. A., Khasawneh, K. N., Song, C., & Abu-Ghazaleh, N. (2019). SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation. Retrieved from http://arxiv.org/abs/1906.01345
[24]Schwarz, M., Lipp, M., Moghimi, D., Van Bulck, J., Stecklina, J., Prescher, T., & Gruss, D. (2019). ZombieLoad: Cross-Privilege-Boundary Data Sampling. Retrieved from http://arxiv.org/abs/1905.05726
[25]Schwarz, M., Canella, C., Giner, L., & Gruss, D. (2019). Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs. Retrieved from http://arxiv.org/abs/1905.05725
[26]Song, D. X., Wagner, D., & Tian, X. (2001). Timing Analysis of Keystrokes and Timing Attacks on SSH. USENIX Security Symposium. Retrieved from http://www.usenix.org
[27]Disselkoen, C., Jeffrey, A., & Riely, J. (2019). The Code That Never Ran : Modeling Attacks on Speculative Evaluation. 1238–1255. https://doi.org/10.1109/SP.2019.00047
[28]Ofir Weisse, Ian Neal, Kevin Loughlin, Thomas Wenisch, B. K. (2019). NDA : Preventing Speculative Execution Attacks at Their Source. MICRO 2019, 4–10.
[29]Schaik, S. Van, Milburn, A., Österlund, S., Frigo, P., Maisuradze, G., Razavi, K., … Giuffrida, C. (n.d.). RIDL : Rogue In-Flight Data Load.
[30]Guarnieri, M., Köpf, B., Morales, J. F., Reineke, J., & Sánchez, A. (2018). SPECTECTOR: Principled Detection of Speculative Information Flows. 1–17. Retrieved from http://arxiv.org/abs/1812.08639
[31]Ben Gras, Kaveh Razavi, Herbert Bos, & Cristiano Giuffrida. (2018). Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks. Usenix Security. Retrieved from https://www.usenix.org/conference/usenixsecurity18/presentation/gras
[32]Trippel, C., Lustig, D., & Martonosi, M. (2018). MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols. Retrieved from http://arxiv.org/abs/1802.03802
[33]Wray, J. C. (1991). An analysis of covert timing channels. Journal of Computer Security, 1(3–4), 219–232. https://doi.org/10.3233/JCS-1992-13-403
[34]Ge, Q., Yarom, Y., Li, F., & Heiser, G. (2016). Your Processor Leaks Information - and There’s Nothing You Can Do About It. Retrieved from http://arxiv.org/abs/1612.04474
[35]Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., … Hamburg, M. (2018). Meltdown: Reading Kernel Memory from User Space. 27th {USENIX} Security Symposium ({USENIX} Security 18).
[36]Kocher, P., Horn, J., Fogh, A., and Daniel Genkin, Gruss, D., Haas, W., … Yarom, Y. (2019). Spectre Attacks: Exploiting Speculative Execution. 40th IEEE Symposium on Security and Privacy (S&P’19).
[37]Bhattacharyya et al. SMoTherSpectre: exploiting speculative execution through port contention.
[38]Maisuradze, Giorgi, and Christian Rossow. "ret2spec: Speculative execution using return stack buffers." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2018.
[39]Mambretti, A., Neugschwandtner, M., Sorniotti, A., Engin Kirda, Robertson, W., & Kurmus, A. (2018). Speculator : A Tool to Analyze Speculative Execution Attacks and Mitigations. Retrieved from https://andreamambretti.com/files/papers/acsac2019_speculator.pdf
[40]Yan, M., Sprabery, R., Gopireddy, B., Fletcher, C., Campbell, R., & Torrellas, J. (2019). Attack Directories, Not Caches: Side-Channel Attacks in a Non-Inclusive World. SP - IEEE Symposium on Security and Privacy, (Llc), 1–17.
[41]Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clémentine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida. (2016) Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. https://doi.org/10.1145/2976749.2978406