58 research outputs found
Reviving Meltdown 3a
Since the initial discovery of Meltdown and Spectre in 2017, different
variants of these attacks have been discovered. One often overlooked variant is
Meltdown 3a, also known as Meltdown-CPL-REG. Even though Meltdown-CPL-REG was
initially discovered in 2018, the available information regarding the
vulnerability is still sparse. In this paper, we analyze Meltdown-CPL-REG on 19
different CPUs from different vendors using an automated tool. We observe that
the impact is more diverse than documented and differs from CPU to CPU.
Surprisingly, while the newest Intel CPUs do not seem affected by
Meltdown-CPL-REG, the newest available AMD CPUs (Zen3+) are still affected by
the vulnerability. Furthermore, given our attack primitive CounterLeak, we show
that besides up-to-date patches, Meltdown-CPL-REG can still be exploited as we
reenable performance-counter-based attacks on cryptographic algorithms, break
KASLR, and mount Spectre attacks. Although Meltdown-CPL-REG is not as powerful
as other transient-execution attacks, its attack surface should not be
underestimated.Comment: published at ESORICS 202
New Covert and Side Channels Based on Retirement
Intel processors utilize the retirement to orderly retire the micro-ops that
have been executed out of order. To enhance retirement utilization, the
retirement is dynamically shared between two logical cores on the same physical
core. However, this shared retirement mechanism creates a potential
vulnerability wherein an attacker can exploit the competition for retirement to
infer the data of a victim on another logical core on the same physical core.
Based on this leakage, we propose two new covert channels: the Different
Instructions (DI) covert channel using different instructions for information
transmission, and the Same Instructions (SI) covert channel using the same
instructions to transmit information. The DI covert channel can achieve 98.5%
accuracy with a bandwidth of 1450 Kbps, while the SI covert channel can achieve
94.85% accuracy with a bandwidth of 483.33 Kbps. Furthermore, this paper
explores additional applications of retirement: Firstly, retirement is applied
to Spectre attacks, resulting in a new variant of Spectre v1, which can achieve
94.17% accuracy with a bandwidth of 29 Kbps; Secondly, retirement is leveraged
to infer the programs being executed by the victim, which can infer 10 integer
benchmarks of SPEC with 89.28% accuracy. Finally, we discuss possible
protection against new covert channels.Comment: 13 pages and 17 figure
Cache Attacks and Defenses
In the digital age, as our daily lives depend heavily on interconnected computing devices, information security has become a crucial concern. The continuous exchange of data between devices over the Internet exposes our information vulnerable to potential security breaches. Yet, even with measures in place to protect devices, computing equipment inadvertently leaks information through side-channels, which emerge as byproducts of computational activities. One particular source of such side channels is the cache, a vital component of modern processors that enhances computational speed by storing frequently accessed data from random access memory (RAM). Due to their limited capacity, caches often need to be shared among concurrently running applications, resulting in vulnerabilities. Cache side-channel attacks, which exploit such vulnerabilities, have received significant attention due to their ability to stealthily compromise information confidentiality and the challenge in detecting and countering them. Consequently, numerous defense strategies have been proposed to mitigate these attacks. This thesis explores these defense strategies against cache side-channels, assesses their effectiveness, and identifies any potential vulnerabilities that could be used to undermine the effectiveness of these defense strategies. The first contribution of this thesis is a software framework to assess the security of secure cache designs. We show that while most secure caches are protected from eviction-set-based attacks, they are vulnerable to occupancybased attacks, which works just as well as eviction-set-based attacks, and therefore should be taken into account when designing and evaluating secure caches. Our second contribution presents a method that utilizes speculative execution to enable high-resolution attacks on low-resolution timers, a common cache attack countermeasure adopted by web browsers. We demonstrate that our technique not only allows for high-resolution attacks to be performed on low-resolution timers, but is also Turing-complete and is capable of performing robust calculations on cache states. Through this research, we uncover a new attack vector on low-resolution timers. By exposing this vulnerability, we hope to prompt the necessary measures to address the issue and enhance the security of systems in the future. Our third contribution is a survey, paired with experimental assessment of cache side-channel attack detection techniques using hardware performance counters. We show that, despite numerous claims regarding their efficacy, most detection techniques fail to perform proper evaluation of their performance, leaving them vulnerable to more advanced attacks. We identify and outline these shortcomings, and furnish experimental evidence to corroborate our findings. Furthermore, we demonstrate a new attack that is capable of compromising these detection methods. Our aim is to bring attention to these shortcomings and provide insights that can aid in the development of more robust cache side-channel attack detection techniques. This thesis contributes to a deeper comprehension of cache side-channel attacks and their potential effects on information security. Furthermore, it offers valuable insights into the efficacy of existing mitigation approaches and detection methods, while identifying areas for future research and development to better safeguard our computing devices and data from these insidious attacks.Thesis (MPhil) -- University of Adelaide, School of Computer and Mathematical Sciences, 202
Design of secure and robust cognitive system for malware detection
Machine learning based malware detection techniques rely on grayscale images
of malware and tends to classify malware based on the distribution of textures
in graycale images. Albeit the advancement and promising results shown by
machine learning techniques, attackers can exploit the vulnerabilities by
generating adversarial samples. Adversarial samples are generated by
intelligently crafting and adding perturbations to the input samples. There
exists majority of the software based adversarial attacks and defenses. To
defend against the adversaries, the existing malware detection based on machine
learning and grayscale images needs a preprocessing for the adversarial data.
This can cause an additional overhead and can prolong the real-time malware
detection. So, as an alternative to this, we explore RRAM (Resistive Random
Access Memory) based defense against adversaries. Therefore, the aim of this
thesis is to address the above mentioned critical system security issues. The
above mentioned challenges are addressed by demonstrating proposed techniques
to design a secure and robust cognitive system. First, a novel technique to
detect stealthy malware is proposed. The technique uses malware binary images
and then extract different features from the same and then employ different
ML-classifiers on the dataset thus obtained. Results demonstrate that this
technique is successful in differentiating classes of malware based on the
features extracted. Secondly, I demonstrate the effects of adversarial attacks
on a reconfigurable RRAM-neuromorphic architecture with different learning
algorithms and device characteristics. I also propose an integrated solution
for mitigating the effects of the adversarial attack using the reconfigurable
RRAM architecture.Comment: arXiv admin note: substantial text overlap with arXiv:2104.0665
- …