560 research outputs found

    Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

    Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

    Exploiting Hardware from Software: An attack-surface analysis

    In recent years we observed a deepening integration between hardware and software; we now have dedicated hardware for all sorts of applications and software heavily optimized for the underlying hardware. And while this allowed modern systems to keep up with the increasing demand for performance, this new paradigm came at the cost of a more complex hardware-software stack. Unfortunately, between the cracks of these two domains, we notice a new class of attacks gaining momentum: software-based hardware attacks. As the name suggests, these attacks target underlying hardware vulnerabilities while being leveraged from software, notorious examples being the Rowhammer bug, Spectre, and Meltdown. In this thesis, we perform an in-depth attack surface analysis of different software-based hardware vulnerabilities while revisiting some of the assumptions upon which the current attacks and defenses are built. More specifically, we deepen the understanding of the DRAM Rowhammer bug from various perspectives: we show how it represents a serious threat to various targets such as mobile devices, web browsers, and Deep Neural Networks; and, we demonstrate that the silver-bullet defense introduced on DDR4 devices against the issue (in-DRAM Target Row Refresh) does not prevent an attacker from triggering bit-flips on millions of devices previously deemed safe. On top of that, we investigate the effectiveness of hardware defenses introduced against the recent Spectre bug and show how those deployed to prevent cross-privilege Spectre attacks are incomplete, allowing attackers to build new exploits.

    Defeating software mitigations against rowhammer: A surgical precision hammer
