175 research outputs found

    CacheZoom: How SGX Amplifies The Power of Cache Attacks

    In modern computing environments, hardware resources are commonly shared, and parallel computation is widely used. Parallel tasks can cause privacy and security problems if proper isolation is not enforced. Intel proposed SGX to create a trusted execution environment within the processor. SGX relies on the hardware, and claims runtime protection even if the OS and other software components are malicious. However, SGX disregards side-channel attacks. We introduce a powerful cache side-channel attack that provides system adversaries a high resolution channel. Our attack tool named CacheZoom is able to virtually track all memory accesses of SGX enclaves with high spatial and temporal precision. As proof of concept, we demonstrate AES key recovery attacks on commonly used implementations including those that were believed to be resistant in previous scenarios. Our results show that SGX cannot protect critical data sensitive computations, and efficient AES key recovery is possible in a practical environment. In contrast to previous works which require hundreds of measurements, this is the first cache side-channel attack on a real system that can recover AES keys with a minimal number of measurements. We can successfully recover AES keys from T-Table based implementations with as few as ten measurements. Comment: Accepted at Conference on Cryptographic Hardware and Embedded Systems (CHES '17

    A rapid non-destructive DNA extraction method for insects and other arthropods

    Preparation of arthropods for morphological identification often damages or destroys DNA within the specimen. Conversely, DNA extraction methods often destroy the external physical characteristics essential for morphological identification. We have developed a rapid, simple and non-destructive DNA extraction technique for arthropod specimens. This technique was tested on four arthropod orders, using specimens that were fresh, preserved by air drying, stored in ethanol, or collected with sticky or propylene glycol traps. The technique could be completed in twenty minutes for Coleoptera, Diptera and Hemiptera, and two minutes for the subclass Acarina, without significant distortion, discolouration, or other damage to the specimens

    Inter- and intralimb adaptations to a sensory perturbation during activation of the serotonin system after a low spinal cord transection in neonatal rats

    Activation of the serotonin system has been shown to induce locomotor activity following a spinal cord transection. This study examines how the isolated spinal cord adapts to a sensory perturbation during activation of the serotonergic system. Real-time and persistent effects of a perturbation were examined in intact and spinal transected newborn rats. Rats received a spinal surgery (sham or low thoracic transection) on postnatal day 1 and were tested 9 days later. At test, subjects were treated with the serotonergic receptor agonist quipazine (3.0 mg/kg) to induce stepping behavior. Half of the subjects experienced range of motion (ROM) restriction during stepping, while the other half did not. Differences in stepping behavior (interlimb coordination) and limb trajectories (intralimb coordination) were found to occur in both intact and spinal subjects. Adaptations were seen in the forelimbs and hindlimbs. Also, real-time and persistent effects of ROM restriction (following removal of the perturbation) were seen in ROM-restricted subjects. This study demonstrates the sensitivity of the isolated spinal cord to sensory feedback in conjunction with serotonin modulation

    Squirmers with swirl: a model for Volvox


    ELISA: ELiciting ISA of Raw Binaries for Fine-grained Code and Data Separation

    Static binary analysis techniques are widely used to reconstruct the behavior and discover vulnerabilities in software when source code is not available. To avoid errors due to mis-interpreting data as machine instructions (or vice-versa), disassemblers and static analysis tools must precisely infer the boundaries between code and data. However, this information is often not readily available. Worse, compilers may embed small chunks of data inside the code section. Most state of the art approaches to separate code and data are rooted in recursive traversal disassembly, with severe limitations when dealing with indirect control instructions. We propose ELISA, a technique to separate code from data and ease the static analysis of executable files. ELISA leverages supervised sequential learning techniques to locate the code section(s) boundaries of header-less binary files, and to predict the instruction boundaries inside the identified code section. As a preliminary step, if the Instruction Set Architecture (ISA) of the binary is unknown, ELISA leverages a logistic regression model to identify the correct ISA from the file content. We provide a comprehensive evaluation on a dataset of executables compiled for different ISAs, and we show that our method is capable of identifying code sections with a byte-level accuracy (F1 score) ranging from 98.13% to over 99.9% depending on the ISA. Fine-grained separation of code from embedded data on x86, x86-64 and ARM executables is accomplished with an accuracy of over 99.9%

    Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement

    We present a new technique and system, DIODE, for automatically generating inputs that trigger overflows at memory allocation sites. DIODE is designed to identify relevant sanity checks that inputs must satisfy to trigger overflows at target memory allocation sites, then generate inputs that satisfy these sanity checks to successfully trigger the overflow. DIODE works with off-the-shelf, production x86 binaries. Our results show that, for our benchmark set of applications, and for every target memory allocation site exercised by our seed inputs (which the applications process correctly with no overflows), either 1) DIODE is able to generate an input that triggers an overflow at that site or 2) there is no input that would trigger an overflow for the observed target expression at that site. United States. Defense Advanced Research Projects Agency (Grant FA8650-11-C-7192