26 research outputs found

    ret2spec: Speculative Execution Using Return Stack Buffers

    Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers similar capabilities as the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average. Comment: Updating to the cam-ready version and adding reference to the original paper

    Verifying RISC-V Physical Memory Protection

    We formally verify an open-source hardware implementation of physical memory protection (PMP) in RISC-V, which is a standard feature used for memory isolation in security critical systems such as the Keystone trusted execution environment. PMP provides per-hardware-thread machine-mode control registers that specify the access privileges for physical memory regions. We first formalize the functional property of the PMP rules based on the RISC-V ISA manual. Then, we use the LIME tool to translate an open-source implementation of the PMP hardware module written in Chisel to the UCLID5 formal verification language. We encode the formal specification in UCLID5 and verify the functional correctness of the hardware. This is an initial effort towards verifying the Keystone framework, where the trusted computing base (TCB) relies on PMP to provide security guarantees such as integrity and confidentiality. Comment: SECRISC-V 2019 Workshop

    Pentimento: Data Remanence in Cloud FPGAs

    Cloud FPGAs strike an alluring balance between computational efficiency, energy efficiency, and cost. It is the flexibility of the FPGA architecture that enables these benefits, but that very same flexibility exposes new security vulnerabilities. We show that a remote attacker can recover "FPGA pentimenti" - long-removed secret data belonging to a prior user of a cloud FPGA. The sensitive data constituting an FPGA pentimento is an analog imprint from bias temperature instability (BTI) effects on the underlying transistors. We demonstrate how this slight degradation can be measured using a time-to-digital (TDC) converter when an adversary programs one into the target cloud FPGA. This technique allows an attacker to ascertain previously safe information on cloud FPGAs, even after it is no longer explicitly present. Notably, it can allow an attacker who knows a non-secret "skeleton" (the physical structure, but not the contents) of the victim's design to (1) extract proprietary details from an encrypted FPGA design image available on the AWS marketplace and (2) recover data loaded at runtime by a previous user of a cloud FPGA using a known design. Our experiments show that BTI degradation (burn-in) and recovery are measurable and constitute a security threat to commercial cloud FPGAs. Comment: 17 Pages, 8 Figures

    Sanctorum: A lightweight security monitor for secure enclaves

    Enclaves have emerged as a particularly compelling primitive to implement trusted execution environments: strongly isolated sensitive user-mode processes in a largely untrusted software environment. While the threat models employed by various enclave systems differ, the high-level guarantees they offer are essentially the same: attestation of an enclave's initial state, as well as a guarantee of enclave integrity and privacy in the presence of an adversary. This work describes Sanctorum, a small trusted code base (TCB), consisting of a generic enclave-capable system, which is sufficient to implement secure enclaves akin to the primitive offered by Intel's SGX. While enclaves may be implemented via unconditionally trusted hardware and microcode, as is the case in SGX, we employ a smaller TCB principally consisting of authenticated, privileged software, which may be replaced or patched as needed. Sanctorum implements a formally verified specification for generic enclaves on an in-order multiprocessor system meeting baseline security requirements, e.g., the MIT Sanctum processor and the Keystone enclave framework. Sanctorum requires trustworthy hardware including a random number generator, a private cryptographic key pair derived via a secure bootstrapping protocol, and a robust isolation primitive to safeguard sensitive information. Sanctorum's threat model is informed by the threat model of the isolation primitive, and is suitable for adding enclaves to a variety of processor systems. Comment: 6 pages

    On Subnormal Floating Point and Abnormal Timing

    Abstract—We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library. Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.

    An Online Survey of the Perceptions of Clinical and Non-Clinical Professionals on Healthcare for Non-Communicable Diseases and COVID-19 Measures During the Pandemic in Malaysia

    Objectives: This study assesses the opinions of health professionals in Malaysia on the disruption of non-communicable disease (NCD) services during the COVID-19 pandemic from March 2020 to January 2022. Methods: We conducted a cross-sectional online survey with 191 non-clinical public health workers and clinical health service workers in Malaysia from November 2021 to January 2022. Participants were recruited by the Malaysian Ministry of Health using major networks including key experts and practitioners. Secondary respondents were subsequently enrolled through snowballing. Results: The most notable issues raised by the survey participants relate to NCD service disruption, the redirection of NCD care resources, and NCD care being overburdened post-pandemic. Respondents also reported accounts of resilience and prompt reaction from the healthcare system, as well as calls for innovation. Conclusion: Most respondents perceived that the challenges arising from COVID-19 were mostly managed well by the healthcare system, which was able to provide the necessary services to NCD patients during this health emergency. However, the study identifies gaps in the health system response and preparedness capacity, and highlights solutions for strengthening NCD services

    An Online Survey of the Perceptions of Clinical Professionals on Healthcare for Non-Communicable Diseases and Covid-19 Measures During the Pandemic in Malaysia

    The supplementary material for this article can be found online at: https://www.ssph-journal.org/articles/10.3389/ijph.2023.1605861/full#supplementary-material This article is subject to a CC BY 4.0 license. Objectives: This study assesses the opinions of health professionals in Malaysia on the disruption of non-communicable disease (NCD) services during the COVID-19 pandemic from March 2020 to January 2022. Methods: We conducted a cross-sectional online survey with 191 non-clinical public health workers and clinical health service workers in Malaysia from November 2021 to January 2022. Participants were recruited by the Malaysian Ministry of Health using major networks including key experts and practitioners. Secondary respondents were subsequently enrolled through snowballing. Results: The most notable issues raised by the survey participants relate to NCD service disruption, the redirection of NCD care resources, and NCD care being overburdened post-pandemic. Respondents also reported accounts of resilience and prompt reaction from the healthcare system, as well as calls for innovation. Conclusion: Most respondents perceived that the challenges arising from COVID-19 were mostly managed well by the healthcare system, which was able to provide the necessary services to NCD patients during this health emergency. However, the study identifies gaps in the health system response and preparedness capacity, and highlights solutions for strengthening NCD services. Peer reviewed

    Exploring key-stakeholder perceptions on non-communicable disease care during the COVID-19 pandemic in Kenya

    This article is subject to a CC BY 4.0 license. Introduction: over one third of total Disability-Adjusted-Life-Years lost in Kenya are due to non-communicable diseases (NCD). In response, the Government declared significant commitment towards improving NCD care. The COVID-19 pandemic increased the burden on the already overstretched health systems in Kenya. The aims of this study are to assess whether health care providers perceived NCD care to be optimal during the pandemic and explore how to improve responses to future emergencies. Methods: this cross-sectional online survey included healthcare personnel with non-clinical roles (public health workers and policy-makers) and those delivering health care (doctors and nurses). Respondents were recruited between May and September 2021 by random sampling, completed by snowball sampling. Results: among 236 participants (42% in clinical, 58% in non-clinical roles) there was an overall consensus between respondents on NCD care being disrupted and compromised during the pandemic in Kenya. Detracted supplies, funding, and technical resources affected the continuity of NCDs response, despite government efforts. Respondents agreed that the enhanced personnel capacity and competencies to manage COVID-19 patients were positive, but noted a lack of guidance for redirecting care for chronic diseases, and advocated for digital innovation as a solution. Conclusion: this paper explores the perceptions of key stakeholders involved in the management of NCDs in Kenya to improve planning for future emergency responses. Gaps were identified in health system response and preparedness capacity during the pandemic including the perceived need to strengthen NCD services, with solutions offered to guide resilience efforts to protect the health system from disruption. Peer reviewed

    Trusted Systems for Uncertain Times

    When software is designed, even with security in mind, assumptions are made about the details of hardware behavior. Unfortunately, the correctness of such assumptions can be critical to the desired security properties. In this dissertation we first demonstrate how incorrect assumptions about the hardware abstraction lead to side-channels that threaten modern software security, and second we propose a principled method of timing channel defense for modern web browsers. We show how performance variations in floating-point math instructions enable the first demonstrated instruction-data timing side-channel on commodity hardware. We use this side-channel in two case studies to prove its viability. First, we redesign a previous attack on an older version of the Firefox web browser to violate the Same Origin Policy. Second, we break the guarantees of a differentially private database designed to resist timing attacks. We show how the timing side-channel arises from hardware optimization decisions that have been well understood in the architecture, numerical analysis, and game-engine communities, but largely ignored in security. Using a detailed measurement and analysis of floating-point performance, we examine the progress and potential of defenses against floating-point timing side-channels. We find that all deployed defensive schemes for desktop web browsers were insufficient, and most are still vulnerable. Using the same analysis methods, we show how a proposed defensive scheme makes incorrect assumptions about the hardware features it leverages, negating its guarantees. As a possible remediation to the problem of floating-point timing side-channels, we present libfixedtimefixedpoint as an alternative to floating-point. It provides a fixed-point implementation of most available floating-point operations and is designed to run in constant time regardless of the input values. Finally, we discuss structural problems in modern web browser design that make them amenable to all timing attacks. Adapting solutions from parallel problems solved by early trusted operating systems projects, we propose a modified browser architecture providing a provable defensive guarantee against all timing attacks. We then demonstrate the viability of this scheme by prototyping aspects of the architecture in a modified web browser