26 research outputs found
ret2spec: Speculative Execution Using Return Stack Buffers
Speculative execution is an optimization technique that has been part of CPUs
for over a decade. It predicts the outcome and target of branch instructions to
avoid stalling the execution pipeline. However, until recently, the security
implications of speculative code execution have not been studied.
In this paper, we investigate a special type of branch predictor that is
responsible for predicting return addresses. To the best of our knowledge, we
are the first to study return address predictors and their consequences for the
security of modern software. In our work, we show how return stack buffers
(RSBs), the core unit of return address predictors, can be used to trigger
misspeculations. Based on this knowledge, we propose two new attack variants
using RSBs that give attackers similar capabilities as the documented Spectre
attacks. We show how local attackers can gain arbitrary speculative code
execution across processes, e.g., to leak passwords another user enters on a
shared system. Our evaluation showed that the recent Spectre countermeasures
deployed in operating systems can also cover such RSB-based cross-process
attacks. Yet we then demonstrate that attackers can trigger misspeculation in
JIT environments in order to leak arbitrary memory content of browser
processes. Reading outside the sandboxed memory region with JIT-compiled code
is still possible with 80% accuracy on average.
Comment: Updating to the cam-ready version and adding reference to the
original paper
Verifying RISC-V Physical Memory Protection
We formally verify an open-source hardware implementation of physical memory
protection (PMP) in RISC-V, which is a standard feature used for memory
isolation in security critical systems such as the Keystone trusted execution
environment. PMP provides per-hardware-thread machine-mode control registers
that specify the access privileges for physical memory regions. We first
formalize the functional property of the PMP rules based on the RISC-V ISA
manual. Then, we use the LIME tool to translate an open-source implementation
of the PMP hardware module written in Chisel to the UCLID5 formal verification
language. We encode the formal specification in UCLID5 and verify the
functional correctness of the hardware. This is an initial effort towards
verifying the Keystone framework, where the trusted computing base (TCB) relies
on PMP to provide security guarantees such as integrity and confidentiality.
Comment: SECRISC-V 2019 Workshop
Pentimento: Data Remanence in Cloud FPGAs
Cloud FPGAs strike an alluring balance between computational efficiency,
energy efficiency, and cost. It is the flexibility of the FPGA architecture
that enables these benefits, but that very same flexibility exposes new
security vulnerabilities. We show that a remote attacker can recover "FPGA
pentimenti" - long-removed secret data belonging to a prior user of a cloud
FPGA. The sensitive data constituting an FPGA pentimento is an analog imprint
from bias temperature instability (BTI) effects on the underlying transistors.
We demonstrate how this slight degradation can be measured using a
time-to-digital (TDC) converter when an adversary programs one into the target
cloud FPGA.
This technique allows an attacker to ascertain previously safe information on
cloud FPGAs, even after it is no longer explicitly present. Notably, it can
allow an attacker who knows a non-secret "skeleton" (the physical structure,
but not the contents) of the victim's design to (1) extract proprietary details
from an encrypted FPGA design image available on the AWS marketplace and (2)
recover data loaded at runtime by a previous user of a cloud FPGA using a known
design. Our experiments show that BTI degradation (burn-in) and recovery are
measurable and constitute a security threat to commercial cloud FPGAs.
Comment: 17 Pages, 8 Figures
Sanctorum: A lightweight security monitor for secure enclaves
Enclaves have emerged as a particularly compelling primitive to implement
trusted execution environments: strongly isolated sensitive user-mode processes
in a largely untrusted software environment. While the threat models employed
by various enclave systems differ, the high-level guarantees they offer are
essentially the same: attestation of an enclave's initial state, as well as a
guarantee of enclave integrity and privacy in the presence of an adversary.
This work describes Sanctorum, a small trusted code base (TCB), consisting of
a generic enclave-capable system, which is sufficient to implement secure
enclaves akin to the primitive offered by Intel's SGX. While enclaves may be
implemented via unconditionally trusted hardware and microcode, as is the
case in SGX, we employ a smaller TCB principally consisting of authenticated,
privileged software, which may be replaced or patched as needed. Sanctorum
implements a formally verified specification for generic enclaves on an
in-order multiprocessor system meeting baseline security requirements, e.g.,
the MIT Sanctum processor and the Keystone enclave framework. Sanctorum
requires trustworthy hardware including a random number generator, a private
cryptographic key pair derived via a secure bootstrapping protocol, and a
robust isolation primitive to safeguard sensitive information. Sanctorum's
threat model is informed by the threat model of the isolation primitive, and is
suitable for adding enclaves to a variety of processor systems.
Comment: 6 pages
On Subnormal Floating Point and Abnormal Timing
We identify a timing channel in the floating point instructions of modern x86 processors: the running time of floating point addition and multiplication instructions can vary by two orders of magnitude depending on their operands. We develop a benchmark measuring the timing variability of floating point operations and report on its results. We use floating point data timing variability to demonstrate practical attacks on the security of the Firefox browser (versions 23 through 27) and the Fuzz differentially private database. Finally, we initiate the study of mitigations to floating point data timing channels with libfixedtimefixedpoint, a new fixed-point, constant-time math library. Modern floating point standards and implementations are sophisticated, complex, and subtle, a fact that has not been sufficiently recognized by the security community. More work is needed to assess the implications of the use of floating point instructions in security-relevant software.
An Online Survey of the Perceptions of Clinical and Non-Clinical Professionals on Healthcare for Non-Communicable Diseases and COVID-19 Measures During the Pandemic in Malaysia
Objectives: This study assesses the opinions of health professionals in Malaysia on the disruption of non-communicable disease (NCD) services during the COVID-19 pandemic from March 2020 to January 2022. Methods: We conducted a cross-sectional online survey with 191 non-clinical public health workers and clinical health service workers in Malaysia from November 2021 to January 2022. Participants were recruited by the Malaysian Ministry of Health using major networks including key experts and practitioners. Secondary respondents were subsequently enrolled through snowballing. Results: The most notable issues raised by the survey participants relate to NCD service disruption, the redirection of NCD care resources, and NCD care being overburdened post-pandemic. Respondents also reported accounts of resilience and prompt reaction from the healthcare system, as well as calls for innovation. Conclusion: Most respondents perceived that the challenges arising from COVID-19 were mostly managed well by the healthcare system, which was able to provide the necessary services to NCD patients during this health emergency. However, the study identifies gaps in the health system response and preparedness capacity, and highlights solutions for strengthening NCD services.
An Online Survey of the Perceptions of Clinical Professionals on Healthcare for Non-Communicable Diseases and Covid-19 Measures During the Pandemic in Malaysia
The supplementary material for this article can be found online at: https://www.ssph-journal.org/articles/10.3389/ijph.2023.1605861/full#supplementary-material
This article is subject to a CC BY 4.0 license.
Objectives: This study assesses the opinions of health professionals in Malaysia on the disruption of non-communicable disease (NCD) services during the COVID-19 pandemic from March 2020 to January 2022.
Methods: We conducted a cross-sectional online survey with 191 non-clinical public health workers and clinical health service workers in Malaysia from November 2021 to January 2022. Participants were recruited by the Malaysian Ministry of Health using major networks including key experts and practitioners. Secondary respondents were subsequently enrolled through snowballing.
Results: The most notable issues raised by the survey participants relate to NCD service disruption, the redirection of NCD care resources, and NCD care being overburdened post-pandemic. Respondents also reported accounts of resilience and prompt reaction from the healthcare system, as well as calls for innovation.
Conclusion: Most respondents perceived that the challenges arising from COVID-19 were mostly managed well by the healthcare system, which was able to provide the necessary services to NCD patients during this health emergency. However, the study identifies gaps in the health system response and preparedness capacity, and highlights solutions for strengthening NCD services.
Peer reviewed
Exploring key-stakeholder perceptions on non-communicable disease care during the COVID-19 pandemic in Kenya
This article is subject to a CC BY 4.0 license.
Introduction: over one third of total Disability-Adjusted-Life-Years lost in Kenya are due to non-communicable diseases (NCD). In response, the Government declared significant commitment towards improving NCD care. The COVID-19 pandemic increased the burden on the already overstretched health systems in Kenya. The aims of this study are to assess whether health care providers perceived NCD care to be optimal during the pandemic and explore how to improve responses to future emergencies.
Methods: this cross-sectional online survey included healthcare personnel with non-clinical roles (public health workers and policy-makers) and those delivering health care (doctors and nurses). Respondents were recruited between May and September 2021 by random sampling, completed by snowball sampling.
Results: among 236 participants (42% in clinical, 58% in non-clinical roles) there was an overall consensus between respondents on NCD care being disrupted and compromised during the pandemic in Kenya. Detracted supplies, funding, and technical resources affected the continuity of NCDs response, despite government efforts. Respondents agreed that the enhanced personnel capacity and competencies to manage COVID-19 patients were positive, but noted a lack of guidance for redirecting care for chronic diseases, and advocated for digital innovation as a solution.
Conclusion: this paper explores the perceptions of key stakeholders involved in the management of NCDs in Kenya to improve planning for future emergency responses. Gaps were identified in health system response and preparedness capacity during the pandemic including the perceived need to strengthen NCD services, with solutions offered to guide resilience efforts to protect the health system from disruption.
Peer reviewed
Trusted Systems for Uncertain Times
When software is designed, even with security in mind, assumptions are made about the details of hardware behavior. Unfortunately, the correctness of such assumptions can be critical to the desired security properties. In this dissertation we first demonstrate how incorrect assumptions about the hardware abstraction lead to side-channels that threaten modern software security, and second we propose a principled method of timing channel defense for modern web browsers.
We show how performance variations in floating-point math instructions enable the first demonstrated instruction-data timing side-channel on commodity hardware. We use this side-channel in two case studies to prove its viability. First, we redesign a previous attack on an older version of the Firefox web browser to violate the Same Origin Policy. Second, we break the guarantees of a differentially private database designed to resist timing attacks. We show how the timing side-channel arises from hardware optimization decisions that have been well understood in the architecture, numerical analysis, and game-engine communities, but largely ignored in security.
Using a detailed measurement and analysis of floating-point performance, we examine the progress and potential of defenses against floating-point timing side-channels. We find that all deployed defensive schemes for desktop web browsers were insufficient, and most are still vulnerable. Using the same analysis methods, we show how a proposed defensive scheme makes incorrect assumptions about the hardware features it leverages, negating its guarantees.
As a possible remediation to the problem of floating-point timing side-channels, we present libfixedtimefixedpoint as an alternative to floating-point. It provides a fixed-point implementation of most available floating-point operations and is designed to run in constant time regardless of the input values.
Finally, we discuss structural problems in modern web browser design that make them amenable to all timing attacks. Adapting solutions from parallel problems solved by early trusted operating systems projects, we propose a modified browser architecture providing a provable defensive guarantee against all timing attacks. We then demonstrate the viability of this scheme by prototyping aspects of the architecture in a modified web browser.