72 research outputs found

    Defeating software mitigations against rowhammer: A surgical precision hammer

    Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

    Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

    Augmenting Inertial Motion Capture with SLAM Using EKF and SRUKF Data Fusion Algorithms

    Inertial motion capture systems widely use low-cost IMUs to obtain the orientation of human body segments, but these sensors alone are unable to estimate link positions. Therefore, this research used a SLAM method in conjunction with inertial data fusion to estimate link positions. SLAM is a method that tracks a target in a reconstructed map of the environment using a camera. This paper proposes quaternion-based extended and square-root unscented Kalman filters (EKF & SRUKF) algorithms for pose estimation. The Kalman filters use measurements based on SLAM position data, multi-link biomechanical constraints, and vertical referencing to correct errors. In addition to the sensor biases, the fusion algorithm is capable of estimating link geometries, allowing the imposing of biomechanical constraints without a priori knowledge of sensor positions. An optical tracking system is used as a reference of ground-truth to experimentally evaluate the performance of the proposed algorithm in various scenarios of human arm movements. The proposed algorithms achieve up to 5.87 (cm) and 1.1 (deg) accuracy in position and attitude estimation. Compared to the EKF, the SRUKF algorithm presents a smoother and higher convergence rate but is 2.4 times more computationally demanding. After convergence, the SRUKF is up to 17% less and 36% more accurate than the EKF in position and attitude estimation, respectively. Using an absolute position measurement method instead of SLAM produced 80% and 40%, in the case of EKF, and 60% and 6%, in the case of SRUKF, less error in position and attitude estimation, respectively. Comment: 8 pages, 8 figures, 4 tables, 21 reference

    Comparing Two Inferior Oblique Weakening Procedures: Disinsertion versus Myectomy

    Purpose: To compare two methods for treating inferior oblique overaction (IOOA): disinsertion versus myectomy of the muscle. Methods: In this prospective interventional case series, patients were randomly assigned to undergo either IO myectomy or disinsertion. The changes in vertical and horizontal deviations following these two surgical procedures were evaluated. The postoperative IO function of grade 0 or +1 and the fundus extorsion of grade 0 or +1 was considered as the successful outcome. Results: Thirty-six patients (50 eyes) with a mean age of 12.67 ± 4.05 years were included. In the myectomy group, the mean preoperative hyperdeviation in adduction was 29.5 ± 9.32 prism diopter (PD), which decreased to 9.15 ± 7.86 PD after surgery (P = 0.001). In the disinsertion group, these measurements were 32.73 ± 12.42 and 12.65 ± 9.34 PD before and after the surgery, respectively (P = 0.001). The success rate of surgery based on the IOOA grading was 87.4% and 92.3% in the myectomy and disinsertion groups, respectively (P = 0.780). The successful correction rate of abnormal fundus torsion was 91.6% in the myectomy and 88.4% in the disinsertion group (P = 0.821). In comparison, 48% of the cases in the myectomy group and 50% in the disinsertion group were within the normal range of torsional position postoperatively (P = 0.786). There was no statistically significant difference in terms of changes in the horizontal or vertical deviations, V-pattern, and dissociated vertical deviation between the two groups. Conclusion: Both surgical techniques seem to be effective for treatment of inferior oblique muscle overaction.

    Prebaked µVMs: Scalable, Instant VM Startup for IaaS Clouds

    IaaS clouds promise instantaneously available resources to elastic applications. In practice, however, virtual machine (VM) startup times are in the order of several minutes, or at best, several tens of seconds, negatively impacting the elasticity of applications like Web servers that need to scale out to handle dynamically increasing load. VM startup time is strongly influenced by booting the VM's operating system. In this work, we propose using so-called prebaked µVMs to speed up VM startup. µVMs are snapshots of minimal VMs that can be quickly resumed and then configured to application needs by hot-plugging resources. To serve µVMs, we extend our VM boot cache service, Squirrel, allowing to store µVMs for large numbers of VM images on the hosts of a data center. Our experiments show that µVMs can start up in less than one second on a standard file system. Using 1000+ VM images from a production cloud, we show that the respective µVMs can be stored in a compressed and deduplicated file system within 50 GB storage per host, while starting up within 2-3 seconds on average.

    TRRespass: Exploiting the Many Sides of Target Row Refresh

    After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term TRR. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on modern DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue. Comment: 16 pages, 16 figures, in proceedings IEEE S&P 202

    SpyHammer: Using RowHammer to Remotely Spy on Temperature

    RowHammer is a DRAM vulnerability that can cause bit errors in a victim DRAM row by just accessing its neighboring DRAM rows at a high-enough rate. Recent studies demonstrate that new DRAM devices are becoming increasingly more vulnerable to RowHammer, and many works demonstrate system-level attacks for privilege escalation or information leakage. In this work, we leverage two key observations about RowHammer characteristics to spy on DRAM temperature: 1) RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and 2) some DRAM cells that are vulnerable to RowHammer cause bit errors only at a particular temperature. Based on these observations, we propose a new RowHammer attack, called SpyHammer, that spies on the temperature of critical systems such as industrial production lines, vehicles, and medical systems. SpyHammer is the first practical attack that can spy on DRAM temperature. SpyHammer can spy on absolute temperature with an error of less than 2.5 °C at the 90th percentile of tested temperature points, for 12 real DRAM modules from 4 main manufacturers.

    Quality of Life among Persons with HIV/AIDS in Iran: Internal Reliability and Validity of an International Instrument and Associated Factors

    The purpose of this cross-sectional study on 191 HIV/AIDS patients was to prepare the first Persian translation of the complete WHOQOL-HIV instrument, evaluate its reliability and validity, and apply it to determine quality of life and its associated factors in Tehran, Iran. Student's t-test was used to compare quality of life between groups. Mean Cronbach's α of facets in all six domains of the instrument were more than 0.6, indicating good reliability. Item/total corrected correlation coefficients had a lower limit of more than 0.5 in all facets except for the association between the energy and fatigue facet and the physical domain. Compared to younger participants, patients older than 35 years had significantly lower scores in overall quality of life (P = 0.003), social relationships (P = 0.021), and spirituality/religion/personal beliefs (P = 0.024). Unemployed patients had significantly lower scores in overall quality of life (P = 0.01), level of independence (P = 0.004), and environment (P = 0.001) compared to employed participants. This study demonstrated that the standard, complete WHOQOL-HIV 120 instrument translated into Farsi and evaluated among Iranian participants provides a reliable and valid basis for future research on quality of life for HIV and other patients in Iran.