Processor Microarchitecture Security

As computer systems grow more and more complicated, various optimizations can unintentionally introduce security vulnerabilities in these systems. The vulnerabilities can lead to user information and data being compromised or stolen. In particular, the ending of both Moore\u27s law and Dennard scaling motivate the design of more exotic microarchitectural optimizations to extract more performance -- further exacerbating the security vulnerabilities. The performance optimizations often focus on sharing or re-using of hardware components within a processor, between different users or programs. Because of the sharing of the hardware, unintentional information leakage channels, through the shared components, can be created. Microarchitectural attacks, such as the high-profile Spectre and Meltdown attacks or the cache covert channels that they leverage, have demonstrated major vulnerabilities of modern computer architectures due to the microarchitectural~optimizations. Key components of processor microarchitectures are processor caches used for achieving high memory bandwidth and low latency for frequently accessed data. With frequently accessed data being brought and stored in caches, memory latency can be significantly reduced when data is fetched from the cache, as opposed to being fetched from the main memory. With limited processor chip area, however, the cache size cannot be very large. Thus, modern processors adopt a cache hierarchy with multiple levels of caches, where the cache close to processor is faster but smaller, and the cache far from processor is slower but larger. This leads to a fundamental property of modern processors: {\em the latency of accessing data in different cache levels and in main memory is different}. As a result, the timing of memory operations when fetching data from different cache levels, e.g., the timing of fetching data from closest-to-processor L1 cache vs. from main memory, can reveal secret-dependent information if attacker is able to observe the timing of these accesses and correlate them to the operation of the victim\u27s code. Further, due to limited size of the caches, memory accesses by a victim may displace attacker\u27s data from the cache, and with knowledge, or reverse-engineering, of the cache architecture, the attacker can learn some information about victim\u27s data based on the modifications to the state of the cache -- which can be observed by the timing~measurements. Caches are not only structures in the processor that can suffer from security vulnerabilities. As an essential mechanism to achieving high performance, cache-like structures are used pervasively in various processor components, such as the translation lookaside buffer (TLB) and processor frontend. Consequently, the vulnerabilities due to timing differences of accessing data in caches or cache-like structures affect many components of the~processor. The main goal of this dissertation is the {\em design of high performance and secure computer architectures}. Since the sophisticated hardware components such as caches, TLBs, value predictors, and processor frontend are critical to ensure high performance, realizing this goal requires developing fundamental techniques to guarantee security in the presence of timing differences of different processor operations. Furthermore, effective defence mechanisms can be only developed after developing a formal and systematic understanding of all the possible attacks that timing side-channels can lead to. To realize the research goals, the main main contributions of this dissertation~are: \begin{itemize}[noitemsep] \item Design and evaluation of a novel three-step cache timing model to understand theoretical vulnerabilities in caches \item Development of a benchmark suite that can test if processor caches or secure cache designs are vulnerable to certain theoretical vulnerabilities. \item Development of a timing vulnerability model to test TLBs and design of hardware defenses for the TLBs to address newly found vulnerabilities. \item Analysis of value predictor attacks and design of defenses for value predictors. \item Evaluation of vulnerabilities in processor frontends based on timing differences in the operation of the frontends. \item Development of a design-time security verification framework for secure processor architectures, using information flow tracking methods. \end{itemize} \newpage This dissertation combines the theoretical modeling and practical benchmarking analysis to help evaluate susceptibility of different architectures and microarchitectures to timing attacks on caches, TLBs, value predictors and processor frontend. Although cache timing side-channel attacks have been studied for more than a decade, there is no evidence that the previously-known attacks exhaustively cover all possible attacks. One of the initial research directions covered by this dissertation was to develop a model for cache timing attacks, which can help lead towards discovering all possible cache timing attacks. The proposed three-step cache timing vulnerability model provides a means to enumerate all possible interactions between the victim and attacker who are sharing a cache-like structure, producing the complete set of theoretical timing vulnerabilities. This dissertation also covers new theoretical cache timing attacks that are unknown prior to being found by the model. To make the advances in security not only theoretical, this dissertation also covers design of a benchmarking suite that runs on commodity processors and helps evaluate their cache\u27s susceptibility to attacks, as well as can run on simulators to test potential or future cache designs. As the dissertation later demonstrates, the three-step timing vulnerability model can be naturally applied to any cache-like structures such as TLBs, and the dissertation encompasses a three-step model for TLBs, uncovering of theoretical new TLB attacks, and proposals for defenses. Building on success of analyzing caches and TLBs for new timing attacks, this dissertation then discusses follow-on research on evaluation and uncovering of new timing vulnerabilities in processor frontends. Since security analysis should be applied not just to existing processor microarchitectural features, the dissertation further analyzes possible future features such as value predictors. Although not currently in use, value predictors are actively being researched and proposed for addition into future microarchitectures. This dissertation shows, however, that they are vulnerable to attacks. Lastly, based on findings of the security issues with existing and proposed processor features, this dissertation explores how to better design secure processors from ground up, and presents a design-time security verification framework for secure processor architectures, using information flow tracking methods

Analysis of Secure Caches using a Three-Step Model for Timing-Based Attacks

Many secure cache designs have been proposed in literature with the aim of mitigating different types of cache timing-based attacks. However, there has so far been no systematic analysis of how these secure cache designs can, or cannot, protect against different types of the timing-based attacks. To provide a means of analyzing the caches, this paper presents a novel three-step modeling approach that is used to exhaustively enumerate all the possible cache timing-based vulnerabilities. The model covers not only attacks that leverage cache accesses or flushes from the local processor core, but also attacks that leverage changes in the cache state due to the cache coherence protocol actions from remote cores. Moreover, both conventional attacks and speculative execution attacks are considered. With the list of all possible cache timing vulnerabilities derived from the three-step model, this work further manually analyzes each of the existing secure cache designs to show which types of timing-based side-channel vulnerabilities each secure cache can mitigate. Based on the security analysis of the existing secure cache designs using the new three-step model, this paper further summarizes different techniques gleaned from the secure cache designs and their ability help mitigate different types of cache timing-based vulnerabilities

Pre-Trained Language Models Augmented with Synthetic Scanpaths for Natural Language Understanding

Human gaze data offer cognitive information that reflects natural language comprehension. Indeed, augmenting language models with human scanpaths has proven beneficial for a range of NLP tasks, including language understanding. However, the applicability of this approach is hampered because the abundance of text corpora is contrasted by a scarcity of gaze data. Although models for the generation of human-like scanpaths during reading have been developed, the potential of synthetic gaze data across NLP tasks remains largely unexplored. We develop a model that integrates synthetic scanpath generation with a scanpath-augmented language model, eliminating the need for human gaze data. Since the model's error gradient can be propagated throughout all parts of the model, the scanpath generator can be fine-tuned to downstream tasks. We find that the proposed model not only outperforms the underlying language model, but achieves a performance that is comparable to a language model augmented with real human gaze data. Our code is publicly available.Comment: Pre-print for EMNLP 202

Eyettention: An Attention-based Dual-Sequence Model for Predicting Human Scanpaths during Reading

Eye movements during reading offer insights into both the reader's cognitive processes and the characteristics of the text that is being read. Hence, the analysis of scanpaths in reading have attracted increasing attention across fields, ranging from cognitive science over linguistics to computer science. In particular, eye-tracking-while-reading data has been argued to bear the potential to make machine-learning-based language models exhibit a more human-like linguistic behavior. However, one of the main challenges in modeling human scanpaths in reading is their dual-sequence nature: the words are ordered following the grammatical rules of the language, whereas the fixations are chronologically ordered. As humans do not strictly read from left-to-right, but rather skip or refixate words and regress to previous words, the alignment of the linguistic and the temporal sequence is non-trivial. In this paper, we develop Eyettention, the first dual-sequence model that simultaneously processes the sequence of words and the chronological sequence of fixations. The alignment of the two sequences is achieved by a cross-sequence attention mechanism. We show that Eyettention outperforms state-of-the-art models in predicting scanpaths. We provide an extensive within- and across-data set evaluation on different languages. An ablation study and qualitative analysis support an in-depth understanding of the model's behavior

Case Report: Isolated facial and trigeminal nerve palsy without ataxia in anti-GQ1b antibody syndrome secondary to Mycoplasma pneumonia

The presence of anti-GQ1b antibodies in serum or cerebrospinal fluid is a diagnostic indicator of the Miller–Fisher variant of Guillain–Barré syndrome (GBS), whereas anti-GQ1b antibody syndrome is rarely presented as acute bilateral pain in the cheeks and masticatory muscle fatigue without ophthalmoplegia, ataxia, or limb weakness. Here, we report a case of a female patient diagnosed with GBS characterized only by the involvement of the facial and trigeminal nerves who was positive for serum anti-GQ1b antibodies secondary to Mycoplasma pneumoniae infection. The patient was treated with macrolide antibiotics and neurotrophic drugs, and her symptoms were significantly alleviated after 1 month. This case indicates a new clinical presentation of GBS and anti-GQ1b antibody syndrome with a differential diagnosis of multiple cranial nerve damage of which neurological physicians should be aware. Positive anti-GQ1b antibodies secondary to infection were observed in this case, and antibiotic treatment resulted in a favorable prognosis. The specific underlying mechanism requires further investigation

Metabolic health phenotype better predicts subclinical atherosclerosis than body mass index-based obesity phenotype in the non-alcoholic fatty liver disease population

BackgroundNon-alcoholic fatty liver disease (NAFLD), especially lean NAFLD is associated with an increased risk of atherosclerotic cardiovascular disease (CVD). It is not currently known which clinical phenotypes of NAFLD contribute most to individual subclinical atherosclerosis risk. We examined the relationship between body mass index (BMI), the metabolically healthy status, and subclinical atherosclerosis in the NAFLD population.MethodsData from asymptomatic NAFLD subjects who participated in a routine health check-up examination were collected. Participants were stratified by BMI (cutoff values: 24.0–27.9 kg/m2 for overweight and ≥28.0 kg/m2 for obesity) and metabolic status, which was defined by Adult Treatment Panel III criteria. Subclinical atherosclerosis was evaluated by brachial-ankle pulse wave velocity (baPWV) in 27,738 participants and by carotid plaque in 14,323 participants.ResultsWithin each BMI strata, metabolically unhealthy subjects had a significantly higher prevalence of subclinical atherosclerosis than metabolically healthy subjects, whereas fewer differences were observed across subjects within the same metabolic category. When BMI and metabolic status were assessed together, a metabolically unhealthy status was the main contributor to the association of clinical phenotypes with the subclinical atherosclerosis burden (all p < 0.001). When BMI and metabolic abnormalities were assessed separately, the incidence of subclinical disease did not increase across BMI categories; however, it increased with an increase in the number of metabolic abnormalities (0, 1, 2 and ≥3).ConclusionA metabolically healthy status in NAFLD patients was closely correlated with subclinical atherosclerosis, beyond that of the BMI-based obesity phenotype. The application of metabolic phenotyping strategies could enable more precise classification in evaluating cardiovascular risk in NAFLD

Clinical Characteristics and Short-Term Prognosis of Autoimmune Encephalitis: A Single-Center Cohort Study in Changsha, China

Background and Purpose: The incidence and prevalence of autoimmune encephalitis is gradually increasing. This retrospective observational study primarily aimed to analyze the clinical characteristics of autoimmune encephalitis patients in the Second Xiangya Hospital and report patient prognoses after immunotherapy.Methods: The clinical data of 86 patients who were diagnosed with autoimmune encephalitis from October 2014 to September 2018 were collected, and their corresponding clinical characteristics, laboratory examination, treatment, and outcome data analyzed.Results: In our study, 72 patients (83.7%) were positive for anti-NMDAR (N-methyl-D-aspartate receptor) antibody; 5 patients (6%) for anti-GABABR (γ-aminobutyric acid receptor-A); 4 patients (4.7%) for anti-LGI1 (leucine-rich, glioma inactivated 1); 3 patients (3.5%) for anti-Caspr2 (contactin-associated protein-like 2) (1 patient was positive for both anti-LGI1 and anti-Caspr2 antibodies); and 3 patients (3.5%) for onconeural antibodies. Among the 86 patients diagnosed as having autoimmune encephalitis, 50% showed acute disease onset (≤2 weeks). The most common inducing factor was fever or cold (17/86, 19.8%). The main clinical symptoms included, among others, psychiatric disturbances (82.5%), epilepsy (60.5%), autonomic dysfunction (58.1%), sleep disorders (45.3%), consciousness disorders (45.3%), and speech disorders (46.5%). No significant correlation between ICU admission rates and CSF or serum antibody scores was observed. However, CSF antibody scores of (+ + +) and (++) were associated with longer lengths of hospitalization (p < 0.05) and a higher CSF WBC count when compared with CSF antibody scores of (+) in patients with anti-NMDAR encephalitis (p < 0.05). Additionally, there was no significant correlation between mRS score difference on admission and discharge (after immunotherapy) and age, sex, and choice of immune treatment, while immune therapy taken within 15 days from onset was more inclined to be associated with an mRS score difference ≥2 after immunotherapy in patients with anti-NMDAR encephalitis (p = 0.006).Conclusions: Autoimmune encephalitis has an acute or sub-acute onset and presents with psychotic symptoms, epilepsy, and autonomic dysfunction. The sex ratio in anti-NMDAR encephalitis was nearly balanced. Infection was a major factor inducing anti-NMDAR encephalitis, and the CSF antibody scores could be helpful in determining its prognosis since these scores showed associations with hospitalization duration and CSF WBC counts

Survey of Approaches and Techniques for Security Verification of Computer Systems

This paper surveys the landscape of security verification approaches and techniques for computer systems at various levels: from a software-application level all the way to the physical hardware level. Different existing projects are compared, based on the tools used and security aspects being examined. Since many systems require both hardware and software components to work together to provide the system\u27s promised security protections, it is not sufficient to verify just the software levels or just the hardware levels in a mutually exclusive fashion. This survey especially highlights system levels that are verified by the different existing projects and presents to the readers the state of the art in hardware and software system security verification. Few approaches come close to providing full-system verification, and there is still much room for improvement

Prevalence and Characterization of Staphylococcus aureus Isolated From Women and Children in Guangzhou, China

The prevalent Staphylococcus aureus clones and antibiotic susceptibility profiles are known to change dynamically and geographically; however, recent S. aureus strains causing infections in women and children in China have not been characterized. In this study, we analyzed the molecular epidemiology and antimicrobial resistance of S. aureus isolated from patients in four centers for women and children in Guangzhou, China. In total, 131 S. aureus isolates (100 from children and 31 from women) were analyzed by spa typing, multi-locus sequence typing, virulence gene and antimicrobial resistance profiling, staphylococcal chromosomal cassette mec typing, and mutation analyses of rpoB. A total of 58 spa types, 27 sequence types (STs), and 10 clonal complexes (CCs) were identified. While CC59 (ST59-IV, 48.8%; ST338-III, 35.7%) and CC45 (ST45-IV, 100%) were the major clones (84.4%) among MRSA isolates, CC5 (ST188, 24.3%; ST1, 21.6%) and CC398 (ST398, 70%) were the major ones (70.1%) among MSSA isolates. ST338-MRSA-III mostly found in pus but hardly in respiratory tract samples while ST45-MRSA-IV was on the opposite, even though they both found in blood and cerebrospinal fluid sample frequently. Staphylococcal enterotoxin genes seb-seq-sek were strongly associated with ST59 and ST338, while sec was associated with ST45, ST121, ST22, and ST30. All ST338, ST1232, and SCCmec III isolates carried lukF/S-PV genes. A total of 80% of ST338 isolates were resistant to erythromycin, clindamycin, and tetracycline. All ST45 isolates exhibited intermediate or complete resistance to rifampicin. In total, 481 HIS/ASN mutations in rpoB were found in rifampicin-resistant or intermediate-resistant isolates. ST338-III and ST45-IV emerged as two of three major clones in MRSA isolates from women and children in Guangzhou, China, though ST59-MRSA-IV remained the most prevalent MRSA clone. Clonal distribution of S. aureus varied, depending on the specimen source. Virulence genes and antibiograms were closely associated with the clonal lineage. These results clarified the molecular epidemiology of S. aureus from women and children in Guangzhou, China, and provide critical information for the control and treatment of S. aureus infections

The origin of human pathogenicity and biological interactions in Chaetothyriales

Fungi in the order Chaetothyriales are renowned for their ability to cause human infections. Nevertheless, they are not regarded as primary pathogens, but rather as opportunists with a natural habitat in the environment. Extremotolerance is a major trend in the order, but quite diferent from black yeasts in Capnodiales which focus on endurance, an important additional parameter is advancing toxin management. In the ancestral ecology of rock colonization, the association with metabolite-producing lichens is signifcant. Ant-association, dealing with pheromones and repellents, is another mainstay in the order. The phylogenetically derived family, Herpotrichiellaceae, shows dual ecology in monoaromatic hydrocarbon assimilation and the ability to cause disease in humans and cold-blooded vertebrates. In this study, data on ecology, phylogeny, and genomics were collected and analyzed in order to support this hypothesis on the evolutionary route of the species of Chaetothyriales. Comparing the ribosomal tree with that of enzymes involved in toluene degradation, a signifcant expansion of cytochromes is observed and the toluene catabolism is found to be complete in some of the Herpotrichiellaceae. This might enhance human systemic infection. However, since most species have to be traumatically inoculated in order to cause disease, their invasive potential is categorized as opportunism. Only in chromoblastomycosis, true pathogenicity might be surmised. The criterion would be the possible escape of agents of vertebrate disease from the host, enabling dispersal of adapted genotypes to subsequent generations.info:eu-repo/semantics/publishedVersio