Practical Enclave Malware with Intel SGX
Modern CPU architectures offer strong isolation guarantees towards user
applications in the form of enclaves. For instance, Intel's threat model for
SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether
this threat model is realistic. In particular, it is unclear to what extent
enclave malware could harm a system. In this work, we practically demonstrate
the first enclave malware which fully and stealthily impersonates its host
application. Together with poorly-deployed application isolation on personal
computers, such malware can not only steal or encrypt documents for extortion,
but also act on the user's behalf, e.g., sending phishing emails or mounting
denial-of-service attacks. Our SGX-ROP attack uses a new TSX-based
memory-disclosure primitive and a write-anything-anywhere primitive to
construct a code-reuse attack from within an enclave which is then
inadvertently executed by the host application. With SGX-ROP, we bypass ASLR,
stack canaries, and address sanitizer. We demonstrate that instead of
protecting users from harm, SGX currently poses a security threat, facilitating
so-called super-malware with ready-to-hit exploits. With our results, we seek
to demystify the enclave malware threat and lay solid ground for future
research on and defense against enclave malware.
Graphene deflectometry for sensing molecular processes at the nanoscale
Single-molecule sensing is at the core of modern biophysics and nanoscale
science, from revolutionizing healthcare through rapid, low-cost sequencing to
understanding various physical, chemical, and biological processes at their
most basic level. However, important processes at the molecular scale are often
too fast for the detection bandwidth or otherwise outside the detection
sensitivity. Moreover, most envisioned biophysical applications are at room
temperature, which further limits detection due to significant thermal noise.
Here, we theoretically demonstrate reliable transduction of forces into
electronic currents via locally suspended graphene nanoribbons subject to
ultra-low flexural deflection. The decay of electronic couplings with distance
magnifies the effect of the deflection, giving rise to measurable electronic
current changes even in aqueous solution. Due to thermal fluctuations, the
characteristic charge carrier transmission peak follows a generalized Voigt
profile, behavior which is reflected in the optimized sensor. The intrinsic
sensitivity is less than 7 fN/, allowing for the detection
of ultra-weak and fast processes at room temperature. Graphene deflectometry
thus presents new opportunities in the sensing and detection of molecular-scale
processes, from ion dynamics to DNA sequencing and protein folding, in their
native environment.
Relaxation-limited electronic currents in extended reservoir simulations
Open-system approaches are gaining traction in the simulation of charge
transport in nanoscale and molecular electronic devices. In particular,
"extended reservoir" simulations, where explicit reservoir degrees of freedom
are present, allow for the computation of both real-time and steady-state
properties but require relaxation of the extended reservoirs. The strength of
this relaxation, , influences the conductance, giving rise to a
"turnover" behavior analogous to Kramers' turnover in chemical reaction rates.
We derive explicit, general expressions for the weak and strong relaxation
limits. For weak relaxation, the conductance increases linearly with
and every electronic state of the total explicit system contributes to the
electronic current according to its "reduced" weight in the two extended
reservoir regions. Essentially, this represents two conductors in series -- one
at each interface with the implicit reservoirs that provide the relaxation. For
strong relaxation, a "dual" expression -- one with the same functional form --
results, except now proportional to and dependent on the system of
interest's electronic states, reflecting that the strong relaxation is
localizing electrons in the extended reservoirs. Higher order behavior (e.g.,
or ) can occur when there is a gap in the frequency
spectrum. Moreover, inhomogeneity in the frequency spacing can give rise to a
pseudo-plateau regime. These findings yield a physically motivated approach to
diagnosing numerical simulations and understanding the influence of relaxation,
and we examine their occurrence in both simple models and a realistic,
fluctuating graphene nanoribbon.
Comment: 6 pages, 3 figures
Landauer's formula with finite-time relaxation: Kramers' crossover in electronic transport
Landauer's formula is the standard theoretical tool to examine ballistic
transport in nano- and meso-scale junctions, but it necessitates that any
variation of the junction with time must be slow compared to characteristic
times of the system, e.g., the relaxation time of local excitations. Transport
through structurally dynamic junctions is, however, increasingly of interest
for sensing, harnessing fluctuations, and real-time control. Here, we calculate
the steady-state current when relaxation of electrons in the reservoirs is
present and demonstrate that it gives rise to three regimes of behavior: weak
relaxation gives a contact-limited current; strong relaxation localizes
electrons, distorting their natural dynamics and reducing the current; and in
an intermediate regime the Landauer view of the system alone is recovered. We
also demonstrate that a simple equation of motion emerges, which is suitable
for efficiently simulating time-dependent transport.
Comment: 16 pages, 5 figures
Master Equations for Electron Transport: The Limits of the Markovian Limit
Master equations are increasingly popular for the simulation of
time-dependent electronic transport in nanoscale devices. Several recent
Markovian approaches use "extended reservoirs" - explicit degrees of freedom
associated with the electrodes - distinguishing them from many previous classes
of master equations. Starting from a Lindblad equation, we develop a common
foundation for these approaches. Due to the incorporation of explicit electrode
states, these methods do not require a large bias or even "true Markovianity"
of the reservoirs. Nonetheless, their predictions are only physically relevant
when the Markovian relaxation is weaker than the thermal broadening and when
the extended reservoirs are "sufficiently large," in a sense that we quantify.
These considerations hold despite complete positivity and respect for Pauli
exclusion at any relaxation strength.
Comment: Accepted version. To appear in The Journal of Chemical Physics
Software-based Microarchitectural Attacks
Modern processors are highly optimized systems where every single cycle of
computation time matters. Many optimizations depend on the data that is being
processed. Software-based microarchitectural attacks exploit effects of these
optimizations. Microarchitectural side-channel attacks leak secrets from
cryptographic computations, from general purpose computations, or from the
kernel. This leakage even persists across all common isolation boundaries, such
as processes, containers, and virtual machines. Microarchitectural fault
attacks exploit the physical imperfections of modern computer systems.
Shrinking process technology introduces effects between isolated hardware
elements that can be exploited by attackers to take control of the entire
system. These attacks are especially interesting in scenarios where the
attacker is unprivileged or even sandboxed.
In this thesis, we focus on microarchitectural attacks and defenses on
commodity systems. We investigate known and new side channels and show that
microarchitectural attacks can be fully automated. Furthermore, we show that
these attacks can be mounted in highly restricted environments such as
sandboxed JavaScript code in websites. We show that microarchitectural attacks
exist on any modern computer system, including mobile devices (e.g.,
smartphones), personal computers, and commercial cloud systems. This thesis
consists of two parts. In the first part, we provide background on modern
processor architectures and discuss state-of-the-art attacks and defenses in
the area of microarchitectural side-channel attacks and microarchitectural
fault attacks. In the second part, a selection of our papers is provided
without modification from their original publications. I have co-authored these
papers, which have subsequently been anonymously peer-reviewed, accepted, and
presented at renowned international conferences.
Comment: PhD Thesis. Graz University of Technology. June, 201
Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs (Updated and Extended Version)
Meltdown and Spectre exploit microarchitectural changes the CPU makes during
transient out-of-order execution. Using side-channel techniques, these attacks
enable leaking arbitrary data from memory. As state-of-the-art software
mitigations for Meltdown may incur significant performance overheads, they are
only seen as a temporary solution. Thus, software mitigations are disabled on
more recent processors, which are not susceptible to Meltdown anymore.
In this paper, we show that Meltdown-like attacks are still possible on
recent CPUs which are not vulnerable to the original Meltdown attack. We show
that the store buffer - a microarchitectural optimization to reduce the latency
for data stores - in combination with the TLB enables powerful attacks. We
present several ASLR-related attacks, including a KASLR break from unprivileged
applications, and breaking ASLR from JavaScript. We can also mount side-channel
attacks, breaking the atomicity of TSX, and monitoring control flow of the
kernel. Furthermore, when combined with a simple Spectre gadget, we can leak
arbitrary data from memory. Our paper shows that Meltdown-like attacks are
still possible, and software fixes are still necessary to ensure proper
isolation between the kernel and user space.
This updated extended version of the original paper includes new results and
explanations on the root cause of the vulnerability and shows how it is
different from MDS attacks like Fallout.
ARMageddon: Cache Attacks on Mobile Devices
In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing
attention among the scientific community and powerful techniques to exploit
cache side channels have been developed. However, modern smartphones use one or
more multi-core ARM CPUs that have a different cache organization and
instruction set than Intel x86 CPUs. So far, no cross-core cache attacks have
been demonstrated on non-rooted Android smartphones. In this work, we
demonstrate how to solve key challenges to perform the most powerful cross-core
cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on
non-rooted ARM-based devices without any privileges. Based on our techniques,
we demonstrate covert channels that outperform state-of-the-art covert channels
on Android by several orders of magnitude. Moreover, we present attacks to
monitor tap and swipe events as well as keystrokes, and even derive the lengths
of words entered on the touchscreen. Finally, we are the first to attack
cryptographic primitives implemented in Java. Our attacks work across CPUs and
can even monitor cache activity in the ARM TrustZone from the normal world. The
techniques we present can be used to attack hundreds of millions of Android
devices.
Comment: Original publication in the Proceedings of the 25th Annual USENIX
Security Symposium (USENIX Security 2016).
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lip
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
In cloud computing environments, multiple tenants are often co-located on the
same multi-processor system. Thus, preventing information leakage between
tenants is crucial. While the hypervisor enforces software isolation, shared
hardware, such as the CPU cache or memory bus, can leak sensitive information.
For security reasons, shared memory between tenants is typically disabled.
Furthermore, tenants often do not share a physical CPU. In this setting, cache
attacks do not work and only a slow cross-CPU covert channel over the memory
bus is known. In contrast, we demonstrate a high-speed covert channel as well
as the first side-channel attack working across processors and without any
shared memory. To build these attacks, we use the undocumented DRAM address
mappings.
We present two methods to reverse engineer the mapping of memory addresses to
DRAM channels, ranks, and banks. One uses physical probing of the memory bus,
the other runs entirely in software and is fully automated. Using this mapping,
we introduce DRAMA attacks, a novel class of attacks that exploit the DRAM row
buffer that is shared, even in multi-processor systems. Thus, our attacks work
in the most restrictive environments. First, we build a covert channel with a
capacity of up to 2 Mbps, which is three to four orders of magnitude faster
than memory-bus-based channels. Second, we build a side-channel template attack
that can automatically locate and monitor memory accesses. Third, we show how
using the DRAM mappings improves existing attacks and in particular enables
practical Rowhammer attacks on DDR4.
Comment: Original publication in the Proceedings of the 25th Annual USENIX
Security Symposium (USENIX Security 2016).
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pess
ZombieLoad: Cross-Privilege-Boundary Data Sampling
In early 2018, Meltdown first showed how to read arbitrary kernel memory from
user space by exploiting side-effects from transient instructions. While this
attack has been mitigated through stronger isolation boundaries between user
and kernel space, Meltdown inspired an entirely new class of fault-driven
transient execution attacks. Particularly, over the past year, Meltdown-type
attacks have been extended to not only leak data from the L1 cache but also
from various other microarchitectural structures, including the FPU register
file and store buffer.
In this paper, we present the ZombieLoad attack which uncovers a novel
Meltdown-type effect in the processor's previously unexplored fill-buffer
logic. Our analysis shows that faulting load instructions (i.e., loads that
have to be re-issued for either architectural or microarchitectural reasons)
may transiently dereference unauthorized destinations previously brought into
the fill buffer by the current or a sibling logical CPU. Hence, we report data
leakage of recently loaded stale values across logical cores. We demonstrate
ZombieLoad's effectiveness in a multitude of practical attack scenarios across
CPU privilege rings, OS processes, virtual machines, and SGX enclaves. We
discuss both short and long-term mitigation approaches and arrive at the
conclusion that disabling hyperthreading is the only possible workaround to
prevent this extremely powerful attack on current processors.