
Software-based microarchitectural attacks

  • Daniel Gruss

    Daniel Gruss studied Computer Science at Graz University of Technology. In 2017, he finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.

Published/Copyright: 20 November 2018

Abstract

Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Microarchitectural attacks leak this data (side channels) or exploit physical imperfections to take control of the entire system (fault attacks). In my thesis (D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017), I improved over the state of the art in microarchitectural attacks and defenses in three dimensions. I cover these briefly in this summary. First, I show that attacks can be fully automated. Second, I present several novel, previously unknown side channels. Third, I show that attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites, and on any computer system including smartphones, tablets, personal computers, and commercial cloud systems. These results formed one of the cornerstones for attacks like Meltdown (M. Lipp et al. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018) and Spectre (P. Kocher et al. Spectre attacks: Exploiting speculative execution. In S&P, 2019), which were discovered months after the thesis was concluded.



References

1. D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017.

2. D. Gruss, D. Bidner, and S. Mangard. Practical Memory Deduplication Attacks in Sandboxed JavaScript. In ESORICS, 2015. doi:10.1007/978-3-319-24174-6_6

3. D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In USENIX Security Symposium, 2017.

4. D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. KASLR is Dead: Long Live KASLR. In ESSoS, 2017. doi:10.1007/978-3-319-62105-0_11

5. D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In CCS, 2016. doi:10.1145/2976749.2978356

6. D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In DIMVA, 2016. doi:10.1007/978-3-319-40667-1_15

7. D. Gruss, C. Maurice, K. Wagner, and S. Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In DIMVA, 2016. doi:10.1007/978-3-319-40667-1_14

8. D. Gruss, R. Spreitzer, and S. Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium, 2015.

9. R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks against Kernel Space ASLR. In S&P, 2013. doi:10.1109/SP.2013.23

10. N. Karimi, A. K. Kanuparthi, X. Wang, O. Sinanoglu, and R. Karri. MAGIC: Malicious Aging in Circuits/Cores. ACM Transactions on Architecture and Code Optimization (TACO), 12(1), 2015. doi:10.1145/2724718

11. Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. In ISCA, 2014. doi:10.1109/ISCA.2014.6853210

12. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre Attacks: Exploiting Speculative Execution. In S&P, 2019. doi:10.1109/SP.2019.00002

13. P. C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In CRYPTO, 1996. doi:10.1007/3-540-68697-5_9

14. M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard. ARMageddon: Cache Attacks on Mobile Devices. In USENIX Security Symposium, 2016.

15. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading Kernel Memory from User Space. In USENIX Security Symposium, 2018.

16. C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. Alberto Boano, S. Mangard, and K. Römer. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In NDSS, 2017. doi:10.14722/ndss.2017.23294

17. Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In CCS, 2015. doi:10.1145/2810103.2813708

18. D. A. Osvik, A. Shamir, and E. Tromer. Cache Attacks and Countermeasures: the Case of AES. In CT-RSA, 2006. doi:10.1007/11605805_1

19. P. Pessl, D. Gruss, C. Maurice, M. Schwarz, and S. Mangard. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In USENIX Security Symposium, 2016.

20. K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giuffrida, and H. Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security Symposium, 2016.

21. M. Schwarz, D. Gruss, S. Weiser, C. Maurice, and S. Mangard. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In DIMVA, 2017. doi:10.1007/978-3-319-60876-1_1

22. M. Schwarz, C. Maurice, D. Gruss, and S. Mangard. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In FC, 2017. doi:10.1007/978-3-319-70972-7_13

23. M. Seaborn and T. Dullien. Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges. In Black Hat Briefings, 2015.

24. K. Suzaki, K. Iijima, T. Yagi, and C. Artho. Memory Deduplication as a Threat to the Guest OS. In EuroSec, 2011. doi:10.1145/1972551.1972552

25. V. van der Veen, Y. Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In CCS, 2016.

26. Y. Yarom and K. Falkner. Flush+Reload: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium, 2014.

27. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-Tenant Side-Channel Attacks in PaaS Clouds. In CCS, 2014. doi:10.1145/2660267.2660356

Received: 2018-11-11
Accepted: 2018-11-11
Published Online: 2018-11-20
Published in Print: 2018-12-19

© 2018 Walter de Gruyter GmbH, Berlin/Boston

Downloaded on 20.9.2025 from https://www.degruyterbrill.com/document/doi/10.1515/itit-2018-0034/html