Abstract
Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Microarchitectural attacks leak this data (side channels) or exploit physical imperfections to take control of the entire system (fault attacks). In my thesis (D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017), I improved over state of the art in microarchitectural attacks and defenses in three dimensions. I cover these briefly in this summary. First, I show that attacks can be fully automated. Second, I present several novel previously unknown side channels. Third, I show that attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites, and on any computer system including smartphones, tablets, personal computers, and commercial cloud systems. These results formed one of the corner stones for attacks like Meltdown (M. Lipp et al. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018) and Spectre (P. Kocher et al. Spectre attacks: Exploiting speculative execution. In S&P, 2019) which were discovered months after the thesis was concluded.
About the author
Daniel Gruss studied Computer Science at Graz University of Technology. In 2017, he finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.
References
1. D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017.Search in Google Scholar
2. D. Gruss, D. Bidner, and S. Mangard. Practical memory deduplication attacks in sandboxed JavaScript. In ESORICS, 2015.10.1007/978-3-319-24174-6_6Search in Google Scholar
3. D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In USENIX Security Symposium, 2017.Search in Google Scholar
4. D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. Kaslr is dead: Long live kaslr. In ESSoS, 2017.10.1007/978-3-319-62105-0_11Search in Google Scholar
5. D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In CCS, 2016.10.1145/2976749.2978356Search in Google Scholar
6. D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In DIMVA, 2016.10.1007/978-3-319-40667-1_15Search in Google Scholar
7. D. Gruss, C. Maurice, K. Wagner, and S. Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In DIMVA, 2016.10.1007/978-3-319-40667-1_14Search in Google Scholar
8. D. Gruss, R. Spreitzer, and S. Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium, 2015.Search in Google Scholar
9. R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks against Kernel Space ASLR. In S&P, 2013.10.1109/SP.2013.23Search in Google Scholar
10. N. Karimi, A. K. Kanuparthi, X. Wang, O. Sinanoglu, and R. Karri. Magic: Malicious aging in circuits/cores. ACM Transactions on Architecture and Code Optimization (TACO), 12(1), 2015.10.1145/2724718Search in Google Scholar
11. Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ISCA, 2014.10.1109/ISCA.2014.6853210Search in Google Scholar
12. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre attacks: Exploiting speculative execution. In S&P, 2019.10.1109/SP.2019.00002Search in Google Scholar
13. P. C. Kocher. Timing Attacks on Implementations of Diffe-Hellman, RSA, DSS, and Other Systems. In Crypto, 1996.10.1007/3-540-68697-5_9Search in Google Scholar
14. M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard, ARMageddon: Cache Attacks on Mobile Devices. In USENIX Security Symposium, 2016.Search in Google Scholar
15. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018.Search in Google Scholar
16. C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. Alberto Boano, S. Mangard, and K. Römer. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In NDSS, 2017.10.14722/ndss.2017.23294Search in Google Scholar
17. Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In CCS, 2015.10.1145/2810103.2813708Search in Google Scholar
18. D. A. Osvik, A. Shamir, and E. Tromer. Cache Attacks and Countermeasures: the Case of AES. In CT-RSA, 2006.10.1007/11605805_1Search in Google Scholar
19. P. Pessl, D. Gruss, C. Maurice, M. Schwarz, and S. Mangard. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In USENIX Security Symposium, 2016.Search in Google Scholar
20. K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giuffrida, and H. Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security Symposium, 2016.Search in Google Scholar
21. M. Schwarz, D. Gruss, S. Weiser, C. Maurice, and S. Mangard. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In DIMVA, 2017.10.1007/978-3-319-60876-1_1Search in Google Scholar
22. M. Schwarz, C. Maurice, D. Gruss, and S. Mangard. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In FC, 2017.10.1007/978-3-319-70972-7_13Search in Google Scholar
23. M. Seaborn and T. Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges. In Black Hat Briefings, 2015.Search in Google Scholar
24. K. Suzaki, K. Iijima, T. Yagi, and C. Artho. Memory Deduplication as a Threat to the Guest OS. In EuroSec, 2011.10.1145/1972551.1972552Search in Google Scholar
25. V. van der Veen, Y. Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In CCS, 2016.Search in Google Scholar
26. Y. Yarom and K. Falkner. Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium, 2014.Search in Google Scholar
27. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-Tenant Side-Channel Attacks in PaaS Clouds. In CCS, 2014.10.1145/2660267.2660356Search in Google Scholar
© 2018 Walter de Gruyter GmbH, Berlin/Boston
