Skip to content
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg November 20, 2018

Software-based microarchitectural attacks

  • Daniel Gruss

    Daniel Gruss studied Computer Science at Graz University of Technology. In 2017, he finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.

    EMAIL logo

Abstract

Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Microarchitectural attacks leak this data (side channels) or exploit physical imperfections to take control of the entire system (fault attacks). In my thesis (D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017), I improved over state of the art in microarchitectural attacks and defenses in three dimensions. I cover these briefly in this summary. First, I show that attacks can be fully automated. Second, I present several novel previously unknown side channels. Third, I show that attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites, and on any computer system including smartphones, tablets, personal computers, and commercial cloud systems. These results formed one of the corner stones for attacks like Meltdown (M. Lipp et al. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018) and Spectre (P. Kocher et al. Spectre attacks: Exploiting speculative execution. In S&P, 2019) which were discovered months after the thesis was concluded.

ACM CCS:

About the author

Daniel Gruss

Daniel Gruss studied Computer Science at Graz University of Technology. In 2017, he finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.

References

1. D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017.Search in Google Scholar

2. D. Gruss, D. Bidner, and S. Mangard. Practical memory deduplication attacks in sandboxed JavaScript. In ESORICS, 2015.10.1007/978-3-319-24174-6_6Search in Google Scholar

3. D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In USENIX Security Symposium, 2017.Search in Google Scholar

4. D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. Kaslr is dead: Long live kaslr. In ESSoS, 2017.10.1007/978-3-319-62105-0_11Search in Google Scholar

5. D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In CCS, 2016.10.1145/2976749.2978356Search in Google Scholar

6. D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In DIMVA, 2016.10.1007/978-3-319-40667-1_15Search in Google Scholar

7. D. Gruss, C. Maurice, K. Wagner, and S. Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In DIMVA, 2016.10.1007/978-3-319-40667-1_14Search in Google Scholar

8. D. Gruss, R. Spreitzer, and S. Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium, 2015.Search in Google Scholar

9. R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks against Kernel Space ASLR. In S&P, 2013.10.1109/SP.2013.23Search in Google Scholar

10. N. Karimi, A. K. Kanuparthi, X. Wang, O. Sinanoglu, and R. Karri. Magic: Malicious aging in circuits/cores. ACM Transactions on Architecture and Code Optimization (TACO), 12(1), 2015.10.1145/2724718Search in Google Scholar

11. Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ISCA, 2014.10.1109/ISCA.2014.6853210Search in Google Scholar

12. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre attacks: Exploiting speculative execution. In S&P, 2019.10.1109/SP.2019.00002Search in Google Scholar

13. P. C. Kocher. Timing Attacks on Implementations of Diffe-Hellman, RSA, DSS, and Other Systems. In Crypto, 1996.10.1007/3-540-68697-5_9Search in Google Scholar

14. M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard, ARMageddon: Cache Attacks on Mobile Devices. In USENIX Security Symposium, 2016.Search in Google Scholar

15. M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018.Search in Google Scholar

16. C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. Alberto Boano, S. Mangard, and K. Römer. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In NDSS, 2017.10.14722/ndss.2017.23294Search in Google Scholar

17. Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In CCS, 2015.10.1145/2810103.2813708Search in Google Scholar

18. D. A. Osvik, A. Shamir, and E. Tromer. Cache Attacks and Countermeasures: the Case of AES. In CT-RSA, 2006.10.1007/11605805_1Search in Google Scholar

19. P. Pessl, D. Gruss, C. Maurice, M. Schwarz, and S. Mangard. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In USENIX Security Symposium, 2016.Search in Google Scholar

20. K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giuffrida, and H. Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security Symposium, 2016.Search in Google Scholar

21. M. Schwarz, D. Gruss, S. Weiser, C. Maurice, and S. Mangard. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In DIMVA, 2017.10.1007/978-3-319-60876-1_1Search in Google Scholar

22. M. Schwarz, C. Maurice, D. Gruss, and S. Mangard. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In FC, 2017.10.1007/978-3-319-70972-7_13Search in Google Scholar

23. M. Seaborn and T. Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges. In Black Hat Briefings, 2015.Search in Google Scholar

24. K. Suzaki, K. Iijima, T. Yagi, and C. Artho. Memory Deduplication as a Threat to the Guest OS. In EuroSec, 2011.10.1145/1972551.1972552Search in Google Scholar

25. V. van der Veen, Y. Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In CCS, 2016.Search in Google Scholar

26. Y. Yarom and K. Falkner. Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium, 2014.Search in Google Scholar

27. Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-Tenant Side-Channel Attacks in PaaS Clouds. In CCS, 2014.10.1145/2660267.2660356Search in Google Scholar

Received: 2018-11-11
Accepted: 2018-11-11
Published Online: 2018-11-20
Published in Print: 2018-12-19

© 2018 Walter de Gruyter GmbH, Berlin/Boston

Downloaded on 3.3.2024 from https://www.degruyter.com/document/doi/10.1515/itit-2018-0034/html
Scroll to top button