Jump to ContentJump to Main Navigation
Show Summary Details
More options …

it - Information Technology

Methods and Applications of Informatics and Information Technology

Editor-in-Chief: Conrad, Stefan / Molitor, Paul

6 Issues per year

See all formats and pricing
More options …
Volume 60, Issue 5-6


Software-based microarchitectural attacks

Daniel Gruss
  • Corresponding author
  • Graz University of Technology, Institute of Applied Information Processing and Communications, Inffeldgasse 16a, 8010 Graz, Austria
  • Email
  • Other articles by this author:
  • De Gruyter OnlineGoogle Scholar
Published Online: 2018-11-20 | DOI: https://doi.org/10.1515/itit-2018-0034


Modern processors are highly optimized systems where every single cycle of computation time matters. Many optimizations depend on the data that is being processed. Microarchitectural attacks leak this data (side channels) or exploit physical imperfections to take control of the entire system (fault attacks). In my thesis (D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017), I improved over state of the art in microarchitectural attacks and defenses in three dimensions. I cover these briefly in this summary. First, I show that attacks can be fully automated. Second, I present several novel previously unknown side channels. Third, I show that attacks can be mounted in highly restricted environments such as sandboxed JavaScript code in websites, and on any computer system including smartphones, tablets, personal computers, and commercial cloud systems. These results formed one of the corner stones for attacks like Meltdown (M. Lipp et al. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018) and Spectre (P. Kocher et al. Spectre attacks: Exploiting speculative execution. In S&P, 2019) which were discovered months after the thesis was concluded.

Keywords: Side-Channel Attacks; Operating Systems Security

ACM CCS: Security and privacyOperating systems security


  • 1.

    D. Gruss. Software-based Microarchitectural Attacks. PhD thesis, Graz University of Technology, 2017.Google Scholar

  • 2.

    D. Gruss, D. Bidner, and S. Mangard. Practical memory deduplication attacks in sandboxed JavaScript. In ESORICS, 2015.Google Scholar

  • 3.

    D. Gruss, J. Lettner, F. Schuster, O. Ohrimenko, I. Haller, and M. Costa. Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory. In USENIX Security Symposium, 2017.Google Scholar

  • 4.

    D. Gruss, M. Lipp, M. Schwarz, R. Fellner, C. Maurice, and S. Mangard. Kaslr is dead: Long live kaslr. In ESSoS, 2017.Google Scholar

  • 5.

    D. Gruss, C. Maurice, A. Fogh, M. Lipp, and S. Mangard. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In CCS, 2016.Google Scholar

  • 6.

    D. Gruss, C. Maurice, and S. Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In DIMVA, 2016.Google Scholar

  • 7.

    D. Gruss, C. Maurice, K. Wagner, and S. Mangard. Flush+Flush: A Fast and Stealthy Cache Attack. In DIMVA, 2016.Google Scholar

  • 8.

    D. Gruss, R. Spreitzer, and S. Mangard. Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches. In USENIX Security Symposium, 2015.Google Scholar

  • 9.

    R. Hund, C. Willems, and T. Holz. Practical Timing Side Channel Attacks against Kernel Space ASLR. In S&P, 2013.Google Scholar

  • 10.

    N. Karimi, A. K. Kanuparthi, X. Wang, O. Sinanoglu, and R. Karri. Magic: Malicious aging in circuits/cores. ACM Transactions on Architecture and Code Optimization (TACO), 12(1), 2015.Google Scholar

  • 11.

    Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In ISCA, 2014.Google Scholar

  • 12.

    P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre attacks: Exploiting speculative execution. In S&P, 2019.Google Scholar

  • 13.

    P. C. Kocher. Timing Attacks on Implementations of Diffe-Hellman, RSA, DSS, and Other Systems. In Crypto, 1996.Google Scholar

  • 14.

    M. Lipp, D. Gruss, R. Spreitzer, C. Maurice, and S. Mangard, ARMageddon: Cache Attacks on Mobile Devices. In USENIX Security Symposium, 2016.Google Scholar

  • 15.

    M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown: Reading kernel memory from user space. In USENIX Security Symposium, 2018.Google Scholar

  • 16.

    C. Maurice, M. Weber, M. Schwarz, L. Giner, D. Gruss, C. Alberto Boano, S. Mangard, and K. Römer. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. In NDSS, 2017.Google Scholar

  • 17.

    Y. Oren, V. P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In CCS, 2015.Google Scholar

  • 18.

    D. A. Osvik, A. Shamir, and E. Tromer. Cache Attacks and Countermeasures: the Case of AES. In CT-RSA, 2006.Google Scholar

  • 19.

    P. Pessl, D. Gruss, C. Maurice, M. Schwarz, and S. Mangard. DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks. In USENIX Security Symposium, 2016.Google Scholar

  • 20.

    K. Razavi, B. Gras, E. Bosman, B. Preneel, C. Giuffrida, and H. Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security Symposium, 2016.Google Scholar

  • 21.

    M. Schwarz, D. Gruss, S. Weiser, C. Maurice, and S. Mangard. Malware Guard Extension: Using SGX to Conceal Cache Attacks. In DIMVA, 2017.Google Scholar

  • 22.

    M. Schwarz, C. Maurice, D. Gruss, and S. Mangard. Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript. In FC, 2017.

  • 23.

    M. Seaborn and T. Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges. In Black Hat Briefings, 2015.Google Scholar

  • 24.

    K. Suzaki, K. Iijima, T. Yagi, and C. Artho. Memory Deduplication as a Threat to the Guest OS. In EuroSec, 2011.Google Scholar

  • 25.

    V. van der Veen, Y. Fratantonio, M. Lindorfer, D. Gruss, C. Maurice, G. Vigna, H. Bos, K. Razavi, and C. Giuffrida. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. In CCS, 2016.Google Scholar

  • 26.

    Y. Yarom and K. Falkner. Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack. In USENIX Security Symposium, 2014.Google Scholar

  • 27.

    Y. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart. Cross-Tenant Side-Channel Attacks in PaaS Clouds. In CCS, 2014.Google Scholar

About the article

Daniel Gruss

Daniel Gruss studied Computer Science at Graz University of Technology. In 2017, he finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel’s research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating systems. He implemented the first remote fault attack running in a website, known as Rowhammer.js. He frequently speaks at top international venues, such as Black Hat, Usenix Security, IEEE S&P, ACM CCS, Chaos Communication Congress, and others. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018.

Received: 2018-11-11

Accepted: 2018-11-11

Published Online: 2018-11-20

Published in Print: 2018-12-19

Citation Information: it - Information Technology, Volume 60, Issue 5-6, Pages 335–341, ISSN (Online) 2196-7032, ISSN (Print) 1611-2776, DOI: https://doi.org/10.1515/itit-2018-0034.

Export Citation

© 2018 Walter de Gruyter GmbH, Berlin/Boston.Get Permission

Comments (0)

Please log in or register to comment.
Log in