Presented at
Black Hat Asia 2020 Virtual,
Oct. 1, 2020, 2:20 p.m.
(40 minutes).
In recent years, we have seen that optimizations in processors often enable new microarchitectural side channels. The severity of side-channel attacks varies widely, from small annoyances for which developers have to introduce workarounds in software, to highly critical attacks leaking arbitrary memory contents. While new attacks pop up regularly, finding defenses is not a trivial task.<br />
<br />
In this talk, we first briefly overview the state of the art of microarchitectural attacks and defenses. We then assume that we have a futuristic CPU which magically hides all microarchitectural side effects, rendering all known attacks useless. Even in this thought experiment, we show that such attacks are not dead. In fact, we present ways of mounting well-known microarchitectural attacks without relying on any hardware effects, making these attacks hardware agnostic.<br />
<br />
We show that attack primitives exploiting the hardware can be shifted to the software level, making these attacks easier to mount and independent of the CPU. The attacks that we present work on Windows, Linux, and Android, both on x86 and ARM processors. We show that we can build a high-speed covert channel, break ASLR on Windows 10, leak highly sensitive information for targeted extortion and spam campaigns, and respond to system activity with UI redressing attacks. We demo an attack on the generation of temporary passwords on vulnerable cryptographic implementations.<br />
<br />
The CVE for this vulnerability is CVE-2019-5489.
Presenters:
-
Trishita Tiwari
- PhD Student, Cornell University
Trishita Tiwari is PhD student at Cornell University working on micro-architechtural security with Prof. Edward Suh. She just received her bachelors from Boston University where she was a Trustee Scholar, and graduated Summa Cum Laude in May 2019. There, she was a part of NISLab, where she worked with Prof. Ari Trachtenberg on various aspects of Cyber Security. Her recent research involved cache-based side-channel attacks, finding malicious uses of the Alt-Svc HTTP header (undergraduate thesis), and attacks on the Network Time Protocol (NTP). Her previous work included exploiting network side-channels on Android, creating a distributed web miner for Ethereum, and detecting anomalies to identify compromised VMs in the cloud. Till now, she has had her undergraduate work, including various first author publications, at conferences and workshops at IEEE Big Data 17, CSCML 18, ACM CCS'18, IEEE CNS 19, USENIX WOOT'19, and ACM CCS'19.
-
Michael Schwarz
- InfoSec Researcher, CISPA Helmholtz Center for Information Security
<span>Michael Schwarz is a tenure-track faculty at the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany, with a focus on microarchitectural side-channel attacks and system security. He obtained his PhD with the title "Software-based Side-Channel Attacks and Defenses in Restricted Environments" in 2019 from Graz University of Technology (advised by Daniel Gruss). He holds two master's degrees, one in computer science and one in software engineering with a strong focus on security. He is a regular speaker at both academic and hacker conferences (Black Hat, CCC, Blue Hat, etc.). He was part of one of the research teams that found the Meltdown, Spectre, Fallout, and LVI vulnerabilities, as well as the ZombieLoad vulnerability. He was also part of the KAISER patch, the basis for Meltdown countermeasures now deployed in every modern operating system under names such as KPTI or KVA Shadow.</span>
-
Erik Kraft
- InfoSec Student, Graz University of Technology
<div>Erik Kraft is a master's student in Information and Computer Engineering at Graz University of Technology focusing on secure and correct systems. Besides his studies, he works as a freelancer on IoT security projects. In the past, he has been invited to teach computer science courses on undergraduate level. He was a speaker at RuhrSec 2019, where he presented his research on software-based side channels.</div>
-
Daniel Gruss
- InfoSec Professor, Graz University of Technology
Daniel Gruss (@lavados) is an Assistant Professor at Graz University
of Technology. He finished his PhD with distinction in less than 3
years. He has been involved in teaching operating system undergraduate
courses since 2010. Daniel's research focuses on side channels and
transient execution attacks. He implemented the first remote fault
attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.
Links:
Similar Presentations: