Secure Page Fusion with VUsion

Oliverio, Marco; Bos, Herbert; Razavi, Kaveh; Giuffrida, Cristiano

doi:10.1145/3132747.3132781

Cited by 21 publications

(15 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Computing minimal, or at least small, eviction sets provides an essential primitive for removing or placing arbitrary data in the cache, which is essential for LLC cache attacks (Prime+Probe [4], Evict+Reload [23], etc. ), for DRAM fault attacks (such as Rowhammer [24], [2], which break the separation between security domains), for memory-deduplication attacks (such as VUSION [25]), as well as for the recent Meltdown [26] and Spectre [3] attacks (which use the cache to leak data across boundaries and to increase the number of speculatively executed instructions).…”

Section: Related Workmentioning

confidence: 99%

Theory and Practice of Finding Eviction Sets

Vila

Köpf

Morales

2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Many micro-architectural attacks rely on the capability of an attacker to efficiently find small eviction sets: groups of virtual addresses that map to the same cache set. This capability has become a decisive primitive for cache sidechannel, rowhammer, and speculative execution attacks. Despite their importance, algorithms for finding small eviction sets have not been systematically studied in the literature.In this paper, we perform such a systematic study. We begin by formalizing the problem and analyzing the probability that a set of random virtual addresses is an eviction set. We then present novel algorithms, based on ideas from threshold group testing, that reduce random eviction sets to their minimal core in linear time, improving over the quadratic state-of-the-art.We complement the theoretical analysis of our algorithms with a rigorous empirical evaluation in which we identify and isolate factors that affect their reliability in practice, such as adaptive cache replacement strategies and TLB thrashing. Our results indicate that our algorithms enable finding small eviction sets much faster than before, and under conditions where this was previously deemed impractical.• We give the first formalization and analysis of the problem of finding eviction sets. We study different variants of the problem, corresponding to different goals, for example, "evicting a specific cache set", and "evicting an arbitrary cache set". For these goals, we express the probability that a set of Virtual Address Page Offset PT PD PDPT PML4 9 9 9 9 12 CR3 + Physical Address PML4E PDPTE PDE PTE

show abstract

Section: Related Workmentioning

confidence: 99%

Theory and Practice of Finding Eviction Sets

Vila

Köpf

Morales

2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…Side channels have been widely studied when implemented natively from the CPU [6], [18], [30], [35], [39], [40], [52]. In recent years, however, researchers have relaxed the threat model by demonstrating remote attacks from a malicious JavaScript-enabled website [18], [38].…”

Section: A Side-channel Attacksmentioning

confidence: 99%

Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Frigo

Giuffrida

Bos

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

102

View full text Add to dashboard Cite

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to "accelerate" microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-toend microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

show abstract

“…On the other hand, it enables different types of side-channels [21,10] that might compromise the confidentiality. Different solutions have been researched [24,14,9,16] so, depending on the adversary model of a cloud provider, memory deduplication can be used without the need to sacrifice security.…”

Section: Memory Deduplicationmentioning

confidence: 99%