• Corpus ID: 17260866

AutoLock: Why Cache Attacks on ARM Are Harder Than You Think

@inproceedings{Green2017AutoLockWC,
  title={AutoLock: Why Cache Attacks on ARM Are Harder Than You Think},
  author={Marc Green and Leandro Rodrigues Lima and Andreas Zankl and Gorka Irazoqui Apecechea and Johann Heyszl and Thomas Eisenbarth},
  booktitle={USENIX Security Symposium},
  year={2017}
}
Attacks on the microarchitecture of modern processors have become a practical threat to security and privacy in desktop and cloud computing. Recently, cache attacks have successfully been demonstrated on ARM based mobile devices, suggesting they are as vulnerable as their desktop or server counterparts. In this work, we show that previous literature might have left an overly pessimistic conclusion of ARM's security as we unveil AutoLock: an internal performance enhancement found in inclusive… 
CacheShield: Detecting Cache Attacks through Self-Observation
TLDR
This work proposes CacheShield, a tool to protect legacy code by self-monitoring its execution and detecting the presence of microarchitectural attacks, which can be run by users and does not require alteration of the OS or hypervisor, while previously proposed software-based countermeasures require cooperation from the hypervisor.
Virtual Platform to Analyze the Security of a System on Chip at Microarchitectural Level
TLDR
The main objective is to create a virtual and open platform that simulates the behavior of microarchitectural features and their interactions with the peripherals, like accelerators and memories in emerging technologies, to analyze the attacks relying on the hardware vulnerabilities of the microarchitectures of CPUs and SoCs.
Triggering Rowhammer Hardware Faults on ARM: A Revisit
TLDR
A thorough study of the unprivileged ARMv8-A cache maintenance instructions is provided, two previously overlooked reasons to support their use in rowhammer attacks are given, and a previously undiscovered instruction is presented that can be exploited to trigger the rowhammer bug on many ARM-based devices.
A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography
TLDR
This article systematizes microarchitectural side channels with a focus on attacks and defenses in cryptographic applications, and conducts a large-scale evaluation on popular cryptographic applications in the real world to analyze the severity, practicality, and impact of side-channel vulnerabilities.
Systematic Analysis of Randomization-based Protected Cache Architectures
TLDR
This paper consolidates existing randomization-based secure caches into a generic cache model, and comprehensively analyze the security of existing designs, including CEASER-S and SCATTERCACHE, by mapping them to instances of this model.
Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries
TLDR
The execution time of shared libraries as the side-channel is considered, and a completely automated technique to discover and select exploitable side-channels on shared graphics libraries is showcased, achieving high precision in terms of inferring the sensitive information entered on desktop and Android platforms.
An exploration of effective fuzzing for side‐channel cache leakage
TLDR
This paper proposes a test‐generation methodology, which, in both timing‐based and access‐based dimensions, systematically discovers the cache side‐channel leakage of an arbitrary software program.
Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks
TLDR
It is shown for the first time that hardware translation lookaside buffers (TLBs) can be abused to leak fine-grained information about a victim's activity even when CPU cache activity is guarded by state-of-the-art cache side-channel protections, such as CAT and TSX.
Understanding the Security of ARM Debugging Features
TLDR
This paper performs a comprehensive security analysis of the ARM debugging features, summarizes the security and vulnerability implications, and crafts the Nailgun attack, which obtains sensitive information and achieves arbitrary payload execution in a high-privileged mode from a low-privilege mode by misusing the debugging features.
SoK: Hardware Security Support for Trustworthy Execution
TLDR
This paper systematizes hardware mechanisms providing trusted execution environments (TEEs), support for integrity checking and memory safety and widespread uses of hardware roots of trust through the lens of abstraction and finds that these abstractions can both obscure information that is needed for security enforcement, as well as reveal information that needs to be kept secret, leading to vulnerabilities.

References

SHOWING 1-10 OF 81 REFERENCES
ARMageddon: Cache Attacks on Mobile Devices
TLDR
This work demonstrates how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges.
Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices
TLDR
A novel construction of flush-reload side channels on last-level caches of ARM processors, which, in particular, exploits return-oriented programming techniques to reload instructions, is demonstrated.
The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications
TLDR
This attack, which is an extension to the last-level cache attacks of Liu et al., allows a remote adversary to recover information belonging to other processes, users, and even virtual machines running on the same physical host with the victim web browser.
Advances on Access-Driven Cache Attacks on AES
TLDR
This work shows that access-driven cache-based attacks are becoming easier to understand and analyze, and when such attacks are mounted against systems performing AES, only a very limited number of encryptions are required to recover the whole key with a high probability of success.
Cache Attacks and Countermeasures: The Case of AES
TLDR
An extremely strong type of attack is demonstrated, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache.
New cache designs for thwarting software cache-based side channel attacks
TLDR
The results show that the new cache designs with built-in security can defend against cache-based side channel attacks in general, rather than only specific attacks on a given cryptographic algorithm, with very little performance degradation and hardware cost.
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
TLDR
This work shows that caches can be forced into fast cache eviction to trigger the Rowhammer bug with only regular memory accesses, and demonstrates a fully automated attack that requires nothing but a website with JavaScript to trigger faults on remote hardware.
S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES
TLDR
A fine-grain cross-core cache attack that exploits access time variations on the last level cache and can be customized to work virtually at any cache level/size is introduced.
TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices
TLDR
TruSpy is presented, the first study of timing-based cache side-channel information leakage of TrustZone, and it is demonstrated that it is possible for a normal world attacker to steal a fine-grained secret from the secure world using a timing-based cache side-channel.
Differential Cache-Collision Timing Attacks on AES with Applications to Embedded CPUs
TLDR
This paper proposes a new type of cache-collision timing attacks on software implementations of AES based on the MDS property of the linear code providing the diffusion matrix used in the MixColumns transform, a chosen-plaintext attack where pairs of AES executions are treated differentially.