In an earlier blog post, we argued that computer architects working on security problems should follow security conferences. In this post, we highlight some of the recent results from this year’s events that may be of interest to our community. While security conferences encompass many topics and typically accept more papers than architecture conferences, several sessions are usually dedicated to architecture, hardware and systems related security. Recently, the number of such papers has been increasing. Specifically, we will focus on three conferences from 2020: IEEE S&P, Usenix Security Symposium and NDSS.
IEEE Security and Privacy 2020
The premier security conference – IEEE Symposium on Security and Privacy (S&P) – had its 41st edition this year and was held as a virtual event on May 18-20, 2020. Interestingly, the very first session of S&P’20 was on microarchitectural security and featured four papers. Spectactor introduced the semantic notion of speculative non-interference and developed an algorithm based on symbolic execution to automatically prove speculative non-interference and detect violations to protect from transient execution attacks. NetCatdemonstrated how Data-Direct I/O technology used in recent processors can be exploited to mount network-based Prime+Probe cache side channel attacks. This attack demonstrates that sharing microarchitectural resources with peripherals that are exposed to malicious inputs can have serious security implications. SPECCFI integrat
A session on rowhammer attacks also featured four papers. RAMBleed demonstrated that the attacker can perform rowhammer-style bit flips in its own memory and consequently deduce the memory values in neighboring rows belonging to other processes, making this a threat not only to integrity, but also to confidentiality of systems. The second paper in the rowhammer session proposed an end-to-end methodology to generate worst case attack scenarios to detect if DRAM chips employed by the cloud providers are vulnerable to rowhammer. On a defense side, the third paperdescribed how to detect rowhammer attacks using EM signals by identifying hammering-correlated sideband patterns in the spectrum of the DRAM clock signals. To conclude the rowhammer session, TRRespass debunked the security guarantees of Target Row Refresh – a recent mechanism in DDR4 chips to prevent rowhammer attacks. The authors performed deep analysis of TRR and then proceeded with TRR-aware attack modification to bypass TRR protections. This paper received the Best Paper Award at the conference.
The hardware security session featured three papers. Transys presented a tool for translating security critical properties written for one hardware design to analogous properties for a different design. C3APSULe demonstrated that powering FPGAs, CPUs and GPUs using a common power supply unit can be exploited to create covert channels between these independent boards. This is important for systems that use FPGAs as hardware accelerators. ICAS presented a layout-level security analysis tool that takes as an input a set of metrics that represent a challenge of inserting a hardware trojan into the circuit, the set of attacks of interest, and the IC layout. The tool then reports the number of ways in which a trojan can be inserted into this circuit.
Finally, we mention several papers from other sessions. Plundervolt used a privileged voltage scaling interface to attack the integrity of computations inside SGX enclaves by inducing predictable faults inside a processor package. Mitigating this attack may require microcode updates or hardware changes. SEIMI demonstrated a creative way to defend from memory corruption attacks by using SMAP (Supervisor-Mode Execution Prevention) hardware feature that was originally introduced for preventing the kernel from accessing user space pages. The key idea of this paper is to run user code in the privileged mode and to store sensitive data in the user space. Cornucopia introduced a lightweight capability revocation mechanism for CHERI capability-based system. As these examples demonstrate, a significant fraction of S&P’20 program could be of interest to our community.
USENIX Security Symposium 2020
USENIX Security Symposium is scheduled to take place in August 2020, but most papers are already available online since they have been accepted throughout the year. Again, we highlight the ones that are relevant to computer architecture researchers.
On the attack side, RELOAD+REFRESH demonstra
On the defense side, PHMon described a programmable security monitor with expressive monitoring rules and flexible actions. The authors demonstrated their design on four case studies: a shadow stack, a hardware-accelerated fuzzer, an information leakage monitor and a hardware-accelerated debugger. HybCache proposed a partitioned cache design to prevent side-channels in trusted execution environments. The idea is to dedicate a small number of ways for isolated execution and use these ways in a fully-associative manner.
Network and Distributed Systems Security Symposium (NDSS) 2020
NDSS 2020 took place in San Diego in February. Several papers in the program appear to be of interest to our community. PhantomCache presen
In summary, a significant amount of research relevant to computer architects is published in security conferences every year, we hope that this blog post will be helpful in keeping up with this body of work. Another top security conference – CCS – is scheduled to take place in November 2020, we will overview architecture-relevant contributions from CCS in a future post.