More Like this

1. LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

   Van Bulck, Jo ; Moghimi, Daniel ; Schwarz, Michael ; Lipp, Moritz ; Minkin, Marina ; Genkin, Daniel ; Yarom, Yuval ; Sunar, Berk ; Gruss, Daniel ; Piessens, Frank ( September 2021 , 2020 IEEE Symposium on Security and Privacy)

   null (Ed.)

   The recent Spectre attack first showed how to inject incorrect branch targets into a victim domain by poisoning microarchitectural branch prediction history. In this paper, we generalize injection-based methodologies to the memory hierarchy by directly injecting incorrect, attacker-controlled values into a victim's transient execution. We propose Load Value Injection (LVI) as an innovative technique to reversely exploit Meltdown-type microarchitectural data leakage. LVI abuses that faulting or assisted loads, executed by a legitimate victim program, may transiently use dummy values or poisoned data from various microarchitectural buffers, before eventually being re-issued by the processor. We show how LVI gadgets allow to expose victim secrets and hijack transient control flow. We practically demonstrate LVI in several proof-of-concept attacks against Intel SGX enclaves, and we discuss implications for traditional user process and kernel isolation. State-of-the-art Meltdown and Spectre defenses, including widespread silicon-level and microcode mitigations, are orthogonal to our novel LVI techniques. LVI drastically widens the spectrum of incorrect transient paths. Fully mitigating our attacks requires serializing the processor pipeline with lfence instructions after possibly every memory load. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction. Intel plans compiler and assembler-based full mitigations that will allow at least SGX enclave programs to remain secure on LVI-vulnerable systems. Depending on the application and optimization strategy, we observe extensive overheads of factor 2 to 19 for prototype implementations of the full mitigation. 

   more » « less
2. Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu

   https://doi.org/10.1145/3052973.3053007  

   Chen, Sanchuan ; Zhang, Xiaokuan ; Reiter, Michael K. ; Zhang, Yinqian ( April 2017 , ACM Asia Conference on Computer & Communications Security 2017)

   Intel Software Guard Extension (SGX) protects the confidentiality and integrity of an unprivileged program running inside a secure enclave from a privileged attacker who has full control of the entire operating system (OS). Program execution inside this enclave is therefore referred to as shielded. Unfortunately, shielded execution does not protect programs from side-channel attacks by a privileged attacker. For instance, it has been shown that by changing page table entries of memory pages used by shielded execution, a malicious OS kernel could observe memory page accesses from the execution and hence infer a wide range of sensitive information about it. In fact, this page-fault side channel is only an instance of a category of side-channel attacks, here called privileged side-channel attacks, in which privileged attackers frequently preempt the shielded execution to obtain fine-grained side-channel observations. In this paper, we present Déjà Vu, a software framework that enables a shielded execution to detect such privileged side-channel attacks. Specifically, we build into shielded execution the ability to check program execution time at the granularity of paths in its control-flow graph. To provide a trustworthy source of time measurement, Déjà Vu implements a novel software reference clock that is protected by Intel Transactional Synchronization Extensions (TSX), a hardware implementation of transactional memory. Evaluations show that Déjà Vu effectively detects side-channel attacks against shielded execution and against the reference clock itself. 

   more » « less
3. Towards Cloud-based Infrastructure for Post-Quantum Cryptography Side-channel Attack Analysis

   Teague, Tristen ; Mahzabin, Mayeesha ; Nelson, Alexander ; Andrews, David ; Huang, Miaoqing ( September 2023 , 2023 IEEE Design Methodologies Conference)

   Post-quantum cryptography (PQC) refers to cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. Before PQC algorithms can be widely deployed to replace the current standards such as the RSA algorithm, they need to be rigorously evaluated theoretically and practically. In this work, we present a cloud-based infrastructure being developed for performing side-channel analysis on PQC algorithms for the research community. Multiple types of side-channel attacks, such as timing attacks, power attacks, and electromagnetic attacks can be applied on different types of devices, such as FPGA devices and microcontrollers. An automated tool flow is being developed that can run executables on the target devices, collect traces (e.g., power consumption waveforms and electromagnetic radiation signals), perform leakage assessment (using Test Vector Leakage Assessment), and generate analysis reports. Remote users access the infrastructure through a web portal by uploading the hardware or software implementations of cryptographic algorithms. Side-channel attack and leakage analysis are performed on the given implementation. Finally, the user is informed for downloading the analysis report from the portal. 

   more » « less
4. Signature Correction Attack on Dilithium Signature Scheme

   https://doi.org/10.1109/EuroSP53844.2022.00046  

   Islam, Saad ; Mus, Koksal ; Singh, Richa ; Schaumont, Patrick ; Sunar, Berk ( June 2022 , IEEE 7th European Symposium on Security and Privacy (EuroS&P))

   Motivated by the rise of quantum computers, existing public-key cryptosystems are expected to be replaced by post-quantum schemes in the next decade in billions of devices. To facilitate the transition, NIST is running a standardization process which is currently in its final Round. Only three digital signature schemes are left in the competition, among which Dilithium and Falcon are the ones based on lattices. Besides security and performance, significant attention has been given to resistance against implementation attacks that target side-channel leakage or fault injection response. Classical fault attacks on signature schemes make use of pairs of faulty and correct signatures to recover the secret key which only works on deterministic schemes. To counter such attacks, Dilithium offers a randomized version which makes each signature unique, even when signing identical messages. In this work, we introduce a novel Signature Correction Attack which not only applies to the deterministic version but also to the randomized version of Dilithium and is effective even on constant-time implementations using AVX2 instructions. The Signature Correction Attack exploits the mathematical structure of Dilithium to recover the secret key bits by using faulty signatures and the public-key. It can work for any fault mechanism which can induce single bit-flips. For demonstration, we are using Rowhammer induced faults. Thus, our attack does not require any physical access or special privileges, and hence could be also implemented on shared cloud servers. Using Rowhammer attack, we inject bit flips into the secret key s1 of Dilithium, which results in incorrect signatures being generated by the signing algorithm. Since we can find the correct signature using our Signature Correction algorithm, we can use the difference between the correct and incorrect signatures to infer the location and value of the flipped bit without needing a correct and faulty pair. To quantify the reduction in the security level, we perform a thorough classical and quantum security analysis of Dilithium and successfully recover 1,851 bits out of 3,072 bits of secret key $s_{1}$ for security level 2. Fully recovered bits are used to reduce the dimension of the lattice whereas partially recovered coefficients are used to to reduce the norm of the secret key coefficients. Further analysis for both primal and dual attacks shows that the lattice strength against quantum attackers is reduced from 2128 to 281 while the strength against classical attackers is reduced from 2141 to 289. Hence, the Signature Correction Attack may be employed to achieve a practical attack on Dilithium (security level 2) as proposed in Round 3 of the NIST post-quantum standardization process. 

   more » « less
5. Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries

   Wang, Wubing ; Zhang, Yinqian ; Lin, Zhiqiang ( January 2019 , International Symposium on Research in Attacks, Intrusions and Defenses)

   While Intel SGX provides confidentiality and integrity guarantees to programs running inside enclaves, side channels remain a primary concern of SGX security. Previous works have broadly considered the side-channel attacks against SGX enclaves at the levels of pages, caches, and branches, using a variety of attack vectors and techniques. Most of these studies have only exploited the “order” attribute of the memory access patterns (e.g., sequences of page accesses) as side channels. However, the other attribute of memory access patterns, “time”, which characterizes the interval between two specific memory accesses, is mostly unexplored. In this paper, we present ANABLEPS, a tool to automate the detection of side-channel vulnerabilities in enclave binaries, considering both order and time. ANABLEPS leverages concolic execution and fuzzing techniques to generate input sets for an arbitrary enclave program, constructing extended dynamic control-flow graph representation of execution traces using Intel PT, and automatically analyzing and identifying side-channel vulnerabilities using graph analysis. 

   more » « less