#speculativeexecution — Public Fediverse posts

G. Hu and R. Lee, "Protecting Cache States Against Both Speculative Execution Attacks and Side-channel Attacks"¹

Cache side-channel attacks and speculative execution attacks that leak information through cache states are stealthy and dangerous attacks on hardware that must be mitigated. Unfortunately, defenses proposed for cache side-channel attacks do not mitigate all cache-based speculative execution attacks and vice versa. Since both classes of attacks must be addressed, we propose comprehensive cache architectures to do this.
We show a framework to analyze the security of a secure cache. We identify same-domain speculative execution attacks, and show they evade cache side-channel defenses. We present new hardware security mechanisms that address target attacks and reduce performance overhead. We design two Speculative and Timing Attack Resilient (STAR) caches that defeat both cache side-channel attacks and cache-based speculative execution attacks. These comprehensive defenses have low performance overhead of 6.6% and 8.8%.

#arXiv #ResearchPapers #SideChannelAttacks #Microarchitecture #SpeculativeExecution
__
¹ https://arxiv.org/abs/2302.00732

G. Hu and R. Lee, "Protecting Cache States Against Both Speculative Execution Attacks and Side-channel Attacks"¹

Cache side-channel attacks and speculative execution attacks that leak information through cache states are stealthy and dangerous attacks on hardware that must be mitigated. Unfortunately, defenses proposed for cache side-channel attacks do not mitigate all cache-based speculative execution attacks and vice versa. Since both classes of attacks must be addressed, we propose comprehensive cache architectures to do this.
We show a framework to analyze the security of a secure cache. We identify same-domain speculative execution attacks, and show they evade cache side-channel defenses. We present new hardware security mechanisms that address target attacks and reduce performance overhead. We design two Speculative and Timing Attack Resilient (STAR) caches that defeat both cache side-channel attacks and cache-based speculative execution attacks. These comprehensive defenses have low performance overhead of 6.6% and 8.8%.

#arXiv #ResearchPapers #SideChannelAttacks #Microarchitecture #SpeculativeExecution
__
¹ https://arxiv.org/abs/2302.00732

You might by now have heard of "Downfall"¹, yet another speculative execution attack on Intel processors.

The mitigations are going to cost another 50% performance on "selected workloads" which, by Murphy's, will inevitably be yours.

I quote something I find really rather irritating:

"
[Q] Can I disable the mitigation if my workload does not use Gather?

[A] This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather.
"

No, you can freely decide to ignore microcode mitigations if you know what you are doing. There are thousands of reasons why you should not continue piling up Intel's microcode fixes on your machines and performance is indeed one of them.

This attack is based on the "gather" part of the "scatter-gather" SIMD algorithms, these are pretty ubiquitous if you have ever done HPC and, well, if your HPC machine is one telnet away from the Internet then you have a bigger problem than microcode².

Now, please understand, perhaps "for once and for all", that these attacks have a very simple "root cause": in the 1990s pretty much every processor manufacturer on the planet decided that performance trumped everything else and, therefore, went down (unprotected) speculative execution³.

This means that it cannot be fixed within current architectures.

#SpeculativeExecution #NamedVulnerabilities #Downfall #Hype #MitigationsDoneWrong

__
¹ https://downfall.page
² I used to manage an HPC network in the 1990s, I was hacked by, of all places, Intel in Israel (Haifa), no I cannot discuss this further, yes, I detected them.
³ If you read the literature you will discover that even IBM mainframe processors went down that route (hint, hint).

Quite a long list this time spanning sophisticated semiconductor properties (generating electricity from heat), some "cyberspace" legal arguments, an interesting attack against automatic speaker verification, a design "fixing" speculative execution¹, a family of low-latency ciphers, randomness in Cisco ASA (yes!), anonymising stories with privacy guarantees (thought-provoking for sure), ChatGPT fun, malicious IPFS, and a little something about the perception of privacy (also thought-provoking).

Here's the shortlist:

* "Semiconductor Thermal and Electrical Properties Decoupled by Localized Phonon Resonances"
* "On-chip wavelength division multiplexing filters using extremely efficient gate-driven silicon microring resonator array"
* "Space Cybersecurity Norms"
* "Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems"
* "SafeBet: Secure, Simple, and Fast Speculative Execution"
* "Introducing two Low-Latency Cipher Families: Sonic and SuperSonic"
* "Randomness of random in Cisco ASA"
* "What If Alice Wants Her Story Told?"
* "Check Me If You Can: Detecting ChatGPT-Generated Academic Writing using CheckGPT"
* "What's inside a node? Malicious IPFS nodes under the magnifying glass"
* ""My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies"

#Photonics #SemiconductorEngineering #Cybersecurity #AdversarialConvolutiveAttacks #SpeculativeExecution #LowLatencyCiphers #Randomness #Privacy #Anonymity #ChatGPT #IPFS

__
¹ to me it is just memory tagging "done wrong" but I am putting it forward just in case it is my unconscious bias talking.

The time has come to talk of many things… today's selection is again quite varied covering topics from ChatGPT security to CHERI allocators via near-ultrasound attacks on Alexa, issues with Signal groups and a fascinating "automatic repair" for speculative execution attacks with a smattering of Belgian remote voting!

* "Beyond the Safeguards: Exploring the Security Risks of ChatGPT"
* "DNN-Defender: An in-DRAM Deep Neural Network Defense Mechanism for Adversarial Weight Attack"
* "ChargeX: Exploring State Switching Attack on Electric Vehicle Charging Systems"
* "Picking a CHERI Allocator: Security and Performance Considerations"
* "Analyzing and Improving Eligibility Verifiability of the Proposed Belgian Remote Voting System"
* "Comprehensively Analyzing the Impact of Cyberattacks on Power Grids"
* "NUANCE: Near Ultrasound Attack On Networked Communication Environments"
* "Automatic and Incremental Repair for Speculative Information Leaks"
* "Poster: No safety in numbers: traffic analysis of sealed-sender groups in Signal"

#arXiv #ResearchPapers #ChatGPT #SpeculativeExecution #Signal #Alexa #PowerGrids #CHERI #DNN #BelgiumRemoteVoting

For those interested in the number of ways Intel's SGX has been broken there is now a fine site:

https://sgx.fail

The introduction to the site reads:

Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.

More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-word deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.

#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD #

H. Xiao and S. Ainsworth, "Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers"¹

Side-channel attacks pose serious threats to many security models, especially sandbox-based browsers. While transient-execution side channels in out-of-order processors have previously been blamed for vulnerabilities such as Spectre and Meltdown, we show that in fact, the capability of out-of-order execution itself to cause mayhem is far more general.
We develop Hacky Racers, a new type of timing gadget that uses instruction-level parallelism, another key feature of out-of-order execution, to measure arbitrary fine-grained timing differences, even in the presence of highly restricted JavaScript sandbox environments. While such environments try to mitigate timing side channels by reducing timer precision and removing language features such as SharedArrayBuffer that can be used to indirectly generate timers via thread-level parallelism, no such restrictions can be designed to limit Hacky Racers. We also design versions of Hacky Racers that require no misspeculation whatsoever, demonstrating that transient execution is not the only threat to security from modern microarchitectural performance optimization.
We use Hacky Racers to construct novel backwards-in-time Spectre gadgets, which break many hardware countermeasures in the literature by leaking secrets before misspeculation is discovered. We also use them to generate the first known last-level cache eviction set generator in JavaScript that does not require SharedArrayBuffer support.

#arXiv #ResearchPapers #OutOfOrderExecution #Spectre #Meltdown #SpeculativeExecution

__
¹ https://arxiv.org/abs/2211.14647

Quite a long list this time spanning sophisticated semiconductor properties (generating electricity from heat), some "cyberspace" legal arguments, an interesting attack against automatic speaker verification, a design "fixing" speculative execution¹, a family of low-latency ciphers, randomness in Cisco ASA (yes!), anonymising stories with privacy guarantees (thought-provoking for sure), ChatGPT fun, malicious IPFS, and a little something about the perception of privacy (also thought-provoking).

Here's the shortlist:

* "Semiconductor Thermal and Electrical Properties Decoupled by Localized Phonon Resonances"
* "On-chip wavelength division multiplexing filters using extremely efficient gate-driven silicon microring resonator array"
* "Space Cybersecurity Norms"
* "Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems"
* "SafeBet: Secure, Simple, and Fast Speculative Execution"
* "Introducing two Low-Latency Cipher Families: Sonic and SuperSonic"
* "Randomness of random in Cisco ASA"
* "What If Alice Wants Her Story Told?"
* "Check Me If You Can: Detecting ChatGPT-Generated Academic Writing using CheckGPT"
* "What's inside a node? Malicious IPFS nodes under the magnifying glass"
* ""My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies"

#Photonics #SemiconductorEngineering #Cybersecurity #AdversarialConvolutiveAttacks #SpeculativeExecution #LowLatencyCiphers #Randomness #Privacy #Anonymity #ChatGPT #IPFS

__
¹ to me it is just memory tagging "done wrong" but I am putting it forward just in case it is my unconscious bias talking.

Quite a long list this time spanning sophisticated semiconductor properties (generating electricity from heat), some "cyberspace" legal arguments, an interesting attack against automatic speaker verification, a design "fixing" speculative execution¹, a family of low-latency ciphers, randomness in Cisco ASA (yes!), anonymising stories with privacy guarantees (thought-provoking for sure), ChatGPT fun, malicious IPFS, and a little something about the perception of privacy (also thought-provoking).

Here's the shortlist:

* "Semiconductor Thermal and Electrical Properties Decoupled by Localized Phonon Resonances"
* "On-chip wavelength division multiplexing filters using extremely efficient gate-driven silicon microring resonator array"
* "Space Cybersecurity Norms"
* "Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems"
* "SafeBet: Secure, Simple, and Fast Speculative Execution"
* "Introducing two Low-Latency Cipher Families: Sonic and SuperSonic"
* "Randomness of random in Cisco ASA"
* "What If Alice Wants Her Story Told?"
* "Check Me If You Can: Detecting ChatGPT-Generated Academic Writing using CheckGPT"
* "What's inside a node? Malicious IPFS nodes under the magnifying glass"
* ""My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies"

#Photonics #SemiconductorEngineering #Cybersecurity #AdversarialConvolutiveAttacks #SpeculativeExecution #LowLatencyCiphers #Randomness #Privacy #Anonymity #ChatGPT #IPFS

__
¹ to me it is just memory tagging "done wrong" but I am putting it forward just in case it is my unconscious bias talking.

Quite a long list this time spanning sophisticated semiconductor properties (generating electricity from heat), some "cyberspace" legal arguments, an interesting attack against automatic speaker verification, a design "fixing" speculative execution¹, a family of low-latency ciphers, randomness in Cisco ASA (yes!), anonymising stories with privacy guarantees (thought-provoking for sure), ChatGPT fun, malicious IPFS, and a little something about the perception of privacy (also thought-provoking).

Here's the shortlist:

* "Semiconductor Thermal and Electrical Properties Decoupled by Localized Phonon Resonances"
* "On-chip wavelength division multiplexing filters using extremely efficient gate-driven silicon microring resonator array"
* "Space Cybersecurity Norms"
* "Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems"
* "SafeBet: Secure, Simple, and Fast Speculative Execution"
* "Introducing two Low-Latency Cipher Families: Sonic and SuperSonic"
* "Randomness of random in Cisco ASA"
* "What If Alice Wants Her Story Told?"
* "Check Me If You Can: Detecting ChatGPT-Generated Academic Writing using CheckGPT"
* "What's inside a node? Malicious IPFS nodes under the magnifying glass"
* ""My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies"

#Photonics #SemiconductorEngineering #Cybersecurity #AdversarialConvolutiveAttacks #SpeculativeExecution #LowLatencyCiphers #Randomness #Privacy #Anonymity #ChatGPT #IPFS

__
¹ to me it is just memory tagging "done wrong" but I am putting it forward just in case it is my unconscious bias talking.

Quite a long list this time spanning sophisticated semiconductor properties (generating electricity from heat), some "cyberspace" legal arguments, an interesting attack against automatic speaker verification, a design "fixing" speculative execution¹, a family of low-latency ciphers, randomness in Cisco ASA (yes!), anonymising stories with privacy guarantees (thought-provoking for sure), ChatGPT fun, malicious IPFS, and a little something about the perception of privacy (also thought-provoking).

Here's the shortlist:

* "Semiconductor Thermal and Electrical Properties Decoupled by Localized Phonon Resonances"
* "On-chip wavelength division multiplexing filters using extremely efficient gate-driven silicon microring resonator array"
* "Space Cybersecurity Norms"
* "Malafide: a novel adversarial convolutive noise attack against deepfake and spoofing detection systems"
* "SafeBet: Secure, Simple, and Fast Speculative Execution"
* "Introducing two Low-Latency Cipher Families: Sonic and SuperSonic"
* "Randomness of random in Cisco ASA"
* "What If Alice Wants Her Story Told?"
* "Check Me If You Can: Detecting ChatGPT-Generated Academic Writing using CheckGPT"
* "What's inside a node? Malicious IPFS nodes under the magnifying glass"
* ""My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies"

#Photonics #SemiconductorEngineering #Cybersecurity #AdversarialConvolutiveAttacks #SpeculativeExecution #LowLatencyCiphers #Randomness #Privacy #Anonymity #ChatGPT #IPFS

__
¹ to me it is just memory tagging "done wrong" but I am putting it forward just in case it is my unconscious bias talking.

For those interested in the number of ways Intel's SGX has been broken there is now a fine site:

https://sgx.fail

The introduction to the site reads:

Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.

More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-word deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.

#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD #

For those interested in the number of ways Intel's SGX has been broken there is now a fine site:

https://sgx.fail

The introduction to the site reads:

Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.

More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-word deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.

#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD #

For those interested in the number of ways Intel's SGX has been broken there is now a fine site:

https://sgx.fail

The introduction to the site reads:

Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.

More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-word deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.

#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD #

For those interested in the number of ways Intel's SGX has been broken there is now a fine site:

https://sgx.fail

The introduction to the site reads:

Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.

More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-word deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.

#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD #