Microarchitectural Attacks On Ubiquitous Systems – MIAOUS
Objectives
Hardware is often considered as an abstract layer that behaves correctly, executing instructions and giving an output. However, side effects due to software implementation and its execution on actual hardware can cause information leakage from side channels, resulting in critical vulnerabilities impacting both the security and privacy of these systems. The MIAOUS project targets in particular information leakage that does not require any physical proximity to devices and that is due to processor microarchitecture, as well as the construction of novel countermeasures. The main goal of this project is to propose a generic framework to provide a better understanding of the attack surface for microarchitectural attacks, both on the hardware and on the software side, and the tools to close the attack surface.
The MIAOUS project relied primarily on an empirical research approach, focused on designing, implementing, and evaluating attacks and countermeasures on real hardware. For the reverse engineering of microarchitectural components, we used fine-grained timing measurements and hardware performance counters to characterize the behavior of undocumented or poorly documented components. In the context of browser-based attacks, we conducted a thorough analysis of the countermeasures implemented by major browsers over time, and assessed their effectiveness against various attack primitives. Finally, for the study of constant-time software, we compared several program analysis approaches by evaluating their ability to detect real-world vulnerabilities. This systematic methodology enabled us to produce robust and reproducible results, while ensuring comprehensive coverage of the attack surface under study.
The ANR MIAOUS project addressed a central cybersecurity challenge: understanding how modern processors, through their internal optimizations, can unintentionally leak sensitive data. These so-called microarchitectural vulnerabilities are difficult to detect and mitigate because they lie at the intersection of hardware and software. The project yielded major contributions along three complementary research axes.
1. Reverse engineering of microarchitectural components
The project contributed to a better characterization of several internal processor components (such as branch predictors, cache way predictors, and prefetchers), which are often poorly documented or not documented at all. These studies led to the development of new attack primitives or improvements to existing techniques. For example, the reverse engineering of AMD's cache way predictors revealed vulnerabilities that could be exploited to bypass protections like ASLR.
Another major contribution was the enhancement of the Flush+Flush technique, making it significantly more precise and enabling advanced characterization of hardware prefetchers. These results have deepened our understanding of the hardware attack surface and the risks associated with undocumented processor optimizations.
2. Browser-based attacks and privacy impact
A second focus of the project explored whether such vulnerabilities could be exploited remotely through web browsers. Although technically challenging, these attacks have shown that it is possible to retrieve sensitive information without privileged access. An original aspect of the project was to investigate how these side channels could be leveraged for device or user identification—known as fingerprinting. Innovative methods were developed to identify CPU generations, distinguish GPUs, and even profile a machine’s power consumption. These findings demonstrate that microarchitectural leakages, which are largely unaffected by software updates, pose long-term threats to user privacy.
3. Software hardening and vulnerability detection
Lastly, the project addressed software-level protections against such attacks, focusing on the concept of constant-time programming—where a program’s behavior must not depend on secret data. The project evaluated existing analysis tools and showed that many fail to detect critical vulnerabilities. To address this, a unified benchmark was proposed to provide a more realistic evaluation and foster improvement of these tools.
Conclusion
By combining hardware reverse engineering, remote attack scenarios, and software analysis, the MIAOUS project significantly advanced our understanding and mitigation of microarchitectural leakages. It helped bridge the communities of hardware security, software security, and privacy, shedding light on emerging technical and societal risks.
Following MIAOUS, a new international collaboration was initiated through the ANR PRCI project FACADES, in partnership with Saarland University and the CISPA research center in Germany. This project extends our work on microarchitectural attacks from the browser, with a continued focus on their implications for user privacy. In parallel, our research is now increasingly centered on the software side—particularly on securing sensitive code through constant-time programming. It has become clear that any microarchitectural component is, or will eventually be, vulnerable to side-channel attacks. In this context, we choose to focus our efforts on the software layer, where we have more control and greater leverage to detect and mitigate vulnerabilities.
A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries
Antoine Geimer, Mathéo Vergnolle, Frédéric Recoules, Lesly-Ann Daniel, Sébastien Bardin, Clémentine Maurice.
ACM Conference on Computer and Communications Security (CCS'23)
The Finger in the Power: How to Fingerprint PCs by Monitoring Their Power Consumption
Marina Botvinnik, Tomer Laor, Thomas Rokicki, Clémentine Maurice, Yossi Oren.
20th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'23)
Characterizing Prefetchers using CacheObserver
Guillaume Didier, Clémentine Maurice, Antoine Geimer, Walid J. Ghandour.
34th International Symposium on Computer Architecture and High Performance Computing (IEEE SBAC-PAD'22)
CPU Port Contention Without SMT
Thomas Rokicki, Clémentine Maurice, Michael Schwarz.
27th European Symposium on Research in Computer Security (ESORICS'22)
Port Contention Goes Portable: Port Contention Side Channels in Web Browsers
Thomas Rokicki, Clémentine Maurice, Marina Botvinnik, Yossi Oren.
17th ACM ASIA Conference on Computer and Communications Security (ASIACCS'22)
DrawnApart: A Device Identification Technique based on Remote GPU Fingerprinting
Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Maurice, Yossi Oren, Romain Rouvoy, Walter Rudametkin, Yuval Yarom.
Network and Distributed System Security Symposium 2022 (NDSS'22)
SoK: In Search of Lost Time: A Review of JavaScript’s Timers in Browsers
Thomas Rokicki, Clémentine Maurice, Pierre Laperdrix.
6th IEEE European Symposium on Security and Privacy (EuroS&P'21)
Calibration Done Right: Noiseless Flush+Flush Attacks
Guillaume Didier, Clémentine Maurice.
18th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'21)
Nethammer: Inducing Rowhammer Faults through Network Requests
Moritz Lipp, Misiker Tadesse Aga, Michael Schwarz, Daniel Gruss, Clémentine Maurice, Lukas Raab, Lukas Lamster.
Workshop on the Security of Software/Hardware Interfaces (SILM'20, co-located with EuroS&P 2020)
Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors
Moritz Lipp, Vedad Hadžic, Michael Schwarz, Arthur Perais, Clémentine Maurice, Daniel Gruss.
15th ACM ASIA Conference on Computer and Communications Security (ASIACCS'20)
Branch Prediction Attack on Blinded Scalar Multiplication
Sarani Bhattacharya, Clémentine Maurice, Shivam Bhasin, Debdeep Mukhopadhyay.
IEEE Transactions on Computers, vol. 69, no. 5, pp. 633-648, 1 May 2020
Project coordination
Clémentine MAURICE (Institut de Recherche en Informatique et Systèmes Aléatoires)
The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility for its contents.
Partnership
IRISA Institut de Recherche en Informatique et Systèmes Aléatoires
Graz University of Technology / IAIK
ANR funding: 252,860 euros
Beginning and duration of the scientific project: September 2019, 48 months