Microarchitectural Attacks On Ubiquitous Systems – MIAOUS

This project is mostly based on empirical research, as we intend to develop attacks and countermeasures on actual hardware. We will use generic and systematic procedures to ensure that this research is broadly applicable to different hardware generations - as well as future ones - and that the attack surface has been thoroughly explored. We will use mathematical tools and methods such as statistics and machine learning when appropriate.

We reverse-enginered the following microarchitectural components:
- Intel branch predictors. We used performance counters to obtain a model of the predictor. While it was not possible to obtain a complete model, experiments on recent processors showed that it was possible to obtain a better approximation of the model than the ones considered in the side-channel attack literature.
- AMD L1 cache way predictors. Using a timing attack, we were able to reverse engineer this predictor on microarchitectures ranging from 2011 to 2019. Using this knowledge, we were able to develop two new side-channel attack primitives on L1 to build a covert channel, attack on user-space and kernel-space ASLR, and attacks on vulnerable cryptographic implementations.
- Intel CPU interconnect. We performed series of fine-grained measurements to reverse-engineer the interconnect. By taking into account the role of this component as well as cache coherence in cache attacks, we improved the Flush+Flush attack, making it practically noiseless and as fast as Flush+Reload.

We also focused on timing attacks in browsers, and in particular we studied the impact of the changes that were made to JavaScript timers. We found out that, while the isolation recently provided by browsers is able to thwart some classes of attacks (e.g., some speculative execution attacks), the browsers are in fact more vulnerable to hardware contention-based timing attacks now that they were a few years ago.

We continue exploring the impact of microarchitectural attacks in browsers.

SoK: In Search of Lost Time: A Review of JavaScript’s Timers in Browsers
Thomas Rokicki, Clémentine Maurice, Pierre Laperdrix.
6th IEEE European Symposium on Security and Privacy (EuroS&P'21)

Calibration Done Right: Noiseless Flush+Flush Attacks
Guillaume Didier, Clémentine Maurice.
18th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'21)

Nethammer: Inducing Rowhammer Faults through Network Requests
Moritz Lipp, Misiker Tadesse Aga, Michael Schwarz, Daniel Gruss, Clémentine Maurice, Lukas Raab, Lukas Lamster.
Workshop on the Security of Software/Hardware Interfaces (SILM'20, co-located with EuroS&P 2020)

Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors
Moritz Lipp, Vedad Hadžic, Michael Schwarz, Arthur Perais, Clémentine Maurice, Daniel Gruss.
15th ACM ASIA Conference on Computer and Communications Security (ASIACCS'20)

Branch Prediction Attack on Blinded Scalar Multiplication
Sarani Bhattacharya, Clémentine Maurice, Shivam Bhasin, Debdeep Mukhopadhyay
IEEE Transactions on Computers, vol. 69, no. 5, pp. 633-648, 1 May 2020

Hardware is often considered as an abstract layer that behaves correctly, executing instructions and giving an output. However, side effects due to software implementation and its execution on actual hardware can cause information leakage from side channels, resulting in critical vulnerabilities impacting both the security and privacy of these systems

The MIAOUS project targets in particular information leakage that does not require any physical proximity to devices and that is due to processor microarchitecture, as well as the constructions of novel countermeasures.

The main goal of this project is to propose a generic framework to provide a better understanding of the attack surface for microarchitectural attacks, both on the hardware and on the software side, and the tools to close the attack surface.