Search

Your search keyword '"Piessens, Frank"' showing total 36 results
Start Over Author "Piessens, Frank" Publisher ieee
36 results on '"Piessens, Frank"'

1. CHERI-TrEE: Flexible enclaves on capability machines

Author

Van Strydonck, Thomas, Noorman, Job, Jackson, Jennifer, Alves Dias, Leonardo, Vanderstraeten, Robin, Oswald, David, Piessens, Frank, Devriese, Dominique, Noorman, Job, Jackson, Jennifer, Alves Dias, Leonardo, Vanderstraeten, Robin, Oswald, David, Piessens, Frank, and Devriese, Dominique

Subjects
ARM Morello, enclaves, capability machines, trusted execution, CHERI, CHERI-RISC-V, TEE
Abstract

This paper studies the integration of two successful hardware-supported security mechanisms: capabilities and enclaved execution. Capabilities are a powerful and flexible security mechanism for implementing fine-grained memory access control and compartmentalizing untrusted or buggy software components. Capabilities have a long history but have gained significant momentum recently, as evidenced by ARM’s experimental Morello processor that supports the Capability Hardware Enhanced RISC Instructions (CHERI). Enclaved execution is a popular mechanism for dynamically creating Trusted Execution Environments (TEEs), called enclaves. Enclaves are isolated execution contexts that protect the integrity and confidentiality of software in the enclave (even against compromised system software) and that support attestation. Integrating capabilities and enclaved execution in a single processor is challenging because they overlap partially in their security objectives, and a clean integration should unify the way in which these overlapping objectives are achieved. In addition, it is not obvious how attestation should interact with capabilities. In this paper, we propose CHERI-TrEE: a novel design for a processor that cleanly integrates support for both capabilities and enclaved execution. CHERI-TrEE targets low-end embedded systems without virtual memory. We show that CHERI-TrEE is greater than the sum of its parts by showing how it naturally supports useful features that have traditionally been hard to support in enclaved execution, like dynamically growing and shrinking enclaves, non-contiguous and nested enclaves, sharing of memory between enclaves etc. We implement our proposal both in hardware on a RISC-V processor, as well as in a small software hypervisor on top of ARM Morello, and evaluate impact on performance and hardware resources. ispartof: pages:1143-1159 ispartof: Proceedings of the 8th IEEE European Symposium on Security and Privacy pages:1143-1159 ispartof: 8th IEEE European Symposium on Security and Privacy location:Delft date:3 Jul - 7 Jun 2023 status: published

Published
2023

3. CHERI-TrEE: Flexible enclaves on capability machines

Author

Van Strydonck, Thomas, primary, Noorman, Job, additional, Jackson, Jennifer, additional, Alves Dias, Leonardo, additional, Vanderstraeten, Robin, additional, Oswald, David, additional, Piessens, Frank, additional, and Devriese, Dominique, additional

Published
2023
Full Text
View/download PDF

15. Plundervolt: How a Little Bit of Undervolting Can Create a Lot of Trouble.

Author

Murdock, Kit, Oswald, David, Garcia, Flavio D., Van Bulck, Jo, Piessens, Frank, and Gruss, Daniel

Abstract

Historically, fault injection was the realm of adversaries with physical access. This changed when research revealed that remote attackers could use software to inject faults. Plundervolt is a new software-based attack on Intel's trusted execution technology (SGX). Plundervolt can break cryptography and inject memory-safety bugs into secure code. [ABSTRACT FROM AUTHOR]

Published
2020
Full Text
View/download PDF

18. Breaking Virtual Memory Protection and the SGX Ecosystem with Foreshadow.

Author

Van Bulck, Jo, Minkin, Marina, Weisse, Ofir, Genkin, Daniel, Kasikci, Baris, Piessens, Frank, Silberstein, Mark, Wenisch, Thomas F., Yarom, Yuval, and Strackx, Raoul

Subjects
ECOSYSTEMS, MEMORY, PUNCHED card systems
Abstract

Foreshadow is a speculative execution attack that allows adversaries to subvert the security guarantees of Intel's Software Guard eXtensions (SGX). Foreshadow allows access to data across process boundaries, and allows virtual machines (VMs) to read the physical memory belonging to other VMs or the hypervisor. [ABSTRACT FROM AUTHOR]

Published
2019
Full Text
View/download PDF

31. Protected Web Components: Hiding Sensitive Information in the Shadows.

Author

De Ryck, Philippe, Nikiforakis, Nick, Desmet, Lieven, Piessens, Frank, and Joosen, Wouter

Subjects
WEB-based user interfaces, COMPUTER security, COMPUTER systems, INFORMATION technology, JAVASCRIPT programming language, PROGRAMMING languages
Abstract

Most modern Web applications depend on the integration of code from third-party providers, such as JavaScript libraries and advertisements. Because the included code runs within the page's security context, it represents an attractive attack target, allowing the compromise of numerous Web applications through a single attack vector (such as a malicious advertisement). Such opportunistic attackers aim to execute low-profile, nontargeted, widely applicable data-gathering attacks, such as the silent extraction of user-specific data and authentication credentials. In this article, the authors show that third-party code inclusion is rampant, even in privacy-sensitive applications such as online password managers, thereby potentially exposing the user's most sensitive data to attackers. They propose protected Web components, which leverage the newly proposed Web components, repurposing them to protect private data against opportunistic attacks, by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a component. This article is part of a special issue on IT security. [ABSTRACT FROM AUTHOR]

Published
2015
Full Text
View/download PDF

34. On the Workings and Current Practices of Web-Based Device Fingerprinting.

Author

Nikiforakis, Nick, Kapravelos, Alexandros, Joosen, Wouter, Kruegel, Christopher, Piessens, Frank, and Vigna, Giovanni

Abstract

By analyzing the code of three popular browser-fingerprinting code providers, the authors reveal the techniques that allow websites to track users without client-side identifiers. They expose questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plug-ins. In addition, they measure the adoption of fingerprinting on the Web and evaluate user-agent-spoofing browser extensions, showing that current commercial approaches can bypass the extensions and take advantage of their shortcomings. [ABSTRACT FROM PUBLISHER]

Published
2014
Full Text
View/download PDF

36. Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies.

Author

Desmet, Lieven, Verbaeten, Pierre, Joosen, Wouter, and Piessens, Frank

Subjects
COMPUTER security, APPLICATION software security measures, WEB services, COMPUTER debugging software, BUSINESS software, COMPUTER file sharing, SECURITY systems
Abstract

Web applications are widely adopted and their correct functioning is mission critical for many businesses, At the same time, Web applications tend to be error prone and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities or protect against their exploitation is an important research challenge for the fields of software engineering and security engineering. In this paper, we focus on one specific type of implementation vulnerability, namely, broken dependencies on session data. This vulnerability can lead to a variety of erroneous behavior at runtime and can easily be triggered by a malicious user by applying attack techniques such as forceful browsing, This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications. The proposed solution combines development-time program annotation, static verification, and runtime checking to provably protect against broken data dependencies. We have developed a prototype implementation of our approach, building on the JML annotation language and the existing static verification tool ESC/Java2, and we successfully applied our approach to a representative J2EE-based e-commerce application. We show that the annotation overhead is very small, that the performance of the fully automatic static verification is acceptable, and that the performance overhead of the runtime checking is limited. [ABSTRACT FROM AUTHOR]

Published
2008
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results