Your search keyword '"Piessens, Frank"' showing total 764 results

1. Libra: Architectural Support For Principled, Secure And Efficient Balanced Execution On High-End Processors (Extended Version)

Author

Winderix, Hans, Bognar, Marton, Daniel, Lesly-Ann, and Piessens, Frank

Subjects

Computer Science - Cryptography and Security

Abstract

Control-flow leakage (CFL) attacks enable an attacker to expose control-flow decisions of a victim program via side-channel observations. Linearization (i.e., elimination) of secret-dependent control flow is the main countermeasure against these attacks, yet it comes at a non-negligible cost. Conversely, balancing secret-dependent branches often incurs a smaller overhead, but is notoriously insecure on high-end processors. Hence, linearization has been widely believed to be the only effective countermeasure against CFL attacks. In this paper, we challenge this belief and investigate an unexplored alternative: how to securely balance secret-dependent branches on higher-end processors? We propose Libra, a generic and principled hardware-software codesign to efficiently address CFL on high-end processors. We perform a systematic classification of hardware primitives leaking control flow from the literature, and provide guidelines to handle them with our design. Importantly, Libra enables secure control-flow balancing without the need to disable performance-critical hardware such as the instruction cache and the prefetcher. We formalize the semantics of Libra and propose a code transformation algorithm for securing programs, which we prove correct and secure. Finally, we implement and evaluate Libra on an out-of-order RISC-V processor, showing performance overhead on par with insecure balanced code, and outperforming state-of-the-art linearized code by 19.3%.

Published

2024

2. ProSpeCT: Provably Secure Speculation for the Constant-Time Policy (Extended version)

Author

Daniel, Lesly-Ann, Bognar, Marton, Noorman, Job, Bardin, Sébastien, Rezk, Tamara, and Piessens, Frank

Subjects

Computer Science - Cryptography and Security, Computer Science - Hardware Architecture

Abstract

We propose ProSpeCT, a generic formal processor model providing provably secure speculation for the constant-time policy. For constant-time programs under a non-speculative semantics, ProSpeCT guarantees that speculative and out-of-order execution cause no microarchitectural leaks. This guarantee is achieved by tracking secrets in the processor pipeline and ensuring that they do not influence the microarchitectural state during speculative execution. Our formalization covers a broad class of speculation mechanisms, generalizing prior work. As a result, our security proof covers all known Spectre attacks, including load value injection (LVI) attacks. In addition to the formal model, we provide a prototype hardware implementation of ProSpeCT on a RISC-V processor and show evidence of its low impact on hardware cost, performance, and required software changes. In particular, the experimental evaluation confirms our expectation that for a compliant constant-time binary, enabling ProSpeCT incurs no performance overhead., Comment: Technical report for our paper accepted at the 32nd USENIX Security Symposium (2023), 56 pages

Published

2023

3. End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs

Author

Scopelliti, Gianluca, Pouyanrad, Sepideh, Noorman, Job, Alder, Fritz, Baumann, Christoph, Piessens, Frank, and Mühlberg, Jan Tobias

Subjects

Computer Science - Cryptography and Security

Abstract

This paper presents an approach to provide strong assurance of the secure execution of distributed event-driven applications on shared infrastructures, while relying on a small Trusted Computing Base. We build upon and extend security primitives provided by Trusted Execution Environments (TEEs) to guarantee authenticity and integrity properties of applications, and to secure control of input and output devices. More specifically, we guarantee that if an output is produced by the application, it was allowed to be produced by the application's source code based on an authentic trace of inputs. We present an integrated open-source framework to develop, deploy, and use such applications across heterogeneous TEEs. Beyond authenticity and integrity, our framework optionally provides confidentiality and a notion of availability, and facilitates software development at a high level of abstraction over the platform-specific TEE layer. We support event-driven programming to develop distributed enclave applications in Rust and C for heterogeneous TEE, including Intel SGX, ARM TrustZone and Sancus. In this article we discuss the workings of our approach, the extensions we made to the Sancus processor, and the integration of our development model with commercial TEEs. Our evaluation of security and performance aspects show that TEEs, together with our programming model, form a basis for powerful security architectures for dependable systems in domains such as Industrial Control Systems and the Internet of Things, illustrating our framework's unique suitability for a broad range of use cases which combine cloud processing, mobile and edge devices, and lightweight sensing and actuation., Comment: 41 pages main text + 4 pages appendix, first co-authorship between Gianluca Scopelliti and Sepideh Pouyanrad, source code available at https://github.com/AuthenticExecution

Published

2022

4. Automated Fuzzing of Automotive Control Units

Author

Werquin, Timothy, Hubrechtsen, Mathijs, Thangarajan, Ashok, Piessens, Frank, and Muehlberg, Jan Tobias

Subjects

Computer Science - Cryptography and Security, Electrical Engineering and Systems Science - Systems and Control

Abstract

Modern vehicles are governed by a network of Electronic Control Units (ECUs), which are programmed to sense inputs from the driver and the environment, to process these inputs, and to control actuators that, e.g., regulate the engine or even control the steering system. ECUs within a vehicle communicate via automotive bus systems such as the Controller Area Network (CAN), and beyond the vehicles boundaries through upcoming vehicle-to-vehicle and vehicle-to-infrastructure channels. Approaches to manipulate the communication between ECUs for the purpose of security testing and reverse-engineering of vehicular functions have been presented in the past, all of which struggle with automating the detection of system change in response to message injection. In this paper we present our findings with fuzzing CAN networks, in particular while observing individual ECUs with a sensor harness. The harness detects physical responses, which we then use in a oracle functions to inform the fuzzing process. We systematically define fuzzers, fuzzing configurations and oracle functions for testing ECUs. We evaluate our approach based on case studies of commercial instrument clusters and with an experimental framework for CAN authentication. Our results show that the approach is capable of identifying interesting ECU states with a high level of automation. Our approach is applicable in distributed cyber-physical systems beyond automotive computing., Comment: Appeared in 2019 International Workshop on Attacks and Defenses for Internet-of-Things (ADIoT) / International Workshop on the Secure Internet of Things (SIoT)

Published

2021

5. Abstract Congruence Criteria for Weak Bisimilarity

Author

Tsampas, Stelios, Williams, Christian, Nuyts, Andreas, Devriese, Dominique, and Piessens, Frank

Subjects

Computer Science - Logic in Computer Science, Mathematics - Category Theory

Abstract

We introduce three general compositionality criteria over operational semantics and prove that, when all three are satisfied together, they guarantee weak bisimulation being a congruence. Our work is founded upon Turi and Plotkin's mathematical operational semantics and the coalgebraic approach to weak bisimulation by Brengos. We demonstrate each criterion with various examples of success and failure and establish a formal connection with the simply WB cool rule format of Bloom and van Glabbeek. In addition, we show that the three criteria induce lax models in the sense of Bonchi et al.

Published

2020

6. CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

Author

El-Korashy, Akram, Tsampas, Stelios, Patrignani, Marco, Devriese, Dominique, Garg, Deepak, and Piessens, Frank

Subjects

Computer Science - Programming Languages, Computer Science - Cryptography and Security

Abstract

Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The existing C to CHERI compiler, for example, achieves memory safety by following a principle called "pointers as capabilities" (PAC). Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide security guarantees for a compilation unit, even if that compilation unit is later linked to attacker-provided machine code. As such, this paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which should be of broad interest because it reuses the whole-program compiler correctness relation for full abstraction, thus saving work. We also implement our scheme for C on CHERI, show that we can compile legacy C code with minimal changes, and show that the performance overhead of compiled code is roughly proportional to the number of cross-compilation-unit function calls.

Published

2020

7. A categorical approach to secure compilation

Author

Tsampas, Stelios, Nuyts, Andreas, Devriese, Dominique, and Piessens, Frank

Subjects

Computer Science - Programming Languages, Computer Science - Logic in Computer Science

Abstract

We introduce a novel approach to secure compilation based on maps of distributive laws. We demonstrate through four examples that the coherence criterion for maps of distributive laws can potentially be a viable alternative for compiler security instead of full abstraction, which is the preservation and reflection of contextual equivalence. To that end, we also make use of the well-behavedness properties of distributive laws to construct a categorical argument for the contextual connotations of bisimilarity., Comment: Accepted in Coalgebraic Methods in Computer Science, ver. 2020

Published

2020

8. CopyCat: Controlled Instruction-Level Attacks on Enclaves

Author

Moghimi, Daniel, Van Bulck, Jo, Heninger, Nadia, Piessens, Frank, and Sunar, Berk

Subjects

Computer Science - Cryptography and Security

Abstract

The adversarial model presented by trusted execution environments (TEEs) has prompted researchers to investigate unusual attack vectors. One particularly powerful class of controlled-channel attacks abuses page-table modifications to reliably track enclave memory accesses at a page-level granularity. In contrast to noisy microarchitectural timing leakage, this line of deterministic controlled-channel attacks abuses indispensable architectural interfaces and hence cannot be mitigated by tweaking microarchitectural resources. We propose an innovative controlled-channel attack, named CopyCat, that deterministically counts the number of instructions executed within a single enclave code page. We show that combining the instruction counts harvested by CopyCat with traditional, coarse-grained page-level leakage allows the accurate reconstruction of enclave control flow at a maximal instruction-level granularity. CopyCat can identify intra-page and intra-cache line branch decisions that ultimately may only differ in a single instruction, underscoring that even extremely subtle control flow deviations can be deterministically leaked from secure enclaves. We demonstrate the improved resolution and practicality of CopyCat on Intel SGX in an extensive study of single-trace and deterministic attacks against cryptographic implementations, and give novel algorithmic attacks to perform single-trace key extraction that exploit subtle vulnerabilities in the latest versions of widely-used cryptographic libraries. Our findings highlight the importance of stricter verification of cryptographic implementations, especially in the context of TEEs., Comment: This paper will be presented at USENIX Security Symposium 2020. Please cite this work as: Daniel Moghimi, Jo Van Bulck, Nadia Heninger, Frank Piessens, Berk Sunar, "CopyCat: Controlled Instruction-Level Attacks on Enclaves" in Proceedings of the 29th USENIX Security Symposium, Boston, MA, August 2020

Published

2020

9. Gavial: Programming the web with multi-tier FRP

Author

Reynders, Bob, Piessens, Frank, and Devriese, Dominique

Subjects

Computer Science - Programming Languages

Abstract

Developing web applications requires dealing with their distributed nature and the natural asynchronicity of user input and network communication. For facilitating this, different researchers have explored the combination of a multi-tier programming language and functional reactive programming. However, existing proposals take this approach only part of the way (some parts of the application remain imperative) or remain naive, with no regard for avoiding glitches across network communication, network traffic overhead, compatibility with common APIs like XMLHttpRequest etc. In this paper, we present Gavial: the first mature design and implementation of multi-tier FRP that allows constructing an entire web application as a functionally reactive program. By applying a number of new ideas, we demonstrate that multi-tier FRP can in fact deal realistically with important practical aspects of building web applications. At the same time, we retain the declarative nature of FRP, where behaviors and events have an intuitive, compositional semantics and a clear dependency structure.

Published

2020

10. Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors: Extended Version

Author

Busi, Matteo, Noorman, Job, Van Bulck, Jo, Galletta, Letterio, Degano, Pierpaolo, Mühlberg, Jan Tobias, and Piessens, Frank

Subjects

Computer Science - Cryptography and Security

Abstract

Computer systems often provide hardware support for isolation mechanisms like privilege levels, virtual memory, or enclaved execution. Over the past years, several successful software-based side-channel attacks have been developed that break, or at least significantly weaken the isolation that these mechanisms offer. Extending a processor with new architectural or micro-architectural features, brings a risk of introducing new such side-channel attacks. This paper studies the problem of extending a processor with new features without weakening the security of the isolation mechanisms that the processor offers. We propose to use full abstraction as a formal criterion for the security of a processor extension, and we instantiate that criterion to the concrete case of extending a microprocessor that supports enclaved execution with secure interruptibility of these enclaves. This is a very relevant instantiation as several recent papers have shown that interruptibility of enclaves leads to a variety of software-based side-channel attacks. We propose a design for interruptible enclaves, and prove that it satisfies our security criterion. We also implement the design on an open-source enclave-enabled microprocessor, and evaluate the cost of our design in terms of performance and hardware size., Comment: Extended version of the paper "Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors"

Published

2020

11. Fallout: Reading Kernel Writes From User Space

Author

Minkin, Marina, Moghimi, Daniel, Lipp, Moritz, Schwarz, Michael, Van Bulck, Jo, Genkin, Daniel, Gruss, Daniel, Piessens, Frank, Sunar, Berk, and Yarom, Yuval

Subjects

Computer Science - Cryptography and Security, Computer Science - Hardware Architecture

Abstract

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors. In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution. Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.

Published

2019

12. A Systematic Evaluation of Transient Execution Attacks and Defenses

Author

Canella, Claudio, Van Bulck, Jo, Schwarz, Michael, Lipp, Moritz, von Berg, Benjamin, Ortner, Philipp, Piessens, Frank, Evtyushkin, Dmitry, and Gruss, Daniel

Subjects

Computer Science - Cryptography and Security

Abstract

Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Both the industry and academia are now focusing on finding effective defenses for known issues. However, we only have limited insight on residual attack surface and the completeness of the proposed defenses. In this paper, we present a systematization of transient execution attacks. Our systematization uncovers 6 (new) transient execution attacks that have been overlooked and not been investigated so far: 2 new exploitable Meltdown effects: Meltdown-PK (Protection Key Bypass) on Intel, and Meltdown-BND (Bounds Check Bypass) on Intel and AMD; and 4 new Spectre mistraining strategies. We evaluate the attacks in our classification tree through proof-of-concept implementations on 3 major CPU vendors (Intel, AMD, ARM). Our systematization yields a more complete picture of the attack surface and allows for a more systematic evaluation of defenses. Through this systematic evaluation, we discover that most defenses, including deployed ones, cannot fully mitigate all attack variants.

Published

2018

13. The Heisenberg Defense: Proactively Defending SGX Enclaves against Page-Table-Based Side-Channel Attacks

Author

Strackx, Raoul and Piessens, Frank

Subjects

Computer Science - Cryptography and Security

Abstract

Protected-module architectures (PMAs) have been proposed to provide strong isolation guarantees, even on top of a compromised system. Unfortunately, Intel SGX -- the only publicly available high-end PMA -- has been shown to only provide limited isolation. An attacker controlling the untrusted page tables, can learn enclave secrets by observing its page access patterns. Fortifying existing protected-module architectures in a real-world setting against side-channel attacks is an extremely difficult task as system software (hypervisor, operating system, ...) needs to remain in full control over the underlying hardware. Most state-of-the-art solutions propose a reactive defense that monitors for signs of an attack. Such approaches unfortunately cannot detect the most novel attacks, suffer from false-positives, and place an extraordinary heavy burden on enclave-developers when an attack is detected. We present Heisenberg, a proactive defense that provides complete protection against page table based side channels. We guarantee that any attack will either be prevented or detected automatically before {\em any} sensitive information leaks. Consequently, Heisenberg can always securely resume enclave execution -- even when the attacker is still present in the system. We present two implementations. Heisenberg-HW relies on very limited hardware features to defend against page-table-based attacks. We use the x86/SGX platform as an example, but the same approach can be applied when protected-module architectures are ported to different platforms as well. Heisenberg-SW avoids these hardware modifications and can readily be applied. Unfortunately, it's reliance on Intel Transactional Synchronization Extensions (TSX) may lead to significant performance overhead under real-life conditions.

Published

2017

14. Modular, Fully-abstract Compilation by Approximate Back-translation

Author

Devriese, Dominique, Patrignani, Marco, Piessens, Frank, and Keuchel, Steven

Subjects

Computer Science - Programming Languages

Abstract

A compiler is fully-abstract if the compilation from source language programs to target language programs reflects and preserves behavioural equivalence. Such compilers have important security benefits, as they limit the power of an attacker interacting with the program in the target language to that of an attacker interacting with the program in the source language. Proving compiler full-abstraction is, however, rather complicated. A common proof technique is based on the back-translation of target-level program contexts to behaviourally-equivalent source-level contexts. However, constructing such a back- translation is problematic when the source language is not strong enough to embed an encoding of the target language. For instance, when compiling from STLC to ULC, the lack of recursive types in the former prevents such a back-translation. We propose a general and elegant solution for this problem. The key insight is that it suffices to construct an approximate back-translation. The approximation is only accurate up to a certain number of steps and conservative beyond that, in the sense that the context generated by the back-translation may diverge when the original would not, but not vice versa. Based on this insight, we describe a general technique for proving compiler full-abstraction and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric cross-language logical relations and makes innovative use of step-indexing to express the relation between a context and its approximate back-translation. The proof extends easily to common compiler patterns such as modular compilation and it, to the best of our knowledge, it is the first compiler full abstraction proof to have been fully mechanised in Coq. We believe this proof technique can scale to challenging settings and enable simpler, more scalable proofs of compiler full-abstraction.

Published

2017

15. Side-Channel Attacks: A Short Tour

Author

Piessens, Frank, primary and van Oorschot, Paul C., additional

Published

2024

16. On Modular and Fully-Abstract Compilation -- Technical Appendix

Author

Patrignani, Marco, Devriese, Dominique, and Piessens, Frank

Subjects

Computer Science - Programming Languages

Abstract

Secure compilation studies compilers that generate target-level components that are as secure as their source-level counterparts. Full abstraction is the most widely-proven property when defining a secure compiler. A compiler is modular if it allows different components to be compiled independently and then to be linked together to form a whole program. Unfortunately, many existing fully-abstract compilers to untyped machine code are not modular. So, while fully-abstractly compiled components are secure from malicious attackers, if they are linked against each other the resulting component may become vulnerable to attacks. This paper studies how to devise modular, fully-abstract compilers. It first analyses the attacks arising when compiled programs are linked together, identifying security threats that are due to linking. Then, it defines a compiler from an object-based language with method calls and dynamic memory allocation to untyped assembly language extended with a memory isolation mechanism. The paper provides a proof sketch that the defined compiler is fully-abstract and modular, so its output can be linked together without introducing security violations., Comment: technical report

Published

2016

17. Robust authentication for automotive control networks through covert channels

Author

Vanderhallen, Stien, Van Bulck, Jo, Piessens, Frank, and Mühlberg, Jan Tobias

Published

2021

18. Featherweight VeriFast

Author

Jacobs, Bart, Vogels, Frédéric, and Piessens, Frank

Subjects

Computer Science - Logic in Computer Science

Abstract

VeriFast is a leading research prototype tool for the sound modular verification of safety and correctness properties of single-threaded and multithreaded C and Java programs. It has been used as a vehicle for exploration and validation of novel program verification techniques and for industrial case studies; it has served well at a number of program verification competitions; and it has been used for teaching by multiple teachers independent of the authors. However, until now, while VeriFast's operation has been described informally in a number of publications, and specific verification techniques have been formalized, a clear and precise exposition of how VeriFast works has not yet appeared. In this article we present for the first time a formal definition and soundness proof of a core subset of the VeriFast program verification approach. The exposition aims to be both accessible and rigorous: the text is based on lecture notes for a graduate course on program verification, and it is backed by an executable machine-readable definition and machine-checked soundness proof in Coq.

Published

2015

19. Improving Privacy Through Fast Passive Wi-Fi Scanning

Author

Goovaerts, Frederik, Acar, Gunes, Galvez, Rafael, Piessens, Frank, Vanhoef, Mathy, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Askarov, Aslan, editor, Hansen, René Rydhof, editor, and Rafnsson, Willard, editor

Published

2019

20. On the effectiveness of virtualization-based security

Author

Gadaleta, Francesco, Strackx, Raoul, Nikiforakis, Nick, Piessens, Frank, and Joosen, Wouter

Subjects

Computer Science - Cryptography and Security

Abstract

Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system., Comment: 12 pages, 07-10 May 2012, Max Planck Institute IT Security, Freiburg (Germany)

Published

2014

21. Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution

Author

Gyselinck, Jago, Van Bulck, Jo, Piessens, Frank, Strackx, Raoul, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Weikum, Gerhard, Series Editor, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Payer, Mathias, editor, Rashid, Awais, editor, and Such, Jose M., editor

Published

2018

22. Elmsvuur: A Multi-tier Version of Elm and its Time-Traveling Debugger

Author

Horemans, Jeff, Reynders, Bob, Devriese, Dominique, Piessens, Frank, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Wang, Meng, editor, and Owens, Scott, editor

Published

2018

23. Tracking Information Flow via Delayed Output : Addressing Privacy in IoT and Emailing Apps

Author

Bastys, Iulia, Piessens, Frank, Sabelfeld, Andrei, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, and Gruschka, Nils, editor

Published

2018

24. Transient Execution Attacks

Author

Piessens, Frank, primary

Published

2023

25. A Categorical Approach to Secure Compilation

Author

Tsampas, Stelios, primary, Nuyts, Andreas, additional, Devriese, Dominique, additional, and Piessens, Frank, additional

Published

2020

26. A Principled Approach to Tracking Information Flow in the Presence of Libraries

Author

Hedin, Daniel, Sjösten, Alexander, Piessens, Frank, Sabelfeld, Andrei, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Maffei, Matteo, editor, and Ryan, Mark, editor

Published

2017

27. Automatically Generating Secure Wrappers for SGX Enclaves from Separation Logic Specifications

Author

van Ginkel, Neline, Strackx, Raoul, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, and Chang, Bor-Yuh Evan, editor

Published

2017

28. Authentic Execution of Distributed Event-Driven Applications with a Small TCB

Author

Noorman, Job, Mühlberg, Jan Tobias, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Livraga, Giovanni, editor, and Mitchell, Chris, editor

Published

2017

29. Exploring the Ecosystem of Malicious Domain Registrations in the .eu TLD

Author

Vissers, Thomas, Spooren, Jan, Agten, Pieter, Jumpertz, Dirk, Janssen, Peter, Van Wesemael, Marc, Piessens, Frank, Joosen, Wouter, Desmet, Lieven, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Dacier, Marc, editor, Bailey, Michael, editor, Polychronakis, Michalis, editor, and Antonakakis, Manos, editor

Published

2017

30. CHERI-TrEE: Flexible enclaves on capability machines

Author

Van Strydonck, Thomas, Noorman, Job, Jackson, Jennifer, Alves Dias, Leonardo, Vanderstraeten, Robin, Oswald, David, Piessens, Frank, Devriese, Dominique, Noorman, Job, Jackson, Jennifer, Alves Dias, Leonardo, Vanderstraeten, Robin, Oswald, David, Piessens, Frank, and Devriese, Dominique

Subjects

ARM Morello, enclaves, capability machines, trusted execution, CHERI, CHERI-RISC-V, TEE

Abstract

This paper studies the integration of two successful hardware-supported security mechanisms: capabilities and enclaved execution. Capabilities are a powerful and flexible security mechanism for implementing fine-grained memory access control and compartmentalizing untrusted or buggy software components. Capabilities have a long history but have gained significant momentum recently, as evidenced by ARM’s experimental Morello processor that supports the Capability Hardware Enhanced RISC Instructions (CHERI). Enclaved execution is a popular mechanism for dynamically creating Trusted Execution Environments (TEEs), called enclaves. Enclaves are isolated execution contexts that protect the integrity and confidentiality of software in the enclave (even against compromised system software) and that support attestation. Integrating capabilities and enclaved execution in a single processor is challenging because they overlap partially in their security objectives, and a clean integration should unify the way in which these overlapping objectives are achieved. In addition, it is not obvious how attestation should interact with capabilities. In this paper, we propose CHERI-TrEE: a novel design for a processor that cleanly integrates support for both capabilities and enclaved execution. CHERI-TrEE targets low-end embedded systems without virtual memory. We show that CHERI-TrEE is greater than the sum of its parts by showing how it naturally supports useful features that have traditionally been hard to support in enclaved execution, like dynamically growing and shrinking enclaves, non-contiguous and nested enclaves, sharing of memory between enclaves etc. We implement our proposal both in hardware on a RISC-V processor, as well as in a small software hypervisor on top of ARM Morello, and evaluate impact on performance and hardware resources. ispartof: pages:1143-1159 ispartof: Proceedings of the 8th IEEE European Symposium on Security and Privacy pages:1143-1159 ispartof: 8th IEEE European Symposium on Security and Privacy location:Delft date:3 Jul - 7 Jun 2023 status: published

Published

2023

31. MicroProfiler: Principled Side-Channel Mitigation through Microarchitectural Profiling

Author

Bognar, Marton, primary, Winderix, Hans, additional, Van Bulck, Jo, additional, and Piessens, Frank, additional

Published

2023

32. CHERI-TrEE: Flexible enclaves on capability machines

Author

Van Strydonck, Thomas, primary, Noorman, Job, additional, Jackson, Jennifer, additional, Alves Dias, Leonardo, additional, Vanderstraeten, Robin, additional, Oswald, David, additional, Piessens, Frank, additional, and Devriese, Dominique, additional

Published

2023

33. The Browser as a Platform

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

34. Attacks on the Client-Side Context

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

35. Attacks on the Client Device

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

36. Attacks on the User’s Session

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

37. Attacks on the Network

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

38. Attacks on the Browser’s Requests

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

39. Improving Client-Side Web Security

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

40. How Attackers Threaten the Web

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

41. The Relevance of Client-Side Web Security

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

42. Traditional Building Blocks of the Web

Author

Ryck, Philippe De, Desmet, Lieven, Piessens, Frank, Johns, Martin, Zdonik, Stan, Series editor, Shekhar, Shashi, Series editor, Katz, Jonathan, Series editor, Wu, Xindong, Series editor, Jain, Lakhmi C., Series editor, Padua, David, Series editor, Shen, Xuemin (Sherman), Series editor, Furht, Borko, Series editor, Subrahmanian, V.S., Series editor, Hebert, Martial, Series editor, Ikeuchi, Katsushi, Series editor, Siciliano, Bruno, Series editor, Jajodia, Sushil, Series editor, Lee, Newton, Series editor, De Ryck, Philippe, Desmet, Lieven, Piessens, Frank, and Johns, Martin

Published

2014

43. An Implementation of a High Assurance Smart Meter Using Protected Module Architectures

Author

Mühlberg, Jan Tobias, Cleemput, Sara, Mustafa, Mustafa A., Van Bulck, Jo, Preneel, Bart, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Foresti, Sara, editor, and Lopez, Javier, editor

Published

2016

44. Let’s Face It: Faceted Values for Taint Tracking

Author

Schoepe, Daniel, Balliu, Musard, Piessens, Frank, Sabelfeld, Andrei, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Askoxylakis, Ioannis, editor, Ioannidis, Sotiris, editor, Katsikas, Sokratis, editor, and Meadows, Catherine, editor

Published

2016

45. Improving Privacy Through Fast Passive Wi-Fi Scanning

Author

Goovaerts, Frederik, primary, Acar, Gunes, additional, Galvez, Rafael, additional, Piessens, Frank, additional, and Vanhoef, Mathy, additional

Published

2019

46. Sound, Modular and Compositional Verification of the Input/Output Behavior of Programs

Author

Penninckx, Willem, Jacobs, Bart, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, and Vitek, Jan, editor

Published

2015

47. Lightweight and Flexible Trust Assessment Modules for the Internet of Things

Author

Mühlberg, Jan Tobias, Noorman, Job, Piessens, Frank, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Weikum, Gerhard, Series Editor, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Pernul, Günther, editor, Y A Ryan, Peter, editor, and Weippl, Edgar, editor

Published

2015

48. Secure Resource Sharing for Embedded Protected Module Architectures

Author

Van Bulck, Jo, Noorman, Job, Mühlberg, Jan Tobias, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Akram, Raja Naeem, editor, and Jajodia, Sushil, editor

Published

2015

49. Learning Assertions to Verify Linked-List Programs

Author

Mühlberg, Jan Tobias, White, David H., Dodds, Mike, Lüttgen, Gerald, Piessens, Frank, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Calinescu, Radu, editor, and Rumpe, Bernhard, editor

Published

2015

50. End-to-End Security for Distributed Event-Driven Enclave Applications on Heterogeneous TEEs

Author

Scopelliti, Gianluca, primary, Pouyanrad, Sepideh, additional, Noorman, Job, additional, Alder, Fritz, additional, Baumann, Christoph, additional, Piessens, Frank, additional, and Mühlberg, Jan Tobias, additional

Published

2023