Your search keyword '"side channels"' showing total 186 results

1. Semi-automated and Easily Interpretable Side-Channel Analysis for Modern JavaScript

Author

Fayolle, Iliana, Wichelmann, Jan, Köhl, Anja, Rudametkin, Walter, Eisenbarth, Thomas, Maurice, Clémentine, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Kohlweiss, Markulf, editor, Di Pietro, Roberto, editor, and Beresford, Alastair, editor

Published

2025

2. Revealing CNN Architectures via Side-Channel Analysis in Dataflow-based Inference Accelerators.

Author

Weerasena, Hansika and Mishra, Prabhat

Subjects

CONVOLUTIONAL neural networks, IMAGE recognition (Computer vision), AUTONOMOUS vehicles, DIAGNOSIS

Abstract

Convolutional Neural Networks (CNNs) are widely used in various domains, including image recognition, medical diagnosis and autonomous driving. Recent advances in dataflow-based CNN accelerators have enabled CNN inference in resource-constrained edge devices. These dataflow accelerators utilize inherent data reuse of convolution layers to process CNN models efficiently. Concealing the architecture of CNN models is critical for privacy and security. This article evaluates memory-based side-channel information to recover CNN architectures from dataflow-based CNN inference accelerators. The proposed attack exploits spatial and temporal data reuse of the dataflow mapping on CNN accelerators and architectural hints to recover the structure of CNN models. Experimental results demonstrate that our proposed side-channel attack can recover the structures of popular CNN models, namely, Lenet, Alexnet, VGGnet16, and YOLOv2. [ABSTRACT FROM AUTHOR]

Published

2024

3. Beat the Heat: Syscall Attack Detection via Thermal Side Channel.

Author

Vasilas, Teodora, Bacila, Claudiu, and Brad, Remus

Subjects

MACHINE learning, ELECTRONIC equipment, WEB browsing, DETECTORS, NOISE

Abstract

As the complexity and integration of electronic devices increase, understanding and mitigating side-channel vulnerabilities will remain a critical area of cybersecurity research. The new and intriguing software-based thermal side-channel attacks and countermeasures use thermal emissions from a device to extract or defend sensitive information, by reading information from the built-in thermal sensors via software. This work extends the Hot-n-Cold anomaly detection technique, applying it in circumstances much closer to the real-world computational environments by detecting irregularities in the Linux command behavior through CPU temperature monitoring. The novelty of this approach lies in the introduction of five types of noise across the CPU, including moving files, performing extended math computations, playing songs, and browsing the web while the attack detector is running. We employed Hot-n-Cold to monitor core temperatures on three types of CPUs utilizing two commonly used Linux terminal commands, ls and chmod. The results show a high correlation, approaching 0.96, between the original Linux command and a crafted command, augmented with vulnerable system calls. Additionally, a Machine Learning algorithm was used to classify whether a thermal trace is augmented or not, with an accuracy of up to 88%. This research demonstrates the potential for detecting attacks through thermal sensors even when there are different types of noise in the CPU, simulating a real-world scenario. [ABSTRACT FROM AUTHOR]

Published

2024

4. 3D printer audio and vibration side channel dataset for vulnerability research in additive manufacturing securityzenodo.org

Author

Christos Madamopoulos and Nektarios Georgios Tsoutsos

Subjects

Side channels, Side channel attacks, Additive manufacturing, 3D printing, Cyber physical systems, Cybersecurity, Computer applications to medicine. Medical informatics, R858-859.7, Science (General), Q1-390

Abstract

This dataset provides a comprehensive set of side channels from fused deposition modeling 3D printers in order to enable the research in the security of additive manufacturing processes against side channel attacks. These attacks exploit indirect signal emanations from physical processes to extract information about a system. Our data was collected using two different methods (iPhone app and Teensy 4.0 sensor system) on two different 3D printers (Bambu Lab P1P and A1 mini), and consists of two types of data, audio data in the form of the recording of the 3D printer's sound while printing, and vibration data in the form of the linear acceleration in the cartesian coordinates. The dataset includes data from 12 different 3D objects that cover a wide variety of movements made while 3D printing. Along with the side channels this dataset includes the source computer-aided design files of the objects, as well as .gcode and .3mf files used by the printers.

Published

2024

5. Contention-Based Threats Between Single-Tenant Cloud FPGA Instances

Author

Giechaskiel, Ilias, Tian, Shanquan, Szefer, Jakub, Szefer, Jakub, editor, and Tessier, Russell, editor

Published

2024

6. Joint Eavesdropping on the BB84 Decoy State Protocol with an Arbitrary Passive Light-source Side Channel.

Author

Babukhin, D. V. and Sych, D. V.

Abstract

Passive light-source side channel in quantum key distribution (QKD) provides additional information to an eavesdropper via various non-operational degrees of freedom of the optical signal. The currently known explicit eavesdropping strategies aimed at additional information gain from the passive light-source side channel were limited to the attack on the side channel and the operational degree of freedom separately. As a result, their efficiency is far from being optimal. Here we provide the joint eavesdropping strategy on both operational degree of freedom and the passive light-source side channel of the generic form, and develop a method to calculate the corresponding secret key rate. In particular, we use the optimal phase-covariant cloning of the signal photon state followed by a joint collective measurement of the side channel and the operational degree of freedom. To estimate security under the explicit attack strategy, we develop an "effective error" method and demonstrate it on the BB84 protocol with decoy states. Our work extends the practical analysis of QKD protocols with the light-source side channels and can be used as a tool for the analysis of realistic eavesdropping methods. [ABSTRACT FROM AUTHOR]

Published

2024

7. Generic SCARE: reverse engineering without knowing the algorithm nor the machine.

Author

Lashermes, Ronan and Le Bouder, Hélène

Abstract

We introduce a novel side-channel-based reverse engineering technique capable of reconstructing a procedure solely from inputs, outputs, and traces of execution. Beyond generic restrictions, we do not assume any prior knowledge of the procedure or the chip it operates on. These restrictions confine our analysis to 8-bit RISC constant-time software implementations. Specifically we demonstrate with simulated traces the theoretical feasibility of reconstructing a symmetric cryptographic cipher, even in scenarios where traces are sampled with information loss and noise, such as when measuring the power consumption of the chip. [ABSTRACT FROM AUTHOR]

Published

2024

8. Declining geomorphic diversity and potential adaptive management opportunities on a highly regulated reach of the Bighorn River, Montana.

Author

Foster, Melissa A., Godaire, Jeanne E., Hilldale, Robert C., Bradley, D. Nathan, and Boyd, Karin

Abstract

Rivers downstream from dams often experience decreased flow variability and disrupted sediment transport. We investigated a highly regulated 35.5-kilometre reach of the Bighorn River, downstream from Yellowtail Dam, emplaced in 1965. This dam created a thriving trout fishery, but more recently, side channel networks and habitat diminished. We document how the Bighorn River's anabranching morphology responded to flow regulation and a near cessation of sediment supply. Geomorphic diversity drastically decreased since 1939 and the Bighorn River abandoned numerous side channels. By 1980, geomorphic loss slowed, and the river became laterally static. The 1980 river and side channel network could represent the maximum areal extent of a downscaled morphology, maintained through restoration and adaptive management. However, side channel restoration alone will not return natural alluvial processes to this river reach. The Bighorn River needs sediment to reinstate dynamic lateral movement, even within a downscaled morphology. Sediment augmentation is an option, but more complex to implement on rivers where potential downstream impacts and landowners must be considered. The decline of geomorphic diversity and potential adaptive management solutions on the Bighorn River has wide applicability to numerous dammed rivers, where similar changes to the flow and sediment transport regime are common. [ABSTRACT FROM AUTHOR]

Published

2024

9. Beat the Heat: Syscall Attack Detection via Thermal Side Channel

Author

Teodora Vasilas, Claudiu Bacila, and Remus Brad

Subjects

Linux OS, thermal sensors, syscalls, side channels, security, Information technology, T58.5-58.64

Abstract

As the complexity and integration of electronic devices increase, understanding and mitigating side-channel vulnerabilities will remain a critical area of cybersecurity research. The new and intriguing software-based thermal side-channel attacks and countermeasures use thermal emissions from a device to extract or defend sensitive information, by reading information from the built-in thermal sensors via software. This work extends the Hot-n-Cold anomaly detection technique, applying it in circumstances much closer to the real-world computational environments by detecting irregularities in the Linux command behavior through CPU temperature monitoring. The novelty of this approach lies in the introduction of five types of noise across the CPU, including moving files, performing extended math computations, playing songs, and browsing the web while the attack detector is running. We employed Hot-n-Cold to monitor core temperatures on three types of CPUs utilizing two commonly used Linux terminal commands, ls and chmod. The results show a high correlation, approaching 0.96, between the original Linux command and a crafted command, augmented with vulnerable system calls. Additionally, a Machine Learning algorithm was used to classify whether a thermal trace is augmented or not, with an accuracy of up to 88%. This research demonstrates the potential for detecting attacks through thermal sensors even when there are different types of noise in the CPU, simulating a real-world scenario.

Published

2024

10. Embedded Watermarks

Author

Tehranipoor, Mark, Pundir, Nitin, Vashistha, Nidish, Farahmandi, Farimah, Tehranipoor, Mark, Pundir, Nitin, Vashistha, Nidish, and Farahmandi, Farimah

Published

2023

11. CPU Port Contention Without SMT

Author

Rokicki, Thomas, Maurice, Clémentine, Schwarz, Michael, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Atluri, Vijayalakshmi, editor, Di Pietro, Roberto, editor, Jensen, Christian D., editor, and Meng, Weizhi, editor

Published

2022

12. Black-box security : measuring black-box information leakage via machine learning

Author

Cherubin, Giovanni

Subjects

005.8, Black-box security, Machine learning, Leakage, Side channels, Privacy, Traffic analysis, Universal consistency

Abstract

Determining how much information about a secret is leaked by a system is one of the most fundamental questions in security and privacy. It gives roots to several fields, such as Cryptography and side channel studies, and it has countless applications, ranging from network traffic analysis attacks to program analysis. In this manuscript, we wish to measure the leakage (or security) of a system, considered as a black-box: we assume no knowledge of its internals, and we base our estimates on examples of secret inputs and respective outputs. We refer to this practice as Black-box security, which can be used whenever the system cannot be modelled formally (e.g., because its internals are too complex). Black-box security methods have been historically based on classical Statistics ideas, which although caused strong limitations: they required observing at least one example for each input-output combination, which does not scale to large real-world systems (e.g., they need several millions examples for a 10 bits input and 10 bits output), nor to those with continuous output. We here introduce new principles for Black-box security estimation, which originate from the Machine Learning (ML) theory. They are based on the following observation: measuring the leakage of a system is equivalent to estimating the error of an ML rule from a particular class: the universally consistent rules. This gives access to several new Black-box security estimators, which scale to large realworld systems, requiring fewer examples than previous methods. This also allows bringing from the ML literature: impossibility results, and the idea of features to improve an estimator's convergence. We apply these techniques to real-world problems, such as i) user location data, obfuscated with location-privacy mechanisms, and ii) for measuring the security of defences against a major traffic analysis attack, Webpage Fingerprinting (WF). Notably, the latter constitutes, to the best of our knowledge, the first security estimation method for generic WF defences, after roughly 15 years since this attack's introduction. We also suggest several extensions of the framework (e.g., continuous secret input space, and more general classes of adversaries), some of which inspired by recent advances in the ML theory (Conformal Prediction), and we envision future applications for our methods (e.g., Membership Inference attacks, and generic ML-based attacks).

Published

2019

13. Classifying Co-resident Computer Programs Using Information Revealed by Resource Contention.

Author

Langehaug, Tor, Borghetti, Brett, and Graham, Scott

Subjects

COMPUTER software, COMPUTER architecture, INFORMATION resources, MODERN architecture, COMPUTER security

Abstract

Modern computer architectures are complex, containing numerous components that can unintentionally reveal system operating properties. Defensive security professionals seek to minimize this kind of exposure while adversaries can leverage the data to attain an advantage. This article presents a novel covert interrogator program technique using light-weight sensor programs to target integer, floating point, and memory units within a computer's architecture to collect data that can be used to match a running program to a known set of programs with up to 100% accuracy under simultaneous multithreading conditions. This technique is applicable to a broad spectrum of architectural components, does not rely on specific vulnerabilities, nor requires elevated privileges. Furthermore, this research demonstrates the technique in a system with operating system containers intended to provide isolation guarantees that limit a user's ability to observe the activity of other users. In essence, this research exploits observable noise that is present whenever a program executes on a modern computer. This article presents interrogator program design considerations, a machine learning approach to identify models with high classification accuracy, and measures the effectiveness of the approach under a variety of program execution scenarios. [ABSTRACT FROM AUTHOR]

Published

2023

14. Detecting control system misbehavior by fingerprinting programmable logic controller functionality

Author

Stockman, Melissa, Dwivedi, Dipankar, Gentz, Reinhard, and Peisert, Sean

Subjects

Information and Computing Sciences, Engineering, Engineering Practice and Education, programmable logic controller, cybersecurity, side channels, cyber-physical systems, machine learning, Computation Theory and Mathematics, Civil Engineering

Abstract

In recent years, attacks such as the Stuxnet malware have demonstrated that cyberattacks against control systems cause extensive damage. These attacks can result in physical damage to the networked systems under their control. In this paper, we discuss our approach for detecting such attacks by distinguishing between programs running on a programmable logic controller (PLC) without having to monitor communications. Using power signatures generated by an attached, high-frequency power measurement device, we can identify what a PLC is doing and when an attack may have altered what the PLC should be doing. To accomplish this, we generated labeled data for testing our methods and applied feature engineering techniques and machine learning models. The results demonstrate that Random Forests and Convolutional Neural Networks classify programs with up to 98% accuracy for major program differences and 84% accuracy for minor differences. Our results can be used for both online and offline applications.

Published

2019

15. Detecting control system misbehavior by fingerprinting programmable logic controller functionality

Author

Stockman, M, Dwivedi, D, Gentz, R, and Peisert, S

Subjects

programmable logic controller, cybersecurity, side channels, cyber-physical systems, machine learning, Computation Theory and Mathematics, Civil Engineering

Abstract

In recent years, attacks such as the Stuxnet malware have demonstrated that cyberattacks against control systems cause extensive damage. These attacks can result in physical damage to the networked systems under their control. In this paper, we discuss our approach for detecting such attacks by distinguishing between programs running on a programmable logic controller (PLC) without having to monitor communications. Using power signatures generated by an attached, high-frequency power measurement device, we can identify what a PLC is doing and when an attack may have altered what the PLC should be doing. To accomplish this, we generated labeled data for testing our methods and applied feature engineering techniques and machine learning models. The results demonstrate that Random Forests and Convolutional Neural Networks classify programs with up to 98% accuracy for major program differences and 84% accuracy for minor differences. Our results can be used for both online and offline applications.

Published

2019

16. Attestation Waves: Platform Trust via Remote Power Analysis

Author

Delgado-Lozano, Ignacio M., Martínez-Rodríguez, Macarena C., Bakas, Alexandros, Brumley, Billy Bob, Michalas, Antonis, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Conti, Mauro, editor, Stevens, Marc, editor, and Krenn, Stephan, editor

Published

2021

17. An Investigation of Microarchitectural Cache-Based Side-Channel Attacks from a Digital Forensic Perspective: Methods of Exploits and Countermeasures

Author

Montasari, Reza, Tait, Bobby, Jahankhani, Hamid, Carroll, Fiona, Masys, Anthony J., Series Editor, Bichler, Gisela, Advisory Editor, Bourlai, Thirimachos, Advisory Editor, Johnson, Chris, Advisory Editor, Karampelas, Panagiotis, Advisory Editor, Leuprecht, Christian, Advisory Editor, Morse, Edward C., Advisory Editor, Skillicorn, David, Advisory Editor, Yamagata, Yoshiki, Advisory Editor, Montasari, Reza, editor, and Jahankhani, Hamid, editor

Published

2021

18. Game of Drones - Detecting Spying Drones Using Time Domain Analysis

Author

Nassi, Ben, Ben-Netanel, Raz, Shamir, Adi, Elovici, Yuval, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Dolev, Shlomi, editor, Margalit, Oded, editor, Pinkas, Benny, editor, and Schwarzmann, Alexander, editor

Published

2021

19. Leakage-Resilient Authenticated Encryption from Leakage-Resilient Pseudorandom Functions

Author

Krämer, Juliane, Struck, Patrick, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Bertoni, Guido Marco, editor, and Regazzoni, Francesco, editor

Published

2021

20. 3D printer audio and vibration side channel dataset for vulnerability research in additive manufacturing security.

Author

Madamopoulos C and Tsoutsos NG

Abstract

This dataset provides a comprehensive set of side channels from fused deposition modeling 3D printers in order to enable the research in the security of additive manufacturing processes against side channel attacks. These attacks exploit indirect signal emanations from physical processes to extract information about a system. Our data was collected using two different methods (iPhone app and Teensy 4.0 sensor system) on two different 3D printers (Bambu Lab P1P and A1 mini), and consists of two types of data, audio data in the form of the recording of the 3D printer's sound while printing, and vibration data in the form of the linear acceleration in the cartesian coordinates. The dataset includes data from 12 different 3D objects that cover a wide variety of movements made while 3D printing. Along with the side channels this dataset includes the source computer-aided design files of the objects, as well as .gcode and .3mf files used by the printers., (© 2024 The Author(s).)

Published

2024

21. Identification of Abnormal Functioning of Devices of Cyber-Physical Systems

Author

Semenov, V. V., Sukhoparov, M. E., Lebedev, I. S., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Galinina, Olga, editor, Andreev, Sergey, editor, Balandin, Sergey, editor, and Koucheryavy, Yevgeni, editor

Published

2020

22. A Systematic Appraisal of Side Channel Evaluation Strategies

Author

Azouaoui, Melissa, Bellizia, Davide, Buhan, Ileana, Debande, Nicolas, Duval, Sèbastien, Giraud, Christophe, Jaulmes, Èliane, Koeune, François, Oswald, Elisabeth, Standaert, François-Xavier, Whitnall, Carolyn, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, van der Merwe, Thyla, editor, Mitchell, Chris, editor, and Mehrnezhad, Maryam, editor

Published

2020

23. Automatic Detection and Repair of Transition- Based Leakage in Software Binaries

Author

Athanasiou, Konstantinos, Wahl, Thomas, Ding, A. Adam, Fei, Yunsi, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Christakis, Maria, editor, Polikarpova, Nadia, editor, Duggirala, Parasara Sridhar, editor, and Schrammel, Peter, editor

Published

2020

24. Validation of Abstract Side-Channel Models for Computer Architectures

Author

Nemati, Hamed, Buiras, Pablo, Lindner, Andreas, Guanciale, Roberto, Jacobs, Swen, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Lahiri, Shuvendu K., editor, and Wang, Chao, editor

Published

2020

25. Quantifying Information Leakage Using Model Counting Constraint Solvers

Author

Bultan, Tevfik, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Chakraborty, Supratik, editor, and Navas, Jorge A., editor

Published

2020

26. Evaluation of Cache Attacks on Arm Processors and Secure Caches.

Author

Deng, Shuwen, Matyunin, Nikolay, Xiong, Wenjie, Katzenbeisser, Stefan, and Szefer, Jakub

Subjects

*ARM microprocessors, *CACHE memory, *RADIO frequency

Abstract

Timing-based side and covert channels in processor caches continue to be a threat to modern computers. This work shows for the first time, a systematic, large-scale analysis of Arm devices and the detailed results of attacks the processors are vulnerable to. Compared to x86, Arm uses different architectures, microarchitectural implementations, cache replacement policies, etc., which affects how attacks can be launched, and how security testing for the vulnerabilities should be done. To evaluate security, this paper presents security benchmarks specifically developed for testing Arm processors and their caches. The benchmarks are evaluated with sensitivity tests, which examine how sensitive the benchmarks are to having a correct configuration in the testing phase. Further, to evaluate a large number of devices, this work leverages a novel approach of using a cloud-based Arm device testbed for architectural and security research on timing channels and runs the benchmarks on 34 different physical devices. In parallel, there has been much interest in secure caches to defend the various attacks. Consequently, this paper also investigates secure cache architectures using proposed benchmarks. Especially, this paper implements and evaluates secure PL and RF caches, showing the security of PL and RF caches, but also uncovers new weaknesses. [ABSTRACT FROM AUTHOR]

Published

2022

27. Leaking Secrets Through Modern Branch Predictors in the Speculative World.

Author

Chowdhuryy, Md Hafizul Islam and Yao, Fan

Subjects

*COMPUTER systems, *SPECULATION, *TRANSIENT analysis, *SQUASHES

Abstract

Transient execution attacks that exploit speculation have raised significant concerns in computer systems. Typically, branch predictors are leveraged to trigger mis-speculation in transient execution attacks. In this work, we demonstrate a new class of speculation-based attacks that targets the branch prediction unit (BPU). We find that speculative resolution of conditional branches (i.e., in nested speculation) alter the states of pattern history table (PHT) in modern processors, which are not restored after the corresponding branches are later squashed. Such characteristic allows attackers to exploit the BPU as the secret transmitting medium in transient execution attacks. To evaluate the discovered vulnerability, we build a novel attack framework, BranchSpectre, that enables exfiltration of unintended secrets through observing speculative PHT updates (in the form of covert and side channels). We further investigate the PHT collision mechanism in the history-based predictor and the branch prediction mode transitions in Intel processors. Built upon such knowledge, we implement an ultra-high speed covert channel (BranchSpectre-cc) as well as two side channels (i.e., BranchSpectre-v1 and BranchSpectre-v2) that merely rely on BPU for mis-speculation trigger and secret inference in the speculative domain. Notably, BranchSpectre side channels can take advantage of much simpler code patterns than those used in Spectre attacks. We present an extensive BranchSpectre code gadget analysis on a set of popular real-world application code bases followed by a demonstration of side channel attack on OpenSSL. The evaluation results show substantially wider existence and higher exploitability of BranchSpectre code patterns in real-world software. Finally, we discuss several secure branch prediction mechanisms that can mitigate transient execution attacks exploiting modern branch predictors. [ABSTRACT FROM AUTHOR]

Published

2022

28. NeuralD: Detecting Indistinguishability Violations of Oblivious RAM With Neural Distinguishers.

Author

Ma, Pingchuan, Liu, Zhibo, Yuan, Yuanyuan, and Wang, Shuai

Abstract

Adversaries can deduce confidential information processed by a program by analyzing its memory access patterns. Oblivious RAM (ORAM) converts a sequence of program memory accesses to an oblivious form, hence preventing adversarial inference. In recent years, a flourishing growth of sophisticated and effective ORAM protocols has occurred. Nonetheless, due to the complexity of these protocols, some of them contain defects in their implementations or even in their design, jeopardizing their obliviousness when processing certain memory access sequences. In this paper, we present NeuralD, a practical tool for testing ORAM protocols and detecting violations of their stated obliviousness. We train a neural distinguisher to form a probabilistic testing oracle capable of determining with a bounded high probability if a pair of ORAM inputs violates the obliviousness guarantee. NeuralD incorporates a set of techniques and optimizations to provide a highly effective and practical testing pipeline. Additionally, it features a delta debugging-like method to minimize error-triggering inputs (i.e., counterexamples) — developers can use these counterexamples to debug their ORAM protocols and identify root problems. NeuralD is evaluated using well-known ORAM protocols and real-world ORAM applications (e.g., secure key-value storage). Within a few minutes, NeuralD can detect subtle violations of stated obliviousness. [ABSTRACT FROM AUTHOR]

Published

2022

29. A compiler and verifier for page access oblivious computation

Author

Sinha, Rohit, Rajamani, Sriram, and Seshia, Sanjit A

Subjects

Enclave Programs, Secure Systems, Confidentiality, Side Channels

Abstract

Trusted hardware primitives such as Intel’s SGX instructions provide applications with a protected address space, called an enclave, for trusted code and data. However, building enclaves that preserve confidentiality of sensitive data continues to be a challenge. The developer must not only avoid leaking secrets via the enclave’s outputs but also prevent leaks via side channels induced by interactions with the untrusted platform. Recent attacks have demonstrated that simply observing the page faults incurred during an enclave’s execution can reveal its secrets if the enclave makes data accesses or control flow decisions based on secret values. To address this problem, a developer needs compilers to automatically produce confidential programs, and verification tools to certify the absence of secret-dependent page access patterns (a property that we formalize as page-access obliviousness). To that end, we implement an efficient compiler for a type and memory-safe language, a compiler pass that enforces page-access obliviousness with low runtime overheads, and an automatic, modular verifier that certifies page-access obliviousness at the machine-code level, thus removing the compiler from our trusted computing base. We evaluate this toolchain on several machine learning algorithms and image processing routines that we run within SGX enclaves.

Published

2017

30. Faulty Point Unit: ABI Poisoning Attacks on Trusted Execution Environments.

Author

ALDER, FRITZ, VAN BULCK, JO, SPIELMAN, JESSE, OSWALD, DAVID, and PIESSENS, FRANK

Subjects

MACHINE learning, COMPILERS (Computer programs), PROGRAMMING software

Abstract

This article analyzes a previously overlooked attack surface that allows unprivileged adversaries to impact floating-point computations in enclaves through the Application Binary Interface (ABI). In a comprehensive study across 7 industry-standard and research enclave shielding runtimes for Intel Software Guard Extensions (SGX), we show that control and state registers of the x87 Floating-Point Unit (FPU) and Intel Streaming SIMD Extensions are not always properly sanitized on enclave entry. We furthermore show that this attack goes beyond the x86 architecture and can also affect RISC-V enclaves. Focusing on SGX, we abuse the adversary's control over precision and rounding modes as an ABI fault injection primitive to corrupt enclaved floating-point operations. Our analysis reveals that this is especially relevant for applications that use the older x87 FPU, which is still under certain conditions used by modern compilers. We exemplify the potential impact of ABI quality-degradation attacks for enclaved machine learning and for the SPEC benchmarks. We then explore the impact on confidentiality, showing that control over exception masks can be abused as a controlled channel to recover enclaved multiplication operands. Our findings, affecting 5 of 7 studied SGX runtimes and one RISC-V runtime, demonstrate the challenges of implementing high-assurance trusted execution across computing architectures. [ABSTRACT FROM AUTHOR]

Published

2022

31. Sponges Resist Leakage: The Case of Authenticated Encryption

Author

Degabriele, Jean Paul, Janson, Christian, Struck, Patrick, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Galbraith, Steven D., editor, and Moriai, Shiho, editor

Published

2019

32. Efficient Information-Flow Verification Under Speculative Execution

Author

Bloem, Roderick, Jacobs, Swen, Vizel, Yakir, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Chen, Yu-Fang, editor, Cheng, Chih-Hong, editor, and Esparza, Javier, editor

Published

2019

33. Assessment of the Key-Reuse Resilience of NewHope

Author

Bauer, Aurélie, Gilbert, Henri, Renault, Guénaël, Rossi, Mélissa, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, and Matsui, Mitsuru, editor

Published

2019

34. Protecting Cloud-Based CIs: Covert Channel Vulnerabilities at the Resource Level

Author

Vateva-Gurova, Tsvetoslava, Manzoor, Salman, Trapero, Ruben, Suri, Neeraj, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Fournaris, Apostolos P., editor, Lampropoulos, Konstantinos, editor, and Marín Tordera, Eva, editor

Published

2019

35. Inferring UI States of Mobile Applications Through Power Side Channel Exploitation

Author

Guo, Yao, Ma, Junming, Wu, Wenjun, Chen, Xiangqun, Akan, Ozgur, Series Editor, Bellavista, Paolo, Series Editor, Cao, Jiannong, Series Editor, Coulson, Geoffrey, Series Editor, Dressler, Falko, Series Editor, Ferrari, Domenico, Series Editor, Gerla, Mario, Series Editor, Kobayashi, Hisashi, Series Editor, Palazzo, Sergio, Series Editor, Sahni, Sartaj, Series Editor, Shen, Xuemin (Sherman), Series Editor, Stan, Mircea, Series Editor, Xiaohua, Jia, Series Editor, Zomaya, Albert Y., Series Editor, Beyah, Raheem, editor, Chang, Bing, editor, Li, Yingjiu, editor, and Zhu, Sencun, editor

Published

2018

36. Quantitative estimation of side-channel leaks with neural networks.

Author

Tizpaz-Niari, Saeid, Černý, Pavol, Sankaranarayanan, Sriram, and Trivedi, Ashutosh

Subjects

*ARTIFICIAL neural networks, *ALGORITHMS, *TRACE analysis, *SYNTAX (Grammar), *INFORMATION networks

Abstract

Information leaks via side channels remain a challenging problem to guarantee confidentiality. Static analysis is a prevalent approach for detecting side channels. However, the side-channel analysis poses challenges to the static techniques since they arise from non-functional aspects of systems and require an analysis of multiple traces. In addition, the outcome of static analysis is usually restricted to binary answers. In practice, real-world applications may need to disclose some aspects of the confidential information to ensure desired functionality. Therefore, quantification techniques are necessary to evaluate the resulting threats. In this paper, we propose a dynamic analysis technique to detect and quantify side channels. Our novel approach is to split the problem into two tasks. First, we learn a timing model of the program as a neural network. While the program implements the functionality, the neural network models the non-functional property that does not exist in the syntax or semantics of programs. Second, we analyze the neural network to quantify information leaks. As demonstrated in our experiments, both of these tasks are feasible in practice—making the approach a significant improvement over state-of-the-art side channel detectors and quantifiers. Thus, our key technical contributions are (a) a binarized neural network architecture that enables side-channel discovery and (b) a novel MILP-based counting algorithm to estimate the side-channel strength. On a set of benchmarks, we show that neural network models the timing of programs with thousands of methods precisely. We also show that neural networks with thousands of neurons can be efficiently analyzed to quantify information leaks via timing side channels. [ABSTRACT FROM AUTHOR]

Published

2021

37. Gimli : A Cross-Platform Permutation

Author

Bernstein, Daniel J., Kölbl, Stefan, Lucks, Stefan, Massolino, Pedro Maat Costa, Mendel, Florian, Nawaz, Kashif, Schneider, Tobias, Schwabe, Peter, Standaert, François-Xavier, Todo, Yosuke, Viguier, Benoît, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Fischer, Wieland, editor, and Homma, Naofumi, editor

Published

2017

38. LAZARUS: Practical Side-Channel Resilient Kernel-Space Randomization

Author

Gens, David, Arias, Orlando, Sullivan, Dean, Liebchen, Christopher, Jin, Yier, Sadeghi, Ahmad-Reza, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Dacier, Marc, editor, Bailey, Michael, editor, Polychronakis, Michalis, editor, and Antonakakis, Manos, editor

Published

2017

39. Moving Target Defense Mechanism for Side-Channel Attacks.

Author

Vuppala, Satyanarayana, Mady, Alie El-Din, and Kuenzi, Adam

Abstract

In this paper, we present a side-channel resilient moving target defense mechanism against power-/electromagnetic-based side-channel attacks. Recent countermeasures use fresh rekeying after every encryption/decryption process; this causes major overhead in synchronizing the communicating parties. In contrast to previous work, our mechanism integrates fresh rekeying and masking techniques at an interval, where these techniques are driven by the maximum number of side-channel leakage traces required toward a successful embedded attack. Hence, the mechanism tracks the effect of attacks on the number of traces, and consequently applies rekeying at suitable intervals to reduce the computational/communication overhead, while increasing the attack cost. The mechanism scalability was evaluated against an advanced attack model based on machine learning methods that reduces significantly the number of traces required for a successful attack under masking implementation. [ABSTRACT FROM AUTHOR]

Published

2020

40. EMFORCED: EM-Based Fingerprinting Framework for Remarked and Cloned Counterfeit IC Detection Using Machine Learning Classification.

Author

Stern, Andrew, Botero, Ulbert, Rahman, Fahim, Forte, Domenic, and Tehranipoor, Mark

Subjects

FISHER discriminant analysis, INTEGRATED circuit design, FORGERY, MICROPROCESSORS, PRINCIPAL components analysis, CRYOELECTRONICS, INTEGRATED circuits

Abstract

Electronics supply chain vulnerabilities have broadened in scope over the past two decades. With nearly all integrated circuit (IC) design companies relinquishing their fabrication, packaging, and test facilities, they are forced to rely upon companies from around the world to produce their ICs. This dependence leaves the electronics supply chain open to counterfeiting activities. In this article, we propose an electromagnetic (EM)-based fingerprinting framework, called EMFORCED, to detect remarked and cloned counterfeit ICs. Here, we demonstrate the benefits of using naturally occurring EM side channels to identify the IC design layout without decapsulating the chip under test. Enabling only the clock, $V_{\mathrm{ dd}}$ , and ground pins allows us to generate a design-specific fingerprint that is dependent upon the physical parameters of the chip under test. EMFORCED leverages the EM emissions from the clock distribution network to create a holistic, design-level, fingerprint, including both temporal information and spatial information. We utilize the fingerprint information of functionally similar 8051-series microprocessors from three vendors and perform unsupervised (principal component analysis) and supervised (linear discriminant analysis) machine learning methods on all ICs to determine their intravendor and intervendor similarities. We acquired ICs from multiple dates and lot codes along with variants acquired from the gray market and analyzed them for authenticity using physical inspection and X-ray tomography. Statistical analysis and machine learning techniques are used to demonstrate the reference-free and reference-inclusive classification methods based on EMFORCED measurements. We demonstrate the classification accuracies of 99.46% and 100% for unsupervised and supervised approaches, respectively. [ABSTRACT FROM AUTHOR]

Published

2020

41. Counting Keys in Parallel After a Side Channel Attack

Author

Martin, Daniel P., O’Connell, Jonathan F., Oswald, Elisabeth, Stam, Martijn, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Iwata, Tetsu, editor, and Cheon, Jung Hee, editor

Published

2015

42. A Leakage Resilient MAC

Author

Martin, Daniel P., Oswald, Elisabeth, Stam, Martijn, Wójcik, Marcin, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, and Groth, Jens, editor

Published

2015

43. Dynamically Provisioning Isolation in Hierarchical Architectures

Author

Falzon, Kevin, Bodden, Eric, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Lopez, Javier, editor, and Mitchell, Chris J., editor

Published

2015

44. The Temperature Side Channel and Heating Fault Attacks

Author

Hutter, Michael, Schmidt, Jörn-Marc, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Francillon, Aurélien, editor, and Rohatgi, Pankaj, editor

Published

2014

45. A characterization of side channel development.

Author

Denderen, R. Pepijn, Schielen, Ralph M. J., Straatsma, Menno W., Kleinhans, Maarten G., and Hulscher, Suzanne J. M. H.

Subjects

FLOOD risk, RIVERS, SEDIMENTS

Abstract

Side channels are commonly constructed to reduce the flood risk or to increase the ecological value of a river. Such artificial side channels generally aggrade. We categorize the development of side channels based on the sediment that is deposited in these channels. Based on this categorization, we determine the main mechanisms that affect their development, and we propose an initial framework on how to predict the long‐term development of side channels. The results can be used to design, operate, and maintain side channel systems. [ABSTRACT FROM AUTHOR]

Published

2019

46. Digital Audio Signature for 3D Printing Integrity.

Author

Belikovetsky, Sofia, Solewicz, Yosef A., Yampolskiy, Mark, Toh, Jinghui, and Elovici, Yuval

Abstract

Additive manufacturing (AM, or 3D printing) is a novel manufacturing technology that has been adopted in industrial and consumer settings. However, the reliance of this technology on computerization has raised various security concerns. In this paper, we address issues associated with sabotage via tampering during the 3D printing process by presenting an approach that can verify the integrity of a 3D printed object. Our approach operates on acoustic side-channel emanations generated by the 3D printer’s stepper motors, which results in a non-intrusive and real-time validation process that is difficult to compromise. The proposed approach constitutes two algorithms. The first algorithm is used to generate a master audio fingerprint for the verifiable unaltered printing process. The second algorithm is applied when the same 3D object is printed again, and this algorithm validates the monitored 3D printing process by assessing the similarity of its audio signature with the master audio fingerprint. To evaluate the quality of the proposed thresholds, we identify the detectability thresholds for the following minimal tampering primitives: insertion, deletion, replacement, and modification of a single tool path command. By detecting the deviation at the time of occurrence, we can stop the printing process for compromised objects, thus saving time and preventing material waste. We discuss various factors that impact the method, such as background noise, audio device changes, and different audio recorder positions. [ABSTRACT FROM AUTHOR]

Published

2019

47. Android Security Permissions – Can We Trust Them?

Author

Orthacker, Clemens, Teufl, Peter, Kraxberger, Stefan, Lackner, Günther, Gissing, Michael, Marsalek, Alexander, Leibetseder, Johannes, Prevenhueber, Oliver, Akan, Ozgur, Series editor, Bellavista, Paolo, Series editor, Cao, Jiannong, Series editor, Dressler, Falko, Series editor, Ferrari, Domenico, Series editor, Gerla, Mario, Series editor, Kobayashi, Hisashi, Series editor, Palazzo, Sergio, Series editor, Sahni, Sartaj, Series editor, Shen, Xuemin (Sherman), Series editor, Stan, Mircea, Series editor, Xiaohua, Jia, Series editor, Zomaya, Albert, Series editor, Coulson, Geoffrey, Series editor, Prasad, Ramjee, editor, Farkas, Károly, editor, Schmidt, Andreas U., editor, Lioy, Antonio, editor, Russello, Giovanni, editor, and Luccio, Flaminia L., editor

Published

2012

48. Security Implications of Crosstalk in Switching CMOS Gates

Author

Dyrkolbotn, Geir Olav, Wold, Knut, Snekkenes, Einar, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Sudan, Madhu, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Vardi, Moshe Y., Series editor, Weikum, Gerhard, Series editor, Burmester, Mike, editor, Tsudik, Gene, editor, Magliveras, Spyros, editor, and Ilić, Ivana, editor

Published

2011

49. The Danger of Minimum Exposures: Understanding Cross-App Information Leaks on iOS through Multi-Side-Channel Learning.

Author

Wang Z, Guan J, Wang X, Wang W, Xing L, and Alharbi F

Abstract

Research on side-channel leaks has long been focusing on the information exposure from a single channel (memory, network traffic, power, etc.). Less studied is the risk of learning from multiple side channels related to a target activity (e.g., website visits) even when individual channels are not informative enough for an effective attack. Although the prior research made the first step on this direction, inferring the operations of foreground apps on iOS from a set of global statistics, still less clear are how to determine the maximum information leaks from all target-related side channels on a system, what can be learnt about the target from such leaks and most importantly, how to control information leaks from the whole system, not just from an individual channel. To answer these fundamental questions, we performed the first systematic study on multi-channel inference, focusing on iOS as the first step. Our research is based upon a novel attack technique, called Mischief, which given a set of potential side channels related to a target activity (e.g., foreground apps), utilizes probabilistic search to approximate an optimal subset of the channels exposing most information, as measured by Merit Score, a metric for correlation-based feature selection. On such an optimal subset, an inference attack is modeled as a multivariate time series classification problem, so the state-of-the-art deep-learning based solution, InceptionTime in particular, can be applied to achieve the best possible outcome. Mischief is found to work effectively on today's iOS (16.2), identifying foreground apps, website visits, sensitive IoT operations (e.g., opening the door) with a high confidence, even in an open-world scenario, which demonstrates that the protection Apple puts in place against the known attack is inadequate. Also importantly, this new understanding enables us to develop more comprehensive protection, which could elevate today's side-channel research from suppressing leaks from individual channels to controlling information exposure across the whole system.

Published

2023

50. A Directive Antenna Based on Conducting Disks for Detecting Unintentional EM Emissions at Large Distances.

Author

Juyal, Prateek, Adibelli, Sinan, Sehatbakhsh, Nader, and Zajic, Alenka

Subjects

*DIRECTIONAL antennas, *PLANAR antennas, *ELECTROMAGNETIC coupling, *ALUMINUM sheets, *ANTENNA arrays

Abstract

This paper proposes a novel high-gain planar antenna design that consists of conducting metallic disks suspended on air and operates at 1 GHz. The antenna is designed for receiving the unintentional electromagnetic emanations generated by one or multiple embedded, “smart” electronic systems. The antenna consists of two layers of slotted conducting metal disks suspended on air and placed above the ground plane using teflon screws. The circular disks are designed to operate in higher order ${TM}_{12}$ mode. The screws’ location is the electric field nulls along the disk radius. The upper layer is $2 \times 2$ array of slotted circular disks electromagnetically coupled by the lower identical disk which is fed directly by a single coaxial feed. The complete fabrication of the antenna is done using aluminum metal sheets and involves no use of the dielectric substrate. The antenna has a peak gain of 19 dBi with impedance bandwidth ($S_{11}\le -6$ dB) of 6.7%. The simple and cost-effective design can be easily scaled to higher frequencies. [ABSTRACT FROM AUTHOR]

Published

2018