Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression.
We analyze the computation-dependent leakage captured by internal microphones, and empirically demonstrate its efficacy for attacks. In one scenario, an attacker steals the secret ECDSA signing keys of the counterparty in a voice call. In another, the attacker detects what web page their counterparty is loading. In the third scenario, a player in the Counter-Strike online multiplayer game can detect a hidden opponent waiting in ambush, by analyzing how the 3D rendering done by the opponent’s computer induces faint but detectable signals into the opponent’s audio feed.
USENIX Security '19 Technical Sessions
The full Proceedings published by USENIX for the conference are available for download below. Individual papers can also be downloaded from the presentation page.
The Restoration of Early UNIX Artifacts
The history of the development of UNIX has been well documented, and over the past decade or so, efforts have been made to find and conserve the software and documentation artifacts from the earliest period of UNIX history. This paper details the work that has been done to restore the artifacts from this time to working order and the lessons learned from this work.
SoK: Make JIT-Spray Great Again
In this paper, we survey and systematize the jungle of JIT compilers of major (client-side) programs, and provide a categorization of offensive techniques for abusing JIT compilation. Thereby, we present techniques used in academic as well as in non-academic works which try to break various defenses against memory-corruption vulnerabilities. Additionally, we discuss what mitigations arose to harden JIT compilers to impede exploitation by skilled attackers wanting to abuse Just-In-Time compilers.
The benefits and costs of writing a POSIX kernel in a high-level language
The paper contributes Biscuit, a kernel written in Go that implements enough of POSIX (virtual memory, mmap, TCP/IP sockets, a logging file system, poll, etc.) to execute significant applications. Biscuit makes liberal use of Go’s HLL features (closures, channels, maps, interfaces, garbage collected heap allocation), which subjectively made programming easier. The most challenging puzzle was handling the possibility of running out of kernel heap memory; Biscuit benefited from the analyzability of Go source to address this challenge.
Good enough to run nginx.
Guarder: A Tunable Secure Allocator
Due to the ongoing threats posed by heap vulnerabilities, we design a novel secure allocator --- Guarder --- to defeat these vulnerabilities. Guarder is different from existing secure allocators in the following aspects. Existing allocators either have low/zero randomization entropy, or cannot provide stable security guarantees, where their entropies vary by object size classes, execution phases, inputs, or applications. Guarder ensures the desired randomization entropy, and provides an unprecedented level of security guarantee by combining all security features of existing allocators, with overhead that is comparable to performance-oriented allocators.
Source doesn’t appear live yet: https://github.com/UTSASRG/Guarder
This work illustrates two novel techniques to bypass these mitigations. The two techniques leverage the attack surface exposed by the script interpreters commonly accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string of shellcode within the Adobe Flash Player’s ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write shellcode to executable memory, bypassing DEP protections, by leveraging predictable behaviors of the ActionScript JIT compiler. Previous attacks are examined and future research directions are discussed.
USENIX Security 2017 Technical Sessions
Lots more papers to read.
WOOT 2017 Workshop Program
It’s over, but you can read papers and slides. Several really good talks.
SCONE: Secure Linux Containers with Intel SGX
We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead.
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
The never-ending wormhole of RAM attacks continues, now with high-speed covert channels.
ARMageddon: Cache Attacks on Mobile Devices
Investigating the Origins of RSA Keys
Primality testing is an imprecise practice, leading to detectable biases in the survivors that can be used for fingerprinting.
Another reason to prefer public key systems with simple key generation.