Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
https://www.usenix.org/conference/usenixsecurity22/presentation/genkin [www.usenix.org]
2024-01-18 17:35
tags:
audio
crypto
gaming
hardware
paper
security
sidechannel
We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression.
Thus, we show, it is possible to conduct physical side-channel attacks on computation by remote and purely passive analysis of commonly-shared channels. These attacks require neither physical proximity (which could be mitigated by distance and shielding), nor the ability to run code on the target or configure its hardware. Consequently, we argue, physical side channels on PCs can no longer be excluded from remote-attack threat models.
We analyze the computation-dependent leakage captured by internal microphones, and empirically demonstrate its efficacy for attacks. In one scenario, an attacker steals the secret ECDSA signing keys of the counterparty in a voice call. In another, the attacker detects what web page their counterparty is loading. In the third scenario, a player in the Counter-Strike online multiplayer game can detect a hidden opponent waiting in ambush, by analyzing how the 3D rendering done by the opponent’s computer induces faint but detectable signals into the opponent’s audio feed.
paper: https://faculty.cc.gatech.edu/~genkin/papers/lendear.pdf
FreeBSD on Firecracker
https://www.usenix.org/publications/loginonline/freebsd-firecracker [www.usenix.org]
2023-08-24 15:14
tags:
freebsd
perf
programming
systems
virtualization
Experiences porting FreeBSD 14 to run on the Firecracker VMM
source: L
Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
https://www.usenix.org/system/files/sec22summer_genkin.pdf [www.usenix.org]
2022-05-06 00:55
tags:
crypto
exploit
opsec
paper
pdf
security
sidechannel
systems
We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression.
We analyze the computation-dependent leakage captured by internal microphones, and empirically demonstrate its efficacy for attacks. In one scenario, an attacker steals the secret ECDSA signing keys of the counterparty in a voice call. In another, the attacker detects what web page their counterparty is loading. In the third scenario, a player in the Counter-Strike online multiplayer game can detect a hidden opponent waiting in ambush, by analyzing how the 3D rendering done by the opponent’s computer induces faint but detectable signals into the opponent’s audio feed.
USENIX Security '19 Technical Sessions
https://www.usenix.org/conference/usenixsecurity19/technical-sessions [www.usenix.org]
2019-09-29 17:05
tags:
archive
paper
pdf
security
video
The full Proceedings published by USENIX for the conference are available for download below. Individual papers can also be downloaded from the presentation page.
The Restoration of Early UNIX Artifacts
https://www.usenix.org/legacy/event/usenix09/tech/full_papers/toomey/toomey.pdf [www.usenix.org]
2018-12-26 18:04
tags:
investigation
pdf
retro
unix
The history of the development of UNIX has been well documented, and over the past decade or so, efforts have been made to find and conserve the software and documentation artifacts from the earliest period of UNIX history. This paper details the work that has been done to restore the artifacts from this time to working order and the lessons learned from this work.
source: grugq
SoK: Make JIT-Spray Great Again
https://www.usenix.org/system/files/conference/woot18/woot18-paper-gawlik.pdf [www.usenix.org]
2018-11-15 21:01
tags:
browser
defense
exploit
javascript
jit
paper
pdf
security
In this paper, we survey and systematize the jungle of JIT compilers of major (client-side) programs, and provide a categorization of offensive techniques for abusing JIT compilation. Thereby, we present techniques used in academic as well as in non-academic works which try to break various defenses against memory-corruption vulnerabilities. Additionally, we discuss what mitigations arose to harden JIT compilers to impede exploitation by skilled attackers wanting to abuse Just-In-Time compilers.
The benefits and costs of writing a POSIX kernel in a high-level language
https://www.usenix.org/conference/osdi18/presentation/cutler [www.usenix.org]
2018-10-09 02:54
tags:
garbage-collection
go
paper
pdf
perf
systems
The paper contributes Biscuit, a kernel written in Go that implements enough of POSIX (virtual memory, mmap, TCP/IP sockets, a logging file system, poll, etc.) to execute significant applications. Biscuit makes liberal use of Go’s HLL features (closures, channels, maps, interfaces, garbage collected heap allocation), which subjectively made programming easier. The most challenging puzzle was handling the possibility of running out of kernel heap memory; Biscuit benefited from the analyzability of Go source to address this challenge.
Good enough to run nginx.
https://github.com/mit-pdos/biscuit
source: HN
Guarder: A Tunable Secure Allocator
https://www.usenix.org/conference/usenixsecurity18/presentation/silvestro [www.usenix.org]
2018-10-06 23:04
tags:
defense
malloc
paper
pdf
random
security
Due to the on-going threats posed by heap vulnerabilities, we design a novel secure allocator --- Guarder --- to defeat these vulnerabilities. Guarder is different from existing secure allocators in the following aspects. Existing allocators either have low/zero randomization entropy, or cannot provide stable security guarantees, where their entropies vary by object size classes, execution phases, inputs, or applications. Guarder ensures the desired randomization entropy, and provides an unprecedented level of security guarantee by combining all security features of existing allocators, with overhead that is comparable to performance-oriented allocators.
Source doesn’t appear live yet: https://github.com/UTSASRG/Guarder
source: L
Interpreter Exploitation
https://www.usenix.org/legacy/event/woot10/tech/full_papers/Blazakis.pdf [www.usenix.org]
2017-12-07 19:36
tags:
browser
defense
exploit
jit
paper
pdf
programming
security
This work illustrates two novel techniques to bypass these mitigations. The two techniques leverage the attack surface exposed by the script interpreters commonly accessible within the browser. The first technique, pointer inference, is used to find the memory address of a string of shellcode within the Adobe Flash Player’s ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to write shellcode to executable memory, bypassing DEP protections, by leveraging predictable behaviors of the ActionScript JIT compiler. Previous attacks are examined and future research directions are discussed.
source: grugq
USENIX Security 2017 Technical Sessions
https://www.usenix.org/conference/usenixsecurity17/technical-sessions [www.usenix.org]
2017-08-19 21:45
tags:
archive
defense
exploit
paper
pdf
security
systems
Lots more papers to read.
WOOT 2017 Workshop Program
https://www.usenix.org/conference/woot17/workshop-program [www.usenix.org]
2017-08-16 15:45
tags:
archive
defense
exploit
paper
pdf
security
systems
It’s over, but you can read papers and slides. Several really good talks.
SCONE: Secure Linux Containers with Intel SGX
https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf [www.usenix.org]
2017-02-18 16:57
tags:
cpu
defense
linux
paper
pdf
security
systems
virtualization
We describe SCONE, a secure container mechanism for Docker that uses the SGX trusted execution support of Intel CPUs to protect container processes from outside attacks. The design of SCONE leads to (i) a small trusted computing base (TCB) and (ii) a low performance overhead
source: solar
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pessl [www.usenix.org]
2016-11-13 23:25
tags:
cpu
exploit
hardware
paper
pdf
security
video
The never ending wormhole of RAM attacks continues, now with high speed covert channels.
ARMageddon: Cache Attacks on Mobile Devices
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/lipp [www.usenix.org]
2016-11-04 23:46
tags:
cpu
exploit
hardware
paper
pdf
security
video
Investigating the Origins of RSA Keys
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/svenda [www.usenix.org]
2016-11-04 00:33
tags:
crypto
math
paper
pdf
random
security
Primality testing is an imprecise practice, leading to detectable biases in the survivors that can be used for fingerprinting.
Another reason to prefer public key systems with simple key generation.