News
Next Seminar on 27.10.2021
Written on 21.10.2021 14:12 by Stella Wohnig
Dear All,
The next seminar(s) take place on 27.10. at 14:00.
Session A: (RA3,4)
Christoph Steuer - Jonathan Busch - Jonas Büchner
https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09
Meeting ID: 967 8620 5841
Passcode: BT!u5=
Session B:
no talk this week
Session A:
14:00-14:30
Speaker: Christoph Steuer
Type of talk: Bachelor Intro
Advisor: Sven Bugiel
Title: Seamless installation of Trustlets with third-party application in Android
Research Area: RA4
Abstract:
In the modern world, the need for trusted computing is increasing. Whether it be cryptography, access control or credential validation, being able to trust a piece of software to do what it is supposed to do and not leak sensitive information is a very important step towards a more secure world.
From the hardware side, there are several platforms to support trusted computing, with technologies such as Intel Software Guard Extensions (Intel-SGX), Arm TrustZone or AMD Secure Encrypted Virtualization (SEV). However, this support has to be utilized by software to become useful to the end user.
In Android, there is support for the Trusted Execution Environment OP-TEE; however, the range of operations of trusted computing is severely limited because it is infeasible for applications to ship custom Trusted Applications, as there is no support during the app installation process to handle them. In the case of OP-TEE, users attempting to install trusted applications first need to have access to a root shell. However, unlike on other commonly used Linux distributions, obtaining root privileges on Android is a complex operation that has been made difficult and that, if attempted by inexperienced people, has a non-negligible chance to fail and potentially make the installed operating system inoperable. The only trusted computing that applications installed without root have access to comes in the form of Android features such as the key store, which function as an Application Programming Interface (API) to pre-defined trusted applications.
The goal of the thesis is to extend the Android app installation process to allow for installation of Trusted Applications for OP-TEE without compromising currently available security guarantees.
14:30-15:00
Speaker: Jonathan Busch
Type of talk: Bachelor Intro
Advisor: Dr. Michael Schwarz
Title: Power-ups for Chromium: Facilitate Side-Channel Research
Research Area: RA3
Abstract: In recent years, side-channel-based attacks have gained more and more importance. Instead of exploiting bugs, these novel attacks use side effects caused by software or hardware to infer secret information.
Low-level programming languages such as C or C++ are predominantly used to develop side-channel exploits, since they allow for controlling and measuring the microarchitectural state.
However, access to these low-level functions is not available for every programming language. For instance, JavaScript lacks some crucial functions used in side-channel attacks. Instead, one must use highly laborious workarounds to realize the same attacks. This makes testing whether a newly found side-channel attack works in JavaScript a time-consuming task.
In this work, we add low-level functions to Chromium’s JavaScript engine in order to facilitate this process. This allows researchers to build proof-of-concept scripts to check whether a new side-channel attack is feasible in JavaScript, to avoid developing expensive workarounds in vain. Additionally, we provide proofs of concept of well-known side-channel-based attacks such as Flush+Reload and Spectre utilizing our extended version of Chromium.
15:00-15:30
Speaker: Jonas Büchner
Type of talk: Bachelor Final
Advisor: Dr. Michael Schwarz
Title: (M)WAIT for It: Secret MONITORing using CPU Features
Research Area: RA3
Abstract: There is a plethora of attacks on the microarchitecture of current CPUs, of which side channels are among the most important. They not only leak cryptographic keys, but are used as a building block of the powerful Meltdown and Spectre attacks. Prominent examples of side channels, like Flush+Reload or Prime+Probe, exploit the timing differences between cache hits and cache misses. While these are well-demonstrated and strong attack primitives, they are inherently limited. By relying on the execution and timing of their own cache operations, they are susceptible to noise and, even more importantly, suffer from a "blind window": if a victim access occurs during the reloading phase, they cannot observe it.
We overcome this with the MONITOR/MWAIT instructions that are contained in the SSE3 extensions of all modern x86 CPUs. This pair of instructions is meant for power management and thread optimization. Its primary use is to wait for a change on a monitored address range and continue execution once a write, or another triggering event, occurs. While this aims at lock acquisition and synchronization, it seems to be meant to be exploited. We construct a side channel from the native behaviour of this instruction pair by using it on victim addresses.
This thesis presents a new deterministic side-channel primitive that does not rely on caches. It is more robust than common cache side channels and allows for monitoring victim memory without ever missing an access. We demonstrate its usability in proof-of-concept controlled-channel attacks against Intel's Software Guard Extensions, achieving an attack accuracy of 100%. We furthermore construct a double-fetch detection mechanism which reliably detects double-fetches above a threshold of a few thousand cycles. Finally, we evaluate the use of our primitive as a covert channel, indicating resistance of most systems against this attack.