Moritz Lipp
Finding and Exploiting CPU Features using MSR Templating
To ensure backward compatibility while adding new features to CPUs, CPU vendors enable a limited CPU configuration via so-called model-specific registers (MSRs). These MSRs have been introduced for various features, such as debugging, perf…
Remote Memory-Deduplication Attacks
Memory utilization can be reduced by merging identical memory blocks into copy-on-write mappings. Previous work showed that this so-called memory deduplication can be exploited in local attacks to break ASLR, spy on other programs, and dete…
PLATYPUS: Software-based Power Side-Channel Attacks on x86
Power side-channel attacks exploit variations in power consumption to extract secrets from a device, e.g., cryptographic keys. Prior attacks typically required physical access to the target device and specialized equipment such as probes a…
Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors
To optimize the energy consumption and performance of their CPUs, AMD introduced a way predictor for the L1-data (L1D) cache to predict in which cache way a certain address is located. Consequently, only this way is accessed, significantly…
Nethammer: Inducing Rowhammer Faults through Network Requests
A fundamental assumption in software security is that memory contents do not change unless there is a legitimate deliberate modification. Classical fault attacks show that this assumption does not hold if the attacker has physical access. …
ConTExT: A Generic Approach for Mitigating Spectre
Out-of-order execution and speculative execution are among the biggest contributors to performance and efficiency of modern processors. However, they are inconsiderate, leaking secret data during the transient execution of instructions. Many…
ZombieLoad
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and ke…
Fallout
sponsorship: This work has been supported by the Austrian Research Promotion Agency (FFG) via the project ESPRESSO, which is funded by the Province of Styria and the Business Promotion Agencies of Styria and Carinthia. It was also supporte…
A Systematic Evaluation of Transient Execution Attacks and Defenses
Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation …
Fallout: Reading Kernel Writes From User Space
Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown…
ConTExT: Leakage-Free Transient Execution
Out-of-order execution and speculative execution are among the biggest contributors to performance and efficiency of modern processors. However, they are inconsiderate, leaking secret data during the transient execution of instructions. Ma…
ZombieLoad: Cross-Privilege-Boundary Data Sampling
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user and ke…
Spectre Attacks: Exploiting Speculative Execution
Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and …
A Systematic Evaluation of Transient Execution Attacks and Defenses
Research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events might leave secret-dependent traces in the CPU's microarchitectural state. This observation led to a proliferation …
Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker chan…
Another Flip in the Wall of Rowhammer Defenses
The Rowhammer bug allows unauthorized modification of bits in DRAM cells from unprivileged software, enabling powerful privilege-escalation attacks. Sophisticated Rowhammer countermeasures have been presented, aiming at mitigating the Rowh…
Meltdown
The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of o…
KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks
Besides cryptographic secrets, software-based side-channel attacks also leak sensitive user input. The most accurate attacks exploit cache timings or interrupt information to monitor keystroke timings and subsequently infer typed words and…
JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks
Modern web browsers are ubiquitously used by billions of users, connecting them to the world wide web. From the other side, web browsers do not only provide a unified interface for businesses to reach customers, but they also provide a unif…
KeyDrown: Eliminating Keystroke Timing Side-Channel Attacks
Besides cryptographic secrets, side-channel attacks also leak sensitive user input. The most accurate attacks exploit cache timings or interrupt information to monitor keystroke timings and subsequently infer typed words and sentences. Pre…
Prefetch Side-Channel Attacks
Modern operating systems use hardware support to protect against control flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kern…
Armageddon: Cache Attacks On Mobile Devices
In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more m…
ARMageddon: Last-Level Cache Attacks on Mobile Devices
In the last 10 years cache attacks on Intel CPUs have gained increasing attention among the scientific community. More specifically, powerful techniques to exploit the cache side channel have been developed. However, so far only a few inve…
ARMageddon: Cache Attacks on Mobile Devices
In the last 10 years, cache attacks on Intel x86 CPUs have gained increasing attention among the scientific community and powerful techniques to exploit cache side channels have been developed. However, modern smartphones use one or more m…