-
Towards Practical Fabrication Stage Attacks Using Interrupt-Resilient Hardware Trojans
Authors:
Athanasios Moschos,
Fabian Monrose,
Angelos D. Keromytis
Abstract:
We introduce a new class of hardware trojans called interrupt-resilient trojans (IRTs). Our work is motivated by the observation that hardware trojan attacks on CPUs, even under favorable attack scenarios (e.g., an attacker with local system access), are affected by unpredictability due to non-deterministic context switching events. As we confirm experimentally, these events can lead to race condi…
▽ More
We introduce a new class of hardware trojans called interrupt-resilient trojans (IRTs). Our work is motivated by the observation that hardware trojan attacks on CPUs, even under favorable attack scenarios (e.g., an attacker with local system access), are affected by unpredictability due to non-deterministic context switching events. As we confirm experimentally, these events can lead to race conditions between trigger signals and the CPU events targeted by the trojan payloads (e.g., a CPU memory access), thus affecting the reliability of the attacks. Our work shows that interrupt-resilient trojans can successfully address the problem of non-deterministic triggering in CPUs, thereby providing high reliability guarantees in the implementation of sophisticated hardware trojan attacks. Specifically, we successfully utilize IRTs in different attack scenarios against a Linux-capable CPU design and showcase its resilience against context-switching events. More importantly, we show that our design allows for seamless integration during fabrication stage attacks.We evaluate different strategies for the implementation of our attacks on a tape-out ready high-speed RISC-V microarchitecture in a 28nm commercial technology process and successfully implement them with an average overhead delay of only 20 picoseconds, while leaving the sign-off characteristics of the layout intact. In doing so, we challenge the common wisdom regarding the low flexibility of late supply chain stages (e.g., fabrication) for the insertion of powerful trojans. To promote further research on microprocessor trojans, we open-source our designs and provide the accompanying supporting software logic.
△ Less
Submitted 2 May, 2024; v1 submitted 15 March, 2024;
originally announced March 2024.
-
Redirect2Own: Protecting the Intellectual Property of User-uploaded Content through Off-site Indirect Access
Authors:
Georgios Kontaxis,
Angelos D. Keromytis,
Georgios Portokalidis
Abstract:
Social networking services have attracted millions of users, including individuals, professionals, and companies, that upload massive amounts of content, such as text, pictures, and video, every day. Content creators retain the intellectual property (IP) rights on the content they share with these networks, however, very frequently they implicitly grant them, a sometimes, overly broad license to u…
▽ More
Social networking services have attracted millions of users, including individuals, professionals, and companies, that upload massive amounts of content, such as text, pictures, and video, every day. Content creators retain the intellectual property (IP) rights on the content they share with these networks, however, very frequently they implicitly grant them, a sometimes, overly broad license to use that content, which enables the services to use it in possibly undesirable ways. For instance, Facebook claims a transferable, sub-licensable, royalty-free, worldwide license on all user-provided content. Professional content creators, like photographers, are particularly affected. In this paper we propose a design for decoupling user data from social networking services without any loss of functionality for the users. Our design suggests that user data are kept off the social networking service, in third parties that enable the hosting of user-generated content under terms of service and overall environment (e.g., a different location) that better suit the user's needs and wishes. At the same time, indirection schemata are seamlessly integrated in the social networking service, without any cooperation from the server side necessary, so that users can transparently access the off-site data just as they would if hosted in-site. We have implemented our design as an extension for the Chrome Web browser, called Redirect2Own, and show that it incurs negligible overhead on accessing 'redirected' content. We offer the extension as free software and its code as an open-source project.
△ Less
Submitted 10 October, 2018;
originally announced October 2018.
-
Tug-of-War: Observations on Unified Content Handling
Authors:
Theofilos Petsios,
Adrian Tang,
Dimitris Mitropoulos,
Salvatore Stolfo,
Angelos D. Keromytis,
Suman Jana
Abstract:
Modern applications and Operating Systems vary greatly with respect to how they register and identify different types of content. These discrepancies lead to exploits and inconsistencies in user experience. In this paper, we highlight the issues arising in the modern content handling ecosystem, and examine how the operating system can be used to achieve unified and consistent content identificatio…
▽ More
Modern applications and Operating Systems vary greatly with respect to how they register and identify different types of content. These discrepancies lead to exploits and inconsistencies in user experience. In this paper, we highlight the issues arising in the modern content handling ecosystem, and examine how the operating system can be used to achieve unified and consistent content identification.
△ Less
Submitted 29 August, 2017;
originally announced August 2017.
-
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities
Authors:
Theofilos Petsios,
Jason Zhao,
Angelos D. Keromytis,
Suman Jana
Abstract:
Algorithmic complexity vulnerabilities occur when the worst-case time/space complexity of an application is significantly higher than the respective average case for particular user-controlled inputs. When such conditions are met, an attacker can launch Denial-of-Service attacks against a vulnerable application by providing inputs that trigger the worst-case behavior. Such attacks have been known…
▽ More
Algorithmic complexity vulnerabilities occur when the worst-case time/space complexity of an application is significantly higher than the respective average case for particular user-controlled inputs. When such conditions are met, an attacker can launch Denial-of-Service attacks against a vulnerable application by providing inputs that trigger the worst-case behavior. Such attacks have been known to have serious effects on production systems, take down entire websites, or lead to bypasses of Web Application Firewalls.
Unfortunately, existing detection mechanisms for algorithmic complexity vulnerabilities are domain-specific and often require significant manual effort. In this paper, we design, implement, and evaluate SlowFuzz, a domain-independent framework for automatically finding algorithmic complexity vulnerabilities. SlowFuzz automatically finds inputs that trigger worst-case algorithmic behavior in the tested binary. SlowFuzz uses resource-usage-guided evolutionary search techniques to automatically find inputs that maximize computational resource utilization for a given application.
△ Less
Submitted 28 August, 2017;
originally announced August 2017.
-
The Spy in the Sandbox -- Practical Cache Attacks in Javascript
Authors:
Yossef Oren,
Vasileios P. Kemerlis,
Simha Sethumadhavan,
Angelos D. Keromytis
Abstract:
We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extr…
▽ More
We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.
△ Less
Submitted 1 March, 2015; v1 submitted 25 February, 2015;
originally announced February 2015.
-
The Bandwidth Exchange Architecture
Authors:
David Michael Turner,
Vassilis Prevelakis,
Angelos D. Keromytis
Abstract:
New applications for the Internet such as video on demand, grid computing etc. depend on the availability of high bandwidth connections with acceptable Quality of Service (QoS). There appears to be, therefore, a requirement for a market where bandwidth-related transactions can take place. For this market to be effective, it must be efficient for both the provider (seller) and the user (buyer) of…
▽ More
New applications for the Internet such as video on demand, grid computing etc. depend on the availability of high bandwidth connections with acceptable Quality of Service (QoS). There appears to be, therefore, a requirement for a market where bandwidth-related transactions can take place. For this market to be effective, it must be efficient for both the provider (seller) and the user (buyer) of the bandwidth. This implies that: (a) the buyer must have a wide choice of providers that operate in a competitive environment, (b) the seller must be assured that a QoS transaction will be paid by the customer, and (c) the QoS transaction establishment must have low overheads so that it may be used by individual customers without a significant burden to the provider.
In order to satisfy these requirements, we propose a framework that allows customers to purchase bandwidth using an open market where providers advertise links and capacities and customers bid for these services. The model is close to that of a commodities market that offers both advance bookings (futures) and a spot market. We explore the mechanisms that can support such a model.
△ Less
Submitted 3 April, 2005;
originally announced April 2005.
