To attend SILM 2020, the links to the Zoom meetings and Slack workspace are available to logged-in attendees only, on the IEEE Euro S&P website. If you have any problem logging in, please follow the instructions provided on this webpage.
Timezone CEST – Europe/Rome (UTC +02:00)
Welcome session — 14:00-14:15 CEST – Guillaume Hiet
14:00-14:15 | Workshop introduction
Session 1 — 14:15-15:25 CEST – Session Chair: Guillaume Hiet
14:15-15:00 | Invited talk – Adventures with Hardware-Based Control-Flow Tracing by Trent Jaeger [slides]
15:00-15:25 | Reverse Engineering the Stream Prefetcher for Profit by Aditya Rohan (Indian Institute of Technology Kanpur), Biswabandan Panda (Indian Institute of Technology Kanpur) and Prakhar Agarwal (India Tower Research) [video] [slides] [article]
Break — 15:25-15:40 CEST
Session 2 — 15:40-16:50 CEST – Session Chair: Ludovic Mé
15:40-16:05 | CHERI Macaroons: Efficient, host-based access control for cyber-physical systems by Michael Dodson (University of Cambridge), Alastair Beresford (University of Cambridge), Alexander Richardson (University of Cambridge), Jessica Clarke (University of Cambridge) and Robert N. M. Watson (University of Cambridge) [video] [slides] [article]
16:05-16:50 | Invited talk – Nailgun: Breaking Arm TrustZone via Misusing Debugging Features by Fengwei Zhang [video] [slides]
Break — 16:50-17:05 CEST
Session 3 — 17:05-18:20 CEST – Session Chair: Frédéric Tronel
17:05-17:30 | NOP-Oriented Programming: Should we Care? by Pierre-Yves Péneau (Inria), Ludovic Claudepierre (Inria), Damien Hardy (Inria) and Erven Rohou (INRIA) [video] [slides] [article]
17:30-17:55 | REHAD: Using Low-Frequency Reconfigurable Hardware for Cache Side-Channel Attacks Detection by Yuxiao Mao (LAAS-CNRS), Vincent Migliore (LAAS-CNRS), Vincent Nicomette (LAAS-CNRS) [video] [slides] [article]
17:55-18:20 | Nethammer: Inducing Rowhammer Faults through Network Requests by Moritz Lipp (Graz University of Technology), Michael Schwarz (Graz University of Technology), Lukas Raab (Graz University of Technology), Lukas Lamster (Graz University of Technology), Misiker Tadesse Aga (University of Michigan), Clémentine Maurice (Univ Rennes, CNRS, IRISA) and Daniel Gruss (Graz University of Technology) [video] [slides] [article]
Closing remarks — 18:20 CEST
Invited Talks
Fengwei Zhang – Nailgun: Breaking Arm TrustZone via Misusing Debugging Features
Bio: Dr. Fengwei Zhang is the Director of the COMPASS (COMPuter And Systems Security) Lab and Associate Professor at the Department of Computer Science and Engineering at Southern University of Science and Technology (SUSTech), China. He came to SUSTech from Wayne State University, USA, where he was an Assistant Professor at the Department of Computer Science from 2015 to 2019. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, hardware-assisted security, transparent malware debugging, transportation security, and plausible deniability encryption. He has published over 40 conference/journal papers, including IEEE S&P, USENIX Security, and NDSS. He has served on program committees at top conferences including IEEE S&P and ACM CCS. He is a recipient of the Distinguished Paper Award in ACSAC 2017 and a Runner-up Best Paper Award in IEEE/IFIP DSN 2020. His high-quality work received several NSF Awards in the USA.
Abstract: Processors nowadays are consistently equipped with debugging features to facilitate program debugging and analysis. Although the debugging architecture has been presented for years, the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model. Arm introduces a new debugging model that requires no physical access since Armv7. In this new debugging model, a host processor is able to pause and debug another target processor on the same chip (inter-processor debugging). The idea of the Nailgun attack is to misuse the debugging architecture with the inter-processor debugging since recent Arm systems allow the debug host to pause and debug the target even when the target owns a higher privilege. Our experiments discover a number of vulnerable devices including IoT devices like Raspberry Pi, all commercial Arm-based cloud platforms, and mobile phones from Huawei, Motorola, and Xiaomi. For further verification, we show that the Nailgun attack can be used to access the Secure Configuration Register (which is only accessible in the secure state) on Raspberry Pi and extract the fingerprint image stored in the secure memory of a mobile phone with a non-secure kernel module.
Trent Jaeger – Adventures with Hardware-Based Control-Flow Tracing
Bio: Trent Jaeger is a Professor in the Computer Science and Engineering Department at The Pennsylvania State University. Trent’s primary research interests are systems and software security. He has published over 150 research papers and the book, “Operating Systems Security,” which has been taught in universities worldwide. Trent has made significant contributions to the Linux community, including mandatory access control, integrity measurement, process tracing, and namespace services. Trent currently serves the computer security research community on the Executive Committee of ACM SIGSAC as Past Chair, as Steering Committee Chair of NDSS, on editorial boards of the Communications of the ACM and the IEEE Security & Privacy, and on the Academic Advisory Board of the UK’s Cyber Body of Knowledge project.
Abstract: Control-flow tracing is a relatively recent hardware feature that is designed to aid in debugging and failure diagnosis by recording the minimal information necessary to reconstruct complete control-flow traces of running programs. Obtaining accurate control flows reliably is also a useful feature for computer security; researchers have pointed out that exploits often violate expected control flows. In this talk, we will discuss applying one of the control-flow tracing implementations, Intel Processor Trace (PT), to enforce security policies, such as control-flow integrity and context-sensitive access control. We find that using Intel PT to enforce such policies enables stronger security guarantees than software-based techniques for a comparable overhead. We will also examine opportunities for security-directed hardware implementations to improve performance while retaining such guarantees.
Accepted Papers
- Nethammer: Inducing Rowhammer Faults through Network Requests by Moritz Lipp (Graz University of Technology), Michael Schwarz (Graz University of Technology), Lukas Raab (Graz University of Technology), Lukas Lamster (Graz University of Technology), Misiker Tadesse Aga (University of Michigan), Clémentine Maurice (Univ Rennes, CNRS, IRISA) and Daniel Gruss (Graz University of Technology)
- Reverse Engineering the Stream Prefetcher for Profit by Aditya Rohan (Indian Institute of Technology Kanpur), Biswabandan Panda (Indian Institute of Technology Kanpur) and Prakhar Agarwal (India Tower Research)
- CHERI Macaroons: Efficient, host-based access control for cyber-physical systems by Michael Dodson (University of Cambridge), Alastair Beresford (University of Cambridge), Alexander Richardson (University of Cambridge), Jessica Clarke (University of Cambridge) and Robert N. M. Watson (University of Cambridge)
- NOP-Oriented Programming: Should we Care? by Pierre-Yves Péneau (Inria), Ludovic Claudepierre (Inria), Damien Hardy (Inria) and Erven Rohou (INRIA)
- REHAD: Using Low-Frequency Reconfigurable Hardware for Cache Side-Channel Attacks Detection by Yuxiao Mao (LAAS-CNRS), Vincent Migliore (LAAS-CNRS), Vincent Nicomette (LAAS-CNRS)