Session Chair: Sohrab Aftabjahani, Intel

Tuesday, June 28, 2022 | Time: 10:00 - 11:00

Location: Int'l Ballroom C

• ^**27. iTimed: Cache Attacks on the Apple A10 Fusion SoC
  Gregor Haas, Seetal Potluri and Aydin Aysu
  Abstract: This paper proposes the first cache timing sidechannel attack on one of Apple’s mobile devices. Utilizing a recent, permanent exploit named checkm8, we reverse engineered Apple’s BootROM and created a powerful toolkit for running arbitrary hardware security experiments on Apple’s in-house designed ARM systems-on-a-chip (SoC). Using this toolkit, we then implement an access-driven cache timing attack (in the style of PRIME+PROBE) as a proof-of-concept illustrator. The advanced hardware control enabled by our toolkit allowed us to reverse-engineer key microarchitectural details of the Apple A10 Fusion’s memory hierarchy. We find that the SoC employs a randomized cache-line replacement policy as well as a hardware-based L1 prefetcher. We propose statistical innovations which specifically account for these hardware structures and thus further the state-of-the-art in cache timing attacks. We find that our access-driven attack, at best, can reduce the security of OpenSSL AES-128 by 50 more bits than a straightforward adaptation of PRIME+PROBE, while requiring only half as many side channel measurement traces.


• 89. Morpheus II: A RISC-V Security Extension for Protecting Vulnerable Software and Hardware
  Austin Harris, Tarunesh Verma, Shijia Wei, Lauren Biernacki, Alex Kisil, Misiker Tadesse Aga, Valeria Bertacco, Baris Kasikci, Mohit Tiwari and Todd Austin
  Abstract: Morpheus II is a secure processor designed to prevent control flow attacks. Morpheus II strengthens the defenses of the Morpheus [1] processor, by deploying always-on encryption to obfuscate code and pointers along with runtime churn to thwart side-channel attacks. Focusing on Remote Code Execution attacks, we modified the RISCV Rocket core to support always-encrypted code and code pointers with negligible performance impact and less than 2% area overhead. Morpheus II was deployed running a web server interface to a mock medical database on AWS F1 instances, where it was red-teamed for three months by over 500 security researchers. No vulnerabilities were discovered in Morpheus II. In addition, we evaluated Morpheus II against a range of CWE attack classes including a Blind ROP attack on the web server. We show that Morpheus II defenses increase Blind ROP probe time for gadgets from weeks to likely thousands of years.


• 11. Automated Detection of Spectre and Meltdown Attacks using Explainable Machine Learning
  Zhixin Pan and Prabhat Mishra
  Abstract: Spectre and Meltdown attacks exploit security vulnerabilities of advanced architectural features to access inherently concealed memory data without authorization. Existing defense mechanisms have three major drawbacks: (i) they can be fooled by obfuscation techniques, (ii) the lack of transparency severely limits their applicability, and (iii) it can introduce unacceptable performance degradation. In this paper, we propose a novel detection scheme based on explainable machine learning to address these fundamental challenges. Specifically, this paper makes three important contributions. (1) Our work is the first attempt in applying explainable machine learning for Spectre and Meltdown attack detection. (2) Our proposed method utilizes the temporal differences of hardware events in sequential timestamps instead of overall statistics, which contributes to the robustness of ML models against evasive attacks. (3) Extensive experimental evaluation demonstrates that our approach can significantly improve detection efficiency (38.4% on average) compared to stateof-the-art techniques.

^** HOST 2022 Best Paper Nominee