Paper Discussion
In each discussion session, we will discuss 5 papers on the same topic. The discussion of each paper will be led by 2 students (who take the graduate version of the course, i.e., 6.5950). Throughout the semester, each student will lead a discussion only once. The papers to be discussed are selected from top security and computer architecture conferences and cover a broad range of hardware security topics representing the state of the art.
For the presenters, please check the Piazza posts to find out when you will present which paper. As you prepare for the presentation, make sure to refer to our detailed paper reading guidance on how to read a hardware security paper, what is required for the presentation, and how your presentation will be graded.
For the audience, we encourage you to pick a paper to read before each discussion session and to ask questions during the Q&A for that paper, as well as for the other papers. Based on the quality of the questions, we will give bonus points toward your final grade. Audience and presenters will also be invited to vote on how much they like each paper (e.g., should it get a "Best Paper Award"?). It will be fun, and we are curious about your opinions on them!
Papers
Modern Side-Channel Attacks (March 10)
- Hertzbleed: Turning Power Side-Channel Attacks into Remote Timing Attacks on x86
- Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
- Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest
- Opening Pandora's Box: A Systematic Study of New Ways Microarchitecture Can Leak Private Data
Physical Attacks (April 7)
- PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses
- CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
- SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-Chip Secrets
- One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization
- EDDIE: EM-Based Detection of Deviations in Program Execution
Hardware Support for Software Safety (April 30)
- The CHERI Capability Model: Revisiting RISC in an Age of Risk
- PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
- Secure Program Execution via Dynamic Information Flow Tracking
Fuzzing and Formal Verification (May 7)
- SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities
- SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs
- Revizor: Testing Black-Box CPUs against Speculation Contracts
TEE Designs (May 12)
- Sanctum: Minimal Hardware Extensions for Strong Software Isolation
- Keystone: An Open Framework for Architecting Trusted Execution Environments
- Enabling Realms with the Arm Confidential Compute Architecture
- Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
- CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel
Potpourri
- It's All in Your Head(set): Side-Channel Attacks on AR/VR Systems
- Exploration of Power Side-Channel Vulnerabilities in Quantum Computer Controllers
- Information Flow Control in Machine Learning through Modular Model Architecture
- DIVA: A Reliable Substrate for Deep Submicron Microarchitecture Design
- Understanding Silent Data Corruptions in a Large Production CPU Population
- Everywhere All at Once: Co-Location Attacks on Public Cloud FaaS