Skip to main content Link Menu Expand (external link) Document Search Copy Copied
6.5950/6.5951

Looking to use our course materials?

There are two things you won’t want to miss:

  • Our lab handouts can be found here.
  • The lab starter code and deployment instructions can be found here.

For instructors

There are two things you won’t want to miss:

  • Our lab handouts can be found here.
  • The lab starter code and deployment instructions can be found here.

Reach out to our team at hw-sec-lab-dev at mit.edu before using our code in your course. We can provide the instructor’s solutions, a starter gradebook, and grading scripts.

For self-learners

We receive many requests from self-learners who want to use these materials outside of a formal course setting. Due to limited teaching resources, we are not able to accommodate individual self-learner support. In particular, we cannot provide machine access, TA support, or instructor solutions.

However, we are happy to share as much information as we can about our infrastructure and setup so that you can build your own platform and adapt the labs for self-study.

The following labs can be performed on your own laptop or machine, either with container support or by running directly on an operating system:

  • Lab 0. C Crash Course
  • Lab 1. Website Fingerprinting
  • Lab 6. CPU Fuzzing
  • Lab 7. CPU Verification

Lab 2. Cache Attacks

We use the following server machine specification:

Intel Xeon Gold 5220R. 2.20GHz, 24.75MB Cache, with 2 threads per physical core (SMT)

Each student is assigned two logical threads that are mapped to the same physical core so they can perform cache attacks on the private L2 cache. You will need to check the SMT and cache configuration to determine whether this is feasible on your machine. If SMT is not supported, you can consider performing the attack on the L3 cache. A few papers discuss this setting, though it is more challenging than our lab setup:

  • Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. “Last-Level Cache Side-Channel Attacks are Practical.” In 2015 IEEE Symposium on Security and Privacy (SP), pp. 605–622, 2015.
  • Mengjia Yan, Benjamin G. Gorden, Dmitry Ponomarev, and Ruby B. Lee. “Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World.” In 2019 IEEE Symposium on Security and Privacy (SP), pp. 888–904, 2019.
  • Zirui Neil Zhao, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas. “Last-Level Cache Side-Channel Attacks Are Feasible in the Modern Public Cloud.” In Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (ASPLOS ‘24), pp. 878–892, 2024.

For ARM processors, the L2 cache may not be inclusive, and you should expect to tweak your attack accordingly.

Lab 3. Spectre Attacks & Lab 5. ASLR Bypasses

We use 2 Dell desktop machines with the following specification to host around 100 students:

Dell desktop, 4 Core, Intel i5-3470, 3.20GHz, no SMT

These attacks do not have strict hardware requirements, and we believe you can use most existing computers. The setup requires a customized kernel module, which we do not currently provide. We may consider open-sourcing it in the future so that self-learners can install this module on their own machines.

Lab 4. Rowhammer Attacks

We use the following machine specification.

Refurbished Dell Optiplex 7010 from Amazon

CPU configuration: Intel(R) Core(TM) i5-3570 CPUs

DRAM configuration: a single 4GB Hynix HMT351U6CFR8C-H9 DIMM.

More generally, we found that all DDR3 modules we tested from the Ivy Bridge era were vulnerable to some extent. Keep in mind that the bank mapping functions may differ across CPU generations, DRAM sizes, and bank configurations, so the bank-ID derivation figure used in our lab may not generalize to other machines.

You can look at Table II of the following paper to find configurations that match your machine:

  • Kevin K. Chang, Dimin Niu, Zeshan Chishti, Ashish R. Alameldeen, Chris Wilkerson, Yoongu Kim, and Onur Mutlu. “DRAMDig: A Knowledge-Assisted Tool to Uncover DRAM Address Mappings.” Proceedings of the 57th ACM/IEEE Design Automation Conference (DAC), 2020. PDF: https://arxiv.org/pdf/2004.02354.pdf

Alternatively, you can buy a refurbished Dell Optiplex 7010. We have found that these systems work with the lab out of the box, and we use them ourselves to run the labs, though your mileage may vary.