Paper Discussion

In each discussion session, we will discuss 5 papers around one particular topic. The discussion of each paper will be led by 2 students (who take the graduate version of the course, i.e., 6.5950). Throughout the semester, each student will only lead the discussion once. The papers to be discussed are selected from top security and computer architecture conferences, covering broad hardware security topics representing the state of the art.

For the presenters, please check Piazza posts for knowing when you will present which paper. As you prepare for the presentation, make sure to refer to our detailed paper reading guidance for how to read a hardware security paper, what is required for the presentation, and how your presentation will be graded.

For the audience, we encourage you to pick a paper to read before each discussion session and ask questions during the Q&A of that paper, as well as other papers. Based on the quality of the questions, we will give bonus points toward your final grades.

Papers

Below is a list of papers that were discussed in last year’s offering of the course. We will release the list of papers for this year’s offering on the week of March 17, before spring break.

Modern Side-Channel Attacks (April 15)

• Theory and Practice of Finding Eviction Sets

• Port Contention for Fun and Profit

• Hertzbleed: Turning Power Side-Channel Attacks into Remote Timing Attacks on x86

• Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

• Phantom: Exploiting Decoder-detectable Mispredictions

• Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest

• Opening Pandora’s Box: A Systematic Study of New Ways Microarchitecture Can Leak Private Data

Physical Attacks (April 22)

• PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses

• RowPress Vulnerability in Modern DRAM Chips

• ProTRR: Principled yet Optimal In-DRAM Target Row Refresh

• CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management

• SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-Chip Secrets

• One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization

• Pentimento: Data Remanence in Cloud FPGAs

Hardware Support for Software Safety (April 27)

• The CHERI capability model: Revisiting RISC in an age of risk

• PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication

• Secure Program Execution via Dynamic Information Flow Tracking

• Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

• Speculative Probing: Hacking Blind in the Spectre Era

• WHEN GOOD KERNEL DEFENSES GO BAD: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks

• SecureCells: A Secure Compartmentalized Architecture

Fuzzing and Formal Verification (April 29)

• SiliFuzz: Fuzzing CPUs by Proxy

• Cascade: CPU Fuzzing via Intricate Program Generation

• SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities

• SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs

• Revizor: Testing Black-Box CPUs against Speculation Contracts

• Complete Information Flow Tracking from the Gates Up

• Security Verification of Low-Trust Architectures