Paper Discussion
In each discussion session we will discuss around five papers on one particular topic. The discussion of each paper will be led by two students (those taking the graduate version of the course, i.e., 6.5950). Each student will lead a discussion only once during the semester. The papers are selected from top security and computer architecture conferences and cover a broad range of hardware security topics representing the state of the art.
For presenters: check the Piazza posts to find out when you will present and which paper you have been assigned. As you prepare, refer to our detailed paper reading guidance, which explains how to read a hardware security paper, what is required for the presentation, and how your presentation will be graded.
For the audience: we encourage you to pick one paper to read before each discussion session and to ask questions during the Q&A for that paper, as well as for the other papers. Based on the quality of your questions, we will award bonus points toward your final grade.
Papers
Modern Side-Channel Attacks (April 15)
- Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses
- Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest
- ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture
- Hertzbleed: Turning Power Side-Channel Attacks into Remote Timing Attacks on x86
Physical Attacks (April 22)
- CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
- SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-Chip Secrets
- EDDIE: EM-Based Detection of Deviations in Program Execution
- One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization
- QPRAC: Towards Secure and Practical PRAC-based Rowhammer Mitigation using Priority Queues
Hardware Support for Software Safety (April 27)
- An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
- The CHERI Capability Model: Revisiting RISC in an Age of Risk
- PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
Fuzzing and Formal Verification (April 29)
- SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities
- Revizor: Testing Black-Box CPUs against Speculation Contracts
- SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs
TEE Designs + Potpourri (May 4)
- Sanctum: Minimal Hardware Extensions for Strong Software Isolation
- Keystone: An Open Framework for Architecting Trusted Execution Environments
- Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
- CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel