(u)arch Security

Tier 1 Conference

• S&P (Oakland) IEEE Symposium on Security and Privacy
• CCS ACM Conference on Computer and Communications Security
• Security USENIX Security Symposium
• NDSS ISOC Network and Distributed System Security Symposium

from Security Conference Ranking and Statistic

Why start at 2018? Because Meltdownm, Spectre and MDS emerged, open a new era of (micro-)architectural security.

2023

IEEE S&P

... TO BE ADD More

ACM CCS

... TO BE ADD More

USENIX Security

• BunnyHop: Exploiting the Instruction Prefetcher | USENIX
• NVLeak: Off-Chip Side-Channel Attacks via Non-Volatile Memory Systems | USENIX
• (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels | USENIX
• Side-Channel Attacks on Optane Persistent Memory | USENIX
• ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions | USENIX
• CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software | USENIX
• The Gates of Time: Improving Cache Attacks with Transient Execution | USENIX
• Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M | USENIX
• Understanding RDMA Microarchitecture Resources for Performance Isolation | USENIX

NDSS

... TO BE ADD More

---

2022

IEEE S&P

• vSGX: Virtualizing SGX Enclaves on AMD SEV | IEEE Conference Publication | IEEE Xplore
• A Systematic Look at Ciphertext Side Channels on AMD SEV-SNP | IEEE Conference Publication | IEEE Xplore
• RT-TEE: Real-time System Availability for Cyber-physical Systems using ARM TrustZone | IEEE Conference Publication | IEEE Xplore
• A Secret-Free Hypervisor: Rethinking Isolation in the Age of Speculative Vulnerabilities | IEEE Conference Publication | IEEE Xplore
• Smile: Secure Memory Introspection for Live Enclave | IEEE Conference Publication | IEEE Xplore
• SoK: Practical Foundations for Software Spectre Defenses | IEEE Conference Publication | IEEE Xplore
• SpecHammer: Combining Spectre and Rowhammer for New Speculative Attacks | IEEE Conference Publication | IEEE Xplore
• BLACKSMITH: Scalable Rowhammering in the Frequency Domain | IEEE Conference Publication | IEEE Xplore
• Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution | IEEE Conference Publication | IEEE Xplore
• BLACKSMITH: Scalable Rowhammering in the Frequency Domain | IEEE Conference Publication | IEEE Xplore
• ProTRR: Principled yet Optimal In-DRAM Target Row Refresh | IEEE Conference Publication | IEEE Xplore
• Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors | IEEE Conference Publication | IEEE Xplore
• Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks | IEEE Conference Publication | IEEE Xplore
• Finding and Exploiting CPU Features using MSR Templating | IEEE Conference Publication | IEEE Xplore
• Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest | IEEE Conference Publication | IEEE Xplore
• MeshUp: Stateless Cache Side-channel Attack on CPU Mesh | IEEE Conference Publication | IEEE Xplore
• Mind the Gap: Studying the Insecurity of Provably Secure Embedded Trusted Execution Architectures | IEEE Conference Publication | IEEE Xplore
• Hardening Circuit-Design IP Against Reverse-Engineering Attacks | IEEE Conference Publication | IEEE Xplore

ACM CCS

• ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning
• Automatic Detection of Speculative Execution Combinations
• CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation
• Cerberus: A Formal Approach to Secure and Efficient Enclave Memory Sharing
• Discovering IoT Physical Channel Vulnerabilities
• Frequency Throttling Side-Channel Attack
• HammerScope: Observing DRAM Power Consumption Using Rowhammer
• HyperDbg: Reinventing Hardware-Assisted Debugging
• Low-Latency Hardware Private Circuits
• Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels
• On the Success Rate of Side-Channel Attacks on Masked Implementations
• PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
• PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability
• Power Contracts: Provably Complete Power Leakage Models for Processors
• SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities
• StrongBox: A GPU TEE on Arm Endpoints
• What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation
• When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer

USENIX Security

• SecSMT: Securing SMT Processors against Contention-Based Covert Channels | USENIX
• Rapid Prototyping for Microarchitectural Attacks | USENIX
• Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel | USENIX
• AMD Prefetch Attacks through Power and Time | USENIX
• Elasticlave: An Efficient Memory Model for Enclaves | USENIX
• Hiding in Plain Sight? On the Efficacy of Power Side Channel-Based Control Flow Monitoring | USENIX
• SGXLock: Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX | USENIX
• Lend Me Your Ear: Passive Remote Physical Side Channels on PCs | USENIX
• Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing | USENIX
• HyperDegrade: From GHz to MHz Effective CPU Frequencies | USENIX
• RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices | USENIX
• GAROTA: Generalized Active Root-Of-Trust Architecture (for Tiny Embedded Devices) | USENIX
• ReZone: Disarming TrustZone with TEE Privilege Reduction | USENIX
• Double Trouble: Combined Heterogeneous Attacks on Non-Inclusive Cache Hierarchies | USENIX
• Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design | USENIX
• TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering | USENIX
• Minefield: A Software-only Protection for SGX Enclaves against DVFS Attacks | USENIX
• In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication | USENIX
• Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks | USENIX
• Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses | USENIX
• A Hardware-Software Co-design for Efficient Intra-Enclave Isolation | USENIX
• Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds | USENIX
• Fuzzing Hardware Like Software | USENIX
• ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture | USENIX
• Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 | USENIX
• Piranha: A GPU Platform for Secure Computation | USENIX
• Binoculars: Contention-Based Side-Channel Attacks Exploiting the Page Walker | USENIX
• CellIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL | USENIX
• SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing | USENIX
• Composable Cachelets: Protecting Enclaves from Cache Side-Channel Attacks | USENIX
• Don't Mesh Around: Side-Channel Attacks and Mitigations on Mesh Interconnects | USENIX

NDSS

• FANDEMIC: Firmware Attack Construction and Deployment on Power Management Integrated Circuit and Impacts on IoT Applications - NDSS Symposium
• Hybrid Trust Multi-party Computation with Trusted Execution Environment - NDSS Symposium
• SynthCT: Towards Portable Constant-Time Code - NDSS Symposium
• Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures - NDSS Symposium
• Remote Memory-Deduplication Attacks - NDSS Symposium
• DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting - NDSS Symposium
• Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel - NDSS Symposium
• Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators - NDSS Symposium
• D-Box: DMA-enabled Compartmentalization for Embedded Applications - NDSS Symposium

2021

IEEE S&P

• Invisible Probe: Timing Attacks with PCIe Congestion Side-channel | IEEE Conference Publication | IEEE Xplore
• CacheOut: Leaking Data on Intel CPUs via Cache Evictions | IEEE Conference Publication | IEEE Xplore
• PLATYPUS: Software-based Power Side-Channel Attacks on x86 | IEEE Conference Publication | IEEE Xplore
• Randomized Last-Level Caches Are Still Vulnerable to Cache Side-Channel Attacks! But We Can Fix It | IEEE Conference Publication | IEEE Xplore
• Systematic Analysis of Randomization-based Protected Cache Architectures | IEEE Conference Publication | IEEE Xplore
• DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs | IEEE Conference Publication | IEEE Xplore
• CrossTalk: Speculative Data Leaks Across Cores Are Real | IEEE Conference Publication | IEEE Xplore
• High-Assurance Cryptography in the Spectre Era | IEEE Conference Publication | IEEE Xplore

ACM CCS

• Exorcising Spectres with Secure Compilers
• SNIPUZZ: Black-box Fuzzing of IoT Firmware via Message Snippet Inference
• PPE Circuits for Rational Polynomials
• CROSSLINE: Breaking ``Security-by-Crash'' based Memory Isolation in AMD SEV
• Hardware Support to Improve Fuzzing Performance and Precision
• Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization
• PalmTree: Learning an Assembly Language Model for Instruction Embedding
• HyperFuzzer: An Efficient Hybrid Fuzzer For Virtual CPUs
• Aion: Enabling Open Systems through Strong Availability Guarantees for Enclaves
• Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks
• SmashEx: Smashing SGX Enclaves Using Exceptions

USENIX Security

• An Analysis of Speculative Type Confusion Vulnerabilities in the Wild | USENIX
• Virtual Secure Platform: A Five-Stage Pipeline Processor over TFHE | USENIX
• VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface | USENIX
• CURE: A Security Architecture with CUstomizable and Resilient Enclaves | USENIX
• On the Design and Misuse of Microcoded (Embedded) Processors — A Cautionary Note | USENIX
• Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks | USENIX
• Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical | USENIX
• Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs | USENIX
• SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript | USENIX
• Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses | USENIX
• Swivel: Hardening WebAssembly against Spectre | USENIX
• DOLMA: Securing Speculation with the Principle of Transient Non-Observability | USENIX
• CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel | USENIX
• Cross-VM and Cross-Processor Covert Channels Exploiting Processor Idle Power Management | USENIX
• Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend | USENIX

NDSS

• PhantomCache: Obfuscating Cache Conflicts with Localized Randomization - NDSS Symposium
• SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets - NDSS Symposium
• Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE - NDSS Symposium
• From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware - NDSS Symposium

2020

IEEE S&P

• Spectector: Principled Detection of Speculative Information Flows | IEEE Conference Publication | IEEE Xplore
• NetCAT: Practical Cache Attacks from the Network | IEEE Conference Publication | IEEE Xplore
• SpecCFI: Mitigating Spectre Attacks using CFI Informed Speculation | IEEE Conference Publication | IEEE Xplore
• LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection | IEEE Conference Publication | IEEE Xplore
• RAMBleed: Reading Bits in Memory Without Accessing Them | IEEE Conference Publication | IEEE Xplore
• Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers | IEEE Conference Publication | IEEE Xplore
• Leveraging EM Side-Channel Information to Detect Rowhammer Attacks | IEEE Conference Publication | IEEE Xplore
• TRRespass: Exploiting the Many Sides of Target Row Refresh | IEEE Conference Publication | IEEE Xplore
• SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems | IEEE Conference Publication | IEEE Xplore
• Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment | IEEE Conference Publication | IEEE Xplore
• Plundervolt: Software-based Fault Injection Attacks against Intel SGX | IEEE Conference Publication | IEEE Xplore
• Transys: Leveraging Common Security Properties Across Hardware Designs | IEEE Conference Publication | IEEE Xplore
• C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage | IEEE Conference Publication | IEEE Xplore
• ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans | IEEE Conference Publication | IEEE Xplore

ACM CCS

• InSpectre: Breaking and Fixing Microarchitectural Vulnerabilities by Formal Analysis
• TRUSTORE: Side-Channel Resistant Storage for SGX using Intel Hybrid CPU-FPGA
• FirmRay: Detecting BLE Link Layer Vulnerabilities from Configurations in Bare-Metal Firmware
• Cache-in-the-Middle (CITM) Attacks : Manipulating Sensitive Data in Isolated Execution Environments
• Speculative Probing: Hacking Blind in the Spectre Era
• SNI-in-the-head: Protecting MPC-in-the-head Protocols against Side-channel Analysis
• Déjà vu: Side-channel analysis of Mozilla’s NSS

USENIX Security

• Civet: An Efficient Java Partitioning Framework for Hardware Enclaves | USENIX
• PHMon: A Programmable Hardware Monitor and Its Security Use Cases | USENIX
• BesFS: A POSIX Filesystem for Enclaves with a Mechanized Safety Proof | USENIX
• Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures | USENIX
• HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments | USENIX
• TPM-FAIL: TPM meets Timing and Lattice Attacks | USENIX
• P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling | USENIX
• An Off-Chip Attack on Hardware Enclaves via the Memory Bus | USENIX
• PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation | USENIX
• HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation | USENIX
• BigMAC: Fine-Grained Policy Analysis of Android Firmware | USENIX
• SpecFuzz: Bringing Spectre-type vulnerabilities to the surface | USENIX
• The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs | USENIX
• RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks | USENIX
• FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware | USENIX
• TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves | USENIX
• Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis | USENIX
• V0LTpwn: Attacking x86 Processor Integrity from Software | USENIX
• COUNTERFOIL: Verifying Provenance of Integrated Circuits using Intrinsic Package Fingerprints and Inexpensive Cameras | USENIX

NDSS

• µRAI: Securing Embedded Systems with Return Address Integrity - NDSS Symposium
• ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures - NDSS Symposium
• PhantomCache: Obfuscating Cache Conflicts with Localized Randomization - NDSS Symposium
• Mind the Portability: A Warriors Guide through Realistic Profiled Side-channel Analysis - NDSS Symposium
• SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities - NDSS Symposium
• ConTExT: A Generic Approach for Mitigating Spectre - NDSS Symposium

2019

IEEE S&P

• Spectre Attacks: Exploiting Speculative Execution | IEEE Conference Publication | IEEE Xplore
• SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security | IEEE Conference Publication | IEEE Xplore
• Theory and Practice of Finding Eviction Sets | IEEE Conference Publication | IEEE Xplore
• Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks | IEEE Conference Publication | IEEE Xplore
• Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives | IEEE Conference Publication | IEEE Xplore
• RIDL: Rogue In-Flight Data Load | IEEE Conference Publication | IEEE Xplore
• The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations | IEEE Conference Publication | IEEE Xplore
• CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation | IEEE Conference Publication | IEEE Xplore
• The Code That Never Ran: Modeling Attacks on Speculative Evaluation | IEEE Conference Publication | IEEE Xplore

ACM CCS

• A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes
• DeMiCPU: Device Fingerprinting with Magnetic Signals Radiated by CPU
• Fallout: Leaking Data on Meltdown-resistant CPUs
• OPERA: Open Remote Attestation for Intel’s Secure Enclaves
• Page Cache Attacks
• SecTEE: A Software-based Approach to Secure Enclave Architecture Using TEE
• Towards Memory Safe Enclave Programming with Rust-SGX
• VeriSketch: Synthesizing Secure Hardware Designs with Timing-Sensitive Information Flow Properties
• VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies
• Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack
• ZombieLoad: Cross-Privilege-Boundary Data Sampling

USENIX Security

• Robust Website Fingerprinting Through the Cache Occupancy Channel | USENIX
• HardFails: Insights into Software-Exploitable Hardware Bugs | USENIX
• A Systematic Evaluation of Transient Execution Attacks and Defenses | USENIX
• Terminal Brain Damage: Exposing the Graceless Degradation in Deep Neural Networks Under Hardware Fault Attacks | USENIX

NDSS

• Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing - NDSS Symposium
• TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V - NDSS Symposium
• TEE-aided Write Protection Against Privileged Data Tampering - NDSS Symposium
• ExSpectre: Hiding Malware in Speculative Execution - NDSS Symposium
• SANCTUARY: ARMing TrustZone with User-space Enclaves - NDSS Symposium
• OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX - NDSS Symposium

2018

IEEE S&P

• Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU | IEEE Conference Publication | IEEE Xplore
• FPGA-Based Remote Power Side-Channel Attacks | IEEE Conference Publication | IEEE Xplore
• Another Flip in the Wall of Rowhammer Defenses | IEEE Conference Publication | IEEE Xplore
• EnclaveDB: A Secure Database Using SGX | IEEE Conference Publication | IEEE Xplore

ACM CCS

• Unveiling Hardware-based Data Prefetcher, a Hidden Source of Information Leakage
• HyperFlow: A High-Assurance Processor Architecture for Practical Timing-Safe Information Flow Security
• Ohm’, s Law in Data Centers: A Voltage Side Channel for Timing Power Attacks
• Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86
• Practical state recovery attacks against legacy RNG implementations
• ret2spec: Speculative Execution Using Return Stack Buffers
• Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic
• Rendered Insecure: GPU side channel attacks are practical
• An Exploratory Analysis of Microcode as a Building Block for System Defenses

USENIX Security

• Meltdown: Reading Kernel Memory from User Space | USENIX
• Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution | USENIX
• Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks | USENIX

NDSS

• What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices. Marius Muench (EURECOM)
• ZeroTrace : Oblivious Memory Primitives from Intel SGX
• Securing Real-Time Microcontroller Systems through Customized Memory View Switching
• OBLIVIATE: A Data Oblivious Filesystem for Intel SGX

Before 2018

IEEE S&P

... TO BE ADD More

ACM CCS

... TO BE ADD More

USENIX Security

• Towards Practical Tools for Side Channel Aware Software Engineering: 'Grey Box' Modelling for Instruction Leakages | USENIX
• Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory | USENIX
• CacheD: Identifying Cache-Based Timing Channels in Production Software | USENIX
  ... TO BE ADD More

NDSS

... TO BE ADD More

References

• Security Conference Ranking and Statistic
• Systematizing SoK
• MattPD/cpplinks: A categorized list of C++ resources.