In this program, you will learn about more advanced attacks in the space of side-channel security: transient-execution attacks and fault attacks. In the first course. we will focus on transient execution (and speculative execution) and how it can introduce data (not meta-data!) leakage. We will use side channels to exfiltrate data and transmit it to an attacker-controlled application. We will learn about the most prominent of transient-execution attacks: Meltdown, Spectre, Foreshadow, and ZombieLoad. These attacks are so powerful that they can leak arbitrary secret data, including cryptographic keys, all without physical access. In a set of small exercises, you will implement some of these attacks. You will understand the connection between these attacks and side-channel attacks. You will gain deep understanding of the microarchitecture of modern processors, out-of-order execution pipelines, transient-execution attacks and potential mitigations against them.
In the second course, we will then focus more on fault attacks, in particular Rowhammer and Plundervolt. These attacks go beyond leaking information but instead we will manipulate data. These fault injection mechanisms are triggered purely from software and allows us to manipulate control flow, secret keys, and system security mechanisms, to fully subvert systems and bring them under our control. You will understand how these attacks can be mounted, and how they can be mitigated to allow you to develop hardware and software resilient to transient-execution and fault attacks. As an advanced topic in this block, we will also mount software-based differential power analysis attacks (DPA), following a similar methodology as for the physical side-channel attacks, leaking cryptographic keys. Again we will disucss what the countermeasures against these attacks are.
In both courses, you will practically apply the acquired skills in simple exercises based on measurements you perform on your own computer or measurements we obtained from physical devices, that we provide to you. Both courses require programming skills (C, C++, Python). We will provide you with the knowledge required beyond these, including basics on operating systems, computer architecture, and hardware design.
Daniel Gruss is an internationally renowned expert in side-channel research and has written many seminal works in this field and presented them at renowned international conferences, especially on transient-execution attacks that affected the entire industry and defenses that have been implemented in all operating systems.
