Towards trusted execution environments with secure microarchitectures
The act of executing a program on a computing platform produces inadvertent
side effects that depend on the data being processed. Microarchitectural side-channel
attacks leverage the side effects stemming from interference in shared
hardware components to extract potentially sensitive data. Arguably the most
important class of microarchitectural side-channel attacks are cache attacks,
which target the shared cache hierarchy. This thesis advances the understanding
of the capabilities of cache attacks in conventional and novel execution contexts.
In addition, it contributes to the defensive landscape through a critical security
assessment of promising, low-overhead mitigations.
The first line of research explored in this dissertation concerns advanced cache
attack techniques. Our first contribution is the development of Prime+Scope, a
low-requirement and cross-core cache contention attack that delivers the highest
temporal precision to date. Our second contribution is a thorough exploration of
the cache attack surface in emerging heterogeneous computing platforms, where
an attacker may have access to one or more hardware accelerators. We show how
a malicious FPGA accelerator may not just accelerate legitimate computations
but also attacks, while consuming a negligible amount of resources.
The second line of research targeted by this dissertation advances the state
of the art of cache attack mitigations. To this end, it critically examines two
influential, transparent and low-overhead countermeasure classes. First, we
perform a systematic analysis of cache randomization, which is a hardware
countermeasure that injects entropy into the address-to-index mapping of the
cache. Second, we study the effectiveness of restricting the availability of high-
precision sources of time. Our findings indicate that minuscule timing differences
can be converted and amplified to sidestep this restriction, ultimately enabling
even a human observer to distinguish between a single cache hit or cache miss.
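As an added illustration of the cache randomization countermeasure described above (example code written for this page, not code from the thesis), the toy model below replaces the conventional low-bits set index with a keyed hash of the line address. The keyed hash, the 64-set/4-way geometry and the address pool are constructed assumptions; the point it shows is that a set of lines found congruent with a target under one key is almost entirely non-congruent after re-keying, which is what makes contention-based attacks costly against a randomized cache.

```python
import hashlib

SETS = 64        # number of cache sets in the toy model (assumed)
WAYS = 4         # associativity: lines needed to fill one set (assumed)
LINE = 64        # cache line size in bytes
POOL = [i * LINE for i in range(4096)]   # constructed pool of candidate line addresses

def plain_index(addr: int) -> int:
    """Conventional set index: the low bits of the line address."""
    return (addr // LINE) % SETS

def randomized_index(key: bytes):
    """Return a keyed address-to-set mapping. The keyed hash stands in for the
    secret index function of a randomized cache; it is not any real design."""
    def index(addr: int) -> int:
        line = (addr // LINE).to_bytes(8, "little")
        digest = hashlib.blake2s(line, key=key, digest_size=4).digest()
        return int.from_bytes(digest, "little") % SETS
    return index

def build_eviction_set(target: int, index_fn, pool=POOL):
    """Pick WAYS pool addresses that map to the target's set under index_fn."""
    s = index_fn(target)
    return [a for a in pool if a != target and index_fn(a) == s][:WAYS]

def congruent_count(target: int, addrs, index_fn) -> int:
    """How many of addrs still share the target's set under index_fn."""
    s = index_fn(target)
    return sum(1 for a in addrs if index_fn(a) == s)

def rekey_effect(target: int, key_old: bytes, key_new: bytes) -> tuple:
    """Build a congruent set under key_old, then count how much of it survives
    once the cache is re-keyed to key_new. Returns (before, after)."""
    ev = build_eviction_set(target, randomized_index(key_old))
    return (congruent_count(target, ev, randomized_index(key_old)),
            congruent_count(target, ev, randomized_index(key_new)))

if __name__ == "__main__":
    tgt = 0x1234 * LINE
    ev_plain = build_eviction_set(tgt, plain_index)
    print("plain mapping, congruent lines:", congruent_count(tgt, ev_plain, plain_index))
    print("randomized mapping, before/after re-key:",
          rekey_effect(tgt, b"key-epoch-0", b"key-epoch-1"))
```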