What you will learn
- Ability to find software and hardware design patterns that may expose secrets via transient execution.
- Understand risks associated with transient-execution attacks and how these can be mitigated.
- How hardware faults can be used in attacks.
- How fault attacks on modern computers can be mitigated.
In this program, you will learn about more advanced attacks in the space of side-channel security: transient-execution attacks and fault attacks. In the first course, we will focus on transient execution (and speculative execution) and how it can introduce data (not meta-data!) leakage. We will use side channels to exfiltrate data and transmit it to an attacker-controlled application. We will learn about the most prominent transient-execution attacks: Meltdown, Spectre, Foreshadow, and ZombieLoad. These attacks are so powerful that they can leak arbitrary secret data, including cryptographic keys, all without physical access. In a set of small exercises, you will implement some of these attacks. You will understand the connection between these attacks and side-channel attacks. You will gain a deep understanding of the microarchitecture of modern processors, out-of-order execution pipelines, transient-execution attacks, and potential mitigations against them.
In the second course, we will then focus more on fault attacks, in particular Rowhammer and Plundervolt. These attacks go beyond leaking information: instead, we will manipulate data. These fault injection mechanisms are triggered purely from software and allow us to manipulate control flow, secret keys, and system security mechanisms, to fully subvert systems and bring them under our control. You will understand how these attacks can be mounted, and how they can be mitigated, to allow you to develop hardware and software resilient to transient-execution and fault attacks. As an advanced topic in this block, we will also mount software-based differential power analysis (DPA) attacks, following a similar methodology as for the physical side-channel attacks, leaking cryptographic keys. Again, we will discuss what the countermeasures against these attacks are.
In both courses, you will practically apply the acquired skills in simple exercises based on measurements you perform on your own computer or measurements we obtained from physical devices and provide to you. Both courses require programming skills (C, C++, Python). We will provide you with the knowledge required beyond these, including basics on operating systems, computer architecture, and hardware design.
Daniel Gruss is an internationally renowned expert in side-channel research and has written many seminal works in this field and presented them at renowned international conferences, especially on transient-execution attacks that affected the entire industry and defenses that have been implemented in all operating systems.
Courses in this program
TUGrazX's Side Channel Security – Transient Execution and Fault Attacks Professional Certificate
- Started Jan 24, 2023; 3–4 hours per week, for 10 weeks
Beyond software-based side-channel attacks, there is a new class of attacks called transient-execution attacks. These attacks go beyond leaking meta-data and directly retrieve secret data, but they use side channels as a data exfiltration mechanism to transmit the secret data to an attacker-controlled application. We will look at the most prominent of these attacks: Meltdown, Spectre, Foreshadow, and ZombieLoad. You will implement some of these attacks yourself and learn how to mitigate them.
- Starts Apr 11, 2023; 3–4 hours per week, for 10 weeks
Fault attacks (sometimes also called active side-channel attacks) are a very powerful means that goes beyond just leaking secrets from an application or device to actively manipulating it. We will look at fault attacks that can be triggered from software, namely Rowhammer and Plundervolt. We will also learn that some transient-execution attacks have similarities to fault attacks. You will implement some of these attacks yourself and learn how they are mitigated.
- This course is particularly beneficial if you work in or pursue a career as an offensive security engineer, security architect, embedded software engineer, research scientist, cryptologist, or blockchain engineer.
- Expertise in side-channel discovery and mitigation is relevant to most computer technology companies today, including companies like Qualcomm, Nvidia, Intel, Arm, Apple, AMD, Microsoft, PayPal, and Facebook.
- Expertise in side channel security will also advance your skills in vulnerability discovery and mitigation, penetration testing, threat modeling, and risk assessment.
- You will acquire new knowledge mainly on cache side channels, power side channels, and side-channel mitigations in hardware and software.
Meet your instructor from Graz University of Technology (TUGrazX)