We have shared TLBleed with several operating system projects, in order for them to be able to implement mitigations if desired. As a result of seeing TLBleed, OpenBSD decided to disable Hyperthreading by default. This has prompted some speculation that TLBleed is a spectre-like attack, but that is not the case. OpenBSD also realizes the exact impact of TLBleed. There has been significant news coverage: TheRegister (and this one), ArsTechnica, bleepingcomputer, ZDnet, Techrepublic, TechTarget, ITwire, tweakers, and a personal favorite, the SecurityNow Podcast episode 669 (mp3, show notes, youtube).
The full paper will be online soon.
This year, TLBleed will be presented at Blackhat USA. TLBleed is a new side channel attack that exploits the TLB rather than CPU caches to infer activity from a co-resident hyperthread, the full details of which we have not yet released.
Hope to see you in Vegas!
Network infrastructure attacks are a growing threat, and are addressed by a budding VUSec research project.
KPN recently published the fifth European Cyber Security Perspectives – edition 2018. It features an article detailing an early version of an active research project of VUsec, called Packet Origin Fidelity (POF), a detection method of network infrastructure attacks.
Full announcement and brochure here.
At ICTOPEN 2018, the Dutch Cyber Security best Research Papers (DCSRP) Award was awarded to AnC. Ben Gras went there to give a talk as one of the five nominees and – the jury of Prof. Dr. Konrad Rieck, Prof. Evangelos Markatos and Dr. Richard Clayton had decided – receive the award. Full story here.
Or: if you can’t do the time, don’t do the crime
Several days ago, we released a technical report entitled Benchmarking Crimes: An Emerging Threat in Systems Security. The paper was intended for publication at a security conference but was rejected at multiple venues. To let our work be a supporting piece of evidence and analysis for the community to build on, we share our work with the community as a technical report, and we publish it on Arxiv.org.
The results are as revealing as they are damning: we formulate 22 different benchmarking crimes, each of which violates the results of a benchmark in a minor or major fashion. We survey 50 different systems security defense papers. We include papers published by this group in that selection. To gauge reliability, the survey is performed twice – we let two independent readers perform this survey. Their findings are consistent: in this wide study of accepted papers at top systems security venues, all papers had committed benchmarking crimes in some number and degree of egregiousness.
Most of these are recent papers (2015), but a significant fraction are from 2010. This longitudinal component of the study tells us that not only are benchmarking crimes widespread, but also no better in modern papers than in older ones.
This raises the question of how we can trust benchmarks in research results. We hope our work will contribute to an improvement in this situation.
The Register has coverage.
There has been significant media coverage over the CPU flaws known as meltdown and spectre. In the wake of one of our researchers, using only public information and speculation, reproducing the bug before the embargo got lifted, the vusec group has been asked to comment in several pieces, including tweakers.net, wired.com, volkskrant.nl, nos.nl, HBO Vice news tonight (video), news.com.au.
Recently (announcement here), Kaveh and Ben gave a talk at Hardwear.io about trusting the abstractions we think of when we program applications and kernels. We combine the very different Flip Feng Shui (rogue writing) and AnC (ASLR side channel leaking secrets) projects into a single assumptions-challenging talk.
Again, recorded talk here.
Drammer won first 2017 CSAW prize in the category Applied Research Best Paper Award.
Luckily, Victor was there to receive this award on behalf of the Drammer team!
To quote the CSAW site:
Accepted papers are presented by one of the student authors in poster-format during CSAW Finals. Industry experts serving as judges evaluate the originality, relevance, and accuracy of the research.
With eligibility limited to previously published papers, this competition has a reputation for drawing some of the best doctoral security research worldwide.
vusec is proud of this academic and industry recognition.
Prof. Herbert Bos, Prof. Michel van Eeten, and Prof. Bart Jacobs on the 24th released a joint Dutch statement and proposal on the inadequacy of academic cybersecurity funding in The Netherlands. Funding that is up to 50x higher in neighboring countries is causing a drain of talented researchers away from The Netherlands.
Cybersecurity Investment Proposal
The proposal calls for the development of a three-pronged strategy to maintain the high academic standard of Dutch research organizations, funded by in total a budget of €100 million over 10 years, in a combination of public and private investment.
- €40M (public): fund open tenders for non-permanent PhD and postdoc projects, where both pure-CS and interdisciplinary proposals will be considered. Examples might be legal, medical and organizational fields.
- €20M (public): a budget of €2M/year for which universities may apply to either (a) hire permanent staff for a newly appointed cybersecurity professor; or (b) retain staff, done by a cybersecurity professor with at least 5 years proven record, to establish areas of new research.
- €40M (private): The establishment of a pool of inter-organizational cybersecurity experts. The organizations will be a combination of research, government and industrial organizations that host the members. These members will then share knowledge, deepen knowledge (by following an external or industrial PhD program), and provide operational expertise in emergencies.
This proposal was covered in Computable last week and Prof. Bos was a guest on BNR News Radio at 06:00 AM this morning for discussion.
Update: recorded talk here.
Kaveh and Ben will present Flip Feng Shui and AnC at hardwear.io this thursday . We’re combining these projects to a talk reflecting that hardware isn’t as trustworthy as we always assume. See Conference day 1, 16:00 on http://hardwear.io/schedule.php. We’re looking forward to seeing you there!