Category Archives: press

TLBleed in the news

We have shared TLBleed with several operating system projects so that they can implement mitigations if desired. As a result of seeing TLBleed, OpenBSD decided to disable Hyperthreading by default. This has prompted some speculation that TLBleed is a Spectre-like attack, but that is not the case. OpenBSD also realizes the exact impact of TLBleed. There has been significant news coverage: The Register (and this one), Ars Technica, BleepingComputer, ZDNet, TechRepublic, TechTarget, iTWire, Tweakers, and a personal favorite, the Security Now podcast episode 669 (mp3, show notes, YouTube).

The full paper will be online soon.

GLitch hits the news

GLitch, our JS-based Rowhammer exploit that takes advantage of GPU acceleration to trigger bit flips and get control over the Firefox browser on Android, made it to the news. After respecting the 90-day disclosure policy, we finally went live on May 3, releasing all the details of our attack.

The research got quite some interest from the security community on Twitter and was covered in two detailed articles on Wired and Ars Technica. After this, it got picked up by other news outlets such as Decipher, Tweakers, The Hacker News and others.

Despite the great interest in the research, people did not really like the demo video. The reason is attributed to the background music.
Oh well… ¯\_(ツ)_/¯

Fortifying Anemic Dutch Cybersecurity Investment

Brain Drain

Prof. Herbert Bos, Prof. Michel van Eeten, and Prof. Bart Jacobs on the 24th released a joint Dutch statement and proposal on the inadequacy of academic cybersecurity funding in The Netherlands. Funding that is up to 50x higher in neighboring countries is causing a drain of talented researchers away from The Netherlands.

Cybersecurity Investment Proposal

The proposal calls for the development of a three-pronged strategy to maintain the high academic standard of Dutch research organizations, funded by a total budget of €100 million over 10 years, in a combination of public and private investment.

  1. €40M (public): fund open tenders for non-permanent PhD and postdoc projects, where both pure-CS and interdisciplinary proposals will be considered. Examples might be legal, medical and organizational fields.
  2. €20M (public): a budget of €2M/year for which universities may apply to either (a) hire permanent staff for a newly appointed cybersecurity professor; or (b) retain staff, done by a cybersecurity professor with a proven record of at least 5 years, to establish areas of new research.
  3. €40M (private): The establishment of a pool of inter-organizational cybersecurity experts. The organizations will be a combination of research, government and industrial organizations that host the members. These members will then share knowledge, deepen knowledge (by following an external or industrial PhD program), and provide operational expertise in emergencies.

Coverage

This proposal was covered in Computable last week and Prof. Bos was a guest on BNR News Radio at 06:00 AM this morning for discussion.

ASLR^Cache or AnC: A MMU Sidechannel breaking ASLR from Javascript, and media coverage

Today we announce ASLR^Cache, an MMU side channel exploiting a micro-architectural property of all modern CPU models. This signal is even visible from JavaScript and breaks ASLR in sandboxed environments. The name ASLR^Cache (or simply AnC) is a reference to the fact that ASLR and CPU caches are mutually exclusive on modern architectures. For more information, please see our AnC project page.

Press outlets and other organisations have picked up on this work: wired, arstechnica, ACM Tech News, NCSC, bleepingcomputer.com, Tom’s Hardware, security.nl, theregister, tweakers.net, digitaljournal.com, CSO Australia, hackaday, slashdot, securityweek.com, heise.de, theinquirer.net, itnews.com.au, eejournal.com, habrahabr.ru, impress.co.jp, paper.li, boingboing.net.

Also some of our favourite podcasts picked it up: securitynow episode 600, ISC Internet Storm Center podcast, risky.biz episode #444.

Drammer in the news

Drammer was presented at CCS 2016 3 weeks ago. Our work shows that the Rowhammer hardware vulnerability is prevalent on mobile devices and that attackers can exploit it in a deterministic manner (a la Flip Feng Shui).

Press, Vendor Coverage & Discussion

After initial coverage in the form of two written articles by Ars Technica and WIRED, and a podcast from Security Now!, Drammer was quickly picked up by the mainstream press. International items include: Daily Mail, PCWorld, Softpedia, Slashdot, Tech Times, The Register, Fossbytes, The Inquirer, Digital Journal, Hack Read, SC Magazine, Threatpost, BetaNews, Gamenguide, TechTarget, BleepingComputer, NDTV, On the Wire, and InvestorPlace.

Other local items popped up in Argentina (Segu-info), Austria (Der Standard), Belgium (DeMorgen), China (Freebuff, Sohu, EEPW), Czech Republic (Svět Androida), Denmark (Version2), France (Silicon, Le Monde Informatique, Informanews), Germany (Der Spiegel, Golem.de, Pro-Linux, Crn.de, JAXenter, Computer Bild, t3n Magazine, Netzwelt.de), Hungary (HWSW), Italy (Repubblica.it, Punto Informatico, Gadgetblog.it, Tutto Android), Mexico (PCWorld Mexico), The Netherlands (NU.nl, Tweakers.net, Crimesite), Norway (Digi.no), Poland (eGospodarka, Softonet, PCLab.pl, Dobreprogramy, PC Format, Telix.pl), Russia (Хакер, Securitylab.ru), Slovakia (Živé.sk), Spain (López Dóriga, CSO, El Android libre), Switzerland (Neue Zürcher Zeitung), Taiwan (iThome), Turkey (Teknokulis, CHIP, Webtekno), and Ukraine (KO).

Bruce Schneier linked to our project page and we made it to the front page of The Hacker News. Shortly after, Drammer prompted Rowhammer mitigation efforts on LWN and was discussed by Linus Torvalds on Alan Cox’ Google Plus post. We caused a spike in Google queries for Rowhammer, approaching its popularity from 2015, when Google’s Project Zero released the Rowhammer-based exploit.

The Drammer paper (pdf) was accessed over 25k times, while our GitHub repository received 913 unique views and 83 unique clones.

Drammer made an appearance on Dutch national television in an episode of De Universiteit van Nederland (“The University of The Netherlands”).