Rowhammer, the DRAM vulnerability that was supposedly fixed in DDR4, is not fixed in DDR4. The TRRespass attack shows that DIMMs from all 3 major vendors (good for 95% of the market) are still vulnerable. The news appeared in different international media (see the writeup on NakedSecurity) and in the Netherlands in de Volkskrant. There was a short interview on Radio 1 (22:51 h).
Recently graduated Harry King just won the (university-wide) best bachelor thesis award for his thesis on “Development Tools & Techniques for a More Robust Operating System”. For his thesis project he built an operating system kernel from scratch in Ada. The implementation in Ada allowed him to formally verify the OS components.
When the dust settled, “RIDL: Rogue In-Flight Data Load”, the paper that was published at Security & Privacy in May and that shows a new class of speculative execution attacks that can leak any “in-flight” data from Intel CPUs, won the second place prize for Best Applied Research at CSAW ’19.
See also: “Much Ado about RIDL”.
The RIDL saga that started in September 2018 lingers on. A new embargo and a new set of insufficient patches, and it isn’t over yet. Excellent coverage by Kim Zetter in the New York Times.
In addition there were many other outlets covering this:
The ECCploit paper by Lucian Cojocar won the Distinguished Practical Paper Award at IEEE Security & Privacy 2019.
After a long embargo period of 9 months we made our paper RIDL: Rogue In-Flight Data Load available to the general public. RIDL introduces a new class of speculative execution attacks that can leak any “in-flight” data available in the CPU.
More information (including some nice demo videos) is available at https://mdsattacks.com. We have also released a tool that you can use to see how vulnerable your computer is to different speculative execution attacks.
On the 12th of March, on BNR (Business News Radio), Herbert provided his view on the NatWest pilot of authorizing payments by means of fingerprints instead of PIN. Many thanks to the VUSec Slack chat for the long discussion on this topic 😉
VUSec researcher Pietro Frigo won the Code Blue Young Researcher Award and, because he is now rich, he promises to buy us all drinks for the remainder of his Ph.D. The corresponding paper (“Grand Pwning Unit”) shows how to use the GPU to boost microarchitectural attacks (such as cache side channels and Rowhammer).
Best paper award for Andrei at RAID 2018.