%%%
% Spectre Attacks
%%%
%% Meltdown paper (USENIX Security 2018)
% See https://spectreattack.com
@inproceedings{meltdown,
  author    = {Lipp, Moritz and Schwarz, Michael and Gruss, Daniel and
               Prescher, Thomas and Haas, Werner and Fogh, Anders and
               Horn, Jann and Mangard, Stefan and Kocher, Paul and
               Genkin, Daniel and Yarom, Yuval and Hamburg, Mike},
  title     = {Meltdown: Reading Kernel Memory from User Space},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  date      = {2018},
}
%% Spectre paper (IEEE S&P 2019)
% See https://spectreattack.com
@inproceedings{spectre,
  author    = {Kocher, Paul and Horn, Jann and Fogh, Anders and
               Genkin, Daniel and Gruss, Daniel and Haas, Werner and
               Hamburg, Mike and Lipp, Moritz and Mangard, Stefan and
               Prescher, Thomas and Schwarz, Michael and Yarom, Yuval},
  title     = {Spectre Attacks: Exploiting Speculative Execution},
  booktitle = {40th {IEEE} Symposium on Security and Privacy {(S\&P'19)}},
  date      = {2019},
}
%% SpectreRSB paper (return stack buffer speculation, WOOT 2018)
% See https://www.usenix.org/conference/woot18/presentation/koruyeh
@inproceedings{spectreRsb,
  author    = {Koruyeh, Esmaeil Mohammadian and Khasawneh, Khaled N. and
               Song, Chengyu and Abu-Ghazaleh, Nael},
  title     = {Spectre Returns! Speculation Attacks using the Return Stack Buffer},
  booktitle = {12th {USENIX} Workshop on Offensive Technologies ({WOOT} 18)},
  date      = {2018},
  publisher = {USENIX Association},
}
%% ret2spec: another Spectre variant that targets return prediction (CCS 2018)
@inproceedings{ret2spec,
  author    = {Maisuradze, Giorgi and Rossow, Christian},
  title     = {{ret2spec}: Speculative execution using return stack buffers},
  booktitle = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  pages     = {2109--2122},
  date      = {2018},
}
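%% Spring: another Spectre variant that targets returns (WOOT 2022)
% Project page: https://comsec.ethz.ch/research/microarch/spring
% The url field holds a single address (the paper PDF) so that the rendered
% link resolves; the project page is kept in the comment above.
@inproceedings{spring,
  author    = {Wikner, Johannes and Giuffrida, Cristiano and Bos, Herbert and
               Razavi, Kaveh},
  title     = {{Spring}: Spectre Returning in the Browser with Speculative Load Queuing and Deep Stacks},
  booktitle = {{WOOT}},
  date      = {2022-05},
  url       = {https://comsec.ethz.ch/wp-content/files/spring_woot22.pdf},
  urldate   = {2022-08-20},
}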
%% AMD white paper on software techniques for managing speculation
% NOTE(review): date is 2022-07-14 while the file name says "7-18Update" and
% the entry has no urldate; the value may be an access date that belongs in
% urldate. Confirm against the document before changing it.
@manual{amdSpectreMitigation,
  author = {{AMD}},
  title  = {Software Techniques For Managing Speculation on {AMD} Processors},
  date   = {2022-07-14},
  url    = {https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf},
}
%% Linus Torvalds on IBRS, and on retpoline being the better option (via LWN)
@online{retpolineOverIbrs,
  author    = {Torvalds, Linus},
  title     = {x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation},
  date      = {2018-01-21},
  publisher = {LWN},
  url       = {https://lwn.net/Articles/745112/},
  urldate   = {2022-07-24},
}
%% Retpoline white paper (Intel): mitigation for branch target injection
@manual{retpolineIntel,
  author  = {{Intel Corporation}},
  title   = {{Retpoline}: A Branch Target Injection Mitigation},
  date    = {2018-06},
  url     = {https://www.intel.com/content/dam/develop/external/us/en/documents/retpoline-a-branch-target-injection-mitigation.pdf},
  urldate = {2022-07-24},
}
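%% Retpoline write-up (Google)
% Typed as @online: the source is a web page (support.google.com) and the
% entry never had the booktitle that @inproceedings requires.
@online{retpolineGoogle,
  author  = {Turner, Paul},
  title   = {{Retpoline}: a software construct for preventing branch-target-injection},
  date    = {2018},
  url     = {https://support.google.com/faqs/answer/7625886},
  urldate = {2022-07-24},
}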
%% GCC patch posting for Spectre mitigation
% NOTE(review): CVE-2017-5715 is Spectre variant 2 (branch target injection);
% variant 1 (bounds check bypass) is CVE-2017-5753. The key says "V1" and is
% left unchanged so that existing citations keep resolving.
@online{spectreV1Mitigation,
  author  = {Lu, H. J.},
  title   = {x86: {CVE-2017-5715}, aka Spectre},
  date    = {2018-01-07},
  url     = {https://gcc.gnu.org/legacy-ml/gcc-patches/2018-01/msg00422.html},
  urldate = {2022-07-24},
}
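%% Straight-line speculation white paper (Arm)
% Typed as @manual, like the other vendor documents in this file: the entry
% has no booktitle, which @inproceedings requires.
@manual{straightLineSpeculation,
  author  = {{ARM}},
  title   = {Straight-Line Speculation Whitepaper},
  date    = {2020-06},
  url     = {https://developer.arm.com/documentation/102825/0100/?lang=en},
  urldate = {2022-07-24},
}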
%% Straight-line speculation mitigation, Linux kernel patch series
% "stright" in the title is kept as entered; check it against the
% mailing-list subject before changing it.
@online{straightLineSpeculationMitigationKernel,
  author  = {Zijlstra, Peter},
  title   = {{[PATCH} v2 0/6] x86: Add stright-line-speculation mitigations},
  date    = {2021-12-04},
  url     = {https://lwn.net/ml/linux-kernel/20211204134338.760603010@infradead.org/},
  urldate = {2022-07-24},
}
%% Straight-line speculation mitigation, GCC patch posting
@online{straightLineSpeculationMitigationGcc,
  author  = {Malcomson, Matthew},
  title   = {Straight Line Speculation {(SLS)} mitigation.},
  date    = {2020-06-08},
  url     = {https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html},
  urldate = {2022-07-26},
}
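%% Straight-line speculation mitigation, LLVM mailing-list posting
% The month was recorded as 01 although the archive path is 2020-June; it is
% set to 06 here. NOTE(review): the day (08) is carried over unchanged;
% confirm it against the archived message.
@online{straightLineSpeculationMitigationLlvm,
  author  = {Beyls, Kristof},
  title   = {[llvm-dev] Mitigating straight-line speculation vulnerability {CVE-2020-13844}},
  date    = {2020-06-08},
  url     = {https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html},
  urldate = {2022-07-26},
}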
%% Reverse engineering related to Spectre (Project Zero blog post)
@online{projectZero,
  author  = {{Project Zero Team}},
  title   = {Reading privileged memory with a side-channel},
  date    = {2018-01-03},
  url     = {https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html},
  urldate = {2022-07-26},
}
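%% Branch History Injection (USENIX Security 2022)
% Web:  https://www.vusec.net/projects/bhi-spectre-bhb
% Code: https://github.com/vusec/bhi-spectre-bhb
% The url field previously packed three "Label=address" pairs into one value,
% which is not a usable link; it now holds the paper address only and the
% other two are listed above. The paper address is recorded with the http
% scheme and is kept as entered.
@inproceedings{bhi,
  author    = {Barberis, Enrico and Frigo, Pietro and Muench, Marius and
               Bos, Herbert and Giuffrida, Cristiano},
  title     = {Branch {History} {Injection}: {On} the {Effectiveness} of {Hardware} {Mitigations} {Against} {Cross}-{Privilege} {Spectre}-v2 {Attacks}},
  booktitle = {{USENIX} {Security}},
  date      = {2022-08},
  url       = {http://download.vusec.net/papers/bhi-spectre-bhb_sec22.pdf},
}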
%%%
% Retbleed
%%%
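%% Retbleed paper (USENIX Security 2022)
% Ordinal corrected from "31th" to "31st".
@inproceedings{retbleed,
  author    = {Wikner, Johannes and Razavi, Kaveh},
  title     = {{Retbleed}: Arbitrary Speculative Code Execution with Return Instructions},
  booktitle = {31st {USENIX} Security Symposium ({USENIX} Security 22)},
  date      = {2022-07-12},
}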
%% Retbleed artifact repository
% commit records a full 40-character revision hash next to the URL. It is not
% a standard biblatex field, so it is printed only if the style or data model
% in use declares it.
@online{retbleedRepo,
  author    = {Wikner, Johannes and Razavi, Kaveh},
  title     = {{RETBleed} Artifact},
  date      = {2022-07-12},
  publisher = {GitHub},
  journal   = {GitHub repository},
  url       = {https://github.com/comsec-group/retbleed},
  urldate   = {2022-07-22},
  commit    = {23d87ad7094292653f71192566a95cf45d4fbcc9},
}
%% Addendum to the Retbleed paper
% NOTE(review): typed @inproceedings but has no booktitle (and no url); if it
% is a standalone document, @report or @misc would fit better. Confirm the
% venue before retyping.
@inproceedings{retbleedAddendum,
  author = {Wikner, Johannes and Trujillo, Daniël and Razavi, Kaveh},
  title  = {Addendum to {Retbleed}: Arbitrary Speculative Code Execution with Return Instructions},
  date   = {2022-07},
}
%% Retbleed mitigation: merge commit message in the Linux kernel tree
% The url uses the abbreviated commit id; commit holds the full hash, of which
% that id is the prefix.
@online{retbleedMitigation,
  author    = {Torvalds, Linus},
  title     = {Merge tag 'x86\_bugs\_retbleed'},
  date      = {2022},
  publisher = {Linux Kernel Source Tree},
  url       = {https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce114c866860},
  urldate   = {2022-07-23},
  commit    = {ce114c866860aa9eae3f50974efc68241186ba60},
}
%% Alternative Retbleed mitigation for Intel: call depth tracking (patch series, via LWN)
@online{retbleedNewMitigation,
  author    = {Gleixner, Thomas},
  title     = {x86/retbleed: Call depth tracking mitigation},
  date      = {2022-07-17},
  publisher = {LWN},
  url       = {https://lwn.net/ml/linux-kernel/20220716230344.239749011@linutronix.de/},
  urldate   = {2022-07-23},
}
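%% AMD mitigation: security bulletin
% The url previously duplicated the technical-guidance PDF that is cited
% separately as retbleedAmdMitigationII. It now points at the AMD-SB-1037
% bulletin address recorded in this file next to these entries.
% NOTE(review): confirm that the bulletin page carries this title and date.
@online{retbleedAmdMitigationI,
  author  = {{AMD}},
  title   = {{AMD} {CPU} Branch Type Confusion},
  date    = {2022-07-12},
  url     = {https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037},
  urldate = {2022-07-25},
}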
%% AMD mitigation: technical guidance PDF
% Related bulletin: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
@manual{retbleedAmdMitigationII,
  author  = {{AMD}},
  title   = {Technical Guidance For Mitigating Branch Type Confusion},
  date    = {2022-07-12},
  url     = {https://www.amd.com/system/files/documents/technical-guidance-for-mitigating-branch-type-confusion_v7_20220712.pdf},
  urldate = {2022-07-25},
}
%% Intel mitigation guidance: return stack buffer underflow advisory
@manual{retbleedIntelMitigation,
  author    = {Intel},
  title     = {Return Stack Buffer Underflow / {CVE-2022-29901}, {CVE-2022-28693} / {INTEL-SA-00702}},
  date      = {2022-07-05},
  publisher = {Intel},
  url       = {https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html},
  urldate   = {2022-07-25},
}
%% Arm hardware mitigation mechanisms (A-profile feature names)
@manual{armFeatures,
  author  = {{Arm}},
  title   = {Feature names in A-profile architecture},
  date    = {2021},
  url     = {https://developer.arm.com/downloads/-/exploration-tools/feature-names-for-a-profile},
  urldate = {2022-08-20},
}
%%%
% Cache Attacks
%%%
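%% Flush+Flush paper
% Stray space before the comma in the conference name removed
% ("Malware , and" -> "Malware, and").
@inproceedings{flushAndFlush,
  author       = {Gruss, Daniel and Maurice, Cl{\'e}mentine and Wagner, Klaus and
                  Mangard, Stefan},
  title        = {{Flush+Flush}: a fast and stealthy cache attack},
  booktitle    = {International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
  pages        = {279--299},
  date         = {2016},
  organization = {Springer},
}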
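%% Flush+Reload paper (USENIX Security 2014)
% See https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/yarom
% Fixed in booktitle: the typo "Securityj" and the brace group that opened
% inside the parenthesis ("{(USENIX}"). Fixed in title: the leading space
% inside "{ Side-Channel}".
@inproceedings{flushAndReload,
  author    = {Yarom, Yuval and Falkner, Katrina},
  title     = {{FLUSH+RELOAD}: A High Resolution, Low Noise, {L3} Cache {Side-Channel} Attack},
  booktitle = {23rd {USENIX} Security Symposium ({USENIX} Security 14)},
  date      = {2014},
  pages     = {719--732},
  publisher = {USENIX Association},
}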
%% Timing side-channel attacks against kernel-space ASLR (IEEE S&P 2013)
@inproceedings{hund2013practical,
  author       = {Hund, Ralf and Willems, Carsten and Holz, Thorsten},
  title        = {Practical timing side channel attacks against kernel space {ASLR}},
  booktitle    = {2013 {IEEE} Symposium on Security and Privacy},
  pages        = {191--205},
  date         = {2013},
  organization = {IEEE},
}
%% Cache attacks and countermeasures, the AES case (CT-RSA 2006)
@inproceedings{osvik2006cache,
  author       = {Osvik, Dag Arne and Shamir, Adi and Tromer, Eran},
  title        = {Cache attacks and countermeasures: the case of {AES}},
  booktitle    = {Cryptographers’ track at the {RSA} conference},
  pages        = {1--20},
  date         = {2006},
  organization = {Springer},
}
%%%
% MISC Stuff
%%%
%% Byte-UnixBench benchmark repository
% commit records the full revision hash of the cited repository state; it is a
% non-standard field and is printed only if the style in use declares it.
@online{byteUnixBench,
  author    = {kdlucas},
  title     = {{Byte-UnixBench}},
  date      = {2022},
  publisher = {GitHub},
  journal   = {GitHub repository},
  url       = {https://github.com/kdlucas/byte-unixbench},
  urldate   = {2022-07-23},
  commit    = {e477bc034137f994f2bbaba52952ca6e1de53856},
}
%% Chip information on the Haswell microarchitecture
@online{haswellChipWiki,
  author  = {{Chip Wiki}},
  title   = {Haswell - Microarchitectures - Intel},
  date    = {2022},
  url     = {https://en.wikichip.org/wiki/intel/microarchitectures/haswell_(client)},
  urldate = {2022-07-14},
}
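%% Preventing microarchitectural covert channels on a RISC-V core (arXiv preprint)
% The arXiv identifier was stored as text in a journal field of an
% @inproceedings entry with no booktitle; it is now carried in
% eprint/eprinttype on an @online entry.
% The key spells "Convert" (for "covert"); it is kept so that existing
% citations still resolve.
@online{preventConvertChannel,
  author     = {Wistoff, Nils and Schneider, Moritz and G{\"u}rkaynak, Frank K and
                Benini, Luca and Heiser, Gernot},
  title      = {Prevention of microarchitectural covert channels on an open-source 64-bit {RISC-V} core},
  eprint     = {2005.02193},
  eprinttype = {arXiv},
  date       = {2020},
}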
%%%
% Sites
%%%
%% ComSec group website (no author recorded)
@online{comSec,
  title   = {{ComSec}: Computer Security Group},
  date    = {2022},
  url     = {https://comsec.ethz.ch/},
  urldate = {2022-07-23},
}
%% kernel.org website (no author recorded)
@online{linuxKernel,
  title   = {The Linux Kernel Archives},
  date    = {2022},
  url     = {https://www.kernel.org/},
  urldate = {2022-07-23},
}
%%%
% CPU Mechanisms
%%%
%% Intel documentation: Indirect Branch Predictor Barrier
@manual{ibpb,
  author  = {{Intel}},
  title   = {Indirect Branch Predictor Barrier},
  date    = {2018-03-01},
  url     = {https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.html},
  urldate = {2022-08-20},
}
%% Intel documentation: Indirect Branch Restricted Speculation
@manual{ibrs,
  author  = {{Intel}},
  title   = {Indirect Branch Restricted Speculation},
  date    = {2018-01-03},
  url     = {https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html},
  urldate = {2022-08-20},
}
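%% ret2dir paper (USENIX Security 2014)
% The brace group in booktitle opened inside the parenthesis ("{(USENIX}");
% it now protects the acronym only, so the parentheses pair up as in the
% other USENIX entries.
@inproceedings{ret2dir,
  author    = {Kemerlis, Vasileios P and Polychronakis, Michalis and
               Keromytis, Angelos D},
  title     = {{ret2dir}: Rethinking kernel isolation},
  booktitle = {23rd {USENIX} Security Symposium ({USENIX} Security 14)},
  pages     = {957--972},
  date      = {2014},
}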
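%% AMD documentation: indirect branch control extension
% Title typo corrected ("Indiredct" -> "Indirect"). The entry has no date
% field; only the access date is recorded.
@manual{stibp,
  author  = {{AMD}},
  title   = {Indirect Branch Control Extension},
  url     = {https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf},
  urldate = {2022-08-20},
}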
%% Agner Fog's microarchitecture manual
@manual{agnerFogManual,
  author  = {Fog, Agner},
  title   = {3. The microarchitecture of Intel, {AMD} and {VIA} {CPUs}: An optimization guide for assembly programmers and compiler makers},
  date    = {2022-06-11},
  url     = {https://www.agner.org/optimize/microarchitecture.pdf},
  urldate = {2022-08-20},
}