Link Search Menu Expand Document
6.888

Course Notes and Reading List

All content on this website, including the calendar, is subject to change.

Highlighted rows are days where paper summaries should be submitted.

Table of contents

  1. Introduction
  2. Side Channels + Transient Execution Attacks
  3. Side Channel Defenses
  4. Physical Attacks
  5. Secure Hardware
  6. Rowhammer
  7. Memory Safety
  8. Miscellaneous

Introduction

Date Readings Notes

Mon Jan 31

Optional: Introduction to Security for Computer Architecture

pdf

Wed Feb 2

Optional: Han et al. A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping. Usenix Security’18

Optional: Wojtczuk et al. Attacking Intel TXT® via SINIT code execution hijacking. 2011

pdf

Fri Feb 4

Optional: Mindshare: Hardware Reversing with the TP-LINK TL-WR841N Router

pdf

Side Channels + Transient Execution Attacks

Date Readings Notes

Mon Feb 7

Qian et al. A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. Journal of Cryptographic Engineering (2018).

Optional: Genkin et al. Synesthesia: Detecting Screen Content via Remote Acoustic Side Channels

pdf

Wed Feb 9

Percival, Colin. Cache missing for fun and profit. (2005).

Optional: Yarom et al. FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. USENIX Security. 2014.

Optional: Liu et al. Last-level cache side-channel attacks are practical. S&P, 2015.

pdf

Mon Feb 14

Summary Required: Vicarte et al. Opening Pandora’s Box: A Systematic Study of New Ways Microarchitecture Can Leak Private Data

pptx

Wed Feb 16

Kocher et al. Spectre attacks: Exploiting speculative execution. S&P. 2019.

pdf

Fri Feb 18

pdf

Wed Feb 23

Summary Required: An Analysis of Speculative Type Confusion Vulnerabilities in the Wild, USENIX’21

pdf

Side Channel Defenses

Date Readings Notes

Mon Feb 28

Summary Required: Narayan et al. Swivel: Hardening WebAssembly against Spectre

Optional: Canella et al. A systematic evaluation of transient execution attacks and defenses. USENIX Security. 2019.

Optional: Speculative Load Hardening, LLVM

Wed Mar 2

Tiwari et al. Complete information flow tracking from the gates up. ASPLOS. 2009.

Guarnieri et al. Hardware-Software Contracts for Secure Speculation. arXiv preprint. 2020.

pdf

Mon Mar 7

Summary Required: MIRAGE: Mitigating Conflict-Based Cache Attacks with a Practical Fully-Associative Design

Optional: Yu et al. Speculative Taint Tracking (STT) A Comprehensive Protection for Speculatively Accessed Data. MICRO. 2019.

Physical Attacks

Date Readings Notes

Wed Mar 9

Optional: I, For One, Welcome Our New Power Analysis Overlords (BlackHat 2018)

pdf

Mon Mar 14

Summary Required: PLATYPUS: Software-based Power Side-Channel Attacks on x86; SP’21

Optional: Zhao et al. FPGA-based remote power side-channel attacks. S&P. 2018.

Secure Hardware

Date Readings Notes

Wed Mar 16

Costan et al. Intel SGX Explained. IACR. 2016.

Focus on the following sections:

  • Section 2
  • Section 3.4-3.8
  • Section 5-5.3

pdf

Mon Mar 28

Mutlu et al. RowHammer: A retrospective. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (2019).

Optional: Kim et al. Revisiting RowHammer: An Experimental Analysis of Modern DRAM Devices and Mitigation Techniques. ISCA. 2020.

pdf

Wed Mar 30

Summary Required: SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-chip Secrets, ASPLOS’22

Rowhammer

Date Readings Notes

Mon Apr 4

Summary Required: Pthammer: Cross-user-kernel-boundary rowhammer through implicit accesses

Optional: Kwong et al. Rambleed: Reading bits in memory without accessing them. S&P. 2020.

Optional: Islam et al. SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks. USENIX. 2019.

Mon Apr 11

Summary Required: Park et al. Graphene: Strong yet Lightweight Row Hammer Protection. MICRO. 2020.

Optional: Cojocar et al. Exploiting correcting codes: On the effectiveness of ECC memory against Rowhammer attacks. S&P. 2019.

Memory Safety

Date Readings Notes

Wed Apr 13

Szekeres et al. SoK: Eternal war in memory. S&P. 2013.

Optional: Pointer Authentication on ARMv8.3

Optional: Oleksenko et al. Intel MPX Explained: A Cross-layer Analysis of the Intel MPX System Stack. SIGMETRICS. 2018.

pdf

Wed Apr 20

Summary Required: Göktas et al. Speculative Probing: Hacking Blind in the Spectre Era

Wed Apr 27

Summary Required: Woodruff et al. The CHERI capability model: Revisiting RISC in an age of risk. ISCA. 2014.

Optional: Xia et al. Cherivoke: Characterising pointer revocation using cheri capabilities for temporal memory safety. MICRO. 2019.

Miscellaneous

Date Readings Notes

Mon May 2

Revizor: Testing Black-box CPUs against Speculation Contracts, ASPLOS’22

pdf

Mon May 9

Summary Required: Uncovering Hidden Instructions in ARMv8-A Implementations

Optional: Breaking the x86 Instruction Set