paper

Paper-Reading-List

Security Papers

Posted by luobobo on July 1, 2023

“Learn to read papers and develop my taste.”

How to Read a Paper

The THREE-PASS APPROACH

  1. The first pass [about 5-10 min]
    • title, abstract, and introduction
    • section and sub-section headings
    • conclusions
  2. The second pass [about one hour]
    • read carefully, ignore details such as proof
    • figures, diagrams, and illustrations
    • mark unread references
  3. The third pass [about four to five hours for beginner]
    • virtually re-implement the paper
    • identify and challenge every assumption in every statement

Side-Channel Attacks (Cache)

  1. (22 S&P) Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks
  2. (21 CCS) Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks
  3. (17 USENIX) Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX
  4. (15 S&P) Prime+Probe: Last-Level Cache Side-Channel Attacks are Practical
  5. (16 DIMVA) Flush+Flush: A Fast and Stealthy Cache Attack
  6. (14 USENIX) FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
  7. (15 USENIX) Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches

Side-Channel Attacks (Other)

  1. (19 S&P) Attack Directories, Not Caches:Side-Channel Attacks in a Non-Inclusive World
  2. (16 USENIX) DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks
  3. (21 USENIX) Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical
  4. (22 USENIX) AMD Prefetch Attacks through Power and Time

Fuzzing-Based

  1. (22 S&P) Finding and Exploiting CPU Features using MSR Templating
  2. (21 USENIX) Osiris: Automated Discovery of Microarchitectural Side Channels
  3. (17 Blackhat) Breaking the x86 ISA

Reverse-engineer Microarchitecture

  1. (22 USENIX) TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering
  2. BHI
  3. RETBLEED
  4. Attack Directories
  5. Lord of the Rings

Meltdown & Variants

  1. (22 USENIX) Repurposing Segmentation as a Practical LVI-NULL Mitigation in SGX
  2. (20 S&P) LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection
  3. (21 EuroSec) Transient Execution of Non-Canonical Accesses
  4. (20 USENIX) Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis
  5. (19 S&P) Meltdown: Reading Kernel Memory from User Space

Spectre & Variants

  1. (22 USENIX) RETBLEED: Arbitrary Speculative Code Execution with Return Instructions
  2. (22 USENIX) Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks
  3. (19 USENIX) A Systematic Evaluation of Transient Execution Attacks and Defenses
  4. (18 CCS) ret2spec: Speculative Execution Using Return Stack Buffers
  5. (18 USENIX) Spectre Attacks: Exploiting Speculative Execution

Other Transient Execution Attacks

  1. (21 USENIX) Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks
  2. (21 S&P) CROSSTALK: Speculative Data Leaks Across Cores Are Real
  3. (19 S&P) RIDL: Rogue In-Flight Data Load
  4. (19 CCS) Fallout: Leaking Data on Meltdown-resistant CPUs
  5. (20 FC) Speculative Dereferencing: Reviving Foreshadow (Extended Version)
  6. (19 CCS) ZombieLoad: Cross-Privilege-Boundary Data Sampling
  7. (21 S&P) CacheOut: Leaking Data on Intel CPUs via Cache Evictions

DVFS-Based

  1. (22 USENIX) Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
  2. (22 USENIX) Minefield: A Software-only Protection for SGX Enclaves against DVFS Attacks
  3. (20 S&P) Plundervolt: Software-based Fault Injection Attacks against Intel SGX
  4. (21 S&P) PLATYPUS: Software-based Power Side-Channel Attacks on x86

Rowhammer

  1. (20 IEEE Trans. Comput.)RowHammer: A Retrospective

AMD TEE (SEV):

  1. (23 USENIX) Cipherfix: Mitigating Ciphertext Side-Channel Attacks in Software
  2. (22 S&P) A Systematic Look at Ciphertext Side Channels on AMD SEV-SNP
  3. AMD SEV-SNP
  4. (21 USENIX) CipherLeaks: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel
  5. (21 CCS) CROSS LINE: Breaking “Security-by-Crash” based Memory Isolation in AMD SEV
  6. (18 EuroSec) SEVered: Subverting AMD’s Virtual Machine Encryption
  7. (20 S&P) SEVurity: No Security Without Integrity Breaking Integrity-Free Memory Encryption with Minimal Assumptions

Intel TEE (SGX):

  1. ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture
  2. (21 CCS) SmashEx: Smashing SGX Enclaves Using Exceptions
  3. (21 USENIX) Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend
  4. (17 USENIX) Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution
  5. (18 SPACE) Tutorial: Uncovering and Mitigating Side-Channel Leakage in Intel SGX Enclaves
  6. (17 SysTEX) SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control
  7. Intel SGX Explained
  8. (17 DIMVA) Malware Guard Extension: Using SGX to Conceal Cache Attacks

Microarchitectural Attack in Browsers

  1. (22 S&P) Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution
  2. (17 ESORICS) Practical Keystroke Timing Attacks in Sandboxed JavaScript
  3. (16 DIMVA) Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
  4. (17 FC) Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript

Defence

  1. (16 RAID) CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds
  2. (16 ESSoS) HexPADS: a platform to detect “stealth” attacks

Others & SoK:

  1. (22 USENIX) Rapid Prototyping for Microarchitectural Attacks
  2. (13 S&P) SoK: Eternal War in Memory
  3. (21 USENIX) ExpRace: Exploiting Kernel Races through Raising Interrupts
FRIENDS