HybriDIFT at ICCAD and muCFI at CCS

In October, COMSEC presented HybriDIFT at ICCAD 2024 and muCFI at CCS 2024. HybriDIFT shows how to scale hardware dynamic IFT to large memories by specially treating implicit flows in the design. HybriDIFT is the first dynamic IFT solution that can scale to a serious RISC-V core such as OpenC910. muCFI introduces a new security…

Cascade and ZenHammer at USENIX Security

COMSEC presented two papers at USENIX Security 2024 this month. Cascade shows that generating highly randomized but valid programs is highly effective in finding bugs in open-source RISC-V CPUs. In fact, it finds more bugs than all previous hardware fuzzers combined! ZenHammer shows how one can trigger bit flips from AMD Zen-based CPUs. ZenHammer triggered…

HiFi-DRAM at ISCA

COMSEC presented HiFi-DRAM at the top ISCA conference in Buenos Aires. We used Scanning Electron Microscopy (SEM) with Field Ion Beam (FIB) to reverse engineer sense amplifier designs in commodity DDR4 and DDR5 chips from all major DRAM vendors. HiFi-DRAM shows that many critical assumptions made by DRAM researchers unfortunately do not hold up in…

Inception at USENIX Security

Inception is a new class of transient execution attacks which we made public in August during USENIX Security. Inception can leak arbitrary memory from the kernel on all AMD Zen CPUs including the latest Zen 4 CPU. Due to its impact, Inception was featured on ETH news and many tech and popular news outlets. Examples…

REGA at S&P

COMSEC had one presentation at the flagship S&P conference this year. REGA shows how to build a stateless and scalable in-DRAM Rowhammer mitigation by cleanly separating the duties of DRAM’s sense amplifiers. REGA also includes the first open source model of a modern DRAM chip called REM.

Presentation at MICRO

Flavien Solt presented his paper at the MICRO’22 conference on how design validation and testing tools can be improved using a novel categorization of existing errata documents. More information can be found here.

USENIX Security presentations

COMSEC has two presentations this week at the annual USENIX Security conference. CellIFT shows a novel approach for scalable Information Flow Tracking (IFT) in RTL. CellIFT is open source and ready to be used in many new projects that can benefit from IFT, such as finding hardware vulnerabilities. Retbleed shows that return instructions leak information…

Retbleed in the news

We disclosed Retbleed during the July Patch Tuesday. Retbleed shows that, similar to indirect branches, return instructions leak sensitive information during speculative execution. Retbleed was covered in an ETH news article and many news items in popular media such as WIRED, Ars Technica, The Register, Watson, Heise and podcasts such as Security Now!

Two presentations at S&P

COMSEC has two presentations this week at the annual S&P conference. Blacksmith shows that all TRR mitigations deployed in (LP)DDR4 devices are vulnerable to non-uniform access patterns, and ProTRR shows how one can build a space-refresh optimal in-DRAM TRR mitigation with principled security guarantees. We also have a paper called Spring at the co-located WOOT…

Blacksmith in the news

Our recent efforts in the area of DRAM Security resulted in the discovery of new non-uniform access patterns that can bypass all currently deployed TRR mitigations on recent (LP)DDR4 devices and revive Rowhammer attacks on new devices. Citing the paper: “after almost a decade of research and deployed in-DRAM mitigations, we are perhaps in a…