README: update SGX-Step papers.
jovanbulck committed Sep 2, 2023
1 parent 7151a72 commit fc5cf19
Showing 1 changed file with 23 additions and 22 deletions.
45 changes: 23 additions & 22 deletions README.md
Expand Up @@ -341,42 +341,43 @@ a pull request if your project uses SGX-Step but is not included below.

| Title | Publication details | Source code | SGX-Step features used |
| ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------- |
| AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves | [USEC23](https://jovanbulck.github.io/files/usenix23-aexnotify.pdf) | [link](https://github.com/intel/linux-sgx/blob/master/sdk/trts/linux/trts_mitigation.S) | Single-Stepping, PTE A/D
| BunnyHop: Exploiting the Instruction Prefetcher | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-zhang-zhiyuan-bunnyhop.pdf) | - | Single-stepping |
| Downfall: Exploiting Speculative Data Gathering | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-moghimi.pdf) | - | Single-stepping, zero-stepping |
| AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves | [USEC23](https://jovanbulck.github.io/files/usenix23-aexnotify.pdf) | [GitHub (SGX SDK mitigation)](https://github.com/intel/linux-sgx/blob/master/sdk/trts/linux/trts_mitigation.S) | Single-Stepping, PTE A/D
| BunnyHop: Exploiting the Instruction Prefetcher | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-zhang-zhiyuan-bunnyhop.pdf) | [GitHub (non-SGX PoC)](https://github.com/0xADE1A1DE/BunnyHop) | Single-stepping, PTE A/D |
| Downfall: Exploiting Speculative Data Gathering | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-moghimi.pdf) | [GitHub (non-SGX PoC)](https://github.com/flowyroll/downfall/tree/main/POC) | Single-stepping, zero-stepping |
| All Your PC Are Belong to Us: Exploiting Non-control-Transfer Instruction BTB Updates for Dynamic PC Extraction | [ISCA23](https://dl.acm.org/doi/pdf/10.1145/3579371.3589100?casa_token=Q5jf5nOgiLIAAAAA:cT0ltJh7vk943buODuR4oMFKmuhg2Tp-djFm2kUu6DzlxtBhNhEw2WteRggn0k99D7ft-P6pluVrFA) | - | Single-stepping |
| Cache-timing attack against HQC | [IACR23](https://eprint.iacr.org/2023/102.pdf) | - | Single-stepping, PTE A/D |
| FaultMorse: An automated controlled-channel attack via longest recurring sequence | [ComSec23](https://www.sciencedirect.com/science/article/pii/S0167404822003959) | [link](https://github.com/Ezekiel-1998/FaultMorse) | Page fault |
| Cache-timing attack against HQC | [CHES23](https://eprint.iacr.org/2023/102.pdf) | - | Single-stepping, PTE A/D |
| FaultMorse: An automated controlled-channel attack via longest recurring sequence | [ComSec23](https://www.sciencedirect.com/science/article/pii/S0167404822003959) | [GitHub (post processing)](https://github.com/Ezekiel-1998/FaultMorse) | Page fault |
| On (the Lack of) Code Confidentiality in Trusted Execution Environments | [arXiv22](https://arxiv.org/pdf/2212.07899.pdf) | - | Single-stepping |
| AEPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture | [USEC22](https://www.usenix.org/system/files/sec22-borrello.pdf) | [link](https://github.com/IAIK/AEPIC) | Single-Stepping, PTE A/D |
| AEPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture | [USEC22](https://www.usenix.org/system/files/sec22-borrello.pdf) | [GitHub (full)](https://github.com/IAIK/AEPIC) | Single-Stepping, PTE A/D |
| MoLE: Mitigation of Side-channel Attacks against SGX via Dynamic Data Location Escape | [ACSAC22](https://dl.acm.org/doi/fullHtml/10.1145/3564625.3568002) | - | Single-Stepping, page fault, transient execution |
| WIP: Interrupt Attack on TEE-Protected Robotic Vehicles | [NDSS22](https://www.ndss-symposium.org/wp-content/uploads/autosec2022_23001_paper.pdf) | - | Single-stepping, multi-stepping |
| WIP: Interrupt Attack on TEE-Protected Robotic Vehicles | [AutoSec22](https://www.ndss-symposium.org/wp-content/uploads/autosec2022_23001_paper.pdf) | - | Single-stepping, multi-stepping |
| Towards Self-monitoring Enclaves: Side-Channel Detection Using Performance Counters | [NordSec22](https://link.springer.com/chapter/10.1007/978-3-031-22295-5_7) | - | Page fault, LVI. |
| ENCLYZER: Automated Analysis of Transient Data Leaks on Intel SGX | [SEED22](https://ieeexplore.ieee.org/document/9935016) | [link](https://github.com/bloaryth/enclyser) | Page-table manipulation |
| ENCLYZER: Automated Analysis of Transient Data Leaks on Intel SGX | [SEED22](https://ieeexplore.ieee.org/document/9935016) | [GitHub (full)](https://github.com/bloaryth/enclyser) | Page-table manipulation |
| Side-Channeling the Kalyna Key Expansion | [CT-RSA22](https://cs.adelaide.edu.au/~yval/pdfs/ChuengsatiansupGYZ22.pdf) | - | Single-Stepping, PTE A/D |
| Rapid Prototyping for Microarchitectural Attacks | [USENIX22](https://www.usenix.org/system/files/sec22summer_easdon.pdf) | [link](https://github.com/libtea/frameworks) | Single-stepping, page fault, PTE A/D, etc. |
| Util::Lookup: Exploiting Key Decoding in Cryptographic Libraries | [CCS21](https://dl.acm.org/doi/abs/10.1145/3460120.3484783) | [link](https://github.com/UzL-ITS/util-lookup) | Single-Stepping, PTE A/D |
| Rapid Prototyping for Microarchitectural Attacks | [USENIX22](https://www.usenix.org/system/files/sec22summer_easdon.pdf) | [GitHub (full)](https://github.com/libtea/frameworks) | Single-stepping, page fault, PTE A/D, etc. |
| Util::Lookup: Exploiting Key Decoding in Cryptographic Libraries | [CCS21](https://dl.acm.org/doi/abs/10.1145/3460120.3484783) | [GitHub (full)](https://github.com/UzL-ITS/util-lookup) | Single-Stepping, PTE A/D |
| SmashEx: Smashing SGX Enclaves Using Exceptions | [CCS21](https://dl.acm.org/doi/pdf/10.1145/3460120.3484821) | - | Single-Stepping |
| Online Template Attacks: Revisited | [CHES21](https://tches.iacr.org/index.php/TCHES/article/view/8967/8545) | [link](https://zenodo.org/record/4680071) | Single-stepping, page fault, PTE A/D |
| Online Template Attacks: Revisited | [CHES21](https://tches.iacr.org/index.php/TCHES/article/view/8967/8545) | [Zenodo (simulation)](https://zenodo.org/record/4680071) | Single-stepping, page fault, PTE A/D |
| Aion Attacks: Manipulating Software Timers in Trusted Execution Environment | [DIMVA21](http://individual.utoronto.ca/shengjiexu/publication/whuang-dimva2021-aion_v2.pdf) | - | Single-stepping, interrupts(?) |
| Platypus: Software-based Power Side-Channel Attacks on x86 | [S&P21](https://platypusattack.com/platypus.pdf) | [link](https://github.com/0xhilbert/Platypus) | Single-stepping, zero-stepping |
| Platypus: Software-based Power Side-Channel Attacks on x86 | [S&P21](https://platypusattack.com/platypus.pdf) | [GitHub (simulated PoC)](https://github.com/0xhilbert/Platypus) | Single-stepping, zero-stepping |
| CrossTalk: Speculative Data Leaks Across Cores Are Real | [S&P21](https://download.vusec.net/papers/crosstalk_sp21.pdf) | - | Single-stepping, page fault |
| Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend | [USEC21](https://www.usenix.org/system/files/sec21-puddu.pdf) | [link](https://github.com/dn0sar/frontal_poc) | Single-stepping interrupt latency, PTE A/D |
| SpeechMiner: A Framework for Investigating andMeasuring Speculative Execution Vulnerabilities | [NDSS20](https://www.ndss-symposium.org/wp-content/uploads/2020/02/23105-paper.pdf) | [link](https://github.com/teecert/SpeechMiner) | Page-table manipulation |
| Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend | [USEC21](https://www.usenix.org/system/files/sec21-puddu.pdf) | [GitHub (full, artifact evaluated)](https://github.com/dn0sar/frontal_poc) | Single-stepping interrupt latency, PTE A/D |
| PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses | - | [MICRO20](https://arxiv.org/pdf/2007.08707v2.pdf) | Page table walk |
| SpeechMiner: A Framework for Investigating andMeasuring Speculative Execution Vulnerabilities | [NDSS20](https://www.ndss-symposium.org/wp-content/uploads/2020/02/23105-paper.pdf) | [GitHub (full)](https://github.com/teecert/SpeechMiner) | Page-table manipulation |
| Déjà Vu: Side-Channel Analysis of Mozilla's NSS | [CCS20](https://dl.acm.org/doi/pdf/10.1145/3372297.3421761) | - | Page fault |
| From A to Z: Projective coordinates leakage in the wild | [CHES20](https://eprint.iacr.org/2020/432.pdf) | - | Page fault |
| LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection | [S&P20](https://lviattack.eu/lvi.pdf) | [link](https://github.com/jovanbulck/sgx-step-lvi/tree/master/app/lvi) | Single-stepping, page-table manipulation |
| LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection | [S&P20](https://lviattack.eu/lvi.pdf) | [GitHub (PoC)](https://github.com/jovanbulck/sgx-step-lvi/tree/master/app/lvi) | Single-stepping, page-table manipulation |
| CopyCat: Controlled Instruction-Level Attacks on Enclaves | [USEC20](https://arxiv.org/pdf/2002.08437.pdf) | - | Single-stepping, page fault, PTE A/D |
| When one vulnerable primitive turns viral: Novel single-trace attacks on ECDSA and RSA | [CHES20](https://eprint.iacr.org/2020/055.pdf) | - | Single-stepping, page fault, PTE A/D |
| Big Numbers - Big Troubles: Systematically Analyzing Nonce Leakage in (EC)DSA Implementations | [USEC20](https://www.usenix.org/system/files/sec20summer_weiser_prepub_0.pdf) | - | Page fault |
| Plundervolt: Software-based Fault Injection Attacks against Intel SGX | [S&P20](https://plundervolt.com/doc/plundervolt.pdf) | [link](https://github.com/KitMurdock/plundervolt) | Privileged interrupt/call gates, MSR |
| Plundervolt: Software-based Fault Injection Attacks against Intel SGX | [S&P20](https://plundervolt.com/doc/plundervolt.pdf) | [GitHub (full)](https://github.com/KitMurdock/plundervolt) | Privileged interrupt/call gates, MSR |
| Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX | [CHES20](https://heartever.github.io/files/bluethunder_sgx_ches.pdf) | - | Single-stepping |
| Fallout: Leaking Data on Meltdown-resistant CPUs | [CCS19](https://mdsattacks.com/files/fallout.pdf) | - | PTE A/D |
| A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes | [CCS19](https://people.cs.kuleuven.be/~jo.vanbulck/ccs19-tale.pdf) | [link](https://github.com/jovanbulck/0xbadc0de) | Single-stepping, page fault, PTE A/D |
| ZombieLoad: Cross-Privilege-Boundary Data Sampling | [CCS19](https://zombieloadattack.com/zombieload.pdf) | [link](https://github.com/IAIK/ZombieLoad/) | Single-stepping, zero-stepping, page-table manipulation |
| A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes | [CCS19](https://people.cs.kuleuven.be/~jo.vanbulck/ccs19-tale.pdf) | [GitHub (full)](https://github.com/jovanbulck/0xbadc0de) | Single-stepping, page fault, PTE A/D |
| ZombieLoad: Cross-Privilege-Boundary Data Sampling | [CCS19](https://zombieloadattack.com/zombieload.pdf) | [GitHub (PoC)](https://github.com/IAIK/ZombieLoad/) | Single-stepping, zero-stepping, page-table manipulation |
| SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks | [USEC19](https://arxiv.org/pdf/1903.00446.pdf) | - | Single-stepping interrupt latency |
| Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic | [CCS18](https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf) | [link](https://github.com/jovanbulck/nemesis) | Single-stepping interrupt latency, page fault, PTE A/D |
| Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution | [USEC18](https://foreshadowattack.eu/foreshadow.pdf) | [link](https://github.com/jovanbulck/sgx-step/tree/master/app/foreshadow) | Single-stepping, zero-stepping, page-table manipulation |
| Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic | [CCS18](https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf) | [GitHub (full)](https://github.com/jovanbulck/nemesis) | Single-stepping interrupt latency, page fault, PTE A/D |
| Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution | [USEC18](https://foreshadowattack.eu/foreshadow.pdf) | [GitHub (PoC)](https://github.com/jovanbulck/sgx-step/tree/master/app/foreshadow) | Single-stepping, zero-stepping, page-table manipulation |
| Single Trace Attack Against RSA Key Generation in Intel SGX SSL | [AsiaCCS18](https://rspreitzer.github.io/publications/proc/asiaccs-2018-paper-1.pdf) | - | Page fault |
| Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution | [ESSoS18](https://people.cs.kuleuven.be/~jo.vanbulck/essos18.pdf) | [link](https://distrinet.cs.kuleuven.be/software/off-limits/) | Single-stepping, IA32 segmentation, page fault |
| SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control | [SysTEX17](https://people.cs.kuleuven.be/~jo.vanbulck/systex17.pdf) | [link](https://github.com/jovanbulck/sgx-step/tree/master/app/bench) | Single-stepping, page fault, PTE A/D |
| Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution | [ESSoS18](https://people.cs.kuleuven.be/~jo.vanbulck/essos18.pdf) | [link (full, artifact evaluated)](https://distrinet.cs.kuleuven.be/software/off-limits/) | Single-stepping, IA32 segmentation, page fault |
| SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control | [SysTEX17](https://people.cs.kuleuven.be/~jo.vanbulck/systex17.pdf) | [GitHub (full)](https://github.com/jovanbulck/sgx-step/tree/master/app/bench) | Single-stepping, page fault, PTE A/D |
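Review bot: The added PThammer row has its second and third cells swapped: the Publication details cell is `-` while the paper link `[MICRO20](https://arxiv.org/pdf/2007.08707v2.pdf)` sits in the Source code column, so the table shows no publication for it and presents the arXiv PDF as source code. Move the MICRO20 link into the second cell and put `-` in the third. Two smaller points in the same hunk: the replacement SpeechMiner row keeps the "andMeasuring" typo from the row it replaces, and the replacement AEX-Notify row still lacks the closing ` |` that the other rows end with.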
