diff --git a/README.md b/README.md index ccc4255..405df03 100644 --- a/README.md +++ b/README.md @@ -341,42 +341,43 @@ a pull request if your project uses SGX-Step but is not included below. | Title | Publication details | Source code | SGX-Step features used | | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------- | -| AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves | [USEC23](https://jovanbulck.github.io/files/usenix23-aexnotify.pdf) | [link](https://github.com/intel/linux-sgx/blob/master/sdk/trts/linux/trts_mitigation.S) | Single-Stepping, PTE A/D -| BunnyHop: Exploiting the Instruction Prefetcher | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-zhang-zhiyuan-bunnyhop.pdf) | - | Single-stepping | -| Downfall: Exploiting Speculative Data Gathering | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-moghimi.pdf) | - | Single-stepping, zero-stepping | +| AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves | [USEC23](https://jovanbulck.github.io/files/usenix23-aexnotify.pdf) | [GitHub (SGX SDK mitigation)](https://github.com/intel/linux-sgx/blob/master/sdk/trts/linux/trts_mitigation.S) | Single-Stepping, PTE A/D +| BunnyHop: Exploiting the Instruction Prefetcher | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-zhang-zhiyuan-bunnyhop.pdf) | [GitHub (non-SGX PoC)](https://github.com/0xADE1A1DE/BunnyHop) | Single-stepping, PTE A/D | +| Downfall: Exploiting Speculative Data Gathering | [USEC23](https://www.usenix.org/system/files/usenixsecurity23-moghimi.pdf) | [GitHub (non-SGX PoC)](https://github.com/flowyroll/downfall/tree/main/POC) | Single-stepping, zero-stepping | | All Your PC Are Belong to Us: Exploiting Non-control-Transfer Instruction BTB Updates for Dynamic PC Extraction | [ISCA23](https://dl.acm.org/doi/pdf/10.1145/3579371.3589100?casa_token=Q5jf5nOgiLIAAAAA:cT0ltJh7vk943buODuR4oMFKmuhg2Tp-djFm2kUu6DzlxtBhNhEw2WteRggn0k99D7ft-P6pluVrFA) | - | Single-stepping | -| Cache-timing attack against HQC | [IACR23](https://eprint.iacr.org/2023/102.pdf) | - | Single-stepping, PTE A/D | -| FaultMorse: An automated controlled-channel attack via longest recurring sequence | [ComSec23](https://www.sciencedirect.com/science/article/pii/S0167404822003959) | [link](https://github.com/Ezekiel-1998/FaultMorse) | Page fault | +| Cache-timing attack against HQC | [CHES23](https://eprint.iacr.org/2023/102.pdf) | - | Single-stepping, PTE A/D | +| FaultMorse: An automated controlled-channel attack via longest recurring sequence | [ComSec23](https://www.sciencedirect.com/science/article/pii/S0167404822003959) | [GitHub (post processing)](https://github.com/Ezekiel-1998/FaultMorse) | Page fault | | On (the Lack of) Code Confidentiality in Trusted Execution Environments | [arXiv22](https://arxiv.org/pdf/2212.07899.pdf) | - | Single-stepping | -| AEPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture | [USEC22](https://www.usenix.org/system/files/sec22-borrello.pdf) | [link](https://github.com/IAIK/AEPIC) | Single-Stepping, PTE A/D | +| AEPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture | [USEC22](https://www.usenix.org/system/files/sec22-borrello.pdf) | [GitHub (full)](https://github.com/IAIK/AEPIC) | Single-Stepping, PTE A/D | | MoLE: Mitigation of Side-channel Attacks against SGX via Dynamic Data Location Escape | [ACSAC22](https://dl.acm.org/doi/fullHtml/10.1145/3564625.3568002) | - | Single-Stepping, page fault, transient execution | -| WIP: Interrupt Attack on TEE-Protected Robotic Vehicles | [NDSS22](https://www.ndss-symposium.org/wp-content/uploads/autosec2022_23001_paper.pdf) | - | Single-stepping, multi-stepping | +| WIP: Interrupt Attack on TEE-Protected Robotic Vehicles | [AutoSec22](https://www.ndss-symposium.org/wp-content/uploads/autosec2022_23001_paper.pdf) | - | Single-stepping, multi-stepping | | Towards Self-monitoring Enclaves: Side-Channel Detection Using Performance Counters | [NordSec22](https://link.springer.com/chapter/10.1007/978-3-031-22295-5_7) | - | Page fault, LVI. | -| ENCLYZER: Automated Analysis of Transient Data Leaks on Intel SGX | [SEED22](https://ieeexplore.ieee.org/document/9935016) | [link](https://github.com/bloaryth/enclyser) | Page-table manipulation | +| ENCLYZER: Automated Analysis of Transient Data Leaks on Intel SGX | [SEED22](https://ieeexplore.ieee.org/document/9935016) | [GitHub (full)](https://github.com/bloaryth/enclyser) | Page-table manipulation | | Side-Channeling the Kalyna Key Expansion | [CT-RSA22](https://cs.adelaide.edu.au/~yval/pdfs/ChuengsatiansupGYZ22.pdf) | - | Single-Stepping, PTE A/D | -| Rapid Prototyping for Microarchitectural Attacks | [USENIX22](https://www.usenix.org/system/files/sec22summer_easdon.pdf) | [link](https://github.com/libtea/frameworks) | Single-stepping, page fault, PTE A/D, etc. | -| Util::Lookup: Exploiting Key Decoding in Cryptographic Libraries | [CCS21](https://dl.acm.org/doi/abs/10.1145/3460120.3484783) | [link](https://github.com/UzL-ITS/util-lookup) | Single-Stepping, PTE A/D | +| Rapid Prototyping for Microarchitectural Attacks | [USENIX22](https://www.usenix.org/system/files/sec22summer_easdon.pdf) | [GitHub (full)](https://github.com/libtea/frameworks) | Single-stepping, page fault, PTE A/D, etc. | +| Util::Lookup: Exploiting Key Decoding in Cryptographic Libraries | [CCS21](https://dl.acm.org/doi/abs/10.1145/3460120.3484783) | [GitHub (full)](https://github.com/UzL-ITS/util-lookup) | Single-Stepping, PTE A/D | | SmashEx: Smashing SGX Enclaves Using Exceptions | [CCS21](https://dl.acm.org/doi/pdf/10.1145/3460120.3484821) | - | Single-Stepping | -| Online Template Attacks: Revisited | [CHES21](https://tches.iacr.org/index.php/TCHES/article/view/8967/8545) | [link](https://zenodo.org/record/4680071) | Single-stepping, page fault, PTE A/D | +| Online Template Attacks: Revisited | [CHES21](https://tches.iacr.org/index.php/TCHES/article/view/8967/8545) | [Zenodo (simulation)](https://zenodo.org/record/4680071) | Single-stepping, page fault, PTE A/D | | Aion Attacks: Manipulating Software Timers in Trusted Execution Environment | [DIMVA21](http://individual.utoronto.ca/shengjiexu/publication/whuang-dimva2021-aion_v2.pdf) | - | Single-stepping, interrupts(?) | -| Platypus: Software-based Power Side-Channel Attacks on x86 | [S&P21](https://platypusattack.com/platypus.pdf) | [link](https://github.com/0xhilbert/Platypus) | Single-stepping, zero-stepping | +| Platypus: Software-based Power Side-Channel Attacks on x86 | [S&P21](https://platypusattack.com/platypus.pdf) | [GitHub (simulated PoC)](https://github.com/0xhilbert/Platypus) | Single-stepping, zero-stepping | | CrossTalk: Speculative Data Leaks Across Cores Are Real | [S&P21](https://download.vusec.net/papers/crosstalk_sp21.pdf) | - | Single-stepping, page fault | -| Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend | [USEC21](https://www.usenix.org/system/files/sec21-puddu.pdf) | [link](https://github.com/dn0sar/frontal_poc) | Single-stepping interrupt latency, PTE A/D | -| SpeechMiner: A Framework for Investigating andMeasuring Speculative Execution Vulnerabilities | [NDSS20](https://www.ndss-symposium.org/wp-content/uploads/2020/02/23105-paper.pdf) | [link](https://github.com/teecert/SpeechMiner) | Page-table manipulation | +| Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend | [USEC21](https://www.usenix.org/system/files/sec21-puddu.pdf) | [GitHub (full, artifact evaluated)](https://github.com/dn0sar/frontal_poc) | Single-stepping interrupt latency, PTE A/D | +| PThammer: Cross-User-Kernel-Boundary Rowhammer through Implicit Accesses | - | [MICRO20](https://arxiv.org/pdf/2007.08707v2.pdf) | Page table walk | +| SpeechMiner: A Framework for Investigating andMeasuring Speculative Execution Vulnerabilities | [NDSS20](https://www.ndss-symposium.org/wp-content/uploads/2020/02/23105-paper.pdf) | [GitHub (full)](https://github.com/teecert/SpeechMiner) | Page-table manipulation | | Déjà Vu: Side-Channel Analysis of Mozilla's NSS | [CCS20](https://dl.acm.org/doi/pdf/10.1145/3372297.3421761) | - | Page fault | | From A to Z: Projective coordinates leakage in the wild | [CHES20](https://eprint.iacr.org/2020/432.pdf) | - | Page fault | -| LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection | [S&P20](https://lviattack.eu/lvi.pdf) | [link](https://github.com/jovanbulck/sgx-step-lvi/tree/master/app/lvi) | Single-stepping, page-table manipulation | +| LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection | [S&P20](https://lviattack.eu/lvi.pdf) | [GitHub (PoC)](https://github.com/jovanbulck/sgx-step-lvi/tree/master/app/lvi) | Single-stepping, page-table manipulation | | CopyCat: Controlled Instruction-Level Attacks on Enclaves | [USEC20](https://arxiv.org/pdf/2002.08437.pdf) | - | Single-stepping, page fault, PTE A/D | | When one vulnerable primitive turns viral: Novel single-trace attacks on ECDSA and RSA | [CHES20](https://eprint.iacr.org/2020/055.pdf) | - | Single-stepping, page fault, PTE A/D | | Big Numbers - Big Troubles: Systematically Analyzing Nonce Leakage in (EC)DSA Implementations | [USEC20](https://www.usenix.org/system/files/sec20summer_weiser_prepub_0.pdf) | - | Page fault | -| Plundervolt: Software-based Fault Injection Attacks against Intel SGX | [S&P20](https://plundervolt.com/doc/plundervolt.pdf) | [link](https://github.com/KitMurdock/plundervolt) | Privileged interrupt/call gates, MSR | +| Plundervolt: Software-based Fault Injection Attacks against Intel SGX | [S&P20](https://plundervolt.com/doc/plundervolt.pdf) | [GitHub (full)](https://github.com/KitMurdock/plundervolt) | Privileged interrupt/call gates, MSR | | Bluethunder: A 2-level Directional Predictor Based Side-Channel Attack against SGX | [CHES20](https://heartever.github.io/files/bluethunder_sgx_ches.pdf) | - | Single-stepping | | Fallout: Leaking Data on Meltdown-resistant CPUs | [CCS19](https://mdsattacks.com/files/fallout.pdf) | - | PTE A/D | -| A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes | [CCS19](https://people.cs.kuleuven.be/~jo.vanbulck/ccs19-tale.pdf) | [link](https://github.com/jovanbulck/0xbadc0de) | Single-stepping, page fault, PTE A/D | -| ZombieLoad: Cross-Privilege-Boundary Data Sampling | [CCS19](https://zombieloadattack.com/zombieload.pdf) | [link](https://github.com/IAIK/ZombieLoad/) | Single-stepping, zero-stepping, page-table manipulation | +| A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes | [CCS19](https://people.cs.kuleuven.be/~jo.vanbulck/ccs19-tale.pdf) | [GitHub (full)](https://github.com/jovanbulck/0xbadc0de) | Single-stepping, page fault, PTE A/D | +| ZombieLoad: Cross-Privilege-Boundary Data Sampling | [CCS19](https://zombieloadattack.com/zombieload.pdf) | [GitHub (PoC)](https://github.com/IAIK/ZombieLoad/) | Single-stepping, zero-stepping, page-table manipulation | | SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks | [USEC19](https://arxiv.org/pdf/1903.00446.pdf) | - | Single-stepping interrupt latency | -| Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic | [CCS18](https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf) | [link](https://github.com/jovanbulck/nemesis) | Single-stepping interrupt latency, page fault, PTE A/D | -| Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution | [USEC18](https://foreshadowattack.eu/foreshadow.pdf) | [link](https://github.com/jovanbulck/sgx-step/tree/master/app/foreshadow) | Single-stepping, zero-stepping, page-table manipulation | +| Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic | [CCS18](https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf) | [GitHub (full)](https://github.com/jovanbulck/nemesis) | Single-stepping interrupt latency, page fault, PTE A/D | +| Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution | [USEC18](https://foreshadowattack.eu/foreshadow.pdf) | [GitHub (PoC)](https://github.com/jovanbulck/sgx-step/tree/master/app/foreshadow) | Single-stepping, zero-stepping, page-table manipulation | | Single Trace Attack Against RSA Key Generation in Intel SGX SSL | [AsiaCCS18](https://rspreitzer.github.io/publications/proc/asiaccs-2018-paper-1.pdf) | - | Page fault | -| Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution | [ESSoS18](https://people.cs.kuleuven.be/~jo.vanbulck/essos18.pdf) | [link](https://distrinet.cs.kuleuven.be/software/off-limits/) | Single-stepping, IA32 segmentation, page fault | -| SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control | [SysTEX17](https://people.cs.kuleuven.be/~jo.vanbulck/systex17.pdf) | [link](https://github.com/jovanbulck/sgx-step/tree/master/app/bench) | Single-stepping, page fault, PTE A/D | +| Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution | [ESSoS18](https://people.cs.kuleuven.be/~jo.vanbulck/essos18.pdf) | [link (full, artifact evaluated)](https://distrinet.cs.kuleuven.be/software/off-limits/) | Single-stepping, IA32 segmentation, page fault | +| SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control | [SysTEX17](https://people.cs.kuleuven.be/~jo.vanbulck/systex17.pdf) | [GitHub (full)](https://github.com/jovanbulck/sgx-step/tree/master/app/bench) | Single-stepping, page fault, PTE A/D |