add thesis.bib

1 files changed, 374 insertions, 6 deletions

diff --git a/thesis.bib b/thesis.bib
index 0f83a48..cf53a59 100644
--- a/thesis.bib
+++ b/thesis.bib
@@ -1,10 +1,378 @@
-@misc{systematic,
-	title={A Systematic Evaluation of Transient Execution Attacks and Defenses},
-	author={Claudio Canella and Jo Van Bulck and Michael Schwarz and Moritz Lipp and Benjamin von Berg and Philipp Ortner and Frank Piessens and Dmitry Evtyushkin and Daniel Gruss},
+@article{systematic,
+  author    = {Claudio Canella and
+               Jo Van Bulck and
+               Michael Schwarz and
+               Moritz Lipp and
+               Benjamin von Berg and
+               Philipp Ortner and
+               Frank Piessens and
+               Dmitry Evtyushkin and
+               Daniel Gruss},
+  title     = {A Systematic Evaluation of Transient Execution Attacks and Defenses},
+  journal   = {CoRR},
+  volume    = {abs/1811.05441},
+  year      = {2018},
+  url       = {http://arxiv.org/abs/1811.05441},
+  archivePrefix = {arXiv},
+  eprint    = {1811.05441},
+  timestamp = {Sat, 24 Nov 2018 17:52:00 +0100},
+  biburl    = {https://dblp.org/rec/bib/journals/corr/abs-1811-05441},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@inproceedings{meltdown,
+ author = {Moritz Lipp and Michael Schwarz and Daniel Gruss and Thomas Prescher and Werner Haas and Anders Fogh and Jann Horn and Stefan Mangard and Paul Kocher and Daniel Genkin and Yuval Yarom and Mike Hamburg},
+ title = {Meltdown: Reading Kernel Memory from User Space},
+ booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
+ year = {2018},
+}
+
+@inproceedings{spectre,
+ author = {Paul Kocher and Jann Horn and Anders Fogh and and Daniel Genkin and Daniel Gruss and Werner Haas and Mike Hamburg and Moritz Lipp and Stefan Mangard and Thomas Prescher and Michael Schwarz and Yuval Yarom},
+ title = {Spectre Attacks: Exploiting Speculative Execution},
+ booktitle = {40th IEEE Symposium on Security and Privacy (S\&P'19)},
+ year = {2019},
+}
+
+@inproceedings{foreshadow,
+    author = {Van Bulck, Jo and Minkin, Marina and Weisse, Ofir and Genkin, Daniel and Kasikci, Baris and
+              Piessens, Frank and Silberstein, Mark and Wenisch, Thomas F. and Yarom, Yuval and Strackx, Raoul},
+    title = {Foreshadow: Extracting the Keys to the {Intel SGX} Kingdom with Transient Out-of-Order Execution},
+    booktitle = {Proceedings of the 27th {USENIX} Security Symposium},
+    year = {2018},
+    month = {August},
+    publisher = {{USENIX} Association},
+    note={See also technical report Foreshadow-NG~\cite{weisse2018foreshadowNG}}
+}
+
+@article{foreshadowNG,
+  title={{Foreshadow-NG}: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution},
+  author={Weisse, Ofir and Van Bulck, Jo and Minkin, Marina and  Genkin, Daniel and Kasikci, Baris and
+              Piessens, Frank and Silberstein, Mark and Strackx, Raoul and Wenisch, Thomas F. and Yarom, Yuval},
+  journal={Technical report},
+  year={2018},
+  note={See also {USENIX} Security paper Foreshadow~\cite{vanbulck2018foreshadow}}
+}
+
+@article{netspectre,
+  author    = {Michael Schwarz and
+               Martin Schwarzl and
+               Moritz Lipp and
+               Daniel Gruss},
+  title     = {NetSpectre: Read Arbitrary Memory over Network},
+  journal   = {CoRR},
+  volume    = {abs/1807.10535},
+  year      = {2018},
+  url       = {http://arxiv.org/abs/1807.10535},
+  archivePrefix = {arXiv},
+  eprint    = {1807.10535},
+  timestamp = {Mon, 13 Aug 2018 16:46:22 +0200},
+  biburl    = {https://dblp.org/rec/bib/journals/corr/abs-1807-10535},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@article{sgxpectre,
+  author    = {Guoxing Chen and
+               Sanchuan Chen and
+               Yuan Xiao and
+               Yinqian Zhang and
+               Zhiqiang Lin and
+               Ten H. Lai},
+  title     = {SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution},
+  journal   = {CoRR},
+  volume    = {abs/1802.09085},
+  year      = {2018},
+  url       = {http://arxiv.org/abs/1802.09085},
+  archivePrefix = {arXiv},
+  eprint    = {1802.09085},
+  timestamp = {Mon, 13 Aug 2018 16:48:38 +0200},
+  biburl    = {https://dblp.org/rec/bib/journals/corr/abs-1802-09085},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@online{sgx,
+	url={https://software.intel.com/en-us/sgx},
+	title={Intel Software Guard Extensions (Intel SGX)},
+}
+
+@online{l1tf,
+	title={Deep Dive: Intel Analysis of L1 Terminal Fault},
+	url={https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-l1-terminal-fault},
+	year={2018},
+}
+
+@inproceedings{branchscope,
+ author = {Evtyushkin, Dmitry and Riley, Ryan and Abu-Ghazaleh, Nael CSE and ECE and Ponomarev, Dmitry},
+ title = {BranchScope: A New Side-Channel Attack on Directional Branch Predictor},
+ booktitle = {Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems},
+ series = {ASPLOS '18},
+ year = {2018},
+ isbn = {978-1-4503-4911-6},
+ location = {Williamsburg, VA, USA},
+ pages = {693--707},
+ numpages = {15},
+ url = {http://doi.acm.org/10.1145/3173162.3173204},
+ doi = {10.1145/3173162.3173204},
+ acmid = {3173204},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {SGX, attack, branch predictor, microarchitecture security, performance counters, side-channel, timing attacks},
+}
+
+@inproceedings{flushreload,
+  title={FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack},
+  author={Yarom, Yuval and Falkner, Katrina},
+  booktitle={23rd $\{$USENIX$\}$ Security Symposium ($\{$USENIX$\}$ Security 14)},
+  pages={719--732},
+  year={2014}
+}
+
+@online{spec-store-bypass,
+	title={speculative execution, variant 4: speculative store bypass},
+	author={Jann Horn},
+	url={https://bugs.chromium.org/p/project-zero/issues/detail?id=1528},
+	year={2018}
+}
+
+@online{store-load-forwarding,
+	title={Store-to-Load Forwarding and Memory Disambiguation in x86 Processors},
+	author={Henry Wong},
+	year={2014},
+	url={http://blog.stuffedcow.net/2014/01/x86-memory-disambiguation/}
+}
+
+
+@inproceedings{kaiser,
+  title={Kaslr is dead: long live kaslr},
+  author={Gruss, Daniel and Lipp, Moritz and Schwarz, Michael and Fellner, Richard and Maurice, Cl{\'e}mentine and Mangard, Stefan},
+  booktitle={International Symposium on Engineering Secure Software and Systems},
+  pages={161--176},
+  year={2017},
+  organization={Springer}
+}
+
+@online{retpoline,
+  title = {Retpoline: a software construct for preventing branch-target-injection},
+  url = {https://support.google.com/faqs/answer/7625886},
+  author = {Paul Turner},
+  year = {2018},
+}
+
+@online{spec-load-hardening,
+	title={RFC: Speculative Load Hardening (a Spectre variant #1 mitigation)},
+	author={Chandler Carruth},
 	year={2018},
-	eprint={1811.05441},
-	archivePrefix={arXiv},
-	primaryClass={cs.CR}
+	month={March},
+	url={https://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html}
+}
+
+% looks like there's some useful references
+
+@article{safespec,
+  author    = {Khaled N. Khasawneh and
+               Esmaeil Mohammadian Koruyeh and
+               Chengyu Song and
+               Dmitry Evtyushkin and
+               Dmitry Ponomarev and
+               Nael B. Abu{-}Ghazaleh},
+  title     = {SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation},
+  journal   = {CoRR},
+  volume    = {abs/1806.05179},
+  year      = {2018},
+  url       = {http://arxiv.org/abs/1806.05179},
+  archivePrefix = {arXiv},
+  eprint    = {1806.05179},
+  timestamp = {Mon, 13 Aug 2018 16:48:54 +0200},
+  biburl    = {https://dblp.org/rec/bib/journals/corr/abs-1806-05179},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@INPROCEEDINGS{invisispec,
+author={M. {Yan} and J. {Choi} and D. {Skarlatos} and A. {Morrison} and C. {Fletcher} and J. {Torrellas}},
+booktitle={2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO)},
+title={InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy},
+year={2018},
+volume={},
+number={},
+pages={428-441},
+keywords={cache storage;cryptography;microprocessor chips;multiprocessing systems;parallel architectures;program compilers;speculative execution invisible;side channel attacks;speculative execution attacks;microarchitectural state;hardware speculation attacks;InvisiSpec blocks microarchitectural;multiprocessor data cache hierarchy;unsafe speculative loads;speculative buffer;futuristic attacks;Spectre attacks;execution slowdown;memory consistency;Hardware;Load modeling;Receivers;Coherence;Security;Monitoring;Transient analysis;hardware security;speculation;side channel;memory hierarchy},
+doi={10.1109/MICRO.2018.00042},
+ISSN={},
+month={Oct},}
+
+@INPROCEEDINGS{dawg,
+author={V. {Kiriansky} and I. {Lebedev} and S. {Amarasinghe} and S. {Devadas} and J. {Emer}},
+booktitle={2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO)},
+title={DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors},
+year={2018},
+volume={},
+number={},
+pages={974-987},
+keywords={cache storage;security of data;cache timing attacks;dynamically allocated way guard;Intels Cache Allocation Technology;memory caches;generic mechanism;cache state covert channel;entire attack surface;patch specific attacks;existing defense mechanisms;exfiltration channel;cache tag state;speculative processor architectures;channel attacks;speculative execution processors;cache subsystem;minimal modifications;service mechanisms;set associative structure;DAWG;Receivers;Program processors;Security;Transmitters;Metadata;Hardware;cache partitioning;side channel attacks;speculative execution},
+doi={10.1109/MICRO.2018.00083},
+ISSN={},
+month={Oct},}
+
+@inproceedings{context-sensitive-fencing,
+  title={Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization},
+  author={Taram, Mohammadkazem and Venkat, Ashish and Tullsen, Dean},
+  booktitle={Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems},
+  year={2019}
+}
+
+@inproceedings{context-sensitive-decoding,
+  title={Mobilizing the micro-ops: Exploiting context sensitive decoding for security and energy efficiency},
+  author={Taram, Mohammadkazem and Venkat, Ashish and Tullsen, Dean},
+  booktitle={2018 ACM/IEEE 45th Annual International Symposium on Computer Architecture (ISCA)},
+  pages={624--637},
+  year={2018},
+  organization={IEEE}
+}
+
+@article{csd-gomactech,
+  title={Fast and Efficient Deployment of Security Defenses Via Context Sensitive Decoding},
+  author={Taram, Mohammadkazem and Tullsen, Dean and Venkat, Ashish and Homayoun, Houman and PD, Sai Manoj}
+}
+
+@article{spec-buffer-overflow,
+  author    = {Vladimir Kiriansky and
+               Carl Waldspurger},
+  title     = {Speculative Buffer Overflows: Attacks and Defenses},
+  journal   = {CoRR},
+  volume    = {abs/1807.03757},
+  year      = {2018},
+  url       = {http://arxiv.org/abs/1807.03757},
+  archivePrefix = {arXiv},
+  eprint    = {1807.03757},
+  timestamp = {Mon, 13 Aug 2018 16:48:44 +0200},
+  biburl    = {https://dblp.org/rec/bib/journals/corr/abs-1807-03757},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+% https://www.usenix.org/conference/woot18/presentation/koruyeh
+@inproceedings{spectre-returns,
+  title={Spectre returns! speculation attacks using the return stack buffer},
+  author={Koruyeh, Esmaeil Mohammadian and Khasawneh, Khaled N and Song, Chengyu and Abu-Ghazaleh, Nael},
+  booktitle={12th $\{$USENIX$\}$ Workshop on Offensive Technologies ($\{$WOOT$\}$ 18)},
+  year={2018}
+}
+
+@inproceedings{ret2spec,
+ author = {Maisuradze, Giorgi and Rossow, Christian},
+ title = {Ret2Spec: Speculative Execution Using Return Stack Buffers},
+ booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
+ series = {CCS '18},
+ year = {2018},
+ isbn = {978-1-4503-5693-0},
+ location = {Toronto, Canada},
+ pages = {2109--2122},
+ numpages = {14},
+ url = {http://doi.acm.org/10.1145/3243734.3243761},
+ doi = {10.1145/3243734.3243761},
+ acmid = {3243761},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {hardware security, javascript, side channel attacks},
+}
+
+@article{lazyfp,
+   author = {{Stecklina}, J. and {Prescher}, T.},
+    title = "{LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels}",
+  journal = {ArXiv e-prints},
+archivePrefix = "arXiv",
+   eprint = {1806.07480},
+ primaryClass = "cs.OS",
+ keywords = {Computer Science - Operating Systems, Computer Science - Hardware Architecture, Computer Science - Cryptography and Security},
+     year = 2018,
+    month = jun,
+   adsurl = {http://adsabs.harvard.edu/abs/2018arXiv180607480S},
+  adsnote = {Provided by the SAO/NASA Astrophysics Data System}
+}
+
+@inproceedings{Shen:2018:RCF:3243734.3278522,
+ author = {Shen, Zhuojia and Zhou, Jie and Ojha, Divya and Criswell, John},
+ title = {Restricting Control Flow During Speculative Execution},
+ booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
+ series = {CCS '18},
+ year = {2018},
+ isbn = {978-1-4503-5693-0},
+ location = {Toronto, Canada},
+ pages = {2297--2299},
+ numpages = {3},
+ url = {http://doi.acm.org/10.1145/3243734.3278522},
+ doi = {10.1145/3243734.3278522},
+ acmid = {3278522},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {side-channel defenses, spectre attacks, speculative execution},
+}
+
+@article{spectrum,
+  title={Spectrum: Classifying, Replicating and Mitigating Spectre Attacks on a Speculating RISC-V Microarchitecture},
+  author={Gonzalez, Abraham and Korpan, Ben and Younis, Ed and Zhao, Jerry}
+}
+
+@phdthesis{boom,
+    Author = {Celio, Christopher},
+    Title = {A Highly Productive Implementation of an Out-of-Order Processor Generator},
+    School = {EECS Department, University of California, Berkeley},
+    Year = {2018},
+    Month = {Dec},
+    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2018/EECS-2018-151.html},
+    Number = {UCB/EECS-2018-151},
+    Abstract = {General-purpose serial-thread performance gains have become more difficult for industry to realize due to the slowing down of process improvements. In this new regime of poor process scaling, continued performance improvement relies on a number of small-scale micro- architectural enhancements. However, software simulator-based models, which computer architecture research has largely relied upon, may not be well-suited for evaluating ideas at the necessary fidelity.
+
+To facilitate architecture research during this fallow period of Moore’s Law, we propose using processor simulators built from synthesizable processor designs. This thesis describes the design of a synthesizable, industry-competitive processor built on recent advancements in open-source hardware: we leverage the new open-source RISC-V instruction set architecture, the new Chisel hardware construction language, and the Rocket-chip processor generator.
+
+Our processor generator is called BOOM, and it designed for use in education, research, and industry. Like most contemporary high-performance cores, BOOM is superscalar (able to execute multiple instructions per cycle) and out-of-order (able to execute instructions as their dependencies are resolved and not restricted to their program order).
+The BOOM generator was implemented using the Chisel hardware construction language, allowing for the rapid implementation of parameterized designs. The Chisel description generates synthesizable implementations of BOOM that can target both FPGAs and ASIC tool-flows. The BOOM effort culminated in a test chip that was fabricated in the TSMC 28 nm HPM process (high performance mobile) using the foundry-provided standard-cell library and memory compiler.
+
+This thesis highlights two aspects of the BOOM design: its industry-competitive branch prediction and its configurable execution datapath. The remainder of the thesis discusses the BOOM tape-out, which was performed by two graduate students and demonstrated the ability to quickly adapt the design to the physical design issues that arose.}
+}
+
+@misc{cryptoeprint:2018:808,
+    author = {Jiyong Yu and Lucas Hsiung and Mohamad El Hajj and Christopher W. Fletcher},
+    title = {Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing},
+    howpublished = {Cryptology ePrint Archive, Report 2018/808},
+    year = {2018},
+    note = {\url{https://eprint.iacr.org/2018/808}},
+}
+
+% looks useful...
+@INPROCEEDINGS{poisonivy,
+	author={T. S. {Lehman} and A. D. {Hilton} and B. C. {Lee}},
+	booktitle={2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO)},
+	title={PoisonIvy: Safe speculation for secure memory},
+	year={2016},
+	volume={},
+	number={},
+	pages={1-13},
+	keywords={cryptography;PoisonIvy;safe speculation;secure memory;encryption;integrity trees;physical attacks;integrity verification latency;address-based side-channels;memory intensive workloads;Radiation detectors;Program processors;Encryption;Toxicology;Metadata},
+	doi={10.1109/MICRO.2016.7783741},
+	ISSN={},
+	month={Oct},
+}
+
+% related article
+@article{ge2018survey,
+  title={A survey of microarchitectural timing attacks and countermeasures on contemporary hardware},
+  author={Ge, Qian and Yarom, Yuval and Cock, David and Heiser, Gernot},
+  journal={Journal of Cryptographic Engineering},
+  volume={8},
+  number={1},
+  pages={1--27},
+  year={2018},
+  publisher={Springer}
+}
+
+% about multiplier timing
+@inproceedings{andrysco2015subnormal,
+  title={On subnormal floating point and abnormal timing},
+  author={Andrysco, Marc and Kohlbrenner, David and Mowery, Keaton and Jhala, Ranjit and Lerner, Sorin and Shacham, Hovav},
+  booktitle={2015 IEEE Symposium on Security and Privacy},
+  pages={623--639},
+  year={2015},
+  organization={IEEE}
 }
 
 % vim:ts=4:sw=4