We demonstrate both attacks by extracting key bits during RSA operations in GnuPG on a state-of-the-art non-inclusive Intel Skylake-X server.
Beyond Credential Stuffing: Password Similarity Models using Neural Networks
Bijeeta Pal (Cornell University), Tal Daniel (Technion), Rahul Chatterjee (Cornell University), Thomas Ristenpart (Cornell Tech)
Attackers increasingly use passwords leaked from one website to compromise associated accounts on other websites.
This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core.
We also show the first high-bandwidth Evict+Reload attack on the same hardware.
We then use our model of the FAPI to precisely define central security properties.
In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties.

Such targeted attacks work because users reuse, or pick similar, passwords for different websites. We recast one of the core technical challenges underlying targeted attacks as the task of modeling similarity of human-chosen passwords. We show how to learn good password similarity models using a compilation of 1.4 billion leaked email, password pairs. Using our trained models of password similarity, we exhibit the most damaging targeted attack to date.

We conduct extensive experiments and benchmark the learning model with state-of-the-art static and dynamic clone search approaches. We show that the learned representation is more robust and significantly outperforms existing methods against changes introduced by obfuscation and optimizations.

Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts.

Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World
Mengjia Yan (University of Illinois at Urbana-Champaign), Read Sprabery (University of Illinois at Urbana-Champaign), Bhargava Gopireddy (University of Illinois at Urbana-Champaign), Christopher Fletcher (University of Illinois at Urbana-Champaign), Roy Campbell (University of Illinois at Urbana-Champaign), Josep Torrellas (University of Illinois at Urbana-Champaign)
Although clouds have strong virtual memory isolation guarantees, cache attacks stemming from shared caches have proved to be a large security problem. However, despite the past effectiveness of cache attacks, their viability has recently been called into question on modern systems, due to trends in cache hierarchy design moving away from inclusive cache hierarchies.