proposal draft 1

2025-03-07 01:12:28 +01:00 · 2025-03-07 01:12:28 +01:00 · d080a2352d
commit d080a2352d
parent 172da4ca29
10 changed files with 249 additions and 307 deletions
--- a/proposal/edit.fish
+++ b/proposal/edit.fish
@ -0,0 +1,10 @@
 #!/usr/bin/env fish
 latexmk -pdf -pvc &>/dev/null &
 set bg $last_pid
 papers main.pdf &>/dev/null &
 set bg $bg $last_pid
 hx main.tex
 echo $bg
 kill -9 $bg
--- a/proposal/main.aux
+++ b/proposal/main.aux
@ -1,29 +1,29 @@
 \relax 
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\citation{tugraz:tlbsidechannel}
 \citation{tugraz:tlbsidechannel}
 \citation{tugraz:tlbsidechannel}
 \citation{tugraz:tlbsidechannel}
 \@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent }
 \newlabel{sec:introduction}{{1}{2}{}{}{}}
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\@writefile{toc}{\contentsline {section}{\numberline {2}Background}{2}{}\protected@file@percent }
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\newlabel{sec:background}{{2}{2}{}{}{}}
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\citation{tugraz:tlbsidechannel}
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\citation{tugraz:prefetch}
-\@writefile{toc}{\contentsline {section}{\numberline {2}Background}{3}{}\protected@file@percent }
+\citation{tugraz:tlbsidechannel}
 \newlabel{sec:background}{{2}{3}{}{}{}}
 \@writefile{toc}{\contentsline {section}{\numberline {3}Problem}{3}{}\protected@file@percent }
 \newlabel{sec:problem}{{3}{3}{}{}{}}
 \@writefile{toc}{\contentsline {section}{\numberline {4}Related Work}{3}{}\protected@file@percent }
 \newlabel{sec:related}{{4}{3}{}{}{}}
 \@writefile{toc}{\contentsline {section}{\numberline {5}Research Question(s)}{3}{}\protected@file@percent }
 \newlabel{sec:researchq}{{5}{3}{}{}{}}
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\@writefile{toc}{\contentsline {section}{\numberline {6}Approach}{3}{}\protected@file@percent }
-\citation{DBLP:conf/sc/AndreadisVMI18}
+\newlabel{sec:approach}{{6}{3}{}{}{}}
-\@writefile{toc}{\contentsline {section}{\numberline {6}Approach}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {7}Plan}{3}{}\protected@file@percent }
-\newlabel{sec:approach}{{6}{4}{}{}{}}
+\newlabel{sec:plan}{{7}{3}{}{}{}}
-\@writefile{toc}{\contentsline {section}{\numberline {7}Plan}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {8}Conclusion}{3}{}\protected@file@percent }
-\newlabel{sec:plan}{{7}{4}{}{}{}}
+\newlabel{sec:conclusion}{{8}{3}{}{}{}}
 \citation{DBLP:conf/sc/AndreadisVMI18}
 \bibstyle{abbrv}
 \bibdata{main}
-\bibcite{DBLP:conf/sc/AndreadisVMI18}{1}
+\bibcite{tugraz:prefetch}{1}
-\@writefile{toc}{\contentsline {section}{\numberline {8}Conclusion}{5}{}\protected@file@percent }
+\bibcite{tugraz:tlbsidechannel}{2}
 \newlabel{sec:conclusion}{{8}{5}{}{}{}}
 \gdef \@abspage@last{5}
--- a/proposal/main.bbl
+++ b/proposal/main.bbl
@ -1,11 +1,20 @@
 \begin{thebibliography}{1}
-\bibitem{DBLP:conf/sc/AndreadisVMI18}
+\bibitem{tugraz:prefetch}
-G.~Andreadis, L.~Versluis, F.~Mastenbroek, and A.~Iosup.
+D.~Gruss, C.~Maurice, A.~Fogh, M.~Lipp, and S.~Mangard.
-\newblock A reference architecture for datacenter scheduling: design,
+\newblock Prefetch side-channel attacks: Bypassing smap and kernel aslr.
-  validation, and experiments.
+\newblock In {\em Proceedings of the 2016 ACM SIGSAC Conference on Computer and
-\newblock In {\em Proceedings of the International Conference for High
+  Communications Security}, CCS '16, page 368–379, New York, NY, USA, 2016.
-  Performance Computing, Networking, Storage, and Analysis, {SC} 2018, Dallas,
+  Association for Computing Machinery.
-  TX, USA, November 11-16, 2018}, pages 37:1--37:15. {IEEE} / {ACM}, 2018.
+
 \bibitem{tugraz:tlbsidechannel}
 L.~Maar, L.~Giner, D.~Gruss, and S.~Mangard.
 \newblock When good kernel defenses go bad: Reliable and stable kernel exploits
  via defense-amplified tlb side-channel leaks.
 \newblock In {\em Proceedings of the 34rd USENIX Security Symposium},
  Proceedings of the 34rd USENIX Security Symposium, United States, Aug. 2025.
  USENIX Association.
 \newblock 34th USENIX Security Symposium : USENIX Security 2025, USENIX'25 ;
  Conference date: 13-08-2025 Through 15-08-2025.
 \end{thebibliography}
--- a/proposal/main.bib
+++ b/proposal/main.bib
@ -1,54 +1,103 @@
@inproceedings{tugraz:tlbsidechannel,
 	title = "When Good Kernel Defenses Go Bad: Reliable and Stable Kernel
 	         Exploits via Defense-Amplified TLB Side-Channel Leaks",
 	abstract = "Over the past decade, the Linux kernel has seen a significant
 	            number of memory-safety vulnerabilities. However, exploiting
 	            these vulnerabilities becomes substantially harder as defenses
 	            increase. A fundamental defense of the Linux kernel is the
 	            randomization of memory locations for security-critical objects,
 	            which greatly limits or prevents exploitation.In this paper, we
 	            show that we can exploit side-channel leakage in defenses to leak
 	            the locations of security-critical kernel objects. These location
 	            disclosure attacks enable successful exploitations on the latest
 	            Linux kernel, facilitating reliable and stable system compromise
 	            both with re-enabled and new exploit techniques. To identify
 	            side-channel leakages of defenses, we systematically analyze 127
 	            defenses. Based on this analysis, we show that enabling any of 3
 	            defenses – enforcing strict memory permissions or virtualizing
 	            the kernel heap or kernel stack – allows us to obtain
 	            fine-grained TLB contention patterns via an Evict+Reload TLB
 	            side-channel attack. We combine these patterns with kernel
 	            allocator massaging to present location disclosure attacks,
 	            leaking the locations of kernel objects, i.e., heap objects, page
 	            tables, and stacks. To demonstrate the practicality of these
 	            attacks, we evaluate them on recent Intel CPUs and multiple
 	            kernel versions, with a runtime of 0.3 s to 17.8 s and almost no
 	            false positives. Since these attacks work due to side-channel
 	            leakage in defenses, we argue that the virtual stack defense
 	            makes the system less secure.",
 	author = "Lukas Maar and Lukas Giner and Daniel Gruss and Stefan Mangard",
 	year = "2025",
 	month = aug,
 	day = "13",
 	language = "English",
 	series = "Proceedings of the 34rd USENIX Security Symposium",
 	publisher = "USENIX Association",
 	booktitle = "Proceedings of the 34rd USENIX Security Symposium",
 	address = "United States",
 	note = "34th USENIX Security Symposium : USENIX Security 2025, USENIX'25 ;
 	        Conference date: 13-08-2025 Through 15-08-2025",
 	url = "https://www.usenix.org/conference/usenixsecurity25",
 }
@inproceedings{tugraz:prefetch,
 	author = {Gruss, Daniel and Maurice, Clementine and Fogh, Anders and Lipp,
 	          Moritz and Mangard, Stefan},
 	title = {Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR},
 	year = {2016},
 	isbn = {9781450341394},
 	publisher = {Association for Computing Machinery},
 	address = {New York, NY, USA},
 	url = {https://doi.org/10.1145/2976749.2978356},
 	doi = {10.1145/2976749.2978356},
 	abstract = {Modern operating systems use hardware support to protect against
 	            control-flow hijacking attacks such as code-injection attacks.
 	            Typically, write access to executable pages is prevented and
 	            kernel mode execution is restricted to kernel code pages only.
 	            However, current CPUs provide no protection against code-reuse
 	            attacks like ROP. ASLR is used to prevent these attacks by making
 	            all addresses unpredictable for an attacker. Hence, the kernel
 	            security relies fundamentally on preventing access to address
 	            information. We introduce Prefetch Side-Channel Attacks, a new
 	            class of generic attacks exploiting major weaknesses in prefetch
 	            instructions. This allows unprivileged attackers to obtain
 	            address information and thus compromise the entire system by
 	            defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch
 	            inaccessible privileged memory into various caches on Intel x86.
 	            It also leaks the translation-level for virtual addresses on both
 	            Intel x86 and ARMv8-A. We build three attacks exploiting these
 	            properties. Our first attack retrieves an exact image of the full
 	            paging hierarchy of a process, defeating both user space and
 	            kernel space ASLR. Our second attack resolves virtual to physical
 	            addresses to bypass SMAP on 64-bit Linux systems, enabling
 	            ret2dir attacks. We demonstrate this from unprivileged user
 	            programs on Linux and inside Amazon EC2 virtual machines. Finally
 	            , we demonstrate how to defeat kernel ASLR on Windows 10,
 	            enabling ROP attacks on kernel and driver binary code. We propose
 	            a new form of strong kernel isolation to protect commodity
 	            systems incuring an overhead of only 0.06-5.09\%.},
 	booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and
 	             Communications Security},
 	pages = {368–379},
 	numpages = {12},
 	keywords = {timing attacks, kernel vulnerabilities, ASLR},
 	location = {Vienna, Austria},
 	series = {CCS '16},
 }
@inproceedings{DBLP:conf/sc/AndreadisVMI18,
-  author    = {Georgios Andreadis and
+	author = {Georgios Andreadis and Laurens Versluis and Fabian Mastenbroek and
               Laurens Versluis and
               Fabian Mastenbroek and
 	          Alexandru Iosup},
-  title     = {A reference architecture for datacenter scheduling: design, validation,
+	title = {A reference architecture for datacenter scheduling: design,
-               and experiments},
+	         validation, and experiments},
-  booktitle = {Proceedings of the International Conference for High Performance Computing,
+	booktitle = {Proceedings of the International Conference for High
-               Networking, Storage, and Analysis, {SC} 2018, Dallas, TX, USA, November
+	             Performance Computing, Networking, Storage, and Analysis, {SC}
-               11-16, 2018},
+	             2018, Dallas, TX, USA, November 11-16, 2018},
 	pages = {37:1--37:15},
 	publisher = {{IEEE} / {ACM}},
 	year = {2018},
 	url = {http://dl.acm.org/citation.cfm?id=3291706},
 	timestamp = {Mon, 12 Nov 2018 09:20:44 +0100},
 	biburl = {https://dblp.org/rec/conf/sc/AndreadisVMI18.bib},
-  bibsource = {dblp computer science bibliography, https://dblp.org}
+	bibsource = {dblp computer science bibliography, https://dblp.org},
 }
@misc{techblog:latex,
  author = {{Overleaf Team}},
  title = {Learn {LaTeX} in 30 minutes},
  howpublished = {Tech blog},
  url = {https://www.overleaf.com/learn/latex/Learn_LaTeX_in_30_minutes},
  year = {2019}, 
  note = {[Online; accessed Mar 10, 2020] \url{https://www.overleaf.com/learn/latex/Learn_LaTeX_in_30_minutes}}
 }
@misc{techrep:latex,
  author = {Tobias Oetiker and
     Hubert Partl and 
     Irene Hyna and 
     Elisabeth Schlegl},
  title = {The Not So Short Introduction to {LaTeX} 2$\epsilon$, or: {LaTeX} in 139 minutes},
  howpublished = {Tech report, Version 6.3, March 26},
  url = {https://tobi.oetiker.ch/lshort/lshort.pdf},
  year = {2018}, 
  note = {[Online; accessed Mar 10, 2020] \url{https://tobi.oetiker.ch/lshort/lshort.pdf}}
 }
@book{research:book/SharpPW02,
 author = {John A. Sharp and
    John Peters and 
    Keith Howard},
 title = {The Management of a Student Research Project},
 location = {UK},
 publisher = {Gower Publishing Limited},
 edition = {3rd Ed.},
 year = {2002}
 }
--- a/proposal/main.blg
+++ b/proposal/main.blg
@ -3,44 +3,44 @@ Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
 The top-level auxiliary file: main.aux
 The style file: abbrv.bst
 Database file #1: main.bib
-You've used 1 entry,
+You've used 2 entries,
            2118 wiz_defined-function locations,
-            504 strings with 4108 characters,
+            513 strings with 4415 characters,
-and the built_in function-call counts, 596 in all, are:
+and the built_in function-call counts, 964 in all, are:
-= -- 62
+= -- 100
-> -- 23
+> -- 51
 < -- 1
-+ -- 10
+ -- 20
- -- 8
+- -- 18
-* -- 39
+* -- 61
-:= -- 89
+:= -- 153
-add.period$ -- 4
+add.period$ -- 9
-call.type$ -- 1
+call.type$ -- 2
-change.case$ -- 7
+change.case$ -- 15
 chr.to.int$ -- 0
-cite$ -- 1
+cite$ -- 2
-duplicate$ -- 25
+duplicate$ -- 47
-empty$ -- 46
+empty$ -- 63
-format.name$ -- 8
+format.name$ -- 18
-if$ -- 134
+if$ -- 216
 int.to.chr$ -- 0
-int.to.str$ -- 1
+int.to.str$ -- 2
-missing$ -- 1
+missing$ -- 2
-newline$ -- 8
+newline$ -- 14
-num.names$ -- 2
+num.names$ -- 4
-pop$ -- 9
+pop$ -- 16
 preamble$ -- 1
-purify$ -- 6
+purify$ -- 13
 quote$ -- 0
-skip$ -- 22
+skip$ -- 39
 stack$ -- 0
-substring$ -- 49
+substring$ -- 28
-swap$ -- 13
+swap$ -- 21
 text.length$ -- 1
 text.prefix$ -- 0
 top$ -- 0
-type$ -- 4
+type$ -- 8
 warning$ -- 0
 while$ -- 5
-width$ -- 2
+width$ -- 3
-write$ -- 14
+write$ -- 31
--- a/proposal/main.fdb_latexmk
+++ b/proposal/main.fdb_latexmk
@ -1,13 +1,13 @@
 # Fdb version 4
-["bibtex main"] 1741223955.57465 "main.aux" "main.bbl" "main" 1741225267.56298 0
+["bibtex main"] 1741306293.87047 "main.aux" "main.bbl" "main" 1741306316.85271 0
-  "./main.bib" 1741221334.70223 1868 5b2bdf54dcb36f3ab85ee28144f01ecd ""
+  "./main.bib" 1741300748.35763 5994 20ecd8928290a142157e6ef9ab868528 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/bibtex/bst/base/abbrv.bst" 1 20329 b5fed53e10044d0f8112183785c759b1 ""
-  "main.aux" 1741225267.43109 1511 d615d7b8ba80f63ebee999e912e93468 "pdflatex"
+  "main.aux" 1741306316.72594 1447 10cffe4eef06f62f5e51bec1bd406974 "pdflatex"
  (generated)
  "main.bbl"
  "main.blg"
  (rewritten before read)
-["pdflatex"] 1741225267.25675 "main.tex" "main.pdf" "main" 1741225267.56313 0
+["pdflatex"] 1741306316.55798 "main.tex" "main.pdf" "main" 1741306316.85287 0
  "/nix/store/5dm6aqic0wy847ly9l1ag6h5v0rf9d7h-texlive-2024-env/share/texmf-var/fonts/map/pdftex/updmap/pdftex.map" 1 5475591 eb11ed3587e589f3f1b3bc88e82cac41 ""
  "/nix/store/5dm6aqic0wy847ly9l1ag6h5v0rf9d7h-texlive-2024-env/share/texmf-var/web2c/pdftex/pdflatex.fmt" 1 3326170 79d3a032a85b260f6299df810badd0e7 ""
  "/nix/store/5dm6aqic0wy847ly9l1ag6h5v0rf9d7h-texlive-2024-env/share/texmf-var/web2c/texmf.cnf" 1 43655 26b3ce848be7a4d9decb9b7c0f40cd25 ""
@ -17,29 +17,21 @@
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmmi12.tfm" 1 1524 4414a8315f39513458b80dfc63bff03a ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmmi6.tfm" 1 1512 f21f83efb36853c0b70002322c1ab3ad ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmmi8.tfm" 1 1520 eccf95517727cb11801f4f1aee3a21b4 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmmi9.tfm" 1 1524 d89e2d087a9828407a196f428428ef4a ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr10.tfm" 1 1296 45809c5a464d5f32c8f98ba97c1bb47f ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr12.tfm" 1 1288 655e228510b4c2a1abe905c368440826 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr17.tfm" 1 1292 296a67155bdbfc32aa9c636f21e91433 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr6.tfm" 1 1300 b62933e007d01cfd073f79b963c01526 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr8.tfm" 1 1292 21c1c5bfeaebccffdb478fd231a0997d ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr9.tfm" 1 1292 6b21b9c2c7bebb38aa2273f7ca0fb3af ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmsy10.tfm" 1 1124 6c73e740cf17375f03eec0ee63599741 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmsy6.tfm" 1 1116 933a60c408fc0a863a92debe84b2d294 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmsy8.tfm" 1 1120 8b7d695260f3cff42e636090a8002094 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmsy9.tfm" 1 1116 25a7bf822c58caf309a702ef79f4afbb ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmti10.tfm" 1 1480 aa8e34af0eb6a2941b776984cf1dfdc4 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmtt10.tfm" 1 768 1321e9409b4137d6fb428ac9dc956269 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmtt9.tfm" 1 764 c98a2af25c99b73a368cf7336e255190 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmbx12.pfb" 1 32080 340ef9bf63678554ee606688e7b5339d ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr10.pfb" 1 35752 024fb6c41858982481f6968b5fc26508 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr12.pfb" 1 32722 d7379af29a190c3f453aba36302ff5a9 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr6.pfb" 1 32734 69e00a6b65cedb993666e42eedb3d48f ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr8.pfb" 1 32726 0a1aea6fcd6468ee2cf64d891f5c43c8 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr9.pfb" 1 33993 9b89b85fd2d9df0482bd47194d1d3bf3 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmti10.pfb" 1 37944 359e864bd06cde3b1cf57bb20757fb06 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmtt10.pfb" 1 31099 c85edf1dd5b9e826d67c9c7293b6786c ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmtt9.pfb" 1 29078 718ea4567ceff944262b0f5b0800e1d9 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/context/base/mkii/supp-pdf.mkii" 1 71627 94eb9990bed73c364d7f53f960cc8c5b ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/latex/base/article.cls" 1 20144 67a5f8e0f9e445e8ec6834e595cebdc9 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/latex/base/size11.clo" 1 8464 6b4d01be31907866396cf4ac23881d2d ""
@ -53,9 +45,9 @@
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/latex/l3backend/l3backend-pdftex.def" 1 29785 9f93ab201fe5dd053afcc6c1bcf7d266 ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/latex/latexconfig/epstopdf-sys.cfg" 1 678 4792914a8f45be57bb98413425e4c7af ""
  "/nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/tex/latex/url/url.sty" 1 12796 8edb7d69a20b857904dd0ea757c14ec9 ""
-  "main.aux" 1741225267.43109 1511 d615d7b8ba80f63ebee999e912e93468 "pdflatex"
+  "main.aux" 1741306316.72594 1447 10cffe4eef06f62f5e51bec1bd406974 "pdflatex"
-  "main.bbl" 1741223955.62265 472 78c3e100d23a7d8d353aba352d4f0d55 "bibtex main"
+  "main.bbl" 1741306293.92193 907 24c88f01a5ad15ab5cd74ab57b2d58ad "bibtex main"
-  "main.tex" 1741225265.76609 9564 0123fa100069de1b5e4e27665b834d56 ""
+  "main.tex" 1741306315.50194 6087 57935cc8b2dab22c2348dbd759064421 ""
  (generated)
  "main.aux"
  "main.log"
--- a/proposal/main.fls
+++ b/proposal/main.fls
@ -57,10 +57,6 @@ INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fon
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmti10.tfm
 OUTPUT main.pdf
 INPUT /nix/store/5dm6aqic0wy847ly9l1ag6h5v0rf9d7h-texlive-2024-env/share/texmf-var/fonts/map/pdftex/updmap/pdftex.map
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmr9.tfm
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmmi9.tfm
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmsy9.tfm
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmtt9.tfm
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/tfm/public/cm/cmtt10.tfm
 INPUT ./main.bbl
 INPUT ./main.bbl
@ -69,9 +65,5 @@ INPUT main.aux
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmbx12.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr10.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr12.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr6.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr8.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr9.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmti10.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmtt10.pfb
 INPUT /nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmtt9.pfb
--- a/proposal/main.log
+++ b/proposal/main.log
@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/nixos.org) (preloaded format=pdflatex 1980.1.1)  6 MAR 2025 02:41
+This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/nixos.org) (preloaded format=pdflatex 1980.1.1)  7 MAR 2025 01:11
 entering extended mode
 restricted \write18 enabled.
 %&-line parsing enabled.
@ -127,19 +127,54 @@ LaTeX Font Info:    External font `cmex10' loaded for size
 {/nix/store/5dm6aqic0wy847ly9l1ag6h5v0rf9d7h-texlive-2024-env/share/texmf-var/f
 onts/map/pdftex/updmap/pdftex.map}]
-LaTeX Font Info:    External font `cmex10' loaded for size
+Underfull \hbox (badness 10000) in paragraph at lines 63--64
 (Font)              <9> on input line 103.
 LaTeX Font Info:    External font `cmex10' loaded for size
 (Font)              <5> on input line 103.
 [2]
 Underfull \hbox (badness 10000) in paragraph at lines 146--147
 []
-Underfull \hbox (badness 10000) in paragraph at lines 146--147
+Underfull \hbox (badness 10000) in paragraph at lines 66--67
 []
 Underfull \hbox (badness 10000) in paragraph at lines 69--70
 []
 Underfull \hbox (badness 10000) in paragraph at lines 71--72
 []
 Underfull \hbox (badness 10000) in paragraph at lines 74--75
 []
 [2]
 Underfull \hbox (badness 10000) in paragraph at lines 77--79
 []
 Underfull \hbox (badness 10000) in paragraph at lines 81--82
 []
 Underfull \hbox (badness 10000) in paragraph at lines 84--85
 []
 Underfull \hbox (badness 10000) in paragraph at lines 88--90
 []
 Underfull \hbox (badness 10000) in paragraph at lines 92--93
 []
@ -156,30 +191,25 @@ L3 programming layer <2024-10-09>
 ***********
 ) 
 Here is how much of TeX's memory you used:
- 1417 strings out of 473579
+ 1405 strings out of 473579
- 24274 string characters out of 5705100
+ 24079 string characters out of 5705100
- 414738 words of memory out of 5000000
+ 413741 words of memory out of 5000000
- 24338 multiletter control sequences out of 15000+600000
+ 24330 multiletter control sequences out of 15000+600000
- 564227 words of font info for 57 fonts, out of 8000000 for 9000
+ 563148 words of font info for 53 fonts, out of 8000000 for 9000
 1141 hyphenation exceptions out of 8191
- 57i,8n,65p,459b,355s stack positions out of 10000i,1000n,20000p,200000b,200000s
+ 57i,6n,65p,933b,243s stack positions out of 10000i,1000n,20000p,200000b,200000s
 </nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts
 /type1/public/amsfonts/cm/cmbx12.pfb></nix/store/sc5p4q3ajvk3586nnrj1iw87698zpg
 wl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr10.pfb></nix/st
 ore/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/pub
 lic/amsfonts/cm/cmr12.pfb></nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-
-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmr6.pfb></nix/store/sc5p4q3a
+2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmti10.pfb></nix/store/sc5p4q
-jvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts
+3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfon
-/cm/cmr8.pfb></nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texm
+ts/cm/cmtt10.pfb>
-fdist/fonts/type1/public/amsfonts/cm/cmr9.pfb></nix/store/sc5p4q3ajvk3586nnrj1i
+Output written on main.pdf (5 pages, 91430 bytes).
 w87698zpgwl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmti10.pf
 b></nix/store/sc5p4q3ajvk3586nnrj1iw87698zpgwl-texlive-2024-env-texmfdist/fonts
 /type1/public/amsfonts/cm/cmtt10.pfb></nix/store/sc5p4q3ajvk3586nnrj1iw87698zpg
 wl-texlive-2024-env-texmfdist/fonts/type1/public/amsfonts/cm/cmtt9.pfb>
 Output written on main.pdf (5 pages, 135135 bytes).
 PDF statistics:
- 65 PDF objects out of 1000 (max. 8388607)
+ 45 PDF objects out of 1000 (max. 8388607)
- 39 compressed objects within 1 object stream
+ 27 compressed objects within 1 object stream
 0 named destinations out of 1000 (max. 500000)
 1 words of extra memory for PDF output out of 10000 (max. 10000000)
--- a/proposal/main.pdf
+++ b/proposal/main.pdf
--- a/proposal/main.tex
+++ b/proposal/main.tex
@ -60,178 +60,38 @@ Vrije Universiteit Amsterdam
 \newpage
 \section*{Abstract}
-
+We will reproduce parts of Maar et al. \cite{tugraz:tlbsidechannel} and use them to perform a location disclosure attack on security critical kernel data structures. This will allow for further attacks which would usually be prevented by ASLR. To do so we will use kernel defenses that change the page mappings to 4kB and exploit a TLB side channel along with allocator massaging to leak the page-aligned address of critical data structures. We then further deduce precise addresses as well as performing error checking to improve success rate. \\
 Explain here the context, problem, prior work, your own approach, and expected impact if the project is successful. The word count is a maximum of 250. 
 Note:
 \begin{enumerate}
    \item This can be seen as a short summary of the combined Introduction and Conclusion sections.
 \end{enumerate}
 \section{Introduction} \label{sec:introduction}
-
+The goal of the project is to expose the location of security critical data structures such as the \texttt{cred} struct which would usually be prevented through (Kernel) ASLR. To do so we will use one of the technique presented in prior work by Maar et al. \cite{tugraz:tlbsidechannel} using TLB contention patterns caused by certain kernel defenses in combination with allocator massaging and in the process reproduce a subset of their findings. We will demonstrate the attack on an 8th Gen or newer Intel CPU and a 6.8 kernel. Depending on other factors, more systems may be evalutated. \\
 Explain the research project. Also include here the personal value you hope to derive from this project.
 Explain at least:
 \begin{enumerate}
    \item The context of this research project. How broad do you see the impact of a good result? (Will you change the world? The science of Europe? The industry of the Netherlands?)
    \item The key terms addressed in this research project. You will expand on this element in Section~\ref{sec:background}.
    \item The main problem addressed in this research project. You will expand on this element in Section~\ref{sec:problem}.
    \item The key prior work related to this research project. You will expand on this element in Section~\ref{sec:related}.
    \item The main research question, possibly paraphrased. You will expand on this element in Section~\ref{sec:researchq}. (If possible, also indicate the core of the approach, or an insight that can lead to it. You will expand on this element in Section~\ref{sec:approach}.)
    \item The expected contribution of this research, for the scientific community and/or for your employer. You will expand on this element in Sections~\ref{sec:researchq}, \ref{sec:approach}, and~\ref{sec:plan}.
    \item Expected contribution of this research, for yourself. How will this project develop you? How will it develop your career?
 \end{enumerate}
 For example, consider the project leading to publication~\cite{DBLP:conf/sc/AndreadisVMI18}:
 \begin{enumerate}
    \item Context: datacenters, the backbone of cloud computing and our digital economy.
    \item Key terms: datacenters, scheduling, reference architecture.
    \item Problem: understanding and improving the process of scheduling in datacenters.
    \item Key prior work: research on scheduling in large-scale systems, scheduling practices in Big Tech companies (Google, Microsoft, Alibaba, etc.)
    \item Main research question: How to design a good abstraction for datacenter scheduling? Key insight: a unified reference architecture is a good  abstraction for the scheduling process.
    \item Expected contribution, community: a survey, a reference architecture, an analysis of existing systems as mapped to the new reference architecture, a simulator implementing the reference architecture as the scientific instrument, experiments in simulation, description of a process for others to use the reference architecture, analysis of threats to validity. 
    Plus: a technical report accompanying the publication\footnote{The technical report is published as open science: \url{https://arxiv.org/pdf/1808.04224.pdf}}, various public talks, etc. (The team also went for and obtained the ACM reproducibility badge, which among others requires publishing FOS software and FAIR data.)
    \item Expected contribution, personal: development into an independent researcher.
 \end{enumerate}
 \section{Background} \label{sec:background}
 Under usual circumstances kernel objects are memory mapped to 2MB pages, however Maar et al. \cite{tugraz:tlbsidechannel} identify 3 kernel defenses which change the memory mapping (partially) to 4kB. With this an attacker can ensure the target object is located in one of those 4kB mappings and loaded into the TLB. Then using access primitives creates a TLB contention pattern, based on which the page-aligned address of the target can be inferred and further the exact address of the target can be deduced.\\
-Explain the key concepts needed to understand this work.
+The 3 kernel defenses are \texttt{CONFIG\_STRICT\_MODULE\_RWX}, \texttt{CONFIG\_SLAB\_VIRTUAL} and \\ \texttt{CONFIG\_VMAP\_STACK}. As the name suggests the last one only changes the mapping of the stack to 4kB and therefore only allows leakage of the kernel stack which is not interesting to us. \texttt{CONFIG\_STRICT\_MODULE\_RWX} is more interesting, however Maar et al. \cite{tugraz:tlbsidechannel} were unable to reliably leak the \texttt{cred} struct specifically using this exploit. This leaves \texttt{CONFIG\_SLAB\_VIRTUAL} which is a kernel defense introduced in the patched kernel for the Google KernelCTF. Other than \texttt{CONFIG\_STRICT\_MODULE\_RWX} this changes the entire heap mapping to 4kB instead of just the area around a loaded module. This potentially increases TLB noise but achieving a near 100\% success rate should still be possible with use of error correction. \\
 See also Section~II of ~\cite{DBLP:conf/sc/AndreadisVMI18}.
 \section{Problem} \label{sec:problem}
-
+KASLR as a defense obfuscates the location of security critical objects which could be used in many exploits if exposed. If we are able to find a stable exploit to expose the location of these objections and therefore partially break KASLR many attacks previously prevented by it become possible again. In this use case, specifically data-only attacks greatly benefit from the potential data leaked here. \\
 Explain in this section the main problem addressed in this work. The goal is to emphasize the value of a research project that addresses the problem. See also Sections~I and~III.A of~\cite{DBLP:conf/sc/AndreadisVMI18}.
 Notes:
 \begin{enumerate}
 \item 
 Define the scope of the problem.
 \item
 Refer back to the background~(see Section~\ref{sec:background}) for key terms.
 \end{enumerate}
 \section{Related Work} \label{sec:related}
-
+Maar et al. \cite{tugraz:tlbsidechannel} is clearly related as my work will be largely reproducing a subset of this work and provide everything required to use it for further data-only attacks. \\
-Explain in this section related work on the problem explained in Section~\ref{sec:problem}. The goal is to emphasize the extent and the key elements of related work. 
+Further Gruss et al. \cite{tugraz:prefetch} may be relevant as it is used to distinguish mapped pages without violating access permissions. \\
 See also Sections~I and~VII of~\cite{DBLP:conf/sc/AndreadisVMI18}.
 Notes:
 \begin{enumerate}
 \item 
 At this stage of your research career, this part will include a brief survey of the state-of-the-art, guided by the project supervisor. 
 \item 
 Review and summarize the related work. What is known already? What should be known but isn't? 
 \end{enumerate}
 \section{Research Question(s)} \label{sec:researchq}
-
+We invastigate the location disclosure attacks presented in Maar et al \cite{tugraz:tlbsidechannel} and investigate if we can provide a simple, usable disclosure attack to leak the location of security critical data structures which can be chained with further attacks. \\
 Explain in this section the core research of the project. The goal is to show that the research is sufficiently balanced and broad. See also Sections~I and the short formulations (e.g., ``we investigate...'') in the following sections of~\cite{DBLP:conf/sc/AndreadisVMI18}. \\ \\
 Notes:
 \begin{enumerate}
 \item 
 Formulate the main research question. 
 \item 
 Define the scope of the project. Typically, the scope of the project is much smaller than the scope of the problem (defined in Section~\ref{sec:problem}).
 \item 
 Define detailed research questions. For each, explain at least: \textit{Why?}, \textit{Why important?}, and \textit{Why challenging?}
 \end{enumerate}
 \section{Approach} \label{sec:approach}
 In the first step we will analyze the most feasible way to leak the information of interest. Then we will attempt to perform such a disclosure attack on interesting data structures in a way which can be used in combination with follow-up attacks. If possible a last step may involve testing the attack on later kernels or different hardware. \\
 Explain in this section how you anticipate you can answer the question(s) formulated in Section~\ref{sec:researchq}. The goal is to show that the research is feasible. For this reason, this section is mainly methodological; the pragmatic plans on how to complete all this work follow, in Section~\ref{sec:plan}. See, for example, Sections~I (overview) and~V.A (experiment design) of~\cite{DBLP:conf/sc/AndreadisVMI18}.
 Notes:
 \begin{enumerate}
 \item 
 Describe the approach, for each research question. Emphasis on method(s) -- What? Expected contribution.
 \item 
 Introduce intuition about the key innovation and/or conceptual contribution.
 \item 
 Try to explain why the approach would work. Explain the expected technical contribution.
 \end{enumerate}
 \section{Plan} \label{sec:plan}
-
+The first step is mostly theoretical, however it may be necessary to reexamine the decisions made if further challenges arise in later steps. \\
-Explain in this section how you expect to complete the parts defined in Section~\ref{sec:approach}. The goal is to show the work is feasible in the allocated time.
+The next step will be performed on provided hardware, preferrably using VMs but if this proves impossible also on bare metal following the steps learned in the setups of the VM. \\
 \
 Notes:
 \begin{enumerate}
 \item 
 Understand this is a preliminary plan.
 \item 
 Try to define at least the large components of the project. To do this, discuss with the project supervisor and/or consult a good article published recently in the field. For the running example, consult~\cite{DBLP:conf/sc/AndreadisVMI18}.
 \item
 Try to plan tasks with a granularity of at most one week, and ideally with a granularity of a day. Try to make the near-future tasks SMART. Plan tasks long into the future of the project as \textit{slack}. 
 \item
 Try to attach milestones and key deliverables to the most important tasks. Make sure deliverables include the final report (or article) and at least one presentation (hopefully, in a major scientific venue).
 \item
 Revisit the plans as soon as you complete a task, but especially after the first few tasks of a kind, e.g., a literature review task (you read a new article), a design iteration (you made or improved a design), an implementation task (you coded a new feature), an experiment task (you conducted one experiment).
 \end{enumerate}
 \newpage
 For the running example, the research plan included:
 \begin{verbatim}
 ```
 I plan to take the first two research questions in one step, since
 they are closely related:
 To build a representative abstraction, I need to survey the 
 existing approaches in the field. This way, the validation step 
 is combined with the design step. This combined stage I
 intend to work on in the coming three months, and 
 have a first report on my results ready by late January 2017.
 After this stage is completed, I will begin integrating it in the
 OpenDC project [n.b., the simulator].
 Because I can imagine that this step will take a 
 substantial amount of time,  I plan to have produced a first, 
 full prototype of this integration by May 2017.
 I will try to keep the paper writing process parallel to 
 these two stages as much as possible. However, knowing that 
 this is difficult, I am allocating the time from June to
 July of 2017 to tie together the pieces and get 
 this paper ready for publication.
 ```
 \end{verbatim}
 \section{Conclusion} \label{sec:conclusion}
 We will use a kernel defense to force 4kB page mapping for security critical data structures. Then we will use kernel allocator massaging and a TLB side channel to leak their location despite KASLR being enabled. We will further use error correction to attempt to provide a stable exploit which can be used for further exploits. \\
-Revisit the context, problem statement, related work, and research design. See, for example, Section~VIII of~\cite{DBLP:conf/sc/AndreadisVMI18}.
+\newpage
 % For more on bibliography styles, see 
 % https://www.overleaf.com/learn/latex/Bibtex_bibliography_styles
 \bibliographystyle{abbrv}