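@inproceedings{tugraz:tlbsidechannel,
	title = "When Good Kernel Defenses Go Bad: Reliable and Stable Kernel
	         Exploits via Defense-Amplified {TLB} Side-Channel Leaks",
	abstract = "Over the past decade, the Linux kernel has seen a significant
	            number of memory-safety vulnerabilities. However, exploiting
	            these vulnerabilities becomes substantially harder as defenses
	            increase. A fundamental defense of the Linux kernel is the
	            randomization of memory locations for security-critical objects,
	            which greatly limits or prevents exploitation. In this paper, we
	            show that we can exploit side-channel leakage in defenses to leak
	            the locations of security-critical kernel objects. These location
	            disclosure attacks enable successful exploitations on the latest
	            Linux kernel, facilitating reliable and stable system compromise
	            both with re-enabled and new exploit techniques. To identify
	            side-channel leakages of defenses, we systematically analyze 127
	            defenses. Based on this analysis, we show that enabling any of 3
	            defenses -- enforcing strict memory permissions or virtualizing
	            the kernel heap or kernel stack -- allows us to obtain
	            fine-grained TLB contention patterns via an Evict+Reload TLB
	            side-channel attack. We combine these patterns with kernel
	            allocator massaging to present location disclosure attacks,
	            leaking the locations of kernel objects, i.e., heap objects, page
	            tables, and stacks. To demonstrate the practicality of these
	            attacks, we evaluate them on recent Intel CPUs and multiple
	            kernel versions, with a runtime of 0.3 s to 17.8 s and almost no
	            false positives. Since these attacks work due to side-channel
	            leakage in defenses, we argue that the virtual stack defense
	            makes the system less secure.",
	author = "Maar, Lukas and Giner, Lukas and Gruss, Daniel and Mangard, Stefan",
	year = "2025",
	month = aug,
	day = "13",
	language = "English",
	publisher = "USENIX Association",
	booktitle = "Proceedings of the 34th USENIX Security Symposium",
	address = "United States",
	note = "34th USENIX Security Symposium (USENIX Security 2025, USENIX'25);
	        conference date: 13-08-2025 through 15-08-2025",
	url = "https://www.usenix.org/conference/usenixsecurity25",
	internal-note = "series field dropped: it repeated booktitle verbatim
	                 and would be printed twice by plain styles",
}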

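@inproceedings{tugraz:prefetch,
	author = {Gruss, Daniel and Maurice, Cl{\'e}mentine and Fogh, Anders and
	          Lipp, Moritz and Mangard, Stefan},
	title = {Prefetch Side-Channel Attacks: Bypassing {SMAP} and Kernel {ASLR}},
	year = {2016},
	isbn = {9781450341394},
	publisher = {Association for Computing Machinery},
	address = {New York, NY, USA},
	doi = {10.1145/2976749.2978356},
	abstract = {Modern operating systems use hardware support to protect against
	            control-flow hijacking attacks such as code-injection attacks.
	            Typically, write access to executable pages is prevented and
	            kernel mode execution is restricted to kernel code pages only.
	            However, current CPUs provide no protection against code-reuse
	            attacks like ROP. ASLR is used to prevent these attacks by making
	            all addresses unpredictable for an attacker. Hence, the kernel
	            security relies fundamentally on preventing access to address
	            information. We introduce Prefetch Side-Channel Attacks, a new
	            class of generic attacks exploiting major weaknesses in prefetch
	            instructions. This allows unprivileged attackers to obtain
	            address information and thus compromise the entire system by
	            defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch
	            inaccessible privileged memory into various caches on Intel x86.
	            It also leaks the translation-level for virtual addresses on both
	            Intel x86 and ARMv8-A. We build three attacks exploiting these
	            properties. Our first attack retrieves an exact image of the full
	            paging hierarchy of a process, defeating both user space and
	            kernel space ASLR. Our second attack resolves virtual to physical
	            addresses to bypass SMAP on 64-bit Linux systems, enabling
	            ret2dir attacks. We demonstrate this from unprivileged user
	            programs on Linux and inside Amazon EC2 virtual machines.
	            Finally, we demonstrate how to defeat kernel ASLR on Windows 10,
	            enabling ROP attacks on kernel and driver binary code. We propose
	            a new form of strong kernel isolation to protect commodity
	            systems incuring an overhead of only 0.06--5.09\%.},
	booktitle = {Proceedings of the 2016 ACM SIGSAC Conference on Computer and
	             Communications Security},
	pages = {368--379},
	numpages = {12},
	keywords = {timing attacks, kernel vulnerabilities, ASLR},
	location = {Vienna, Austria},
	series = {CCS '16},
	internal-note = {url field dropped: it was only the doi.org resolver for the
	                 doi field above; styles build that link from doi},
}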

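@inproceedings{DBLP:conf/sc/AndreadisVMI18,
	author = {Andreadis, Georgios and Versluis, Laurens and Mastenbroek, Fabian
	          and Iosup, Alexandru},
	title = {A Reference Architecture for Datacenter Scheduling: Design,
	         Validation, and Experiments},
	booktitle = {Proceedings of the International Conference for High
	             Performance Computing, Networking, Storage, and Analysis, {SC}
	             2018, Dallas, TX, USA, November 11--16, 2018},
	pages = {37:1--37:15},
	publisher = {{IEEE} / {ACM}},
	year = {2018},
	url = {http://dl.acm.org/citation.cfm?id=3291706},
	timestamp = {Mon, 12 Nov 2018 09:20:44 +0100},
	biburl = {https://dblp.org/rec/conf/sc/AndreadisVMI18.bib},
	bibsource = {dblp computer science bibliography, https://dblp.org},
}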