To exploit software, attackers must understand how hardware works. Classic exploits like control flow hijacks require malicious code to tamper with ISA-visible state-like return addresses on a stack. More recent attacks like Spectre and Meltdown leverage knowledge of microarchitectural details like speculative execution and caching eviction strategies. Attacks like Foreshadow demonstrate that even hardware-based isolation environments like SGX are vulnerable to software-level exploitation of hardware-level state.
This course will provide an overview of how malicious software can abuse hardware knowledge. First, we will discuss how to break ISA-level control flow integrity using simple buffer overflows and progressively more advanced attacks like return-oriented programming. Next, we will discuss hardware-assisted mechanisms for preventing control flow subversion (e.g., shadow stacks and kBouncer). The course will then transition to a discussion of microarchitectural attacks and defenses. We will examine classic side channel attacks like PRIME+PROBE; after an introduction to SGX and TrustZone, the course will discuss how these isolation mechanisms can be broken using knowledge of their microarchitectural implementations.
James Mickens is a professor of computer science at Harvard University. His research focuses on the performance, security, and robustness of web services and other datacenter-scale computations. Mickens received a B.S. degree in computer science from the Georgia Institute of Technology, and a Ph.D. in computer science from the University of Michigan. Before coming to Harvard, he spent seven years as a researcher at Microsoft; he was also a visiting professor at MIT.