Slot 4

Software-level Attacks on Architectural and Microarchitectural State
James Mickens, Harvard University, United States


To exploit software, attackers must understand how hardware works. Classic exploits like control flow hijacks require malicious code to tamper with ISA-visible state such as return addresses on the stack. More recent attacks like Spectre and Meltdown leverage knowledge of microarchitectural details like speculative execution and cache eviction policies. Attacks like Foreshadow demonstrate that even hardware-based isolation environments like SGX are vulnerable to software-level exploitation of hardware-level state.

This course will provide an overview of how malicious software can abuse hardware knowledge. First, we will discuss how to break ISA-level control flow integrity using simple buffer overflows and progressively more advanced attacks like return-oriented programming. Next, we will discuss hardware-assisted mechanisms for preventing control flow subversion (e.g., shadow stacks and kBouncer). The course will then transition to a discussion of microarchitectural attacks and defenses. We will examine classic cache side channel attacks like PRIME+PROBE; after an introduction to SGX and TrustZone, the course will discuss how these isolation mechanisms can be broken using knowledge of their microarchitectural implementations.
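The first two steps of the course, a buffer overflow that corrupts an ISA-visible return address and a shadow stack that detects the corruption, can be shown in a few lines of C. The program below is an added example, not course material or code by the author: it models a stack frame as a struct with a 16-byte local buffer followed by the saved return address, performs an unchecked copy into that buffer, and then checks the return address against a software shadow stack. The frame layout, the "legitimate" return site 0x401000 and the attacker's target 0xdeadbeef are assumptions chosen so the example is deterministic; a real frame is laid out by the compiler and a real shadow stack (e.g. the one in Intel CET) lives in hardware-protected memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a stack frame: a fixed-size local buffer with the
 * saved return address just above it, the way a compiler lays out a frame
 * for a function that calls strcpy() into a local array. Real frame layouts
 * vary by compiler, ABI and hardening flags; this struct is deterministic so
 * the example behaves the same on every machine. */
struct frame {
    char buf[16];
    uintptr_t saved_ret;
};

#define LEGIT_RET    ((uintptr_t)0x401000u)   /* assumed legitimate return site */
#define GADGET_ADDR  ((uintptr_t)0xdeadbeefu) /* assumed attacker-chosen target */
#define SHADOW_DEPTH 64

static uintptr_t shadow_stack[SHADOW_DEPTH];
static size_t shadow_top;

/* Shadow stack: on call, keep a second copy of the return address in memory
 * the overflow cannot reach (hardware shadow stacks keep it in a separately
 * protected region); on return, compare it against the copy in the frame. */
static void shadow_push(uintptr_t ret) { shadow_stack[shadow_top++] = ret; }
static int shadow_pop_matches(uintptr_t frame_ret) {
    return shadow_stack[--shadow_top] == frame_ret;
}

/* The vulnerable copy: writes len bytes from input starting at buf with no
 * check against sizeof f->buf, so bytes 16 and up land on saved_ret. Bytes
 * are written through a char pointer to the whole struct so the overrun is
 * well-defined C; len is capped at sizeof(struct frame) only so the model
 * itself does not overrun. */
static void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len) {
    unsigned char *dst = (unsigned char *)f;
    if (len > sizeof *f) len = sizeof *f;
    for (size_t i = 0; i < len; i++)
        dst[i] = input[i];                 /* no bounds check on the buffer */
}

/* Attacker's payload: pad up to the return-address slot, then the target. */
static size_t build_payload(unsigned char *out, uintptr_t target) {
    size_t off = offsetof(struct frame, saved_ret);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Return address left in the frame after an unchecked copy of input. */
static uintptr_t return_address_after_copy(const unsigned char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = LEGIT_RET;
    vulnerable_copy(&f, input, len);
    return f.saved_ret;
}

/* Same call wrapped in shadow-stack bookkeeping. Returns 1 if the shadow
 * stack flags the return, 0 if the return address is intact. */
static int shadow_stack_detects(const unsigned char *input, size_t len) {
    shadow_push(LEGIT_RET);
    return !shadow_pop_matches(return_address_after_copy(input, len));
}

/* Malicious input without a shadow stack: the return is hijacked (1). */
static int demo_attack_hijacks(void) {
    unsigned char payload[sizeof(struct frame)];
    size_t len = build_payload(payload, GADGET_ADDR);
    return return_address_after_copy(payload, len) == GADGET_ADDR;
}

/* Same input with a shadow stack: the corruption is detected (1). */
static int demo_shadow_catches(void) {
    unsigned char payload[sizeof(struct frame)];
    size_t len = build_payload(payload, GADGET_ADDR);
    return shadow_stack_detects(payload, len);
}

/* Benign input fits in the buffer and never trips the shadow stack (0). */
static int demo_benign_input(void) {
    const unsigned char hello[] = "hello";
    return shadow_stack_detects(hello, sizeof hello);
}

int main(void) {
    printf("hijacked without shadow stack:  %d\n", demo_attack_hijacks());
    printf("shadow stack detected hijack:   %d\n", demo_shadow_catches());
    printf("false positive on benign input: %d\n", demo_benign_input());
    return 0;
}
```

The point of the shadow stack is visible in `shadow_stack_detects`: the attacker controls every byte of the frame, but not the copy kept elsewhere, so a mismatch at return time is a reliable signal. This is also why return-oriented programming, which chains gadgets through corrupted return addresses, is blocked by a shadow stack while a forward-edge hijack (an overwritten function pointer) is not; the course's discussion of kBouncer covers a complementary check based on the CPU's branch-history record.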


James Mickens is a professor of computer science at Harvard University. His research focuses on the performance, security, and robustness of web services and other datacenter-scale computations. Mickens received a B.S. degree in computer science from the Georgia Institute of Technology, and a Ph.D. in computer science from the University of Michigan. Before coming to Harvard, he spent seven years as a researcher at Microsoft; he was also a visiting professor at MIT.
