
Abstract

Ben Gras has been in this group since 2015. He has worked on software reliability, defensive research projects, and most recently, offensive research. His offensive work most notably includes making cross-VM Rowhammer exploitation reliable and a cache-based side-channel attack on the MMU.
From February to July 2017 he did a research internship with Cisco's security research group in Knoxville, TN, where he developed a protocol for detecting router malware, countering attacks on network infrastructure.
He is presently pursuing a PhD in mischief.

[Abstract]
==========

This talk presents a novel cache side-channel attack on the memory management unit (MMU) of contemporary processors. This attack, which we call ASLR^Cache or AnC for short, allows us to break 64-bit ASLR in the browser from JavaScript. With AnC in place, attackers no longer need to leak pointers before engaging in, for example, control-flow diversion attacks. Unlike existing side-channel attacks on ASLR, AnC is not easy to mitigate, because it relies on hardware behaviour alone.
AnC relies on the fact that during address translation, the MMU's page table walk ends up in the processor's data caches. This research is the first publication to find and confirm this fact, and it is what makes a cache attack on ASLR possible.
We show how we can perform AnC even from JavaScript, which made it necessary to find an accurate memory access timing mechanism that was previously unavailable. We found two such mechanisms and have working proofs of concept for Firefox and Chrome. New for the proof of concept, we also developed a technique for reducing measurement noise.
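To make the leak concrete, the following added example (not code from the talk or the AnC paper) models which cache line of each page-table page a four-level x86-64 walk touches for a given virtual address, and how many address bits those line offsets alone pin down regardless of software randomization. It assumes 4 KiB pages, 8-byte page-table entries and 64-byte cache lines; the sample address is constructed.

```python
# Added example (not from the talk): model which cache lines an x86-64
# four-level page-table walk touches for a virtual address, and how many
# bits of that address the line offsets alone reveal.
# Assumptions: 4 KiB pages, 8-byte page-table entries, 64-byte cache lines.
PAGE_SHIFT = 12           # 4 KiB pages
IDX_BITS = 9              # 512 entries per page-table page
LEVELS = ("PML4", "PDPT", "PD", "PT")
PTES_PER_LINE = 64 // 8   # 8 entries share one cache line
LINE_BITS = IDX_BITS - 3  # 6 bits of each 9-bit index select the line


def level_shift(level):
    """Bit position of the 9-bit index used at page-table level 0..3."""
    return PAGE_SHIFT + IDX_BITS * (len(LEVELS) - 1 - level)


def page_table_indices(va):
    """The four 9-bit indices the MMU uses to walk the tables for va."""
    return [(va >> level_shift(l)) & 0x1FF for l in range(len(LEVELS))]


def walk_cache_lines(va):
    """Per level: (name, index, cache line within the table page, slot in line)."""
    trace = []
    for l, idx in enumerate(page_table_indices(va)):
        trace.append((LEVELS[l], idx, idx // PTES_PER_LINE, idx % PTES_PER_LINE))
    return trace


def bits_implied_by_lines(lines):
    """Given only the cache line touched at each level (the signal a cache
    side channel can observe), return (value, mask) of the va bits that are
    thereby fixed. The low 3 bits of each index (slot in line) stay unknown."""
    value = mask = 0
    for l, line in enumerate(lines):
        shift = level_shift(l)
        value |= (line * PTES_PER_LINE) << shift
        mask |= ((1 << LINE_BITS) - 1) * PTES_PER_LINE << shift
    return value, mask


if __name__ == "__main__":
    va = 0x7F1234567000  # constructed user-space address
    trace = walk_cache_lines(va)
    for name, idx, line, slot in trace:
        print(f"{name}: index {idx:3d} -> cache line {line:2d}, slot {slot}")
    value, mask = bits_implied_by_lines([t[2] for t in trace])
    print(f"{bin(mask).count('1')} of the 36 index bits are fixed by line offsets alone")
```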

Slides