Security is an overlooked component in our computer architecture education. I often get the following questions from undergraduate students and junior PhD students: “I have a strong interest in hardware security, but how shall I start learning or teaching myself about this research topic?” and “I know I like computer architecture, but how can I know whether I will enjoy hardware security research or not?”
This article provides a starter kit for students who want to learn more about computer architecture security research. These resources are collected based on my own learning experience and are far from comprehensive. I divide these resources into two parts. The first part lists and acknowledges existing efforts in the community. The second part introduces and releases five hands-on lab assignments on hardware attacks and defenses. We design the labs as CTF (capture-the-flag) challenges to help students learn computer architecture security for fun.
Existing Highly Appreciated Efforts
It is exciting to see that many colleagues have made impressive efforts to help prepare our students to enter this research domain. Here is a short list of existing resources that I found very useful. Note that this list does not include survey papers and advanced materials, but primarily focuses on the basics. I try to come up with a lightweight starter kit and meanwhile cover different types of resources.
- The book “Security Basics for Computer Architects” by Ruby Lee could serve as great introductory material for students who want to understand basic security concepts. The book “Principles of Secure Processor Architecture Design” by Jakub Szefer provides a relatively comprehensive overview of academic and commercial secure processor architectures.
- The 118-page article “Intel SGX Explained” by Victor Costan and Srinivas Devadas is a nice read for anyone who wants to understand how to design secure processors. Instead of being very specific to Intel SGX, the article covers basic crypto primitives and advanced system primitives, and shows how these primitives can be applied to design secure processors.
- The Dead Drop lab developed by Chris Fletcher is the first-ever hands-on material for anyone who wants to try cache-based covert channel attacks on real processors. The lab is designed open-ended so that students can have a lot of fun by trying all possible tricks to improve the performance of their attacks.
- The MAD (micro-architecture attacks and defenses) Tutorial (co-located with ISCA’22) organized by Chris Fletcher, Mohit Tiwari, Mengjia Yan, and Moin Qureshi. The tutorial provides a series of insightful keynotes and talks. In addition, the tutorial is unique because it hosts a small CTF (capture the flag) competition to help attendees learn side channel attacks on-site. This year, we had 26 teams participating and 3 teams capturing all the flags.
The Release of Five Hands-on Labs
No one would disagree that the best way to learn programming is to get your hands dirty and start coding by hand. This is even more true for studying security. Computer Security courses (with a primary focus on software security) usually feature a series of lab assignments for students to learn the fundamentals of computer security by attacking vulnerable software systems. I have seen students “suffer” from these lab assignments, and meanwhile enjoy the process so much that they actually learn a lot. We hope to develop such lab assignments for learning hardware security.
As a team with my students, we started working on the lab development in 2021. We now have 5 lab assignments covering multiple important computer architecture security topics. Most labs are designed as CTF (capture the flag) challenges. We tested these labs in Spring 2022 with a group of 16 MIT undergraduate and MEng students. Almost everyone completes all the labs with some help from the TA via office hours and piazza. As the labs are relatively mature, we think it is a good time to open-source these lab materials so that everyone in the community can benefit from them. All the materials can be found on the MIT 6.888 Secure Hardware Design Lab page.
A brief overview of the five labs is listed below.
- Cache side channels: The end goal of this lab is to guide the students through the process of implementing a highly reliable Prime+Probe cache attack. The lab warms up students to get familiar with basic attack primitives, implements the baseline attacks, and ends with a capture-the-flag challenge, where the students will try to steal a secret from 3 different victim binaries with increasing difficulty.
- Speculative execution attacks: This lab sets up an environment for the students to implement their own Spectre attacks to leak secrets from kernel address space to user space. The full lab includes 3 CTF challenges with varying difficulty levels. To conquer the last CTF challenge, the students need to come up with a smart strategy to manipulate speculation windows.
- ML-assisted website fingerprinting: In this lab, the students will use machine learning to assist a side channel attack in performing a website fingerprint attack. The lab focuses on how to design effective post-processing techniques to analyze side-channel traces and handle system noises. The lab is inspired by our recent ISCA’22 paper “There’s Always A Bigger Fish”. We let the students implement a cache-based attack and then guide them to figure out that the majority of the attack’s signals come from system interrupts.
- RowHammer: Rowhammer sounds simple on paper, but is difficult in practice. We design the lab in two parts to make Rowhammer attacks more approachable. In Part 1, the students take a shortcut to observe bitflips in the wild as we provide them with the physical addresses of vulnerable rows. In Part 2, the students will extend their knowledge of DRAM geometry fundamentals, find vulnerable rows by themselves, and conduct an end-to-end Rowhammer attack.
- ASLR Bypass: As suggested in the recent paper from our group PACMAN Attack, it is essential to study the compound threat model of memory corruption vulnerabilities and micro-architectural vulnerabilities, instead of treating them separately. This lab gives an example for studying this compound threat model. The lab first teaches the student the basic ROP attacks, and then guides the students to use a prefetch side channel attack to bypass ASLR to make the ROP attacks work.
We are delighted to share the resources with the community.
- For course instructors: We would be excited if you are interested in incorporating the lab assignments into your courses. We could offer help, such as providing tips on setting up the infrastructure, supplying scripts we used for grading the labs, and sharing the list of commonly asked questions from students and the answers to address them.
- For individuals: Since we will use the same set of labs for future iterations of the secure hardware design course at MIT, we will not release any solutions. Feel free to email us if you want to try these lab assignments.
If you are using our labs, please acknowledge the following students for developing and thoroughly testing these labs: Joseph Ravichandran, Peter Deutsch, Jack Cook, Miguel Gomez-Garcia, Miles Dai, Yuheng Yang, Mengyuan Li, Weon Taek Na. We are currently working on further extending the lab suite. The lab development team can be reached at firstname.lastname@example.org
About the Author: Mengjia Yan is an Assistant Professor at MIT’s EECS Department and a member of CSAIL. She received her Ph.D. degree from the University of Illinois at Urbana-Champaign (UIUC). Her research interest lies in the areas of computer architecture and hardware security.
Disclaimer: These posts are written by individual contributors to share their thoughts on the Computer Architecture Today blog for the benefit of the community. Any views or opinions represented in this blog are personal, belong solely to the blog author and do not represent those of ACM SIGARCH or its parent organization, ACM.