Talk: Software Security Challenges in the Era of Modern Hardware

LIVE STREAM: https://uwmadison.zoom.us/j/91087258748?pwd=UGNCc3VaTHhNMU5uQnZtd0VOMElZQT09

Abstract: Today’s hardware cannot keep secrets. Indeed, the past two decades have seen the discovery of a slew of attacks where an adversary exploits hardware features to leak software’s sensitive data. These attacks have shaken the foundations of computer security and caused a major disruption in the software industry. Fortunately, there has been a saving grace, namely the widespread adoption of models that have enabled developers to build secure software while comprehensively preventing hardware vulnerabilities.

In this talk, I will present two new classes of vulnerabilities that fundamentally undermine these prevailing models for building secure software. In the first part, I will demonstrate that the current constant-time programming model is insufficient to guarantee constant-time execution. In the second part, I will demonstrate that the current resource partitioning model is insufficient to guarantee software isolation. Finally, I will provide an overview of my future research plans for enabling the design of more secure software and hardware systems.

Bio: Riccardo Paccagnella is a PhD candidate in Computer Science at the University of Illinois Urbana-Champaign. His research is in system and hardware security. Riccardo is a recipient of a Distinguished Reviewer Award at the IEEE S&P 2021 Shadow PC, a Siebel Scholars Award, and a Chirag Foundation Graduate Fellowship. His work has been covered by national and international press — including Ars Technica, New Scientist, and Wired — and recognized with prestigious awards, including a MICRO Top Picks 2023 distinction, the Pwnie 2022 Award for Best Cryptographic Attack, the CSAW 2022 Applied Research Competition Best Paper Runner-up Award, a Pwnie 2021 Nomination for Most Innovative Research, and a CSLSC 2022 Best Presentation Award. In light of his research, the cryptographic community and several companies (including Cloudflare, Microsoft, Intel, AMD, Ampere, ARM) have taken action that includes patching cryptographic libraries, issuing security advisories, and creating new guidance for writing secure cryptographic code.