CPSRC Seminar - Software Exploitation: Hardware is the New Black

Speaker Name: Cristiano Giuffrida
Speaker Organization: Vrije Universiteit Amsterdam
Start Time: Friday, May 17, 2019 - 1:30pm
End Time: Friday, May 17, 2019 - 3:00pm
Location: E2 506
Alvaro Cardenas and Ricardo Sanfelice



What would the world be like if software had no bugs? Would software systems be impenetrable and our data shielded from prying eyes? Not quite. In this talk, I will present evidence that reliable attacks targeting even "perfect" software are a realistic threat. Such attacks exploit properties of modern hardware to completely subvert a system, even in the absence of software or configuration bugs. To substantiate this claim, I will illustrate practical attacks in real-world settings, such as browsers, clouds, and mobile. The implications are worrisome. Even bug-free (say, formally verified) software can be successfully targeted by a relatively low-effort attacker. Moreover, state-of-the-art security defenses, which have proven useful for raising the bar against traditional software exploitation techniques, are completely ineffective against such attacks. It is time to revisit our assumptions about realistic adversarial models and investigate defenses that consider threats in the entire hardware/software stack. Pandora's box has been opened.



Cristiano Giuffrida is a Tenured Assistant Professor in the Computer Science Department at the Vrije Universiteit Amsterdam. His research interests span several aspects of computer systems, with a strong focus on systems security. He received a Ph.D. cum laude from the Vrije Universiteit Amsterdam under the supervision of Andy Tanenbaum in 2014. He was awarded the Roger Needham Award at EuroSys and the Dennis M. Ritchie Award at SOSP for the best Ph.D. dissertation in computer systems in 2015 (in Europe and worldwide, respectively). He was awarded a VENI grant (the Dutch equivalent of an NSF CAREER Award, for researchers up to three years past their Ph.D.) in 2017. He has served on the program committees of a number of top systems and security venues, such as SOSP, OSDI, EuroSys, S&P, CCS, NDSS, and USENIX Security.