Time protection: the missing OS abstraction Ge et al., EuroSys'19 Ever since the prominent emergence of timing-based microarchitectural attacks (e.g. Spectre, Meltdown, and friends) I’ve been wondering what we can do about them. When a side-channel is based on observing improved performance, a solution that removes the improved performance can work, but is clearly undesirable. … Continue reading Time protection: the missing OS abstraction
Author: adriancolyer
Venture Partner with Accel in London, author of 'The Morning Paper'
Master of web puppets: abusing web browsers for persistent and stealthy computation
Master of web puppets: abusing web browsers for persistent and stealthy computation Papadopoulus et al., NDSS'19 UPDATE 2019-04-14: An author update has been published for this paper which details that with current browser versions, ServiceWorkers can only stay alive for about a minute after the user navigates away from the site. This mitigates the main … Continue reading Master of web puppets: abusing web browsers for persistent and stealthy computation
Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild
Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild Steffens et al., NDSS'19 Does your web application make use of local storage? If so, then like many developers you may well be making the assumption that when you read from local storage, it will only contain the data that … Continue reading Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild
How bad can it git? Characterizing secret leakage in public GitHub repositories
How bad can it git? Characterizing secret leakage in public GitHub repositories Meli et al., NDSS'19 On the one hand you might say there’s no new news here. We know that developers shouldn’t commit secrets, and we know that secrets leaked to GitHub can be discovered and exploited very quickly. On the other hand, this … Continue reading How bad can it git? Characterizing secret leakage in public GitHub repositories
Ginseng: keeping secrets in registers when you distrust the operating system
Ginseng: keeping secrets in registers when you distrust the operating system Yun & Zhong et al., NDSS'19 Suppose you did go to the extreme length of establishing an unconditional root of trust for your system, even then, unless every subsequent piece of code you load is also fully trusted (e.g., formally verified) then you’re open … Continue reading Ginseng: keeping secrets in registers when you distrust the operating system
Establishing software root of trust unconditionally
Establishing software root of trust unconditionally Gligor & Woo, NDSS'19 The authors won a best paper award for this work at NDSS this year. The main result is quite something, but as you might expect the lines of argument are detailed and not always easy to follow (and certainly not critically!) for non-experts like me. … Continue reading Establishing software root of trust unconditionally
The crux of voice (in)security: a brain study of speaker legitimacy detection
The crux of voice (in)security: a brain study of speaker legitimacy detection Neupane et al., NDSS'19 The key results of this paper are easy to understand, but the implications are going to take us a long time to unravel. Speech morphing (voice morphing) is the process of translating a speaker’s voice to sound like a … Continue reading The crux of voice (in)security: a brain study of speaker legitimacy detection
Calvin: fast distributed transactions for partitioned database systems
Calvin: fast distributed transactions for partitioned database systems Thomson et al., SIGMOD'12 Earlier this week we looked at Amazon’s Aurora. Today it’s the turn of Calvin, which is notably used by FaunaDB (strictly “_FaunaDB uses patent-pending technology inspired by Calvin...”). As the paper title suggests, the goal of Calvin is to put the ACID back … Continue reading Calvin: fast distributed transactions for partitioned database systems
Amazon Aurora: on avoiding distributed consensus for I/Os, commits, and membership changes
Amazon Aurora: on avoiding distributed consensus for I/Os, commits, and membership changes, Verbitski et al., SIGMOD’18 This is a follow-up to the paper we looked at earlier this week on the design of Amazon Aurora. I’m going to assume a level of background knowledge from that work and skip over the parts of this paper … Continue reading Amazon Aurora: on avoiding distributed consensus for I/Os, commits, and membership changes
Amazon Aurora: design considerations for high throughput cloud-native relational databases
Amazon Aurora: design considerations for high throughput cloud-native relational databases Verbitski et al., SIGMOD'17 Werner Vogels recently published a blog post describing Amazon Aurora as their fastest growing service ever. That post provides a high level overview of Aurora and then links to two SIGMOD papers for further details. Also of note is the recent … Continue reading Amazon Aurora: design considerations for high throughput cloud-native relational databases
the morning paper 