Incorporate new research that's been published since I stopped working on this

[defuse]

Here's a list of titles I found on Google Scholar which may be relevant. Basically, I searched for Flush+Reload and clicked a bunch of stuff, then found the PaaS paper and found everything that cited it. Read all of these papers' abstracts and decide which ones deserve a closer look and which ones should be read in entirety.

(filtered into categories below)

[defuse]

[moved]

[defuse]

When going through these, keep #8 in mind to make sure we come up with a definition that captures all F+R attacks.

[defuse]

I should also look at the proceedings list for upcoming conferences, e.g. Oakland '16 since that stuff probably isn't in Google Scholar yet.

[defuse]

Upcoming in IEEE S&P '16:

• Cache Storage Channels: Alias-Driven Attacks and Verified Countermeasures
• Inferring User Routes and Locations using Zero-Permission Mobile Sensors
• No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis
• Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector

[defuse]

I just read the abstract and conclusion to "Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches" and I think it might blow our work completely out of the water.

[defuse]

Cache template attacks is cool, but what we're doing is different in important ways.

[defuse]

I still need to read the abstract of all of these. -.-

[defuse]

Definitely Read 100% and Cite:

• The Spy in the Sandbox -- Practical Cache Attacks in Javascript
• Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches
• Cross-Tenant Side-Channel Attacks in PaaS Clouds
• ARMageddon: Last-Level Cache Attacks on Mobile Devices

Closer Look (and cite unless the closer look determines it doesn't need to be):

• Practical Memory Deduplication Attacks in Sandboxed Javascript ("... but also specific user activities, for instance, whether the user has specific websites currently opened.")
• Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems
• Know Thy Neighbor: Crypto Library Detection in Cloud (might demonstrate version-of-software leaking which leads to better targetted exploits).
• CATalyst: Defeating Last-Level Cache Side Channel Attacks in Cloud Computing
• On Subnormal Floating Point and Abnormal Timing -- find out what their example attacks are.
• Evolution of Attacks, Threat Models, and Solutions for Virtualized Systems -- might be a better thing to cite for defense survey.

Defense:

Not Relevant Enough, Don't Cite:

• Process for the separation of water from ethanol
• Rigorous Analysis of Software Countermeasures against Cache Attacks
• CacheAudit: A Tool for the Static Analysis of Cache Side Channels
• Lucky 13 Strikes Back
• A Placement Vulnerability Study in Multi-Tenant Public Clouds
• A Faster and More Realistic Flush+Reload Attack on AES
• PandA: Pairings and Arithmetic
• ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks -- Rowhammer uses the same CPU instructions as Flush+Reload which is why this might be relevant.
• Intel SGX Explained
• Sparse representation of implicit flows with applications to side-channel detection
• DROWN: Breaking TLS using SSLv2
• A Measurement Study on Co-residence Threat inside the Cloud
• How to Break XML Encryption – Automatically
• The Cloud Needs a Reputation System
• Cache Side-Channel Attack to Recover Plaintext against Datagram TLS
• Towards a Comprehensive Model of Isolation for Mitigating Illicit Channels
• Amplifying Side Channels Through Performance Degradation
• Thermal Covert Channels on Multi-core Platforms
• A Dependable Coarse-Grain Reconfigurable Multicore Array
• Reverse Engineering Intel DRAM Addressing and Exploitation

Attacks, but we're explicitly not trying to cite all Flush+Reload attacks:

• Wait a Minute! A fast, Cross-VM Attack on AES
• Exploring Instruction Cache Analysis
• Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud
• On the Applicability of a Cache Side-Channel Attack on ECDSA Signatures: The Flush+Reload attack on the point multiplication in ECDSA signature generation process
• CacheBleed: A Timing Attack on OpenSSL Constant Time RSA

Explicitly not citing all defense mechanisms:

• Scheduler-based Defenses against Cross-VM Side-channels
• Düppel: retrofitting commodity operating systems to mitigate cache side channels in the cloud
• Thwarting Cache Side-Channel Attacks Through Dynamic Software Diversity
• Robust and Efficient Elimination of Cache and Timing Side Channels
• HexPADS: a platform to detect "stealth" attacks
• Disruptive prefetching: impact on side-channel attacks and cache designs
• Can randomized mapping secure instruction caches from side-channel attacks?
• Mitigating Multi-Tenancy Risks in IaaS Cloud Through Constraints-Driven Virtual Resource Scheduling
• Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration
• Random Fill Cache Architecture
• Real time detection of cache-based side channels using Hardware Performance Counters
• A software approach to defeating side channels in last-level caches

Stuff I'm interested in reading but not required now:

• Request and Conquer: Exposing Cross-Origin Resource Size
• S$A: A Shared Cache Attack That Works across Cores and Defies VM Sandboxing -- and Its Application to AES
• Reverse Engineering Intel Last-Level Cache Complex Addressing Using Performance Counters
• Systematic Reverse Engineering of Cache Slice Selection in Intel Processors
• Understanding contention-based channels and using them for defense
• Flush+Flush: A Stealthier Last-Level Cache Attack
• Last-Level Cache Side-Channel Attacks are Practical
• Flush, Gauss, and Reload -- A Cache Attack on the BLISS Lattice-Based Signature Scheme
• Preventing Your Faults From Telling Your Secrets: Defenses Against Pigeonhole Attacks
• Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
• Jackpot Stealing Information From Large Caches via Huge Pages
• A High-Resolution Side-Channel Attack on Last-Level Cache
• A New Prime and Probe Cache Side-Channel Attack for Cloud Computing
• Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector -- WOAH!

Everything else:

• CAIN: Silently Breaking ASLR in the Cloud

[defuse]

Ok, there's tickets for each of the individual tasks I have to do (or decide not to do), so closing this.