Computer Science/Engineering
Permanent URI for this section: https://epub.uni-luebeck.de/handle/zhb_hl/4
Listing Computer Science/Engineering by institute/clinic "Institut für IT-Sicherheit"
Now showing 1 - 4 of 4
Item Advances in algorithmic side-channel countermeasures for modern cryptography (2022) Seker, Okan

Item Security analysis of confidential VMs on modern server architectures (2025-06-24) Wilke, Luca

Cloud computing has transformed data management and IT practices for organizations and individuals alike, offering unmatched scalability, flexibility, and cost-efficiency. However, it comes with privacy concerns, as the cloud service provider can access all processed data. Trusted Execution Environments (TEEs) are one potential solution, offering a new form of isolation that even locks out the infrastructure operator. Attacks from any software component outside the TEE are thwarted by novel access restrictions, while physical attacks are prevented by memory encryption. Even the operating system or hypervisor cannot overcome these restrictions. With Intel SGX, Intel TDX, and AMD SEV-SNP, both major x86 CPU vendors offer TEEs on their server CPUs. This thesis scrutinizes the extent to which the current TEE generation delivers on its security promises.

We start this thesis by describing the isolation mechanisms implemented by SGX, TDX, and SEV-SNP. Building on these insights, we demonstrate that the trend to use deterministic memory encryption without integrity or freshness has several shortcomings. We show that monitoring deterministic ciphertexts for changes allows leaking information about the plaintext, which we exploit on SEV-SNP. SGX and TDX prevent straightforward exploitation by restricting software attackers from reading and writing the ciphertext, while SEV-SNP only restricts writing. Next, we challenge the security of such access restrictions by showing that an attacker with brief physical access to the memory modules can create aliases in the address space that bypass these safeguards. We exploit this on SEV-SNP to re-enable write access for software attackers, culminating in a devastating attack that forges attestation reports, undermining all trust in SEV-SNP. On SGX and TDX, such attacks are mitigated by a dedicated alias check at boot time.

Finally, we examine the security of VM-based TEEs against single-stepping attacks, which allow instruction-granular tracing and have led to numerous high-stakes attacks on SGX. We show that SEV-SNP is also vulnerable to single-stepping and provide a software framework enabling easy access to single-stepping on SEV for future research. Next, we analyze the single-stepping security of Intel TDX, which comes with a built-in mitigation comprising a detection heuristic and a prevention mode. We uncover a flaw in the heuristic that stops the activation of the prevention mode, thereby re-enabling single-stepping on TDX. Furthermore, we unveil an inherent flaw in the prevention mode that leaks fine-grained information about the control flow.

Item Security and confidentiality on shared computational resources (2026-06) Bruhns, Ida Dorothee

The distinction between local and remote computing is increasingly blurred as modern computation relies extensively on the use of shared resources. Pervasive sharing of computational resources is evident in many use cases such as cloud computing, where computational tasks are outsourced to remote servers. Additionally, rented servers, Virtual Private Networks (VPNs), and even web browsers often rely on shared hardware infrastructure. While the benefits of shared computing resources, such as scalability and cost-effectiveness, are well-documented, this trend also introduces novel security risks. The reliance on shared hardware infrastructure creates opportunities for unauthorized access, data breaches, and other malicious activities. One very prominent example of sharing both hardware and data is machine learning applications. The use of machine learning applications is rapidly increasing in almost every part of our lives, which includes granting them access to highly sensitive information like health or credit data.

At the same time, the models that are used grow larger and larger, necessitating substantial computational resources. This surge in resource consumption has led to a rise in outsourcing both training and inference processes, resulting in the processing of sensitive data on untrusted machines. In this thesis, we examine how to protect data in distributed machine learning systems. In particular, we look at outsourced computations on a machine with a Trusted Execution Environment (TEE) and a fast processing unit, such as a Graphics Processing Unit (GPU). I examined the SLALOM protocol, a seminal work in privacy-preserving inference. In this thesis I present a new method, CARNIVAL, to significantly speed up the preprocessing phase. CARNIVAL leverages the pseudo-randomness of the subset-sum problem to enable efficient outsourcing during the preprocessing phase. The findings from the performance benchmarks demonstrate that CARNIVAL is a promising candidate for real-world implementations. A second possibility to continue working with the SLALOM framework, DASH, is introduced briefly. It builds on arithmetic Garbled Circuits (GCs) in combination with a TEE.

Item Software defenses against CPU side-channels (2024) Wichelmann, Jan
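The Wilke abstract above states that an attacker who can read the ciphertext of deterministic, address-tweaked memory encryption (the SEV-SNP situation, where only writes are blocked) learns about the plaintext merely by watching for changes. The following simulation, added here as an illustration and not code from the thesis or from any vendor, models that property: one fixed-address block is written by a victim and snapshotted by the attacker after each write. The "cipher" is a keyed hash standing in for AES-XEX-style tweaked encryption, the guest-physical address, the secret byte values, and the calibration phase in which the attacker observes the block while its value is known are all constructed assumptions. The same run with a per-write nonce shows why freshness closes the channel.

```python
"""Simulation of the ciphertext side channel on deterministic memory encryption.

Model: each 16-byte block is encrypted under a fixed VM key, tweaked with its
physical address, with no nonce and no freshness.  A software attacker (think of
the hypervisor on SEV-SNP) can read but not write the ciphertext.  Identical
plaintext at the same address therefore yields identical ciphertext, so watching
one block over time reveals (a) when its content changes, (b) which writes stored
equal values, and (c) the values themselves once a ciphertext->plaintext
dictionary for that address exists.  Added example; not the thesis's code.
"""
import hashlib
import os
from collections import defaultdict

BLOCK = 16
KEY = os.urandom(32)  # VM encryption key; never visible to the attacker


def det_encrypt(key: bytes, addr: int, pt: bytes) -> bytes:
    """Stand-in for address-tweaked deterministic block encryption: a keyed hash
    of (key, address, plaintext).  Not a real cipher (it is one-way); only the
    determinism property matters for this simulation."""
    assert len(pt) == BLOCK
    return hashlib.sha256(key + addr.to_bytes(8, "little") + pt).digest()[:BLOCK]


def fresh_encrypt(key: bytes, addr: int, pt: bytes) -> bytes:
    """Same model with a random per-write nonce mixed in: what 'freshness' buys."""
    assert len(pt) == BLOCK
    nonce = os.urandom(BLOCK)
    digest = hashlib.sha256(key + addr.to_bytes(8, "little") + nonce + pt).digest()
    return nonce + digest[:BLOCK]


def victim_writes(values, addr, encrypt):
    """Victim stores each 1-byte value (zero-padded to a block) at a fixed address;
    the attacker snapshots the ciphertext after every write."""
    return [encrypt(KEY, addr, bytes([v]) + b"\x00" * (BLOCK - 1)) for v in values]


def equality_classes(trace):
    """Attacker step 1: group write indices with identical ciphertext.  Needs no
    dictionary at all; already leaks plaintext equality over time."""
    groups = defaultdict(list)
    for i, ct in enumerate(trace):
        groups[ct].append(i)
    return sorted(groups.values())


def build_dictionary(addr, encrypt, domain=range(256)):
    """Attacker step 2 (constructed calibration phase): while the victim's value is
    known, e.g. because it cycles through every byte, record ciphertext -> value.
    Small plaintext domains at fixed addresses are exactly the easy case."""
    cts = victim_writes(domain, addr, encrypt)
    return {ct: v for ct, v in zip(cts, domain)}


def dictionary_attack(trace, dictionary):
    """Attacker step 3: 'decrypt' by lookup.  None = ciphertext never seen before."""
    return [dictionary.get(ct) for ct in trace]


def demo(encrypt):
    addr = 0x7F00_0000_1000  # assumed guest-physical block address
    secret = [7, 42, 7, 255]  # constructed secret writes by the victim
    trace = victim_writes(secret, addr, encrypt)
    classes = equality_classes(trace)
    recovered = dictionary_attack(trace, build_dictionary(addr, encrypt))
    return classes, recovered


if __name__ == "__main__":
    # deterministic: ([[0, 2], [1], [3]], [7, 42, 7, 255])
    print("deterministic:", demo(det_encrypt))
    # with freshness: ([[0], [1], [2], [3]], [None, None, None, None])
    print("with freshness:", demo(fresh_encrypt))
```

The dictionary step is the part that depends on the attacker being able to observe the block at a moment when its plaintext is predictable; the equality-class step needs nothing beyond read access to ciphertext, which is why restricting reads (as SGX and TDX do) removes the straightforward attack while SEV-SNP's write-only restriction does not.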