Antoon Purnal
@PurnalToon
Silicon Security at Google. PhD from COSIC (KU Leuven). @purnaltoon.bsky.social
Joined October 2016
I recently found an exploitable timing leak in the reference implementation of Kyber (ML-KEM), the soon-to-be NIST standard for post-quantum key encapsulation. Let's see if you can spot it in the source code - msg is secret:
There's a new kind of vibing I call "code vibing", where you fully give in to writing terrible code yourself, by hand, and have LLMs race to praise how much rizz it has
About 250 scientists from 31 countries have signed another open letter https://t.co/5SChCDci8Y criticizing the latest EU #chatcontrol draft https://t.co/gUMoBNXSdy. The letter confirms 2 earlier letters from July 2023 https://t.co/mYePVHOk02 and May 2024
Speaking of constant-time tools: how usable are they? Are they used by devs in the field? Takeaways: - Write. Better. Documentation. - Make secret-annotation low friction - Make output understandable - Consider integration in CI flows ["These results must be false", by @faulst]
Statistical tests are great to detect timing leaks in cryptographic implementations. But which statistical test to use in practice? How to trade off false positive and false negative errors? W/ experiments on real-world TLS libraries. [Great power=great leakage, by @MDunsche]
Division is not constant time. Still, div instruction found in HQC (Round 4 PQC KEM), for several compiler flags. Leak too small for end-to-end timing exploit, but co-located attackers can amplify w/ port contention. [Divide and Surrender, by R. L. Schröder]
Here's some quick maths: RSA+PKCS#1 v1.5 = Bleichenbacher "Isn't Bleichenbacher's attack >25y old?" Yup! Still, Kerberos on Windows vulnerable due to non-constant time unpadding. Message recovery w/ Flush+Reload attack. Noisy, but works! [Windows into the past, by M. Shagam]
Given a CPU model, how can we find its variable-time instructions? This paper: fuzzzzz 1) generate input programs & operands w/ fuzzer 2) simulate program w/ CPU model & extract edge graphs 3) where edge graphs differ: root cause of timing difference [WhisperFuzz, by P. Borkar]
CPUs contain bugs. Let's fuzz them! Observation: input programs of existing CPU fuzzers mostly terminate rapidly. Cascade finds programs that are complex (to cover interesting cases) and valid (so they are long). CPU fails to execute = bug found! [Cascade, by @FlavienSolt]
Dating apps encourage users to share info (incl. sensitive info!) for matching quality. Unfortunately, apps may also leak information which users are not aware they are sharing. Some apps even leak exact locations of users. [Swipe Left for identity theft, @VictorLePochat]
Final day of @USENIXSecurity, final day of low-fidelity compression of years of work into 280 characters! #usesec24
LLM services like ChatGPT update replies token by token. Packets are not padded - so packet lengths reveal token lengths. How to go from token lengths to leaking the exact replies? There's a good tool for that: LLMs! [What was your prompt, by Y. Mirsky] #usesec24
How low can you go? We've seen side channels using (several!) CPU caches. Also using DRAM memory. How about... HDD/SSD? Observation: fsync takes longer if other processes use fsync. W/ PoC attacks on sqlite, website fingerprinting, keystroke timing. [Sync+Sync] #usesec24
If it - looks like a TEE - behaves like a TEE - smells like a TEE ... can it be attacked like a TEE? Put on your attacker hat & learn how TI's MSP430 "IP Encapsulation" feature is vulnerable to TEE attacks (+new ones!) [IP Exposure, by @martonbognar] #usesec24
The indirect branch predictor (IBP) is an important uarch component (Spectre v2!) This paper reverse engineers all IBP internals: - understand existing attacks & improve precision - reveal how Intel's defenses are exactly implemented [Indirector, by L. Yi] #usesec24
With Dynamic Inter-app Component Sharing, Android apps can load code of *other apps* into their address space. So with cache attacks, apps can spy on other apps' control flow. Case study: spy on navigation app and infer the route taken! [Peep with a mirror, by D. Gao]
$NVDA in 2024: flush with cash. Also $NVDA in 2024: flush with cache. And the security community is investing! This work reverse engineers the interaction of NVDA GPUs w/ the cache hierarchy, and presents timer-free cache attacks. [Invalidate+Compare, by Z. Zhang] #usesec24
At times, @USENIXSecurity feels like the Olympics. Top talent. Opening ceremony. Many countries. Multiple tracks. Disciplines. Awards. Sponsors. Missing: Opinionated online coverage. Solution: Some more live-tweeting. Let's go! #usesec24
Rowhammer (RH) exploits typically target PTEs or sudo, motivating spot defenses for these targets. Q: is RH more generally useful? A: yup! For specific victim code gadgets (~200 in Linux kernel). PoC dumps kernel memory at 83 bps. [Go go gadget hammer, by Y. Tobah] #usesec24
Does Rowhammer work on AMD? "Does the CPU matter for a DRAM issue?" Yup: tailoring needed for DRAM mappings, cache bypass, synchronization & high activation rates. "Does it work?" What do you think? [Zen and the art of DRAM butchering - sorry, ZenHammer - by @pjattke]