We conduct extensive experiments and benchmark the learning model with state-of-the-art static and dynamic clone search approaches.
We show that the learned representation is more robust and significantly outperforms existing methods against changes introduced by obfuscation and optimizations.
In this paper, we reverse engineer the structure of the directory in a sliced, non-inclusive cache hierarchy, and prove that the directory can be used to bootstrap conflict-based cache attacks on the last-level cache.
We design the first cross-core Prime+Probe attack on non-inclusive caches.
We show how to learn good password similarity models using a compilation of 1.4 billion leaked email, password pairs.
Using our trained models of password similarity, we exhibit the most damaging targeted attack to date.
This attack works with minimal assumptions: the adversary does not need to share any virtual memory with the victim, nor run on the same processor core.
We also show the first high-bandwidth Evict+Reload attack on the same hardware.
We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI.
Although financial applications are high-stakes environments, this work is the first to formally analyze and, importantly, verify an Open Banking security profile.
It only needs assembly code as input and does not require any prior knowledge such as the correct mapping between assembly functions.
It can find and incorporate rich semantic relationships among tokens appearing in assembly code.
In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on an existing comprehensive model of the web infrastructure - the Web Infrastructure Model (WIM) proposed by Fett, Küsters, and Schmitz.
To this end, we first develop a precise model of the FAPI in the WIM, including different profiles for read-only and read-write access, different flows, different types of clients, and different combinations of security features, capturing the complex interactions in a web-based environment.
We then use our model of the FAPI to precisely define central security properties.
In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties.