# Finding the next-side channel attack: Topics

## Organizational

- Sponsor bug bounties (+2)
- Industry Academic program – engage NSF, IARPA, DOD – Lead consortium.
- Partner with industry
- Rewards for finding vulnerabilities

## Research

- Formal methods — use them to assert/prove safety/security properties (See Azer’s example about how this could be useful — many other examples/opportunities exist) (+7)
- RISC-V Extensions (speculation/OOB research) (+4)
- Sponsoring academic research (+3)
- Register Tagging (+2)
- TLB timing analysis (+2)
- Reverse engineer existing designs (+1)
- Architecture extensions (+1)
- Feedback loop: Machine description, simulation, inspection (JTAG), verification (+1)
- Modeling existing varch designs (cycle accurate analysis) (+1)
- Modeling interconnects, cores, and other gunk
- Review existing research papers
- Transmeta was right
- Predictor analysis
- Describing Implementation Behaviors

## Testing

- Fuzzing (+2)
- Fuzzers that search for nondeterministic behavior due to speculation (+2)
- Randomisation (+1)
- Writing scanners and code coverage tooling (+1)
- Examining Time (Instruction latency, etc.) (+1)
- Unit tests for non-deterministic processor features (+1)
- Tracing Extensions (+1)
- Create software/hardware testbed with contests to penetrate

## Hardware

- Detecting exploits (+3)
- Given a known workload like a VM, use CPU virt extensions to introspect the VM and stop activities that veer away from the known workload (+2)
- Open hardware (+1)
- Require Publication — vendors think security by obscurity is OK (+1)
- Build open hardware/software/FPGA — Node, OS, Cloud (+1)
- Measuring mitigations
- Accelerated simulators
- Covert channels are great to estimate the capacity of a side channel; minimizing covert channel throughput can therefore help to minimize how much goes through a side channel. This can influence the practicality of side channels.
- Try to make optimizations adaptive and scalable, so that we can adapt and scale with respect to an ever improving adversary
- Make the interference between different processes more inert… add inertia to the cache way assignments, etc.

## Userspace

- Talking with app developers about their assumptions (memory ordering, etc.) (+3)
- Educate more on the topics/technologies/exploits. the more people who know what to look for will help identify issues (+3)
- Const-time software randomization techniques like ASLR (+1)
- Strong Typing – develop languages that allow decorations for code
- Identify specific application domains and let those applications dictate the hardware/security research.