-
What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications
Authors:
Sebastian Neef,
Lorenz Kleissner,
Jean-Pierre Seifert
Abstract:
Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications, greatly disregarding other targets, such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-g…
▽ More
Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications, greatly disregarding other targets, such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-guided fuzzing to PHP web applications and introduce PHUZZ, a modular fuzzing framework for PHP web applications. PHUZZ uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work, including SQL injections, remote command injections, insecure deserialization, path traversal, external entity injection, cross-site scripting, and open redirection. We evaluate PHUZZ on a diverse set of artificial and real-world web applications with known and unknown vulnerabilities, and compare it against a variety of state-of-the-art fuzzers. In order to show PHUZZ' effectiveness, we fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs. Finally, we make the framework publicly available to motivate and encourage further research on web application fuzz testing.
△ Less
Submitted 10 June, 2024;
originally announced June 2024.
-
Cold molecular ions via autoionization below the dissociation limit
Authors:
Sascha Schaller,
Johannes Seifert,
Giacomo Valtolina,
André Fielicke,
Boris G. Sartakov,
Gerard Meijer
Abstract:
Several diatomic transition metal oxides, rare-earth metal oxides and fluorides have the unusual property that their bond dissociation energy is larger than their ionization energy. In these molecules, bound levels above the ionization energy can be populated via strong, resonant transitions from the ground state. The only relevant decay channel of these levels is autoionization; predissociation i…
▽ More
Several diatomic transition metal oxides, rare-earth metal oxides and fluorides have the unusual property that their bond dissociation energy is larger than their ionization energy. In these molecules, bound levels above the ionization energy can be populated via strong, resonant transitions from the ground state. The only relevant decay channel of these levels is autoionization; predissociation is energetically not possible and radiative decay is many orders of magnitude slower. Starting from translationally cold neutral molecules, translationally cold molecular ions can thus be produced with very high efficiency. By populating bound levels just above the ionization energy, internally cold molecular ions, exclusively occupying the lowest rotational level, are produced. This is experimentally shown here for the dysprosium monoxide molecule, DyO, for which the lowest bond dissociation energy is determined to be 0.0831(6) eV above the ionization energy.
△ Less
Submitted 5 June, 2024;
originally announced June 2024.
-
Whispering Pixels: Exploiting Uninitialized Register Accesses in Modern GPUs
Authors:
Frederik Dermot Pustelnik,
Xhani Marvin Saß,
Jean-Pierre Seifert
Abstract:
Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is inference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of…
▽ More
Graphic Processing Units (GPUs) have transcended their traditional use-case of rendering graphics and nowadays also serve as a powerful platform for accelerating ubiquitous, non-graphical rendering tasks. One prominent task is inference of neural networks, which process vast amounts of personal data, such as audio, text or images. Thus, GPUs became integral components for handling vast amounts of potentially confidential data, which has awakened the interest of security researchers. This lead to the discovery of various vulnerabilities in GPUs in recent years. In this paper, we uncover yet another vulnerability class in GPUs: We found that some GPU implementations lack proper register initialization routines before shader execution, leading to unintended register content leakage of previously executed shader kernels. We showcase the existence of the aforementioned vulnerability on products of 3 major vendors - Apple, NVIDIA and Qualcomm. The vulnerability poses unique challenges to an adversary due to opaque scheduling and register remap** algorithms present in the GPU firmware, complicating the reconstruction of leaked data. In order to illustrate the real-world impact of this flaw, we showcase how these challenges can be solved for attacking various workloads on the GPU. First, we showcase how uninitialized registers leak arbitrary pixel data processed by fragment shaders. We further implement information leakage attacks on intermediate data of Convolutional Neural Networks (CNNs) and present the attack's capability to leak and reconstruct the output of Large Language Models (LLMs).
△ Less
Submitted 16 January, 2024;
originally announced January 2024.
-
Wavelength-multiplexed Multi-mode EUV Reflection Ptychography based on Automatic-Differentiation
Authors:
Yifeng Shao,
Sven Weerdenburg,
Jacob Seifert,
H. Paul Urbach,
Allard P. Mosk,
Wim Coene
Abstract:
Ptychographic extreme ultraviolet (EUV) diffractive imaging has emerged as a promising candidate for the next-generation metrology solutions in the semiconductor industry, as it can image wafer samples in reflection geometry at the nanoscale. This technique has surged attention recently, owing to the significant progress in high-harmonic generation (HHG) EUV sources and advancements in both hardwa…
▽ More
Ptychographic extreme ultraviolet (EUV) diffractive imaging has emerged as a promising candidate for the next-generation metrology solutions in the semiconductor industry, as it can image wafer samples in reflection geometry at the nanoscale. This technique has surged attention recently, owing to the significant progress in high-harmonic generation (HHG) EUV sources and advancements in both hardware and software for computation.
In this study, a novel algorithm is introduced and tested, which enables wavelength-multiplexed reconstruction that enhances the measurement throughput and introduces data diversity, allowing the accurate characterisation of sample structures. To tackle the inherent instabilities of the HHG source, a modal approach was adopted, which represents the cross-density function of the illumination by a series of mutually incoherent and independent spatial modes.
The proposed algorithm was implemented on a mainstream machine learning platform, which leverages automatic differentiation to manage the drastic growth in model complexity and expedites the computation using GPU acceleration. By optimising over 200 million parameters, we demonstrate the algorithm's capacity to accommodate experimental uncertainties and achieve a resolution approaching the diffraction limit in reflection geometry. The reconstruction of wafer samples with 20-nm heigh patterned gold structures on a silicon substrate highlights our ability to handle complex physical interrelations involving a multitude of parameters. These results establish ptychography as an efficient and accurate metrology tool.
△ Less
Submitted 24 November, 2023;
originally announced November 2023.
-
Noise-robust latent vector reconstruction in ptychography using deep generative models
Authors:
Jacob Seifert,
Yifeng Shao,
Allard P. Mosk
Abstract:
Computational imaging is increasingly vital for a broad spectrum of applications, ranging from biological to material sciences. This includes applications where the object is known and sufficiently sparse, allowing it to be described with a reduced number of parameters. When no explicit parameterization is available, a deep generative model can be trained to represent an object in a low-dimensiona…
▽ More
Computational imaging is increasingly vital for a broad spectrum of applications, ranging from biological to material sciences. This includes applications where the object is known and sufficiently sparse, allowing it to be described with a reduced number of parameters. When no explicit parameterization is available, a deep generative model can be trained to represent an object in a low-dimensional latent space. In this paper, we harness this dimensionality reduction capability of autoencoders to search for the object solution within the latent space rather than the object space. We demonstrate a novel approach to ptychographic image reconstruction by integrating a deep generative model obtained from a pre-trained autoencoder within an Automatic Differentiation Ptychography (ADP) framework. This approach enables the retrieval of objects from highly ill-posed diffraction patterns, offering an effective method for noise-robust latent vector reconstruction in ptychography. Moreover, the map** into a low-dimensional latent space allows us to visualize the optimization landscape, which provides insight into the convexity and convergence behavior of the inverse problem. With this work, we aim to facilitate new applications for sparse computational imaging such as when low radiation doses or rapid reconstructions are essential.
△ Less
Submitted 14 January, 2024; v1 submitted 18 October, 2023;
originally announced November 2023.
-
Modulation to the Rescue: Identifying Sub-Circuitry in the Transistor Morass for Targeted Analysis
Authors:
Xhani Marvin Saß,
Thilo Krachenfels,
Frederik Dermot Pustelnik,
Jean-Pierre Seifert,
Christian Große,
Frank Altmann
Abstract:
Physical attacks form one of the most severe threats against secure computing platforms. Their criticality arises from their corresponding threat model: By, e.g., passively measuring an integrated circuit's (IC's) environment during a security-related operation, internal secrets may be disclosed. Furthermore, by actively disturbing the physical runtime environment of an IC, an adversary can cause…
▽ More
Physical attacks form one of the most severe threats against secure computing platforms. Their criticality arises from their corresponding threat model: By, e.g., passively measuring an integrated circuit's (IC's) environment during a security-related operation, internal secrets may be disclosed. Furthermore, by actively disturbing the physical runtime environment of an IC, an adversary can cause a specific, exploitable misbehavior. The set of physical attacks consists of techniques that apply either globally or locally. When compared to global techniques, local techniques exhibit a much higher precision, hence having the potential to be used in advanced attack scenarios. However, using physical techniques with additional spatial dependency expands the parameter search space exponentially. In this work, we present and compare two techniques, namely laser logic state imaging (LLSI) and lock-in thermography (LIT), that can be used to discover sub-circuitry of an entirely unknown IC based on optical and thermal principles. We show that the time required to identify specific regions can be drastically reduced, thus lowering the complexity of physical attacks requiring positional information. Our case study on an Intel H610 Platform Controller Hub showcases that, depending on the targeted voltage rail, our technique reduces the search space by around 90 to 98 percent.
△ Less
Submitted 18 September, 2023;
originally announced September 2023.
-
Maximum-likelihood estimation in ptychography in the presence of Poisson-Gaussian noise statistics
Authors:
Jacob Seifert,
Yifeng Shao,
Rens van Dam,
Dorian Bouchet,
Tristan van Leeuwen,
Allard P. Mosk
Abstract:
Optical measurements often exhibit mixed Poisson-Gaussian noise statistics, which hampers image quality, particularly under low signal-to-noise ratio (SNR) conditions. Computational imaging falls short in such situations when solely Poissonian noise statistics are assumed. In response to this challenge, we define a loss function that explicitly incorporates this mixed noise nature. By using maximu…
▽ More
Optical measurements often exhibit mixed Poisson-Gaussian noise statistics, which hampers image quality, particularly under low signal-to-noise ratio (SNR) conditions. Computational imaging falls short in such situations when solely Poissonian noise statistics are assumed. In response to this challenge, we define a loss function that explicitly incorporates this mixed noise nature. By using maximum-likelihood estimation, we devise a practical method to account for camera readout noise in gradient-based ptychography optimization. Our results, based on both experimental and numerical data, demonstrate that this approach outperforms the conventional one, enabling enhanced image reconstruction quality under challenging noise conditions through a straightforward methodological adjustment.
△ Less
Submitted 11 October, 2023; v1 submitted 3 August, 2023;
originally announced August 2023.
-
Nanoscale rheology: Dynamic Mechanical Analysis over a broad and continuous frequency range using Photothermal Actuation Atomic Force Microscopy
Authors:
Alba R. Piacenti,
Casey Adam,
Nicholas Hawkins,
Ryan Wagner,
Jacob Seifert,
Yukinori Taniguchi,
Roger Proksch,
Sonia Contera
Abstract:
Polymeric materials are widely used in industries ranging from automotive to biomedical. Their mechanical properties play a crucial role in their application and function and arise from the nanoscale structures and interactions of their constitutive polymer molecules. Polymeric materials behave viscoelastically, i.e. their mechanical responses depend on the time scale of the measurements; quantify…
▽ More
Polymeric materials are widely used in industries ranging from automotive to biomedical. Their mechanical properties play a crucial role in their application and function and arise from the nanoscale structures and interactions of their constitutive polymer molecules. Polymeric materials behave viscoelastically, i.e. their mechanical responses depend on the time scale of the measurements; quantifying these time-dependent rheological properties at the nanoscale is relevant to develop, for example, accurate models and simulations of those materials, which are needed for advanced industrial applications. In this paper, an atomic force microscopy (AFM) method based on the photothermal actuation of an AFM cantilever is developed to quantify the nanoscale loss tangent, storage modulus, and loss modulus of polymeric materials. The method is then validated on a styrene-butadiene rubber (SBR), demonstrating the method's ability to quantify nanoscale viscoelasticity over a continuous frequency range up to five orders of magnitude (0.2 Hz to 20,200 Hz). Furthermore, this method is combined with AFM viscoelastic map** obtained with amplitude-modulation frequency-modulation (AM-FM) AFM, enabling the extension of viscoelastic quantification over an even broader frequency range, and demonstrating that the novel technique synergizes with preexisting AFM techniques for quantitative measurement of viscoelastic properties. The method presented here introduces a way to characterize the viscoelasticity of polymeric materials, and soft matter in general at the nanoscale, for any application.
△ Less
Submitted 31 July, 2023;
originally announced July 2023.
-
faulTPM: Exposing AMD fTPMs' Deepest Secrets
Authors:
Hans Niklas Jacob,
Christian Werling,
Robert Buhren,
Jean-Pierre Seifert
Abstract:
Trusted Platform Modules constitute an integral building block of modern security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are subject to an ever-increasing academic challenge. While discrete TPMs - as found in higher-end systems - have been susceptible to attacks on their exposed communication interface, more common firmware TPMs (fTPMs) are immune to this attack vector as…
▽ More
Trusted Platform Modules constitute an integral building block of modern security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are subject to an ever-increasing academic challenge. While discrete TPMs - as found in higher-end systems - have been susceptible to attacks on their exposed communication interface, more common firmware TPMs (fTPMs) are immune to this attack vector as they do not communicate with the CPU via an exposed bus. In this paper, we analyze a new class of attacks against fTPMs: Attacking their Trusted Execution Environment can lead to a full TPM state compromise. We experimentally verify this attack by compromising the AMD Secure Processor, which constitutes the TEE for AMD's fTPMs. In contrast to previous dTPM sniffing attacks, this vulnerability exposes the complete internal TPM state of the fTPM. It allows us to extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms such as Platform Configuration Register validation or passphrases with anti-hammering protection. First, we demonstrate the impact of our findings by - to the best of our knowledge - enabling the first attack against Full Disk Encryption solutions backed by an fTPM. Furthermore, we lay out how any application relying solely on the security properties of the TPM - like Bitlocker's TPM- only protector - can be defeated by an attacker with 2-3 hours of physical access to the target device. Lastly, we analyze the impact of our attack on FDE solutions protected by a TPM and PIN strategy. While a naive implementation also leaves the disk completely unprotected, we find that BitLocker's FDE implementation withholds some protection depending on the complexity of the used PIN. Our results show that when an fTPM's internal state is compromised, a TPM and PIN strategy for FDE is less secure than TPM-less protection with a reasonable passphrase.
△ Less
Submitted 2 May, 2023; v1 submitted 28 April, 2023;
originally announced April 2023.
-
Good Gottesman-Kitaev-Preskill codes from the NTRU cryptosystem
Authors:
Jonathan Conrad,
Jens Eisert,
Jean-Pierre Seifert
Abstract:
We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling $Δ\propto \sqrt{n}$ with high probability, where $n$ is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenati…
▽ More
We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling $Δ\propto \sqrt{n}$ with high probability, where $n$ is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenating single mode GKP codes into a qubit-quantum error correcting code with linear distance. The derived class of NTRU-GKP codes has the additional property that decoding for a stochastic displacement noise model is equivalent to decrypting the NTRU cryptosystem, such that every random instance of the code naturally comes with an efficient decoder. This construction highlights how the GKP code bridges aspects of classical error correction, quantum error correction as well as post-quantum cryptography. We underscore this connection by discussing the computational hardness of decoding GKP codes and propose, as a new application, a simple public key quantum communication protocol with security inherited from the NTRU cryptosystem.
△ Less
Submitted 1 July, 2024; v1 submitted 4 March, 2023;
originally announced March 2023.
-
An in-principle super-polynomial quantum advantage for approximating combinatorial optimization problems via computational learning theory
Authors:
Niklas Pirnay,
Vincent Ulitzsch,
Frederik Wilde,
Jens Eisert,
Jean-Pierre Seifert
Abstract:
Combinatorial optimization - a field of research addressing problems that feature strongly in a wealth of scientific and industrial contexts - has been identified as one of the core potential fields of applicability of quantum computers. It is still unclear, however, to what extent quantum algorithms can actually outperform classical algorithms for this type of problems. In this work, by resorting…
▽ More
Combinatorial optimization - a field of research addressing problems that feature strongly in a wealth of scientific and industrial contexts - has been identified as one of the core potential fields of applicability of quantum computers. It is still unclear, however, to what extent quantum algorithms can actually outperform classical algorithms for this type of problems. In this work, by resorting to computational learning theory and cryptographic notions, we prove that quantum computers feature an in-principle super-polynomial advantage over classical computers in approximating solutions to combinatorial optimization problems. Specifically, building on seminal work by Kearns and Valiant and introducing a new reduction, we identify special types of problems that are hard for classical computers to approximate up to polynomial factors. At the same time, we give a quantum algorithm that can efficiently approximate the optimal solution within a polynomial factor. The core of the quantum advantage discovered in this work is ultimately borrowed from Shor's quantum algorithm for factoring. Concretely, we prove a super-polynomial advantage for approximating special instances of the so-called integer programming problem. In doing so, we provide an explicit end-to-end construction for advantage bearing instances. This result shows that quantum devices have, in principle, the power to approximate combinatorial optimization solutions beyond the reach of classical efficient algorithms. Our results also give clear guidance on how to construct such advantage-bearing problem instances.
△ Less
Submitted 13 February, 2024; v1 submitted 16 December, 2022;
originally announced December 2022.
-
A super-polynomial quantum-classical separation for density modelling
Authors:
Niklas Pirnay,
Ryan Sweke,
Jens Eisert,
Jean-Pierre Seifert
Abstract:
Density modelling is the task of learning an unknown probability density function from samples, and is one of the central problems of unsupervised machine learning. In this work, we show that there exists a density modelling problem for which fault-tolerant quantum computers can offer a super-polynomial advantage over classical learning algorithms, given standard cryptographic assumptions. Along t…
▽ More
Density modelling is the task of learning an unknown probability density function from samples, and is one of the central problems of unsupervised machine learning. In this work, we show that there exists a density modelling problem for which fault-tolerant quantum computers can offer a super-polynomial advantage over classical learning algorithms, given standard cryptographic assumptions. Along the way, we provide a variety of additional results and insights, of potential interest for proving future distribution learning separations between quantum and classical learning algorithms. Specifically, we (a) provide an overview of the relationships between hardness results in supervised learning and distribution learning, and (b) show that any weak pseudo-random function can be used to construct a classically hard density modelling problem. The latter result opens up the possibility of proving quantum-classical separations for density modelling based on weaker assumptions than those necessary for pseudo-random functions.
△ Less
Submitted 26 October, 2022;
originally announced October 2022.
-
EM-Fault It Yourself: Building a Replicable EMFI Setup for Desktop and Server Hardware
Authors:
Niclas Kühnapfel,
Robert Buhren,
Hans Niklas Jacob,
Thilo Krachenfels,
Christian Werling,
Jean-Pierre Seifert
Abstract:
EMFI has become a popular fault injection (FI) technique due to its ability to inject faults precisely considering timing and location. Recently, ARM, RISC-V, and even x86 processing units in different packages were shown to be vulnerable to electromagnetic fault injection (EMFI) attacks. However, past publications lack a detailed description of the entire attack setup, hindering researchers and c…
▽ More
EMFI has become a popular fault injection (FI) technique due to its ability to inject faults precisely considering timing and location. Recently, ARM, RISC-V, and even x86 processing units in different packages were shown to be vulnerable to electromagnetic fault injection (EMFI) attacks. However, past publications lack a detailed description of the entire attack setup, hindering researchers and companies from easily replicating the presented attacks on their devices. In this work, we first show how to build an automated EMFI setup with high scanning resolution and good repeatability that is large enough to attack modern desktop and server CPUs. We structurally lay out all details on mechanics, hardware, and software along with this paper. Second, we use our setup to attack a deeply embedded security co-processor in modern AMD systems on a chip (SoCs), the AMD Secure Processor (AMD-SP). Using a previously published code execution exploit, we run two custom payloads on the AMD-SP that utilize the SoC to different degrees. We then visualize these fault locations on SoC photographs allowing us to reason about the SoC's components under attack. Finally, we show that the signature verification process of one of the first executed firmware parts is susceptible to EMFI attacks, undermining the security architecture of the entire SoC. To the best of our knowledge, this is the first reported EMFI attack against an AMD desktop CPU.
△ Less
Submitted 20 September, 2022;
originally announced September 2022.
-
A single $T$-gate makes distribution learning hard
Authors:
Marcel Hinsche,
Marios Ioannou,
Alexander Nietner,
Jonas Haferkamp,
Yihui Quek,
Dominik Hangleiter,
Jean-Pierre Seifert,
Jens Eisert,
Ryan Sweke
Abstract:
The task of learning a probability distribution from samples is ubiquitous across the natural sciences. The output distributions of local quantum circuits form a particularly interesting class of distributions, of key importance both to quantum advantage proposals and a variety of quantum machine learning algorithms. In this work, we provide an extensive characterization of the learnability of the…
▽ More
The task of learning a probability distribution from samples is ubiquitous across the natural sciences. The output distributions of local quantum circuits form a particularly interesting class of distributions, of key importance both to quantum advantage proposals and a variety of quantum machine learning algorithms. In this work, we provide an extensive characterization of the learnability of the output distributions of local quantum circuits. Our first result yields insight into the relationship between the efficient learnability and the efficient simulatability of these distributions. Specifically, we prove that the density modelling problem associated with Clifford circuits can be efficiently solved, while for depth $d=n^{Ω(1)}$ circuits the injection of a single $T$-gate into the circuit renders this problem hard. This result shows that efficient simulatability does not imply efficient learnability. Our second set of results provides insight into the potential and limitations of quantum generative modelling algorithms. We first show that the generative modelling problem associated with depth $d=n^{Ω(1)}$ local quantum circuits is hard for any learning algorithm, classical or quantum. As a consequence, one cannot use a quantum algorithm to gain a practical advantage for this task. We then show that, for a wide variety of the most practically relevant learning algorithms -- including hybrid-quantum classical algorithms -- even the generative modelling problem associated with depth $d=ω(\log(n))$ Clifford circuits is hard. This result places limitations on the applicability of near-term hybrid quantum-classical generative modelling algorithms.
△ Less
Submitted 7 July, 2022;
originally announced July 2022.
-
Sensor fusion in ptychography
Authors:
Kira A. M. Maathuis,
Jacob Seifert,
Allard P. Mosk
Abstract:
Ptychography is a lensless, computational imaging method that utilises diffraction patterns to determine the amplitude and phase of an object. In transmission ptychography, the diffraction patterns are recorded by a detector positioned along the optical axis downstream of the object. The light scattered at the highest diffraction angle carries information about the finest structures of the object.…
▽ More
Ptychography is a lensless, computational imaging method that utilises diffraction patterns to determine the amplitude and phase of an object. In transmission ptychography, the diffraction patterns are recorded by a detector positioned along the optical axis downstream of the object. The light scattered at the highest diffraction angle carries information about the finest structures of the object. We present a setup to simultaneously capture a signal near the optical axis and a signal scattered at high diffraction angles. Moreover, we present an algorithm based on a shifted angular spectrum method and automatic differentiation that utilises this recorded signal. By jointly reconstructing the object from the resulting low and high diffraction angle images, the resolution of the reconstructed image is improved remarkably. The effective numerical aperture of the compound sensor is determined by the maximum diffraction angle captured by the off axis sensor.
△ Less
Submitted 3 January, 2023; v1 submitted 18 March, 2022;
originally announced March 2022.
-
Spectroscopic characterization of singlet-triplet doorway states of aluminum monofluoride
Authors:
Nicole Walter,
Johannes Seifert,
Stefan Truppe,
Hanns Christian Schewe,
Boris Sartakov,
Gerard Meijer
Abstract:
Aluminum monofluoride (AlF) possesses highly favorable properties for laser cooling, both via the A$^1Π$ and a$^3Π$ states. Determining efficient pathways between the singlet and the triplet manifold of electronic states will be advantageous for future experiments at ultralow temperatures. The lowest rotational levels of the A$^1Π, v=6$ and b$^3Σ^+, v=5$ states of AlF are nearly iso-energetic and…
▽ More
Aluminum monofluoride (AlF) possesses highly favorable properties for laser cooling, both via the A$^1Π$ and a$^3Π$ states. Determining efficient pathways between the singlet and the triplet manifold of electronic states will be advantageous for future experiments at ultralow temperatures. The lowest rotational levels of the A$^1Π, v=6$ and b$^3Σ^+, v=5$ states of AlF are nearly iso-energetic and interact via spin-orbit coupling. These levels thus have a strongly mixed spin-character and provide a singlet-triplet doorway. We here present a hyperfine resolved spectroscopic study of the A$^1Π, v=6$ // b$^3Σ^+, v=5$ perturbed system in a jet-cooled, pulsed molecular beam. From a fit to the observed energies of the hyperfine levels, the fine and hyperfine structure parameters of the coupled states, their relative energies as well as the spin-orbit interaction parameter are determined. The standard deviation of the fit is about 15 MHz. We experimentally determine the radiative lifetimes of selected hyperfine levels by time-delayed ionization, Lamb dip spectroscopy and accurate measurements of the transition lineshapes. The measured lifetimes range between 2 ns and 200 ns, determined by the degree of singlet-triplet mixing for each level.
△ Less
Submitted 16 February, 2022;
originally announced February 2022.
-
Spectroscopic characterization of the a$^3Π$ state of aluminum monofluoride
Authors:
Nicole Walter,
Maximilian Doppelbauer,
Silvio Marx,
Johannes Seifert,
Xiangyue Liu,
Jesús Pérez Ríos,
Boris Sartakov,
Stefan Truppe,
Gerard Meijer
Abstract:
Spectroscopic studies of aluminum monofluoride (AlF) have revealed its highly favorable properties for direct laser cooling. All $Q$ lines of the strong A$^1Π$ $\leftarrow$ X$^1Σ^+$ transition around 227~nm are rotationally closed and thereby suitable for the main cooling cycle. The same holds for the narrow, spin-forbidden a$^3Π$ $\leftarrow$ X$^1Σ^+$ transition around 367 nm which has a recoil l…
▽ More
Spectroscopic studies of aluminum monofluoride (AlF) have revealed its highly favorable properties for direct laser cooling. All $Q$ lines of the strong A$^1Π$ $\leftarrow$ X$^1Σ^+$ transition around 227~nm are rotationally closed and thereby suitable for the main cooling cycle. The same holds for the narrow, spin-forbidden a$^3Π$ $\leftarrow$ X$^1Σ^+$ transition around 367 nm which has a recoil limit in the micro Kelvin range.
We here report on the spectroscopic characterization of the lowest rotational levels in the a$^3Π$ state of AlF for $v=0-8$ using a jet-cooled, pulsed molecular beam. An accidental AC Stark shift is observed on the a$^3Π_0, v=4$ $\leftarrow$ X$^1Σ^+, v=4$ band. By using time-delayed ionization for state-selective detection of the molecules in the metastable a$^3Π$ state at different points along the molecular beam, the radiative lifetime of the a$^3Π_1, v=0, J=1$ level is experimentally determined as $τ=1.89 \pm 0.15$~ms. A laser/radio-frequency multiple resonance ionization scheme is employed to determine the hyperfine splittings in the a$^3Π_1, v=5$ level. The experimentally derived hyperfine parameters are compared to the outcome of quantum chemistry calculations. A spectral line with a width of 1.27 kHz is recorded between hyperfine levels in the a$^3Π, v=0$ state. These measurements benchmark the electronic potential of the a$^3Π$ state and yield accurate values for the photon scattering rate and for the elements of the Franck-Condon matrix of the a$^3Π$ $-$ X$^1Σ^+$ system.
△ Less
Submitted 16 February, 2022; v1 submitted 17 December, 2021;
originally announced December 2021.
-
Learning Classical Readout Quantum PUFs based on single-qubit gates
Authors:
Niklas Pirnay,
Anna Pappa,
Jean-Pierre Seifert
Abstract:
Physical Unclonable Functions (PUFs) have been proposed as a way to identify and authenticate electronic devices. Recently, several ideas have been presented that aim to achieve the same for quantum devices. Some of these constructions apply single-qubit gates in order to provide a secure fingerprint of the quantum device. In this work, we formalize the class of Classical Readout Quantum PUFs (CR-…
▽ More
Physical Unclonable Functions (PUFs) have been proposed as a way to identify and authenticate electronic devices. Recently, several ideas have been presented that aim to achieve the same for quantum devices. Some of these constructions apply single-qubit gates in order to provide a secure fingerprint of the quantum device. In this work, we formalize the class of Classical Readout Quantum PUFs (CR-QPUFs) using the statistical query (SQ) model and explicitly show insufficient security for CR-QPUFs based on single qubit rotation gates, when the adversary has SQ access to the CR-QPUF. We demonstrate how a malicious party can learn the CR-QPUF characteristics and forge the signature of a quantum device through a modelling attack using a simple regression of low-degree polynomials. The proposed modelling attack was successfully implemented in a real-world scenario on real IBM Q quantum machines. We thoroughly discuss the prospects and problems of CR-QPUFs where quantum device imperfections are used as a secure fingerprint.
△ Less
Submitted 16 May, 2022; v1 submitted 13 December, 2021;
originally announced December 2021.
-
Learnability of the output distributions of local quantum circuits
Authors:
Marcel Hinsche,
Marios Ioannou,
Alexander Nietner,
Jonas Haferkamp,
Yihui Quek,
Dominik Hangleiter,
Jean-Pierre Seifert,
Jens Eisert,
Ryan Sweke
Abstract:
There is currently a large interest in understanding the potential advantages quantum devices can offer for probabilistic modelling. In this work we investigate, within two different oracle models, the probably approximately correct (PAC) learnability of quantum circuit Born machines, i.e., the output distributions of local quantum circuits. We first show a negative result, namely, that the output…
▽ More
There is currently a large interest in understanding the potential advantages quantum devices can offer for probabilistic modelling. In this work we investigate, within two different oracle models, the probably approximately correct (PAC) learnability of quantum circuit Born machines, i.e., the output distributions of local quantum circuits. We first show a negative result, namely, that the output distributions of super-logarithmic depth Clifford circuits are not sample-efficiently learnable in the statistical query model, i.e., when given query access to empirical expectation values of bounded functions over the sample space. This immediately implies the hardness, for both quantum and classical algorithms, of learning from statistical queries the output distributions of local quantum circuits using any gate set which includes the Clifford group. As many practical generative modelling algorithms use statistical queries -- including those for training quantum circuit Born machines -- our result is broadly applicable and strongly limits the possibility of a meaningful quantum advantage for learning the output distributions of local quantum circuits. As a positive result, we show that in a more powerful oracle model, namely when directly given access to samples, the output distributions of local Clifford circuits are computationally efficiently PAC learnable by a classical learner. Our results are equally applicable to the problems of learning an algorithm for generating samples from the target distribution (generative modelling) and learning an algorithm for evaluating its probabilities (density modelling). They provide the first rigorous insights into the learnability of output distributions of local quantum circuits from the probabilistic modelling perspective.
△ Less
Submitted 11 October, 2021;
originally announced October 2021.
-
VIA: Analyzing Device Interfaces of Protected Virtual Machines
Authors:
Felicitas Hetzelt,
Martin Radev,
Robert Buhren,
Mathias Morbitzer,
Jean-Pierre Seifert
Abstract:
Both AMD and Intel have presented technologies for confidential computing in cloud environments. The proposed solutions - AMD SEV (-ES, -SNP) and Intel TDX - protect Virtual Machines (VMs) against attacks from higher privileged layers through memory encryption and integrity protection. This model of computation draws a new trust boundary between virtual devices and the VM, which in so far lacks th…
▽ More
Both AMD and Intel have presented technologies for confidential computing in cloud environments. The proposed solutions - AMD SEV (-ES, -SNP) and Intel TDX - protect Virtual Machines (VMs) against attacks from higher privileged layers through memory encryption and integrity protection. This model of computation draws a new trust boundary between virtual devices and the VM, which in so far lacks thorough examination. In this paper, we therefore present an analysis of the virtual device interface and discuss several attack vectors against a protected VM. Further, we develop and evaluate VIA, an automated analysis tool to detect cases of improper sanitization of input recieved via the virtual device interface. VIA improves upon existing approaches for the automated analysis of device interfaces in the following aspects: (i) support for virtualization relevant buses, (ii) efficient Direct Memory Access (DMA) support and (iii) performance. VIA builds upon the Linux Kernel Library and clang's libfuzzer to fuzz the communication between the driver and the device via MMIO, PIO, and DMA. An evaluation of VIA shows that it performs 570 executions per second on average and improves performance compared to existing approaches by an average factor of 2706. Using VIA, we analyzed 22 drivers in Linux 5.10.0-rc6, thereby uncovering 50 bugs and initiating multiple patches to the virtual device driver interface of Linux. To prove our findings criticality under the threat model of AMD SEV and Intel TDX, we showcase three exemplary attacks based on the bugs found. The attacks enable a malicious hypervisor to corrupt the memory and gain code execution in protected VMs with SEV-ES and are theoretically applicable to SEV-SNP and TDX.
△ Less
Submitted 22 September, 2021;
originally announced September 2021.
-
Machine-Learning Side-Channel Attacks on the GALACTICS Constant-Time Implementation of BLISS
Authors:
Soundes Marzougui,
Nils Wisiol,
Patrick Gersch,
Juliane Krämer,
Jean-Pierre Seifert
Abstract:
Due to the advancing development of quantum computers, practical attacks on conventional public-key cryptography may become feasible in the next few decades. To address this risk, post-quantum schemes that are secure against quantum attacks are being developed.
Lattice-based algorithms are promising replacements for conventional schemes, with BLISS being one of the earliest post-quantum signatur…
▽ More
Due to the advancing development of quantum computers, practical attacks on conventional public-key cryptography may become feasible in the next few decades. To address this risk, post-quantum schemes that are secure against quantum attacks are being developed.
Lattice-based algorithms are promising replacements for conventional schemes, with BLISS being one of the earliest post-quantum signature schemes in this family. However, required subroutines such as Gaussian sampling have been demonstrated to be a risk for the security of BLISS, since implementing Gaussian sampling both efficient and secure with respect to physical attacks is highly challenging.
This paper presents three related power side-channel attacks on GALACTICS, the latest constant-time implementation of BLISS. All attacks are based on leakages we identified in the Gaussian sampling and signing algorithm of GALACTICS.
To run the attack, a profiling phase on a device identical to the device under attack is required to train machine learning classifiers.
In the attack phase, the leakages of GALACTICS enable the trained classifiers to predict sensitive internal information with high accuracy, paving the road for three different key recovery attacks.
We demonstrate the leakages by running GALACTICS on a Cortex-M4 and provide proof-of-concept data and implementation for all our attacks.
△ Less
Submitted 8 June, 2022; v1 submitted 20 September, 2021;
originally announced September 2021.
-
The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs
Authors:
Otto Bittner,
Thilo Krachenfels,
Andreas Galauner,
Jean-Pierre Seifert
Abstract:
Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as self-driving cars and autonomous machine…
▽ More
Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as self-driving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI is known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation.
△ Less
Submitted 16 August, 2021; v1 submitted 13 August, 2021;
originally announced August 2021.
-
One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization
Authors:
Robert Buhren,
Hans Niklas Jacob,
Thilo Krachenfels,
Jean-Pierre Seifert
Abstract:
AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms for virtual machines in untrusted environments through memory and register encryption. To separate security-sensitive operations from software executing on the main x86 cores, SEV leverages the AMD Secure Processor (AMD-SP). This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD…
▽ More
AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms for virtual machines in untrusted environments through memory and register encryption. To separate security-sensitive operations from software executing on the main x86 cores, SEV leverages the AMD Secure Processor (AMD-SP). This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD-SP. We present a voltage glitching attack that allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3). The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory. Furthermore, using our approach, we can extract endorsement keys of SEV-enabled CPUs, which allows us to fake attestation reports or to pose as a valid target for VM migration without requiring physical access to the target host. Moreover, we reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware version of TCB components relevant for SEV. Building on the ability to extract the endorsement keys, we show how to derive valid VCEKs for arbitrary firmware versions. With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rogue administrators, on currently available CPUs.
△ Less
Submitted 26 August, 2021; v1 submitted 10 August, 2021;
originally announced August 2021.
-
Trojan Awakener: Detecting Dormant Malicious Hardware Using Laser Logic State Imaging (Extended Version)
Authors:
Thilo Krachenfels,
Jean-Pierre Seifert,
Shahin Tajik
Abstract:
The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecti…
▽ More
The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecting dormant HTs with small or zero-overhead triggers and payloads on these platforms is still a challenging task, as the Trojan might not get activated during the chip verification using logical testing or physical measurements. In this work, we present a novel Trojan detection approach based on a technique known from integrated circuit (IC) failure analysis, capable of detecting virtually all classes of dormant Trojans. Using laser logic state imaging (LLSI), we show how supply voltage modulations can awaken inactive Trojans, making them detectable using laser voltage imaging techniques. Therefore, our technique does not require triggering the Trojan. To support our claims, we present three case studies on 28 and 20 SRAM- and flash-based field-programmable gate arrays (FPGAs). We demonstrate how to detect with high confidence small changes in sequential and combinatorial logic as well as in the routing configuration of FPGAs in a non-invasive manner. Finally, we discuss the practical applicability of our approach on dormant analog Trojans in ASICs.
△ Less
Submitted 2 February, 2023; v1 submitted 21 July, 2021;
originally announced July 2021.
-
Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks
Authors:
Thilo Krachenfels,
Tuba Kiyan,
Shahin Tajik,
Jean-Pierre Seifert
Abstract:
The security of modern electronic devices relies on secret keys stored on secure hardware modules as the root-of-trust (RoT). Extracting those keys would break the security of the entire system. As shown before, sophisticated side-channel analysis (SCA) attacks, using chip failure analysis (FA) techniques, can extract data from on-chip memory cells. However, since the chip's layout is unknown to t…
▽ More
The security of modern electronic devices relies on secret keys stored on secure hardware modules as the root-of-trust (RoT). Extracting those keys would break the security of the entire system. As shown before, sophisticated side-channel analysis (SCA) attacks, using chip failure analysis (FA) techniques, can extract data from on-chip memory cells. However, since the chip's layout is unknown to the adversary in practice, secret key localization and reverse engineering are onerous tasks. Consequently, hardware vendors commonly believe that the ever-growing physical complexity of the integrated circuit (IC) designs can be a natural barrier against potential adversaries. In this work, we present a novel approach that can extract the secret key without any knowledge of the IC's layout, and independent from the employed memory technology as key storage. We automate the -- traditionally very labor-intensive -- reverse engineering and data extraction process. To that end, we demonstrate that black-box measurements captured using laser-assisted SCA techniques from a training device with known key can be used to profile the device for a later key prediction on other victim devices with unknown keys. To showcase the potential of our approach, we target keys on three different hardware platforms, which are utilized as RoT in different products.
△ Less
Submitted 23 February, 2021;
originally announced February 2021.
-
Optimizing illumination for precise multi-parameter estimations in coherent diffractive imaging
Authors:
Dorian Bouchet,
Jacob Seifert,
Allard P. Mosk
Abstract:
Coherent diffractive imaging (CDI) is widely used to characterize structured samples from measurements of diffracting intensity patterns. We introduce a numerical framework to quantify the precision that can be achieved when estimating any given set of parameters characterizing the sample from measured data. The approach, based on the calculation of the Fisher information matrix, provides a clear…
▽ More
Coherent diffractive imaging (CDI) is widely used to characterize structured samples from measurements of diffracting intensity patterns. We introduce a numerical framework to quantify the precision that can be achieved when estimating any given set of parameters characterizing the sample from measured data. The approach, based on the calculation of the Fisher information matrix, provides a clear benchmark to assess the performance of CDI methods. Moreover, by optimizing the Fisher information metric using deep learning optimization libraries, we demonstrate how to identify the optimal illumination scheme that minimizes the estimation error under specified experimental constrains. This work paves the way for an efficient characterization of structured samples at the sub-wavelength scale.
△ Less
Submitted 7 January, 2021; v1 submitted 7 October, 2020;
originally announced October 2020.
-
Efficient and flexible approach to ptychography using an optimization framework based on automatic differentiation
Authors:
Jacob Seifert,
Dorian Bouchet,
Lars Loetgering,
Allard P. Mosk
Abstract:
Ptychography is a lensless imaging method that allows for wavefront sensing and phase-sensitive microscopy from a set of diffraction patterns. Recently, it has been shown that the optimization task in ptychography can be achieved via automatic differentiation (AD). Here, we propose an open-access AD-based framework implemented with TensorFlow, a popular machine learning library. Using simulations,…
▽ More
Ptychography is a lensless imaging method that allows for wavefront sensing and phase-sensitive microscopy from a set of diffraction patterns. Recently, it has been shown that the optimization task in ptychography can be achieved via automatic differentiation (AD). Here, we propose an open-access AD-based framework implemented with TensorFlow, a popular machine learning library. Using simulations, we show that our AD-based framework performs comparably to a state-of-the-art implementation of the momentum-accelerated ptychographic iterative engine (mPIE) in terms of reconstruction speed and quality. AD-based approaches provide great flexibility, as we demonstrate by setting the reconstruction distance as a trainable parameter. Lastly, we experimentally demonstrate that our framework faithfully reconstructs a biological specimen.
△ Less
Submitted 12 January, 2021; v1 submitted 5 October, 2020;
originally announced October 2020.
-
Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model
Authors:
Thilo Krachenfels,
Fatemeh Ganji,
Amir Moradi,
Shahin Tajik,
Jean-Pierre Seifert
Abstract:
Due to its sound theoretical basis and practical efficiency, masking has become the most prominent countermeasure to protect cryptographic implementations against physical side-channel attacks (SCAs). The core idea of masking is to randomly split every sensitive intermediate variable during computation into at least t+1 shares, where t denotes the maximum number of shares that are allowed to be ob…
▽ More
Due to its sound theoretical basis and practical efficiency, masking has become the most prominent countermeasure to protect cryptographic implementations against physical side-channel attacks (SCAs). The core idea of masking is to randomly split every sensitive intermediate variable during computation into at least t+1 shares, where t denotes the maximum number of shares that are allowed to be observed by an adversary without learning any sensitive information. In other words, it is assumed that the adversary is bounded either by the possessed number of probes (e.g., microprobe needles) or by the order of statistical analyses while conducting higher-order SCA attacks (e.g., differential power analysis). Such bounded models are employed to prove the SCA security of the corresponding implementations. Consequently, it is believed that given a sufficiently large number of shares, the vast majority of known SCA attacks are mitigated. In this work, we present a novel laser-assisted SCA technique, called Laser Logic State Imaging (LLSI), which offers an unlimited number of contactless probes, and therefore, violates the probing security model assumption. This technique enables us to take snapshots of hardware implementations, i.e., extract the logical state of all registers at any arbitrary clock cycle with a single measurement. To validate this, we mount our attack on masked AES hardware implementations and practically demonstrate the extraction of the full-length key in two different scenarios. First, we assume that the location of the registers (key and/or state) is known, and hence, their content can be directly read by a single snapshot. Second, we consider an implementation with unknown register locations, where we make use of multiple snapshots and a SAT solver to reveal the secrets.
△ Less
Submitted 9 September, 2020;
originally announced September 2020.
-
On the Quantum versus Classical Learnability of Discrete Distributions
Authors:
Ryan Sweke,
Jean-Pierre Seifert,
Dominik Hangleiter,
Jens Eisert
Abstract:
Here we study the comparative power of classical and quantum learners for generative modelling within the Probably Approximately Correct (PAC) framework. More specifically we consider the following task: Given samples from some unknown discrete probability distribution, output with high probability an efficient algorithm for generating new samples from a good approximation of the original distribu…
▽ More
Here we study the comparative power of classical and quantum learners for generative modelling within the Probably Approximately Correct (PAC) framework. More specifically we consider the following task: Given samples from some unknown discrete probability distribution, output with high probability an efficient algorithm for generating new samples from a good approximation of the original distribution. Our primary result is the explicit construction of a class of discrete probability distributions which, under the decisional Diffie-Hellman assumption, is provably not efficiently PAC learnable by a classical generative modelling algorithm, but for which we construct an efficient quantum learner. This class of distributions therefore provides a concrete example of a generative modelling problem for which quantum learners exhibit a provable advantage over classical learning algorithms. In addition, we discuss techniques for proving classical generative modelling hardness results, as well as the relationship between the PAC learnability of Boolean functions and the PAC learnability of discrete probability distributions.
△ Less
Submitted 9 March, 2021; v1 submitted 28 July, 2020;
originally announced July 2020.
-
Evaluation of Low-Cost Thermal Laser Stimulation for Data Extraction and Key Readout
Authors:
Thilo Krachenfels,
Heiko Lohrke,
Jean-Pierre Seifert,
Enrico Dietz,
Sven Frohmann,
Heinz-Wilhelm Hübers
Abstract:
Recent attacks using thermal laser stimulation (TLS) have shown that it is possible to extract cryptographic keys from the battery-backed memory on state-of-the-art field-programmable gate arrays (FPGAs). However, the professional failure analysis microscopes usually employed for these attacks cost in the order of 500k to 1M dollars. In this work, we evaluate the use of a cheaper commercial laser…
▽ More
Recent attacks using thermal laser stimulation (TLS) have shown that it is possible to extract cryptographic keys from the battery-backed memory on state-of-the-art field-programmable gate arrays (FPGAs). However, the professional failure analysis microscopes usually employed for these attacks cost in the order of 500k to 1M dollars. In this work, we evaluate the use of a cheaper commercial laser fault injection station retrofitted with a suitable amplifier and light source to enable TLS. We demonstrate that TLS attacks are possible at a hardware cost of around 100k dollars. This constitutes a reduction of the resources required by the attacker by a factor of at least five. We showcase two actual attacks: data extraction from the SRAM memory of a low-power microcontroller and decryption key extraction from a 20-nm technology FPGA device. The strengths and weaknesses of our low-cost approach are then discussed in comparison with the conventional failure analysis equipment approach. In general, this work demonstrates that TLS backside attacks are available at a much lower cost than previously expected.
△ Less
Submitted 11 June, 2020;
originally announced June 2020.
-
Insecure Until Proven Updated: Analyzing AMD SEV's Remote Attestation
Authors:
Robert Buhren,
Christian Werling,
Jean-Pierre Seifert
Abstract:
Customers of cloud services have to trust the cloud providers, as they control the building blocks that form the cloud. This includes the hypervisor enabling the sharing of a single hardware platform among multiple tenants. AMD Secure Encrypted Virtualization (SEV) claims a new level of protection in cloud scenarios. AMD SEV encrypts the main memory of virtual machines with VM-specific keys, there…
▽ More
Customers of cloud services have to trust the cloud providers, as they control the building blocks that form the cloud. This includes the hypervisor enabling the sharing of a single hardware platform among multiple tenants. AMD Secure Encrypted Virtualization (SEV) claims a new level of protection in cloud scenarios. AMD SEV encrypts the main memory of virtual machines with VM-specific keys, thereby denying the higher-privileged hypervisor access to a guest's memory. To enable the cloud customer to verify the correct deployment of his virtual machine, SEV additionally introduces a remote attestation protocol.This paper analyzes the firmware components that implement the SEV remote attestation protocol on the current AMD Epyc Naples CPU series. We demonstrate that it is possible to extract critical CPU-specific keys that are fundamental for the security of the remote attestation protocol.Building on the extracted keys, we propose attacks that allow a malicious cloud provider a complete circumvention of the SEV protection mechanisms. Although the underlying firmware issues were already fixed by AMD, we show that the current series of AMD Epyc CPUs, i.e., the Naples series, does not prevent the installation of previous firmware versions. We show that the severity of our proposed attacks is very high as no purely software-based mitigations are possible. This effectively renders the SEV technology on current AMD Epyc CPUs useless when confronted with an untrusted cloud provider. To overcome these issues, we also propose robust changes to the SEV design that allow future generations of the SEV technology to mitigate the proposed attacks.
△ Less
Submitted 2 September, 2019; v1 submitted 30 August, 2019;
originally announced August 2019.
-
Influence of composition and heating schedules on compatibility of FeCrAl alloys with high-temperature steam
Authors:
Chongchong Tang,
Adrian Jianu,
Martin Steinbrueck,
Mirco Grosse,
Alfons Weisenburger,
Hans Juergen Seifert
Abstract:
FeCrAl alloys are proposed and being intensively investigated as alternative accident tolerant fuel (ATF) cladding for nuclear fission application. Herein, the influence of major alloy elements (Cr and Al), reactive element effect and heating schedules on the oxidation behavior of FeCrAl alloys in steam up to 1500°C was examined. In case of transient ramp tests, catastrophic oxidation, i.e. rapid…
▽ More
FeCrAl alloys are proposed and being intensively investigated as alternative accident tolerant fuel (ATF) cladding for nuclear fission application. Herein, the influence of major alloy elements (Cr and Al), reactive element effect and heating schedules on the oxidation behavior of FeCrAl alloys in steam up to 1500°C was examined. In case of transient ramp tests, catastrophic oxidation, i.e. rapid and complete consumption of the alloy, occurred during temperature ramp up to above 1200°C for specific alloys. The maximum compatible temperature of FeCrAl alloys in steam increases with raising Cr and Al content, decreasing heating rates during ramp period and do** of yttrium. Isothermal oxidation resulted in catastrophic oxidation at 1400°C for all examined alloys. However, formation of a protective alumina scale at 1500°C was ascertained despite partial melting. The occurrence of catastrophic oxidation seems to be controlled by dynamic competitive mechanisms between mass transfer of Al from the substrate and transport of oxidizing gas through the scale both toward the metal/oxide scale interface.
△ Less
Submitted 5 December, 2018;
originally announced December 2018.
-
RNNIDS: Enhancing Network Intrusion Detection Systems through Deep Learning
Authors:
Soroush M. Sohi,
Jean-Pierre Seifert,
Fatemeh Ganji
Abstract:
Security of information passing through the Internet is threatened by today's most advanced malware ranging from orchestrated botnets to simpler polymorphic worms. These threats, as examples of zero-day attacks, are able to change their behavior several times in the early phases of their existence to bypass the network intrusion detection systems (NIDS). In fact, even well-designed, and frequently…
▽ More
Security of information passing through the Internet is threatened by today's most advanced malware ranging from orchestrated botnets to simpler polymorphic worms. These threats, as examples of zero-day attacks, are able to change their behavior several times in the early phases of their existence to bypass the network intrusion detection systems (NIDS). In fact, even well-designed, and frequently-updated signature-based NIDS cannot detect the zero-day treats due to the lack of an adequate signature database, adaptive to intelligent attacks on the Internet. More importantly, having an NIDS, it should be tested on malicious traffic dataset that not only represents known attacks, but also can to some extent reflect the characteristics of unknown, zero-day attacks. Generating such traffic is identified in the literature as one of the main obstacles for evaluating the effectiveness of NIDS. To address these issues, we introduce RNNIDS that applies Recurrent Neural Networks (RNNs) to find complex patterns in attacks and generate similar ones. In this regard, for the first time, we demonstrate that RNNs are helpful to generate new, unseen mutants of attacks as well as synthetic signatures from the most advanced malware to improve the intrusion detection rate. Besides, to further enhance the design of an NIDS, RNNs can be employed to generate malicious datasets containing, e.g., unseen mutants of a malware. To evaluate the feasibility of our approaches, we conduct extensive experiments by incorporating publicly available datasets, where we show a considerable improvement in the detection rate of an off-the-shelf NIDS (up to 16.67%).
△ Less
Submitted 20 December, 2020; v1 submitted 9 July, 2018;
originally announced July 2018.
-
Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing
Authors:
Bhargava Shastry,
Federico Maggi,
Fabian Yamaguchi,
Konrad Rieck,
Jean-Pierre Seifert
Abstract:
Taint-style vulnerabilities comprise a majority of fuzzer discovered program faults. These vulnerabilities usually manifest as memory access violations caused by tainted program input. Although fuzzers have helped uncover a majority of taint-style vulnerabilities in software to date, they are limited by (i) extent of test coverage; and (ii) the availability of fuzzable test cases. Therefore, fuzzi…
▽ More
Taint-style vulnerabilities comprise a majority of fuzzer discovered program faults. These vulnerabilities usually manifest as memory access violations caused by tainted program input. Although fuzzers have helped uncover a majority of taint-style vulnerabilities in software to date, they are limited by (i) extent of test coverage; and (ii) the availability of fuzzable test cases. Therefore, fuzzing alone cannot provide a high assurance that all taint-style vulnerabilities have been uncovered. In this paper, we use static template matching to find recurrences of fuzzer-discovered vulnerabilities. To compensate for the inherent incompleteness of template matching, we implement a simple yet effective match-ranking algorithm that uses test coverage data to focus attention on those matches that comprise untested code. We prototype our approach using the Clang/LLVM compiler toolchain and use it in conjunction with afl-fuzz, a modern coverage-guided fuzzer. Using a case study carried out on the Open vSwitch codebase, we show that our prototype uncovers corner cases in modules that lack a fuzzable test harness. Our work demonstrates that static analysis can effectively complement fuzz testing, and is a useful addition to the security assessment tool-set. Furthermore, our techniques hold promise for increasing the effectiveness of program analysis and testing, and serve as a building block for a hybrid vulnerability discovery framework.
△ Less
Submitted 1 June, 2017;
originally announced June 2017.
-
Hindered nematic alignment of hematite spindles in viscoelastic matrices
Authors:
Annemarie Nack,
Julian Seifert,
Christopher Passow,
Joachim Wagner
Abstract:
The viscoelastic behavior of composites consisting of spindle-shaped hematite particles in poly-N-isopropylacrylamide hydrogels is investigated both, by means of rheological oscillatory shear experiments, and the field-induced alignment of these mesoscale, anisotropic particles in external magnetic fields. Due to their magnetic moment and magnetic anisotropy hematite spindles align with their long…
▽ More
The viscoelastic behavior of composites consisting of spindle-shaped hematite particles in poly-N-isopropylacrylamide hydrogels is investigated both, by means of rheological oscillatory shear experiments, and the field-induced alignment of these mesoscale, anisotropic particles in external magnetic fields. Due to their magnetic moment and magnetic anisotropy hematite spindles align with their long axis perpendicular to the direction of an external magnetic field. The field induced torque acting on the magnetic particles leads to an elastic deformation of the hydrogel matrix. Thus, the field-dependent orientational distribution functions of anisotropic particles acting as microrheological probes depend on the elastic modulus of the hydrogel matrix. The orientational distribution functions are determined by means of Small Angle X-ray Scattering experiments in presence of external magnetic fields. With increasing elasticity of the hydrogels, tuned via the polymer volume fraction and the crosslinking density, the field-induced alignment of these anisotropic, magnetic particles is progressively hindered. The microrheological results are in accordance to macrorheological experiments indicating increasing elasticity with increasing flux density of an external field.
△ Less
Submitted 19 April, 2017;
originally announced April 2017.
-
Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery
Authors:
Tommi Unruh,
Bhargava Shastry,
Malte Skoruppa,
Federico Maggi,
Konrad Rieck,
Jean-Pierre Seifert,
Fabian Yamaguchi
Abstract:
The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi). Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerabil…
▽ More
The Web is replete with tutorial-style content on how to accomplish programming tasks. Unfortunately, even top-ranked tutorials suffer from severe security vulnerabilities, such as cross-site scripting (XSS), and SQL injection (SQLi). Assuming that these tutorials influence real-world software development, we hypothesize that code snippets from popular tutorials can be used to bootstrap vulnerability discovery at scale. To validate our hypothesis, we propose a semi-automated approach to find recurring vulnerabilities starting from a handful of top-ranked tutorials that contain vulnerable code snippets. We evaluate our approach by performing an analysis of tens of thousands of open-source web applications to check if vulnerabilities originating in the selected tutorials recur. Our analysis framework has been running on a standard PC, analyzed 64,415 PHP codebases hosted on GitHub thus far, and found a total of 117 vulnerabilities that have a strong syntactic similarity to vulnerable code snippets present in popular tutorials. In addition to shedding light on the anecdotal belief that programmers reuse web tutorial code in an ad hoc manner, our study finds disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. Moreover, our findings testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point.
△ Less
Submitted 10 April, 2017;
originally announced April 2017.
-
Disorder Dependent Valley Properties in Monolayer WSe2
Authors:
Kha Tran,
Akshay Singh,
Joe Seifert,
Yi** Wang,
Kai Hao,
**g-Kai Huang,
Lain-Jong Li,
Takashi Taniguchi,
Kenji Watanabe,
Xiaoqin Li
Abstract:
We investigate the effect on disorder potential on exciton valley polarization and valley coherence in monolayer WSe2. By analyzing polarization properties of photoluminescence, the valley coherence (VC) and valley polarization (VP) is quantified across the inhomogeneously broadened exciton resonance. We find that disorder plays a critical role in the exciton VC, while minimally affecting VP. For…
▽ More
We investigate the effect on disorder potential on exciton valley polarization and valley coherence in monolayer WSe2. By analyzing polarization properties of photoluminescence, the valley coherence (VC) and valley polarization (VP) is quantified across the inhomogeneously broadened exciton resonance. We find that disorder plays a critical role in the exciton VC, while minimally affecting VP. For different monolayer samples with disorder characterized by their Stokes Shift (SS), VC decreases in samples with higher SS while VP again remains unchanged. These two methods consistently demonstrate that VC as defined by the degree of linearly polarized photoluminescence is more sensitive to disorder potential, motivating further theoretical studies.
△ Less
Submitted 28 August, 2017; v1 submitted 24 March, 2017;
originally announced March 2017.
-
Fault Attacks on Encrypted General Purpose Compute Platforms
Authors:
Robert Buhren,
Shay Gueron,
Jan Nordholz,
Jean-Pierre Seifert,
Julian Vetter
Abstract:
Adversaries with physical access to a target platform can perform cold boot or DMA attacks to extract sensitive data from the RAM. In response, several main-memory encryption schemes have been proposed to prevent such attacks. Also hardware vendors have acknowledged the threat and already announced respective hardware extensions. Intel's SGX and AMD's SME will provide means to encrypt parts of the…
▽ More
Adversaries with physical access to a target platform can perform cold boot or DMA attacks to extract sensitive data from the RAM. In response, several main-memory encryption schemes have been proposed to prevent such attacks. Also hardware vendors have acknowledged the threat and already announced respective hardware extensions. Intel's SGX and AMD's SME will provide means to encrypt parts of the RAM to protect security-relevant assets that reside there. Encrypting the RAM will protect the user's content against passive eavesdrop**. However, the level of protection it provides in scenarios that involve an adversary who is not only able to read from RAM but can also change content in RAM is less clear. Obviously, encryption offers some protection against such an "active" adversary: from the ciphertext the adversary cannot see what value is changed in the plaintext, nor predict the system behaviour based on the changes. But is this enough to prevent an active adversary from performing malicious tasks? This paper addresses the open research question whether encryption alone is a dependable protection mechanism in practice when considering an active adversary. To this end, we first build a software based memory encryption solution on a desktop system which mimics AMD's SME. Subsequently, we demonstrate a proof-of-concept fault attack on this system, by which we are able to extract the private RSA key of a GnuPG user. Our work suggests that transparent memory encryption is not enough to prevent active attacks.
△ Less
Submitted 12 December, 2016;
originally announced December 2016.
-
Reins to the Cloud: Compromising Cloud Systems via the Data Plane
Authors:
Kashyap Thimmaraju,
Bhargava Shastry,
Tobias Fiebig,
Felicitas Hetzelt,
Jean-Pierre Seifert,
Anja Feldmann,
Stefan Schmid
Abstract:
Virtual switches have become popular among cloud operating systems to interconnect virtual machines in a more flexible manner. However, this paper demonstrates that virtual switches introduce new attack surfaces in cloud setups, whose effects can be disastrous. Our analysis shows that these vulnerabilities are caused by: (1) inappropriate security assumptions (privileged virtual switch execution i…
▽ More
Virtual switches have become popular among cloud operating systems to interconnect virtual machines in a more flexible manner. However, this paper demonstrates that virtual switches introduce new attack surfaces in cloud setups, whose effects can be disastrous. Our analysis shows that these vulnerabilities are caused by: (1) inappropriate security assumptions (privileged virtual switch execution in kernel and user space), (2) the logical centralization of such networks (e.g., OpenStack or SDN), (3) the presence of bi-directional communication channels between data plane systems and the centralized controller, and (4) non-standard protocol parsers.
Our work highlights the need to accommodate the data plane(s) in our threat models. In particular, it forces us to revisit today's assumption that the data plane can only be compromised by a sophisticated attacker: we show that compromising the data plane of modern computer networks can actually be performed by a very simple attacker with limited resources only and at low cost (i.e., at the cost of renting a virtual machine in the Cloud). As a case study, we fuzzed only 2\% of the code-base of a production quality virtual switch's packet processor (namely OvS), identifying serious vulnerabilities leading to unauthenticated remote code execution. In particular, we present the "rein worm" which allows us to fully compromise test-setups in less than 100 seconds. We also evaluate the performance overhead of existing mitigations such as ASLR, PIEs, and unconditional stack canaries on OvS. We find that while applying these countermeasures in kernel-space incurs a significant overhead, in user-space the performance overhead is negligible.
△ Less
Submitted 10 February, 2017; v1 submitted 27 October, 2016;
originally announced October 2016.
-
Long-Lived Valley Polarization of Intra-Valley Trions in Monolayer WSe2
Authors:
Akshay Singh,
Kha Tran,
Mirco Kolarczik,
Joe Seifert,
Yi** Wang,
Kai Hao,
Dennis Pleskot,
Nathaniel M. Gabor,
Sophia Helmrich,
Nina Owschimikow,
Ulrike Woggon,
Xiaoqin Li
Abstract:
We investigate valley dynamics associated with trions in monolayer tungsten diselenide (WSe2) using polarization resolved two-color pump-probe spectroscopy. When tuning the pump and probe energy across the trion resonance, distinct trion valley polarization dynamics are observed as a function of energy and attributed to the intra-valley and inter-valley trions in monolayer WSe2. We observe no deca…
▽ More
We investigate valley dynamics associated with trions in monolayer tungsten diselenide (WSe2) using polarization resolved two-color pump-probe spectroscopy. When tuning the pump and probe energy across the trion resonance, distinct trion valley polarization dynamics are observed as a function of energy and attributed to the intra-valley and inter-valley trions in monolayer WSe2. We observe no decay of a near-unity valley polarization associated with the intra-valley trions during ~ 25 ps, while the valley polarization of the inter-valley trions exhibits a fast decay of ~ 4 ps. Furthermore, we show that resonant excitation is a prerequisite for observing the long-lived valley polarization associated with the intra-valley trion. The exceptionally robust valley polarization associated with resonantly created intra-valley trions discovered here may be explored for future valleytronic applications such as valley Hall effects.
△ Less
Submitted 2 January, 2017; v1 submitted 29 July, 2016;
originally announced August 2016.
-
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
Authors:
Altaf Shaik,
Ravishankar Borgaonkar,
N. Asokan,
Valtteri Niemi,
Jean-Pierre Seifert
Abstract:
Mobile communication systems now constitute an essential part of life throughout the world. Fourth generation "Long Term Evolution" (LTE) mobile communication networks are being deployed. The LTE suite of specifications is considered to be significantly better than its predecessors not only in terms of functionality but also with respect to security and privacy for subscribers.
We carefully anal…
▽ More
Mobile communication systems now constitute an essential part of life throughout the world. Fourth generation "Long Term Evolution" (LTE) mobile communication networks are being deployed. The LTE suite of specifications is considered to be significantly better than its predecessors not only in terms of functionality but also with respect to security and privacy for subscribers.
We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: A semi-passive attacker can locate an LTE device within a 2 sq.km area within a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols.
We present several countermeasures to resist our specific attacks. We also discuss possible trade-offs that may explain why these vulnerabilities exist and recommend that safety margins introduced into future specifications to address such trade-offs should incorporate greater agility to accommodate subsequent changes in the trade-off equilibrium.
△ Less
Submitted 7 August, 2017; v1 submitted 26 October, 2015;
originally announced October 2015.
-
Towards Vulnerability Discovery Using Staged Program Analysis
Authors:
Bhargava Shastry,
Fabian Yamaguchi,
Konrad Rieck,
Jean-Pierre Seifert
Abstract:
Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we pres…
▽ More
Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called Melange. Melange performs data and control flow analysis to diagnose potential security bugs, and outputs well-formatted bug reports that help developers understand and fix security bugs. Based on the intuition that real-world vulnerabilities manifest themselves across multiple parts of a program, Melange performs both local and global analyses. To scale up to large programs, global analysis is demand-driven. Our prototype detects multiple vulnerability classes in C and C++ code including type confusion, and garbage memory reads. We have evaluated Melange extensively. Our case studies show that Melange scales up to large codebases such as Chromium, is easy-to-use, and most importantly, capable of discovering vulnerabilities in real-world code. Our findings indicate that static analysis is a viable reinforcement to the software testing tool set.
△ Less
Submitted 6 April, 2016; v1 submitted 19 August, 2015;
originally announced August 2015.
-
Trion Formation Dynamics in Monolayer Transition Metal Dichalcogenides
Authors:
Akshay Singh,
Galan Moody,
Kha Tran,
Marie Scott,
Vincent Overbeck,
Gunnar Berghäuser,
John Schaibley,
Edward J. Seifert,
Dennis Pleskot,
Nathaniel M. Gabor,
Jiaqiang Yan,
David G. Mandrus,
Marten Richter,
Ermin Malic,
Xiaodong Xu,
Xiaoqin Li
Abstract:
We report charged exciton (trion) formation dynamics in doped monolayer transition metal dichalcogenides (TMDs), specifically molybdenum diselenide (MoSe2), using resonant two-color pump-probe spectroscopy. When resonantly pum** the exciton transition, trions are generated on a picosecond timescale through exciton-electron interaction. As the pump energy is tuned from the high energy to low ener…
▽ More
We report charged exciton (trion) formation dynamics in doped monolayer transition metal dichalcogenides (TMDs), specifically molybdenum diselenide (MoSe2), using resonant two-color pump-probe spectroscopy. When resonantly pum** the exciton transition, trions are generated on a picosecond timescale through exciton-electron interaction. As the pump energy is tuned from the high energy to low energy side of the inhomogeneously broadened exciton resonance, the trion formation time increases by ~ 50%. This feature can be explained by the existence of both localized and delocalized excitons in a disordered potential and suggests the existence of an exciton mobility edge in TMDs. The quasiparticle formation and conversion processes are important for interpreting photoluminescence and photoconductivity in TMDs.
△ Less
Submitted 16 December, 2015; v1 submitted 16 July, 2015;
originally announced July 2015.
-
A First Look at Firefox OS Security
Authors:
Daniel Defreez,
Bhargava Shastry,
Hao Chen,
Jean-Pierre Seifert
Abstract:
With Firefox OS, Mozilla is making a serious push for an HTML5-based mobile platform. In order to assuage security concerns over providing hardware access to web applications, Mozilla has introduced a number of mechanisms that make the security landscape of Firefox OS distinct from both the desktop web and other mobile operating systems. From an application security perspective, the two most signi…
▽ More
With Firefox OS, Mozilla is making a serious push for an HTML5-based mobile platform. In order to assuage security concerns over providing hardware access to web applications, Mozilla has introduced a number of mechanisms that make the security landscape of Firefox OS distinct from both the desktop web and other mobile operating systems. From an application security perspective, the two most significant of these mechanisms are the the introduction of a default Content Security Policy and code review in the market. This paper describes how lightweight static analysis can augment these mechanisms to find vulnerabilities which have otherwise been missed. We provide examples of privileged applications in the market that contain vulnerabilities that can be automatically detected.
In addition to these findings, we show some of the challenges that occur when desktop software is repurposed for a mobile operating system. In particular, we argue that the caching of certificate overrides across applications--a known problem in Firefox OS--generates a counter-intuitive user experience that detracts from the security of the system.
△ Less
Submitted 28 October, 2014;
originally announced October 2014.
-
R & D for Future Zeplin
Authors:
R. Bisset,
M. J. Carson,
H. Chagani,
D. B. Cline,
E. J. Daw,
T. Ferbel,
J. Gao,
Y. S. Gao,
V. A. Kudryavtsev,
P. K. Lightfoot,
P. Majewski,
J. Maxin,
J. Miller,
W. C. Ooi,
M. Robinson,
G. Salinas,
U. Schroeder,
J. Seifert,
F. Sergiampietri,
W. Skulski,
P. F. Smith,
N. J. C. Spooner,
J. Toke,
H. Wang,
J. T. White
, et al. (2 additional authors not shown)
Abstract:
We propose a new concept for a very low background multi-ton liquid xenon Dark Matter experiment. The detector consists of two concentric spheres and a charge readout device in the centre. Xenon between the two spheres forms a self-shield and veto device. The inner surface of the central sphere is coated with CsI to form an internal photocathode with minimum of 2πcoverage for any event in the ac…
▽ More
We propose a new concept for a very low background multi-ton liquid xenon Dark Matter experiment. The detector consists of two concentric spheres and a charge readout device in the centre. Xenon between the two spheres forms a self-shield and veto device. The inner surface of the central sphere is coated with CsI to form an internal photocathode with minimum of 2πcoverage for any event in the active volume. Photoelectrons from the CsI photocathode drift toward the charge readout micro-structure in the centre of the detector. Both scintillation and ionisation are measured simultaneously for background rejection and 3-D event map**. In addition to external shielding, the low background is achieved by eliminating PMTs and by using low radioactivity pure materials throughout the detector. We present detailed calculations of the charge readout system and design details. The detector is expected to probe the full SUSY parameter space.
△ Less
Submitted 15 May, 2007;
originally announced May 2007.
