Events & News

ZISC organizes a number of events. The annual ZISC Workshop brings together leading experts to present and discuss their latest research results on chosen information security and privacy topics. The weekly ZISC Lunch Seminar presentations illustrate the research done at the affiliated research groups and invite exciting speakers from other research institutes and companies.

Latest News

ZISC report 2024 is published!

The ZISC center has published its annual report for 2024.

During this year, ZISC continued to work on its core mission, which is to work on significant and fundamental information security and privacy problems together with its industry partners. Particular topics of focus this year included research on a sovereign smartphone platform, email phishing in large organizations, security of messaging applications and cloud storage, future Internet architecture, formal verification of security protocols, and privacy and security aspects of AI technologies, among others.

A noteworthy highlight of 2024 was the celebration of ZISC's 20th anniversary with a special event and a networking Apero at ETH Zurich's Audi Max and Dozentenfoyer. At the event, Prof. Srdjan Capkun, the Chair of the center, provided a brief history of the center and an overview of its main achievements. The keynote speaker of the event was Prof. Adi Shamir, a Turing Award winner and one of the founders of modern cryptography. In addition, the audience received research talks from Prof. Kenny Paterson and Prof. Florian Tramèr, both from ETH Zurich and part of the ZISC faculty. The industry talk of the event was given by Mona Vij from Intel Labs, who is a well-known expert in secure cloud computing and trusted execution environments. Finally, the event included a panel discussion hosted by Srdjan Capkun. The discussion touched upon many challenging and controversial topics, including surveillance and interception of encrypted communication, existential risks of AI, and the practical usefulness of quantum key distribution. The day was closed with a networking Apero at the Dozentenfoyer of ETH Zurich.

The ZISC Center is also proud to support the Center of Computer Science Education (ABZ) of ETH Zurich. The ABZ was established with the goal of introducing computer science as a subject into school education. Its main activities are developing textbooks and online platforms for teaching computer science at all school levels and testing them in schools, training teachers, popularizing computer science in society as a whole, and supporting pupils in various CS competitions.

You can read our full report here.

The ZISC center thanks its partners and collaborators and is looking forward to 2025!

Stealing Part of a Production Language Model

Researchers from the SPY Lab led by Professor Florian Tramèr along with collaborators have succeeded in extracting secret information on the large language model behind ChatGPT. The team responsibly disclosed the results of their “model stealing attack” to OpenAI. Following the disclosure, the company immediately implemented countermeasures to protect the model.

This work represents the first successful attempt at learning some information about the parameters of an LLM chatbot. In other words: the attack shows that popular chatbots like ChatGPT are susceptible to revealing secret information about the underlying model’s parameters. Although this information was limited, attacks in the future might be even more sophisticated—and therefore more dangerous.

In essence, the attack recovers the last ‘layer’ of the target model, which is the mapping that the LLM applies to its internal state to produce the next word to be predicted. This represents a very small fraction of the total number of parameters of the model, as modern LLMs can have over a hundred layers. However, in a typical LLM architecture, all these layers are the same size. So, recovering the last layer hints at how ‘wide’ the model is, meaning how many weights each of the model’s layers has. And in turn, this reveals something about the overall model size, because a model’s width and depth typically grow proportionally.

The attack relies on simple linear algebra and information publicly available in OpenAI’s API, which is used to accelerate the attack. Overall, the attack cost amounted to just 800 US dollars in queries to ChatGPT.
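To illustrate the linear-algebra point above on a constructed toy model (an added example, not the researchers' code; the final layer and the internal states are random placeholders): every logit vector an API returns lies in the column space of the final layer, so the rank of enough stacked responses reveals the model's width, and log-probabilities leak it too, with one extra dimension coming from the softmax normalisation. This is the property an API operator needs to understand before exposing full logit or log-probability vectors.

```python
import numpy as np

# Constructed toy model: only the final layer matters for the argument.
# logits = h @ W.T, where h is the internal state (width H) and W is the
# last layer of shape (vocab V, width H). Every logit vector therefore
# lies in the H-dimensional column space of W, whatever the prompt was.
def make_final_layer(width, vocab, seed=0):
    rng = np.random.default_rng(seed)
    return rng.standard_normal((vocab, width))

def query_full_logits(W, n_queries, seed=1):
    """Simulate an API that returns the complete logit vector per prompt.
    The internal states are constructed at random here; a real model
    computes them from the prompt, which does not change the rank."""
    rng = np.random.default_rng(seed)
    hidden_states = rng.standard_normal((n_queries, W.shape[1]))
    return hidden_states @ W.T                      # shape (n_queries, V)

def query_log_probs(W, n_queries, seed=1):
    """Same API, but returning log-probabilities: the softmax normalisation
    subtracts one per-query constant from every entry of that row."""
    logits = query_full_logits(W, n_queries, seed)
    shifted = logits - logits.max(axis=1, keepdims=True)
    return shifted - np.log(np.exp(shifted).sum(axis=1, keepdims=True))

def estimate_width(rows, rel_tol=1e-8):
    """Numerical rank of the stacked responses, from the singular values."""
    s = np.linalg.svd(rows, compute_uv=False)
    return int(np.sum(s > rel_tol * s[0]))

if __name__ == "__main__":
    W = make_final_layer(width=16, vocab=200)
    print(estimate_width(query_full_logits(W, 64)))   # 16: the hidden width
    print(estimate_width(query_log_probs(W, 64)))     # 17: width + 1; the extra
    # direction is the all-ones vector introduced by the normalisation constant
```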

After a responsible disclosure, OpenAI confirmed that the extracted parameters were correct. The company went on to make changes to its API to render the attack more expensive, albeit not impossible.

You can read an extended article here and find the paper and process here.

Artificial Bugs for Enhanced Cybersecurity

One-fifth of all cyberattacks target the financial sector, a share that is widely expected to rise. As cyberattacks become more frequent, the quantification and measurement of cyber risk and uncertainty will become pressing issues for policymakers.

ZISC supported research from Hans Gersbach and Fikri Pitsuwan that discusses the benefits of ‘bug bounty’ programmes, in which external agents are invited to search for a system’s vulnerabilities (bugs) in exchange for rewards (bounty). The researchers describe how the programmes work, illustrate various ways to implement them, and suggest augmenting existing programmes by inserting artificial bugs to enhance the incentives.

Read the whole article here or dive even deeper and read the whole research paper: Artificial Bugs for Bug Bounty.

Schwarz Group is the latest ZISC partner

ETH President Joël Mesot and Reinhold Geilsdörfer, Managing Director of the Dieter Schwarz Foundation. (Photograph: Valeriano Di Domenico)

Schwarz Group is the latest partner of the ZISC center. With almost 600,000 employees in more than 30 different countries, the Schwarz Group is among the top retail groups in the world. Based in Neckarsulm, Germany, its pillars in food retailing are Lidl and Kaufland.

Schwarz Digits, the group's IT and digital division, offers compelling products and services that comply with Germany's strict data protection standards. Its brands include STACKIT, which offers scalable, innovative cloud services with European data security standards, and XM Cyber, a leading provider of hybrid cloud security solutions such as continuous threat exposure management systems.

The ZISC partnership of Schwarz Group is part of a larger collaboration between ETH Zurich and the Dieter Schwarz Foundation, which have signed a far-reaching letter of intent to establish a new teaching and research centre for responsible digital transformation with a global reach. Thanks to the foundation's donations, new professorships are to be created both in Zurich and on the foundation's teaching campus in Heilbronn.

The collaboration between ETH Zurich and the Dieter Schwarz Foundation focuses on topics such as artificial intelligence, cybersecurity, bioinformatics and the circular economy. "International collaboration is needed more than ever in these areas," says Joël Mesot (ETH President). It is precisely this kind of networking that the teaching campus in Heilbronn aims to foster. The ZISC center takes the lead in driving the cybersecurity dimension.

The Zurich Information and Security Center is very proud of this new collaboration and excited to bring these plans to life.

More details can be found in the article here.

Ahoi Attacks: Disrupting TEEs with Malicious Notifications

Over the past decade, hardware manufacturers have introduced special support to enable cloud users to safely perform computation on untrusted cloud deployments. This technology, called confidential computing, provides cloud users with guarantees about the applications they execute and with confidentiality and integrity for their data. Currently, confidential computing is employed across various sectors including finance, healthcare, and government, where the need to maintain data privacy and integrity is paramount.

State-of-the-art confidential computing solutions, Intel TDX and AMD SEV-SNP, allow users to create confidential VMs that are managed by cloud-provider-controlled software called the hypervisor. Researchers from the SECTRS group have now discovered a new class of attacks, dubbed Ahoi attacks, that exploit vulnerabilities in the notification framework of Intel TDX and AMD SEV-SNP. Specifically, the cloud-provider-controlled hypervisor sends malicious notifications (called interrupts) to the confidential VMs to compromise their security (see the explainer video). Using this vulnerability, the researchers demonstrate two concrete attacks: Heckler and WeSee.

When a confidential VM receives an interrupt, it executes a corresponding interrupt handler that performs interrupt-specific tasks (e.g., updating memory values, setting global state). In Heckler, the researchers use legacy interrupts in confidential VMs to arbitrarily trigger interrupt handlers that change the global state of a security-sensitive application. For example, they demonstrate an attack on Intel TDX and AMD SEV-SNP that bypasses the authentication flow in the confidential VMs to gain uncontrolled access to all code and data. The researchers responsibly reported these vulnerabilities to Intel and AMD. The hardware vendors acknowledged the report, and the vulnerabilities are tracked under two CVEs: CVE-2024-25744 and CVE-2024-25743. For more details, check out the paper to appear at USENIX Security '24 below.

HECKLER: Breaking Confidential VMs with Malicious Interrupts
Benedict Schlüter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde

With the second attack, called WeSee, the researchers demonstrate attacks using vulnerabilities in a newly introduced interrupt (#VC) for AMD SEV-SNP. Along with the new interrupt, AMD SEV-SNP also introduces a new handler for #VC. The researchers show that a malicious hypervisor can build expressive attacks by arbitrarily injecting #VC into the confidential VM. For example, with WeSee the researchers build an attack that allows the attacker to gain complete privileged control of the confidential VM. The researchers responsibly disclosed the vulnerability to AMD, who acknowledged the attack. The vulnerability is tracked under CVE-2024-25742. For more details, check out the paper to appear at IEEE S&P '24 below.

WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP
Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, Shweta Shinde

These attacks highlight the need to carefully examine both legacy and newly added features of confidential computing. Ahoi attacks show the need to revamp the long-ignored notification frameworks of these confidential computing solutions. In light of these attacks, hardware vendors should rethink this vital notification framework and introduce native primitives for secure notification delivery to confidential VMs (CVMs).

To learn more, read the full news article here.