Events & News

ZISC organizes a number of events. The annual ZISC Workshop brings together leading experts to present and discuss their latest research results on a chosen information security and privacy topic. The weekly ZISC Lunch Seminar presentations illustrate the research done at the affiliated research groups and invite exciting speakers from other research institutes and companies.

Latest News

Stealing Part of a Production Language Model

Researchers from the SPY Lab led by Professor Florian Tramèr, along with collaborators, have succeeded in extracting secret information about the large language model behind ChatGPT. The team responsibly disclosed the results of their “model stealing attack” to OpenAI. Following the disclosure, the company immediately implemented countermeasures to protect the model.

This work represents the first successful attempt at learning some information about the parameters of an LLM chatbot. In other words: the attack shows that popular chatbots like ChatGPT are susceptible to revealing secret information about the underlying model’s parameters. Although this information was limited, attacks in the future might be even more sophisticated—and therefore more dangerous.

In essence, the attack recovers the last ‘layer’ of the target model, which is the mapping that the LLM applies to its internal state to produce the scores for the next word to be predicted. This represents a very small fraction of the total number of parameters of the model, as modern LLMs can have over a hundred layers. However, in a typical LLM architecture, all these layers share the same width. So, recovering the last layer reveals how ‘wide’ the model is, meaning how many dimensions its internal state has and, with it, roughly how many weights each layer holds. In turn, this reveals something about the overall model size, because a model’s width and depth typically grow proportionally.

The attack relies on simple linear algebra and on features of OpenAI’s public API (notably the logit-bias and log-probability options), which the researchers use to accelerate the attack. Overall, the attack cost amounted to just 800 US dollars in queries to ChatGPT.

After responsible disclosure, OpenAI confirmed that the extracted parameters were correct. The company went on to make changes to its API to render the attack more expensive, albeit not impossible.
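The linear-algebra core of the idea above, as an added, idealized example that is not the researchers’ code: every logit vector an API returns is the final layer W applied to some hidden state, so all observed logit vectors lie in a subspace whose dimension is the model’s width. Stacking enough queries into a matrix and taking its rank therefore reveals the width. The published attack works from the singular values of such a matrix built from real API responses and recovers W itself up to a linear transformation; this example stops at the width, uses a constructed random final layer in place of a real model, and computes an exact rank in pure Python because the toy is noise-free. All function names and the sizes 12 and 64 are the example’s own assumptions.

```python
import random


def make_toy_model(vocab: int, hidden: int, seed: int = 0):
    """Constructed stand-in for an LLM's final layer: a vocab x hidden matrix W.
    logits(h) is all an attacker gets to see for a prompt whose hidden state is h."""
    rng = random.Random(seed)
    W = [[rng.gauss(0.0, 1.0) for _ in range(hidden)] for _ in range(vocab)]

    def logits(h):
        return [sum(w * x for w, x in zip(row, h)) for row in W]

    return W, logits


def collect_logit_matrix(logits, hidden: int, n_prompts: int, seed: int = 1):
    """Simulate n_prompts API queries. The hidden state behind each prompt is
    unknown to the attacker (drawn at random here, a constructed stand-in for
    real prompts); only the returned logit vector is recorded."""
    rng = random.Random(seed)
    return [logits([rng.gauss(0.0, 1.0) for _ in range(hidden)])
            for _ in range(n_prompts)]


def matrix_rank(rows, tol: float = 1e-6) -> int:
    """Numerical rank by Gaussian elimination with partial pivoting.
    Used instead of an SVD so the example runs without numpy; on noisy
    real-world logits one would look for a gap in the singular values."""
    m = [row[:] for row in rows]
    n_rows, n_cols = len(m), len(m[0])
    rank = 0
    for col in range(n_cols):
        if rank == n_rows:
            break
        pivot = max(range(rank, n_rows), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < tol:
            continue                      # column already spanned by earlier pivots
        m[rank], m[pivot] = m[pivot], m[rank]
        pv = m[rank][col]
        for r in range(rank + 1, n_rows):
            f = m[r][col] / pv
            if f:
                m[r] = [a - f * b for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def recover_width(logit_matrix) -> int:
    """Each observed logit vector is W @ h, so the stacked queries have rank equal
    to the hidden width once both the number of prompts and the vocabulary
    exceed it. With fewer prompts than the width, the rank only equals the
    number of prompts, which tells the attacker to keep querying."""
    return matrix_rank(logit_matrix)


if __name__ == "__main__":
    HIDDEN, VOCAB = 12, 64            # constructed sizes, far smaller than a real LLM
    _, logits = make_toy_model(VOCAB, HIDDEN)
    observed = collect_logit_matrix(logits, HIDDEN, n_prompts=40)
    print("recovered width:", recover_width(observed))   # 12
```

The attacker never sees the hidden states, only the rows of the logit matrix; that is enough for the width, but it is also why the full attack can only pin down W up to an unknown invertible transformation of the hidden space.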

You can read an extended article here and find the paper and process here.

Artificial Bugs for Enhanced Cybersecurity

One-fifth of all cyberattacks target the financial sector, a share that is widely expected to rise. As cyberattacks become more frequent, the quantification and measurement of cyber risk and uncertainty will become pressing issues for policymakers.

ZISC supported research from Hans Gersbach and Fikri Pitsuwan that discusses the benefits of ‘bug bounty’ programmes, in which external agents are invited to search for a system’s vulnerabilities (bugs) in exchange for rewards (bounty). The researchers describe how the programmes work, illustrate various ways to implement them, and suggest augmenting existing programmes by inserting artificial bugs to enhance the incentives.

Read the whole article here or dive even deeper and read the whole research paper: Artificial Bugs for Bug Bounty.


Schwarz Group is the latest ZISC partner

ETH President Joël Mesot and Reinhold Geilsdörfer, Managing Director of the Dieter Schwarz Foundation. (Photograph: Valeriano Di Domenico)

Schwarz Group is the latest partner of the ZISC center. With almost 600,000 employees in more than 30 different countries, the Schwarz Group is among the top retail groups in the world. Based in Neckarsulm, Germany, its pillars in food retailing are Lidl and Kaufland.

Schwarz Digits, the group’s IT and digital division, offers products and services that comply with Germany’s strict data protection standards. Its brands include STACKIT, which offers scalable cloud services built to European data security standards, and XM Cyber, a leading provider of hybrid cloud security solutions such as continuous threat exposure management.

The ZISC partnership of Schwarz Group is part of a larger collaboration between ETH Zurich and the Dieter Schwarz Foundation, who have signed a far-reaching letter of intent to establish a new teaching and research centre for responsible digital transformation with a global reach. Thanks to the foundation’s donations, new professorships are to be created both in Zurich and on the foundation’s teaching campus in Heilbronn.

The collaboration between ETH Zurich and the Dieter Schwarz Foundation focuses on topics such as artificial intelligence, cybersecurity, bioinformatics and the circular economy. “International collaboration is needed more than ever in these areas,” says Joël Mesot (ETH President). It is precisely this kind of networking that the teaching campus in Heilbronn aims to foster. The ZISC center takes the lead in driving the cybersecurity dimension.

The Zurich Information Security and Privacy Center is very proud of this new collaboration and excited to bring these plans to life.

More details can be found in the article here.


Ahoi Attacks: Disrupting TEEs with Malicious Notifications

Over the past decade, hardware manufacturers have introduced special support to enable cloud users to safely perform computation on untrusted cloud deployments. This technology, called confidential computing, gives cloud users guarantees about which application they are executing, together with confidentiality and integrity for its data. Currently, confidential computing is employed across various sectors including finance, healthcare, and government, where the need to maintain data privacy and integrity is paramount.

State-of-the-art confidential computing solutions, Intel TDX and AMD SEV-SNP, allow users to create confidential VMs that are managed by cloud-provider-controlled software called the hypervisor. Researchers from the SECTRS group have now discovered a new class of attacks, dubbed Ahoi attacks, that exploit vulnerabilities in the notification framework of Intel TDX and AMD SEV-SNP. Specifically, the cloud-provider-controlled hypervisor sends malicious notifications (called interrupts) to the confidential VMs to compromise their security (see the explainer video). Using these vulnerabilities the researchers demonstrate two concrete attacks: Heckler and WeSee.

When a confidential VM receives an interrupt, it executes a corresponding interrupt handler that performs interrupt-specific tasks (e.g., updating memory values, setting global state). In Heckler, the researchers use legacy interrupts in confidential VMs to arbitrarily trigger interrupt handlers that change the global state of a security-sensitive application. For example, they demonstrate an attack on Intel TDX and AMD SEV-SNP that bypasses the authentication flow in the confidential VMs to gain uncontrolled access to all code and data. The researchers responsibly reported these vulnerabilities to Intel and AMD. The hardware vendors acknowledged the report, and the vulnerabilities are tracked under two CVEs: CVE-2024-25744 and CVE-2024-25743. For more details check out the paper to appear at USENIX Security ’24 below.

HECKLER: Breaking Confidential VMs with Malicious Interrupts
Benedict Schlüter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde

With the second attack, called WeSee, the researchers demonstrate attacks using vulnerabilities in the handling of the #VC (VMM Communication) exception that AMD SEV-SNP confidential VMs must handle themselves with a dedicated #VC handler. The researchers show that a malicious hypervisor can build expressive attacks by arbitrarily injecting #VC into the confidential VM. For example, with WeSee the researchers build an attack that allows the attacker to gain complete privileged control of the confidential VM. The researchers responsibly disclosed the vulnerability to AMD, who acknowledged the attack. The vulnerability is tracked under CVE-2024-25742. For more details check out the paper to appear at IEEE S&P ’24 below.

WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP
Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, Shweta Shinde

These attacks highlight the need to carefully examine both legacy and newly added features for confidential computing. Ahoi attacks show the need to revamp the long-ignored notification frameworks of these confidential computing solutions. In light of these attacks, hardware vendors should rethink this vital notification framework and introduce native primitives for secure notification delivery to CVMs.
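The mechanism behind Heckler, and the kind of guest-side gate the last paragraph calls for, as an added toy model that is not code from the Heckler or WeSee papers: the hypervisor is allowed to deliver interrupt vectors into the guest, the guest runs whatever handler is registered for that vector, and the handler changes register state that the victim application never expected to be touched. The example assumes the legacy int 0x80 syscall vector as its legacy interrupt, a constructed one-entry syscall table, and a hypothetical per-guest allow-list of vectors standing in for a “native primitive for secure notification delivery”; which vectors and register effects the real attacks use is in the papers, not here.

```python
from dataclasses import dataclass, field

VEC_LEGACY_SYSCALL = 0x80    # int 0x80, the legacy 32-bit syscall vector (assumed)
VEC_TIMER = 0x20             # a vector this guest expects to receive (constructed)
ENOSYS = (-38) & 0xFFFFFFFFFFFFFFFF   # -ENOSYS as an unsigned 64-bit register value

# Constructed syscall table: number 1 is a call that reports success by returning 0.
TOY_SYSCALLS = {1: lambda: 0}


@dataclass
class Guest:
    """Minimal confidential-VM state: one register and the vectors it agreed to."""
    rax: int = 0                                    # syscall number in, result out
    allowed: set = field(default_factory=lambda: {VEC_TIMER})
    enforce_allowlist: bool = False                 # hardened mode on/off


def handle_legacy_syscall(g: Guest) -> None:
    """Guest handler for vector 0x80. Like a legacy syscall entry it treats the
    current rax as a syscall number and overwrites rax with the call's result,
    regardless of what the interrupted code was using rax for."""
    g.rax = TOY_SYSCALLS.get(g.rax, lambda: ENOSYS)()


HANDLERS = {VEC_LEGACY_SYSCALL: handle_legacy_syscall}


def inject_interrupt(g: Guest, vector: int) -> bool:
    """Hypervisor-side injection. Returns True if the guest ran a handler.
    The allow-list check is the hypothetical hardening: a guest that only
    accepts vectors it registered for drops the malicious notification."""
    if g.enforce_allowlist and vector not in g.allowed:
        return False
    handler = HANDLERS.get(vector)
    if handler is None:
        return False
    handler(g)
    return True


def login_attempt(password: str, inject: bool = False, hardened: bool = False) -> bool:
    """Victim application inside the CVM; True means the login was accepted.
    `inject` models a hypervisor that times an int 0x80 between the password
    comparison and the branch that consumes its result."""
    stored = "correct horse"                        # constructed credential
    g = Guest(enforce_allowlist=hardened)
    g.rax = 0 if password == stored else 1          # compare result lands in rax
    if inject:
        inject_interrupt(g, VEC_LEGACY_SYSCALL)     # handler rewrites rax mid-flight
    return g.rax == 0                               # the branch trusts rax


if __name__ == "__main__":
    print("wrong password, no injection :", login_attempt("wrong"))
    print("wrong password, injected 0x80:", login_attempt("wrong", inject=True))
    print("same, hardened guest         :", login_attempt("wrong", inject=True, hardened=True))
```

The point the toy makes is structural: the application is not buggy, the handler is not buggy, and yet the composition is exploitable because nothing in the guest verifies that a notification was expected before acting on it. That is why the fix belongs in the notification path rather than in any single application.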

To know more read the full news article here.

Professor Ueli Maurer chosen as SATW member

For his fundamental contributions to cryptography and information security, Professor Ueli Maurer from the Institute of Theoretical Computer Science has been appointed Full Member of the Swiss Academy of Engineering Sciences (SATW).

The Swiss Academy of Engineering Sciences (SATW) is the most important network of experts for engineering sciences in Switzerland and is in contact with the highest Swiss bodies for science, politics and industry. The network comprises elected individual members, member organisations and experts. Individual members are outstanding experts from the fields of education, research, commerce and industry, and politics.

Ueli Maurer is Full Professor of Computer Science at the Department of Computer Science at ETH Zurich. He heads the Information Security and Cryptography research group at the Institute of Theoretical Computer Science. Maurer’s research interests include information security, the theory and applications of cryptography, applications like digital signatures, public-​key infrastructures, digital payment systems, and e-​voting, the management of trust and digital evidence, mathematical security proofs, theoretical computer science, discrete mathematics, and information theory.

Congratulations!


You can read the whole article here.