Events & News

ZISC organizes a number of events. The annual ZISC Workshop brings together leading experts to present and discuss their latest research results on chosen information security and privacy topics. The weekly ZISC Lunch Seminar presentations illustrate the research done at the affiliated research groups and invite exciting speakers from other research institutes and companies.

Latest News

Schwarz Group is the latest ZISC partner

ETH President Joël Mesot and Reinhold Geilsdörfer, Managing Director of the Dieter Schwarz Foundation. (Photograph: Valeriano Di Domenico)

Schwarz Group is the latest partner of the ZISC center. With almost 600,000 employees in more than 30 different countries, the Schwarz Group is among the top retail groups in the world. Based in Neckarsulm, Germany, its pillars in food retailing are Lidl and Kaufland.

Schwarz Digits, the group's IT and digital division, offers compelling products and services that comply with Germany’s strict data protection standards. Its brands include STACKIT, which offers scalable, innovative cloud services with European data security standards, and XM Cyber, which is a leading provider of hybrid cloud security solutions such as continuous threat exposure management systems.

The ZISC partnership of Schwarz Group is part of a larger collaboration between ETH Zurich and the Dieter Schwarz Foundation, which have signed a far-reaching letter of intent to establish a new teaching and research centre for responsible digital transformation with a global reach. Thanks to the foundation’s donations, new professorships are to be created both in Zurich and on the foundation’s teaching campus in Heilbronn.

The collaboration between ETH Zurich and the Dieter Schwarz Foundation focuses on topics such as artificial intelligence, cybersecurity, bioinformatics and the circular economy. “International collaboration is needed more than ever in these areas,” says Joël Mesot (ETH President). It is precisely this kind of networking that the teaching campus in Heilbronn aims to foster. The ZISC center takes the lead in driving the cybersecurity dimension.

The Zurich Information and Security Center is very proud of this new collaboration and excited to bring these plans to life.

More details can be found in the article here.

Ahoi Attacks: Disrupting TEEs with Malicious Notifications

Over the past decade, hardware manufacturers have introduced special support to enable cloud users to safely perform computation on untrusted cloud deployments. This technology, called confidential computing, provides cloud users with guarantees about the applications that they execute and confidentiality and integrity for the data. Currently, confidential computing is employed across various sectors including finance, healthcare, and government, where the need to maintain data privacy and integrity is paramount.

State-of-the-art confidential computing solutions Intel TDX and AMD SEV-SNP allow users to create confidential VMs that are managed by cloud-provider-controlled software called the hypervisor. Researchers from the SECTRS group have now discovered a new class of attacks, dubbed Ahoi attacks, that exploit vulnerabilities in the notification framework in Intel TDX and AMD SEV-SNP. Specifically, the cloud-provider-controlled hypervisor sends malicious notifications (called interrupts) to the confidential VMs to compromise their security (see the explainer video). Using this vulnerability, the researchers demonstrate two concrete attacks: Heckler and WeSee.

When a confidential VM receives an interrupt, it executes a corresponding interrupt handler that performs interrupt-specific tasks (e.g., updating memory values, setting global state). In Heckler, the researchers use legacy interrupts in confidential VMs to arbitrarily trigger interrupt handlers that change the global state of a security-sensitive application. For example, they demonstrate an attack on Intel TDX and AMD SEV-SNP that bypasses the authentication flow in the confidential VMs to gain uncontrolled access to all code and data. The researchers responsibly reported these vulnerabilities to Intel and AMD. The hardware vendors acknowledged the report, and the vulnerabilities are tracked under two CVEs: CVE-2024-25744 and CVE-2024-25743. For more details, check out the paper to appear at USENIX Security ’24 below.

HECKLER: Breaking Confidential VMs with Malicious Interrupts
Benedict Schlüter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde

With the second attack, called WeSee, the researchers demonstrate attacks using vulnerabilities in a newly introduced interrupt (#VC) for AMD SEV-SNP. With the new interrupt, AMD SEV-SNP also introduces a new handler for #VC. The researchers show that a malicious hypervisor can build expressive attacks by arbitrarily injecting #VC into the confidential VM. For example, with WeSee the researchers build an attack that allows the attacker to gain complete privileged control of the confidential VM. The researchers responsibly disclosed the vulnerability to AMD, which acknowledged the attack. The vulnerability is tracked under CVE-2024-25742. For more details, check out the paper to appear at IEEE S&P ’24 below.

WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP
Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, Shweta Shinde

These attacks highlight the need to carefully examine both legacy and newly added features for confidential computing. Ahoi attacks show the need to revamp the long-ignored notification frameworks of these confidential computing solutions. In light of these attacks, hardware vendors should rethink this vital notification framework and introduce native primitives for secure notification delivery to CVMs.

To learn more, read the full news article here.

Professor Ueli Maurer chosen as SATW member

For his fundamental contributions to cryptography and information security, Professor Ueli Maurer from the Institute of Theoretical Computer Science has been appointed Full Member of the Swiss Academy of Engineering Sciences (SATW).

The Swiss Academy of Engineering Sciences SATW is the most important network of experts for engineering sciences in Switzerland and is in contact with the highest Swiss bodies for science, politics and industry. The network comprises elected individual members, member organisations and experts. Individual members are outstanding experts from the fields of education, research, commerce and industry and politics.

Ueli Maurer is Full Professor of Computer Science at the Department of Computer Science at ETH Zurich. He heads the Information Security and Cryptography research group at the Institute of Theoretical Computer Science. Maurer’s research interests include information security, the theory and applications of cryptography, applications like digital signatures, public-key infrastructures, digital payment systems, and e-voting, the management of trust and digital evidence, mathematical security proofs, theoretical computer science, discrete mathematics, and information theory.

Congratulations!

You can read the whole article here.

Impressions from the ZISC 20-year anniversary celebration!

Zurich Information Security and Privacy Center (ZISC) was established in 2003 to bring academia and industry together to address the information security challenges of tomorrow. Today, this mission remains more relevant than ever.

On March 6, 2024, we celebrated the 20 years of the ZISC center with a special event and a networking Apero at ETH Zurich’s Audi Max and Dozentenfoyer.

At the event, Prof. Srdjan Capkun, the Chair of the center, provided a brief history of the center and an overview of its main achievements. This talk included many research highlights contributed by ZISC researchers over the years.

The keynote speaker of the event was Prof. Adi Shamir, who is a Turing Award winner and one of the founders of modern cryptography. Adi Shamir has made numerous significant contributions to the fields of information security and privacy. At this event he talked about his latest work regarding attacks on AI models.

In addition, the audience heard research talks from Prof. Kenny Paterson and Prof. Florian Tramèr, both from ETH Zurich and part of the ZISC faculty. Kenny Paterson is a renowned expert in applied cryptography, and his talk focused on attacks on end-to-end encrypted cloud storage systems. Florian Tramèr is an expert in AI security and privacy. His talk included fascinating examples of security issues in large language models.

The industry talk of the event was given by Mona Vij from Intel Labs. She is a well-known expert on secure cloud computing and trusted execution environments. Her talk provided valuable insights on where the industry is heading with these important technologies.

Finally, the event included a panel discussion hosted by Srdjan Capkun. The panelists included Kenny Paterson, Mona Vij, Adi Shamir and Florian Schütz, who is the Director of the Swiss National Cyber Security center, acting there as a contact point for politicians, media and the general public in various matters of cyber security. The panel discussion touched upon many challenging and controversial topics, including surveillance and interception of encrypted communication, existential risks of AI, and practical usefulness of quantum key distribution.

The event was hosted by Dr. Kari Kostiainen, who is the Director of the ZISC center.

The evening ended with a networking Apero at the Dozentenfoyer of ETH Zurich. The ZISC center would like to thank all the people who joined us for this special celebration. The ZISC center would also like to thank its sponsors for all the support over the past 20 years. Thank you!