2023

• ISCA 2023

  • ISA-Grid: Architecture of Fine-grained Privilege Control for Instructions and Registers

  • Metior: A Comprehensive Model to Evaluate Obfuscating Side-Channel Defense Schemes

  • Doppelganger Loads: A Safe, Complexity-Effective Optimization for Secure Speculation Schemes

  • Pensieve: Microarchitectural Modeling for Security Evaluation

  • All your PC are belong to us: Exploiting Non-control-transfer Instruction BTB Updates for Dynamic PC Extraction

• ASPLOS 2023

  • AfterImage: Leaking Control Flow and Tracking Load Operations via the Hardware Prefetcher

  • Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers

  • Untangle: A Principled Framework to Design Low-Leakage, High-Performance Dynamic Partitioning Schemes

• S&P 2023

  • SQUIP: Exploiting the Scheduler Queue Contention Side Channel

2022

• MICRO 2022

  • CRONUS: Fault-Isolated, Secure and High-Performance Heterogeneous Computing for Trusted Execution Environments

  • Revisiting Residue Codes for Modern Memories

  • PageORAM: An Efficient DRAM Page Aware ORAM Strategy

  • AQUA: Scalable Rowhammer Mitigation by Quarantining Aggressor Rows at Runtime

  • SwiftDir: Secure Cache Coherence Without Overprotection

  • Leaky Way: A Conflict-Based Cache Covert Channel Bypassing Set Associativity

  • Eager Memory Cryptography in Caches

  • Self-Reinforcing Memoization for Cryptography Calculations in Secure Memory Systems

• ISCA 2022

  • Securing GPU via region-based bounds checking

  • Axiomatic Hardware-Software Contracts for Security

    • codes

  • PPMLAC: High Performance Chipset Architecture for Secure Multi-Party Computation

  • INSPIRE: In-Storage Private Information Retrieval via Protocol and Architecture Co-design

  • SoftVN: Efficient Memory Protection via Software-Provided Version Numbers

  • CraterLake: A Hardware Accelerator for Efficient Unbounded Computation on Encrypted Data

  • PS-ORAM: Efficient Crash Consistency Support for Oblivious RAM on NVM

  • There's Always a Bigger Fish: A Clarifying Analysis of a Machine-Learning-Assisted Side-Channel Attack

  • MOESI-prime: Preventing Coherence-Induced Hammering in Commodity Workloads

  • PACMAN: Attacking ARM Pointer Authentication with Speculative Execution

    • website

  • MGX: Near-Zero Overhead Memory Protection for Data-Intensive Accelerators

  • Hydra: Enabling Low-Overhead Mitigation of Row-Hammer at Ultra-Low Thresholds via Hybrid Tracking

  • BTS: An Accelerator for Bootstrappable Fully Homomorphic Encryption

• HPCA 2022

  • Leaky Frontends: Security Vulnerabilities in Processor Frontends

    • codes

  • DPrime+DAbort: A High-Precision and Timer-Free Directory-Based Side-Channel Attack in Non-Inclusive Cache Hierarchies using Intel TSX

  • Abusing Cache Line Dirty States to Leak Information in Commercial Processors

    • codes

  • unXpec: Breaking Undo-Based Safe Speculation

    • codes
    • slides

  • Adaptive Security Support for Heterogeneous Memory on GPUs

  • TNPU: Supporting Trusted Execution with Tree-Less Integrity Protection for Neural Processing Unit

    • slides

  • SecNDP: Secure Near-Data Processing with Untrusted Memory

  • HyBP: Hybrid Isolation-Randomization Secure Branch Predictor

  • IR-ORAM: Path Access Type Based Memory Intensity Reduction for Path-ORAM

  • SafeGuard: Reducing the Security Risk from Row-Hammer via Low-Cost Integrity Protection

• ASPLOS 2022

  • Pinned Loads: Taming Speculative Loads in Secure Processors

    • codes

  • DAGguise: Mitigating Memory Timing Side Channels

    • codes
    • slides

  • SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-chip Secrets

  • Randomized Row-Swap: Mitigating Row Hammer by Breaking Spatial Correlation Between Aggressor and Victim Rows

    • slides

  • ShEF: Shielded Enclaves for Cloud FPGAs

  • Invisible Bits: Hiding Secret Messages in SRAM’s Analog Domain

• CCS 2022

  • ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning

  • Automatic Detection of Speculative Execution Combinations

  • Cache Refinement Type for Side-Channel Detection of Cryptographic Software

  • Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels

• S&P 2022

  • A Secret-Free Hypervisor: Rethinking Isolation in the Age of Speculative Vulnerabilities

  • SoK: Practical Foundations for Software Spectre Defenses

  • Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors

  • Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks

  • Finding and Exploiting CPU Features using MSR Templating

  • Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest

  • MeshUp: Stateless Cache Side-channel Attack on CPU Mesh

    • codes

  • Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors

  • SpecHammer: Combining Spectre and Rowhammer for New Speculative Attacks

  • Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution

• SEC 2022

  • Hiding in Plain Sight? On the Efficacy of Power Side Channel-Based Control Flow Monitoring

  • Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

  • Binoculars: Contention-Based Side-Channel Attacks Exploiting the Page Walker

  • Jenny: Securing Syscalls for PKU-based Memory Isolation Systems

  • Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks

  • TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering

  • Double Trouble: Combined Heterogeneous Attacks on Non-Inclusive Cache Hierarchies

    • codes

  • SecSMT: Securing SMT Processors against Contention-Based Covert Channels

  • AMD Prefetch Attacks through Power and Time

  • Rapid Prototyping for Microarchitectural Attacks

  • Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses

  • HyperDegrade: From GHz to MHz Effective CPU Frequencies

  • Don't Mesh Around: Side-Channel Attacks and Mitigations on Mesh Interconnects

  • Composable Cachelets: Protecting Enclaves from Cache Side-Channel Attacks

  • RETBLEED: Arbitrary Speculative Code Execution with Return Instructions

  • Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel

• NDSS 2022

  • Remote Memory-Deduplication Attacks

  • Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures

  • KASPER: Scanning for Generalized Transient Execution Gadgets in the Linux

2021

• MICRO 2021

  • UC-Check: Characterizing Micro-Operation Caches in x86 Processors and Implications in Security and Performance

    • codes

  • Network-on-Chip Microarchitecture-Based Covert Channel in GPUs

  • Validation of Side-Channel Models via Observation Refinement

  • GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation

  • Speculative Privacy Tracking (SPT): Leaking Information From Speculative Execution Without Compromising Privacy

• ISCA 2021

  • Opening Pandora's Box: A Systematic Study of New Ways Microarchitecture Can Leak Private Data

  • I See Dead μops: Leaking Secrets via Intel/AMD Micro-Op Caches

  • TimeCache: Using Time to Eliminate Cache Side Channels when Sharing Software

  • IntroSpectre: A Pre-Silicon Framework for Discovery and Analysis of Transient Execution Vulnerabilities

  • Maya: Using Formal Control to Obfuscate Power Side Channels

  • Demystifying the System Vulnerability Stack: Transient Fault Effects Across the Layers

  • No-FAT: Architectural Support for Low Overhead Memory Safety Checks

  • Leaky Buddies: Cross-Component Covert Channels on Integrated CPU-GPU Systems

  • IChannels: Exploiting Current Management Mechanisms to Create Covert Channels in Modern Processors

  • ZeRØ: Zero-Overhead Resilient Operation Under Pointer Integrity Attacks

• ASPLOS 2021

  • PIBE: Practical Kernel Control-Flow Hardening with Profile-Guided Indirect Branch Elimination

  • Computing with Time: Microarchitectural Weird Machines

  • HerQules: Securing Programs via Hardware-Enforced Message Queues

  • Speculative Interference Attacks: Breaking Invisible Speculation Schemes

  • Jamais Vu: Thwarting Microarchitectural Replay Attacks

  • Streamline: A Fast, Flushless Cache Covert-Channel Attack by Enabling Asynchronous Collusion

• HPCA 2021

  • Common Counters: Compressed Encryption Counters for Secure GPU Memory

  • Streamline Ring ORAM Accesses through Spatial and Temporal Optimization

  • New Models for Understanding and Reasoning about Speculative Execution Attacks

  • Heat Behind the Meter: A Hidden Threat of Thermal Attacks in Edge Colocation Data Centers

  • Trident: A Hybrid Correlation-Collision GPU Cache Timing Attack for AES Key Recovery

• CCS 2021

  • Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks

  • Exorcising Spectres with Secure Compilers

• SEC 2021

  • Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

  • Cross-VM and Cross-Processor Covert Channels Exploiting Processor Idle Power Management

  • Database Reconstruction from Noisy Volumes: A Cache Side-Channel Attack on SQLite

  • MIRAGE: Mitigating Conflict-Based Cache Attacks with a Practical Fully-Associative Design

  • DOLMA: Securing Speculation with the Principle of Transient Non-Observability

  • Osiris: Automated Discovery of Microarchitectural Side Channels

  • Swivel: Hardening WebAssembly against Spectre

  • Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

• S&P 2021

  • Invisible Probe: Timing Attacks with PCIe Congestion Side-channel

  • CacheOut: Leaking Data on Intel CPUs via Cache Evictions

  • PLATYPUS: Software-based Power Side-Channel Attacks on x86

  • Randomized Last-Level Caches Are Still Vulnerable to Cache Side-Channel Attacks! But We Can Fix It

  • Systematic Analysis of Randomization-Based Protected Cache Architectures

  • CrossTalk: Speculative Data Leaks Across Cores Are Real

  • Hardware-Software Contracts for Secure Speculation

  • High-Assurance Cryptography in the Spectre Era

• NDSS 2021

  • PhantomCache: Obfuscating Cache Conflicts with Localized Randomization

  • SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets

  • Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE