(u)arch Security Research
(Micro-)Architectural Security Papers
Tier 1 Conferences
- S&P (Oakland): IEEE Symposium on Security and Privacy
- CCS: ACM Conference on Computer and Communications Security
- USENIX Security: USENIX Security Symposium
- NDSS: ISOC Network and Distributed System Security Symposium
Why start at 2018? Because Meltdown, Spectre and MDS emerged, opening a new era of (micro-)architectural security.
2023
IEEE S&P
... to be added
ACM CCS
... to be added
USENIX Security
- BunnyHop: Exploiting the Instruction Prefetcher
- NVLeak: Off-Chip Side-Channel Attacks via Non-Volatile Memory Systems
- (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels
- Side-Channel Attacks on Optane Persistent Memory
- ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions
- CacheQL: Quantifying and Localizing Cache Side-Channel Vulnerabilities in Production Software
- The Gates of Time: Improving Cache Attacks with Transient Execution
- Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M
- Understanding RDMA Microarchitecture Resources for Performance Isolation
NDSS
... to be added
2022
IEEE S&P
- vSGX: Virtualizing SGX Enclaves on AMD SEV
- A Systematic Look at Ciphertext Side Channels on AMD SEV-SNP
- RT-TEE: Real-time System Availability for Cyber-physical Systems using ARM TrustZone
- A Secret-Free Hypervisor: Rethinking Isolation in the Age of Speculative Vulnerabilities
- Smile: Secure Memory Introspection for Live Enclave
- SoK: Practical Foundations for Software Spectre Defenses
- SpecHammer: Combining Spectre and Rowhammer for New Speculative Attacks
- BLACKSMITH: Scalable Rowhammering in the Frequency Domain
- Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution
- ProTRR: Principled yet Optimal In-DRAM Target Row Refresh
- Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors
- Adversarial Prefetch: New Cross-Core Cache Side Channel Attacks
- Finding and Exploiting CPU Features using MSR Templating
- Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest
- MeshUp: Stateless Cache Side-channel Attack on CPU Mesh
- Mind the Gap: Studying the Insecurity of Provably Secure Embedded Trusted Execution Architectures
- Hardening Circuit-Design IP Against Reverse-Engineering Attacks
ACM CCS
- ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning
- Automatic Detection of Speculative Execution Combinations
- CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation
- Cerberus: A Formal Approach to Secure and Efficient Enclave Memory Sharing
- Discovering IoT Physical Channel Vulnerabilities
- Frequency Throttling Side-Channel Attack
- HammerScope: Observing DRAM Power Consumption Using Rowhammer
- HyperDbg: Reinventing Hardware-Assisted Debugging
- Low-Latency Hardware Private Circuits
- Microarchitectural Leakage Templates and Their Application to Cache-Based Side Channels
- On the Success Rate of Side-Channel Attacks on Masked Implementations
- PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
- PalanTír: Optimizing Attack Provenance with Hardware-enhanced System Observability
- Power Contracts: Provably Complete Power Leakage Models for Processors
- SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities
- StrongBox: A GPU TEE on Arm Endpoints
- What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation
- When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer
USENIX Security
- SecSMT: Securing SMT Processors against Contention-Based Covert Channels
- Rapid Prototyping for Microarchitectural Attacks
- Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel
- AMD Prefetch Attacks through Power and Time
- Elasticlave: An Efficient Memory Model for Enclaves
- Hiding in Plain Sight? On the Efficacy of Power Side Channel-Based Control Flow Monitoring
- SGXLock: Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX
- Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
- Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing
- HyperDegrade: From GHz to MHz Effective CPU Frequencies
- RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices
- GAROTA: Generalized Active Root-Of-Trust Architecture (for Tiny Embedded Devices)
- ReZone: Disarming TrustZone with TEE Privilege Reduction
- Double Trouble: Combined Heterogeneous Attacks on Non-Inclusive Cache Hierarchies
- Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design
- TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering
- Minefield: A Software-only Protection for SGX Enclaves against DVFS Attacks
- In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication
- Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks
- Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses
- A Hardware-Software Co-design for Efficient Intra-Enclave Isolation
- Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds
- Fuzzing Hardware Like Software
- ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture
- Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
- Piranha: A GPU Platform for Secure Computation
- Binoculars: Contention-Based Side-Channel Attacks Exploiting the Page Walker
- CellIFT: Leveraging Cells for Scalable and Precise Dynamic Information Flow Tracking in RTL
- SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing
- Composable Cachelets: Protecting Enclaves from Cache Side-Channel Attacks
- Don't Mesh Around: Side-Channel Attacks and Mitigations on Mesh Interconnects
NDSS
- FANDEMIC: Firmware Attack Construction and Deployment on Power Management Integrated Circuit and Impacts on IoT Applications
- Hybrid Trust Multi-party Computation with Trusted Execution Environment
- SynthCT: Towards Portable Constant-Time Code
- Chunked-Cache: On-Demand and Scalable Cache Isolation for Security Architectures
- Remote Memory-Deduplication Attacks
- DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting
- Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
- Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators
- D-Box: DMA-enabled Compartmentalization for Embedded Applications
2021
IEEE S&P
- Invisible Probe: Timing Attacks with PCIe Congestion Side-channel
- CacheOut: Leaking Data on Intel CPUs via Cache Evictions
- PLATYPUS: Software-based Power Side-Channel Attacks on x86
- Randomized Last-Level Caches Are Still Vulnerable to Cache Side-Channel Attacks! But We Can Fix It
- Systematic Analysis of Randomization-based Protected Cache Architectures
- DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs
- CrossTalk: Speculative Data Leaks Across Cores Are Real
- High-Assurance Cryptography in the Spectre Era
ACM CCS
- Exorcising Spectres with Secure Compilers
- SNIPUZZ: Black-box Fuzzing of IoT Firmware via Message Snippet Inference
- PPE Circuits for Rational Polynomials
- CROSSLINE: Breaking "Security-by-Crash" based Memory Isolation in AMD SEV
- Hardware Support to Improve Fuzzing Performance and Precision
- Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization
- PalmTree: Learning an Assembly Language Model for Instruction Embedding
- HyperFuzzer: An Efficient Hybrid Fuzzer For Virtual CPUs
- Aion: Enabling Open Systems through Strong Availability Guarantees for Enclaves
- Prime+Scope: Overcoming the Observer Effect for High-Precision Cache Contention Attacks
- SmashEx: Smashing SGX Enclaves Using Exceptions
USENIX Security
- An Analysis of Speculative Type Confusion Vulnerabilities in the Wild
- Virtual Secure Platform: A Five-Stage Pipeline Processor over TFHE
- VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface
- CURE: A Security Architecture with CUstomizable and Resilient Enclaves
- On the Design and Misuse of Microcoded (Embedded) Processors — A Cautionary Note
- Automatic Extraction of Secrets from the Transistor Jungle using Laser-Assisted Side-Channel Attacks
- Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical
- Coco: Co-Design and Co-Verification of Masked Software Implementations on CPUs
- SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript
- Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses
- Swivel: Hardening WebAssembly against Spectre
- DOLMA: Securing Speculation with the Principle of Transient Non-Observability
- CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel
- Cross-VM and Cross-Processor Covert Channels Exploiting Processor Idle Power Management
- Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend
NDSS
- PhantomCache: Obfuscating Cache Conflicts with Localized Randomization
- SpecTaint: Speculative Taint Analysis for Discovering Spectre Gadgets
- Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE
- From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware
2020
IEEE S&P
- Spectector: Principled Detection of Speculative Information Flows
- NetCAT: Practical Cache Attacks from the Network
- SpecCFI: Mitigating Spectre Attacks using CFI Informed Speculation
- LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection
- RAMBleed: Reading Bits in Memory Without Accessing Them
- Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers
- Leveraging EM Side-Channel Information to Detect Rowhammer Attacks
- TRRespass: Exploiting the Many Sides of Target Row Refresh
- SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems
- Enabling Rack-scale Confidential Computing using Heterogeneous Trusted Execution Environment
- Plundervolt: Software-based Fault Injection Attacks against Intel SGX
- Transys: Leveraging Common Security Properties Across Hardware Designs
- C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage
- ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans
ACM CCS
- InSpectre: Breaking and Fixing Microarchitectural Vulnerabilities by Formal Analysis
- TRUSTORE: Side-Channel Resistant Storage for SGX using Intel Hybrid CPU-FPGA
- FirmRay: Detecting BLE Link Layer Vulnerabilities from Configurations in Bare-Metal Firmware
- Cache-in-the-Middle (CITM) Attacks: Manipulating Sensitive Data in Isolated Execution Environments
- Speculative Probing: Hacking Blind in the Spectre Era
- SNI-in-the-head: Protecting MPC-in-the-head Protocols against Side-channel Analysis
- Déjà vu: Side-channel analysis of Mozilla’s NSS
USENIX Security
- Civet: An Efficient Java Partitioning Framework for Hardware Enclaves
- PHMon: A Programmable Hardware Monitor and Its Security Use Cases
- BesFS: A POSIX Filesystem for Enclaves with a Mechanized Safety Proof
- Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures
- HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments
- TPM-FAIL: TPM meets Timing and Lattice Attacks
- P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling
- An Off-Chip Attack on Hardware Enclaves via the Memory Bus
- PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
- HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
- BigMAC: Fine-Grained Policy Analysis of Android Firmware
- SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
- The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
- RELOAD+REFRESH: Abusing Cache Replacement Policies to Perform Stealthy Cache Attacks
- FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware
- TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves
- Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis
- V0LTpwn: Attacking x86 Processor Integrity from Software
- COUNTERFOIL: Verifying Provenance of Integrated Circuits using Intrinsic Package Fingerprints and Inexpensive Cameras
NDSS
- µRAI: Securing Embedded Systems with Return Address Integrity
- ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures
- PhantomCache: Obfuscating Cache Conflicts with Localized Randomization
- Mind the Portability: A Warriors Guide through Realistic Profiled Side-channel Analysis
- SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities
- ConTExT: A Generic Approach for Mitigating Spectre
2019
IEEE S&P
- Spectre Attacks: Exploiting Speculative Execution
- SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security
- Theory and Practice of Finding Eviction Sets
- Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks
- Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives
- RIDL: Rogue In-Flight Data Load
- The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
- CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation
- The Code That Never Ran: Modeling Attacks on Speculative Evaluation
ACM CCS
- A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes
- DeMiCPU: Device Fingerprinting with Magnetic Signals Radiated by CPU
- Fallout: Leaking Data on Meltdown-resistant CPUs
- OPERA: Open Remote Attestation for Intel’s Secure Enclaves
- Page Cache Attacks
- SecTEE: A Software-based Approach to Secure Enclave Architecture Using TEE
- Towards Memory Safe Enclave Programming with Rust-SGX
- VeriSketch: Synthesizing Secure Hardware Designs with Timing-Sensitive Information Flow Properties
- VoltJockey: Breaching TrustZone by Software-Controlled Voltage Manipulation over Multi-core Frequencies
- Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack
- ZombieLoad: Cross-Privilege-Boundary Data Sampling
USENIX Security
- Robust Website Fingerprinting Through the Cache Occupancy Channel
- HardFails: Insights into Software-Exploitable Hardware Bugs
- A Systematic Evaluation of Transient Execution Attacks and Defenses
- Terminal Brain Damage: Exposing the Graceless Degradation in Deep Neural Networks Under Hardware Fault Attacks
NDSS
- Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing
- TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V
- TEE-aided Write Protection Against Privileged Data Tampering
- ExSpectre: Hiding Malware in Speculative Execution
- SANCTUARY: ARMing TrustZone with User-space Enclaves
- OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX
2018
IEEE S&P
- Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU
- FPGA-Based Remote Power Side-Channel Attacks
- Another Flip in the Wall of Rowhammer Defenses
- EnclaveDB: A Secure Database Using SGX
ACM CCS
- Unveiling Hardware-based Data Prefetcher, a Hidden Source of Information Leakage
- HyperFlow: A High-Assurance Processor Architecture for Practical Timing-Safe Information Flow Security
- Ohm's Law in Data Centers: A Voltage Side Channel for Timing Power Attacks
- Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86
- Practical state recovery attacks against legacy RNG implementations
- ret2spec: Speculative Execution Using Return Stack Buffers
- Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic
- Rendered Insecure: GPU side channel attacks are practical
- An Exploratory Analysis of Microcode as a Building Block for System Defenses
USENIX Security
- Meltdown: Reading Kernel Memory from User Space
- Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
- Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks
NDSS
- What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices (Marius Muench, EURECOM)
- ZeroTrace: Oblivious Memory Primitives from Intel SGX
- Securing Real-Time Microcontroller Systems through Customized Memory View Switching
- OBLIVIATE: A Data Oblivious Filesystem for Intel SGX
Before 2018
IEEE S&P
... to be added
ACM CCS
... to be added
USENIX Security
- Towards Practical Tools for Side Channel Aware Software Engineering: 'Grey Box' Modelling for Instruction Leakages
- Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
- CacheD: Identifying Cache-Based Timing Channels in Production Software
... to be added
NDSS
... to be added