Spectre v2 is back again! Disclosing "Training Solo": 3 new self-training attack classes, 2 end-to-end exploits, and 2 new hardware issues that break domain isolation even when implemented perfectly. Joint work by @SanWieb @c_giuffrida:

RT @hammertux: [1/3] Turns out those old MDS gadgets have new life. In our latest paper at @IEEESSP , we show how attackers can construct….

Congratulations to @vustudsec for becoming the first the first Student CyberSecurity Association registered in the Netherlands! And happy to see so many members doing well in our Computer Security Master!

RT @herbertbos: In the last @vu5ec presentation at @USENIXSecurity, @hanyrax discusses GhostRace and explains how attackers can exploit spe….

RT @herbertbos: @bjohannesmeyer presenting our Einstein paper that shows that automating data-only attacks can be easy:. .

RT @herbertbos: @victor_duta presenting the SafeFetch paper about protecting against double fetches:. @vu5ec .@c_g….

RT @herbertbos: Happy to report that our InSpectreGadget paper won a Distinguished Paper award at @USENIXSecurity:. .

Today at #SP24, @fcgorter presents Sticky Tags. We uncover performance/security issues in prior ARM MTE schemes based on random tagging (+ a new speculative oracle) and show how to address them with a new deterministic MTE scheme for spatial memory safety:

Our SafeFetch paper @USENIXSecurity is online! Thanks to an optimized in-kernel cache, SafeFetch provides comprehensive protection against double-fetch bugs at a fraction of the cost of prior solutions. Joint work by @victor_duta, Mitchel, @c_giuffrida:.

RT @EKouwe: Do you love low-level systems hacking? And would you like to work at a top systems security research group in Amsterdam? At @vu….

Branch History Injection (BHI) is back! Disclosing Native BHI, bypassing deployed Spectre-v2/BHI mitigations (e.g., eBPF=off) to leak arbitrary kernel/host memory (e.g., root password hash below). Joint work by @SanWieb @HBitmasks @herbertbos @c_giuffrida:

How do synchronization primitives work during speculative execution? THEY DON'T!.Disclosing #GhostRace (paper @USENIXSecurity). We turn all arch. race-free critical regions of OS/Hypervisors into Speculative Race Conditions. Joint work @vu5ec @IBMResearch:

RT @EKouwe: Do you have any interesting work in progress in systems security? Negative results? Cool student projects? EuroSec is the perfe….

RT @EuroSecWorkshop: Excited to announce the CfP for #EuroSec2024 — please submit your finest ideas! Deadline: February 14, 2024. #EuroSecW….

RT @andreafioraldi: New paper with @borrello_pietro @dcdelia @balzarot @lquerzoni @c_giuffrida!."Predictive Context-sensitive Fuzzing".intr….

Disclosing #SLAM, aka how to combine Spectre and Intel LAM (& co.) to leak kernel memory on future CPUs (demo below). Thousands of exploitable "unmasked" (or pointer chasing) gadgets in the Linux kernel. Joint work by @MatheHertogh @SanWieb @c_giuffrida:

RT @c_giuffrida: Come work with us in beautiful Amsterdam! We have a new faculty position in Security research @VUamsterdam. The specific r….

Our Quarantine @RAID_Conference paper is online! Quarantine enforces strict CPU core-based isolation to mitigate transient execution attacks vs. cloud VMs. Joint work by Mathé Hertogh @manuwiesinger @sirmc @nSinusR Nadav Amit @herbertbos @c_giuffrida:

Our FloatZone paper @USENIXSecurity is online: a branchless memory sanitizer that efficiently catches buffer overflows (+ use-after-frees) with floating-point underflows! Joint work by @fcgorter @enrico_barberis @teemperor @EKouwe @c_giuffrida @herbertbos:

Our uncontained paper @USENIXSecurity is online! Find out how the Linux kernel is the "container of" several type confusion bugs, detected by our sanitizer & static analyzer. Joint work by @JakobKoschel @borrello_pietro @dcdelia @herbertbos @c_giuffrida: