Rootsec Research Group

Microarchitectural Side-channel Attacks and System Security

Our research group at the CISPA Helmholtz Center for Information Security is working on the low-level security of modern computer systems, focusing on microarchitectural and side-channel attacks and defenses. The research includes the security of CPUs, operating systems, and trusted execution environments.

Our Topics

We investigate fundamental security challenges at the hardware and system level. Our work focuses on discovering and mitigating vulnerabilities in processors, memory systems, and low-level system software.

Side-Channel Attacks

# Extracting Secrets Through Observable Behavior

Every operation your computer performs leaves subtle traces - tiny variations in timing, power consumption, or electromagnetic emissions. Side-channel attacks exploit these observable side effects to extract sensitive information like encryption keys, passwords, and private data without directly breaking cryptographic algorithms.

What we do: We discover novel side-channel vulnerabilities through cache timing analysis, power analysis, and other measurement techniques, then develop defenses to prevent information leakage.

Research contributions:

  • Cache-based side channels: Analysis of CPU cache behavior for extracting cryptographic keys and breaching isolation boundaries
  • Cross-domain leakage: Research on side channels that cross security boundaries between processes, VMs, and trusted execution environments

Microarchitectural Security

# Exploiting CPU Design Vulnerabilities

Modern processors are incredibly complex, using techniques like speculative execution, branch prediction, and out-of-order execution to maximize performance. However, these optimizations create security vulnerabilities at the microarchitectural level that can be exploited to bypass fundamental security boundaries and access privileged information.

What we do: We analyze CPU microarchitecture to discover design-level vulnerabilities in speculative execution, memory ordering, and privilege isolation, then collaborate with manufacturers to develop hardware and software mitigations.

Research contributions:

  • GhostWrite: A vulnerability in RISC-V processors affecting speculative execution security
  • CacheWarp: Cache-based attacks on AMD SEV enabling privilege escalation
  • Transient execution attacks: Research on speculative execution vulnerabilities across x86, ARM, and RISC-V architectures
  • Microarchitectural isolation: Analysis of vulnerabilities affecting sandboxes, virtual machines, and trusted execution environments

DRAM Security

# Memory Reliability and Security

Computer memory consists of a grid of electrical cells. Rowhammer attacks exploit a reliability issue in DRAM where repeatedly accessing specific memory rows can induce bit flips in adjacent rows. These bit flips can be leveraged to compromise system security.

What we do: We study Rowhammer attacks and develop defenses and simulation tools to protect memory integrity.

Research contributions:

  • Hammulator: An open-source simulation framework for prototyping and testing Rowhammer exploits and defenses
  • Rowhammer mitigation bypasses: Research on circumventing Rowhammer mitigations such as TRR (Target Row Refresh)
  • Cache slice function reverse engineering: Methods for determining physical address mappings in modern processors
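The disturbance effect described above, and the reason a TRR-style mitigation with a small aggressor tracker can be sidestepped by hammering more rows than it can track, as a constructed toy simulation added here (not Hammulator or any of the group's code; the flip threshold, window size and sampler design are made-up assumptions):

```python
from collections import Counter

# Constructed parameters: real disturbance thresholds and TRR designs vary by chip.
FLIP_THRESHOLD = 50_000   # neighbour activations a victim row tolerates before a bit flips
REFRESH_WINDOW = 8192     # activations between two TRR decision points

class Bank:
    """Rows of a single DRAM bank; activating a row disturbs both of its neighbours."""
    def __init__(self, rows=64, trr_slots=0):
        self.rows = rows
        self.disturb = [0] * rows    # accumulated disturbance per row since its last refresh
        self.flipped = set()         # rows whose charge leaked far enough to flip a bit
        self.trr_slots = trr_slots   # aggressor rows the TRR tracker can remember (0 = no TRR)
        self.acts = Counter()        # activations per row in the current window
        self.n = 0                   # total activations so far

    def refresh(self, row):
        """A (targeted) refresh restores the row's charge, clearing its disturbance."""
        if 0 <= row < self.rows:
            self.disturb[row] = 0

    def activate(self, row):
        for victim in (row - 1, row + 1):
            if 0 <= victim < self.rows and victim not in self.flipped:
                self.disturb[victim] += 1
                if self.disturb[victim] >= FLIP_THRESHOLD:
                    self.flipped.add(victim)
        self.acts[row] += 1
        self.n += 1
        if self.trr_slots and self.n % REFRESH_WINDOW == 0:
            # TRR with a small sampler: refresh the neighbours of the k most active rows only
            for aggressor, _ in self.acts.most_common(self.trr_slots):
                self.refresh(aggressor - 1)
                self.refresh(aggressor + 1)
            self.acts.clear()

def simulate(aggressors, rounds, trr_slots=0):
    """Hammer the given rows in rotation; return the victim rows that flipped."""
    bank = Bank(trr_slots=trr_slots)
    for _ in range(rounds):
        for row in aggressors:
            bank.activate(row)
    return sorted(bank.flipped)

if __name__ == "__main__":
    print("double-sided, no TRR:", simulate([10, 12], 30_000))
    print("double-sided, 2-slot TRR:", simulate([10, 12], 30_000, trr_slots=2))
    print("8-sided, 2-slot TRR:", simulate(list(range(10, 26, 2)), 30_000, trr_slots=2))
```

With two aggressors the 2-slot tracker refreshes the only victim in time; with eight aggressors it still only covers the neighbours of two of them, so the remaining victims flip, which is why a mitigation needs per-row counting rather than a fixed-size sampler.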

System Security

# Tools, Defenses, and System-Level Security Analysis

We develop security tools, compiler-based defenses, and mitigation techniques for system-level vulnerabilities. Our research spans from low-level system software to browser security.

What we do: We develop security tools, analyze system-level attack surfaces, and create mitigation techniques for emerging threats.

Research contributions:

  • IRQGuard: Defenses against interrupt-based timing attacks
  • Compiler-based security: Automated code hardening and vulnerability prevention techniques
  • HyperDbg: Debugging framework for low-level security analysis
  • Switchpoline: Mitigations for speculative execution attacks
  • Peripheral Instinct: Security analysis of WebHID and WebUSB APIs
  • CSS-based tracking: Research on fingerprinting techniques using Cascading Style Sheets
  • Browser timing attacks: Analysis of microarchitectural side channels in browser environments

News

San Francisco, USA

We are at S&P!

We will present our work “Rapid Reversing of Non-Linear CPU Cache Slice Functions: Unlocking Physical Address Leakage” at the IEEE Symposium on Security and Privacy (S&P) 2025 in San Francisco, USA.

Sydney, AUS

We are at WWW!

We will present our work “Peripheral Instinct: How External Devices Breach Browser Sandboxes” at the ACM Web Conference (WWW) 2025 in Sydney, Australia.

NDSS Artifact Award

We won the Distinguished Artifact Award at NDSS!

Our paper “Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting” won the Distinguished Artifact Award at the Network and Distributed System Security Symposium (NDSS) 2025 in San Diego, USA.

Latest from Our Blog

# The StackWarp Vulnerability

StackWarp is a security vulnerability that exploits a synchronization bug present in all AMD Zen 1–5 processors. In the context of SEV-SNP, this flaw allows malicious VM hosts to manipulate the guest VM’s stack pointer. This enables hijacking of both control and data flow, allowing an attacker to achieve remote code execution and privilege escalation inside a confidential VM.

StackWarp: Exploiting Stack Layout Vulnerabilities in Modern Processors
January 14, 2026
Tags: CPU Security, Trusted Execution Environments

Interested in working with us?

We are always looking for talented and motivated students to join our team. If you are interested in working with us, please check out our open positions or reach out to us directly. We look forward to hearing from you!