Sitemap
A list of all the posts and pages found on the site. For you robots out there, there is an XML version available for digesting as well.
Pages
Posts
portfolio
publications
Ragnar: Exploring Volatile-Channel Vulnerabilities on RDMA NIC
Published in 62nd ACM/IEEE Design Automation Conference (DAC'25), 2025
With the surge in data computation, Remote Direct Memory Access (RDMA) becomes crucial to offering low-latency and high-throughput communication for data centers, but it faces new security threats. This paper presents Ragnar, a comprehensive suite of hardware-contention-based volatile-channel attacks leveraging the under-explored security vulnerabilities in RDMA hardware. Through comprehensive microbenchmark reverse engineering, we analyze RDMA NICs at multiple granularity levels and then construct covert-channel attacks, achieving 3.2x the bandwidth of state-of-the-art RDMA-targeted attacks on CX-5. We apply side-channel attacks on real-world distributed databases and disaggregated memory, where we successfully fingerprint operations and recover sensitive address data with 95.6% accuracy.
Drow: Training-Free Load Speculative Execution Attacks on Apple Silicon
Published in 2nd Microarchitecture Security Conference (uASC'26), 2026
Traditional speculative attacks rely on training hardware predictors, limiting practicality. We present Drow, exploiting blind bypassing on Apple silicon, where loads speculatively bypass stores without training. This primitive circumvents mistraining defenses to hijack data and control flow. Drow achieves $16.3\times$ higher bandwidth than prior art, enabling practical exploits including cross-page browser leakage, ASLR/KASLR bypassing, and PAC circumvention.
