2nd Microarchitecture Security Conference (uASC '26)

February 3, 2026 at KU Leuven, Belgium

All accepted full papers have gone through double-blind peer review. The conference proceedings of µASC will be published by Ruhr University Bochum in an issue of the Proceedings of the Microarchitecture Security Conference. With a Gold Open Access status, all papers published in the proceedings are immediately and freely available on the day of the conference.

Conference Program

08:00 to 08:45

Registration

08:45 to 09:00

Welcome and awards

09:00 to 10:00

Keynote

Warp Speed Security: Integrity, Confidentiality, and the Microarchitecture in Between

Speaker: Michael Schwarz (CISPA Helmholtz Center for Information Security)

Abstract: Confidential virtual machines promise a clean contract: strong isolation, integrity, and confidentiality, even against a malicious hypervisor. AMD SEV-SNP is a flagship example of this vision, aiming to deliver these guarantees without sacrificing cloud realities such as simultaneous multithreading (SMT).

This keynote revisits AMD SEV-SNP through the lens of its microarchitectural attack surface. We begin with CacheWarp, which showed how cache-management mechanisms can be repurposed into precise, software-only fault attacks that violate SEV-SNP's integrity guarantees, and then highlight a recent architectural issue demonstrating that even the CPU frontend is part of the attack surface, where undocumented behavior allows a sibling hyperthread to deterministically influence guest state on fully patched Zen CPUs. Together, these examples show how easily integrity can be overlooked, despite being essential for confidentiality. Broadening the view, we draw on insights from SNPeek to show that even when integrity holds, microarchitectural side channels remain powerful enough to systematically measure and exploit information leakage in real-world workloads running inside confidential VMs. Overall, the talk argues that performance optimizations repeatedly cross abstraction boundaries, reintroducing shared state and visibility that threat models quietly exclude, and does so in a way that is concrete, occasionally uncomfortable, and hopefully entertaining.

Bio: Michael Schwarz is a tenured faculty at the CISPA Helmholtz Center for Information Security. He was part of the discovery of multiple seminal CPU vulnerabilities, including Meltdown, Spectre, LVI, PLATYPUS, ZombieLoad, ÆPIC Leak, CacheWarp, Collide+Power, and GhostWrite. He was also instrumental in the KAISER patch, which forms the basis for Meltdown countermeasures (KPTI) in modern operating systems.

10:00 to 10:30

Break

10:30 to 11:30

Session 1: That confused core

Session chair: TBA

MicroSpark: Testing Voltage Glitches on Intel Microcode
Federico Cerutti (Università degli Studi di Brescia), Alvise de Faveri Tron, Cristiano Giuffrida (Vrije Universiteit Amsterdam)

General Store: Speculative Address Translation in x86 Processors
Yanik Kleibrink (Technical University of Darmstadt), Anirban Chakraborty (Max Planck Institute for Security and Privacy), Yuval Yarom (Ruhr University Bochum)

Zero-Store Elimination and its Implications on the SIKE Cryptosystem
Lukas Gerlach (CISPA Helmholtz Center for Information Security), Niklas Flentje (Saarland University), Michael Schwarz (CISPA Helmholtz Center for Information Security)

11:30 to 12:00

Session 2: WIP

Session chair: TBA

DROW: Training-Free Load Speculative Execution Attacks on Apple Silicon
Yuchen Fan, Yu Jin, Chang Liu, Minghong Sun (Tsinghua University), Tingting Yin (Independent Researcher), Shuwen Deng (Tsinghua University, Zhongguancun Laboratory)

Flush-based Cache Attacks on Modern / Multi-Socket x86 systems
Guillaume Didier (Saarland University), Augustin Lucas (Univ. Rennes, Inria, IRISA, Département d'Informatique, ENS de Lyon), Thomas Rokicki (CentraleSupélec, Inria, CNRS, IRISA)

μ-ops, I Did it Again: A Second Look at Port Assignment on Intel CPUs
Yarin Oziel, Tomer Laor, Shlomi Levy (Ben-Gurion University of the Negev), Clémentine Maurice (Univ. Lille, CNRS, Inria), Yossi Oren (Ben-Gurion University of the Negev), Thomas Rokicki (CentraleSupélec, Inria, CNRS, IRISA), Gabriel Scalosub (Ben-Gurion University of the Negev)

12:00 to 13:00

Lunch

13:00 to 14:00

Session 3: Brave new defense

Session chair: TBA

BROL: Cache-Only Execution for Software Protection
Ruben Mechelinck, Stijn Volckaert (DistriNet, KU Leuven)

SplittingSecrets: A Compiler-Based Defense for Preventing Data Memory-Dependent Prefetcher Side-Channels
Reshabh K Sharma, Dan Grossman, David Kohlbrenner (University of Washington)

WeMu: Effective and Scalable Emulation of Microarchitectural Weird Machines
Dries Vanspauwen (DistriNet, KU Leuven), Lesly-Ann Daniel (EURECOM and DistriNet, KU Leuven), Jo Van Bulck (DistriNet, KU Leuven)

14:00 to 14:40

Session 4: Talks

Session chair: TBA

Automated Synthesis of Instruction-Centric Leakage Contracts
Elvira Moreno (Universidad Politécnica de Madrid & IMDEA Software Institute), Tiziano Marinaro (CISPA Helmholtz Center for Information Security & Saarland University), Ryan Williams (Northeastern University), Marco Patrignani (University of Trento), Roberto Guanciale, Hamed Nemati (KTH Royal Institute of Technology), Marco Guarnieri (IMDEA Software Institute)

Debugging the Un-Debuggable: Advanced Debugging Techniques for Microarchitectural Security Tooling
Anna Pätschke (University of Luebeck), Daan Vanoverloop (KU Leuven), Jan Wichelmann (University of Luebeck), Jo Van Bulck (DistriNet, KU Leuven)

No Time To Leak: Exposing Timer-Free Cache-State Leaks on ARM CPUs
Fabian Thomas (CISPA Helmholtz Center for Information Security), Michael Torres, Daniel Moghimi (Google), Michael Schwarz (CISPA Helmholtz Center for Information Security)

Rain: Transiently Leaking Data from Public Clouds Using Old Vulnerabilities
Mathé Hertogh, Dave Quakkelaar, Thijs Raymakers, Mahesh Hari Sarma (Vrije Universiteit Amsterdam), Marius Muench (University of Birmingham), Herbert Bos, Erik van der Kouwe (Vrije Universiteit Amsterdam)

14:40 to 15:00

Break

15:00 to 16:00

Session 5: When memory serves not so well

Session chair: TBA

Knock-Knock: Black-Box, Platform-Agnostic DRAM Address-Mapping Reverse Engineering
Antoine Plin (GeorgiaTech, ESILV and CentraleSupélec, Inria, CNRS, IRISA), Lorenzo Casalino, Thomas Rokicki, Ruben Salvador (CentraleSupélec, Inria, CNRS, IRISA)

Physical Memory Please: Practical Memory-Aliasing Attacks on RISC-V PMP
Antonis Louka (DistriNet, KU Leuven), Jesse De Meulemeester (COSIC, KU Leuven), Steven Keuchel (DistriNet, KU Leuven), Ingrid Verbauwhede (COSIC, KU Leuven), Jo Van Bulck (DistriNet, KU Leuven)

SLasH-DSA: Breaking SLH-DSA Using an Extensible End-To-End Rowhammer Framework
Jeremy Boy (University of Luebeck), Antoon Purnal (Google), Anna Pätschke (University of Luebeck), Luca Wilke (Microsoft Research), Thomas Eisenbarth (University of Luebeck)

16:00 to 17:00

Poster session

Cheap Tricks, Real Threats: Fault Injection on Databuses with Low-Cost Tools
Philipp Mackensen, Paul Zinselmeyer, Dina Hesse, Veelasha Moonsamy (Ruhr University Bochum)

Entropy-Coupled CLFLUSH for Secure Cache Flushing Against Timing-Based Attacks
Samiksha Verma (Indian Institute of Technology Bombay), Virendra Singh (Indian Institute of Technology Mumbai)

Hardware Cost Evaluation in Microarchitecture Security
Jesse De Meulemeester, Quinten Norga, Frank Piessens, Ingrid Verbauwhede, Marton Bognar (KU Leuven)

16:00 to 17:00

Steering committee meeting

17:00 to 18:30

Social event

Walk in the historical city center of Leuven.