Our PhD students, Carina Fiedler, Sudheendra Neela (@vmcall) and Hannes Weissteiner (@hweissi) attended the NDSS Symposium 2026 in San Diego, California, this week to present their papers!

Check them out 👇

Carina Fiedler: Memory Band-Aid: A Principled Rowhammer Defense-in-Depth
https://www.ndss-symposium.org/ndss-paper/memory-band-aid-a-principled-rowhammer-defense-in-depth/

Sudheendra Neela: Eviction Notice: Reviving and Advancing Page Cache Attacks
https://www.ndss-symposium.org/ndss-paper/eviction-notice-reviving-and-advancing-page-cache-attacks/

Hannes Weissteiner: Continuous User Behavior Monitoring using DNS Cache Timing Attacks
https://www.ndss-symposium.org/ndss-paper/continuous-user-behavior-monitoring-using-dns-cache-timing-attacks/

I'm looking forward to presenting my paper, "Continuous User Behavior Monitoring using DNS Cache Timing Attacks" at NDSS next week!
We mount an Evict+Reload-style attack on the local DNS cache, detecting recently accessed domains and evicting to continuously monitor new accesses.

Our attack works from native code, even across virtual machines and containers.
We also run the attack in the browser from a malicious website, using JavaScript or even scriptless HTML+CSS.
Most underlying primitives are OS-agnostic!

Read the paper here: https://hannesweissteiner.com/publications/dmt/

Thanks to Roland Czerny, @silent_bits, @notbobbytables , Johanna Ullrich and @lavados for the amazing collaboration!

Interesting paper upcoming in NDSS'26: "Continuous User Behavior Monitoring using DNS Cache Timing Attacks", by @hweissi, Roland Czerny, Simone Franza, @notbobbytables, Johanna Ullrich and @lavados

https://tugraz.elsevierpure.com/ws/portalfiles/portal/102463797/dmt.pdf

If I understand correctly, the privacy implications discussed here might actually be worse depending on the country, and mitigations by vendors should take a higher priority. What comes to my mind is that monitoring accessed domains and timings through DNS cache even despite security countermeasures like VPNs is a very desirable attack vector by state-level attackers (i.e., in authoritarian surveillance states) where the consequences of such a breach of privacy go beyond mere advertisements or extortion and can include direct threats to the user's freedom and/or safety (e.g. if they access an "undesirable" website blocked by the censor). In existing realities, if a state-level attacker wants to find out if a security- and privacy-conscious (e.g. VPN or TOR-using) user X accessed a blocked website Y, they usually resort to setting up honeypots, hoping that a user accesses the honeypot version of a website and exposes themselves through entering personal information or broader fingerprinting. This DNS cache timing attack however removes the need for that, since the state attacker can simply use a website they control (which can be any popular government website widely used by the citizens) to perform a Javascript-based or a scriptless version of the attack to collect data on which users access "undesirable" websites, which can be further used for social profiling and persecution. I wonder if we'll see real-world usages of such an attack (I hope not).

Hi everyone! I'm excited to announce that my first first-author paper has been accepted at NDSS 2026 🥳, to be held at San Diego, California, USA. If you're attending #NDSS2026 this year and are working on systems security, let me know - it'd be awesome to meet up!

Eviction Notice: Reviving and Advancing Page Cache Attacks

@vmcall, Jonas Juffinger, Lukas Maar, @lavados

all of us from @isec_tugraz, at TU Graz, Austria.

In the paper, we revive practical attacks on the Linux page cache and also provide a systematic classification & understanding of primitives which interact with page cache. This understanding helps us advance page cache attacks, including speeding up previously known mechanisms by six orders of magnitude.

I have a small technical write up on my website if you're interested to check it out: https://snee.la/posts/eviction-notice/

Paper available here: https://snee.la/pdf/pubs/eviction-notice.pdf

Our artifacts have been evaluated to be available, functional, and reproducible, so feel free to try the code out on your Linux box: https://github.com/isec-tugraz/Eviction-Notice

Join us tomorrow for the InfoSec + SSD Christmas special, featuring real-world exploits, live hacking of various targets, information leaks, file formats, and a review of the year in security. This event tends to be somewhere between Lecture, Magic Show, Comedy, and Mr. Robot.

📅 December 17th, 2025 | 17:30
📍 Lecture Hall HS i13, Inffeldgasse 16b

To enhance your experience, we're happy to announce that coincidentally a Mulled Wine Stand is happening right in front of HS i13 at the same time, so see you there!

I am happy to announce that my first paper has been accepted at USENIX Security!

We propose TEEcorrelate, a mitigation that statistically decorrelates reported performance counters from real ones during TEE execution.
It protects against fine-grained performance-counter attacks on TEE's, while keeping coarse-grained trends intact for legitimate use cases.

https://hannesweissteiner.com/pdfs/teecorrelate.pdf

Thanks to Fabian Rauscher, @supersingular, Jonas Juffinger, @notbobbytables, Jan Wichelmann, Thomas Eisenbarth and @lavados for the great collaboration!

Announcing #CounterSEVeillance, a novel attack on AMD SEV-SNP inferring control-flow information and operand properties from performance-counter data with single-instruction resolution.
We present 4 case studies with attacks on RSA, TOTP verification and HQC.
Thanks to @hweissi, @supersingular and @lavados for the amazing collaboration!
You can read the full paper (to appear at #NDSS2025) here: https://stefangast.eu/papers/counterseveillance.pdf