Posts by Collection

project

Evict+Skip: A High-Bandwidth, Non-Shared-Page Cache Covert Channel Attack

Streamline, a paper published in ASPLOS 2021, introduced an asynchronous framework for constructing high-bandwidth covert channels. However, it required the sender and the receiver to share virtual memory, which made it less general. To address this, we proposed a new high-bandwidth covert channel that leverages directory conflicts on non-inclusive machines together with the generality of the Prime+Probe attack.

publications

GoFetch: Breaking Constant-Time Cryptographic Implementations Using Data Memory-Dependent Prefetchers

Boru Chen, Yingchen Wang, Pradyumna Shome, Christopher W. Fletcher, David Kohlbrenner, Riccardo Paccagnella, Daniel Genkin

Published in USENIX Security, 2024 (Full Paper | Code | bibtex)

Pwnie Award -- Best Cryptographic Attack

GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs). We show that DMPs are present in many Apple CPUs and pose a real threat to multiple cryptographic implementations, allowing us to extract keys from OpenSSL Diffie-Hellman, Go RSA, as well as CRYSTALS Kyber and Dilithium.

Controlled Preemption: Amplifying Side-Channel Attacks from Userspace

Yongye Zhu, Boru Chen, Zirui Neil Zhao, Christopher W. Fletcher

Published in ASPLOS, 2025 (Full Paper | Code | bibtex)

Controlled Preemption studies the responsiveness and fairness of OS thread schedulers, which naturally provide a preemption window in which an attacker thread can interleave its execution with a victim thread at a temporally fine-grained level (i.e., single-stepping the victim thread).

Peek-a-Walk: Leaking Secrets via Page Walk Side Channels

Alan Wang, Boru Chen, Yingchen Wang, Christopher W. Fletcher, Daniel Genkin, David Kohlbrenner, Riccardo Paccagnella

Published in IEEE S&P (Oakland), 2025 (Full Paper | Code | bibtex)

Peek-a-Walk is a microarchitectural side-channel attack that leaks secrets from the page walk process. This amplifies an attacker’s bit leakage capabilities (up to 42 of the 64 secret bits) in scenarios where secrets are dereferenced microarchitecturally.

µSTT: Microarchitecture Design for Speculative Taint Tracking

Boru Chen, Rutvik Choudhary, Kaustubh Khulbe, Archie Lee, Adam Morrison, Christopher W. Fletcher

Published in ICCD, 2025 (Full Paper | Code | bibtex)

µSTT analyzes the hardware complexity of the state-of-the-art hardware-based Spectre mitigation, Speculative Taint Tracking (STT), identifying two key challenges: (1) the logic delay of taint propagation and (2) the area overhead of instruction delaying. Two new mechanisms, the Age Matrix and the impede micro-op, are proposed to address these challenges.

talks

teaching