Ruiyi Zhang

101 posts

Ruiyi Zhang

@Rayiizzz

Microarchitectural Security | PhD Candidate at CISPA | Ex Research Intern @Google | #StackWarp #CacheWarp

Katılım Ağustos 2019

226 Takip Edilen549 Takipçiler

Sabitlenmiş Tweet

Ruiyi Zhang@Rayiizzz·15 Oca

Today we reveal StackWarp: a new CPU vulnerability exploiting a synchronization bug in AMD’s stack engine across Zen 1–5 CPUs. It enables deterministic manipulation of Confidential VM's stack pointer, allowing RCE and privilege escalation via both control- and data-flow hijacking

English

179

1.4K

146.4K

Ruiyi Zhang@Rayiizzz·16 Oca

@CPUGenius11 yes, a microcode update

English

2.3K

Matthew@CPUGenius11·16 Oca

@Rayiizzz Is this patchable in a microcode update or no?

English

2.4K

Ruiyi Zhang@Rayiizzz·15 Oca

English

179

1.4K

146.4K

Ruiyi Zhang@Rayiizzz·16 Oca

@robertomasymas @weber_daniel @fth0mas @misc0110 I’m leaning toward it being an implementation bug. Regardless, it’s patched now, and CVMs are more secure.

English

Roberto Tomás C 🍉@robertomasymas·16 Oca

@Rayiizzz @weber_daniel @fth0mas @misc0110 This seems so tightly controlled as to suggest it might be a government back door

English

Ruiyi Zhang@Rayiizzz·16 Oca

@JustWantToQ1 That's correct. As I noted in the quote, while the bug exists on Zen 1-5, it only becomes a security vulnerability for confidential VMs.

English

285

Voidwalker@JustWantToQ1·16 Oca

@Rayiizzz I don't mean to take away from your work btw. Just trying not to scare people.

English

314

Ruiyi Zhang@Rayiizzz·16 Oca

If an SMT sibling disables it, the RSP delta becomes 'frozen' and is only released to a future execution context when the bit is toggled again. While the underlying bug exists across Zen 1-5, it only poses a security risk in specific scenarios, like within confidential computing.

English

721

Ruiyi Zhang@Rayiizzz·16 Oca

To clear up some confusion: the root cause lies in the stack engine, a CPU frontend optimization that manages the Stack Pointer (RSP) to reduce backend overhead. We discovered that an undocumented MSR bit acts as a toggle for this optimization. (1/2)

Ruiyi Zhang@Rayiizzz

English

9.4K

Ruiyi Zhang retweetledi

SecurityWeek@SecurityWeek·15 Oca

New StackWarp Attack Threatens Confidential VMs on AMD Processors securityweek.com/new-stackwarp-…

English

1.7K

Ruiyi Zhang@Rayiizzz·16 Oca

@offby1security Sounds awesome, would love to!

English

4.1K

Off By One Security@offby1security·16 Oca

@Rayiizzz Interesting work! We'd love to have you as a guest on the Off By One Security channel to walk us through this if you'd be interested!? Viewers love the low level vulnerability research topics. @OffByOneSecurity" target="_blank" rel="nofollow noopener">youtube.com/@OffByOneSecur…

English

7.5K

Ruiyi Zhang@Rayiizzz·16 Oca

@Void_The_Null We disclosed this vulnerability to AMD in March 2025 and embargo is over as of today. AMD already released a microcode patch to mitigate it :)

English

4.3K

DataBoySu@Void_The_Null·16 Oca

@Rayiizzz Wait, is this vulnerability live? That's serious for AMD users and equally impressive that you managed to reveal it. Congrats!

English

4.2K

Ruiyi Zhang@Rayiizzz·15 Oca

Blogpost: roots.ec/blog/stackwarp/

English

5.7K

Ruiyi Zhang@Rayiizzz·15 Oca

For more details on the discovery process and our findings, we refer to our research paper, which is published at USENIX Security 2026. paper: stackwarpattack.com github: github.com/cispa/StackWarp \cc Tristan Hornetz, @weber_daniel, @fth0mas, @misc0110

English

7.6K

Ruiyi Zhang retweetledi

Kav@kavehrazavi·12 Oca

The program for uASC'26 is online uasc.cc/program.html We have some very interesting papers which are already available, so be sure to check them out. Better yet, join us in Leuven next month to listen to the authors! Registration is still open and free but seats are limited.

English

687

Ruiyi Zhang retweetledi

Shweta Shinde@shw3ta_shinde·11 Ağu

🔓 Heracles @acm_ccs'25: Breaking AMD’s Confidential Computing! We show that the hypervisor can read and move hardware-encrypted memory on AMD SEV-SNP. We build a chosen-plaintext oracle to leak kernel memory, auth keys, and cookies from "confidential" VMs heracles-attack.github.io

English

2.1K

Ruiyi Zhang@Rayiizzz·4 Haz

@lyq_sqsp Congrats!

English

101

itewqq@lyq_sqsp·4 Haz

Just defended my doctoral dissertation, I’m a f*cking Doctor now 🥵

English

Ruiyi Zhang retweetledi

Kav@kavehrazavi·20 May

I am chairing the second edition of the microarchitecture security conference (uASC'26). Paper deadline for the first cycle is July 15. Please spread the word, submit, and/or join us in charming Leuven in February 2026! More info: uasc.cc

English

1.5K

Ruiyi Zhang retweetledi

Kav@kavehrazavi·13 May

long embargo, but there is a demo with good music at least: youtu.be/jrsOvaN7PaA

YouTube

Sandro@sparchatus

Disclosing Branch Predictor Race Conditions (BPRC), a new class of vulnerabilities where asynchronous branch predictor operations violate hardware-enforced privilege and context separation in virtually all recent Intel CPUs. @wiknerj @kavehrazavi : comsec.ethz.ch/bprc

English

1.1K

Ruiyi Zhang retweetledi

Seres István András@Istvan_A_Seres·23 Nis

✅ Write constant-time crypto code ☠️ Compiler introduces timing side-channels Do Compilers Break Constant-time Guarantees? fc25.ifca.ai/preproceedings… TL;DR: Yes!🥲 👏👏👏Great work @misc0110 & team!

English

1.7K

Ruiyi Zhang retweetledi

Matteo Rizzo@_MatteoRizzo·3 Şub

github.com/google/securit… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!

English

275

806

122.9K

Ruiyi Zhang retweetledi

Daniel Weber@weber_daniel·11 Ara

Super excited to present our (L. Niemann, @____salmon____, @jan__reineke, @misc0110) newest paper at #ACSAC2024! We show how modern CPU hardware can be leveraged to stop side-channel attacks almost instantly (~200 CPU cycles)! Code/Paper: github.com/cispa/IRQGuard

English

4.1K

Ruiyi Zhang retweetledi

Andreas Kogler@0xhilbert·13 Eki

Excited to announce the release of the Rapid Data Analysis (RDA) framework! RDA streamlines side-channel analysis with plotting, processing, and analysis tools—usable directly from the terminal or in scripts. Check it out: github.com/0xhilbert/rda #SideChannel

English

2.4K

Keşfet

@CPUGenius11 @robertomasymas @weber_daniel @fth0mas @misc0110 @JustWantToQ1 @offby1security @Void_The_Null