About Me
Hi, I am Stephan van Schaik (IPA: /ˈsteːfɑn vɑn sxaɪk/, or approximately close in pronunciation would be stay fawn fawn psych), and I am currently a self-employed Principal Consultant at Van Schaik LLC. As a Principal Consultant, my goal is to cultivate and maintain a strong relationship with my clients, and to coordinate and communicate with them to better understand their exact needs, such that I can provide them with strategic advice, supported by my expertise in the domain of software development and computer systems security. In particular, I help them develop and implement transformative and innovative high-quality software for their complex challenges, and oversee the successful delivery thereof.
I received my Ph.D. in Computer Science and Engineering (CSE) at the University of Michigan, advised by Daniel Genkin. My research focused on computer systems security, more specifically on CPU micro-architectural attacks on Intel primarily, but also on AMD and Arm CPUs; how these attacks jeopardize the security of Trusted Execution Environments or confidential compute products such as Intel SGX; and how both CPU vendors and TEE application developers can harden their products against such attacks. If you are interested in reading more about this topic, you can find my publications about this below.
In general, I like to get a thorough and deep understanding of low-level systems that others prefer to treat as black boxes. As such, I am interested in reverse engineering CPU architectures (Intel, AMD and Arm), operating systems, hypervisors, BIOS/UEFI implementations, hardware protocols, etc. Some of my favorite tools to acquire this knowledge are debugging/tracing tools (gdb, strace, LD_PRELOAD, but also the underlying APIs such as ptrace), disassemblers/decompilers (IDA, ILSpy, objdump), protocol analysis tools (Wireshark) and binary instrumentation tools (DynamoRIO). Furthermore, I am interested in exploring un(der)documented features, such as the various micro-architectural components found in contemporary CPUs, such as page table and translation caches, line fill buffers, etc. As part of my work on Micro-architectural Data Sampling (MDS) and Rogue In-Flight Data Load (RIDL), I created an interactive datagram to explain some of these micro-architectural components and what the role is of each of these components in an Intel Skylake CPU. In addition, I have also performed extensive work on reverse engineering the various properties of page table and translation caches in numerous CPUs (see the paper and the RevAnC tool).
Furthermore, I have more than ten years of experience with programming Rust, Python and C with a strong focus on cross-platform development. More specifically, I have developed software targeting Microsoft Windows, Linux, MacOS, iOS, BSD, WebAssembly, UEFI, 16-bit real mode and the STM32F1. I have used Rust since 2013, originally to write a compiler during my bachelor's compiler construction course, but have been using Rust for the majority of my projects ever since. In particular, I have used Rust to solve complex challenges involving multi-threading, asynchronous programming and large data sets. I also have extensive experience with the x86(-64), Arm and AArch64 assembly languages both for programming purposes as well as reverse engineering existing software, and I am also somewhat familiar with the MIPS and RISC-V assembly languages as well as LLVM IR.
From time to time, I also like to play around with GPU programming and I have experience with graphics programming at both a high-level (Vulkan, WebGPU, OpenGL and the acompanying shading languages GLSL and WGSL) as well as at a low-level (I am familiar with the i915 internals on Linux). I am also experienced with hooking OpenGL and Vulkan calls, as well as writing Vulkan layers to render game overlays.
If time allows, I might write a couple blog posts about these topics on my website.
Contact
You can find me on:
Publications
ECC.fail: Mounting Rowhammer Attacks on DDR4 Servers with ECC Memory
Nureddin Kamadan, Walter Wang, Stephan van Schaik, Christina Garman, Daniel Genkin, Yuval Yarom.
Appeared in USENIX Security '25 (August 15, 2025).
Slice+Slice Baby: Generating Last-Level Cache Eviction Sets in the Blink of an Eye
Bradley Morgan, Gal Horowitz, Sioli O'Connell, Stephan van Schaik, Chitchanok Chuengsatiansup, Daniel Genkin, Olaf Maennel, Paul Montague, Eyal Ronen, and Yuval Yarom.
Appeared in IEEE S&P '25 (May 14, 2025).
SledgeHammer: Amplifying Rowhammer via Bank-level Parallelism
Ingab Kang, Walter Wang, Jason Kim, Stephan van Schaik, Youssef Tobah, Daniel Genkin, Andrew Kwong and Yuval Yarom.
Appeared in USENIX Security '24 (August 14, 2024).
iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices
Jason Kim, Stephan van Schaik, Daniel Genkin and Yuval Yarom.
More information can be found at https://ileakage.com (October 25, 2023).
Appeared in ACM CCS '23 (November 28, 2023).
Hot Pixels: Frequency, Power, and Temperature Attacks on GPUs and Arm SoCs
Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin and Yuval Yarom
Appeared in USENIX Security '23 (August 11, 2023).
SoK: SGX.Fail: How Stuff Gets eXposed
Stephan van Schaik, Alex Seto, Thomas Yurek, Adam Batori, Bader AlBassam, Christina Garman, Daniel Genkin, Andrew Miller, Eyal Ronen and Yuval Yarom
More information can be found at https://sgx.fail/ (November 29, 2022).
Presented the paper at IEEE S&P 2024 in San Francisco, CA, USA (May 22, 2024).
SGAxe: How SGX Fails in Practice
Stephan van Schaik, Andrew Kwong, Daniel Genkin and Yuval Yarom
More information can be found at https://sgaxe.com/ (June 9, 2020).
CacheOut: Leaking Data on Intel CPUs via Cache Evictions
Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin and Yuval Yarom
More information can be found at https://cacheoutattack.com (January 27, 2020).
Presented the paper at IEEE S&P 2021 (May 24, 2021).
RIDL: Rogue In-Flight Data Load
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
More information can be found at https://mdsattacks.com (May 14, 2019).
Awarded with the Intel Bounty Reward.
Presented the paper at IEEE S&P 2019 in San Francisco, CA, USA (May 20, 2019).
Presented the poster at the Cybersecurity and Privacy (CySeP) Summer School in Stockholm, Sweden (June 13, 2019).
Presented the talk at OFFZONE 2019 in Moscow, Russia (June 17-18, 2019).
Presented the talk at HITB+ CyberWeek 2019 in Abu Dhabi, UAE (October 17, 2019).
Presented the poster at CSAW '19 in Valence, France and won the 2nd place award for Applied Research (November 7-8 2019).
Read the paper - View the slides - Watch the presentation - View the code
Addendum 1 to RIDL: Rogue In-Flight Data Load
Addendum 2 to RIDL: Rogue In-Flight Data Load
Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think
Stephan van Schaik, Cristiano Giuffrida, Herbert Bos and Kaveh Razavi
Presented the paper at USENIX Security 2018 in Balitmore, MD, USA (August 15, 2018).
Read the paper - View the slides - Watch the presentation - View the code
RevAnC: A Framework for Reverse Engineering Hardware Page Table Caches
Stephan van Schaik, Kaveh Razavi, Ben Gras, Herbert Bos and Cristiano Giuffrida
Presented the paper at EuroSec 2017 (Workshop) in Belgrade, Serbia (April 23, 2017).
Employment
Ph.D. Computer Science & Engineering at University of Michigan (January 2020 - May 2025)
Advisor: Daniel Genkin
Dissertation: Future-proofing Trusted Execution Environments Against the Emerging Threats of Speculative Execution
Ph.D. Computer System Security at VU Amsterdam (May 2018 - January 2020)
Transitioned to University of Michigan.
Advisors: Kaveh Razavi, Cristiano Giuffrida and Herbert Bos
Teaching Assistant: Kernel Programming (2018 - 2019) and Hardware Security (2018).
Teaching Assistant at VU Amsterdam (January 2018)
Courses: Compiler Construction.
System Engineer at Whitebox Systems (January 2017 - October 2017)
Developed the Trusted Boot Module (TBM), a hardware component implemented using the STM32F1 microcontroller to manage and store keys and to verify signed software images in order to prevent attackers from tampering with the software.
Teaching Assistant at University of Amsterdam (September 2012 - March 2016)
Courses: Computer Architecture & Organisation (2013 - 2015), Image Processing (2014), Parallel Programming (2013), Data Structures (2013 - 2014), Introduction to Programming (2012 - 2013), Modern Databases (2015 - 2016), Multimedia (2013 - 2014), Net-Centric Computing (2013), Numerical Recipes (2015 - 2016), Functional Programming (2012 - 2015) and Statistical Reasoning (2014 - 2015).
Tutor at University of Amsterdam (September 2015 - January 2016)
Discussing and monitoring the progress of students as well as assisting students with auxiliary resources they require during their study.
Bring your own Device at University of Amsterdam (February 2014 - September 2015)
Documented and assisted the installation process of Linux Ubuntu and additional software for first year undergraduates.
Security Analysis at University of Amsterdam (July 2012 - August 2012)
Documented and reported various vulnerabilities in both Datanose and Blackboard.
Education
Ph.D. Computer Science & Engineering at University of Michigan (January 2020 - May 2025)
Advisor: Daniel Genkin
Dissertation: Future-proofing Trusted Execution Environments Against the Emerging Threats of Speculative Execution
Ph.D. Computer System Security at VU Amsterdam i(May 2018 - January 2020)
Transitioned to University of Michigan.
Advisors: Kaveh Razavi, Cristiano Giuffrida and Herbert Bos
Teaching Assistant: Kernel Programming (2018 - 2019) and Hardware Security (2018).
MSc. Computer Science (Computer Systems Security) (September 2015 - May 2018)
VU Amsterdam & Universiteit van Amsterdam (joint degree)
Graduated cum laude under supervision of Kaveh Razavi, Cristiano Giuffrida and Herbert Bos.
Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think
BSc. Computing Science (September 2011 - August 2015)
Universiteit van Amsterdam
Graduated under supervision of Toto van Inge.
CVEs
- L1D Eviction Sampling (L1DES) (CVE-2020-0549)
- Vector Register Sampling (VRS) (CVE-2020-0548)
- Transactional Asynchronous Abort (TAA) (CVE-2019-11135)
- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)
- Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
- Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127)