Stephan van Schaik
About Me
Hi, I am Stephan van Schaik (IPA: /ˈsteːfɑn vɑn sxaɪk/). I'm currently doing research into computer systems security, more specifically micro-architectural attacks involving the CPU. Generally, I like delving into the low-level areas of computer science such as computer architecture, operating system development, concurrency, embedded hardware, etc.
Contact
You can find me on:
Publications
SGAxe: How SGX Fails in Practice
Stephan van Schaik, Andrew Kwong, Daniel Genkin and Yuval Yarom
More information can be found at https://sgaxe.com (Jun 9, 2020).
CacheOut: Leaking Data on Intel CPUs via Cache Evictions
Stephan van Schaik, Marina Minkin, Andrew Kwong, Daniel Genkin and Yuval Yarom
More information can be found at https://cacheoutattack.com (January 27, 2020).
RIDL: Rogue In-Flight Data Load
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
More information can be found at https://www.mdsattacks.com (May 14, 2019).
Awarded with the Intel Bounty Reward.
Presented the paper at S&P 2019 in San Francisco, CA, USA (May 20, 2019).
Presented the poster at the Cybersecurity and Privacy (CySeP) Summer School in Stockholm, Sweden (June 13, 2019).
Presented the talk at OFFZONE 2019 in Moscow, Russia (June 17-18, 2019).
Presented the talk at HITB+ CyberWeek 2019 in Abu Dhabi, UAE (October 17, 2019).
Presented the poster at CSAW '19 in Valence, France and won the 2nd place award of €500 for Applied Research (November 7-8 2019).
Read the Paper - View the Slides - Watch the Presentation - View the Code
Addendum 1 to RIDL: Rogue In-Flight Data Load
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
More information can be found at https://www.mdsattacks.com (Nov 12, 2019).
Addendum 2 to RIDL: Rogue In-Flight Data Load
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
More information can be found at https://www.mdsattacks.com (Jan 27, 2020).
Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think (August 2018)
Stephan van Schaik, Cristiano Giuffrida, Herbert Bos and Kaveh Razavi
Presented the paper at USENIX Security 2018 in Baltimore, MD, USA (August 15, 2018).
Read the Paper - View the Slides - Watch the Presentation - View the Code
RevAnC: A Framework for Reverse Engineering Hardware Page Table Caches
Stephan van Schaik, Kaveh Razavi, Ben Gras, Herbert Bos, Cristiano Giuffrida
Presented the paper at EuroSec 2017 (Workshop) in Belgrade, Serbia (April 23, 2017).
Employment
Ph.D. Computer System Security at VU Amsterdam (May 2018 - January 2020)
RIDL: Rogue In-Flight Data Load
Courses: Kernel Programming (2018 - 2019) and Hardware Security (2018)
Teaching Assistant at VU Amsterdam (January 2018)
Course: Compiler Construction
System Engineer at Whitebox Systems (January 2017 - October 2017)
Developed the Trusted Boot Module (TBM), a hardware component implemented using the STM32F1 microcontroller to manage and store keys and to verify signed software images in order to prevent attackers from tampering with the software.
Teaching Assistant at University of Amsterdam (September 2012 - March 2016)
Courses: Computer Architecture & Organisation (2013 - 2015), Image Processing (2014), Parallel Programming (2013), Data Structures (2013 - 2014), Introduction to Programming (2012 - 2013), Modern Databases (2015 - 2016), Multimedia (2013 - 2014), Net-Centric Computing (2013), Numerical Recipes (2015 - 2016), Functional Programming (2012 - 2015) and Statistical Reasoning (2014 - 2015).
Tutor at University of Amsterdam (September 2015 - January 2016)
Discussing and monitoring the progress of students as well as assisting students with auxiliary resources they require during their study.
Bring your own Device at University of Amsterdam (February 2014 - September 2015)
Documented and assisted the installation process of Linux Ubuntu and additional software for first year undergraduates.
Security Analysis at University of Amsterdam (July 2012 - August 2012)
Documented and reported various vulnerabilities in both Datanose and Blackboard.
Education
MSc. Computer Science (Computer Systems Security) (September 2015 - May 2018)
VU Amsterdam
Graduated cum laude under supervision of Kaveh Razavi, Cristiano Giuffrida and Herbert Bos.
Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think
BSc. Computer Science (September 2011 - August 2015)
Universiteit van Amsterdam
Graduated under supervision of Toto van Inge.
Projects
U-Boot SPI Driver for Allwinner SoCs
While the Allwinner SoCs have support for booting from SPI NOR flash, one of the limitations was that there was simply no U-Boot SPI driver. While working at Whitebox Systems, we needed support for booting from SPI NOR flash for one of our projects. We found back then that everything else was already in place, except for the SPI driver itself.
To implement the SPI driver, we mostly based our code on the existing implementation in the Linux source code, as well as a manual describing the register mapping used for the various SPI interfaces on the various SoCs. We then wrote and prototyped a SPI driver for U-Boot. Once we confirmed that we could read, write and erase the SPI NOR flash attached, we set up U-Boot SPL and applied some soldering hacks to boot U-Boot and eventually the Linux kernel directly from SPI NOR flash.
We then made sure the driver had full support for other SoCs as well by testing it on the H2+ Orange Pi Zero, the A20 OLinuXino LIME 2, the A64 Pine64+ and the A64 OLinuXino. The driver ended up in U-Boot mainline, and also led to new OLinuXino boards that now ship with SPI NOR flash.
Vulnerabilities
L1D Eviction Sampling (L1DES) (CVE-2020-0549)
Vector Register Sampling (VRS) (CVE-2020-0548)
Transactional Asynchronous Abort (TAA) (CVE-2019-11135)
Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)
Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127)