I’m a postdoctoral researcher at the department of Computer Science of ETH Zurich in the System Security group.
I received my PhD from ETH Zurich in 2023, advised by Srdjan Čapkun. My PhD thesis can be found below.
My research focuses on hardware security, particularly improving and testing the limits of trusted execution environments. I enjoy working at the interface between hardware and software, uncovering the capabilities of privileged attackers, and exploring side-channel information leakage. Besides hardware security, I’m interested in computer architecture and system design in mobile and disaggregated computing.
I was a research intern at VMware Research in the Summer of 2017.
I hold an M.Sc. in computer science from ETH Zurich and a B.Eng. (cum laude) in computer engineering from Politecnico di Milano.
2026
    Nicolas Dutly, Friederike Groschupp, 
Ivan Puddu, Kari Kostiainen, Srdjan Capkun
    
2026 IEEE Symposium on Security and Privacy (SP) 
    
    
    
    
    
        
    
    
        @misc{dutly2025aexnstep,
      title={AEX-NStep: Probabilistic Interrupt Counting Attacks on Intel SGX}, 
      author={Nicolas Dutly and Friederike Groschupp and Ivan Puddu and Kari Kostiainen and Srdjan Capkun},
      booktitle = {2026 IEEE Symposium on Security and Privacy (SP)},
      year={2026},
      eprint={2510.14675},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2510.14675}, 
}
        
        
        To mitigate interrupt-based stepping attacks (notably using SGX-Step), Intel introduced AEX-Notify, an ISA extension to Intel SGX that aims to prevent deterministic single-stepping. In this work, we introduce AEX-NStep, the first interrupt counting attack on AEX-Notify-enabled Enclaves. We show that deterministic single-stepping is not required for interrupt counting attacks to be practical and that, therefore, AEX-Notify does not entirely prevent such attacks. We specifically show that one of AEX-Notify's security guarantees, obfuscated forward progress, does not hold, and we introduce two new probabilistic interrupt counting attacks. We use these attacks to construct a practical ECDSA key leakage attack on an AEX-Notify-enabled SGX enclave. Our results extend the original security analysis of AEX-Notify and inform the design of future mitigations.
    
 
2025
    Moritz Schneider, Daniele Lain, 
Ivan Puddu, Nicolas Dutly, Srdjan Capkun
    
Asia CCS '25 
    
    
    
        
             Best Paper Award 
        
    
    
    
    
    
        
    
    
        @inproceedings{schneider2025breakingbad,
      author = {Schneider, Moritz and Lain, Daniele and Puddu, Ivan and Dutly, Nicolas and Capkun, Srdjan},
      title = {Breaking Bad: How Compilers Break Constant-Time~Implementations},
      year = {2025},
      isbn = {9798400714108},
      publisher = {Association for Computing Machinery},
      address = {New York, NY, USA},
      doi = {10.1145/3708821.3733909},
      booktitle = {Proceedings of the 20th ACM Asia Conference on Computer and Communications Security},
      pages = {1690-1706},
      numpages = {17},
      keywords = {Constant time code, cryptographic implementations, compilers},
      series = {ASIA CCS '25}
}
        
        
        The implementations of most hardened cryptographic libraries use defensive programming techniques for side-channel resistance. These techniques are usually specified as guidelines to developers on specific code patterns to use or avoid. Examples include performing arithmetic operations to choose between two variables instead of executing a secret-dependent branch. However, such techniques are only meaningful if they persist across compilation. In this paper, we investigate how optimizations used by modern compilers break the protections introduced by defensive programming techniques. Specifically, how compilers break high-level constant-time implementations used to mitigate timing side-channel attacks. We run a large-scale experiment to see if such compiler-induced issues manifest in state-of-the-art cryptographic libraries. We develop a tool that can profile virtually any architecture, and we use it to run trace-based dynamic analysis on 44,604 different targets. Particularly, we focus on the most widely deployed cryptographic libraries, which aim to provide side-channel resistance. We are able to evaluate whether their claims hold across various CPU architectures, including x86-64, x86-i386, armv7, aarch64, RISC-V, and MIPS-32. Our large-scale study reveals that several compiler-induced secret-dependent operations occur within some of the most highly regarded hardened cryptographic libraries. To the best of our knowledge, such findings represent the first time these issues have been observed in the wild. One of the key takeaways of this paper is that the state-of-the-art defensive programming techniques employed for side-channel resistance are still inadequate, incomplete, and bound to fail when paired with the optimizations that compilers continuously introduce.
    
 
2024
    Ivan Puddu, Moritz Schneider, Daniele Lain, Stefano Boschetto, Srdjan Čapkun
    
2024 IEEE Symposium on Security and Privacy (SP) 
    
    
    
    
    
        
    
    
        @inproceedings{PudduCodeleak,
  author = {Ivan Puddu and Moritz Schneider and Daniele Lain and Stefano Boschetto and Srdjan \v{C}apkun},
  booktitle = {2024 IEEE Symposium on Security and Privacy (SP)},
  title = {On (the Lack of) Code Confidentiality in Trusted Execution Environments},
  year = {2024},
  volume = {},
  issn = {2375-1207},
  pages = {213-213},
  keywords = {trusted execution environment;tee;wasm;side channels;intel sgx;amd sev;code confidentiality;confidential computing},
  url = {https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00259},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
  month = {may}
}
        
        
        Trusted Execution Environments (TEEs) have been proposed as a solution to protect code confidentiality in scenarios where computation is outsourced to an untrusted operator. We study the resilience of such solutions to side-channel attacks in two commonly deployed scenarios: when the confidential code is a native binary that is shipped and executed within a TEE and when the confidential code is an intermediate representation (IR) executed on top of a runtime within a TEE. We show that executing IR code such as WASM bytecode on a runtime executing in a TEE leaks most IR instructions with high accuracy and therefore reveals the confidential code. Contrary to IR execution, native execution is much less susceptible to leakage and largely resists even the most powerful side-channel attacks. We evaluate native execution leakage in Intel SGX and AMD SEV and experimentally demonstrate end-to-end instruction extraction on Intel SGX, with WASM bytecode as IR executed within two popular WASM runtimes: WAMR and wasmi. Our experiments show that IR code leakage from such systems is practical and therefore question the security claims of several commercial solutions which rely on TEEs+WASM for code confidentiality.
    
 
 
2023
    Irina Calciu, M. Talha Imran, 
Ivan Puddu, Sanidhya Kashyap, Hasan Al Maruf, Onur Mutlu, Aasheesh Kolli
    
ACM SIGOPS Operating Systems Review '23 
    
    
    
    
    
        
    
    
        @article{cc_disag_calciu,
    author = {Calciu, Irina and Imran, M. Talha and Puddu, Ivan and Kashyap, Sanidhya and Al Maruf, Hasan and Mutlu, Onur and Kolli, Aasheesh},
    title = {Using Local Cache Coherence for Disaggregated Memory Systems},
    year = {2023},
    issue_date = {June 2023},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    volume = {57},
    number = {1},
    issn = {0163-5980},
    url = {https://doi.org/10.1145/3606557.3606561},
    doi = {10.1145/3606557.3606561},
    journal = {SIGOPS Oper. Syst. Rev.},
    month = {jun},
    pages = {21–28},
    numpages = {8}
}
        
        
        Disaggregated memory provides many cost savings and resource provisioning benefits for current datacenters, but software systems enabling disaggregated memory access result in high performance penalties. These systems require intrusive code changes to port applications for disaggregated memory or employ slow virtual memory mechanisms to avoid code changes. Such mechanisms result in high overhead page faults to access remote data and high dirty data amplification when tracking changes to cached data at page-granularity. In this paper, we propose a fundamentally new approach for disaggregated memory systems, based on the observation that we can use local cache coherence to track applications' memory accesses transparently, without code changes, at cache-line granularity. This simple idea (1) eliminates page faults from the application critical path when accessing remote data, and (2) decouples the application memory access tracking from the virtual memory page size, enabling cache-line granularity dirty data tracking and eviction. Using this observation, we implemented a new software runtime for disaggregated memory that improves average memory access time and reduces dirty data amplification1
    
 
2022
    Friederike Groschupp, Mark Kuhne, Moritz Schneider, 
Ivan Puddu, Shweta Shinde, Srdjan Capkun
    
arXiv preprint (arXiv:2211.05206) 
    
    
    
    
    
        
    
    
        @misc{teetime,
  doi = {10.48550/ARXIV.2211.05206},
  url = {https://arxiv.org/abs/2211.05206},
  author = {Groschupp, Friederike and Kuhne, Mark and Schneider, Moritz and Puddu, Ivan and Shinde, Shweta and Capkun, Srdjan},
  keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
  title = {It's TEEtime: Bringing User Sovereignty to Smartphones},
  publisher = {arXiv},
  year = {2022},
  copyright = {arXiv.org perpetual, non-exclusive license}
}
        
        
        The majority of smartphones either run iOS or Android operating systems. This has created two distinct ecosystems largely controlled by Apple and Google - they dictate which applications can run, how they run, and what kind of phone resources they can access. Barring some exceptions in Android where different phone manufacturers may have influence, users, developers, and governments are left with little control. Specifically, users need to entrust their security and privacy to OS vendors and accept the functionality constraints they impose. Given the wide use of Android and iOS, immediately leaving these ecosystems is not practical, except in niche application areas. In this work, we propose a new smartphone architecture that securely transfers the control over the smartphone back to the users while maintaining compatibility with the existing smartphone ecosystems. Our architecture, named TEEtime, is based on ARMv8 and implements novel, TEE-based, resource and interrupt isolation mechanisms which allow the users to flexibly choose which resources (including peripherals) to dedicate to different isolated domains, namely, to legacy OSs and to user's proprietary software. We show the feasibility of our design by implementing a prototype of TEEtime on an ARM emulator.
    
 
2021
    Ivan Puddu, Moritz Schneider, Miro Haller, Srdjan Čapkun
    
30th USENIX Security Symposium (USENIX Security '21) 
    
        
             Artifact Evaluated: Passed 
        
    
    
    
    
    
    
    
        
    
    
        @inproceedings{puddu2021frontal,
  author = {Ivan Puddu and Moritz Schneider and Miro Haller and Srdjan \v{C}apkun},
  title = {Frontal Attack: Leaking {Control-Flow} in {SGX} via the {CPU} Frontend},
  booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
  year = {2021},
  isbn = {978-1-939133-24-3},
  pages = {663--680},
  url = {https://www.usenix.org/conference/usenixsecurity21/presentation/puddu},
  publisher = {USENIX Association},
  month = aug,
}
        
        
        We introduce a new timing side-channel attack on Intel CPU processors. Our Frontal attack attack exploits timing differences that arise from how the CPU frontend fetches and processes instructions while being interrupted. In particular, we observe that in modern Intel CPUs, some instructions' execution times will depend on which operations precede and succeed them, and on their virtual addresses. Unlike previous attacks that could only profile branches if they contained different code or had known branch targets, the Frontal attack attack allows the adversary to distinguish between instruction-wise identical branches. As the attack requires OS capabilities to set the interrupts, we use it to exploit SGX enclaves. Our attack further demonstrates that secret-dependent branches should not be used even alongside defenses to current controlled-channel attacks. We show that the adversary can use the Frontal attack attack to extract a secret from an SGX enclave if that secret was used as a branching condition for two instruction-wise identical branches. We successfully tested the attack on all the available Intel CPUs with SGX (until 10th gen) and used it to leak information from two commonly used cryptographic libraries.
    
 
 
    Friederike Groschupp, Moritz Schneider, 
Ivan Puddu, Shweta Shinde, Srdjan Capkun
    
arXiv preprint (arXiv:2102.02743) 
    
    
    
    
    
        
    
    
        @misc{sovereign_smartphone,
  doi = {10.48550/ARXIV.2102.02743},
  url = {https://arxiv.org/abs/2102.02743},
  author = {Groschupp, Friederike and Schneider, Moritz and Puddu, Ivan and Shinde, Shweta and Capkun, Srdjan},
  keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
  title = {Sovereign Smartphone: To Enjoy Freedom We Have to Control Our Phones},
  publisher = {arXiv},
  year = {2021},
  copyright = {arXiv.org perpetual, non-exclusive license}
}
        
        
        The majority of smartphones either run iOS or Android operating systems. This has created two distinct ecosystems largely controlled by Apple and Google - they dictate which applications can run, how they run, and what kind of phone resources they can access. Barring some exceptions in Android where different phone manufacturers may have influence, users, developers, and governments are left with little to no choice. Specifically, users need to entrust their security and privacy to OS vendors and accept the functionality constraints they impose. Given the wide use of Android and iOS, immediately leaving these ecosystems is not practical, except in niche application areas. In this work, we draw attention to the magnitude of this problem and why it is an undesirable situation. As an alternative, we advocate the development of a new smartphone architecture that securely transfers the control back to the users while maintaining compatibility with the rich existing smartphone ecosystems. We propose and analyze one such design based on advances in trusted execution environments for ARM and RISC-V.
    
 
    Moritz Schneider, Aritra Dhar, 
Ivan Puddu, Kari Kostiainen, Srdjan Čapkun
    
IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES '21) 
    
    
    
    
    
        
    
    
        @article{composite_enclaves,
    title={Composite Enclaves: Towards Disaggregated Trusted Execution},
    volume={2022},
    url={https://tches.iacr.org/index.php/TCHES/article/view/9309},
    DOI={10.46586/tches.v2022.i1.630-656},
    number={1},
    journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
    author={Schneider, Moritz and Dhar, Aritra and Puddu, Ivan and Kostiainen, Kari and Čapkun, Srdjan},
    year={2021},
    month={Nov.},
    pages={630–656}
}
        
        
        The ever-rising computation demand is forcing the move from the CPU to heterogeneous specialized hardware, which is readily available across modern datacenters through disaggregated infrastructure. On the other hand, trusted execution environments (TEEs), one of the most promising recent developments in hardware security, can only protect code confined in the CPU, limiting TEEs’ potential and applicability to a handful of applications. We observe that the TEEs’ hardware trusted computing base (TCB) is fixed at design time, which in practice leads to using untrusted software to employ peripherals in TEEs. Based on this observation, we propose composite enclaves with a configurable hardware and software TCB, allowing enclaves access to multiple computing and IO resources. Finally, we present two case studies of composite enclaves: i) an FPGA platform based on RISC-V Keystone connected to emulated peripherals and sensors, and ii) a large-scale accelerator. These case studies showcase a flexible but small TCB (2.5 KLoC for IO peripherals and drivers), with a low-performance overhead (only around 220 additional cycles for a context switch), thus demonstrating the feasibility of our approach and showing that it can work with a wide range of specialized hardware.
    
 
    Lois Orosa, Yaohua Wang, Mohammad Sadrosadati, Jeremie S. Kim, Minesh Patel, 
Ivan Puddu, Haocong Luo, Kaveh Razavi, Juan Gómez-Luna, Hasan Hassan, Nika Mansouri-Ghiasi, Saugata Ghose, Onur Mutlu
    
ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA '21) 
    
    
    
    
    
        
    
    
        @inproceedings{codic,
  author={Orosa, Lois and Wang, Yaohua and Sadrosadati, Mohammad and Kim, Jeremie S. and Patel, Minesh and Puddu, Ivan and Luo, Haocong and Razavi, Kaveh and Gómez-Luna, Juan and Hassan, Hasan and Mansouri-Ghiasi, Nika and Ghose, Saugata and Mutlu, Onur},
  booktitle={2021 ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA)}, 
  title={CODIC: A Low-Cost Substrate for Enabling Custom In-DRAM Functionalities and Optimizations}, 
  year={2021},
  volume={},
  number={},
  pages={484-497},
  doi={10.1109/ISCA52012.2021.00045}
}
        
        
        DRAM is the dominant main memory technology used in modern computing systems. Computing systems implement a memory controller that interfaces with DRAM via DRAM commands. DRAM executes the given commands using internal components (e.g., access transistors, sense amplifiers) that are orchestrated by DRAM internal timings, which are fixed for each DRAM command. Unfortunately, the use of fixed internal timings limits the types of operations that DRAM can perform and hinders the implementation of new functionalities and custom mechanisms that improve DRAM reliability, performance and energy. To overcome these limitations, we propose enabling programmable DRAM internal timings for controlling in-DRAM components. To this end, we design CODIC, a new low-cost DRAM substrate that enables fine-grained control over four previously fixed internal DRAM timings that are key to many DRAM operations. We implement CODIC with only minimal changes to the DRAM chip and the DDRx interface. To demonstrate the potential of CODIC, we propose two new CODIC-based security mechanisms that outperform state-of-the-art mechanisms in several ways: (1) a new DRAM Physical Unclonable Function (PUF) that is more robust and has significantly higher throughput than state-of-the-art DRAM PUFs, and (2) the first cold boot attack prevention mechanism that does not introduce any performance or energy overheads at runtime.
    
 
    Jawad Haj-Yahya, Jeremie S. Kim, A. Giray Yağlıkçı, 
Ivan Puddu, Lois Orosa, Juan Gómez Luna, Mohammed Alser, Onur Mutlu
    
ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA '21) 
    
    
    
    
    
        
    
    
        @inproceedings{ichannels,
  author={Haj-Yahya, Jawad and Kim, Jeremie S. and Yağlıkçı, A. Giray and Puddu, Ivan and Orosa, Lois and Gómez Luna, Juan and Alser, Mohammed and Mutlu, Onur},
  booktitle={2021 ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA)}, 
  title={IChannels: Exploiting Current Management Mechanisms to Create Covert Channels in Modern Processors}, 
  year={2021},
  volume={},
  number={},
  pages={985-998},
  doi={10.1109/ISCA52012.2021.00081}
}
        
        
        To operate efficiently across a wide range of workloads with varying power requirements, a modern processor applies different current management mechanisms, which briefly throttle instruction execution while they adjust voltage and frequency to accommodate for power-hungry instructions (PHIs) in the instruction stream. Doing so 1) reduces the power consumption of non-PHI instructions in typical workloads and 2) optimizes system voltage regulators’ cost and area for the common use case while limiting current consumption when executing PHIs.However, these mechanisms may compromise a system’s confidentiality guarantees. In particular, we observe that multilevel side-effects of throttling mechanisms, due to PHI-related current management mechanisms, can be detected by two different software contexts (i.e., sender and receiver) running on 1) the same hardware thread, 2) co-located Simultaneous Multi-Threading (SMT) threads, and 3) different physical cores.Based on these new observations on current management mechanisms, we develop a new set of covert channels, IChannels, and demonstrate them in real modern Intel processors (which span more than 70% of the entire client and server processor market). Our analysis shows that IChannels provides more than 24× the channel capacity of state-of-the-art power management covert channels. We propose practical and effective mitigations to each covert channel in IChannels by leveraging the insights we gain through a rigorous characterization of real systems.
    
 
    Irina Calciu, M. Talha Imran, 
Ivan Puddu, Sanidhya Kashyap, Hasan Al Maruf, Onur Mutlu, Aasheesh Kolli
    
Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '21) 
    
        
             Artifacts Available v1.1 
        
    
        
             Artifacts Evaluated – Functional v1.1 
        
    
        
             Results Reproduced v1.1 
        
    
    
    
    
    
    
    
        
    
    
        @inproceedings{rethinking_software_runtimes,
    author = {Calciu, Irina and Imran, M. Talha and Puddu, Ivan and Kashyap, Sanidhya and Maruf, Hasan Al and Mutlu, Onur and Kolli, Aasheesh},
    title = {Rethinking Software Runtimes for Disaggregated Memory},
    year = {2021},
    isbn = {9781450383172},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3445814.3446713},
    doi = {10.1145/3445814.3446713},
    abstract = {Disaggregated memory can address resource provisioning inefficiencies in current datacenters. Multiple software runtimes for disaggregated memory have been proposed in an attempt to make disaggregated memory practical. These systems rely on the virtual memory subsystem to transparently offer disaggregated memory to applications using a local memory abstraction. Unfortunately, using virtual memory for disaggregation has multiple limitations, including high overhead that comes from the use of page faults to identify what data to fetch and cache locally, and high dirty data amplification that comes from the use of page-granularity for tracking changes to the cached data (4KB or higher). In this paper, we propose a fundamentally new approach to designing software runtimes for disaggregated memory that addresses these limitations. Our main observation is that we can use cache coherence instead of virtual memory for tracking applications' memory accesses transparently, at cache-line granularity. This simple idea (1) eliminates page faults from the application critical path when accessing remote data, and (2) decouples the application memory access tracking from the virtual memory page size, enabling cache-line granularity dirty data tracking and eviction. Using this observation, we implemented a new software runtime for disaggregated memory that improves average memory access time by 1.7-5X and reduces dirty data amplification by 2-10X, compared to state-of-the-art systems.},
    booktitle = {Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems},
    pages = {79–92},
    numpages = {14},
    keywords = {cache coherence, disaggregated memory, remote memory},
    location = {Virtual, USA},
    series = {ASPLOS '21}
}
        

Disaggregated memory can address resource provisioning inefficiencies in current datacenters. Multiple software runtimes for disaggregated memory have been proposed in an attempt to make disaggregated memory practical. These systems rely on the virtual memory subsystem to transparently offer disaggregated memory to applications using a local memory abstraction. Unfortunately, using virtual memory for disaggregation has multiple limitations, including high overhead that comes from the use of page faults to identify what data to fetch and cache locally, and high dirty data amplification that comes from the use of page-granularity for tracking changes to the cached data (4KB or higher). In this paper, we propose a fundamentally new approach to designing software runtimes for disaggregated memory that addresses these limitations. Our main observation is that we can use cache coherence instead of virtual memory for tracking applications' memory accesses transparently, at cache-line granularity. This simple idea (1) eliminates page faults from the application critical path when accessing remote data, and (2) decouples the application memory access tracking from the virtual memory page size, enabling cache-line granularity dirty data tracking and eviction. Using this observation, we implemented a new software runtime for disaggregated memory that improves average memory access time by 1.7-5X and reduces dirty data amplification by 2-10X, compared to state-of-the-art systems.
    
 
2020
    Aritra Dhar, 
Ivan Puddu, Kari Kostiainen, Srdjan Capkun
    
Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY '20) 
    
    
    
        
             Best Paper Award 
        
    
    
    
    
    
        
    
    
        @inproceedings{proximiTEE,
  author = {Dhar, Aritra and Puddu, Ivan and Kostiainen, Kari and Capkun, Srdjan},
  title = {ProximiTEE: Hardened SGX Attestation by Proximity Verification},
  year = {2020},
  isbn = {9781450371070},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3374664.3375726},
  doi = {10.1145/3374664.3375726},
  booktitle = {Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy},
  pages = {5–16},
  numpages = {12},
  location = {New Orleans, LA, USA},
  series = {CODASPY '20}
}
        
        
        Intel SGX enables protected enclaves on untrusted computing platforms. An important part of SGX is its remote attestation mechanism that allows a remote verifier to check that the expected enclave was correctly initialized before provisioning secrets to it. However, SGX attestation is vulnerable to relay attacks where the attacker, using malicious software on the target platform, redirects the attestation and therefore the provisioning of confidential data to a platform that he physically controls. Although relay attacks have been known for a long time, their consequences have not been carefully examined. In this paper, we analyze relay attacks and show that redirection increases the adversary's abilities to compromise the enclave in several ways, enabling for instance physical and digital side-channel attacks that would not be otherwise possible.We propose ProximiTEE, a novel solution to prevent relay attacks. Our solution is based on a trusted embedded device that is attached to the target platform. Our device verifies the proximity of the attested enclave, thus allowing attestation to the intended enclave regardless of malicious software, such as a compromised OS, on the target platform. The device also performs periodic proximity verification which enables secure enclave revocation by detaching the device. Although proximity verification has been proposed as a defense against relay attacks before, this paper is the first to experimentally demonstrate that it can be secure and reliable for TEEs like SGX. Additionally, we consider a stronger adversary that has obtained leaked SGX attestation keys and emulates an enclave on the target platform. To address such emulation attacks, we propose a second solution where the target platform is securely initialized by booting it from the attached embedded device.
    
 
2019
    Irina Calciu, 
Ivan Puddu, Aasheesh Kolli, Andreas Nowatzyk, Jayneel Gandhi, Onur Mutlu, Pratap Subrahmanyam
    
Proceedings of the Workshop on Hot Topics in Operating Systems (HotOS '19) 
    
    
    
    
    
        
    
    
        @inproceedings{pberry,
    author = {Calciu, Irina and Puddu, Ivan and Kolli, Aasheesh and Nowatzyk, Andreas and Gandhi, Jayneel and Mutlu, Onur and Subrahmanyam, Pratap},
    title = {Project PBerry: FPGA Acceleration for Remote Memory},
    year = {2019},
    isbn = {9781450367271},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3317550.3321424},
    doi = {10.1145/3317550.3321424},
    abstract = {Recent research efforts propose remote memory systems that pool memory from multiple hosts. These systems rely on the virtual memory subsystem to track application memory accesses and transparently offer remote memory to applications. We outline several limitations of this approach, such as page fault overheads and dirty data amplification. Instead, we argue for a fundamentally different approach: leverage the local host's cache coherence traffic to track application memory accesses at cache line granularity. Our approach uses emerging cache-coherent FPGAs to expose cache coherence events to the operating system. This approach not only accelerates remote memory systems by reducing dirty data amplification and by eliminating page faults, but also enables other use cases, such as live virtual machine migration, unified virtual memory, security and code analysis. All of these use cases open up many promising research directions.},
    booktitle = {Proceedings of the Workshop on Hot Topics in Operating Systems},
    pages = {127–135},
    numpages = {9},
    keywords = {cache coherence, FPGA, remote memory},
    location = {Bertinoro, Italy},
    series = {HotOS '19}
}
        

Recent research efforts propose remote memory systems that pool memory from multiple hosts. These systems rely on the virtual memory subsystem to track application memory accesses and transparently offer remote memory to applications. We outline several limitations of this approach, such as page fault overheads and dirty data amplification. Instead, we argue for a fundamentally different approach: leverage the local host's cache coherence traffic to track application memory accesses at cache line granularity. Our approach uses emerging cache-coherent FPGAs to expose cache coherence events to the operating system. This approach not only accelerates remote memory systems by reducing dirty data amplification and by eliminating page faults, but also enables other use cases, such as live virtual machine migration, unified virtual memory, security and code analysis. All of these use cases open up many promising research directions.
    
 
    Ivan Puddu, Daniele Lain, Moritz Schneider, Elizaveta Tretiakova, Sinisa Matetic, Srdjan Capkun
    
arXiv preprint (arXiv:1903.00449) 
    
    
    
    
    
        
    
    
        @misc{teevil,
  doi = {10.48550/ARXIV.1903.00449},
  url = {https://arxiv.org/abs/1903.00449},
  author = {Puddu, Ivan and Lain, Daniele and Schneider, Moritz and Tretiakova, Elizaveta and Matetic, Sinisa and Capkun, Srdjan},
  keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
  title = {TEEvil: Identity Lease via Trusted Execution Environments},
  publisher = {arXiv},
  year = {2019},
  copyright = {arXiv.org perpetual, non-exclusive license}
}
        
        
        We investigate identity lease, a new type of service in which users lease their identities to third parties by providing them with full or restricted access to their online accounts or credentials. We discuss how identity lease could be abused to subvert the digital society, facilitating the spread of fake news and subverting electronic voting by enabling the sale of votes. We show that the emergence of Trusted Execution Environments and anonymous cryptocurrencies, for the first time, allows the implementation of such a lease service while guaranteeing fairness, plausible deniability and anonymity, therefore shielding the users and account renters from prosecution. To show that such a service can be practically implemented, we build an example service that we call TEEvil leveraging Intel SGX and ZCash. Finally, we discuss defense mechanisms and challenges in the mitigation of identity lease services.
    
 
 
2018
    Patrick Leu, 
Ivan Puddu, Aanjhan Ranganathan, Srdjan Capkun
    
Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec '18) 
    
    
    
    
    
        
    
    
        @inproceedings{lora_leak,
  author    = {Patrick Leu and
               Ivan Puddu and
               Aanjhan Ranganathan and
               Srdjan Capkun},
  title     = {I Send, Therefore {I} Leak: Information Leakage in Low-Power Wide
               Area Networks},
  booktitle = {Proceedings of the 11th {ACM} Conference on Security {\&} Privacy
               in Wireless and Mobile Networks, WiSec 2018, Stockholm, Sweden, June
               18-20, 2018},
  pages     = {23--33},
  year      = {2018},
  crossref  = {DBLP:conf/wisec/2018},
  url       = {http://doi.acm.org/10.1145/3212480.3212508},
  doi       = {10.1145/3212480.3212508},
  timestamp = {Mon, 02 Jul 2018 08:35:05 +0200},
  biburl    = {https://dblp.org/rec/bib/conf/wisec/LeuPRC18},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
        
        
        Low-power wide area networks (LPWANs), such as LoRa, are fast emerging as the preferred networking technology for large-scale Internet of Things deployments (e.g., smart cities). Due to long communication range and ultra low power consumption, LPWAN-enabled sensors are today being deployed in a variety of application scenarios where sensitive information is wirelessly transmitted. In this work, we study the privacy guarantees of LPWANs, in particular LoRa. We show that, although the event-based duty cycling of radio communication, i.e., transmission of radio signals only when an event occurs, saves power, it inherently leaks information. This information leakage is independent of the implemented crypto primitives. We identify two types of information leakage and show that it is hard to completely prevent leakage without incurring significant additional communication and computation costs.
    
 
2017
    Ivan Puddu, Alexandra Dmitrienko, Srdjan Capkun
    
ePrint Archive: Report 2017/106 
    
    
    
    
    
        
    
    
        @misc{muchain,
      author = {Ivan Puddu and Alexandra Dmitrienko and Srdjan Capkun},
      title = {$\mu$chain: How to Forget without Hard Forks},
      howpublished = {Cryptology ePrint Archive, Paper 2017/106},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/106}},
      url = {https://eprint.iacr.org/2017/106}
}
        
        
        In this paper, we explore an idea of making (proof-of-work) blockchains mutable. We propose and implement chain, a mutable blockchain, that enables modifications of blockchain history. Blockchains are, by common definition, distributed and immutable data structures that store a history of events, such as transactions in a digital currency system. While the very idea of mutable event history may seem controversial at a first glance, we show that chain does not undermine security guarantees provided by immutable blockchains. In particular, all mutations in our system are controlled by fiat, enforced by consensus and are verifiable in the same way as regular transactions. At the same time, chain provides a solution to a number of challenging problems, such as the patching of vulnerable smart contracts and removal of abusive content from blockchain history. It also gives rise to new blockchain applications that were not possible with immutable blockchains. For instance, governments and companies could now maintain registers of citizens and customers, while preserving their legislated rights to be forgotten. Banks could consider  consolidation of cryptocurrency with traditional payments, which is hard to achieve without the ability to revert transactions. To further illustrate the power of chain on more concrete examples, we present two new applications, the collaborative recommendation system with the ability to censor inappropriate content, and a time-lock encryption mechanism that provides a method to decrypt messages after a certain deadline has passed.
    
 
 
 
Selected Talks
  - 
    Uncovering runtime trust in commercial TEE attestation protocols 
 Invited talk @ IBM Zurich - July 2023
 
- 
    TEE Tales: From TEEtime to TEEs attestation shortcoming 
 Invited talk @ Google (Sunnyvale Campus) - June 2023
 
- 
    Securing Cloud Deployments for the International Committee of the Red Cross
 @ AMLD Days ‘22 - March 2022
 
- 
    Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend
 @ ZISC Lunch Seminar -  November 2021
 
- 
    Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend
 @ USENIX Security ‘21 - August 2021
 
Service
Overall, I reviewed more than 100 papers either as a reviewer or sub-reviewer for the following conferences and journals:
PC:
IEEE S&P (2023),
SysTex (2023),
ASIACCS-SBC (2021)
Sub-reviewer:
IEEE S&P (2024, 2022, 2021, 2019, 2018),
NDSS (2024, 2023, 2022, 2021, 2020, 2018),
ACM CCS (2021),
USENIX Security (2024, 2022, 2018, 2017),
ASPLOS (2018),
IEEE/ACM MICRO (2017),
ISCA (2017),
ASIACCS (2023),
FC (2022, 2018),
Mobicom (2023,2021, 2018),
IEEE WIFS (2020),
IEEE DSN (2019),
IEEE Micro Top Picks (2018),
RAID (2018),
ACNS (2017),
ACM Transactions on Storage (2017)
From 2019 to 2021 I was a peer-to-peer counselor in the counselling team of AVETH, the association for scientific staff at ETH Zurich. Through this role, I helped several doctoral students and postdocs on academic, administrative, and personal issues.
PhD Thesis
@phdthesis{pdh_thesis_puddu,
	copyright = {In Copyright - Non-Commercial Use Permitted},
	year = {2023},
	type = {Doctoral Thesis},
	author = {Puddu, Ivan},
	size = {219 p.},
	keywords = {Hardware Security; Trusted Execution Environments; Side channel attacks; System security},
	language = {en},
	address = {Zurich},
	publisher = {ETH Zurich},
	DOI = {10.3929/ethz-b-000610177},
	title = {Understanding the Capabilities of Privileged Attackers Against Trusted Execution Environments},
	school = {ETH Zurich}
}
Our lives today rely on the secure operation of computers in a diverse set of sectors, from energy to medicine. However, today's computers execute software bloated with complexity. Their large codebases provide a rich and versatile system, but most functionalities are often not needed in their target applications. This increases the trusted computing base (TCB) – the software and hardware that needs to be trusted for the system to work correctly. A large TCB is undesirable, as it gives attackers a higher likelihood to find and exploit vulnerabilities.  Most of this complexity comes from the system software, that is, the operating system (OS) and the hypervisor. Despite this, the system software's codebase cannot generally be removed from the TCB, as it executes with the highest privileges.
Thanks to additional hardware primitives, Trusted Execution Environments (TEEs) break this paradigm, allowing even system software to be removed from the TCB. Most CPU manufacturers and architectures support some form of TEE: they can be found on Intel and AMD CPUs, as well as on ARM and RISC-V architectures. Their advent is promising, as they aim to let applications operate securely both when the (more privileged) system software is malicious and when a physical attacker can tamper with the system. Arguably, however, the guarantees that can be provided against such a strong and privileged attacker are not fully understood and often lead to TEE designs that make compromises invalidating the protections that they aim to provide. For example, previous work shows that the OS can abuse the CPU memory management interface to get notified when the TEE accesses attacker-specified memory regions, breaking data confidentiality. Understanding the capabilities of privileged attackers thus leads to more accurate designs and a more secure computing environment for everyone.
In this thesis, we contribute to the efforts of understanding the capabilities of privileged attackers in the context of TEEs in four main directions. First, we develop the Frontal attack, which shows that leveraging the OS to issue interrupts frequently leads to the CPU exposing detailed instruction execution timings, which can be used as a side channel. This side channel is detailed enough to leak encryption keys from a TEE and thus break data confidentiality. Second, we show that current commercial TEEs struggle to provide code confidentiality against a privileged attacker. Notably, we observe that using interpreters or JIT compilers inside TEEs – a popular choice due to their convenience and flexibility – leaks significantly more confidential instructions compared to a baseline where native instructions are used instead.
The third and fourth contributions relate to attestation protocols, which are used to verify that a TEE is protecting a given application. We emphasize the impact of previously neglected aspects in attestation protocols in both these contributions. In the third contribution, we highlight that relay attacks, while once thought to be tolerable given the TEE protections, enhance the capabilities of a privileged attacker. Finally, in the fourth contribution, we show that current attestation protocols implicitly assume trust in the TEE manufacturer at runtime – despite the manufacturers often claiming otherwise. While this implicit trust in the TEE manufacturer is often overlooked, our analysis shows that it is a concrete threat in practice and should thus be accounted for in future attestation protocols.
Accepted on the recommendation of:
Supervised Students
I supervised the following students in their master’s thesis, bachelor’s thesis, and semester projects:
Master’s Thesis:
  - Nicolas Dutly, Stefano Boschetto
Master’s Semester Project:
  - Nicolas Dutly, Gina Stoffel, Tobias Oberdörfer, Uroš Tešić
Bachelor’s Thesis:
Patents