
Tsinghua PhD Students Win NDSS 2026 Distinguished Paper for BTB Side-Channel Breakthrough


Tsinghua PhD Students' Groundbreaking Achievement at NDSS 2026

In a remarkable feat for Chinese higher education, two PhD students from Tsinghua University's Department of Computer Science and Technology (DCST), Rong Kaiyuan and Fang Junqi, have clinched the prestigious Distinguished Paper Award at the 33rd Network and Distributed System Security (NDSS) Symposium 2026. Their paper, titled "OCCUPY+PROBE: Cross-Privilege Branch Target Buffer Side-Channel Attacks at Instruction Granularity," supervised by Professor Dongsheng Wang from the High Performance Computing Institute, was announced on March 6, 2026. This accolade underscores Tsinghua's dominance in cybersecurity research, spotlighting the talent nurtured within its world-class programs.

The NDSS symposium, held February 23-27 in San Diego, California, is one of the top four conferences globally in network and system security, endorsed as an A-class event by the China Computer Federation (CCF). With an acceptance rate of just 17.89%, the award highlights the exceptional innovation from these young researchers, who are affiliated with both Tsinghua and the Zhongguancun Laboratory.

Understanding the Branch Target Buffer and Its Vulnerabilities

The Branch Target Buffer (BTB) is a critical hardware component in modern processors like Intel Core series (9th to 14th generations), designed to accelerate performance by caching branch instruction addresses and targets for quick prediction. However, this shared resource has long been a target for side-channel attacks, where attackers infer sensitive data through timing or access patterns without direct memory access.

Prior BTB attacks fell into two categories: access-based, which rely on shared BTB entries between user and kernel modes but fail against hardware isolation introduced in Intel's 11th generation and later; and eviction-based, which detect branch presence at set-level but lack the precision for instruction-level granularity. Tsinghua's team reverse-engineered the BTB's offset-related update mechanisms, uncovering four distinct behaviors, including a 'Direct Replacement' (DR) mode where kernel branches overwrite user entries despite isolation.

The OCCUPY+PROBE Attack: A Step-by-Step Breakdown

The core innovation, OCCUPY+PROBE, is an eviction-based side-channel attack executed entirely from user space on the same logical core as the victim kernel process. Here's how it works:

  • Occupy Phase (User Mode): The attacker crafts an 'occupy branch' whose address matches the victim kernel branch's last byte for BTB indexing, inserting a controlled entry.
  • Victim Execution (Kernel Mode): When the kernel executes the secret-dependent branch and it is taken, DR is triggered, replacing the occupy entry if indices, tags, and offsets align.
  • Probe Phase (User Mode): Using an aliased 'probe branch', the attacker measures instruction cache prefetch timing. A hit indicates replacement (branch taken); a miss means no replacement (branch not taken).

This achieves unprecedented instruction-level resolution, resisting mitigations like Confusing Dummy Branches (CDB).

Diagram illustrating the OCCUPY+PROBE BTB side-channel attack mechanism

Impressive Evaluation Results Across Intel Generations

Tested on Intel Core i7-9700, i9-10850K, i7-11700K, i7-12700K, i9-13900K, and i9-14900K (both P-cores and E-cores), the attack boasts 96.4%-100% accuracy in kernel branch leakage without CDB, and 91.9%-100% with it. In a real-world demonstration, it recovered an RSA private key (dp, dq components) from the Linux Kernel Crypto API's mpi_powm function with 98.6% mean accuracy (standard error 4.7%). Additionally, it extracted kernel branch tags to break Kernel Address Space Layout Randomization (KASLR) on the i7-11700K with 97.5% success, narrowing the address space significantly.

These results outperform prior techniques like BTB PRIME+PROBE, which degrade to ~48.9% under CDB due to coarse granularity.

Tsinghua's Stellar Track Record in Cybersecurity

Tsinghua University consistently leads global rankings in computer science and cybersecurity. In CSRankings 2026, it ties for first with Shanghai Jiao Tong University, and ranks second worldwide for computer science per some metrics. The DCST has a history of NDSS accolades, including recent Distinguished Papers on BGP hijacking by Yihao Chen and DNS bailiwick issues by Chaoyi Lu, both earning top honors or artifact badges in 2026. This builds on past wins like USENIX Security Distinguished Paper Awards.

For aspiring researchers, Tsinghua's programs offer cutting-edge labs like Zhongguancun and collaborations fostering breakthroughs. Explore research jobs or postdoc opportunities in China via AcademicJobs.com.

Real-World Implications for Processor Security

This research exposes persistent risks in commodity hardware, where kernel cryptographic operations (e.g., in filesystems, IPSec) become vulnerable. Attackers could decrypt data or forge signatures, amplifying threats in cloud environments or secure enclaves. As Intel dominates servers and desktops, mitigations must balance security and performance.

The team's responsible disclosure to Intel emphasizes ethical hacking's role in hardening systems. Learn more in the full paper at NDSS Proceedings.

Proposed Defenses and Future Directions

Mitigations include hardware changes like privilege bits in BTB entries or context-switch flushes (costly), and software approaches such as data-oblivious code or running crypto on E-cores (DR-free). Tsinghua suggests hybrid strategies for immediate protection.

  • Hardware: Record privilege domain in BTB tags.
  • Software: Eliminate secret branches; use efficient cores for sensitive ops.
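The software mitigation above, eliminating secret-dependent branches, is easiest to see on the operation the paper attacked: modular exponentiation. The block below is an added example, not code from the paper, from the Linux kernel's mpi_powm, or from the Tsinghua team. It shows a textbook square-and-multiply loop whose multiply step is guarded by a branch on each exponent bit (the pattern a branch side channel reads bit by bit), beside a data-oblivious version that executes both the square and the multiply on every iteration and uses a mask to select which result is kept, so the control flow is identical for every exponent. The function names, the 32-bit modulus bound and the test values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: modular exponentiation in two forms.
 * Not code from the paper, the kernel or Tsinghua.
 * Moduli are kept below 2^32 so 64-bit products never overflow. */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;        /* safe while m < 2^32 and a, b < m */
}

/* Secret-dependent branch: whether the multiply runs depends on each
 * exponent bit, so the taken/not-taken pattern of the 'if' is the key. */
uint64_t powm_branchy(uint64_t base, uint64_t exp, uint64_t mod, unsigned bits) {
    uint64_t r = 1 % mod;
    base %= mod;
    for (int i = (int)bits - 1; i >= 0; i--) {
        r = mulmod(r, r, mod);
        if ((exp >> i) & 1)    /* branch outcome reveals the secret bit */
            r = mulmod(r, base, mod);
    }
    return r;
}

/* Branch-free select: returns a when mask is all ones, b when all zeros. */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b) {
    return (mask & a) | (~mask & b);
}

/* Data-oblivious version: square and multiply both execute every
 * iteration; the secret bit only drives a mask, never a branch.
 * The loop always runs 'bits' times so the exponent length leaks nothing. */
uint64_t powm_oblivious(uint64_t base, uint64_t exp, uint64_t mod, unsigned bits) {
    uint64_t r = 1 % mod;
    base %= mod;
    for (int i = (int)bits - 1; i >= 0; i--) {
        uint64_t sq   = mulmod(r, r, mod);
        uint64_t mul  = mulmod(sq, base, mod);
        uint64_t mask = (uint64_t)0 - ((exp >> i) & 1);  /* 0x00..0 or 0xFF..F */
        r = ct_select(mask, mul, sq);
    }
    return r;
}

int main(void) {
    /* Constructed values: 4^13 mod 497 = 445 in both variants. */
    printf("branchy:   %llu\n", (unsigned long long)powm_branchy(4, 13, 497, 64));
    printf("oblivious: %llu\n", (unsigned long long)powm_oblivious(4, 13, 497, 64));
    return 0;
}
```

Two caveats a practitioner would check: the optimizer is free to turn a mask select back into a conditional branch, so the generated assembly (or a vetted constant-time primitive from the crypto library in use) needs to be inspected rather than assumed; and the mask trick only removes the branch, so the multiply's operand-dependent timing and memory accesses still have to be made uniform separately.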

Looking ahead, as processors evolve with hybrid cores and AI accelerators, side-channel research will intensify. China's cybersecurity push positions Tsinghua at the forefront.

Tsinghua's Role in China's Cybersecurity Ecosystem

Tsinghua tops cybersecurity rankings in China, alongside Peking and SJTU. Government initiatives like the National Cybersecurity Talent Base amplify such talents. For students eyeing higher ed in China, Tsinghua exemplifies rigorous PhD training yielding global impact. Check academic CV tips for applications.


Expert Perspectives and Industry Reactions

NDSS PC chairs praised the paper's novelty in evading modern mitigations. Industry experts note urgency for Intel patches, echoing past Spectre/Meltdown responses. Tsinghua's GitHub PoC (https://github.com/CPU-Security/OccupyProbe) aids verification.

In China, this bolsters national cyber resilience amid rising threats. Visit Tsinghua announcement for official details.

Opportunities and Advice for Aspiring Cybersecurity Researchers

This award inspires PhD aspirants. Prof. Wang's guidance highlights mentorship's value. Pursue research assistant roles or faculty positions at top Chinese unis. Tailor your path with career advice.


Looking Ahead: Cybersecurity's Future in Higher Education

Tsinghua's success signals China's ascent in cyber research. With quantum threats looming, expect more innovations. Rate professors at Rate My Professor, browse higher ed jobs, or seek university jobs. Share insights in comments below.

About the author: Jarrod Fred Kanizay, Academic Jobs In House Author


Frequently Asked Questions

🔒What is the OCCUPY+PROBE attack?

OCCUPY+PROBE is a novel eviction-based side-channel attack on Intel's Branch Target Buffer (BTB), enabling user-space detection of kernel branch outcomes at instruction granularity, bypassing hardware isolation.

🏆Who won the NDSS 2026 Distinguished Paper Award from Tsinghua?

PhD students Rong Kaiyuan and Fang Junqi, supervised by Prof. Dongsheng Wang, for their BTB side-channel paper.

💻What processors are affected by this research?

Intel Core 9th to 14th generations, including i7-9700 to i9-14900K (P-cores and E-cores).

🔑How accurate is the RSA key recovery?

98.6% mean accuracy from Linux Kernel Crypto API demonstrations.

📜What is NDSS and why is it prestigious?

Network and Distributed System Security Symposium, CCF A-class, 17.89% acceptance rate, top cybersecurity venue.

🛡️Does the attack break KASLR?

Yes, 97.5% success on i7-11700K by leaking branch tags.

🛠️What mitigations are suggested?

Hardware: Privilege bits in BTB; Software: Data-oblivious code, E-core usage for crypto.

📊Tsinghua's ranking in cybersecurity?

Tied #1 in CSRankings 2026, top in China for cyber research.

Other Tsinghua NDSS 2026 successes?

DNS Bailiwick paper by Chaoyi Lu, BGP hijacking by Yihao Chen with artifact badges.

🎓How to pursue cybersecurity PhD at Tsinghua?

Apply via official channels; strong in rankings. See CV tips and faculty jobs.

📖Where to read the full paper?

NDSS PDF and GitHub PoC.

🌍Implications for global cybersecurity?

Urges hardware vendors to revisit BTB designs; boosts secure coding practices worldwide.