Introduction to Software Side Channels and Mitigations
Course start: 3. ноември 2025
Introduction to Software Side Channels and Mitigations
Daniel Gruß
This course is part of a MOOC series: Side-Channel Security: Understanding and Defending Against Side Channels and Fault Attacks
Scientific classification:
Course start: 3. ноември 2025
Introduction to Software Side Channels and Mitigations
Daniel Gruß
This course is part of a MOOC series: Side-Channel Security: Understanding and Defending Against Side Channels and Fault Attacks
-
Scope: 5 units
-
Effort: 2 hours/week
-
Current participants: 12
-
Licence: CC BY 4.0
-
Course start: 3. ноември 2025
-
Course end: -
-
Current status: Upcoming course
-
Available languages:
Course details
Course content
Side channels exist in the real world, but they also exist in computers and can be exploited directly from software. This is a substantial computer security problem today, that we need to learn about to be able to stop attacks. In this course, you will learn and practice basic software-based side channels and understand the thought process to utilize a side channel. You will then learn how to mitigate or avoid side channels in software.
Learning goals
After completing this course, you will:
- be able to spot side-channel leakage in simple programmes
- be able to use software-based side channels to extract secret information
- be able to connect these security risks with methods to mitigate and close side channels in software
Prerequisites
No formal prerequisites, but it is expected that you already have started to build up your side-channel security mindset, for instance via the corresponding iMooX course.
Course schedule
There are 5 parts (episodes+exercises) in this course:
- Episode 1: Raiders of the Lost Account
Manuel loses access to his online account. In a search to recover it, the flat mates discover how to get from small variations in the execution to a side-channel attack on the PIN entry.
- Episode 2: Memory
Claudio runs a course grading server. Our flat mates set out to find a flaw in it and discover a new means of attacking software, by flushing and reloading memory (the so-called Flush+Reload attack).
- Episode 3: Not on my Watch
Lukas and Andreas miss a deadline and use Flush+Reload to still get a signature on their assignments even though the deadline has passed.
- Episode 4: Justice Leak
Claudio's course grading server corrupts an assignment, leading to an unfair zero points for some flat mates. They try to get justice and their points back, by using Flush+Reload again.
- Episode 5: Flush+Reload: Endgame
With all these attacks, and specific mitigations against them, the flatmates discuss possible generic mitigations against Flush+Reload.
Certificate
For actively participating in the course you will receive an automatic certificate which includes your name, the course name as well as the completed lessons. We want to point out that this certificate merely confirms that you answered at least 75% of the self-assessment questions correctly.
Licence
This work is licensed under Creative Commons - 4.0 International (CC BY 4.0)
Additional content
Discussion
If you prefer a more instant means of communication compared to the iMooX forum you can join our official community on Discord. Just visit https://discord.gg/rrbazVdAN9 and join SCS's Discord server!
Discussion Guidelines
Both Discord and the discussion forums are where you can express thoughts, develop ideas, and engage with classmates and instructors. Please review discussion postings before posting your own to avoid redundancy. When adding a forum post, mark it as a Question or a Discussion. Questions raise issues that need answers, whereas Discussions share ideas and start conversations. Do not post solutions or links to solutions to quiz questions or homework assignments anywhere. Give your message a meaningful title. Use common writing practices for online communication. Participation on Discord and in the discussion forums is voluntary, but we encourage participation to get to know everyone else taking the course. We, the instructors and TAs, will answer your questions on both platforms of course.
Academic Policy
The course follows the academic policy of TU Graz.
Course Instructor
Daniel Gruß
Daniel Gruß (@lavados) is a University Professor at Graz University of Technology. He loves teaching and research of system-level topics, including side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs, published in early 2018. In 2023, he received an ERC Starting Grant to research the sustainability of security. He frequently speaks at top international venues.
Partners
