Our goal is to protect trusted systems by reducing the probability of compromise and increasing the cost of crafting exploits, while staying within performance budgets and usability requirements.


Cyber-attacks are estimated to cost the world economy more than $400 billion annually. From botnets to advanced persistent threats to targeted attacks, system vulnerabilities in combination with a successful exploit can grant an attacker unauthorized access to a computing system, entailing the possibility to exfiltrate sensitive data of valuable individuals or companies, incapacitate critical infrastructures, or compromise code repositories to spread to new targets.

Zero-day exploits can be used to leverage unknown vulnerabilities in order to gain access, in a stealthy way, to systems believed to be secure. And they are very valuable, being traded for considerable sums in the upper six-digit range, which reflects the months of work that it takes highly skilled professionals to develop a working exploit.

Our group

We focus on systems security research, looking both at novel attacks and defenses to prevent systems from bein exploited. We use methods such as program analysis and fuzzing, and develop tools to aid ourselves and the systems security community in our research. We are particularly interested in the security of operating systems, programming languages, and the software/hardware interface.

Visit and subscribe to our blog to stay up-to-date with our latest research.


System Security Blog

Spear Attacks - Transient Bypass of Go Bound Checks

Read more

System Security Blog

SPEAR attacks - Stack Smashing Protector Bypass Use Case

Read more

IBM Research Blog

On the (In)security of ElGamal in OpenPGP

Read more

Proactive defense

To address the increasingly complex task of securing modern systems, we follow a three-pronged strategy:

Finding vulnerabilities and exploiting them

We find novel classes of attacks, and deepen our collective knowledge of existing attacks and exploitation, to guide prevention efforts.

Preventing vulnerabilities and their exploitation

We either remove bugs, or prevent them from being reachable, or harden systems such that attackers cannot make craft an exploit.

Methods and Tools

To support the previous two categories, we develop new methods and tools that help in finding and preventing vulnerabilities, as well as measurement and evaluation of the security posture of a system.

Featured Projects


Transient Execution Attacks

At the boundary between software and hardware, transient execution attacks on modern CPUs open a new attack surface on today’s complex systems. We find novel attacks, deepen our knowledge of exploitation of these attacks, and develop tooling to support prevention efforts.

Learn more


Linux Attack Surface Reduction

We develop techniques to reduce the attack surface of today’s complex OSes, ubiquitous in the cloud and mobile platforms.

Learn more

Publications and Research Areas

System Security Analysis


Collaborations are fundamental to successful research projects. The researchers working on Systems security at IBM come from academic backgrounds, and foster collaborations with academia and industry.



ETH logo
EPFL logo
Eurecom logo
Armasuisse logo


  1. A. Mambretti, M. Neugschwandtner, A., E. Kirda, W. Robertson, A. Kurmus
    Speculator: A Tool to Analyze Speculative Execution Attacks and Mitigations
    To appear in: Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC’19).
  2. A. Bhattacharyya, A. Sandulescu, M. Neugschwandtner, A. Sorniotti, B. Falsafi, M. Payer, A. Kurmus
    SMoTherSpectre: exploiting speculative execution through port contention
    To appear in: Proceedings of the 26th ACM Conference on Computer and Communications Security (ACM CCS’19) 2019.
  3. A. Mambretti, A. Sandulescu, M. Neugschwandtner, A. Sorniotti, A. Kurmus
    Two methods for exploiting speculative control flow hijacks
    In: Proceedings of the 13th USENIX Workshop on Offensive Technologies (WOOT’19) 2019.
  4. M. Neugschwandtner, A. Sorniotti, A. Kurmus
    Memory Categorization: Separating Attacker-Controlled Data
    In: Proceedings of the 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’19) 2019.
  5. A. Kurmus, N. Ioannou, M. Neugschwandtner, N. Papandreou, T. Parnel
    Is there a ‘rowhammer’ for MLC NAND flash SSDs? An analysis of filesystem attack vectors
    In: Proceedings of the Workshop on Offensive Technologies (WOOT’17) 2017.
  6. N. Weichbrodt, A. Kurmus, P. Pietzuch, Rüdiger Kapitza
    AsyncShock: Exploiting synchronisation bugs in Intel SGX enclaves
    In: Proceedings of the European Symposium on Research in Computer Security (ESORICS’16) 2016.
  7. M. Neugschwandtner, A. Beitler, A. Kurmus
    A transparent defense against USB eavesdropping attacks
    In: Proceedings of the 9th European Workshop on System Security (EUROSEC’16) 2016.
  8. M. Neugschwandtner, C. Mulliner, W. Robertson, E. Kirda
    Runtime Integrity Checking for Exploit Mitigation on Lightweight Embedded Devices
    In: Proceedings of the International Conference on Trust and Trustworthy Computing (TRUST’16) 2016.
  9. C. Mulliner, M. Neugschwandtner
    Breaking Payloads with Runtime Code Stripping and Image Freezing
    In: Proceedings of 18th Black Hat USA, 2015.
  10. M. Neugschwandtner, P. Milani Comparetti, I. Haller, H. Bos
    Nanoprobing Binaries for Buffer Overreads
    In: Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY’15) 2015.
  11. A. Kurmus, R. Zippel
    A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel
    In: Proceedings of the ACM Conference on Computer and Communications Security (CCS’14) 2014.
  12. A. Kurmus, S. Dechand, R. Kapitza
    Quantifiable Run-time Kernel Attack Surface Reduction
    In: Proceedings of the 10th International Conference on Detection of Intrusions and Malware, Vulnerability Assessment (DIMVA’14) 2014.
  13. [13] J. Zaddach, A. Kurmus, D. Balzarotti, E.-O. Blass, A. Francillon, T. Goodspeed, M. Gupta, I. Koltsidas
    Implementation and Implications of a Stealth Hard-Drive Backdoor
    In: Proceedings of Annual Computer Security Applications Conference (ACSAC’13) Best student paper award, 2013.
  14. A. Kurmus, R. Tartler, D. Dorneanu, B. Heinloth, V. Rothberg, A. Ruprecht, W. Schröder-Preikschat, D. Lohmann and R. Kapitza
    Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring
    In: Proceedings of the 20th Network and Distributed System Security Symposium (NDSS’13) 2013.
  15. A. Kurmus, A. Sorniotti, R. Kapitza
    Attack Surface Reduction For Commodity OS Kernels
    In: Proceedings of the 4th European Workshop on System Security (EUROSEC’11) 2011.