About

David Kohlbrenner is an Assistant Professor in the Paul G. Allen School of Computer Science & Engineering at the University of Washington. His research interests span software security, systems, and hardware architecture, with a particular focus on the impact of hardware design on high-level software security. Prior to his current position, he was a post-doctoral researcher with Dawn Song and the ADEPT lab at UC Berkeley, and he completed his Ph.D. with Hovav Shacham at UC San Diego. Kohlbrenner's work emphasizes understanding and improving the security of computing systems through innovative hardware and software approaches.

Research topics

• Computer Science
• Computer Security
• Operating system
• Embedded system
• World Wide Web
• Distributed computing
• Programming language

Selected publications

• Unencrypted Flying Objects: Security Lessons from University Small Satellite Developers and Their Code

  ArXiv.org · 2025-05-14

  preprintOpen access

  Satellites face a multitude of security risks that set them apart from hardware on Earth. Small satellites may face additional challenges, as they are often developed on a budget and by amateur organizations or universities that do not consider security. We explore the security practices and preferences of small satellite teams, particularly university satellite teams, to understand what barriers exist to building satellites securely. We interviewed 8 university satellite club leaders across 4 clubs in the U.S. and perform a code audit of 3 of these clubs' code repositories. We find that security practices vary widely across teams, but all teams studied had vulnerabilities available to an unprivileged, ground-based attacker. Participants foresee many risks of unsecured small satellites and indicate security shortcomings in industry and government. Lastly, we identify a set of considerations for how to build future small satellites securely, in amateur organizations and beyond.

  PublisherOA PDFDOI

• Enabling Confidential I/O on RISC-V Without Hardware Modifications

  2025-10-13 · 1 citations

  articleOpen accessSenior author

  Despite the increasing complexity of operating systems and drivers, TEEs have been a reasonable option for protecting security-critical software from certain adversaries. However, increasing complexity and heterogeneity characterize the hardware side, too, with designers relying on accelerators and sensors to continue delivering performance gains and novel features. These accelerators and sensors often handle data which should be secured in some way; system integrators would therefore like to enforce confidentiality, integrity, or availability properties on them. Confidential I/O systems are able to enforce these properties at some performance cost, and can be built on top of various standard isolation primitives. Prior work has built such systems primarily on Intel and ARMv8 CPUs, but comparable functionality is currently missing on emerging RISC-V platforms.

  PublisherDOI

• Pixnapping: Bringing Pixel Stealing out of the Stone Age

  2025-11-19 · 2 citations

  articleOpen access

  Pixel stealing attacks enable malicious websites to leak sensitive content displayed in victim websites. The idea, introduced by Stone in 2013, is to embed victim websites in iframes and use SVG filters to compute on, and create side channels as a function of, those websites' pixels. Fortunately, despite the danger, pixel stealing attacks are all but mitigated today thanks to websites and web browsers heavily restricting iframes and cross-origin cookie sharing.

  PublisherOA PDFDOI

• Peek-a-Walk: Leaking Secrets via Page Walk Side Channels

  2025-05-12 · 5 citations

  article

  Microarchitectural side-channel attacks are an insidious threat to program security. An emerging class of these attacks constructs gadgets that dereference the contents of data memory directly. This is caused by optimizations, such as speculative execution and data-memory prefetching, that can guess (incorrectly) that the program is performing a pointer chase. In theory, this is devastating for security, as dereferencing a secret seemingly leaks it over memory-based side channels, e.g., through the cache. In practice, it is not. Since most secrets do not look like valid pointers, their dereference typically fails and does not leak anything. In this paper, we introduce the page walk side channel (PWSC), a new attack that can leak information even when an invalid pointer is dereferenced. In particular, given a 64-bit secret that passes the address canonicality check, PWSC can leak all remaining bits of the secret except for the low-order 6 bits, without making any assumptions on what these bits look like. We demonstrate how PWSC amplifies leakage in scenarios exploiting speculative execution and data-memory prefetching. For speculative execution, we show that PWSC, combined with Intel's LAM feature, can be exploited to leak nearly all of physical memory and that even without LAM, PWSC can be used to leak Dilithium secret keys. For data-memory prefetching, we reverse engineer the semantics of Intel's data-memory dependent prefetcher (DMP) and show how this DMP and PWSC can be combined to break security in an intra-process sandbox setting.

  PublisherDOI

• Pentimento: Data Remanence in Cloud FPGAs

  2024-04-22 · 2 citations

  articleOpen access

  Remote attackers can recover "FPGA pentimento" - long-removed data belonging to a prior user or proprietary design image on a cloud FPGA. Just as a pentimento of a painting can be exposed by infrared imaging, FPGA pentimentos can be exposed by signal timing sensors. The data constituting an FPGA pentimento is imprinted on the device through bias temperature instability effects on the underlying transistors. Measuring this degradation using a time-to-digital converter allows an attacker to (1) extract proprietary details or keys from an encrypted FPGA design image available on the AWS marketplace and (2) recover information from a previous user of a cloud-FPGA. These threat models are validated on AWS F1, with successful AES key recovery under one model.

  PublisherDOI

• Avoiding Instruction-Centric Microarchitectural Timing Channels Via Binary-Code Transformations

  2024-04-22 · 3 citations

  articleOpen accessSenior author

  With the end of Moore's Law-based scaling, novel microarchitectural optimizations are being patented, researched, and implemented at an increasing rate. Previous research has examined recently published patents and papers and demonstrated ways these upcoming optimizations present new security risks via novel side channels. As these side channels are introduced by microarchitectural optimization, they are not generically solvable in source code.

  PublisherDOI

• GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression

  2024-05-19 · 10 citations

  article

  Compression is a widely-deployed optimization that reduces data movement throughout modern computing stacks. Unfortunately, it is also a well-known source of side-channel leakage capable of leaking (potentially) fine-grained functions of the underlying data. There has, however, been a saving grace. Compression is typically software visible. Thus, software can "opt out" of harm’s way by disabling compression when sensitive data is involved, and tailor mitigations to known, public compression algorithms.This paper challenges the above conventional wisdom by demonstrating the existence of, and exploiting, software-transparent uses of compression. Specifically, we find that integrated GPUs from Intel and AMD vendors compress graphical data in vendor-specific and undocumented ways—even when software does not specifically request compression. Compression induces data-dependent DRAM traffic and cache utilization, which can be measured through side-channel analysis. We show the efficacy of this side channel by performing cross-origin SVG filter pixel stealing attacks through the browser.

  PublisherDOI

• Pentimento: Data Remanence in Cloud FPGAs

  arXiv (Cornell University) · 2023-03-31

  preprintOpen access

  Cloud FPGAs strike an alluring balance between computational efficiency, energy efficiency, and cost. It is the flexibility of the FPGA architecture that enables these benefits, but that very same flexibility that exposes new security vulnerabilities. We show that a remote attacker can recover "FPGA pentimenti" - long-removed secret data belonging to a prior user of a cloud FPGA. The sensitive data constituting an FPGA pentimento is an analog imprint from bias temperature instability (BTI) effects on the underlying transistors. We demonstrate how this slight degradation can be measured using a time-to-digital (TDC) converter when an adversary programs one into the target cloud FPGA. This technique allows an attacker to ascertain previously safe information on cloud FPGAs, even after it is no longer explicitly present. Notably, it can allow an attacker who knows a non-secret "skeleton" (the physical structure, but not the contents) of the victim's design to (1) extract proprietary details from an encrypted FPGA design image available on the AWS marketplace and (2) recover data loaded at runtime by a previous user of a cloud FPGA using a known design. Our experiments show that BTI degradation (burn-in) and recovery are measurable and constitute a security threat to commercial cloud FPGAs.

  PublisherOA PDFDOI

• DVFS Frequently Leaks Secrets: Hertzbleed Attacks Beyond SIKE, Cryptography, and CPU-Only Data

  2023-05-01 · 16 citations

  article

  The recent Hertzbleed disclosure demonstrates how remote-timing analysis can reveal secret information previously only accessible to local-power analysis. At worst, this constitutes a fundamental break in the constant-time programming principles and the many deployed programs that rely on them. But all hope is not lost. Hertzbleed relies on a coarse-grained, noisy channel that is difficult to exploit. Indeed, the Hertzbleed paper required a bespoke cryptanalysis to attack a specific cryptosystem (SIKE). Thus, it remains unclear if Hertzbleed represents a threat to the broader security ecosystem.In this paper, we demonstrate that Hertzbleed’s effects are wide ranging, not only affecting cryptosystems beyond SIKE, but also programs beyond cryptography, and even computations occurring outside the CPU cores. First, we demonstrate how latent gadgets in other cryptosystem implementations— specifically "constant-time" ECDSA and Classic McEliece— can be combined with existing cryptanalysis to bootstrap Hertzbleed attacks on those cryptosystems. Second, we demonstrate how power consumption on the integrated GPU influences frequency on the CPU—and how this can be used to perform the first cross-origin pixel stealing attacks leveraging "constant-time" SVG filters on Google Chrome.

  PublisherDOI

• Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

  IEEE Micro · 2023 · 37 citations

  Senior authorCorresponding
  • Computer Science
  • Computer Science
  • Computer Security

  Power side-channel attacks exploit data-dependent variations in a CPU’s power consumption to leak secrets. In this article, we show that on modern CPUs, power side-channel attacks can be turned into timing attacks that can be mounted without access to any power measurement interface. This discovery exploits how, under certain circumstances, the dynamic frequency scaling of modern x86 CPU depends on the current power consumption (and hence, data). We demonstrate that this “frequency side channel” is a real threat to the security of cryptographic software. First, we reverse engineer the dependency between data, power, and frequency on a modern x86 CPU—finding, among other things, that differences as small as a set bit’s position in a word can be distinguished through frequency changes. Second, we describe a novel chosen-ciphertext attack against (constant-time implementations of) supersingular isogeny key encapsulation that allows full key extraction via remote timing.

  PublisherDOI

Frequent coauthors

• Dayeol Lee

  11 shared

• Krste Asanović

  University of California, Berkeley

  11 shared

• Dawn Song

  11 shared

• Shweta Shinde

  7 shared

• Hovav Shacham

  The University of Texas at Austin

  7 shared

• Alina Oprea

  Universidad del Noreste

  6 shared

• Nataliia Bielova

  6 shared

• M. June Flanders

  University of Washington

  6 shared

Education

• Ph.D.

  UC San Diego

• Other

  UC Berkeley