pwn.college - Microarchitecture Exploitation - DCTLV2025

Name of Training: Microarchitecture Exploitation 
Trainer(s): Yan Shoshitaishvili, Connor Nelson, Robert Wasinger, Adam Doupé
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT 
Venue: Las Vegas Convention Center
Cost: $2000

Course Description: 

Modern CPUs squeeze enormous performance from tiny pieces of silicon—and, in doing so, expose subtle cracks attackers can pry open to steal secrets below the assembly layer.
This intensive two-day course demystifies cache-based side-channels, branch-misprediction leaks, and transient-execution attacks such as Spectre and Meltdown. Students gain a principled mental model for how microarchitectural features work, how they break, and how to build reliable exploits and defenses. Content is delivered "pwn.college-style": short concept lectures immediately reinforced by hands-on challenges you solve in a provided browser-based lab environment where you exploit real hardware. This lab environment will continue to be available for students to practice after the training ends.

Course Outline:

  • Microarchitectural Foundations
    • Architecture vs. microarchitecture, pipeline overview
    • Memory hierarchy: L1/L2/L3 caches, cache lines, coherence
  • Cache Fundamentals & Timing Primitives
    • Cache hits/misses, eviction, replacement policies
    • High-resolution timers, rdtsc, fencing instructions
  • Cache-Based Side-Channels
    • Flush + Reload mechanics
    • Evict + Time and Prime + Probe variants
  • Speculative Execution & Transient Instructions
    • Out-of-order pipelines, reservation stations, reorder buffers
    • Fencing, serialization, and speculation barriers
  • Branch Prediction Internals
    • Local/global history tables, perceptrons, indirect-branch predictors
    • Poisoning and mistraining strategies
  • Spectre Variant 1 (Conditional Misprediction)
    • Gadget hunting, bounds-check bypass pattern
    • Exploit orchestration and noise reduction techniques
  • Spectre Variant 2 (Indirect Branch Target Injection)
    • RSB/BPB internals, trampoline gadgets
    • Kernel vs. user-space attack surfaces
  • Meltdown (Fault-Driven Transient Reads)
    • Permission checks, page-fault racing, exception suppression
    • Translating kernel addresses to physical leaks
  • Mitigations & Defenses
    • KPTI, retpolines, lfence hardening, cache partitioning
    • Hardware fixes and their performance costs
  • Attack Engineering & Automation
    • Reliable measurement pipelines, statistical filtering
    • Ethics, disclosure, and real-world case studies

Difficulty Level:

Intermediate. Designed for students who already feel comfortable reading x86-64 assembly, writing C, using GDB, and working in a Linux shell. No prior hardware-security background is assumed.

Suggested Prerequisites:

  • Working knowledge of C or C++.
  • Ability to read and write basic x86-64 assembly.
  • Prior experience with classic memory-corruption or binary-exploitation techniques is helpful but not required.

What Students Should Bring: 

  • A laptop with a modern web browser that can connect to the Internet. All labs will be available in a browser-based environment, so no additional software installation is required.
  • It may be helpful to create a free account on https://pwn.college before the training, and get some quick familiarity with the platform at https://pwn.college/welcome, but this is not required.
  • A willingness to learn and experiment with new concepts.

Trainer(s) Bio:

Zardus (Yan Shoshitaishvili, PhD)

Zardus has been part of the DEF CON community since DEF CON 9 (2001) and part of the Shellphish CTF team since DEF CON 17 (2009). He ran DEF CON CTF for four years (2018-2021) with Order of the Overflow, and successfully captained Shellphish through its participation in the DARPA Cyber Grand Challenge, in which they won third place and a spot in history (but not in the Smithsonian). Now he is an Associate Professor of Computer Science at Arizona State University and co-founder of pwn.college, where he has taught tens of thousands of students how to hack.

kanak (Connor Nelson, PhD)

Connor is a DEF CON veteran and has been part of the DEF CON CTF community since 2015. He has been a member of the Shellphish CTF team since 2018, and has competed in numerous CTFs around the world. He is the chief architect and co-founder of pwn.college, where he has helped design and deliver education to tens of thousands of students. His research primarily focuses on the intersection between CTF and education, and he has published several papers on the topic.

robwaz (Robert Wasinger)

Robert is the Principal Microarchitecture Curriculum Developer at pwn.college, where he leads the creation, maintenance, and delivery of advanced educational content on microarchitecture exploitation, among numerous other cybersecurity topics. Known for his engaging lectures on YouTube and Twitch, Robert famously insists that the man page is always the ultimate source of truth, firmly believing that no question lies beyond the reach of man. When not meticulously dissecting exploits, you'll likely find him helping students with their toughest questions on the pwn.college Discord server.

adamd (Adam Doupé, PhD)

Adam is equal parts hacker and educator, seamlessly blending exploits and insights. With deep roots in DEF CON culture, he ran the renowned DEF CON CTF with Order of the Overflow from 2018 to 2021, after competing in several editions with Shellphish. As Director of Arizona State University's Center for Cybersecurity & Trusted Foundations (CTF), he unearths vulnerabilities—including multiple CVEs in Apple's core OS—and transforms complex security topics into digestible, engaging lessons. Winner of the NSF CAREER Award and the ASU Fulton Best Teacher Award, he brings an infectious enthusiasm to cybersecurity education that resonates with both seasoned hackers and new learners alike.

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.
