MIT’s Secure Hardware Design Class (6.5950/6.5951) is an open-source course that teaches students both how to attack modern CPUs and design architectures resilient to those attacks. Students gain hands-on experience hacking real processors and are taught various state-of-the-art hardware attacks and defenses.
This course is the culmination of multiple years of work. Browse our story here.
Secure Hardware Design is the culmination of years of effort by a team of students. Say “hello” to the people behind it!
Our course philosophy involves three pillars- Think, Play, Do.
In Lecture, we encourage students to think critically about hardware security as a part of greater systems. Our lectures are designed to guide critical thinking and engagement with the research literature.
|Hardware support for software security
|Tools for security assurance
The 🔨 icon means this lecture features an in-class demo.
Please send requests for powerpoint files to Mengjia.
In Recitation, we encourage students to play with the course materials through interactive hands-on games. Our recitations consist of interactive learning sessions, leveraging the Capture-the-Flag (CTF) format for friendly competitions amongst students. Students team up and work with their peers to conquer various challenges together.
|A brief refresher on C/ C++ syntax and useful features.
|Cache Attack Recitation
|A visual overview of prime+probe on a custom RISC-V CPU.
|Physical Attacks Recitation
|Students work together to implement a timing side channel against real microcontrollers.
|RISC-V System Programming Recitation
|Overview of the privileged ISA specification for RISC-V with emphasis on exception handling and interrupt conditions.
|Formal Verification Recitation
|Students learn the basics of formal verification techniques.
In Labs, students have a chance to actually put the concepts from class to work. The attack labs involve implementing attacks taught in class on real hardware. No simulators, no trickery, no nonsense. Real implementations on real hardware.
Every year, we update our course to reflect the ever-changing landscape of research in the hardware security world. All of these labs are open-source and free to use. Just shoot us an email at
hw-sec-lab-dev at mit dot edu before doing so, so we can give you the instructor’s solutions and starter gradebook. If you do use our materials in your class, make sure to attribute us on your class webpage.
|Cache Side Channels
|x86_64 Linux server. Some tuning required. We use Cascade Lake.
|x86_64 Linux server.
|Any modern web browser (Chrome, Firefox, Safari).
|x86_64 Linux server. Some tuning to match your hardware required.
|x86_64 Linux server.
|x86_64 Linux server.
Students start with building primitives to measure cache access latencies and examine microarchitecture details. Next, they will implement Prime+Probe on a modern cache hierarchy, requiring a thorough understanding of cache geometry. Finally, they implement a covert channel chat client, demonstrating mastery over creating contention on set associative structures.
Students implement a Flush+Reload attack against shared memory between userspace and kernelspace. Then, they extend their attack to work under speculation in increasingly difficult exploitation scenarios to leak kernel memory back to userspace.
Students learn the essential steps towards implementing Rowhammer in the wild. We guide the students to go through the two level address translation: virtual address -> physical address -> DRAM location. The students are first given the physical address of vulnerable rows and hammer rows and they will quickly see bit flips in the wild. Then the students are asked to reverse engineering some missing pieces of DRAM banking functions to search for unknown vulnerable rows.
Students defeat ASLR using a variety of attacks including using both OS and microarchitectural side channels. Then, they implement a code reuse attack (ROP) using the leaked ASLR slide.
This is our capstone open-ended design project. Students are tasked with discovering bugs in a real CPU RTL design by implementing system software and creating a custom instruction fuzzer. They are free to implement this fuzzer however they’d like, so long as it can capture processor exceptions and discover backdoors automatically.