Antoine Plin, class of 2026 at ESILV and a participant in the Parcours Recherche (Research Track), presented his research paper “Knock-Knock: Black-Box, Platform-Agnostic DRAM Address-Mapping Reverse Engineering” at the Microarchitecture Security Conference (uASC) 2026, held in Leuven, Belgium.
This presentation was delivered at an international conference on microarchitectural security research.
The annual uASC conference
The annual uASC conference is recognised as a leading international forum for advancing understanding of microarchitectural security. It brings together researchers and experts from academia and industry to present and discuss recent advances related to hardware security, side-channel analysis, and microarchitecture-level attacks and defences.
The proceedings of uASC are published by Ruhr University Bochum as part of the Proceedings of the Microarchitecture Security Conference.
With its Diamond Open Access model, all accepted papers are freely and immediately available to the research community at the start of the conference, ensuring broad dissemination and accessibility of the presented work.
Research Conducted During an Inria Master’s Internship
The paper was developed during a Master’s summer research internship at Inria, where Antoine Plin worked on the challenge of reverse-engineering DRAM (dynamic random access memory, is defined as a type of volatile memory that stores each bit of data in a separate capacitor, requiring periodic refresh to maintain the information due to capacitor charge leakage) address mappings in modern Systems-on-Chip (SoCs).
These systems rely on undocumented linear address-scrambling functions that obscure the relationship between physical memory addresses and DRAM components such as banks and rows.
While this obfuscation can limit certain attack vectors, it also complicates DRAM-aware performance optimizations and restricts proactive security analysis, particularly for DRAM-based vulnerabilities such as Rowhammer.
Previous approaches to this problem have largely been heuristic-based, partial, and computationally expensive, making them impractical for comprehensive recovery on modern platforms. The research presented at uASC addresses these limitations by establishing a rigorous theoretical framework grounded in linear algebra.
A Linear Algebraic and Platform-Agnostic Approach
The proposed work formulates the reverse-engineering problem using linear algebra over the finite field GF(2). By characterising the timing fingerprints produced by row-buffer conflicts, the study demonstrates a formal relationship between the DRAM bank addressing matrix and an empirically constructed matrix of physical addresses.
Based on this characterisation, the paper introduces an automated, noise-robust, and fully platform-agnostic algorithm that, in polynomial time, recovers the complete DRAM bank mask basis, representing a significant improvement over previous exponential-time methods.
The model is further extended to support complex row mappings through new hardware-based hypotheses, enabling the automatic recovery of row address bases without human-guided intervention.
Experimental evaluations across a range of embedded and server-class architectures demonstrate 99% recall and accuracy on all tested platforms. Notably, the Knock-Knock method completes in only a few minutes, even on systems equipped with more than 500 GB of DRAM, underscoring its scalability and practical relevance.
ESILV’s research projects are conducted under guidance and support
This research was conducted under the mentorship of Lorenzo Casalino, Thomas Rokicki, and Rubén Salvador, whose guidance supported the project from its early experimental phases through to its presentation at an international conference. Their supervision contributed both to the scientific quality of the work and to the development of Antoine’s research skills.
Antoine Plin’s contribution reflects the objectives of ESILV’s Parcours Recherche, which prepares students for academic research, doctoral studies, and research-oriented careers in industry.
Through immersion in research projects led by faculty members of the De Vinci Research Centre, students acquire key competencies in R&D project management, scientific literature analysis, experimental methodology, and scientific communication.
Learn more about ESILV’s research strategy