Lukas Maar

About Me:

Hey and welcome to my site. I am a security and vulnerability researcher from Austria. I defended my PhD titled Kernel Security in the Wild at the Institute of Information Security (former IAIK), Graz University of Technology, supervised by Stefan Mangard. My research focuses on system security, with a particular focus on kernel attacks and defenses, side-channel attacks targeting the kernel, and Android kernel security.

Interests

System Security
Kernel Attacks and Defenses
Side-Channel Attacks
Android Kernel Security

Education

PhD in Computer Science, 2025
Graz University of Technology
MSc in Electrical Engineering, 2022
Graz University of Technology
BSc in Computer Science, 2022
Graz University of Technology
BSc in Electrical Engineering, 2018
Graz University of Technology

Blog

2026

Privilege Escalation via a Page Use-After-Free in Qualcomm's AI Accelerator Linux Kernel Driver
Lukas Maar
Info GitHub

Bug class: A memory mapping lifetime bug in Qualcomm's QAIC AI accelerator driver leaves stale page-table state behind.
Exploit path: The stale mapping survives after the original physical backing memory is freed, creating a page-level use after free that I reclaim with pipe_buffer metadata and turn into local privilege escalation.
Virtualized research: By virtualizing the relevant QAIC driver path in QEMU, I could continue kernel-exploitation experiments on Linux v6.18 without access to the accelerator hardware.

From KernelSnitch to Practical msg_msg/pipe_buffer Heap KASLR Leaks
Lukas Maar
Info GitHub

Portable Core Leak: KernelSnitch is a software-only timing side channel that leaks mm_struct-backed page locations without relying on a memory-safety bug, with its POC having a near-100% success rate.
Practical pivot: Combined with cross-cache reuse, this core yields practical msg_msg/pipe_buffer heap KASLR leaks: above 98% on desktop kernels and KernelCTF instances, and practical on the Android kernel.
Security implication: This leakage class remains exploitable under MTE because it avoids invalid tagged accesses, and the core leak can also recover the tag of tagged kernel mm_struct addresses.

Publications

2026

Clone2Pwn: A Systematic Security Analysis of Data Migration Tools in the Android Ecosystem
Florian Draschbacher, Lukas Maar, Lorenz Schumm, Rene Denifl, Lukas Treffner, Stefan Mangard
European Symposium on Research in Computer Security (ESORICS) 2026
CVE-2025-15515, CVE-2025-21060, CVE-2025-21061, CVE-2025-21062, CVE-2025-21064, CVE-2025-21078, CVE-2025-27387
Info BibTex GitHub

@inproceedings{Draschbacher2026Clone2Pwn,
  author = {Florian Draschbacher and Lukas Maar and Lorenz Schumm and Rene Denifl and Lukas Treffner and Stefan Mangard},
  booktitle = {{ESORICS}},
  title = {{Clone2Pwn: A Systematic Security Analysis of Data Migration Tools in the Android Ecosystem}},
  year = {2026}
}

Eviction Notice: Reviving and Advancing Page Cache Attacks
Sudheendra Raghav Neela, Jonas Juffinger, Lukas Maar, Daniel Gruss
Network and Distributed System Security (NDSS) 2026
Artifacts evaluated: Available, Functional, Reproduced CVE-2025-21691
Info BibTex GitHub Zenodo

In this paper, we revive page cache attacks and provide a systematic classification of primitives which interact with the page cache. This helps us advance page cache attacks, including speeding up previously known mechanisms by six orders of magnitude.

@inproceedings{Neela2026EvictionNotive,
  author = {Sudheendra Raghav Neela and Jonas Juffinger and Lukas Maar and Daniel Gruss},
  booktitle = {{NDSS}},
  title = {{Eviction Notice: Reviving and Advancing Page Cache Attacks}},
  year = {2026}
}

2025

Kernel Security in the Wild
Lukas Maar
PhD Thesis
Gesellschaft der Informatik Dissertation Award Nominee
Info BibTex Slides

@phdthesis{Maar2025KernelSecurityInTheWild,
  author = {Lukas Maar},
  title = {{Kernel Security in the Wild}},
  year = {2025},
  school = {Graz University of Technology},
  type = {PhD thesis}
}

The Doom of Device Drivers: Your Android Device (Most Likely) has N-Day Kernel Vulnerabilities
Lukas Maar, Florian Draschbacher, Lorenz Schumm, Ernesto Martínez García, Stefan Mangard
USENIX Security Symposium 2025
Info BibTex Slides Poster

In this paper, we examine the security of Android devices against n-day exploitation. First, we identify kernel drivers accessible to untrusted apps, revealing a broader-than-expected kernel attack surface. Using public sources like git history, we then identify n-day vulnerabilities in these drivers. Finally, we perform a patch analysis that shows many remain unpatched for extended periods. This enables malicious actors to exploit n-days instead of relying on costly zero-days.

@inproceedings{Maar2025DeviceDrivers,
  author = {Lukas Maar and Florian Draschbacher and Lorenz Schumm and Ernesto Martinez Garcia and Stefan Mangard},
  booktitle = {{USENIX Security}},
  title = {{The Doom of Device Drivers: Your Android Device (Most Likely) has N-Day Kernel Vulnerabilities}},
  year = {2025}
}

When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks
Lukas Maar, Lukas Giner, Daniel Gruss, Stefan Mangard
USENIX Security Symposium 2025
Artifacts evaluated: Available, Functional, Reproduced
Info BibTex GitHub Zenodo Slides Poster Black Hat USA Nullcon Berlin

In this paper, we show how side-channel leakage in kernel defenses can expose the locations of security-critical kernel objects, enabling reliable kernel exploitation. We show that fine-graining the object's memory mapping by enabling any of three defenses exposes exploitable TLB contention patterns observable via a side channel. Combined with kernel allocator massaging, this allows location disclosure attacks, revealing the locations of kernel heap objects, page tables and stacks.

@inproceedings{Maar2025LocationDisclosures,
  author = {Lukas Maar and Lukas Giner and Daniel Gruss and Stefan Mangard},
  booktitle = {{USENIX Security}},
  title = {{When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks}},
  year = {2025}
}

ChoiceJacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago
Florian Draschbacher, Lukas Maar, Mathias Oberhuber, Stefan Mangard
USENIX Security Symposium 2025
Artifacts evaluated: Available CVE-2024-20900, CVE-2024-43085, CVE-2025-24193, CVE-2024-54096
Info BibTex Zenodo Black Hat Asia

In this paper, we introduce ChoiceJacking, a novel USB-based attack exploiting the flawed assumption that attackers cannot inject input events during data connection establishment. Our platform-agnostic attack enables a malicious charger to spoof user input, enabling data transfer on Android and iOS. Testing across devices from 8 vendors reveals critical USB security flaws, allowing sensitive file access, even from locked devices in some cases.

@inproceedings{Draschbacher2025ChoiceJacking,
  author = {Florian Draschbacher and Lukas Maar and Mathias Oberhuber and Stefan Mangard},
  booktitle = {{USENIX Security}},
  title = {{ChoiceJacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago}},
  year = {2025}
}

Cryptographic Least Privilege Enforcement for Scalable Memory Isolation
Martin Unterguggenberger, David Schrammel, Lukas Maar, Lukas Lamster, Vedad Hadzic, Stefan Mangard
IEEE International Symposium on Hardware Oriented Security and Trust (HOST) 2025
Info BibTex

In this paper, we present Cryptographic Least Privilege Enforcement (CLPE), a lightweight ISA extension using Message Authentication Codes (MACs) to enforce fine-grained memory isolation in C/C++ systems. CLPE enhances security with minimal performance overhead while maintaining compatibility with legacy software.

@inproceedings{Unterguggenberger2025CLPE,
  author = {Martin Unterguggenberger and David Schrammel and Lukas Maar and Lukas Lamster and Vedad Hadzic and Stefan Mangard},
  booktitle = {{HOST}},
  title = {{Cryptographic Least Privilege Enforcement for Scalable Memory Isolation}},
  year = {2025}
}

KernelSnitch: Side-Channel Attacks on Kernel Data Structures
Lukas Maar, Jonas Juffinger, Thomas Steinbauer, Daniel Gruss, Stefan Mangard
Network and Distributed System Security (NDSS) 2025
Artifacts evaluated: Available, Functional, Reproduced Pwnie Award Nominee
Info BibTex GitHub Slides Black Hat Asia Nullcon Berlin

In this paper, we introduce KernelSnitch, a novel hardware-agnostic side-channel attack that exploits timing variations in kernel data structures like hash tables and trees to leak sensitive information. We demonstrate leakage amplification approaches to make this side channel exploitable from user space. Through a kernel heap pointer leak, covert channel and activity monitoring, we demonstrate practical attacks.

@inproceedings{Maar2025KernelSnitch,
  author = {Lukas Maar and Jonas Juffinger and Thomas Steinbauer and Daniel Gruss and Stefan Mangard},
  booktitle = {{NDSS}},
  title = {{KernelSnitch: Side-Channel Attacks on Kernel Data Structures}},
  year = {2025}
}

Power-Related Side-Channel Attacks using the Android Sensor Framework
Mathias Oberhuber, Martin Unterguggenberger, Lukas Maar, Andreas Kogler, Stefan Mangard
Network and Distributed System Security (NDSS) 2025
Info BibTex

In this paper, we uncover novel power-related side channels in Android devices by analyzing unprivileged sensors. Through extensive evaluations and case studies, we demonstrate attacks such as pixel stealing and AES key leakage.

@inproceedings{Oberhuber2025PowerAndroidSensor,
  author = {Mathias Oberhuber and Martin Unterguggenberger and Lukas Maar and Andreas Kogler and Stefan Mangard},
  booktitle = {{NDSS}},
  title = {{Power-Related Side-Channel Attacks using the Android Sensor Framework}},
  year = {2025}
}

2024

Manifest Problems: Analyzing Code Transparency for Android Application Bundles
Florian Draschbacher, Lukas Maar
Annual Computer Security Applications Conference (ACSAC) 2024
Artifacts evaluated: Available, Functional, Reproduced CVE-2023-21387
Info BibTex GitHub

In this paper, we present the first security analysis of Code Transparency for Android Application Bundles (AAB). Our analysis uncovers significant shortcomings in Code Transparency, leaving developers unprotected against supply chain attacks enabled by AAB.

@inproceedings{Draschbacher2024ManifestProblems,
  author = {Florian Draschbacher and Lukas Maar},
  booktitle = {{ACSAC}},
  title = {{Manifest Problems: Analyzing Code Transparency for Android Application Bundles}},
  year = {2024}
}

Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels
Lukas Maar, Florian Draschbacher, Lukas Lamster, Stefan Mangard
USENIX Security Symposium 2024
Artifacts evaluated: Available, Functional, Reproduced
Info BibTex GitHub Slides

In this paper, we present Defects-in-Depth, a two-fold analysis of the security of downstreamed Android kernels from the top device vendors. Initially, we analyze one-day exploits and kernel defense-in-depth mechanisms, allowing us to quantify the level of security that can be reached with these defenses. We then analyze the effectiveness and inclusion of the defenses in downstreamed Android kernels and found that the level of security that is actually reached is severely lacking.

@inproceedings{Maar2024DefectsInDepth,
  author = {Lukas Maar and Florian Draschbacher and Lukas Lamster and Stefan Mangard},
  booktitle = {{USENIX Security}},
  title = {{Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels}},
  year = {2024}
}

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel
Lukas Maar, Stefan Gast, Martin Unterguggenberger, Mathias Oberhuber, Stefan Mangard
USENIX Security Symposium 2024
Artifacts evaluated: Available, Functional, Reproduced CSAW'24 Europe Applied Research Competition (ARC) Finalist
Info BibTex Poster GitHub Slides

In this paper, we present SLUBStick, which provides a practical solution for converting a kernel heap vulnerability into a physical arbitrary r/w primitive with state-of-the-art kernel defenses enabled. Initially, SLUBStick exploits a timing side-channel on the SLUB allocator to reliably perform cross-cache reuse. SLUBStick then exploits code patterns in the kernel to convert a limited write (due to a heap vulnerability) into a page-manipulation primitive, enabling the physical arbitrary r/w primitive.

@inproceedings{Maar2024SLUBStick,
  author = {Lukas Maar and Stefan Gast and Martin Unterguggenberger and Mathias Oberhuber and Stefan Mangard},
  booktitle = {{USENIX Security}},
  title = {{SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel}},
  year = {2024}
}

Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI
Lukas Maar, Pascal Nasahl, Stefan Mangard
ACM ASIA Conference on Computer and Communications Security (AsiaCCS) 2024
Info BibTex Slides

In this paper, we present HEK-CFI, a novel approach leveraging Intel CET to protect control-flow data during system events, function pointers, operation table pointers, and return addresses. We implement and evaluate a HEK-CFI proof-of-concept, demonstrating reasonable performance overhead while providing superior protection compared to other kernel CFI schemes.

@inproceedings{Maar2024HEKCFI,
  author = {Lukas Maar and Pascal Nasahl and Stefan Mangard},
  booktitle = {{AsiaCCS}},
  title = {{Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI}},
  year = {2024}
}

Remote Scheduler Contention Attacks
Stefan Gast, Jonas Juffinger, Lukas Maar, Christoph Royer, Andreas Kogler, Daniel Gruss
Financial Cryptography (FC) 2024
Info BibTex

In this paper, we present scheduler contention on AMD Zen 3 and Zen 4, demonstrating an inter-keystroke timing and a JavaScript covert-channel attack.

@inproceedings{Gast2024Remote,
  author = {Stefan Gast and Jonas Juffinger and Lukas Maar and Christoph Royer and Andreas Kogler and Daniel Gruss},
  booktitle = {{FC}},
  title = {{Remote Scheduler Contention Attacks}},
  year = {2024}
}

2023

DOPE: DOmain Protection Enforcement with PKS
Lukas Maar, Martin Schwarzl, Fabian Rauscher, Daniel Gruss, Stefan Mangard
Annual Computer Security Applications Conference (ACSAC) 2023
Artifacts evaluated: Functional
Info BibTex GitHub Slides

In this paper, we present DOPE, a novel approach leveraging Intel PKS to protect sensitive data from data-oriented attacks. We implement and evaluate a DOPE proof-of-concept, demonstrating reasonable performance overhead while providing superior protection compared to other kernel data protection schemes.

@inproceedings{Maar2023DOPE,
  author = {Lukas Maar and Martin Schwarzl and Fabian Rauscher and Daniel Gruss and Stefan Mangard},
  booktitle = {{ACSAC}},
  title = {{DOPE: DOmain Protection Enforcement with PKS}},
  year = {2023}
}

Talks

2026

Kernel Security in the Wild
Lukas Maar
Gesellschaft der Informatik Dissertation Award

2025

Kernel Security in the Wild
Lukas Maar
PhD Thesis

Derandomizing Kernel Object Locations with Software- and Hardware-Induced Side Channels
Lukas Maar
Nullcon Berlin 2025
Website Recording

The Doom of Device Drivers: Your Android Device (Most Likely) has N-Day Kernel Vulnerabilities
Lukas Maar
USENIX Security 2025
Website

When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks
Lukas Maar
USENIX Security 2025
Website

Derandomizing the Location of Security-Critical Kernel Objects in the Linux Kernel
Lukas Maar, Lukas Giner
Black Hat USA 2025
Website Recording

KernelSnitch: Leaking Kernel Heap Pointers by Exploiting Software-Induced Side-Channel Leakage of Kernel Hash Tables
Lukas Maar, Jonas Juffinger
Black Hat Asia 2025
Website Recording

Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices
Florian Draschbacher, Lukas Maar
Black Hat Asia 2025
Website Recording

KernelSnitch: Side-Channel Attacks on Kernel Data Structures
Lukas Maar
Network and Distributed System Security (NDSS) 2025
Website Recording

2024

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel
Lukas Maar
CSAW Europe Applied Research Competition (ARC) 2024

Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels
Lukas Maar
USENIX Security Symposium 2024
Website Recording

SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel
Lukas Maar
USENIX Security Symposium 2024
Website Recording

Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI
Lukas Maar
ACM ASIA Conference on Computer and Communications Security (AsiaCCS) 2024

2023

DOPE: DOmain Protection Enforcement with PKS
Lukas Maar
Annual Computer Security Applications Conference (ACSAC) 2023
Website

Awards and CVEs

2026

Gesellschaft der Informatik Dissertation Award Nominee
Kernel Security in the Wild

2025

CVE-2025-15515, CVE-2025-21060, CVE-2025-21061, CVE-2025-21062, CVE-2025-21064, CVE-2025-21078, CVE-2025-27387
Clone2Pwn: A Systematic Security Analysis of Data Migration Tools in the Android Ecosystem

CVE-2025-21691
Eviction Notice: Reviving and Advancing Page Cache Attacks

Pwnie Award Nominee for Most Underhyped Research
KernelSnitch: Side-Channel Attacks on Kernel Data Structures

CVE-2024-54096, CVE-2024-20900, CVE-2024-43085, CVE-2025-24193
ChoiceJacking: Compromising Mobile Devices through Malicious Chargers like a Decade ago

2024

CSAW'24 Europe Applied Research Competition (ARC) Finalist
SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel

2023

CVE-2023-21387
Manifest Problems: Analyzing Code Transparency for Android Application Bundles