I am a PhD candidate at UCAS / IIE, transferred from the master's track in 2024.
I work under the supervision of
Prof. Wei Song and
Prof. Wenhao Wang.
My research lies in computer systems security — operating systems, virtualization,
and trusted execution environments. I build practical systems that make
confidential computing more secure and scalable.
I am an enthusiastic self-learner. Since 2022 I have been systematically
rebuilding my CS foundations, guided by csdiy.wiki
and documented in my course notes.
NaCRE is approaching its final stage. I am actively seeking industry
internship opportunities in the following areas:
Agent systems
KV cache infrastructure
AI agent containers and sandboxing
If you find my work relevant, I would be delighted to hear from you — thank you! 🙏
Education
PhD, Computer Systems Organization
University of Chinese Academy of Sciences, Institute of Information Engineering
Advisor: Prof. Wenhao Wang · GPA 3.83 / 4.00
2022 – 2024
B.Eng, Cyberspace Security
University of Chinese Academy of Sciences
Advisor: Prof. Wenhao Wang, Prof. Dongdai Lin · GPA 3.70 / 4.00 (Top 30%)
2018 – 2022
Teaching
Teaching Assistant, Digital Circuits · Fall 2025
Undergraduate course, School of Cyber Science and Technology, University of Chinese Academy of Sciences
Research Projects
NaCRE: Native Confidential Containers on RISC-V · 2025.5 – present
Role: solo | C · OpenSBI · Linux Kernel · RunC · QEMU | code | Working prototype; preparing for arXiv
Problem: Existing confidential containers repurpose hardware mechanisms not designed for containers, sacrificing native-ness. Arm CCA treats containers as TEE workloads with large contiguous memory — no primitives purpose-built for native confidential containers.
Approach: Reused RISC-V PMP with bitmap + MMU modifications to protect page-table pages and data pages without fragmenting Linux's native memory allocation — containers stay ordinary processes.
vs. Existing: No virtualization/confidential-computing hardware dependency (unlike Kata/gVisor). Introduces a new hardware abstraction layer for containers; native Linux allocation with targeted hardening, no invasive kernel patches.
Security: Container lifecycle protection integrated into the full address-allocation pipeline.
Performance: Near-zero overhead vs. native Docker on compute-intensive tasks; under 2× slowdown on memory-intensive tasks — significantly better than microVM approaches.
My role: Sole developer — hardware ISA primitives, Linux kernel critical-path patching (preserving RSS counter semantics), OpenSBI integration, eCall interface and protocol design.
LLM Side-Channel Attack on KV Cache · 2024.6 – 2025.4
Problem: KV cache reuse in LLM serving systems creates a timing side channel — TTFT reductions reveal victim prompt overlap. Found exploitable in SGLang (prefix sharing) and GPT-Cache (semantic similarity).
Approach: In SGLang, a single shared token with Llama 3.1 8B/70B yields a measurable latency drop. Designed token-by-token prompt recovery; overcame GPU voltage/frequency noise with a countermeasure, achieving 99% TPR.
GPT-Cache Attack: Discovered a distinct vector — semantically similar queries with identical sensitive info trigger TTFT speedups via similarity-based cache matching.
Defense: Proposed coarse-grained token-sharing defense that expands the attacker's guessing space.
Impact: One of the first two teams to report KV-cache privacy risks to SGLang (the other: ByteDance Security Research, same week). Presented at the SGLang biweekly meeting (Oct. 19, 2024).
Publication: Submitted to USENIX Security'25, ACM CCS'25; accepted at TIFS'25 (CCF-A journal).
NestedSGX: Nested Enclaves in Confidential VMs · 2023.7 – 2024.5
Role: co-lead | Rust · C · Python · Linux Kernel Module · QEMU · AMD SEV-SNP | code | paper
Problem: Confidential VMs face a large TCB in the guest OS. No existing mechanism to establish trusted enclaves inside a CVM while keeping the guest OS out of the TCB.
Approach: Leveraged AMD SEV-SNP VMPL to introduce a lightweight hypervisor within the CVM, de-privileging the guest OS — even a compromised kernel cannot access enclave memory.
Compatibility: Built trusted enclave runtime atop Occlum and Intel SGX SDK, compatible with existing SGX ecosystem — unmodified SGX apps run inside the nested enclave.
Engineering: Modified Linux kernel drivers; wrote in-VM hypervisor in Rust (page faults, error paths, custom trampoline for cross-privilege transitions).
Recognition: 2 AE badges; invited by the Asterinas community for an online seminar. Submitted to ASPLOS'24, ACM CCS'24; accepted at NDSS'25 (CCF-A conference).
Publications
The Early Bird Catches the Leak: Unveiling Timing Side Channels in LLM Serving Systems