NVIDIA did not arrive at Black Hat 2025 to show off another GPU or AI model. It came to talk about something deeper: how to secure a billion-core ecosystem that no one else on earth has.
In their session, How to Secure a Unique Ecosystem Shipping 1 Billion+ Cores, NVIDIA’s Adam Zabrocki, director of offensive security, and Marko Mitic, system software manager, described how the company moved from a proprietary microcontroller design to a custom RISC-V architecture. The goal was not just performance. It was survival.
“When you ship more than a billion cores, you stop thinking in patches,” Zabrocki said. “You start thinking in proofs.”
From Proprietary to Purpose Built
NVIDIA’s journey began when its internal “Falcon” microcontrollers could no longer scale across data center chips, gaming cards, and automotive systems. Each device demanded a different security model and threat response.
The company redesigned everything around RISC-V, an open instruction set that let engineers add their own security extensions and enforce hardware-level isolation. Every GPU, SoC, and embedded controller now includes up to 40 RISC-V cores that share a unified foundation for trust.
That move gave NVIDIA control over its destiny but also new responsibilities. “When you build your own ecosystem, there is no vendor to blame,” Mitic said. “You are the supply chain.”
Security in Silicon
The Black Hat audience expected talk of exploits and mitigations. What they got instead was a blueprint for engineering trust from the transistor up.
NVIDIA introduced several hardware features that make its RISC-V environment harder to exploit. Among them:
- Pointer masking: Scrambles memory addresses to prevent corruption.
- Control-flow integrity: Stops attackers from hijacking code execution.
- Memory tagging: Assigns colors to memory blocks to detect bugs before they trigger.
Each mechanism exists in hardware, not as a patch. “We stopped layering defenses on top of weak foundations,” Zabrocki explained. “We strengthened the foundation itself.”
The End of Patch and Pray
Traditional software security depends on finding bugs, patching fast, and hoping nothing else breaks. NVIDIA’s approach replaces that cycle with formal verification—mathematical proofs that code behaves as intended.
Critical components such as the immutable boot ROM and separation kernel are written in the SPARK subset of Ada, a language designed for verifiable safety. Tools automatically check contracts between modules, ensuring that memory leaks, null pointers, and other runtime errors cannot occur.
Mitic compared it to aviation. “You cannot patch a jet mid-flight,” he said. “You design it not to fail.”
Isolation as a Security Model
The company also embraced a “multi-partition” design inspired by military-grade MILS architecture. Each RISC-V core runs a separation kernel that divides workloads into secure partitions.
Every partition has its own signed configuration and hardware-enforced boundaries. If one component fails or is compromised, others keep running safely. The system’s smallest elements—firmware controllers inside a GPU—now behave more like independent aircraft compartments than shared cabins.
That isolation model reflects a broader industry shift from reactive security to engineered resilience. As Mitic put it, “We assume compromise and design to contain it.”
Hardware Meets Human Intent
Resilience is not only technical. NVIDIA is using its offensive-security team to test every new extension as if it were a target. Zabrocki, a long-time vulnerability researcher, called it “fuzzing the hardware layer.”
The company now treats hardware verification, secure coding, and penetration testing as a single continuous process. Vulnerabilities discovered during offensive research feed directly into design improvements for the next generation of chips.
“We want attackers inside the lab,” Zabrocki said. “That is how you make the field safer.”
The Bigger Lesson
Black Hat attendees left with a reminder that security no longer begins with software updates or zero-day hunts. It begins in design meetings, where architecture choices decide whether systems will survive the next decade of attacks.
As Zabrocki told the audience, “Patching is what you do when you cannot prove your system is safe. We decided to prove it instead.”
That statement echoed across the conference halls. In a field that still measures progress by response time, NVIDIA offered a different metric: proof time.
