Herbert Bos


Contact Details

Email address
Phone +31 20 598 7746
Office P.416
Mailing address Herbert Bos
Faculty of Science
Dept of Computer Science
Vrije Universiteit Amsterdam
De Boelelaan 1081A
1081 HV, Amsterdam
The Netherlands
PGP  Click here

Herbert Bos is a full professor at the Vrije Universiteit Amsterdam and co-leads the VUSec Systems Security research group with Cristiano Giuffrida and Kaveh Razavi.

He obtained an ERC Starting Grant to work on reverse engineering and an NWO VICI grant to work on vulnerability detection. These and other systems security topics are still close to his heart. Other research interests include OS design, networking, and dependable systems.

Herbert moved to The Netherlands after approximately four years at the Universiteit Leiden. Before that he obtained his Ph.D. from the Cambridge University Computer Laboratory, followed by a brief stint at KPN Research (now TNO Telecom).


Selected Publications







1 Dowsing for overflows: A guided fuzzer to find buffer boundary violations [PDF] 
USENIX Security 2013, Washington, DC, August 2013.
2 When Slower is Faster: On Heterogeneous Multicores for Reliable Systems [PDF] 
USENIX 2013, San Jose, CA, USA, June 2013.
3 P2PWNED — Modeling and Evaluating the Resilience of Peer-to-Peer Botnets [PDF] 
Security & Privacy (Oakland), San Francisco, California, May 2013
4 Techniques for Efficient In-Memory Checkpointing [PDF] 
Topics in Dependable Systems (HotDep), Farmington, PA, November 2013
5 MemPick: data structure detection in C/C++ binaries [PDF] 
Working Conference on Reverse Engineering (WCRE), Koblenz, Germany, October 2013
6 Who allocated my memory? Detecting custom memory allocators in C binaries [PDF] 
Working Conference on Reverse Engineering (WCRE), Koblenz, Germany, October 2013 →Best Paper!
7 Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus [PDF] 
8th International Conference on Malicious and Unwanted Software (MALWARE’2013), Fajardo, Puerto Rico, October 2013.


1 Prudent Practices for Designing Malware Experiments: Status Quo and Outlook [PDF] 
Security & Privacy (Oakland), San Francisco, California, May 2012
2 Memory Errors: The Past, the Present, and the Future [PDF] 
RAID 2012, Amsterdam, Netherlands, September 2012
3 Body Armor for Binaries: preventing buffer overflows without recompilation [PDF] 
USENIX ATC 2012, Boston, MA, June 2012
4 Keep Net Working – On a Dependable and Fast Networking Stack [PDF] 
Dependable Systems and Networks (DSN), Boston, MA, June 2012
5 Large-Scale Analysis of Malware Downloaders [PDF] 
DIMVA 2012, Heraklion, GR, July 2012
6 System-level Support for Intrusion Recovery [PDF] 
DIMVA 2012, Heraklion, GR, July 2012


1 Minemu: The World’s Fastest Taint Tracker [PDF] 
RAID’11, Menlo Park, California, September 2011
2 Howard: a dynamic excavator for reverse engineering data structures [PDF] 
NDSS’11, San Diego, California, February 2011
3 On Botnets that use DNS for Command and Control [PDF] 
EC2ND’11, Gothenburg, Sweden, September 2011
4 Sandnet: Network Traffic Analysis of Malicious Software [PDF]
Proceedings of the 1st Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) April 10, 2011, Salzburg, Austria
5 System Security Research at VU University Amsterdam [PDF] 
SYSSEC Workshop, Amsterdam, July 2011
6 Application-tailored I/O with Streamline [PDF] (also available here)
ACM Transactions on Computer Systems (TOCS’11), May 2011.


1 Paranoid Android: Versatile Protection For Smartphones [PDF] 
Annual Computer Security Applications Conference (ACSAC’10), Austin, Texas, December 2010
2 DDE: Dynamic Data Structure Excavation [PDF] 
ACM APSYS’10, New Delhi, India, August 2010
3 Pointer tainting still pointless (but we all see the point of tainting) [PDF] 
ACM SIGOPS Operating Systems Review (OSR), 44(3), July 2010
4 Brief Announcement: A Shared Disk on Distributed Storage [PDF] 
PODC’10, Zuerich, July 2010


1 CacheCard: a transparent cache for static and dynamic content on the NIC [PDF] 
Proceedings of ACM/IEEE ANCS, Princeton, NY, Oct. 2009
2 Isolating Faulty Device Drivers [PDF] 
Proceedings of IEEE/IFIP Dependable Systems and Networks (DSN 2009), Lisbon, Portugal, June 2009.
3 Pointless tainting? Evaluating the practicality of pointer tainting [PDF] 
Proceedings of EUROSYS 2009, Nuremberg, Germany, March/April 2009.
4 Mapping and synchronizing streaming applications on Cell processors [PDF] 
Proceedings of HiPEAC 2009, Paphos, Cyprus, January 25-28, 2009


1 Countering IPC Threats in Multiserver Operating Systems [PDF] 
IEEE PRDC, Taipei, Taiwan, December 2008.
2 PipesFS: Fast Linux I/O in the Unix Tradition [PDF] 
Operating Systems Review, Special Issue on the Linux Kernel, July 2008.
3 Future Threats to Future Trust [PDF] 
Conference on the Future of Trust in Computing, July 2008.
4 Model-T: Rethinking the OS for terabit speeds [PDF]
Proceedings of High-Speed Networks Workshop HSN 2008, Phoenix, AZ, April 2008
5 Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits [PDF] 
Proceedings of ACM SIGOPS EUROSYS 2008, Glasgow, UK, April, 2008.
6 Beltway buffers: avoiding the OS traffic jam [PDF] 
The 27th IEEE International Conference on Computer Communications (INFOCOM 2008), April 2008, Phoenix, Arizona.
7 Safe Execution of Untrusted Applications on Embedded Network Processors [PDF] 
International Journal of Embedded Systems (IJES), InderScience, Vol.3, No. 4, 2008.


1 Ruler: easy packet matching and rewriting on network processors [PDF] 
Symposium on Architectures for Networking and Communications Systems (ANCS’07)
2 The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack [PDF] 
23rd Annual Computer Security Applications Conference (ACSAC’07), Miami, FLA, December 2007.
3 Tales from the Crypt: fingerprinting attacks on encrypted channels by way of retainting [PDF] 
Proc. of 3rd European Conference on Computer Network Defense (EC2ND), Heraklion, Greece, October, 2007. Note: the paper in the link above has a better layout and more readable figures compared to the paper in the proceedings (we had to convert our LaTeX to Word, which screwed things up a little). It also contains a few lines of text that were slashed from the paper in the proceedings for space reasons. If you want to know what the paper in the proceedings looks like, click here.
4 A component-based coordination language for efficient reconfigurable streaming applications [PDF]
Proc. of International Conference on Parallel Processing (ICPP’07), Xian, China, Sept. 2007
5 Failure Resilience for Device Drivers [PDF] 
IEEE/IFIP International Conference on Dependable Systems and Networks (IEEE/IFIP DSN’07), Dependable Computing and Communication Track
(William C. Carter award for →best paper), Edinburgh, UK, June 2007.
6 Roadmap to a Failure-Resilient Operating System [PDF] 
“USENIX ;login:”, Volume 32, Number 1, February 2007
7 The Token Based Switch: per-packet access authorisation to optical shortcuts [PDF] 
IFIP Networking, Atlanta, Georgia, May, 2007


1 SP@CE – An SP-based Programming Model for Consumer Electronics Streaming Applications [PDF] 
Languages and Compilers for Parallel Computing (LCPC’06), New Orleans, Louisiana, USA, November, 2006
2 Construction of a Highly Dependable Operating System (preprint) [PDF] 
(Proceedings of EDCC’06, Coimbra, Portugal, October 2006) (accepted for publication)
3 MINIX 3: A Highly Reliable, Self-Repairing Operating System 
(ACM SIGOPS Operating Systems Review, vol. 40, nr. 3, July 2006)
4 Reorganizing UNIX for Reliability (preprint) [PDF] 
(Proceedings of Asia-Pacific Computer Systems Architecture Conference (ACSAC’06), Shanghai, China, September, 2006) (accepted for publication)
5 SafeCard: a Gigabit IPS on the network card [PDF] 
(RAID’06, Hamburg, Germany, September 2006)
6 Can We Make Operating Systems Reliable and Secure? 
(IEEE Computer, Vol. 39, No. 5, pp. 44–51, ISSN 0018-9162, May 2006)
7 Supporting Reconfigurable Parallel Multimedia Applications [PDF]
(→distinguished paper, ACM/IFIP/IEEE Euro-Par’06, August 2006)
8 Modular system programming in Minix 3 [PDF]
(“USENIX ;LOGIN:”, Vol 31, No. 2, April 2006)
9 Argos: an Emulator for Fingerprinting Zero-Day Attacks [PDF]
(ACM SIGOPS EUROSYS 2006, Leuven, Belgium, April 2006)
10 SweetBait: Zero-Hour Worm Detection and Containment Using Low- and High-Interaction Honeypots 
(Elsevier Computer Networks, Special Issue on Security through Self-Protecting and Self-Healing Systems, 2006)
11 Dynamically extending the Corral with native code for high-speed packet processing [PDF]
(Elsevier Computer Networks, Special Issue on Active and Programmable Networks, 50(14), pp. 2444-2461, October 2006)
12 File Size Distribution on UNIX Systems Then and Now [PDF]
(Operating Systems Review, Vol 40, No. 1, January 2006.)


1 Towards software-based signature detection for intrusion prevention on the network card [PDF]
(Proceedings of Eighth International Symposium on Recent Advances in Intrusion Detection (RAID2005), Seattle, Washington, September 2005.)
[Bibtex] [PPT]
2 Network intrusion prevention on the network card [PDF]
(IXA Summit, Hudson, MA, September 2005.)
3 Robust distributed systems – achieving self-management through inference [PDF]
(Proceedings of First International IEEE WoWMoM Workshop on Autonomic Communications and Computing, ACC2005, Taormina, Italy, June 2005.)
4 FPL-3: towards language support for distributed packet processing [PDF]
(Proceedings of IFIP Networking, Waterloo, Ontario, Canada, May 2005 (accepted for publication).)
5 FPL-3e: towards language support for distributed reconfigurable packet processing [PDF]
(Proceedings of SAMOS V: Embedded Computer Systems: Architectures, MOdeling, and Simulation, Lecture Notes in Computer Science, Vol.3553/2005, ISSN 0302-9743, July, 2005.)


1 FFPF: Fairly Fast Packet Filters [PDF]
(Proceedings of 6th Symposium on Operating Systems Design and Implementation (OSDI’2004), San Francisco, CA, December 2004.)
[HTML version] [Bibtex] [PPT]
[Here is also a short FFPF tutorial (powerpoint) – from the Lobster workshop in Stockholm in May 2005]
2 Scalable network monitors for high-speed links: a bottom-up approach [PDF]
(Proceedings of IEEE IPOM 2004, Beijing, China, October 2004.)
3 On the feasibility of using network processors for DNA processing
(Slightly modified version of the NP3 paper, to be published as Chapter 10 in “Network Processor Design, Vol. 3”, Morgan Kaufmann, pp. 10.1 — 10.14, 2004.)
[See also the NP3 paper below]
4 SNMP Plus a Lightweight API for SNAP Handling [PDF]
(Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS’04), Seoul, Korea, April, 2004)
5 On the feasibility of using network processors for DNA processing [PDF] 
(Proceedings of NP3, Workshop on Network Processors & Applications, Madrid, Spain, Feb, 2004)
[Bibtex] [PPT]


1 HOKES/POKES: Light-weight resource sharing [PDF]
(Proceedings of ACM SIGBED EMSOFT’03, October 2003, Philadelphia, USA)
2 SCAMPI: A Scalable and Programmable Architecture for Monitoring Gigabit Networks [PDF]
(Proceedings of E2EMon’03, September 2003, Dublin, Ireland)
3 Compiler assistance for safe resource sharing without hardware support
(Compilers for Parallel Computers (CPC), Amsterdam, January 2003)


4 A perspective on how ATM lost Control [PDF]
(ACM SIGCOMM Computer Communication Review, Volume 32, Number 5, November 2002)
5 The OKE Corral: Code Organisation and Reconfiguration at Runtime using Active Linking [PDF] 
(Proceedings of IWAN’2002, Zuerich, December 2002).
6 Safe Kernel Programming in the OKE [PDF]
(Here we explain the OKE in some detail. It is also the preferred OKE paper to cite. Proceedings of IEEE OpenArch’02, New York, June, 2002)
7 Towards Flexible Real-Time Network Monitoring Using a Network Processor.
(Short paper: Proceedings of 3rd USENIX/NLUUG International SANE Conference 2002, pp. 409-410, Maastricht, May, 2002)

2001 and earlier

1 The Open Kernel Environment.
(This is the first presentation of the OKE – OpenSig’2001, London, September, 2001)
2 Elastic Network Control: An Alternative to Active Networks [PDF]
(This paper describes our work on marrying the various approaches to programmable networks in a single, sensible framework. Journal of Communications and Networks, Special Issue on Programmable Routers and Switches, Vol.3, No.2, 2001)
3 Open Extensible Network Control [PDF]
(Journal of Network and Systems Management (JNSM), Vol.8. No.1, March 2000)
4 Elastic Network Control [PDF]
(PhD thesis. Also published as Technical Report No. 483, Cambridge University Computer Laboratory, August 1999)
5 Application-Specific Policies: Beyond the Domain Boundaries [PDF]
(Proceedings IM’99, Boston, USA, May 1999)
[HTML version]
6 Application-specific Behaviour in Distributed Network Control [PDF]
(Proceedings ERSADS’99, Madeira, Portugal, April 1999)
7 Building a Distributed Video Server using Advanced ATM Network Support [PDF]
(Proceedings IFIP/IEEE MMNS’98, Versailles, France, Nov. 1998)
8 ATM Admission Control based on Reservations and Measurements [PDF]
(Proceedings IEEE IPCCC’98, Phoenix, Arizona, Feb. 1998)
9 Efficient Reservations in Open ATM Network Control using Online Measurements [PDF]
(Int. J. of Communication Systems, V11, No. 4, August 1998)
[HTML version]
10 An Active Distributed File Server for Continuous Media
(Proceedings ERSADS’97, Zinal, Switzerland, March 1997)
