A binary-level solution for high-frequency code re-randomization.
A binary-level solution against advanced code-reuse attacks.
Secure and efficient multivariant execution for binaries.
A practical context-sensitive CFI solution for binaries.
A binary-level solution against stack-based memory errors.
Binary and Malware Analysis
Disassembly analysis on full-scale x86/x64 binaries.
Compiler-Agnostic Function Detection
Compiler-agnostic function detection for binaries.
Many-sided Rowhammer to bypass TRR mitigations on DDR4 DRAM chips.
Rowhammer attacks on ECC-enabled systems.
Rowhammer attacks over the network and defenses.
Accelerating microarchitectural attacks with the GPU.
Flip Feng Shui
Cross-VM attacks abusing hardware vulnerabilities.
Deterministic Rowhammer exploitation on mobile devices.
How Google killed two-factor authentication.
Branch History Injection
On the effectiveness of hardware mitigations against cross-privilege Spectre-v2 attacks.
Scanning for generalized transient execution gadgets in the Linux kernel.
FPVI & SCSB
Rage against the Machine Clear: A systematic analysis of Machine Clears and their implications for transient execution attacks.
Hacking blind in the Spectre era.
Speculative data leaks across CPU cores are real.
Cache side-channel attacks over the network.
A new class of speculative execution attacks where an attacker can steal any “in-flight” data.
Employing the TLB in a novel side channel that does not use the cache.
XLATE (translate) attacks reprogram the MMU to mount an indirect cache attack.
Nowhere to Hide
Thread spraying, allocation oracles, and defenses (MemSentry).
Side channeling the MMU for breaking ASLR in the browser.
Side Channels (Memory Deduplication)
Dedup Est Machina Returns
On the effectiveness of same-domain memory deduplication.
Protecting memory deduplication against side-channel and Rowhammer attacks.
Dedup Est Machina
Memory deduplication as an advanced exploitation vector.
Run-time gadget-discovery framework.
Return-Oriented Programming without information disclosure.
Operating System with Integrated Recovery preventing Inconsistent State.
Software Testing and Sanitizers
Application-aware evolutionary fuzzing.
Kernel Multi-Variant eXecution.
Fast buffer overflow detection without branches.
Scalable use-after-free detection.
Efficient use-after-free detection via direct page table access.
Practical mitigation of uninitialized read vulnerabilities.
Practical type confusion detection.
Validity of Research
Threats to Validity in Security Research
A not-entirely-comprehensive list of things you should not do in security research.
Benchmarking crimes in systems security research.
Prudent Practices in Malware Experiments
Prudent practices for designing malware experiments.