Projects

Binary Armoring

CodeArmor

A binary-level solution for high-frequency code re-randomization.

TypeArmor

A binary-level solution against advanced code-reuse attacks.

MvArmor

Secure and efficient multivariant execution for binaries.

PathArmor

A practical context-sensitive CFI solution for binaries.

StackArmor

A binary-level solution against stack-based memory errors.

Binary and Malware Analysis

Disassembly

Disassembly analysis on full-Scale x86/x64 binaries.

Compiler-Agnostic Function Detection

Compiler-agnostic function detection for binaries.

Enviral

Fuzzing the environment for evasive malware analysis.

Hardware Vulnerabilities

SMASH

Synchronized MAny-Sided Hammering from JavaScript.

TRRespass

Many-sided Rowhammer to bypass TRR mitigations on DDR4 DRAM chips.

ECCploit

Rowhammer attacks on ECC-enabled systems.

Throwhammer

Rowhammer attacks over the network and defenses.

GLitch

Accelerating microarchitectural attacks with the GPU.

Flip Feng Shui

Cross-VM attacks abusing hardware vulnerabilities.

Drammer

Deterministic Rowhammer exploitation on mobile devices.

Mobile Security

BAndroid

How Google killed two-factor authentication.

Side Channels

InSpectre Gadget

Inspecting the Residual Attack Surface of Cross-privilege Spectre v2.

GhostRace

Exploiting and Mitigating Speculative Race Conditions.

SLAM

Combining Spectre and Intel LAM (& co.) to leak kernel memory on future CPUs.

Branch History Injection

On the effectiveness of hardware mitigations against cross-privilege Spectre-v2 attacks

Kasper

Scanning for generalized transient execution gadgets in the Linux kernel.

FPVI & SCSB

Rage against the Machine Clear: A systematic analysis of Machine Clears and their implications for transient execution attacks.

BlindSide

Hacking blind in the Spectre era.

CrossTalk

Speculative data leaks across CPU cores are real.

NetCAT

Cache side-channel attacks over the network.

RIDL

A new class of speculative execution attacks where an attacker can steal any “in-flight” data.

TLBleed

Employing the TLB in a novel sidechannel that doesn’t use the cache.

XLATE

XLATE (translate) attacks reprogram the MMU to mount an indirect cache attack.

Nowhere to Hide

Thread spraying, allocation oracles, and defenses (MemSentry).

AnC

Side channeling the MMU for breaking ASLR in the browser.

Side Channels (Memory Deduplication)

Dedup Est Machina Returns

On the effectiveness of same-domain memory deduplication.

VUsion

Protecting memory deduplication against side-channel and Rowhammer attacks.

Dedup Est Machina

Memory deduplication  as an advanced exploitation vector.

Software Exploitation

Newton

Run-time gadget-discovery framework.

PIROP

Return-Oriented Programming without information disclosure.

Software Reliability

OSIRIS

Operating System with Integrated Recovery preventing Inconsistent State.

Software Testing and Sanitizers

VUzzer

Application-aware evolutionary fuzzing.

kMVX

Kernel Multi-Variant eXecution.

Delta Pointers

Fast buffer overflow detection without branches.

DangSan

Scalable use-after-free detection.

DangZero

Efficient use-after-free detection via direct page table access.

FloatZone

Accelerating Memory Error Detection using the Floating Point Unit

SafeInit

Practical mitigation of uninitialized read vulnerabilities.

StickyTags

Spatial Memory Error Mitigation using Persistent Memory Tags

TypeSan

Practical type confusion detection.

uncontained

Uncovering Container Confusion in the Linux Kernel

Validity of Research

Threats to Validity in Security Research

A not-entirely-comprehensive of things you should not do in security research.

Benchmarking Crimes

Benchmarking crimes in systems security research.

Prudent Practices in Malware Experiments

Prudent practices for designing malware experiments.

vusec-logo_large