Herbert Bos
YOU?
Author Swipe
View article: Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags
Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags Open
Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. …
View article: Triereme: Speeding up hybrid fuzzing through efficient query scheduling
Triereme: Speeding up hybrid fuzzing through efficient query scheduling Open
Hybrid fuzzing, the combination between fuzzing and concolic execution, holds great promise in theory, but has so far failed to deliver all the expected advantages in practice due to its high overhead. The cause is the large amount of time…
View article: Quarantine: Mitigating Transient Execution Attacks with Physical Domain Isolation
Quarantine: Mitigating Transient Execution Attacks with Physical Domain Isolation Open
Since the Spectre and Meltdown disclosure in 2018, the list of new transient execution vulnerabilities that abuse the shared nature of microarchitectural resources on CPU cores has been growing rapidly. In response, vendors keep deploying …
View article: Don’t Look UB: Exposing Sanitizer-Eliding Compiler Optimizations
Don’t Look UB: Exposing Sanitizer-Eliding Compiler Optimizations Open
Sanitizers are widely used compiler features that detect undefined behavior and resulting vulnerabilities by injecting runtime checks into programs. For better performance, sanitizers are often used in conjunction with optimization passes.…
View article: Copy-on-Flip: Hardening ECC Memory Against Rowhammer Attacks
Copy-on-Flip: Hardening ECC Memory Against Rowhammer Attacks Open
Despite nearly decade-long mitigation efforts in academia and industry, the community is yet to find a practical solution to the Rowhammer vulnerability. Comprehensive software mitigations require complex changes to commodity systems, yiel…
View article: Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots
Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots Open
Modern coverage-oriented fuzzers play a crucial role in vulnerability finding. While much research focuses on improving the core fuzzing techniques, some fundamental speed bottlenecks, such as the redundant computations incurred by re-exec…
View article: DangZero
DangZero Open
Use-after-free vulnerabilities remain difficult to detect and mitigate, making them a popular source of exploitation. Existing solutions incur impractical performance/memory overhead, require specialized hardware, and/or guarantee only pro…
View article: On the effectiveness of same-domain memory deduplication
On the effectiveness of same-domain memory deduplication Open
Memory deduplication, an OS memory optimization technique that merges identical pages into a single Copy-on-Write (CoW) page, has been shown to be susceptible to a variety of timing side channel attacks, all of which stem from the differen…
View article: Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel Open
Due to the high cost of serializing instructions to mitigate Spectre-like attacks on mispredicted conditional branches (Spectre-PHT), developers of critical software such as the Linux kernel selectively apply such mitigations with annotati…
View article: LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating
LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating Open
To improve code coverage and flip complex program branches, hybrid fuzzers couple fuzzing with concolic execution. Despite its benefits, this strategy inherits the inherent slowness and memory bloat of concolic execution, due to path explo…
View article: SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript.
SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript. Open
Despite their in-DRAM Target Row Refresh (TRR) mitigations, some of the most recent DDR4 modules are still vulnerable to many-sided Rowhammer bit flips. While these bit flips are exploitable from native code, triggering them in the browser…
View article: FIRestarter: Practical Software Crash Recovery with Targeted Library-level Fault Injection
FIRestarter: Practical Software Crash Recovery with Targeted Library-level Fault Injection Open
Despite advances in software testing, many bugs still plague deployed software, leading to crashes and thus service disruption in high-availability production applications. Existing crash recovery solutions are either limited to transient …
View article: CrossTalk: Speculative Data Leaks Across Cores Are Real
CrossTalk: Speculative Data Leaks Across Cores Are Real Open
Recent transient execution attacks have demonstrated that attackers may leak sensitive information across security boundaries on a shared CPU core. Up until now, it seemed possible to prevent this by isolating potential victims and attacke…
View article: CollabFuzz
CollabFuzz Open
In the recent past, there has been lots of work on improving fuzz testing. In prior work, EnFuzz showed that by sharing progress among different fuzzers, they can perform better than the sum of their parts. In this paper, we continue this …
View article: PIBE: practical kernel control-flow hardening with profile-guided indirect branch elimination
PIBE: practical kernel control-flow hardening with profile-guided indirect branch elimination Open
Control-flow hijacking, which allows an attacker to execute arbitrary code, remains a dangerous software vulnerability. Control-flow hijacking in speculated or transient execution is particularly insidious as it allows attackers to leak da…
View article: Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks
Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks Open
Since the discovery of the Spectre and Meltdown vulnerabilities, transient execution attacks have increasingly gained momentum. However, while the community has investigated several variants to trigger attacks during transient execution, m…
View article: Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing
Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing Open
Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised…
View article: Speculative Probing
Speculative Probing Open
To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabili…
View article: SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions
SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions Open
Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, …
View article: TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs
TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs Open
Kernel Address Space Layout Randomization (KASLR) has been repeatedly targeted by side-channel attacks that exploit a typical unified user/kernel address space organization to disclose randomized kernel addresses. The community has respond…
View article: ParmeSan : Sanitizer-guided greybox fuzzing
ParmeSan : Sanitizer-guided greybox fuzzing Open
One of the key questions when fuzzing is where to look for vulnerabilities. Coverage-guided fuzzers indiscriminately optimize for covering as much code as possible given that bug coverage often correlates with code coverage. Since code cov…
View article: VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching
VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching Open
Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that…
View article: D3.3 API, Library and Security Primitives Implementation - Initial
D3.3 API, Library and Security Primitives Implementation - Initial Open
In the deliverable we provide the initial implementation of the UNICORE APIs, along with an initial set of libraries. This set supports multiple applications (nginx, Redis, SQLite) available for the project use cases. We recall the overall…
View article: Table of Contents
Table of Contents Open
Security & Privacy's Editorial Board devotes one special issue each year to highlight selected papers from a conference.The papers in this issue are from the European conference held in Stockholm, Sweden, in 2019.The topics cover many diff…
View article: TRRespass: Exploiting the Many Sides of Target Row Refresh
TRRespass: Exploiting the Many Sides of Target Row Refresh Open
After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioner…
View article: NetCAT: Practical Cache Attacks from the Network
NetCAT: Practical Cache Attacks from the Network Open
Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performa…
View article: PANDAcap
PANDAcap Open
Full-system, deterministic record and replay has proven to be an invaluable tool for reverse engineering and systems analysis. However, acquiring a full-system recording typically involves signifcant planning and manual effort. This repres…
View article: PANDAcap SSH Honeypot Dataset
PANDAcap SSH Honeypot Dataset Open
This is a dataset of 63 PANDA traces, collected using the PANDAcap framework. The dataset aims to offer a starting point for the analysis of ssh brute force attacks. The traces were collected through the course of approximately 3 days from…
View article: PANDAcap SSH Honeypot Dataset
PANDAcap SSH Honeypot Dataset Open
This is a dataset of 63 PANDA traces, collected using the PANDAcap framework. The dataset aims to offer a starting point for the analysis of ssh brute force attacks. The traces were collected through the course of approximately 3 days from…