This year, VUSec presented 3 papers at DSN. (1) OSIRIS (efficient and consistent whole-OS crash recovery), (2) HSFI (scalable and representative fault injection), (3) MvArmor (secure and efficient MVX with Dune). All the code is open source. Check it out at https://github.com/vusec. OSIRIS was selected for the Best paper session.
Dedup Est Machina in the news
Our Dedup+Rowhammer research made it to various international publications, including The Register, SearchSecurity (with mistakes), Softpedia, TechTarget, Risky Business (http://risky.biz/RB414 @ 13:37), and others.
It also featured on national Dutch radio in BNR Digitaal (from 9:10 onward), De Volkskrant, Tweakers, and a security advisory by NCSC (all Dutch).
The slides from Erik Bosman’s S&P 2016 talk are here.
Dedup Est Machina presented at Oakland
Erik is presenting Dedup Est Machina, a cool new attack (abusing memory deduplication and rowhammer) on Microsoft Edge browser with all defenses up — without a single software bug. See also our demo.
TypeArmor presented at Oakland
Enes and Victor are presenting TypeArmor, our new strict binary-level Control-Flow Integrity (CFI) and Control-Flow Containment (CFC) solution to mitigate advanced code-reuse attacks.
VUSec on Business News Radio
Herbert participated in a panel discussion on Cyber Security on BNR (Business News Radio).
4 papers accepted at USENIX Security
This year, VUSec had 4 papers accepted at USENIX Security. (1) flip feng shui (or how to abuse memory deduplication to make Rowhammer attacks deterministic), (2) an in-depth analysis of disassembly, (3) thread spraying to attack information hiding, and (4) a paper that also “pokes holes into information hiding” and demonstrates that using ASLR/64 to hide safe regions is completely insecure.
Dedup presentation accepted at Black Hat USA
Our work on owning Microsoft Edge by a combination of dedup primitives and rowhammer was accepted for presentation at Black Hat USA in July/August 2016.
BAndroid Vulnerability Coverage
Our work on the BAndroid Vulnerability appeared in The Register: Academics claim Google Android two-factor authentication is breakable. This was slashdotted twice: here and here.
VUSec quoted in NRC, Dutch Newspaper
Quotes in NRC.nl Betalen met je vingerafdruk: drie vragen over biometrisch bankieren (Dutch).
SROP Coverage on LWN
Jonathan Corbet wrote about our work on SROP on LWN: Sigreturn-oriented programming and its mitigation. Also, someone is working on a new patch.