Binary Armoring
CodeArmor
A binary-level solution for high-frequency code re-randomization.
TypeArmor
A binary-level solution against advanced code-reuse attacks.
MvArmor
Secure and efficient multivariant execution for binaries.
PathArmor
A practical context-sensitive CFI solution for binaries.
StackArmor
A binary-level solution against stack-based memory errors.
Binary and Malware Analysis
Disassembly
Disassembly analysis on full-Scale x86/x64 binaries.
Compiler-Agnostic Function Detection
Compiler-agnostic function detection for binaries.
Enviral
Fuzzing the environment for evasive malware analysis.
Hardware Vulnerabilities
SMASH
Synchronized MAny-Sided Hammering from JavaScript.
TRRespass
Many-sided Rowhammer to bypass TRR mitigations on DDR4 DRAM chips.
ECCploit
Rowhammer attacks on ECC-enabled systems.
Throwhammer
Rowhammer attacks over the network and defenses.
GLitch
Accelerating microarchitectural attacks with the GPU.
Flip Feng Shui
Cross-VM attacks abusing hardware vulnerabilities.
Drammer
Deterministic Rowhammer exploitation on mobile devices.
Mobile Security
BAndroid
How Google killed two-factor authentication.
Side Channels
InSpectre Gadget
Inspecting the Residual Attack Surface of Cross-privilege Spectre v2.
GhostRace
Exploiting and Mitigating Speculative Race Conditions.
SLAM
Combining Spectre and Intel LAM (& co.) to leak kernel memory on future CPUs.
Branch History Injection
On the effectiveness of hardware mitigations against cross-privilege Spectre-v2 attacks
Kasper
Scanning for generalized transient execution gadgets in the Linux kernel.
FPVI & SCSB
Rage against the Machine Clear: A systematic analysis of Machine Clears and their implications for transient execution attacks.
BlindSide
Hacking blind in the Spectre era.
CrossTalk
Speculative data leaks across CPU cores are real.
NetCAT
Cache side-channel attacks over the network.
RIDL
A new class of speculative execution attacks where an attacker can steal any “in-flight” data.
TLBleed
Employing the TLB in a novel sidechannel that doesn’t use the cache.
XLATE
XLATE (translate) attacks reprogram the MMU to mount an indirect cache attack.
Nowhere to Hide
Thread spraying, allocation oracles, and defenses (MemSentry).
AnC
Side channeling the MMU for breaking ASLR in the browser.
Side Channels (Memory Deduplication)
Dedup Est Machina Returns
On the effectiveness of same-domain memory deduplication.
VUsion
Protecting memory deduplication against side-channel and Rowhammer attacks.
Dedup Est Machina
Memory deduplication as an advanced exploitation vector.
Software Exploitation
Newton
Run-time gadget-discovery framework.
PIROP
Return-Oriented Programming without information disclosure.
Software Reliability
OSIRIS
Operating System with Integrated Recovery preventing Inconsistent State.
Software Testing and Sanitizers
VUzzer
Application-aware evolutionary fuzzing.
kMVX
Kernel Multi-Variant eXecution.
Delta Pointers
Fast buffer overflow detection without branches.
DangSan
Scalable use-after-free detection.
DangZero
Efficient use-after-free detection via direct page table access.
FloatZone
Accelerating Memory Error Detection using the Floating Point Unit
SafeInit
Practical mitigation of uninitialized read vulnerabilities.
StickyTags
Spatial Memory Error Mitigation using Persistent Memory Tags
TypeSan
Practical type confusion detection.
uncontained
Uncovering Container Confusion in the Linux Kernel
Validity of Research
Threats to Validity in Security Research
A not-entirely-comprehensive of things you should not do in security research.
Benchmarking Crimes
Benchmarking crimes in systems security research.
Prudent Practices in Malware Experiments
Prudent practices for designing malware experiments.
