Some go fast, others are thorough. After a 6 year PhD, 2 year PostDoc, 7 years as AsstProf; 38 top tier papers, 10 graduated PhDs, and 7.5mio in funding, I was awarded tenure @EPFL_en. I thank my amazing students and collaborators, you made this possible!
Quick permission comparison for different Android apps. #SwissCovid only asks for permissions related to digital contact tracing, nothing more. Full source code:
BLURtooth (CVE-2020-15802) exploits the lack of cross-transport key validation, allowing an attacker to bypass BT and BLE security mechanisms to MITM, impersonate, or establish sessions with arbitrary devices.
Ever wondered about the security of your USB stack? We've explored it and found 10 CVEs on Linux and several crashes on Windows and MacOS with just a bit of fuzzing. Paper is ready, source will come at #SEC20: Comments welcome!
Interested in binary rewriting, fuzzing, or sanitization? Introducing RetroWrite, our binary rewriting platform with AFL and ASan compatible transformations. Paper: Source: reproduce our results:
You've been fuzzing and now have 254,000 unique crash seeds? Fear no more, our Igor (reference to Terry Pratchett's Discworld) has got you covered and will reduce the crashes to 48 unique bug clusters. To be presented at @acm_ccs
Third #DP3T real-life test @vbs_ddps / @EPFL_en. 100 soldiers are testing the beta app for 24 hours in day to day life. To collect ground truth, they exchange business cards (noting time and duration) for each observed contact that we then crosscheck.
@moxie Have a look at #DP3T white papers where we discuss the tradeoffs at length. Data transfer for infected ids is not that bad and no location is needed.
As it turns out, compilers happily spill the index for indirect jumps through a jump table after bounds checking, creating a TOCTTOU race for arbitrary control-flow hijacking. Check out our @HexHiveEPFL @IEEESSP "WarpAttack" paper:
Today we conducted real life experiments @EPFL_en to establish ground truth for BLE proximity tracing with our #DP3T app to fight #COVID19! Thanks to @vbs_ddps for subjects, @CHUVLausanne for testing yesterday, and @EPFL_en for fast ethics turnaround. Now off to crunch data!
Big news: #DP3T is going official, with support from @BAG_OFSP_UFSP we are working on the official Swiss app for decentralized, privacy-preserving proximity tracing!
Super honored to receive a @USENIXSecurity #security24 distinguishing paper award for our work on finding bugs in hypervisors. HyperPill is available at
Rejecting papers is fine. But, as a community, can we agree that any reject *must* include either a paragraph on what is expected for an accept or a reason why the paper is fundamentally flawed? Receiving strong rejects w/o feedback on how to improve is tough.
Today we conducted the second set of #DP3T real life experiments @EPFL_en with the help of @vbs_ddps, collecting both ground truth using our measurement app as well as an alpha test of our decentralized #COVID19 tracing app for both iOS and Android. Exciting times!
I'm deeply humbled to receive two prestigious European single PI grants this year: an @ERC_Research Starting Grant to combine the powers of testing and mitigation and an @snsf_ch Eccellenza grant to scale software security testing to massive code bases. #HexHive all the way! 🐝🤗
Congratulations to IC professor @gannimo on another funding award for 2019: the @snsf_ch #Eccellenza Grant! He will use it to support an open-source project that aims to develop methods for identifying #software #security bugs.
To fuzzing academics: use Magma, a ground truth fuzzing benchmark that detects when your fuzzer reaches, triggers, and detects a bug and introduces a novel time to bug metric to compare to other fuzzers. arXiv paper coming soon. Feedback welcome!
Draft of my open book "Software Security: Principles, Policies, and Protection" available at Intended audience: developers/advanced students. Comments, feedback, and questions very welcome!
Who's using ASan and wants a ~50% performance improvement during fuzzing? #HexHive presents FuZZan, ASan optimized for high speed fuzzing, to be presented at @usenix ATC20. Source will be up soon! Comments welcome!
A note to my peers reviewing our papers: strongly rejecting a paper because of related work that will be published *after* we get your review is not OK. Please check your timeline. Also, please get past strongly defending your turf, this is exactly how you destroy a community. 😧
After releasing the SDKs earlier this week, we're openly releasing our #DP3T prototype applications (with people-friendly UI) for iOS and Android Get them while they are fresh and test them like crazy!
Instead of focusing on binary code similarity (which is NP complete), we focus on code behavior, capturing and abstracting input/output behavior as IO vectors that define what a function does (and not how the code looks). Preprint:
Major life achievement: on Friday I got up at 1h30 and climbed Mont Blanc from the Tête Rousse in 15hrs. A breathtaking experience that was extremely physically challenging. Several hours of climbing and extended walks on steep glaciers. A day I will always remember. 🧗🏔️
After a short responsible disclosure process and a few leaks, I'm excited to announce that I'll join @EPFL this fall. Looking forward to start (and continue) collaborating with all the great faculty at @ICepfl. #HexHive is going international!
"FuzzGen: Automatic Fuzzer Generation" (synthesizing libFuzzer stubs through reflective full system analysis), jointly between @ICepfl #HexHive and folks at Google has been accepted at @USENIXSecurity #SEC20. Stay tuned for full source and paper.
Happy to announce that #HexHive @ICepfl @EPFL_en receives an @ERC_Research #ERCStG for researching techniques to protect systems against current and future software vulnerabilities 🤩👩🔬👨🔬👾 Thanks to all who provided feedback on the proposal!
Happy to announce that WOOT'21 @wootsecurity will be co-located at @IEEESSP and in association with @usenix in May 2021. Mark your calendar and submit your awesome work Jan27 (abstracts) and Jan29 (papers)---yes, earlier than usual. Details:
@Facebook First assumption: it's DNS (as DNS servers died and DNS traffic spiked everywhere), but it was BGP! (ht to @paul_pearce for the meme). @Cloudflare has a neat write-up that's generally accessible
Thank you @USENIXSecurity for rejecting our major revision and for delaying the notification by two months. It's gonna be an amazing experience to explain to the students about how the review process is not broken. Very frustrated right now about revisions.
Happy to share the camera ready for MAGMA (for SIGMETRICS'21), a ground truth fuzzing benchmark. Fuzzers are compared based on real bugs on real software, with ground truth. If you're into #fuzzing, get in touch and use MAGMA for your evaluation!
Want to protect the backward edge against ROP? CFI is too weak and parallel shadow stacks have security implications. We did a large security/performance study of shadow stacks (and implemented all of them). See the preprint at: We'd love to hear feedback!
Dear reviewer 2: seriously? WTF?
Context: strong reject because we (obviously) do not compare against related work coming out in 3 months from now (>6 months after our submission). Sigh. I'd love for other reviewers to call out such inconsistencies.
Some top tier conferences have a heavy geographical bias. Software engineering leads in diversity while security mostly sticks to the US. We need to start moving! @NDSSSymposium @IEEESSP @USENIXSecurity live map:
After a long disclosure process we release #SMoTherSpectre, a transient execution attack that uses port contention as a side channel (instead of caches) to leak register/memory data. Details: paper: PoC:
Are you working with stubborn aarch64 code? Check out @cyan_pencil's upcoming @USENIXSecurity #SEC23 paper on efficiently rewriting ARM binaries. Insight: using heuristics for optimization on a safe baseline is key! Comments welcome!
Have you ever wondered what #fuzzing is all about? Are you starting research in fuzzing? Join me and let's ride the fuzzing hype train together!
@RAID_Conference FirmFuzz, deep analysis of embedded firmware, fuzzing exposed web interfaces. This was extremely hard to publish (workshop instead of con) as reviewers wanted us to scale to 1000s of firmwares (darn you @aurelsec 😉) instead of deep analysis of a few
Reviewers: I see that your approach is novel and that you evaluated it extensively over several years of effort. Why don't you also get this adopted in practice and run some user studies in addition to what you already did?
Gotta love systems/security reviewers 🫶🫶🫶
Interested in finding bugs but ASan is sucking up too much memory and too slow for your x86-64 binaries? FuZZan (presented today at #ATC20) will double your throughput. Source: Paper:
Want to learn what the fuzz is all about? We're about to embark on a 4 day @nullcon journey on the FuzzTrain. Day 0x01: let's get the engine started and burn those cycles!
We're simulating real-life scenarios, measuring BLE proximity with the help of the Swiss military in ground truth experiments. We'll of course openly release all data after processing! #DP3T
On one hand I'm answering debug requests about a prototype I opensourced 8 years ago. On the other hand, our Oakland paper gets rejected because all 3 reviewers require us to compare against two competitors that are not even available on request. Why do we even bother? 😩🤔
Despite rejecting our #ISCA20 paper, I'm happy with the process. We received 5 thoughtful reviews, an extensive 2 paragraph discussion of our rebuttal, and strong suggestions on how to improve. All this despite >400 papers. This encourages me to look more at non-security venues!
I usually stay out of politics on twitter but the current situation requires a statement. I stand with #BlackLivesMatter. The massive amount of systematic social injustice was one of the reasons why we left the United States. Stay safe my friends and fight the good fight!
Modest proposal to PC chairs: all missing reviews, after the grace period, will be interpreted as strong accepts. This would curb reviewing delays and help us in the push towards #PositiveReviewing 😉
This year, we published in SIGMETRICS, ICSE, ISSTA, MICRO, ISCA, and ASPLOS. Some papers were repeatedly harshly rejected from security venues but accepted openly at SE/SYS/ARCH venues. It's easy to reject, as reviewers, let's search for reasons to accept! #PositiveReviewing
When fuzzers play Doom (or learn to dance Tango). Our paper on automatic state inference through coverage abstraction received the best paper award @RAID_Conference. Congrats @PickleBryne and @qiangliu717!
Interested in exploitation? Check out automatically synthesizing data-only exploits through Block-Oriented Programming from #CCS18. Quick intro: and a readme so that you can play with the source:
This is an amazing opportunity for our field to reduce travel. After this is all over we should organize 1-2 yearly networking events to mingle but keep conferences online!
Due to the developing COVID-19 situation, #SP20 is being converted into an all-digital conference experience. The dates of the now digital conference will remain the same and more details will be available soon.
Interesting, ML/AI papers are twice as likely to be rejected than software analysis papers #NDSS2022. Top area-wise acceptance rates are future internet architectures, security of hardware platforms, cyber-crime, and software/firmware analysis.
After ETHZ and EPFL, CISPA dropped out of @PeppPt. Step by step, academics are distancing themselves from the @PeppPt centralized "privacy through blind trust" approach and continue their #PrivacyByDesign work on #DP3T where all designs, trade-offs, and prototypes are public!
Pumped to learn that HAKCs---Hardware Assisted Kernel Compartmentalization won the distinguished paper award @NDSSSymposium. This is a first step towards multi-layer, performance-sensitive compartmentalization. Lots more to come in this exciting area!
Our paper "T-Fuzz: fuzzing by program transformation" was accepted to @IEEESSP #SP18. Core idea: when fuzzing, don't limit yourself to input mutation, mutate the program too to trigger deep crashes! Joint #HexHive work between Hui, @Zardus, and me.
As it turns out, fuzzing IoT devices is challenging due to extremely constrained resources. We explored Cortex-M TrustZone apps to find bugs. And we found them @IEEESSP #IEEESP2024 Paper:
Reviewer 2 (of 2): your paper does not compare against $SYSTEM that was published 1 week before the submission deadline, covers a completely different language environment, and solves an orthogonal problem. Strong reject. ♥️♥️♥️
As it turns out, the secure monitor, Android's most trusted component is full of bugs. @_chli_ and @0ddc0de discovered lots of serious issues @USENIXSecurity through fuzzing. Paper:
Mentoring other researchers is one of the most fun aspects of my job. This is the response I got from a student close to graduation when asking him about doing a post doc. The response made me incredibly sad. Folks, we need to fix this or we'll lose the next generation!
CCS came out as "Professional negligence": reviewers do not care, not about the papers, not about the conference, not about co-reviewers, not about the program chairs.
Seems to me like a fairly accurate assessment of most security conferences :(
Great news: over the course of an hour I received notifications that a large grant was accepted, then two papers made it into a top tier conference, and a gift grant came in! 🥳🎉 A little later, at 3:30, I was woken by a crying toddler who thought that it was daytime 🤷♂️🤗😴
Today I received the certificate for our @NDSSSymposium distinguished paper award for our paper "Preventing Kernel Hacks with HAKCs". Thanks! 🤗 I also thank the post for their careful treatment of the letter. As we say in 🇱🇮: it looks like a cow was trying to eat it. 🐮💌
We are looking for PhD students, PostDocs, and interns to join us in software and systems security projects. Our focus: {fuzzing, sanitization, mitigations} for {memory corruption, type safety violations, side channels}. Come join the 🐝🐝🐝 Please RT
Wow, #HexHive paper #SMoTherSpectre finally accepted to @acm_ccs (SP->SEC->CCS->CCS) Despite being stronger than PortSmash we struggled convincing reviewers and built a) stronger analysis, b) SMoTher gadget search tool, c) attacks against OpenSSH/SSL. Stay tuned for paper/code!
Research is an upward journey and continuous learning experience. I'm humbled by this nomination and look forward to future endeavors in software security with the goal of protecting systems. A big thank you to all my colleagues, endorsers, and nominator! @EPFL_en @ICepfl
🌟Thrilled to introduce the exceptional individuals who have been inducted as ACM Distinguished Members for 2023. Their expertise & commitment to excellence make them invaluable contributors to our shared journey. Join us in celebrating these inductees! 👏
PSA: CVE-2020-15957 fixed in the @SwissCovid backend. Bug would have allowed ignoring the signature check when uploading keys, allowing an attacker to sneak in keys. This was not exploited in the wild. Bug was responsibly disclosed by André Cirre.
TFW several papers that build on your work get accepted at top tier venues while your work is going through several major revisions just to be rejected by "that" reviewer again and again 🤷
Believing in numbers and fair evaluation, I've compared RAP and LLVM-CFI. RAP is faster, LLVM-CFI is more precise. RAP is incredibly hard to use and its future is uncertain while LLVM-CFI is just a command line argument away. Details at Comments welcome 🤗
Interested in fuzzing? Wanna talk to the experts? Join us next Wed, May05 at DS3, featuring @mboehme_, @kayseesee, and @metr0. Mark your calendar and register at: (please RT)
You asked for more code, #DP3T delivers. We're releasing our current alpha implementations publicly and look for feedback, comments, and reviews! We have Android: iOS: and backend services:
The @wootsecurity WOOT'21 program is out with lots of great talks and two amazing keynotes by @natashenka and @sara_rampazzi. I'm extremely excited and you should all register as soon as we open up!
As always, Herbert's @NDSSSymposium #NDSSSymposium2024 keynote blew my mind. Looking at missed opportunities of interactions between hackers and academics, Herbert @vu5ec gave us a whirlwind tour of memory corruption and possible mitigations.
Are you fuzzing virtual devices? Check out our @IEEESSP paper "ViDeZZo" which brings structural awareness and intra-message dependencies to build up complex state in virtual devices to trigger deep bugs. Paper: Source:
No love for our peripheral fuzzing at Oakland. A new technique and ~50 Linux 0days are apparently not enough these days. We should think about selling the vulns instead, it's more lucrative than publishing papers. (Nah, we'll iterate and try to better explain the advantages.)
Great fun talking about T-Fuzz at #AsiaCCS18. Extended presentation: … paper: … source: Questions/collaborations/extensions welcome! (joint HexHive work with Hui Peng and @Zardus)
Yay, the book "The Continuing Arms Race: Code-Reuse Attacks and Defenses", in which I wrote a couple of chapters on memory/type safety and code pointer integrity (with Vova), got published:
Today marks my last day in the UCSB SecLab 🏄. It was crazy fun to spend a sabbatical in one of the most amazing security groups. I learned a lot about research and with these impressions I'll head home to the @HexHiveEPFL 🐝. Santa Barbara and the SecLab will remain in my ❤️ 🤙
Oakland early reject review: "I was unable to gleam any good takeaways from this paper, and it was hard to get through [...] I stopped reading the algorithms partway through, and it's not clear to me what a reader would gain by forcing their way through them."
👏👏👏
Today the #SwissCovid app goes live. This marks an important milestone for #DP3T and our gargantuan efforts to provide privacy-preserving proximity tracing. Looking forward to seeing many installations!
Interested in doing a PhD @ICepfl in Switzerland? I highlight some key constraints and pros/cons about doing a PhD @EPFL_en compared to doing a PhD in the US.
Congratulations to @PrashastSriv for passing his PhD defense "Practical Methods for Fuzzing Real-world Systems" @PurdueCS @PurSecLab @HexHiveEPFL! He'll be off to a post doc, so stay tuned for his future publications!
En route to @USENIXSecurity and @defcon. Our group @EPFL_en @ICepfl will present 6 papers 🤯. Find us to talk about fuzzing 🐰, binary rewriting ❤️, how developers handle undefined behavior 👨🔬👩🔬, or just to banter about software security in general.
Writing grant proposals is not just about money but brainstorming with friends about challenging topics. A grant is much broader than a paper, it's about vision, not just design, implementation, and evaluation. Even if rejected, I learned from each submission. #AcademicTwitter
Honored to receive an #FSE2022 distinguishing paper award for our work on effective browser API fuzzing through the analysis of variable interactions. Credit, as always, goes to the hardworking students! Paper is at:
🏆🏆🏆 #FSE2022 ACM SIGSOFT Distinguished Paper Awards have been announced!! Congrats to the authors for their amazing work! 🏆🏆🏆 We will tweet out details about each paper this week.