GET /large file HTTP/1.1: Connection-Based TCP Amplification Attacks

Yepeng Pan, Lars Richter, and Christian Rossow

[Paper] [Code]

WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls

Seyed Ali Akhavani, Bahruz Jabiyev, Ben Kallus, Cem Topcuoglu, Sergey Bratus, and Engin Kirda

[Paper] [Code]

Excuse me, what precise time is it?

Oliver Ettlin

[Video]

Cut To The QUIC: Slashing QUIC's Performance With A Hash DoS

Paul Bottinelli

[Slides] [Code]

High-impact security at the foundations

Understanding the Security Impact of CHERI on the Operating System Kernel

Zhaofeng Li, Jerry Zhang, Joshua Tlatelpa-Agustin, Xiangdong Chen, and Anton Burtsev

[Code] [Paper]

CUDA de Grâce: Owning AI Cloud Infrastructure with GPU Exploits

Valentina Palmiotti and Samuel Lovejoy

[Video]

Defeating KASLR by Doing Nothing at All

Seth Jenkins

[Blog post] [Code]

Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU

Romain Malmain and Scott Bauer

[Code] [Video]

Rust in Android: move fast and fix things 

Jeff Vander Stoep

[Blog post] [Rust course]

Skynet Starter Kit: From Embodied AI Jailbreak to Remote Takeover of Humanoid Robots

Shipei Qu, Zikai Xu, and Xuangan Xiao

[Video]

Wins and losses with LLMs and security

Scaling agentic architectures for autonomous security testing and offensive operations

Jason Garman, Jake Coyne, and Aaron Brown

[Slides] [Code]

Forced Descent: Google Antigravity Persistent Code Execution Vulnerability

Aaron Portnoy

[Blog post]

Flaw And Order: Finding The Needle In The Haystack Of CodeQL Using LLMs

Simcha Kosman

[Slides] [Blog post] [Code]

Rescuing the Unpoisoned: Efficient Defense against Knowledge Corruption Attacks on RAG Systems

Kim Minseok, Lee Hankook, and Koo Hyungjoon

[Code] [Paper]

Whisper Leak: A novel side-channel attack on remote language models 

Jonathan Bar Or and Geoff McDonald

[Blog post] [Paper] [Code]

Nifty sundries

Format-Preserving Compression-Tolerating Authenticated Encryption for Images

Alexandra Boldyreva, Kaishuo Cheng, and Jehad Hussein

[Slides] [Paper]

Why Quantum Cryptanalysis is Bollocks

Peter Gutmann

[Video] [Slides]

Unmasking Organizations' Security Postures: Insights From Phishing-Resistant Authentication

Fei Liu

[Slides]

Those Who Do Not Learn from Advisories Are Doomed to Repeat Them

Louis Nyffenegger

[Video]

Microsoft-induced security woes

One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens

Dirk-jan Mollema

[Blog post]

Turning Microsoft's Login Page into our Phishing Infrastructure

Keanu Nys

[Slides] [Video]

You snooze you lose: RPC-Racer winning RPC endpoints against services

Ron Ben Yizhak

[Slides] [Code] [Video]

Internal Domain Name Collision 2.0

Philippe Caturegli

[Slides] [Video]

Logs are not always as they appear

Source IP Spoofing in Cloud Logs: A Hands-On Look Across AWS, Azure, and GCP

Eliav Livneh

[Video]

I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR

Olaf Hartong

[Slides] [Code]

From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion

Shu-Hao Tung

[Slides] [Paper] [Video]

Autobots roll out!

Automating software security with LLMs

Tyler Nighswander

[Site] [Code] [Video]

Agents Built From Alloys

Albert Ziegler

[Blog post] [Dataset]

AI Agents for Offsec with Zero False Positives

Brendan Dolan-Gavitt

[Slides]

Are CAPTCHAs Still Bot-hard? Generalized Visual CAPTCHA Solving with Agentic Vision Language Model

Xiwen Teoh, Yun Lin, Siqi Li, Ruofan Liu, Avi Sollomoni, Yaniv Harel, and Jin Song Dong

[Site] [Paper] [Code]

Good vibrations

Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors

Mohamad Habib Fakih, Rahul Dharmaji, Youssef Mahmoud, Halima Bouzidi, and Mohammad Abdullah Al Faruque

[Site] [Paper]

TimeTravel: Real-time Timing Drift Attack on System Time Using Acoustic Waves

Jianshuo Liu, Hong Li, Haining Wang, Mengjie Sun, Hui Wen, Jinfa Wang, and Limin Sun

[Paper]

Nifty sundries

Crescent library brings privacy to digital identity systems

Christian Paquin, Guru-Vamsi Policharla, and Greg Zaverucha

[Blog post] [Paper] [Code]

Journey to the center of the PSTN: How I became a phone company, and how you can too

Enzo Damato

[Slides] [Video]

Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch

Ji'an Zhou and Lishuo Song

[Slides]

Ghosts in the Machine Check – Conjuring Hardware Failures for Cross-ring Privilege Escalation

Christopher Domas

[Slides] [Code] [Video]

Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents

Avital Shafran, Roei Schuster, and Vitaly Shmatikov

[Paper] [Code]

Inverting the Xorshift128+ random number generator

Scott Contini

[Blog post] [Code]

Networking is always tricky

Beyond the Horizon: Uncovering Hosts and Services Behind Misconfigured Firewalls

Qing Deng, Juefei Pu, Zhaowei Tan, Zhiyun Qian, and Srikanth V. Krishnamurthy

[Paper]

0.0.0.0 Day: Exploiting Localhost APIs From The Browser

Avi Lumelsky and Gal Elbaz

[Blog post] [Video]

Local Mess: Covert Web-to-App Tracking via Localhost on Android

Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens

[Website]

Transport Layer Obscurity: Circumventing SNI Censorship on the TLS-Layer

Niklas Niere, Felix Lange, Juraj Somorovsky, and Robert Merget

[Code] [Paper]

Language models large and small

The road to Top 1: How XBOW did it

Nico Waisman

[Blog post]

AI and Secure Code Generation

Dave Aitel and Dan Geer

[Blog post]

A look at CloudFlare’s AI-coded OAuth library

Neil Madden

[Blog post]

How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation

Sean Heelan

[Blog post] [Code]

Enhancing Secret Detection in Cybersecurity with Small LMs

Danny Lazarev and Erez Harush

[Blog post] [Video]

BAIT: Large Language Model Backdoor Scanning by Inverting Attack Target

Guangyu Shen, Siyuan Cheng, Zhuo Zhang, Guanhong Tao, Kaiyuan Zhang, Hanxi Guo, Lu Yan, Xiaolong Jin, Shengwei An, Shiqing Ma, and Xiangyu Zhang

[Code] [Paper]

When parsing goes right, and when it goes wrong

3DGen: AI-Assisted Generation of Provably Correct Binary Format Parsers

Sarah Fakhoury, Markus Kuppe, Shuvendu K. Lahiri, Tahina Ramananandro, and Nikhil Swamy

[Slides] [Paper]

GDBMiner: Mining Precise Input Grammars on (Almost) Any System

Max Eisele, Johannes Hägele, Christopher Huth, and Andreas Zeller

[Paper] [Code]

Parser Differentials: When Interpretation Becomes a Vulnerability

Joernchen / Joern Schneeweisz

[Slides] [Video]

Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors

Jiahe Zhang, Jianjun Chen, Qi Wang, Hangyu Zhang, Shengqiang Li, Chuhan Wang, Jianwei Zhuge, and Haixin Duan

[Slides] [Paper] [Code]

Nifty sundries

Impostor Syndrome: Hacking Apple MDMs Using Rogue Device Enrolments

Marcell Molnár and Magdalena Oczadły

[Slides] 

Your Cable, My Antenna: Eavesdropping Serial Communication via Backscatter Signals

Lina Pu, Yu Luo, Song Han, and Junming Diao

[Paper]

GoSonar: Detecting Logical Vulnerabilities in Memory Safe Language Using Inductive Constraint Reasoning

Md Sakib Anwar, Carter Yagemann, and Zhiqiang Lin

[Paper] [Code]

Show Me Your ID(E)!: How APTs Abuse IDEs

Tom Fakterman and Daniel Frank

[Slides] [Video]

Inviter Threat: Managing Security in a new Cloud Deployment Model

Meg Ashby

[Video]

Carrier Tokens—A Game-Changer Towards SMS OTP Free World!

Kazi Wali Ullah

[Slides] [Code] [Video]

Putting it into practice

Homomorphic Encryption across Apple features

Rehan Rishi, Haris Mughees, Fabian Boemer, Karl Tarbe, Nicholas Genise, Akshay Wadia, and Ruiyu Zhu

[Code] [Paper] [Video]

Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies

Alexandre Nesic

[Blog] 

How to Backdoor Large Language Models

Shrivu Shankar

[Blog] [Code] 

Buccaneers of the Binary: Plundering Compiler Optimizations for Decompilation Treasure

Zion Leonahenahe Basque

[Code] [Video]

Software Screws Around, Reverse Engineering Finds Out: How Independent, Adversarial Research Informs Government Regulation

Andy Sellars and Michael A. Specter

[Video] [Website]

Understanding things all the way down

PhantomLiDAR: Cross-modality Signal Injection Attacks against LiDAR

Zizhi Jin, Qinhong Jiang, Xuancun Lu, Chen Yan, Xiaoyu Ji, and Wenyuan Xu

[Paper] [Demo Videos]

Full-stack Reverse Engineering of the Original Microsoft Xbox

Markus Gaasedelen

[Video]

Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China

Shencha Fan, Jackson Sippe, Sakamoto San, Jade Sheffey, David Fifield, Amir Houmansadr, Elson Wedwards, and Eric Wustrow

[Paper]

Scaling software (in)security

Low-Effort Denial of Service with Recursion

Alexis Challande and Brad Swain

[Paper] [Video]

Is this memory safety here in the room with us?

Thomas Dullien (Halvar Flake)

[Slides] [Video]

How to gain code execution on millions of people and hundreds of popular apps

Eva

[Blog]

Node is a loader

Tom Steele

[Blog]

Mixing up Public and Private Keys in OpenID Connect deployments

Hanno Böck

[Blog] [Code]

Nifty sundries

Will It Run? Fooling EDRs With Command Lines Using Empirical Data

Wietze Beukema

[Tool site] [Code] [Video]

Homoglyph-Based Attacks: Circumventing LLM Detectors

Aldan Creo

[Paper] [Code] [Video]

28 Months Later - The Ongoing Evolution of Russia's Cyber Operations

The Grugq

[Slides] [Podcast interview]

‘It's Not Paranoia If They're Really After You’: When Announcing Deception Technology Can Change Attacker Decisions

Andrew Reeves and Debi Ashenden

[Paper]

Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack

Ziqiang Wang, Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, Mengyuan Li, Ganqiu Du, Ke Xu, and Jianping Wu

[Paper] [Code]

Wins and losses in the Microsoft ecosystem

Pointer Problems - Why We’re Refactoring the Windows Kernel

Joe Bialek

[Video]

Defending off the land

Casey Smith, Jacob Torrey, and Marco Slaviero

[Slides] [Code]

Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise

Yuya Chudo

[Slides] [Code]

From Simulation to Tenant Takeover

Vaisha Bernard

[Video]

From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11

NiNi Chen

[Slides] [Video]

LLM hype continues, as do the security issues

Things we learned about LLMs in 2024

Simon Willison

[Blog]

AI Meets Git: Unmasking Security Flaws in Qodo Merge

Nils Amiet

[Slides] [Video] [Blog]

Suicide Bot: New AI Attack Causes LLM to Provide Potential “Self-Harm” Instructions

Gadi Evron

[Blog]

Diving deep, then diving deeper

Breaking NATO Radio Encryption

Lukas Stennes

[Paper] [Video]

Exploiting File Writes in Hardened Environments

Stefan Schiller

[Blog] [Video]

Hacking yourself a satellite - recovering BEESAT-1

PistonMiner

[Video]

IRIS: Non-Destructive Inspection of Silicon

Andrew 'bunnie' Huang

[Blog] [Paper] [Video]

SQL Injection Isn't Dead

Paul Gerste

[Slides] [Video]

Nifty sundries

What Developers Get for Free?

Louis Nyffenegger

[Video]

Dialing into the Past: RCE via the Fax Machine – Because Why Not?

Rick de Jager and Carlo Meijer

[Video]

Broken isolation - Draining your Credentials from Popular macOS Password Managers

Wojciech Reguła

[Slides] [Video]

I'll Be There for You! Perpetual Availability in the A8 MVX System

André Rösti, Stijn Volckaert, Michael Franz, and Alexios Voulimeneas

[Code] [Paper]

Exploring and Exploiting an Android “Smart POS” Payment Terminal

Jacopo Jannone

[Video]

Edge cases at scale still matter

Works from this theme exploit rarely-occurring issues, but with an internet-wide aperture to end up with impressive results. Look for: mechanising bit-squatting; static code analysis for vulnerabilities across all browser extensions, or across web ecosystems; and how Let’s Encrypt worries about revoking and reissuing 400M certificates in a week.

Going above and beyond

Talks and papers often use state-of-the-art tooling to measure/detect an interesting phenomenon. This theme highlights four works that could have followed that path, but also built robust tooling/research data to help others push the state-of-the-art forward. Look for: large scale collection and remediation of dangling domains and static secret leaks, preventing memory-corruption vulnerabilities across the Android ecosystem, remote timing attack frameworks, and SSH testing at scale.

What goes on behind the curtain can be dangerous

Modern IT systems are composed of many layers. Usually the details at lower levels can be abstracted and safely put out of mind. This theme highlights work that shows that what happens in these oft-ignored places can have significant impacts. See: AWS-internal resources built on your behalf, BGP security weaknesses, stealthy hardware backdoors in access control systems spanning over 15 years, Wi-Fi management plane vulnerabilities, VPN-OS interactions, and a legacy file-system hack in Windows.

Nifty sundries

As always, we wanted to showcase work that didn’t fit into the major themes of this issue. We cover: bypassing voice authentication with only a picture of the victim’s face, racking up bills on locked credit cards, email parsing confusion, scanning IPv6, and a timing attack on remote web clients.

Edge cases at scale still matter

Flipping Bits: Your Credentials Are Certainly Mine

Joohoi and STÖK

[Code] [Video]

Universal Code Execution by Chaining Messages in Browser Extensions

Eugene Lim

[Blog] [Video]

CVE Hunting Made Easy

Eddie Zhang

[Blog] [Code] 

How To Revoke And Replace 400 Million Certificates Without Breaking The Internet

Aaron Gable

[Slides] [Video]

Going above and beyond

Secrets and Shadows: Leveraging Big Data for Vulnerability Discovery at Scale

Bill Demirkapi

[Blog]

Eliminating Memory Safety Vulnerabilities at the Source

Jeff Vander Stoep and Alex Rebert

[Blog]

Listen to the Whispers: Web Timing Attacks that Actually Work

James Kettle

[Slides] [Paper] [Code]

Secure Shells in Shambles

HD Moore and Rob King

[Slides] [Code] [Video]

What goes on behind the curtain can be dangerous

Breaching AWS Accounts Through Shadow Resources

Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach

[Slides] [Code]

Crashing the Party: Vulnerabilities in RPKI Validation

Niklas Vogel, Donika Mirdita, Haya Schulmann, and Michael Waidner

[Slides] [Paper]

MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors

Philippe Teuwen

[Blog] [Paper] [Code]

Fallen Tower of Babel: Rooting Wireless Mesh Networks by Abusing Heterogeneous Control Protocols

Xin'an Zhou, Zhiyun Qian, Juefei Pu, Qing Deng, Srikanth Krishnamurthy, and Keyu Man

[Slides] [Paper] [Code]

Attacking Connection Tracking Frameworks as used by Virtual Private Networks

Benjamin Mixon-Baca, Jeffrey Knockel, Diwen Xue, Deepak Kapur, Roya Ensafi, and Jed Crandall

[Paper]

MagicDot: A Hacker's Magic Show of Disappearing Dots and Spaces

Or Yair

[Slides] [Blog] [Video] [Code]

Nifty sundries

Can I Hear Your Face? Pervasive Attack on Voice Authentication Systems with a Single Face Image

Nan Jiang, Bangjie Sun, Terence Sim, and Jun Han

[Paper] [Code]

In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping

Raja Hasnain Anwar, Syed Rafiul Hussain, and Muhammad Taqi Raza

[Slides] [Paper]

Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls

Gareth Heyes

[Slides] [Paper] [Code]

6Sense: Internet-Wide IPv6 Scanning and its Security Applications

Grant Williams, Mert Erdemir, Amanda Hsu, Shraddha Bhat, Abhishek Bhaskar, Frank Li, and Paul Pearce

[Slides] [Paper] [Code]

SnailLoad: Anyone on the Internet Can Learn What You're Doing

Daniel Gruss and Stefan Gast

[Slides] [Paper]

Conclusions

While we started off 2024 with a modest amount of high-quality works, this has scaled up significantly. As conference publications increase, we do see a slight decline in the number of blogs; there does appear to be some inverse correlation between the two tallies.

We highlighted three themes for this quarter:

1. Rare events that happen at internet-scale have big impacts.
2. Going above and beyond in tooling development.
3. Cross-layer gotchas.

We’re looking forward to seeing how the year closes out with our year in review and the final quarter of 2024. 

Injecting into LLM-adjacent components

Johann Rehberger

[Blog 1] [Blog 2]

Teams of LLM Agents can Exploit Zero-Day Vulnerabilities

Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang

[Paper] 

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models 

Sergei Glazunov and Mark Brand

[Blog] 

LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks

Saad Ullah, Mingji Han, Saurabh Pujar, Hammond Pearce, Ayse Kivilcim Coskun, and Gianluca Stringhini

[Paper] [Code]

The Impact of Backdoor Poisoning Vulnerabilities on AI-Based Threat Detectors

Dmitrijs Trizna, Luca Demetrio, Battista Biggio, and Fabio Roli

[Slides] [Paper] [Code]

Looking at the whole system

Systems Alchemy: The Transmutation of Hacking

Thaddeus grugq

[Video]

The Boom, the Bust, the Adjust and the Unknown

Maor Shwartz

[Slides]

Poisoning Web-Scale Training Datasets is Practical

Nicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tramèr

[Paper]

Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers

Noam Dahan and Ari Eitan

[Video]

New modalities with which to inflict pain

GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression

Yingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham, and Christopher W. Fletcher

[Paper]

AquaSonic: Acoustic Manipulation of Underwater Data Center Operations and Resource Management

Jennifer Sheldon, Weidong Zhu, Adnan Abdullah, Sri Hrushikesh Varma Bhupathiraju, Takeshi Sugawara, Kevin Butler, Md Jahidul Islam, and Sara Rampazzi

[Paper] [Video]

Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED Captured By Standard Video Cameras

Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, and Yuval Elovici

[Site] [Paper] [Video]

Old components showing the strain

Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks

Yuxiang Yang, Xuewei Feng, Qi Li, Kun Sun, Ziqiang Wang, and Ke Xu

[Blog] [Paper] 

Reliable Payload Transmission Past the Spoofed TCP Handshake

Yepeng Pan and Christian Rossow

[Paper] [Code]

Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

David Klein and Martin Johns

[Paper] [Code]

Practical Exploitation of Registry Vulnerabilities in the Windows Kernel

Mateusz Jurczyk

[Blog] [Video]

Nifty sundries

An Analysis of Recent Advances in Deepfake Image Detection in an Evolving Threat Landscape

Sifat Muhammad Abdullah, Aravind Cheruvu, Shravya Kanchi, Taejoong Chung, Peng Gao, Murtuza Jadliwala, and Bimal Viswanath

[Code] [Paper]

Tracking illicit phishermen in the deep blue Azure

Jacob Torrey

[Slides] [Code]

SEVeriFast: Minimizing the root of trust for fast startup of SEV microVMs

Benjamin Holmes, Jason Waterman, and Dan Williams

[Paper] [Code]

Certiception: The ADCS Honeypot We Always Wanted

Balthasar Martin and Niklas van Dornick

[Blog] [Code] [Slides]

PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound

Man Zhou, Shuao Su, Qian Wang, Qi Li, Yuting Zhou, Xiaojing Ma, and Zhengxiong Li

[Paper]

ModelGuard: Information-Theoretic Defense Against Model Extraction Attacks

Minxue Tang, Anna Dai, Louis DiValentin, Aolin Ding, Amin Hass, Neil Zhenqiang Gong, Yiran Chen, and Hai Li

[Paper] [Code]

RECORD: A RECeption-Only Region Determination Attack on LEO Satellite Users

Eric Jedermann, Martin Strohmeier, Vincent Lenders, and Jens Schmitt

[Code] [Paper]

Private web search with Tiptoe

Alexandra Henzinger, Emma Dauterman, Henry Corrigan-Gibbs, and Nickolai Zeldovich

[Slides] [Paper] [Video] [Code]

Can Virtual Reality Protect Users from Keystroke Inference Attacks?

Zhuolin Yang, Zain Sarwar, Iris Hwang, Ronik Bhaskar, Ben Y. Zhao, and Haitao Zheng

[Website] [Paper]

Backtrace in Time: Revealing Attackers’ Sleep Patterns and Days Off in RDP Brute-Force Attacks with Calendar Heatmaps

Andréanne Bergeron

[Code] [Blog] [Video]

Taking another look with a fresh perspective

Breaking HTTP Servers, Proxies, and Load Balancers Using the HTTP Garden

Ben Kallus and Prashant Anantharaman

[Code] [Video]

Compiler Backdooring For Beginners

Marion Marschalek

[Video]

Revisiting 2017: AI and Security, 7 years later

Thomas Dullien

[Video]

Automated Large-Scale Analysis of Cookie Notice Compliance

Ahmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, and David Basin

[Paper] [Code Access]

Turning Windows into doors

LSA Whisperer

Evan McBroom

[Slides] [Blog] [Code]

Wishing: Webhook Phishing in Teams

Matthew Eidelberg

[Blog] [Code]

Misconfiguration Manager: Overlooked and Overprivileged

Duane Michael and Chris Thompson

[Slides] [Blog] [Code]

Smoke and Mirrors: How to hide in Microsoft Azure

Aled Mehta and Christian Philipov

[Video]

Nifty sundries

Backdoor in XZ Utils allows RCE: everything you need to know

Andres Freund, Merav Bar, Amitai Cohen, Danielle Aminov, and Russ Cox

[Initial Disclosure] [Wiz Blog] [Timeline]

More Money, Fewer FOSS Security Problems? The Data, Such As It Is

John Speed Meyers, Sara Ann Brackett, and Stewart Scott

[Video]

MUDding Around: Hacking for gold in text-based games

Unix-ninja

[Blog]

DeGPT: Optimizing Decompiler Output with LLM

Peiwei Hu, Ruigang Liang, and Kai Chen

[Paper]

Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs

Tsung-Yin Hsieh, Ben Nassi, Vitaly Shmatikov, and Eugene Bagdasaryan

[Slides] [Paper] [Code]

Tree of Attacks: Jailbreaking Black-Box LLMs Automatically

Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi

[Paper] [Code]

Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection

Jacob Torrey

[Slides] [Code] [Video]

Dystopian much: The Rise of the Influence Machines

Nea Paw

[Blog] [Video]

Problems in well-trodden areas

SMTP Smuggling – Spoofing E-mails Worldwide

Timo Longin

[Blog] [Video]

Blind CSS Exfiltration: Exfiltrate unknown web pages

Gareth Heyes

[Slides] [Blog] [Code]

OLE object are still dangerous today – Exploiting Microsoft Office

wh1tc and Zhiniang Peng

[Slides] [Demo Videos]

The Nightmare of Apple’s OTA Update

Mickey Jin

[Slides] [Blog] [Video]

Reflecting on our efforts

Evaluating the Security Posture of Real-World FIDO2 Deployments

Dhruv Kuchhal, Muhammad Saad, Adam Oest, and Frank Li

[Paper]

Talking about Pros and Cons

Jacob Torrey

[Slides] [Video]

NCC Group’s 2022 & 2023 Research Report

NCC Group

[Paper] [Blog]

A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lessons Learned

Orange Tsai

[Slides] [Video]

Nifty sundries

Breaking "DRM" in Polish trains

MrTick, Redford, and q3k

[Video]

Detection and Blocking with BPF via YAML

Kevin Sheldrake

[Slides] [Code]

AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis

Zhiyuan Yu, Shixuan Zhai, and Ning Zhang

[Paper] [Code]

A Good Fishman Knows All the Angles: A Critical Evaluation of Google's Phishing Page Classifier

Changqing Miao, Jianan Feng, Wei You, Wenchang Shi, Jianjun Huang, and Bin Liang

[Paper] [Code]

Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates

Ori David

[Blog] [Code] 

Operation Triangulation: What You Get When Attack iPhones of Researchers

Boris Larin, Leonid Bezvershenko, and Georgy Kucherin

[Blog] [Video]

Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping

Jingyang Hu, Hongbo Wang, Tianyue Zheng, Jingzhi Hu, Zhe Chen, Hongbo Jiang, and Jun Luo

[Paper] [Code]

certmitm: automatic exploitation of TLS certificate validation vulnerabilities

Aapo Oksman

[Slides] [Code] [Video]

Escaping Phishermen Nets: Cryptographic Methods Unveiled in the Fight Against Reverse Proxy Attacks

Ksandros Apostoli

[Blog]

mTLS: When certificate authentication is done wrong

Michael Stepankin

[Slides] [Blog]

Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth

Nicolas Bouchinet, Loïc Buckwell, and Gabriel Kerneis

[Slides] [Code] [Video]

HECO: Fully Homomorphic Encryption Compiler

Alexander Viand, Patrick Jattke, Miro Haller, and Anwar Hithnawi

[Slides] [Paper] [Code]

[Continued] attack of the side-channels

Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings

Evangelos Bitsikas, Theodor Schnitzler, Christina Pöpper, and Aanjhan Ranganathan

[Paper] [Code]

Downfall: Exploiting Speculative Data Gathering

Daniel Moghimi

[Code] [Paper] 

Your Clocks Have Ears – Timing-Based Browser-Based Local Network Port Scanner

Dongsung Kim

[Slides] [Demo] [Video]

Composition is hard in the cloud

Using Cloudflare to bypass Cloudflare

Florian Schweitzer and Stefan Proksch

[Blog] 

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Asaf Greenholts

[Slides] [Blog] [Video]

All You Need is Guest

Michael Bargury

[Slides] [Code]

Nifty sundries

Contactless Overflow: Critical contactless vulnerabilities in NFC readers used in point of sales and ATMs

Josep Pi Rodriguez

[Slides] [Video]

Defender-Pretender: When Windows Defender Updates Become a Security Risk

Omer Attias and Tomer Bar

[Slides] [Code] 

Fuzz target generation using LLMs

Dongge Liu, Jonathan Metzman, and Oliver Chang

[Results] [Report] [Blog]

Route to Bugs: Analyzing the Security of BGP Message Parsing

Daniel dos Santos, Simon Guiot, Stanislav Dashevskyi, Amine Amri, and Oussama Kerro

[Slides] [Code]

It was harder to sniff Bluetooth through my mask during the pandemic…

Xeno Kovah

[Slides] [Data]

IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation

Erik Rye and Robert Beverly

[Slides] [Paper] [Code]

Device Tracking via Linux’s New TCP Source Port Selection Algorithm

Moshe Kol, Amit Klein, and Yossi Gilad

[Code] [Paper]

zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infrastructure

Michael Rosenberg, Jacob White, Christina Garman, and Ian Miers

[Paper] [Code]

3 Years in China: A Tale of Building a REAL Full Speed Anti-Censorship Router

KaiJern Lau

[Slides] [Code] [Video]

Embedded [in]security

Embedded Threats: A Deep Dive into the Attack Surface and Security Implications of eSIM Technology

Markus Vevier

[Code] [Video]

RPMB, a secret place inside the eMMC

Sergio Prado

[Blog]

Compromising Garmin’s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine

Tao Sauvage

[Blog] [Video] [Slides]

The Impostor Among US(B): Off-Path Injection Attacks on USB Communications

Robert Dumitru, Daniel Genkin, Andrew Wabnitz, and Yuval Yarom

[Code] [Paper]

MagBackdoor: Beware of Your Loudspeaker as A Backdoor For Magnetic Injection Attacks

Tiantian Liu, Feng Lin, Zhangsen Wang, Chao Wang, Zhongjie Ba, Li Lu, Wenyao Xu, and Kui Ren

[Code] [Paper]

Issues at the operating system level

(Windows) Hello from the Other Side

Dirk-jan Mollema

[Slides] [Code]

Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures

Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk

[Paper] [Code]

Dirty Bin Cache: A New Code Injection Poisoning Binary Translation Cache

Koh Nakagawa

[Slides] [Code]

The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham

[Slides] [Paper] [Code]

Nifty sundries

EverParse: Secure Binary Data Parsers for Everyone

Tahina Ramananandro

[Slides] [Code]

InfinityGauntlet: Expose Smartphone Fingerprint Authentication to Brute-force Attack

Yu Chen, Yang Yu, and Lidong Zhai

[Paper]

It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses

Soheil Khodayari and Giancarlo Pellegrino

[Code] [Paper] [Site]

Can you trust ChatGPT’s package recommendations?

Bar Lanyado, Ortal Keizman, and Yair Divinsky

[Blog]

Phoenix Domain Attack: Vulnerable Links in Domain Name Delegation and Revocation

Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li

[Slides] [Paper]

Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects

Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, and Ke Xu

[Website] [Paper]

Tal Be'ery and Roi Vazan

[Blog] [Video]

Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection

Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz

[Paper] [Code] [Demo Website]

Using ZK Proofs to Fight Disinformation

Trisha Datta and Dan Boneh

[Slides] [Video] [Code] [Blog]

Crypto Agility and Post-Quantum Cryptography @ Google

Stefan Kölbl, Anvita Pandit, Rafael Misoczki, and Sophie Schmieg

[Code] [Video]

Server-side prototype pollution: Black-box detection without the DoS

Gareth Heyes

[Blog] [Slides] [Video]

Phantom of the Pipeline – Abusing Self-Hosted CI/CD Runners

Adnan Khan, Mason Davis, and Matt Jackoski

[Slides] [Code] [Blog]

Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues

Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef

[Slides] [Paper] [Video]

Let Me Unwind That For You: Exceptions to Backward-Edge Protection

Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, and Cristiano Giuffrida

[Slides] [Paper] [Code]

Protect the System Call, Protect (Most of) the World with BASTION

Christopher Jelesnianski, Mohannad Ismail, Yeongjin Jang, Dan Williams, and Changwoo Min

[Paper]

Interoperability in End-to-End Encrypted Messaging

Esha Ghosh, Paul Grubbs, Julia Len, and Paul Rösler

[Slides] [Paper] [Video]

High Risk Users and Where to Find Them

Masha Sedova

[Paper] [Video]

Why I write my own security tooling

James Forshaw

[Code] [Video]

Polynonce: A tale of a novel ECDSA attack and Bitcoin tears

Marco Macchetti and Nils Amiet

[Blog] [Paper] [Code]

Finding 10x+ Performance Improvements in C++ with CodeQL

Sean Heelan

[Blog] [Code]

Bridging the gap in the static and dynamic analysis of binaries through decompiler tomfoolery!

Zion Basque

[Code] [Video]

Felix Wilhelm

[Slides] [Video]

Announcing GUAC, a great pairing with SLSA (and SBOM)!

Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team

[Blog] [Code] [Presentation]

We sign code now

William Woodruff

[Blog] [Code] [Video]

Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms

Csaba Fitzl and Wojciech Regula

[Slides] 

Farming The Apple Orchards: Living Off The Land Techniques

Cedric Owens and Chris Ross

[Slides] [Video]

LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands

Nasreddine Bencherchali

[Blog] 

POPKORN: Popping Windows Kernel Drivers At Scale

Rajat Gupta, Lukas Patrick Dresel, Noah Spahn, Giovanni Vigna, Christopher Kruegel, and Taesoo Kim

[Paper] [Code]

RC4 Is Still Considered Harmful

James Forshaw

[Blog]

Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisions

Tom Tervoort

[Paper] [Slides]

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

Ophir Harpaz and Stiv Kupchik

[Slides] [Video]

Decentralized Identity Attack Surface

Shaked Reiner

[Blog part 1] [Blog part 2]

Drone Authentication via Acoustic Fingerprint

Yufeng Diao, Yichi Zhang, Guodong Zhao, and Mohamed Khamis

[Slides] [Paper]

On the Implications of Spoofing and Jamming Aviation Datalink Applications

Harshad Sathaye, Guevara Noubir, and Aanjhan Ranganathan

[Slides] [Paper]

{JS-ON: Security-OFF}: Abusing JSON-Based SQL Queries

Noam Moshe

[Slides] [SQLMap patch] [Blog]

Are There Wireless Hidden Cameras Spying on Me?

Jeongyoon Heo, Sangwon Gil, Youngman Jung, Jinmok Kim, Donguk Kim,

Woojin Park, Yongdae Kim, Kang G. Shin, and Choong-Hoon Lee

[Slides] [Paper]

Dilawer Ahmed, Anupam Das, and Fareed Zaffar

[Code] [Paper]

Watching the Watchers: Practical Video Identification Attack in LTE Networks

Sangwook Bae, Mincheol Son, Dongkwan Kim, CheolJun Park, Jiho Lee, Sooel Son, and Yongdae Kim

[Website] [Paper] [Video]

Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel

Henrique Teles Maia, Chang Xiao, Dingzeyu Li, Eitan Grinspun, and Changxi Zheng

[Slides] [Paper]

LTrack: Stealthy Tracking of Mobile Phones in LTE

Martin Kotuliak, Simon Erni, Patrick Leu, Marc Röschlin, and Srdjan Čapkun

[Slides] [Paper]

IRMA's Idemix core: Understanding the crypto behind selective, unlinkable attribute disclosure

Maja Reissner and Sietse Ringers

[Site] [Code] [Video]

CryptPad: a zero knowledge collaboration platform

Ludovic Dubost

[Code] [Video] [Site]

drand: publicly verifiable randomness explained

Yolan Romailler

[Video] [Code]

A dead man’s full-yet-responsible-disclosure system

Yolan Romailler

[Slides] [Code]

Oops... Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures

Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk

[Slides] [Paper]

My data in your signed code

Alex Ivkin

[Code] [Video]

Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification

Golan Cohen

[Video] [Blog]

TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries

Marcel Maehren, Philipp Nieting, Sven Hebrok, Robert Merget, Juraj Somorovsky, Jörg Schwenk

[Slides] [Website] [Code]

Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs

Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, Nicolaas Weideman, Gokulkrishna Praveen Menon, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Tiffany Bao, Ruoyu Wang, Christophe Hauser, and Yan Shoshitaishvili

[Paper] [Code]

In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot

Hammond Pearce, Benjamin Tan, Brendan Dolan-Gavitt, and Baleegh Ahmad

[Slides] [Paper]

Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing

Ned Williamson

[Slides] [Code]

Someone’s Been Messing With My Subnormals!

Brendan Dolan-Gavitt

[Blog]

Attacking AAD by abusing the Sync API: The story behind $40K in bounties

Nestori Syynimaa

[Slides] [Code] [Video]

Towards a Tectonic Traffic Shift? Investigating Apple’s New Relay Network

Patrick Sattler , Juliane Aulbach , Johannes Zirngibl , Georg Carle

 [Paper] 

Hiding malware in Docker Desktop's secret virtual machine

Alex Hope

[Blog] [Video]

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

Orange Tsai

[Slides] [Blog]

Using Trātṛ to tame Adversarial Synchronization

Yuvraj Patel, Chenhao Ye, Akshat Sinha, Abigail Matthews, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau, and Michael M. Swift

[Slides] [Paper]

Nate Warfield

[Slides]

Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones

Jiska Classen, Alexander Heinrich, Robert Reith, and Matthias Hollick

[Slides] [Paper]

AirTag of the Clones: Shenanigans with Liberated Item Finders

Thomas Roth, Fabian Freyer, Matthias Hollick, and Jiska Classen

[Paper] [Code]

Are Blockchains Decentralised?

Evan Sultanik, Alexander Remie, Felipe Manzano, Trent Brunson, Sam Moelius, Eric Kilmer, Mike Myers, Talley Amir, and Sonya Schriner

[Blog] [Paper] [Audio]

What Log4j teaches us about the Software Supply Chain

Stephen Magill

[Slides] [Video]

Kani Rust Verifier

Daniel Schwartz-Narbonne and Zyad Hassan

[Slides] [Video] [Code]

Cross-Language Attacks

Samuel Mergendahl, Nathan Burow, and Hamed Okhravi

[Paper]

Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats

Giorgio Di Tizio, Michele Armellini, and Fabio Massacci

[Paper] [Data]

AMD Secure Processor for Confidential Computing Security Review

Cfir Cohen, James Forshaw, Jann Horn, and Mark Brand

[Blog] [Paper]

Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem

Matt Graebar

[Slides]

A Kernel Hacker Meets Fuchsia OS

Alexander Popov

[Blog] [Video]

Adaptive Multi-objective Optimization in Gray-box Fuzzing

Gen Zhang, Pengfei Wang, Tai Yue, Xiangdong Kong, Shan Huang, Xu Zhou, and Kai Lu

[Paper]

Cooper Knows the Shortest Stave: Finding 134 Bugs in the Binding Code of Scripting Languages with Cooperative Mutation

Xu Peng, Yanhao Wang, Hong Hu, and Purui Su

[Slides] [Paper] [Code]

Bypassing CSP with dangling iframes

Gareth Heyes

[Blog] 

Bypassing Dangling Markup Injection Mitigation Bypass in Chrome

SeungJu Oh

 [Bug report] [Blog]

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

Avinash Sudhodanan and Andrew Paverd

[Blog] [Paper]

Diane Dubois

[Slides] [Paper] [Code] [Video]

Put an io_uring on it: Exploiting the Linux Kernel

Valentina Palmiotti

[Blog]

The AMD Branch (Mis)predictor: Where No CPU has Gone Before

Pawel Wieczorkiewicz

[Blog part 1] [Blog part 2]

Dynamic Process Isolation

Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss, and Michael Schwarz

[Paper]

Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware

Itai Liba, and Assaf Carlsbad

[Blog] [Code]

Confidential Containers: Bringing Confidential Computing to the Kubernetes Workload Masses

Samuel Ortiz

[Video]

Kubernetes Meets Confidential Computing - The Different Ways of Scaling Sensitive Workloads

Moritz Eckert

[Video]

Implementing Post-quantum Cryptography for Developers

Julius Hekkala, Kimmo Halunen, and Visa Vallivaara

[Paper]

CMUA-Watermark: A Cross-Model Universal Adversarial Watermark for Combating Deepfakes

Hao Huang, Yongtao Wang, Zhaoyu Chen, Yu Ze Zhang, Yuheng Li, Zhi Tang, Wei Chu, Jingdong Chen, Weisi Lin, and Kai-Kuang Ma

[Paper] [Code]

Leashing the Inner Demons: Self-Detoxification for Language Models

Canwen Xu, Zexue He, Zhankui He, and Julian McAuley

[Paper] [Code]

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems

Wei Jia, Zhaojun Lu, Haichun Zhang, Zhenglin Liu, Jie Wang, and Gang Qu

[Paper]

Synthetic Disinformation Attacks on Automated Fact Verification Systems

Yibing Du, Antoine Bosselut, Christopher D. Manning

[Paper]

Why No One Pwned Synology at Pwn2Own and Tianfu Cup in 2021

Eugene Lim, and Loke Hui Yi

[Slides]

DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting

Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Maurice, Yossi Oren, Romain Rouvoy, Walter Rudametkin, and Yuval Yarom

[Paper] [Code]

Attacking JavaScript Engines in 2022

Samuel Groß, and Amanda Burnett

[Slides]

Security Analysis of MTE Through Examples

Saar Amar

[Slides] [Video]

An Armful of CHERIs

Saar Amar, Nicholas Joly, David Chisnall, Manuel Costa, Sylvan Clebsch, Wes Filardo, Boris Köpf, Robert Norton-Wright, and Matthew Parkison

[Blog]

Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, and Ross Anderson

[Slides] [Paper] [Video]

How to Use Cheated Cryptography to Overload a Server

Szilárd Pfeiffer

[Slides]

Bestie: Very Practical Searchable Encryption with Forward and Backward Security

Tuanyang Chen, Peng Xu, Wei Wang, Yubo Zheng, Willy Susilo, and Hai Jin

[Paper]

Symgrate: A Symbol Recovery Service for ARM Firmware

Travis Goodspeed & EVM

[Site] 

From Graph Queries to Vulnerabilities in Binary Code

claudiu, fabs, and niko

[Slides]

Fast verified post-quantum software

Daniel J. Bernstein

[Slides]

AIModel-Mutator: Finding Vulnerabilities in TensorFlow

Qian Feng, Zhaofeng Chen, Zhenyu Zhong, Yakun Zhang, Ying Wang, Zheng Huang, Kang Li, Jie Hu and Heng Yin

[Slides]

DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification

Camille Le Bon, Erven Rohou, Frederic Tronel, and Guillaume Hiet

[Paper]

Trojan Source: Invisible Vulnerabilities

Nicholas Boucher and Ross Anderson

[Paper] [Code]

Who owns your hybrid Active Directory? Hunting for adversary techniques!

Thirumalai Natarajan Muthiah & Anurag Khanna

[Paper]

Breaking Azure AD joined endpoints in zero-trust environments

Dirk-jan Mollema

[Slides] [Video]

Going Deeper into Schneider Modicon PAC Security

Gao Jian

[Slides] [Video]

New Ways of IPv6 Scanning

Shupeng Gao, Xingru Wu, and Jie Gao

[Slides]

DIY cheap gigabit data diode

Magnus

[Code]

Bridge your service mesh and AWS

Santosh Ananthakrishnan & Harihara K Narayanan

[Slides]

GALILEO: In GPS We Trust?

Áron Szabó, Levente Kovács, and Péter Ligeti

[Slides]

“We wait, because we know you.” Inside the ransomware negotiation economics.

Pepijn Hack & Harihara K Narayanan

[Paper]

Privacy of DNS-over-HTTPS: Requiem for a dream?

Levente Csikor, Himanshu Singh, Min Suk Kang, and Dinil Mon Divakaran

[Slides] 

Sleight of ARM: Demystifying Intel Houdini

Brian Hong

[Slides] [Video]

Episode 1 - 2021/Q3

Thinkst Trends and Takeaways is a show released in conjunction with ThinkstScapes, a written quarterly review of information security research published in both industry and academic venues. Thinkst Labs allocates time to tracking industry research so you don’t have to, specifically looking for novel and unusual work that is impactful--this is not simply a report on bugs or vulnerabilities. Work covered here will include both offensive and defensive topics, and we explore academic publications with the same gusto as industry work. Our target listeners are primarily security practitioners in organizations who are tasked with defending their turf, but offensive-minded folks will also be exposed to new ideas and research we’ve come across.

Full bibliography of referenced works:

Embedded security research

• Precursor: Towards Evidence-Based Trust in Hardware
  • Andrew ‘bunnie’ Huang
  • [Video]
• Kernel Pwning with eBPF: a Love Story
  • Valentina Palmiotti (@chompie1337)
  • [Paper]
• InternalBlue / Frankenstein / Spectra
  • Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick
  • [Slides] [Slides] [Video]
• HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
  • Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer
  • [Slides] [Paper] [Video]
• Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
  • Chen Cao, Le Guan, Jiang Ming, and Peng Liu
  • [Paper]
• Remote Timing Attacks on TPMs, AKA TPM-Fail
  • Daniel Moghimi
  • [Slides]
• Breaking VSM by Attacking SecureKernel
  • Saar Amar and Daniel King
  • [Slides]
• Whispers Among the Stars: Perpetrating (and Preventing) Satellite Eavesdropping Attacks
  • James Pavur
  • [Slides] [Video]

Exploiting 'Differences of opinion'

• HTTP/2: The Sequel is Always Worse
  • James Kettle
  • [Paper]
• Differential Fuzzing of x86-64 Instruction Decoders
  • William Woodruff, Niki Carroll, and Sebastiaan Peters
  • [Paper] [Video]
• EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks
  • Ben Seri, Gregory Vichnepolsky, and Yevgeny Yusepovsky
  • [Slides] [Paper]
• Light Commands: Laser-Based Audio Injection on Voice-Controllable Systems
  • Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu
  • [Slides]
• Interpretable Deep Learning Under Fire
  • Xinyang Zhang, Ningfei Wang, Hua Shen, Shouling Ji, Xiapu Luo, and Ting Wang
  • [Slides] [Paper] [Video]
• Hiding Objects from Computer Vision by Exploiting Correlation Biases
  • Yin Minn Pa Pa, Paul Ziegler, and Masaki Kamizono
  • [Slides]
• Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL and Wi-Fi
  • Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick
  • [Paper]

Defence

• Entangled Watermarks as a Defense Against Model Extraction
  • Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot
  • [Paper]
• Hopper: Modeling and Detecting Lateral Movement
  • Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey Voelker, and David Wagner
  • [Paper]
• Faking a Factory: Creating and Operating a Realistic Honeypot
  • Charles Perine
  • [Slides] [Paper] [Video]
• Do You Speak My Language? Making Static Analysis Engines Understand Each Other
  • Ibrahim Mohamed and Manuel Fahndrich
  • [Slides]
• Practical Defenses Against Adversarial Machine Learning
  • Ariel Herbert-Voss
  • [Video]

Nifty sundries

• Remote Side-Channel Attacks on Anonymous Transactions
  • Florian Tramer, Dan Boneh, and Kenneth G. Paterson
  • [Paper]
• An Observational Investigation of Reverse Engineers’ Processes
  • Daniel Votipka, Seth Rabin, Kristopher Micinski, Jeffrey Foster, and Michelle Mazurek
  • [Paper] [Video]
• On the Feasibility of Automating Stock Market Manipulation
  • Carter Yagemann, Simon Chung, Erkam Uzun, Sai Ragam, Brendan Saltaformaggio, and Wenke Lee
  • [Paper]
• IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets
  • Tohid Shekari and Raheem Beyah
  • [Slides]
• The Dark Age of Memory Corruption Mitigations in the Spectre Era
  • Andrea Mambretti and Alexandra Sandulescu
  • [Slides]
• Everything Old is New Again: Binary Security of WebAssembly
  • Daniel Mehmann, Johannes Kinder, and Michael Pradel
  • [Slides] [Paper] [Video]
• ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!
  • Orange Tsai
  • [Slides]

brought to you by 

Most companies find out way too late that they've been breached. Thinkst Canary changes this. Canaries deploy in under 4 minutes and require 0 ongoing admin overhead. They remain silent till they need to chirp, and then, you receive that single alert.

When.it.matters.

Find out why some of the smartest security teams in the world swear by Thinkst Canary https://canary.love