No One Drinks From the Firehose: How Organizations Filter and Prioritize Vulnerability Information

The number of published software vulnerabilities is increasing every year. How do organizations stay in control of their attack surface despite their limited staff resources? Prior work has analyzed the overall software vulnerability ecosystem as …

Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots

Modern coverage-oriented fuzzers play a crucial role in vulnerability finding. While much research focuses on improving the core fuzzing techniques, some fundamental speed bottlenecks, such as the redundant computations incurred by re-executing the …

"I needed to solve their overwhelmness": How System Administration Work was Affected by COVID-19

The ongoing global COVID-19 pandemic made working from home -- wherever working remotely is possible -- the norm for what had previously been office-based jobs across the world. This change in how we work created a challenging situation for system …

DangZero: Efficient Use-After-Free Detection via Direct Page Table Access

Use-after-free vulnerabilities remain difficult to detect and mitigate, making them a popular source of exploitation. Existing solutions incur impractical performance/memory overhead, require specialized hardware, and/or guarantee only protection, …

Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks

Branch Target Injection (BTI or Spectre v2) is one of the most dangerous transient execution vulnerabilities, as it allows an attacker to abuse indirect branch mispredictions to leak sensitive information. Unfortunately, it also has proven difficult …

TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering

Translation Lookaside Buffers, or TLBs, play a vital role in recent microarchitectural attacks. However, unlike CPU caches, we know very little about the exact operation of these essential microarchitectural components. In this paper, we introduce …

Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation

Information leakage vulnerabilities (or simply *info leaks*) such as out-of-bounds/uninitialized reads in the architectural or speculative domain pose a significant security threat, allowing attackers to leak sensitive data such as crypto keys. At …

Kasper: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel

Due to the high cost of serializing instructions to mitigate Spectre-like attacks on mispredicted conditional branches (Spectre-PHT), developers of critical software such as the Linux kernel selectively apply such mitigations with annotations to code …

LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating

To improve code coverage and flip complex program branches, hybrid fuzzers couple fuzzing with concolic execution. Despite its benefits, this strategy inherits the inherent slowness and memory bloat of concolic execution, due to path explosion and …