Team:

Bio:

Lucas Davi is an assistant professor of computer science at the University of Duisburg-Essen, Germany, and an associated researcher at the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at TU Darmstadt, Germany. He is also a PI in the Collaborative Research Center (Sonderforschungsbereich) CROSSING.

Curriculum Vitae:

Year | Position / Study Program
since 12/2016 | Assistant Professor for Computer Science at University of Duisburg-Essen
10/2015-11/2016 | Independent Claude Shannon Research Group Leader for Secure and Trustworthy Systems at TU Darmstadt
07/2015-09/2015 | Post-Doc at the System Security Lab at TU Darmstadt
06/2013-08/2013 | Summer Internship at Intel Labs, Portland, OR, USA
01/2011-06/2015 | Research assistant and PhD student at the Center for Advanced Security Research Darmstadt (CASED) - PhD Thesis: "Code-Reuse Attacks and Defenses"
01/2010-12/2010 | Research assistant and PhD student of the Horst-Görtz Institute for IT-Security (HGI)
04/2007-12/2009 | Master of Science in IT-Security at Ruhr-University Bochum
09/2003-01/2007 | Diploma (FH) Business Informatics at Neuss University of Applied Science & Apprenticeship IT-Management Assistant at ThyssenKrupp Steel AG, Duisburg
2003 | Abitur at Michael-Ende Gymnasium Tönisvorst

    Honours and Awards:

    Fields of Research:

    His research focus includes aspects of system security and trusted computing, particularly software exploitation techniques and defenses.

    Publications:

    • Jannik Pewny, Philipp Koppe, Lucas Davi, Thorsten Holz: Breaking and Fixing Destructive Code Read Defenses. In: Proc. of 33rd Annual Computer Security Applications Conference (ACSAC). 2017.
    • Thomas Nyman, Jan-Erik Ekberg, Lucas Davi, N. Asokan: CFI CaRE: Hardware-supported Call and Return Enforcement for Commercial Microcontrollers. In: Proc. of 20th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2017). 2017.
    • Ferdinand Brasser, Lucas Davi, David Gens, Christopher Liebchen, Ahmad-Reza Sadeghi: CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory. In: Proc. of 26th USENIX Security Symposium. 2017.
    • Ghada Dessouky, Shaza Zeitouni, Thomas Nyman, Andrew Paverd, Lucas Davi, Patrick Koeberl, N. Asokan, Ahmad-Reza Sadeghi: LO-FAT: Low-Overhead Control Flow ATtestation in Hardware. In: Proc. of 54th Design Automation Conference (DAC). 2017.
    • Rudd, Robert; Skowyra, Richard; Bigelow, David; Dedhia, Veer; Hobson, Thomas; Crane, Stephen; Liebchen, Christopher; Larsen, Per; Davi, Lucas; Franz, Michael; Sadeghi, Ahmad-Reza; Okhravi, Hamed: Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity. In: Proc. of 24th Annual Network & Distributed System Security Symposium (NDSS). 2017.
    • Davi, Lucas; Gens, David; Liebchen, Christopher; Sadeghi, Ahmad-Reza: PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables. In: Proc. of 24th Annual Network & Distributed System Security Symposium (NDSS). 2017.
    • Sullivan, Dean; Arias, Orlando; Davi, Lucas; Sadeghi, Ahmad-Reza; Jin, Yier: Towards a Policy-Agnostic Control-Flow Integrity Implementation. In: Black Hat Europe. 2016.
    • Deshotels, Luke; Deaconescu, Razvan; Chiroiu, Mihai; Davi, Lucas; Enck, William; Sadeghi, Ahmad-Reza: SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles. In: Proc. of 23rd ACM Conference on Computer and Communications Security (CCS). 2016. doi:10.1145/2976749.2978336
    • Abera, Tigist; Asokan, Nadarajah; Davi, Lucas; Ekberg, Jan-Erik; Nyman, Thomas; Paverd, Andrew; Sadeghi, Ahmad-Reza; Tsudik, Gene: C-FLAT: Control-Flow Attestation for Embedded Systems Software. In: Proc. of 23rd ACM Conference on Computer and Communications Security (CCS). 2016. doi:10.1145/2976749.2978358
    • Sullivan, Dean; Arias, Orlando; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Jin, Yier: Strategy Without Tactics: Policy-Agnostic Hardware-Enhanced Control-Flow Integrity. In: Proc. of 53rd Design Automation Conference (DAC). 2016. doi:10.1145/2897937.2898098
    • Lettner, Julian; Kollenda, Benjamin; Homescu, Andrei; Larsen, Per; Schuster, Felix; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten; Franz, Michael: Subversive-C: Abusing and Protecting Dynamic Message Dispatch. In: Proc. of USENIX Annual Technical Conference (ATC). 2016.
    • Abera, Tigist; Asokan, Nadarajah; Davi, Lucas; Koushanfar, Farinaz; Paverd, Andrew; Tsudik, Gene; Sadeghi, Ahmad-Reza: Invited - Things, Trouble, Trust: On Building Trust in IoT Systems. In: Proc. of 53rd Design Automation Conference (DAC). 2016. doi:10.1145/2897937.2905020
    • McLaughlin, Stephen; Konstantinou, Charalambos; Wang, Xueyang; Davi, Lucas; Sadeghi, Ahmad-Reza; Maniatakos, Michail; Karri, Ramesh: The Cybersecurity Landscape in Industrial Control Systems. In: Proceedings of the IEEE, Vol 104 (2016) No 5, p. 1039-1057. doi:10.1109/JPROC.2015.2512235
    • Braden, Kjell; Crane, Stephen; Davi, Lucas; Franz, Michael; Larsen, Per; Liebchen, Christopher; Sadeghi, Ahmad-Reza: Leakage-Resilient Layout Randomization for Mobile Devices. In: Proc. of 23rd Annual Network & Distributed System Security Symposium (NDSS). 2016.
    • Larsen, Per; Brunthaler, Stefan; Davi, Lucas; Sadeghi, Ahmad-Reza; Franz, Michael: Automated Software Diversity. Morgan & Claypool, 2015. doi:10.2200/S00686ED1V01Y201512SPT014
    • Davi, Lucas; Sadeghi, Ahmad-Reza: Building Secure Defenses Against Code-Reuse Attacks. Springer International Publishing, 2015. (ISBN 978-3-319-25544-6) doi:10.1007/978-3-319-25546-0
    • Crane, Stephen; Volckaert, Stijn; Schuster, Felix; Liebchen, Christopher; Larsen, Per; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten; Sutter, Bjorn De; Franz, Michael: It’s a TRAP: Table Randomization and Protection against Function Reuse Attacks. In: Proc. of 22nd ACM Conference on Computer and Communications Security (CCS). 2015. doi:10.1145/2810103.2813682
    • Conti, Mauro; Crane, Stephen; Davi, Lucas; Franz, Michael; Larsen, Per; Liebchen, Christopher; Negro, Marco; Qunaibit, Mohaned; Sadeghi, Ahmad-Reza: Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks. In: Proc. of 22nd ACM Conference on Computer and Communications Security (CCS). 2015. doi:10.1145/2810103.2813671
    • Crane, Stephen; Liebchen, Christopher; Homescu, Andrei; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Brunthaler, Stefan; Franz, Michael: Return to Where? You Can’t Exploit What You Can’t Find. In: Black Hat USA. 2015.
    • Arias, Orlando; Davi, Lucas; Hanreich, Matthias; Jin, Yier; Koeberl, Patrick; Paul, Debayan; Sadeghi, Ahmad-Reza; Sullivan, Dean: HAFIX: Hardware-Assisted Flow Integrity Extension - Best Paper. In: Proc. of 52nd Design Automation Conference (DAC). 2015. doi:10.1145/2744769.2744847
    • Schuster, Felix; Tendyck, Thomas; Liebchen, Christopher; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten: Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In: Proc. of 36th IEEE Symposium on Security and Privacy (Oakland). 2015. doi:10.1109/SP.2015.51
    • Crane, Stephen; Liebchen, Christopher; Homescu, Andrei; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Brunthaler, Stefan; Franz, Michael: Readactor: Practical Code Randomization Resilient to Memory Disclosure. In: Proc. of 36th IEEE Symposium on Security and Privacy (Oakland). 2015. doi:10.1109/SP.2015.52
    • Bucicoiu, Mihai; Davi, Lucas; Deaconescu, Razvan; Sadeghi, Ahmad-Reza: XiOS: Extended Application Sandboxing on iOS. In: Proc. of 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2015. doi:10.1145/2714576.2714629
    • Davi, Lucas; Liebchen, Christopher; Sadeghi, Ahmad-Reza; Snow, Kevin; Monrose, Fabian: Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming. In: Proc. of 22nd Annual Network & Distributed System Security Symposium (NDSS). 2015.
    • Sadeghi, Ahmad-Reza; Davi, Lucas; Larsen, Per: Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote. In: Proc. of 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2015. doi:10.1145/2714576.2737090
    • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza: The Beast is in Your Memory: Return-Oriented Programming Attacks Against Modern Control-Flow Integrity Protection Techniques. In: Black Hat USA. 2014.
    • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza; Monrose, Fabian: Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In: Proc. of 23rd USENIX Security Symposium. 2014.
    • Davi, Lucas; Koeberl, Patrick; Sadeghi, Ahmad-Reza: Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation. In: Proc. of 51st Design Automation Conference (DAC) - Special Session: Trusted Mobile Embedded Computing. 2014. doi:10.1145/2593069.2596656
    • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza; Monrose, Fabian: Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection, 2014.
    • Asokan, N.; Davi, Lucas; Dmitrienko, Alexandra; Heuser, Stephan; Kostiainen, Kari; Reshetova, Elena; Sadeghi, Ahmad-Reza: Mobile Platform Security. Morgan & Claypool, 2013. doi:10.2200/S00555ED1V01Y201312SPT009
    • Stancill, Blaine; Snow, Kevin; Otterness, Nathan; Monrose, Fabian; Davi, Lucas; Sadeghi, Ahmad-Reza: Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets. In: Proc. of 16th Research in Attacks, Intrusions and Defenses (RAID) Symposium. 2013. doi:10.1007/978-3-642-41284-4_4
    • Snow, Kevin; Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Monrose, Fabian; Sadeghi, Ahmad-Reza: Just-In-Time Code Reuse: The More Things Change, the More They Stay the Same. In: Black Hat USA. 2013.
    • Snow, Kevin; Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Monrose, Fabian; Sadeghi, Ahmad-Reza: Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization - Best Student Paper Award. In: Proc. of 34th IEEE Symposium on Security and Privacy (Oakland). 2013. doi:10.1109/SP.2013.45
    • Davi, Lucas; Dmitrienko, Alexandra; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: Gadge Me If You Can: Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM. In: Proc. of 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2013. doi:10.1145/2484313.2484351
    • Werthmann, Tim; Hund, Ralf; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten: PSiOS: Bring Your Own Privacy & Security to iOS Devices - Distinguished Paper Award. In: Proc. of 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2013. doi:10.1145/2484313.2484316
    • Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Sadeghi, Ahmad-Reza: Over-the-air Cross-Platform Infection for Breaking mTAN-based Online Banking Authentication. In: BlackHat Abu Dhabi. 2012.
    • Davi, Lucas; Dmitrienko, Alexandra; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: XIFER: A Software Diversity Tool Against Code-Reuse Attacks. In: Proc. of 4th ACM International Workshop on Wireless of the Students, by the Students, for the Students (S3). 2012.
    • Davi, Lucas; Dmitrienko, Alexandra; Egele, Manuel; Fischer, Thomas; Holz, Thorsten; Hund, Ralf; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. In: Proc. of 19th Annual Network & Distributed System Security Symposium (NDSS). 2012.
    • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza; Shastry, Bhargava: Towards Taming Privilege-Escalation Attacks on Android. In: Proc. of 19th Annual Network & Distributed System Security Symposium (NDSS). 2012.
    • Davi, Lucas; Dmitrienko, Alexandra; Kowalski, Christoph; Winandy, Marcel: Trusted Virtual Domains on OKL4: Secure Information Sharing on Smartphones. In: Proc. of 6th ACM Workshop on Scalable Trusted Computing (STC). 2011. doi:10.1145/2046582.2046592
    • Davi, Lucas; Dmitrienko, Alexandra; Egele, Manuel; Fischer, Thomas; Holz, Thorsten; Hund, Ralf; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: POSTER: Control-Flow Integrity for Smartphones. In: Proc. of 18th ACM Conference on Computer and Communications Security (CCS). 2011. doi:10.1145/2046707.2093484
    • Bugiel, Sven; Davi, Lucas; Schulz, Steffen: Scalable Trust Establishment with Software Reputation. In: Proc. of 6th ACM Workshop on Scalable Trusted Computing (STC). 2011. doi:10.1145/2046582.2046587
    • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Heuser, Stephan; Sadeghi, Ahmad-Reza; Shastry, Bhargava: Practical and Lightweight Domain Isolation on Android. In: Proc. of 1st ACM Workshop on Security and Privacy in Mobile Devices (SPSM). 2011. doi:10.1145/2046614.2046624
    • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza; Shastry, Bhargava: POSTER: The Quest for Security against Privilege Escalation Attacks on Android. In: Proc. of 18th ACM Conference on Computer and Communications Security (CCS). 2011. doi:10.1145/2046707.2093482
    • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza: XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, 2011.
    • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks. In: Proc. of 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2011. doi:10.1145/1966913.1966920
    • Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Winandy, Marcel: Privilege Escalation Attacks on Android. In: Proc. of 13th Information Security Conference (ISC). 2010. doi:10.1007/978-3-642-18178-8_30
    • Checkoway, Stephen; Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Shacham, Hovav; Winandy, Marcel: Return-Oriented Programming without Returns. In: Proc. of 17th ACM conference on Computer and Communications Security (CCS). 2010. doi:10.1145/1866307.1866370
    • Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Winandy, Marcel: Return-Oriented Programming without Returns on ARM, 2010.
    • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks, 2010.
    • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In: Proc. of 4th ACM Workshop on Scalable Trusted Computing (STC). 2009. doi:10.1145/1655108.1655117

    Talks:

    • Lucas Davi: How to Bypass Memory Protection: Evolution of Return-Oriented Programming and Rowhammer Attacks - Invited Talk, Seminar at Università degli Studi di Padova, 05.10.2017, Padova, Italy.
    • Lucas Davi: Protecting IoT Devices against Software Exploits - Invited Talk, ITG FA 5.2 Workshop on Smart Cities, 28.09.2017, Lübeck, Germany.
    • Lucas Davi: Can Systems ever be Protected against Run-time Attacks? - Invited Talk, Technology Workshop on Embedded and IoT Security, 17.05.2017, Darmstadt.
    • Lucas Davi: Dangerous Bit Flips in Memory: Rowhammer Attacks and Defenses - Keynote, CROSSING Conference 2017 - From Tweets to Quantum, 16.05.2017, Darmstadt.
    • Lucas Davi: Code-Reuse Attacks and Defenses - Lecture, Winter School on Binary Analysis, 22.02.2017, Bochum, Germany.
    • Lucas Davi: Control-Flow Attestation of Embedded Systems Software - Invited Talk, Workshop on Hardware Enhancements for Secure Embedded Systems (HESES), 25.01.2017, Stockholm, Sweden.
    • Lucas Davi: Protecting Mobile and Embedded Systems Software from Runtime Exploits - Invited Talk, Workshop on Privacy-Aware Mobile Computing (PAMCO), 05.07.2016, Paderborn, Germany.
    • Lucas Davi: The Continuing Arms Race: A Journey in the World of Runtime Exploits and Defenses - Tutorial, 53rd Design Automation Conference (DAC), 05.06.2016, Austin, TX, USA.
    • Lucas Davi: On Securing Legacy Software Against Code-Reuse Attacks - Invited Talk, RuhrSec, 29.04.2016, Bochum, Germany.
    • Lucas Davi: The Continuing Arms Race in Memory: Return-Oriented Programming Attacks and Defenses - Invited Talk, Computer Science Forum (CS Forum) at Aalto University, 21.04.2016, Helsinki, Finland.
    • Lucas Davi, Christopher Liebchen: The Beast in Your Memory: Modern Exploitation Techniques and Defenses - Tutorial, Embedded Systems Week (ESWEEK), 04.10.2015, Amsterdam, Netherlands.
    • Lucas Davi, Ahmad-Reza Sadeghi: Modern Runtime Exploitation Techniques and Defenses - Lecture, Summer School on Secure and Trustworthy Computing, 24.09.2015, Bucharest, Romania.
    • Lucas Davi: Modern Runtime Attacks and Defenses - Lecture, International Summer School on Smart & Mobile Device Security and Privacy (SMDSP), 03.09.2014, Padova, Italy.
    • Lucas Davi: The Beast is Resting in Your Memory - Invited Talk, Intel Workshop on Cyberphysical and Mobile Security, 10.06.2014, Darmstadt, Germany.
    • Kevin Snow, Lucas Davi: Just-In-Time Code Reuse: The more things change, the more they stay the same, Black Hat USA, 31.07.2013, Las Vegas, USA.
    • Lucas Davi: Return-oriented Programming: How to Perform Arbitrary Computation Without Code Injection - Lecture, 5th European Trusted Infrastructure Summer School (ETISS), 09.09.2010, Royal Holloway University of London, GB.

    Academic Duties:

    Program Committee Member

    • ASIACCS 2018 - 13th ACM Asia Conference on Computer and Communications Security
    • ROOTS 2017 - 1st Reversing and Offensive-oriented Trends Symposium
    • CARDIS 2017 - 17th Smart Card Research and Advanced Application Conference
    • ACM CCS 2017 - 24th ACM Conference on Computer and Communications Security
    • ACSAC 2017 - 33rd Annual Computer Security Applications Conference
    • CSET 2017 - 10th USENIX Workshop on Cyber Security Experimentation and Test
    • WOOT 2017 - 11th USENIX Workshop on Offensive Technologies
    • EuroSec 2017 - 10th European Workshop on Systems Security
    • DIMVA 2017 - 14th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
    • MoST 2017 - 6th IEEE Mobile Security Technologies Workshop
    • SEMS 2017 - Workshop on Security for Embedded and Mobile Systems
    • ICDCS 2017 - 37th IEEE International Conference on Distributed Computing Systems
    • ASIACCS 2017 - 12th ACM Asia Conference on Computer and Communications Security
    • SPSM 2016 - 6th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices
    • ACSAC 2016 - 32nd Annual Computer Security Applications Conference
    • RAID 2016 - 19th International Symposium on Research in Attacks, Intrusions and Defenses
    • DIMVA 2016 - 13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
    • EuroSec 2016 - 9th European Workshop on Systems Security
    • ICDCS 2016 - 36th IEEE International Conference on Distributed Computing Systems
    • ACNS 2016 - 14th International Conference on Applied Cryptography and Network Security
    • TrustED 2015 - 5th International Workshop on Trustworthy Embedded Devices
    • WOOT 2015 - 9th USENIX Workshop on Offensive Technologies
    • RAID 2015 - 18th International Symposium on Research in Attacks, Intrusions and Defenses
    • AReS - International Conference on Availability, Reliability and Security, 2012 - 2014

    Poster/Demo (Co-)Chair

    • ASIACCS 2017 - 12th ACM Asia Conference on Computer and Communications Security

    Publications (Co-)Chair

    • PAC 2017 - 1st IEEE Symposium on Privacy-Aware Computing
    • SPSM 2013 - 3rd ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices

    Local Organization Committee

    • CCS 2013 - 20th ACM Conference on Computer and Communications Security
    • ETISS 2011 - 6th European Trusted Infrastructure Summer School