Team

Team:

Prof. Dr.-Ing. Lucas Davi

Lehrstuhlinhaber

Prof. Dr.-Ing. Lucas Davi

Raum:
S-GW 212
Telefon:
+49 201 18-36445
E-Mail:
Sprechstunde:
Do, 16-17 Uhr (Anmeldung erforderlich)
Homepage:
Google Scholar

Zur Person:

Lucas Davi ist Juniorprofessor für Informatik an der Universität Duisburg-Essen. Er ist PI im Sonderforschungsbereich (SFB) CROSSING und dem Exzellenzcluster CASA.

Lebenslauf:

seit 12/2016

Juniorprofessor für Informatik an der Universität Duisburg-Essen

10/2015-11/2016

Independent Claude Shannon Research Group Leader für Sichere und Vertrauenswürdige Systeme an der TU Darmstadt

07/2015-09/2015

Post-Doc am System Security Lab der TU Darmstadt

06/2013-08/2013

Summer Internship bei Intel Labs, Portland, OR, USA

01/2011-06/2015

Wissenschaftlicher Mitarbeiter und Doktorand am Center for Advanced Security Research Darmstadt (CASED) - Titel der Dissertation: "Code-Reuse Attacks and Defenses" [PDF]

01/2010-12/2010

Wissenschaftlicher Mitarbeiter und Doktorand am Horst-Görtz Institut für IT-Sicherheit (HGI)

04/2007-12/2009

Master of Science in IT-Sicherheit an der Ruhr-Universität Bochum

09/2003-01/2007

Diplom (FH) Wirschaftsinformatik an der FOM Neuss & Ausbildung zum Informatikkaufmann bei der ThyssenKrupp Steel AG, Duisburg

2003

Abitur am Michael-Ende Gymnasium Tönisvorst

Ehrungen und Auszeichnungen:

Forschungsgebiete:

Seine Forschung konzentriert sich auf praktische Problemstellungen der Software- und Systemsicherheit. Insbesondere forscht er an sogenannten Laufzeitangriffen (Software Exploits), die Sicherheitslücken in Software ausnutzen, um Schadverhalten auszulösen.

Publikationen:

Filter:
  • Ghada Dessouky; Shaza Zeitouni; Ahmad Ibrahim; Lucas Davi; Ahmad-Reza Sadeghi: CHASE: A Configurable Hardware-Assisted Security Extension for Real-Time Systems. In: Proc. of 38th International Conference On Computer Aided Design (ICCAD). 2019. BIB Download Details
  • Michael Rodler; Wenting Li; Ghassan Karame; Lucas Davi: Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019. Volltext BIB Download Details

    Recently, a number of existing blockchain systems have witnessed major bugs and vulnerabilities within smart contracts. Although the literature features a number of proposals for securing smart contracts, these proposals mostly focus on proving the correctness or absence of a certain type of vulnerability within a contract, but cannot protect deployed (legacy) contracts from being exploited. In this paper, we address this problem in the context of re-entrancy exploits and propose a novel smart contract security technology, dubbed Sereum (Secure Ethereum), which protects existing, deployed contracts against re-entrancy attacks in a backwards compatible way based on run-time monitoring and validation. Sereum does neither require any modification nor any semantic knowledge of existing contracts. By means of implementation and evaluation using the Ethereum blockchain, we show that Sereum covers the actual execution flow of a smart contract to accurately detect and prevent attacks with a false positive rate as small as 0.06% and with negligible run-time overhead. As a by-product, we develop three advanced re-entrancy attacks to demonstrate the limitations of existing offline vulnerability analysis tools.

  • Sebastian Surminski; Michael Rodler; Lucas Davi: Poster: Automated Evaluation of Fuzzers - Distinguished Technical Poster Award. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019. Volltext BIB Download Details

    Fuzzing is a well-known technique for automatically testing the robustness of software and its susceptibility to security-critical errors. Recently, many new and improved fuzzers have been presented. One critical aspect of any new fuzzer is its overall performance. However, given that there exist no standardized fuzzing evaluation methodology, we observe significant discrepancy in evaluation results making it highly challenging to  compare fuzzing techniques.

    To tackle this deficiency, we developed a new framework, called FETA, which automatically evaluates fuzzers based on a fixed and comprehensive test set enabling objective and general comparison of performance results. We apply FETA to various recently released academic and non-academic fuzzers, eventually resulting in a large scale evaluation of the current state-of-the-art fuzzing approaches.

  • Ferdinand Brasser; Lucas Davi; Abhijitt Dhavlle; Tommaso Frassetto; Sai Manoj Pudukotai Dinakarrao; Setareh Rafatirad; Ahmad-Reza Sadeghi; Avesta Sasan; Hossein Sayadi; Shaza Zeitouni; Houman Homayoun: Advances and Throwbacks in Hardware-assisted Security - CASES: Special Session - Towards Secure Computer Architecture: Understanding Security Vulnerabilities and Emerging Attacks for Better Defenses. In: Proc. of IEEE International Conference on Compilers, Architecture, and Synthesis for Embedded Systems. IEEE, 2018. Volltext BIB Download Details

    Hardware security architectures and primitives are becoming increasingly important in practice providing trust anchors and trusted execution environment to protect modern software systems. Over the past two decades we have witnessed various hardware security solutions and trends from Trusted Platform Modules (TPM), performance counters for security, ARM's TrustZone, and Physically Unclonable Functions (PUFs), to very recent advances such as Intel's Software Guard Extension (SGX). Unfortunately, these solutions are rarely used by third party developers, make strong trust assumptions (including in manufacturers), are too expensive for small constrained devices, do not easily scale, or suffer from information leakage. Academic research has proposed a variety of solutions, in hardware security architectures, these advancements are rarely deployed in practice.

  • Andrea Biondo; Mauro Conti; Lucas Davi; Tommaso Frassetto; Ahmad-Reza Sadeghi: The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX. In: Proc. of 27th USENIX Security Symposium. 2018. Volltext BIB Download Details

    Intel Software Guard Extensions (SGX) isolate security-critical code inside a protected memory area called enclave. Previous research on SGX has demonstrated that memory corruption vulnerabilities within enclave code can be exploited to extract secret keys and bypass remote attestation. However, these attacks require kernel privileges, and rely on frequently probing enclave code which results in many enclave crashes. Further, they assume a constant, not randomized memory layout. In this paper, we present novel exploitation techniques against SGX that do not require any enclave crashes and work in the presence of existing SGX randomization approaches such as SGX-Shield. A key contribution of our attacks is that they work under weak adversarial assumptions, e.g., not requiring kernel privileges. In fact, they can be applied to any enclave that is developed with the standard Intel SGX SDK on either Linux or Windows.

  • Yier Jin; Dean Sullivan; Orlando Arias; Ahmad-Reza Sadeghi; Lucas Davi: Hardware Control Flow Integrity. In: Per Larsen; Ahmad-Reza Sadeghi (Hrsg.): The Continuing Arms Race: Code-Reuse Attacks and Defenses. Association for Computing Machinery and Morgan & Claypool, 2018, S. 181-210. doi:10.1145/3129743.3129751 BIB Download Details

    Control-Flow Integrity (CFI) is a promising and general defense against control-flow hijacking with formal underpinnings. A key insight from the extensive research on CFI is that its effectiveness depends on the precision and coverage of a program's Control-Flow Graph (CFG). Since precise CFG generation is highly challenging and often difficult, many CFI schemes rely on brittle heuristics and imprecise, coarse-grained CFGs. Furthermore, comprehensive, fine-grained CFI defenses implemented purely in software incur overheads that are unacceptably high. In this chapter, we first specify a CFI model that captures many known CFI techniques, including stateless and stateful approaches as well as fine-grained and coarse-grained CFI policies.We then design and implement a novel hardwareenhanced CFI. Key to this approach is a set of dedicated CFI instructions that can losslessly enforce any CFG and diverse CFI policies within our model. Moreover, we fully support multi-tasking and shared libraries, prevent various forms of codereuse attacks, and allow code protected with CFI to interoperate with unprotected legacy code. Our prototype implementation on the SPARC LEON3 is highly efficient with a performance overhead of 1.75% on average when applied to several SPECInt2006 benchmarks and 0.5% when applied to EEMBC's CoreMark benchmark.

  • David Gens; Simon Schmitt; Lucas Davi; Ahmad-Reza Sadeghi: K-Miner: Uncovering Memory Corruption in Linux. In: Proc. of 25th Annual Network & Distributed System Security Symposium (NDSS). 2018. Volltext BIB Download Details

    Operating system kernels are appealing attack targets: compromising the kernel usually allows attackers to bypass all deployed security mechanisms and take control over the entire system. Commodity kernels, like Linux, are written in low-level programming languages that offer only limited type and memory-safety guarantees, enabling adversaries to launch sophisticated run-time attacks against the kernel by exploiting memory-corruption vulnerabilities. Many defenses have been proposed to protect operating systems at run time, such as control-flow integrity (CFI). However, the goal of these run-time monitors is to prevent exploitation as a symptom of memory corruption, rather than eliminating the underlying root cause, i.e., bugs in the kernel code. While finding bugs can be automated, e.g., using static analysis, all existing approaches are limited to local, intra-procedural checks, and face severe scalability challenges due to the large kernel code base. Consequently, there currently exist no tools for conducting global static analysis of operating system kernels. In this paper, we present K-Miner, a new framework to efficiently analyze large, commodity operating system kernels like Linux. Our novel approach exploits the highly standardized interface structure of the kernel code to enable scalable pointer analysis and conduct global, context-sensitive analysis. Through our inter-procedural analysis we show that K-Miner systematically and reliably uncovers several different classes of memory-corruption vulnerabilities, such as dangling pointers, user-after-free, double-free, and double-lock vulnerabilities. We thoroughly evaluate our extensible analysis framework, which leverages the popular and widely used LLVM compiler suite, for the current Linux kernel and demonstrate its effectiveness by reporting several memory-corruption vulnerabilities.

  • Jannik Pewny; Philipp Koppe; Lucas Davi; Thorsten Holz: Breaking and Fixing Destructive Code Read Defenses. In: Proc. of 33nd Annual Computer Security Applications Conference (ACSAC). 2017. Volltext BIB Download Details

    Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common belief is that DCR provides strong protection if combined with a high-entropy code randomization. The contribution of this paper is twofold: first, we demonstrate that DCR can be bypassed regardless of the underlying code randomization scheme. To this end, we show novel, generic attacks that infer the code layout for highly randomized program code. Second, we present the design and implementation of BGDX (Byte-Granular DCR and XOM), a novel mitigation technique that protects legacy binaries against code-inference attacks. BGDX enforces memory permissions on a byte-granular level allowing us to combine DCR and XOM for legacy, off-the-shelf binaries. Our evaluation shows that BGDX is not only effective, but highly efficient, imposing only a geometric mean performance overhead of 3.95% on SPEC.

  • Thomas Nyman; Jan-Erik Ekberg; Lucas Davi; N. Asokan: CFI CaRE: Hardware-supported Call and Return Enforcement for Commercial Microcontrollers. In: Proc. of 20th International Symposium on Research on Attacks, Intrusions and Defenses (RAID 2017). 2017. Volltext BIB Download Details

    With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.

  • Ferdinand Brasser; Lucas Davi; David Gens; Christopher Liebchen; Ahmad-Reza Sadeghi: CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory. In: Proc. of 26th USENIX Security Symposium. 2017. Volltext BIB Download Details

    Rowhammer is a hardware bug that can be exploited to implement privilege escalation and remote code execution attacks. Previous proposals on rowhammer mitigations either require hardware changes or follow heuristic-based approaches (based on CPU performance counters). To date, there exists no instant protection against rowhammer attacks on legacy systems.

    In this paper, we present the design and implementation of a practical and efficient software-only defense against rowhammer attacks. Our defense, called CATT, prevents the attacker from leveraging rowhammer to corrupt kernel memory from user mode. To do so, we extend the physical memory allocator of the OS to physically isolate the memory of the kernel and user space. We implemented CATT on x86 and ARM to mitigate rowhammer-based kernel exploits. Our extensive evaluation shows that our mitigation (i) can stop available real-world rowhammer attacks, (ii) imposes virtually no runtime overhead for common user and kernel benchmarks as well as commonly used applications, and (iii) does not affect the stability of the overall system.

  • Ghada Dessouky; Shaza Zeitouni; Thomas Nyman; Andrew Paverd; Lucas Davi; Patrick Koeberl; N. Asokan; Ahmad-Reza Sadeghi : LO-FAT: Low-Overhead Control Flow ATtestation in Hardware. In: Proc. of 54th Design Automation Conference (DAC). 2017. Volltext BIB Download Details

    Attacks targeting software on embedded systems are becoming increasingly prevalent. Remote attestation is a mechanism that allows establishing trust in embedded devices. However, existing attestation schemes are either static and cannot detect control-flow attacks, or require instrumentation of software incurring high performance overheads. To overcome these limitations, we present LO-FAT, the first practical hardware-based approach to control-flow attestation. By leveraging existing processor hardware features and commonly-used IP blocks, our approach enables efficient control-flow attestation without requiring software instrumentation. We show that our proof-of-concept implementation based on a RISC-V SoC incurs no processor stalls and requires reasonable area overhead.

  • Davi, Lucas; Gens, David; Liebchen, Christopher; Sadeghi, Ahmad-Reza: PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables. In: Proc. of 24th Annual Network & Distributed System Security Symposium (NDSS). 2017. Volltext BIB Download Details

    Kernel exploits constitute a powerful attack class allowing attackers to gain full control over a system. Various kernel hardening solutions have been proposed or deployed in practice to protect the kernel against code injection (e.g., DEP) or code-reuse exploits (e.g., CFI). However, the security of all these hardening techniques relies heavily on the assumption that kernel page tables cannot be manipulated, e.g., by means of dataonly attacks. Ensuring kernel page tables integrity is not only essential for kernel security but also a challenging task in practice since existing solutions require hardware trust anchors, costly hypervisors, or inefficient integrity checks. 

    In this paper, we first motivate the importance of protecting kernel page tables by presenting a data-only attack against page tables to bypass the recently released CFI-based (Linux) kernel hardening technique RAP. Thereafter, we present the design and implementation of PT-Rand, the first practical solution to protect kernel page tables that does not suffer from the mentioned deficiencies of previous proposals. PT-Rand randomizes the location of page tables and tackles a number of challenges to ensure that the location of page tables is not leaked. This effectively prevents the attacker from manipulating access permissions of code pages, thereby enabling secure enforcement of kernel exploit mitigation technologies such as CFI. We extensively evaluate our prototype implementation of PT-Rand for the current Linux kernel on the popular Linux distribution Debian and report a low overhead of 0.22% for common benchmarks. Moreover, we combine RAP with PT-Rand to protect RAP against data-only attacks on kernel page tables.

  • Rudd, Robert; Skowyra, Richard; Bigelow, David; Dedhia, Veer; Hobson, Thomas; Crane, Stephen; Liebchen, Christopher; Larsen, Per; Davi, Lucas; Franz, Michael; Sadeghi, Ahmad-Reza; Okhravi, Hamed: Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity. In: Proc. of 24th Annual Network & Distributed System Security Symposium (NDSS). 2017. Volltext BIB Download Details

    Memory corruption vulnerabilities not only allow modification of control data and injection of malicious payloads; they also allow adversaries to reconnoiter a diversified program, customize a payload, and ultimately bypass code randomization defenses. In response, researchers have proposed and built various leakage-resilient defenses against code reuse. Leakage-resilient defenses use memory protection techniques to prevent adversaries from directly reading code as well as pointer indirection or encryption techniques to decouple code pointers from the randomized code layout, avoiding indirect leakage. In this paper, we show that although current code pointer protections do prevent leakage per se, they are fundamentally unable to stop code reuse. Specifically, we demonstrate a new class of attacks we call address-oblivious code reuse that bypasses state-of-the-art leakage-resilience techniques by profiling and reusing protected code pointers, without leaking the code layout. We show that an attacker can accurately identify protected code pointers of interest and mount code-reuse attacks at the abstraction level of pointers without requiring any knowledge of code addresses. We analyze the prevalence of opportunities for such attacks in popular code bases and build three real-world exploits against Nginx and Apache to demonstrate their practicality. We analyze recently proposed leakage resilient defenses and show that they are vulnerable to address oblivious code reuse. Our findings indicate that because of the prevalence of code pointers in realistic programs and the fundamental need to expose them to    read    operations (even indirectly), diversity defenses face a fundamental design challenge in mitigating such attacks.

  • Sullivan, Dean; Arias, Orlando; Davi, Lucas; Sadeghi, Ahmad-Reza; Jin, Yier: Towards a Policy-Agnostic Control-Flow Integrity Implementation. In: Black Hat Europe. 2016. BIB Download Details
  • Abera, Tigist; Asokan, Nadarajah; Davi, Lucas; Ekberg, Jan-Erik; Nyman, Thomas; Paverd, Andrew; Sadeghi, Ahmad-Reza; Tsudik, Gene: C-FLAT: Control-Flow Attestation for Embedded Systems Software. In: Proc. of 23rd ACM Conference on Computer and Communications Security (CCS). 2016. doi:10.1145/2976749.2978358 Volltext BIB Download Details

    Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loaded on the prover. However, they are vulnerable to runtime attacks that hijack the application's control or data flow, e.g., via return-oriented programming or data-oriented exploits. As a concrete step towards more comprehensive runtime remote attestation, we present the design and implementation of Control-FLow ATtestation (C-FLAT) that enables remote attestation of an application's control-flow path, without requiring the source code. We describe a full prototype implementation of C-FLAT on Raspberry Pi using its ARM TrustZone hardware security extensions. We evaluate C-FLAT's performance using a real-world embedded (cyber-physical) application, and demonstrate its efficacy against control-flow hijacking attacks.

  • Deshotels, Luke; Deaconescu, Razvan; Chiroiu, Mihai; Davi, Lucas; Enck, William; Sadeghi, Ahmad-Reza: SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles. In: Proc. of 23rd ACM Conference on Computer and Communications Security (CCS). 2016. doi:10.1145/2976749.2978336 Volltext BIB Download Details

    Recent literature on iOS security has focused on the malicious potential of third-party applications, demonstrating how developers can bypass application vetting and code-level protections. In addition to these protections, iOS uses a generic sandbox profile called "container" to confine malicious or exploited third-party applications. In this paper, we present the first systematic analysis of the iOS container sandbox profile. We propose the SandScout framework to extract, decompile, formally model, and analyze iOS sandbox profiles as logic-based programs. We use our Prolog-based queries to evaluate file-based security properties of the container sandbox profile for iOS 9.0.2 and discover seven classes of exploitable vulnerabilities. These attacks affect non-jailbroken devices running later versions of iOS. We are working with Apple to resolve these attacks, and we expect that SandScout will play a significant role in the development of sandbox profiles for future versions of iOS.

  • Abera, Tigist; Asokan, Nadarajah; Davi, Lucas; Koushanfar, Farinaz; Praverd, Andrew; Tsudik, Gene; Sadeghi, Ahmad-Reza: Invited - Things, Trouble, Trust: On Building Trust in IoT Systems. In: Proc. of 53rd Design Automation Conference (DAC). 2016. doi:10.1145/2897937.2905020 Volltext BIB Download Details

    The emerging and much-touted Internet of Things (IoT) presents a variety of security and privacy challenges. Prominent among them is the establishment of trust in remote IoT devices, which is typically attained via remote attestation, a distinct security service that aims to ascertain the current state of a potentially compromised remote device. Remote attestation ranges from relatively heavy-weight secure hardware-based techniques, to light-weight software-based ones, and also includes approaches that blend software (e.g., control-flow integrity) and hardware features (e.g., PUFs). In this paper, we survey the landscape of state-of-the-art attestation techniques from the IoT device perspective and argue that most of them have a role to play in IoT trust establishment.

  • Lettner, Julian; Kollenda, Benjamin; Homescu, Andrei; Larsen, Per; Schuster, Felix; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten; Franz, Michael: Subversive-C: Abusing and Protecting Dynamic Message Dispatch. In: Proc. of USENIX Annual Technical Conference (ATC). 2016. Volltext BIB Download Details

    The lower layers in the modern computing infrastructure are written in languages threatened by exploitation of memory management errors. Recently deployed exploit mitigations such as control-flow integrity (CFI) can prevent traditional return-oriented programming (ROP) exploits but are much less effective against newer techniques such as Counterfeit Object-Oriented Programming (COOP) that execute a chain of C++ virtual methods. Since these methods are valid control-flow targets, COOP attacks are hard to distinguish from benign computations. Code randomization is likewise ineffective against COOP. Until now, however, COOP attacks have been limited to vulnerable C++ applications which makes it unclear whether COOP is as general and portable a threat as ROP.

    This paper demonstrates the first COOP-style exploit for Objective-C, the predominant programming language on Apple’s OS X and iOS platforms. We also retrofit the Objective-C runtime with the first practical and efficient defense against our novel attack. Our defense is able to protect complex, real-world software such as iTunes without recompilation. Our performance experiments show that the overhead of our defense is low in practice.

  • Sullivan, Dean; Arias, Orlando; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Jin, Yier: Strategy Without Tactics: Policy-Agnostic Hardware-Enhanced Control-Flow Integrity. In: Proc. of 53rd Design Automation Conference (DAC). 2016. doi:10.1145/2897937.2898098 Volltext BIB Download Details

    Control-flow integrity (CFI) is a general defense against code-reuse exploits that currently constitute a severe threat against diverse computing platforms. Existing CFI solutions (both in software and hardware) suffer from shortcomings such as (i) inefficiency, (ii) security weaknesses, or (iii) are not scalable. In this paper, we present a generic hardware-enhanced CFI scheme that tackles these problems and allows to enforce diverse CFI policies. Our approach fully supports multi-tasking, shared libraries, prevents various forms of code-reuse attacks, and allows CFI protected code and legacy code to co-exist. We evaluate our implementation on SPARC LEON3 and demonstrate its high efficiency.

  • McLaughlin, Stephen; Konstantinou, Charalambos; Wang, Xueyang; Davi, Lucas; Sadeghi, Ahmad-Reza; Maniatakos, Michail; Karri, Ramesh: The Cybersecurity Landscape in Industrial Control Systems. In: Proceedings of the IEEE, Jg. 104 (2016) Nr. 5, S. 1039-1057. doi:10.1109/JPROC.2015.2512235 BIB Download Details
  • Braden, Kjell; Crane, Stephen; Davi, Lucas; Franz, Michael; Larsen, Per; Liebchen, Christopher; Sadeghi, Ahmad-Reza: Leakage-Resilient Layout Randomization for Mobile Devices. In: Proc. of 23rd Annual Network & Distributed System Security Symposium (NDSS). 2016. Volltext BIB Download Details

    Attack techniques based on code reuse continue to enable real-world exploits bypassing all current mitigations. Code randomization defenses greatly improve resilience against code reuse. Unfortunately, sophisticated modern attacks such as JIT-ROP can circumvent randomization by discovering the actual code layout on the target and relocating the attack payload on the fly. Hence, effective code randomization additionally requires that the code layout cannot be leaked to adversaries.

    Previous approaches to leakage-resilient diversity have either relied on hardware features that are not available in all processors, particularly resource-limited processors commonly found in mobile devices, or they have had high memory overheads. We introduce a code randomization technique that avoids these limitations and scales down to mobile and embedded devices: Leakage-Resilient Layout Randomization (LR^2).

    Whereas previous solutions have relied on virtualization, x86 segmentation, or virtual memory support, LR^2 merely requires the underlying processor to enforce a W XOR X policy---a feature that is virtually ubiquitous in modern processors, including mobile and embedded variants. Our evaluation shows that LR^2 provides the same security as existing virtualization-based solutions while avoiding design decisions that would prevent deployment on less capable yet equally vulnerable systems. Although we enforce execute-only permissions in software, LR^2 is as efficient as the best-in-class virtualization-based solution.

  • Davi, Lucas; Sadeghi, Ahmad-Reza: Building Secure Defenses Against Code-Reuse Attacks (3). Springer International Publishing, 2015. (ISBN 978-3-319-25544-6) doi:10.1007/978-3-319-25546-0 BIB Download Details

    This book provides an in-depth look at return-oriented programming attacks. It explores several conventional return-oriented programming attacks and analyzes the effectiveness of defense techniques including address space layout randomization (ASLR) and the control-flow restrictions implemented in security watchdogs such as Microsoft EMET.

    Chapters also explain the principle of control-flow integrity (CFI), highlight the benefits of CFI and discuss its current weaknesses. Several improved and sophisticated return-oriented programming attack techniques such as just-in-time return-oriented programming are presented.

    Building Secure Defenses against Code-Reuse Attacks is an excellent reference tool for researchers, programmers and professionals working in the security field. It provides advanced-level students studying computer science with a comprehensive overview and clear understanding of important runtime attacks.

  • Larsen, Per; Brunthaler, Stefan; Davi, Lucas; Sadeghi, Ahmad-Reza; Franz, Michael: Automated Software Diversity (3). Morgan & Claypool, 2015. doi:10.2200/S00686ED1V01Y201512SPT014 BIB Download Details

    Whereas user-facing applications are often written in modern languages, the firmware, operating system, support libraries, and virtual machines that underpin just about any modern computer system are still written in low-level languages that value flexibility and performance over convenience and safety. Programming errors in low-level code are often exploitable and can, in the worst case, give adversaries unfettered access to the compromised host system.

    This book provides an introduction to and overview of automatic software diversity techniques that, in one way or another, use randomization to greatly increase the difficulty of exploiting the vast amounts of low-level code in existence. Diversity-based defenses are motivated by the observation that a single attack will fail against multiple targets with unique attack surfaces. We introduce the many, often complementary, ways that one can diversify attack surfaces and provide an accessible guide to more than two decades worth of research on the topic. We also discuss techniques used in conjunction with diversity to prevent accidental disclosure of randomized program aspects and present an in-depth case study of one of our own diversification solutions.

  • Conti, Mauro; Crane, Stephen; Davi, Lucas; Franz, Michael; Larsen, Per; Liebchen, Christopher; Negro, Marco; Qunaibit, Mohaned; Sadeghi, Ahmad-Reza: Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks. In: Proc. of 22nd ACM Conference on Computer and Communications Security (CCS). 2015. doi:10.1145/2810103.2813671 Volltext BIB Download Details

    Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coarse-grained CFI policies because they admit control flows that are not part of the original program. This insight led the research community to focus on fine-grained CFI implementations. In this paper we show how to exploit heap-based vulnerabilities to control the stack contents including security-critical values used to validate control-flow transfers. Our investigation shows that although program analysis and compiler-based mitigations reduce stack-based vulnerabilities, stack-based memory corruption remains an open problem. Using the Chromium web browser we demonstrate real-world attacks against various CFI implementations: 1) against CFI implementations under Windows 32-bit by exploiting unprotected context switches, and 2) against state-of-the-art fine-grained CFI implementations (IFCC and VTV) in the two premier open-source compilers under Unix-like operating systems. Both 32 and 64-bit x86 CFI checks are vulnerable to stack manipulation. Finally, we provide an exploit technique against the latest shadow stack implementation.

  • Crane, Stephen; Volckaert, Stijn; Schuster, Felix; Liebchen, Christopher; Larsen, Per; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten; Sutter, Bjorn De; Franz, Michael: It’s a TRAP: Table Randomization and Protection against Function Reuse Attacks. In: Proc. of 22nd ACM Conference on Computer and Communications Security (CCS). 2015. doi:10.1145/2810103.2813682 Volltext BIB Download Details

    Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack variants that reuse whole functions, such as the classic return-into-libc, have received much less attention. Mitigating function-level code reuse is highly challenging because one needs to distinguish a legitimate call to a function from an illegitimate one. In fact, the recent counterfeit object-oriented programming (COOP) attack demonstrated that the majority of code-reuse defenses can be bypassed by reusing dynamically bound functions, i.e., functions that are accessed through global offset tables and virtual function tables, respectively.

    In this paper, we first significantly improve and simplify the COOP attack. Based on a strong adversarial model, we then present the design and implementation of a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions. In particular, we introduce two novel defense techniques: (i) a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and (ii) booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables. Booby traps serve the dual purpose of preventing fault-analysis side channels and ensuring that each table has sufficiently many possible permutations. Our detailed evaluation demonstrates that our approach is secure, effective, and practical. We prevent realistic, COOP-style attacks against the Chromium web browser and report an average overhead of 1,1% on the SPEC CPU2006 benchmarks.

  • Crane, Stephen; Liebchen, Christopher; Homescu, Andrei; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Brunthaler, Stefan; Franz, Michael: Return to Where? You Can’t Exploit What You Can’t Find. In: Black Hat USA. 2015. BIB Download Details

    Detecting and preventing exploitation of memory corruption vulnerabilities is highly challenging. Until now, no countermeasure has been able to fully prevent sophisticated exploitation techniques, such as return-oriented programming (ROP). Recent control-flow integrity (CFI) defenses from Google and Microsoft can be bypassed by constructing a ROP payload that adheres to the control-flow constraints or by exploiting implementation flaws. Microsoft’s EMET has less overhead than full CFI, but offers less protection in return, and can be bypassed. Probabilistic countermeasures based on memory layout randomization (such as ASLR) are already in widespread use. However, the Pwn2own competitions have repeatedly demonstrated that attackers can bypass code randomization using memory leaks in browsers.

    To reduce the impact of memory disclosure, recent defenses utilize execute-only memory. In this work we show that execute-only memory is insufficient and that these solutions can still be bypassed. In particular, we show how to determine the code layout by analyzing pointers in the heap and on the stack without ever reading the code.

    On the defensive side, we build a comprehensive yet practical defense called Readactor that counters both direct reading of code and indirect layout disclosure through analysis of code pointers. We employ a thin hypervisor and a kernel patch to utilize true hardware execute-only memory, and prevent direct reading of code in Linux processes. We hide all code pointers in readable memory using a patched version of the LLVM compiler. We deploy a number of techniques to break ROP gadget chains and disorient the adversary. Specifically, we hide code pointers by converting them into direct jumps stored in execute-only memory to prevent indirect layout disclosure.

    Our solution is efficient, because it activates previously unused hardware capabilities in modern x86 processors and is often faster than industry CFI implementations. Our solution is also highly practical; we were able to automatically apply our defense to the Chromium web browser. Finally, our solution is comprehensive; we also protect the dynamically generated code emitted by the V8 JavaScript JIT compiler.

  • Arias, Orlando; Davi, Lucas; Hanreich, Matthias; Jin, Yier; Koeberl, Patrick; Paul, Debayan; Sadeghi, Ahmad-Reza; Sullivan, Dean: HAFIX: Hardware-Assisted Flow Integrity Extension - Best Paper. In: Proc. of 52nd Design Automation Conference (DAC). 2015. doi:10.1145/2744769.2744847 Volltext BIB Download Details

    Code-reuse attacks like return-oriented programming (ROP) pose a severe threat to modern software on diverse processor architectures. Designing practical and secure defenses against code-reuse attacks is highly challenging and currently subject to intense research. However, no secure and practical system-level solutions exist so far, since a large number of proposed defenses have been successfully bypassed. To tackle this attack, we present HAFIX (Hardware-Assisted Flow Integrity eXtension), a defense against code-reuse attacks exploiting backward edges (returns). HAFIX provides fine-grained and practical protection, and serves as an enabling technology for future control-flow integrity instantiations. This paper presents the implementation and evaluation of HAFIX for the Intel Siskiyou Peak and SPARC embedded system architectures, and demonstrates its security and efficiency in code-reuse protection while incurring only 2% performance overhead.

  • Crane, Stephen; Liebchen, Christopher; Homescu, Andrei; Davi, Lucas; Larsen, Per; Sadeghi, Ahmad-Reza; Brunthaler, Stefan; Franz, Michael: Readactor: Practical Code Randomization Resilient to Memory Disclosure. In: Proc. of 36th IEEE Symposium on Security and Privacy (Oakland). 2015. doi:10.1109/SP.2015.52 BIB Download Details

    Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems. In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Readactor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical‐-we protect the entire Google Chromium browser and its V8 JIT compiler‐-and efficient with an average SPEC CPU2006 performance overhead of only 6.4%.

  • Schuster, Felix; Tendyck, Thomas; Liebchen, Christopher; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten: Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications. In: Proc. of 36th IEEE Symposium on Security and Privacy (Oakland). 2015. doi:10.1109/SP.2015.51 BIB Download Details

    Code reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been successfully bypassed - and the arms race continues. In this paper, we perform a systematic assessment of recently proposed CFI solutions and other defenses against code reuse attacks in the context of C++. We demonstrate that many of these defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice. Our novel attack technique, denoted as counterfeit object-oriented programming (COOP), induces malicious program behavior by only invoking chains of existing C++ virtual functions in a program through corresponding existing call sites. COOP is Turing complete in realistic attack scenarios and we show its viability by developing sophisticated, real-world exploits for Internet Explorer 10 on Windows and Firefox 36 on Linux. Moreover, we show that even recently proposed defenses (CPS, T-VIP, vfGuard, and VTint) that specifically target C++ are vulnerable to COOP. We observe that constructing defenses resilient to COOP that do not require access to source code seems to be challenging. We believe that our investigation and results are helpful contributions to the design and implementation of future defenses against control-flow hijacking attacks.

  • Bucicoiu, Mihai; Davi, Lucas; Deaconescu, Razvan; Sadeghi, Ahmad-Reza: XiOS: Extended Application Sandboxing on iOS. In: Proc. of 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2015. doi:10.1145/2714576.2714629 Volltext BIB Download Details

    Until very recently it was widely believed that iOS malware is effectively blocked by Apple’s vetting process and application sandboxing. However, the newly presented severe malicious app attacks (e.g., Jekyll) succeeded to undermine these protection measures and steal private data, post Twitter messages, send SMS, and make phone calls. Currently, no effective defenses against these attacks are known for iOS. The main goal of this paper is to systematically analyze the recent attacks against iOS sandboxing and provide a practical security framework for iOS app hardening which is fully independent of the Apple’s vetting process and particularly benefits enterprises to protect employees’ iOS devices. The contribution of this paper is twofold: First, we show a new and generalized attack that significantly reduces the complexity of the recent attacks against iOS sandboxing. Second, we present the design and implementation of a novel and efficient iOS app hardening service, XiOS, that enables fine-grained application sandboxing, and mitigates the existing as well as our new attacks. In contrast to previous work in this domain (on iOS security), our approach does not require to jailbreak the device. We demonstrate the efficiency and effectiveness of XiOS by conducting several benchmarks as well as fine-grained policy enforcement on real-world iOS applications

  • Davi, Lucas; Liebchen, Christopher; Sadeghi, Ahmad-Reza; Snow, Kevin; Monrose, Fabian: Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming. In: Proc. of 22nd Annual Network & Distributed System Security Symposium (NDSS). 2015. Volltext BIB Download Details

    Until recently, it was widely believed that code randomization (such as fine-grained ASLR) can effectively mitigate code reuse attacks. However, a recent attack strategy, dubbed just-in-time return oriented programming (JIT-ROP), circumvents code randomization by disclosing the (randomized) content of many memory pages at runtime. In order to remedy this situation, new and improved code randomization defenses have been proposed.

    The contribution of this paper is twofold: first, we conduct a security analysis of a recently proposed fine-grained ASLR scheme that aims at mitigating JIT-ROP based on hiding direct code references in branch instructions. In particular, we demonstrate its weaknesses by constructing a novel JIT-ROP attack that is solely based on exploiting code references residing on the stack and heap. Our attack stresses that designing code randomization schemes resilient to memory disclosure is highly challenging. Second, we present a new and hybrid defense approach, dubbed Isomeron, that combines code randomization with execution-path randomization to mitigate conventional ROP and JIT-ROP attacks. Our reference implementation of Isomeron neither requires source code nor a static analysis phase.

    We evaluated its efficiency based on SPEC benchmarks and discuss its effectiveness against various kinds of code reuse attacks.

  • Sadeghi, Ahmad-Reza; Davi, Lucas; Larsen, Per: Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote. In: Proc. of 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2015. doi:10.1145/2714576.2737090 Volltext BIB Download Details

    Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).

    The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.

    This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

  • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza; Monrose, Fabian: Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection. In: Proc. of 23rd USENIX Security Symposium. 2014. Volltext BIB Download Details

    Return-oriented programming (ROP) offers a robust attack technique that has, not surprisingly, been extensively used to exploit bugs in modern software programs (e.g., web browsers and PDF readers). ROP attacks require no code injection, and have already been shown to be powerful enough to bypass fine-grained memory randomization (ASLR) defenses. To counter this ingenious attack strategy, several proposals for enforcement of (coarse-grained) control-flow integrity (CFI) have emerged. The key argument put forth by these works is that coarse-grained CFI policies are sufficient to prevent ROP attacks. As this reasoning has gained traction, ideas put forth in these proposals have even been incorporated into coarse-grained CFI defenses in widely adopted tools (e.g., Microsoft’s EMET framework).

    In this paper, we provide the first comprehensive security analysis of various CFI solutions (covering kBouncer, ROPecker, CFI for COTS binaries, ROPGuard, and Microsoft EMET 4.1). A key contribution is in demonstrating that these techniques can be effectively undermined, even under weak adversarial assumptions. More specifically, we show that with bare minimum assumptions, turing-complete and real-world ROP attacks can still be launched even when the strictest of enforcement policies is in use. To do so, we introduce several new ROP attack primitives, and demonstrate the practicality of our approach by transforming existing real-world exploits into more stealthy attacks that bypass coarse-grained CFI defenses.

  • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza: The Beast is in Your Memory: Return-Oriented Programming Attacks Against Modern Control-Flow Integrity Protection Techniques. In: Black Hat USA. 2014. Volltext BIB Download Details

    Return-oriented Programming (ROP) is a powerful exploitation technique used in nearly every exploit today. It maliciously combines short code snippets (gadgets) residing in shared libraries and the executable to bypass data execution prevention (DEP). As a consequence, several new control-flow integrity (CFI) mechanisms and tools have been recently proposed to thwart ROP attacks. For instance, kBouncer and ROPGuard both restrict return instructions to target a call-preceded instruction. In addition, ROPecker and kBouncer force the adversary to invoke a long instruction sequence after a pre-defined number of short gadgets thereby preventing an attacker to execute a sequence of ROP gadgets. Some of the proposed mechanisms have already been integrated in Microsoft's Windows EMET tool. In general, these mechanisms significantly reduce the gadget space and make it challenging for an attacker to mount ROP attacks.

    While others have hypothesized or even exploited weaknesses in some of these emerging CFI techniques, we provide the first comprehensive analysis thereof. Specifically, we conducted a security analysis of various recently proposed CFI solutions (including kBouncer, ROPGuard, ROPecker, and CFI for COTS binaries). Our key contribution is in demonstrating that these techniques can be effectively undermined even when all their protection mechanisms are combined. In particular, we transformed existing (publicly available) exploits against Windows (which are detected by Microsoft EMET) into more stealthy attacks that bypass all recently proposed CFI techniques. We show that our performed transformations require no specific assumptions, and demonstrate that a 1MB Windows library (kernel32.dll) is already sufficient to derive a (turing-) complete gadget set using only call-preceded gadgets.

  • Davi, Lucas; Koeberl, Patrick; Sadeghi, Ahmad-Reza: Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation. In: Proc. of 51st Design Automation Conference (DAC) - Special Session: Trusted Mobile Embedded Computing. 2014. doi:10.1145/2593069.2596656 Volltext BIB Download Details

    Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, mobile and wearable devices. However, due to resource constraints, they fail to provide sufficient security, and are particularly vulnerable to runtime attacks (code injection and ROP). Previous works have proposed the enforcement of control-flow integrity (CFI) as a general defense against runtime attacks. However, existing solutions either suffer from performance overhead or only enforce coarse-grain CFI policies that a sophisticated adversary can undermine. In this paper, we tackle these limitations and present the design of novel security hardware mechanisms to enable fine-grained CFI checks. Our CFI proposal is based on a state model and a per-function CFI label approach. In particular, our CFI policies ensure that function returns can only transfer control to active call sides (i.e., return landing pads of functions currently executing). Further, we restrict indirect calls to target the beginning of a function, and lastly, deploy behavioral heuristics for indirect jumps.

  • Davi, Lucas; Lehmann, Daniel; Sadeghi, Ahmad-Reza; Monrose, Fabian: Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection, TUD-CS-2014-0800. 2014. Volltext BIB Download Details

    Return-oriented programming (ROP) offers a robust attack technique that has, not surprisingly, been extensively used to exploit bugs in modern software programs (e.g., web browsers and PDF readers). ROP attacks require no code injection, and have already been shown to be powerful enough to bypass fine-grained memory randomization (ASLR) defenses. To counter this ingenious attack strategy, several proposals for enforcement of (coarse-grained) control-flow integrity (CFI) have emerged. The key argument put forth by these works is that coarse-grained CFI policies are sufficient to prevent ROP attacks. As this reasoning has gained traction, ideas put forth in these proposals have even been incorporated into coarse-grained CFI defenses in widely adopted tools (e.g., Microsoft’s EMET framework).

    In this paper, we provide the first comprehensive security analysis of various CFI solutions (covering kBouncer, ROPecker, CFI for COTS binaries, ROPGuard, and Microsoft EMET 4.1). A key contribution is in demonstrating that these techniques can be effectively undermined, even under weak adversarial assumptions. More specifically, we show that with bare minimum assumptions, turing-complete and real-world ROP attacks can still be launched even when the strictest of enforcement policies is in use. To do so, we introduce several new ROP attack primitives, and demonstrate the practicality of our approach by transforming existing real-world exploits into more stealthy attacks that bypass coarse-grained CFI defenses.

  • Asokan, N.; Davi, Lucas; Dmitrienko, Alexandra; Heuser, Stephan; Kostiainen, Kari; Reshetova, Elena; Sadeghi, Ahmad-Reza: Mobile Platform Security (3). Morgan & Claypool, 2013. doi:10.2200/S00555ED1V01Y201312SPT009 BIB Download Details

    Recently, mobile security has garnered considerable interest in both the research community and industry due to the popularity of smartphones. The current smartphone platforms are open systems that allow application development, also for malicious parties. To protect the mobile device, its user, and other mobile ecosystem stakeholders such as network operators, application execution is controlled by a platform security architecture. This book explores how such mobile platform security architectures work. We present a generic model for mobile platform security architectures: the model illustrates commonly used security mechanisms and techniques in mobile devices and allows a systematic comparison of different platforms. We analyze several mobile platforms using the model. In addition, this book explains hardware-security mechanisms typically present in a mobile device. We also discuss enterprise security extensions for mobile platforms and survey recent research in the area of mobile platform security. The objective of this book is to provide a comprehensive overview of the current status of mobile platform security for students, researchers, and practitioners.

  • Stancill, Blaine; Snow, Kevin; Otterness, Nathan; Monrose, Fabian; Davi, Lucas; Sadeghi, Ahmad-Reza: Check My Profile: Leveraging Static Analysis for Fast and Accurate Detection of ROP Gadgets. In: Proc. of 16th Research in Attacks, Intrusions and Defenses (RAID) Symposium. 2013. doi:10.1007/978-3-642-41284-4_4 BIB Download Details

    Return-oriented programming ROP offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that do not require any modification to end-user platforms. Specifically, we propose a novel framework that efficiently analyzes documents PDF, Office, or HTML files and detects whether they contain a returnoriented programming payload. To do so, we provide advanced techniques for taking memory snapshots of a target application, efficiently transferring the snapshots to a host system, as well as novel static analysis and filtering techniques to identify and profile chains of code pointers referencing ROP gadgets that may even reside in randomized libraries. Our evaluation of over 7,662 benign and 57 malicious documents demonstrate that we can perform such analysis accurately and expeditiously -- with the vast majority of documents analyzed in about 3 seconds.

  • Snow, Kevin; Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Monrose, Fabian; Sadeghi, Ahmad-Reza: Just-In-Time Code Reuse: The More Things Change, the More They Stay the Same. In: Black Hat USA. 2013. Volltext BIB Download Details

    Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today’s platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets - all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

  • Davi, Lucas; Dmitrienko, Alexandra; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: Gadge Me If You Can: Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM. In: Proc. of 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2013. doi:10.1145/2484313.2484351 Volltext BIB Download Details

    Code reuse attacks such as return-oriented programming are one of the most powerful threats to contemporary software. ASLR was introduced to impede these attacks by dispersing shared libraries and the executable in memory. However, in practice its entropy is rather low and, more importantly, the leakage of a single address reveals the position of a whole library in memory. The recent mitigation literature followed the route of randomization, applied it at different stages such as source code or the executable binary. However, the code segments still stay in one block. In contrast to previous work, our randomization solution, called XIFER, (1) disperses all code (executable and libraries) across the whole address space, (2) re-randomizes the address space for each run, (3) is compatible to code signing, and (4) does neither require offline static analysis nor source-code. Our prototype implementation supports the Linux ELF file format and covers both mainstream processor architectures x86 and ARM. Our evaluation demonstrates that XIFER performs efficiently at load- and during run-time (1.2% overhead).

  • Snow, Kevin; Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Monrose, Fabian; Sadeghi, Ahmad-Reza: Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization - Best Student Paper Award. In: Proc. of 34th IEEE Symposium on Security and Privacy (Oakland). 2013. doi:10.1109/SP.2013.45 Volltext BIB Download Details

    Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this paper, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR. Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets - all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

  • Werthmann, Tim; Hund, Ralf; Davi, Lucas; Sadeghi, Ahmad-Reza; Holz, Thorsten: PSiOS: Bring Your Own Privacy & Security to iOS Devices - Distinguished Paper Award. In: Proc. of 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2013. doi:10.1145/2484313.2484316 Volltext BIB Download Details

    Apple iOS is one of the most popular mobile operating systems. As its core security technology, iOS provides application sandboxing but assigns a generic sandboxing profile to every third-party application. However, recent attacks and incidents with benign applications demonstrate that this design decision is vulnerable to crucial privacy and security breaches, allowing applications (either benign or malicious) to access contacts, photos, and device IDs. Moreover, the dynamic character of iOS apps written in Objective-C renders the currently proposed static analysis tools less useful.

    In this paper, we aim to address the open problem of preventing (not only detecting) privacy leaks and simultaneously strengthening security against runtime attacks on iOS. Compared to similar research work on the open Android, realizing such a system for the closed-source iOS is highly involved.

    We present the design and implementation of PSiOS, a tool that features a novel policy enforcement framework for iOS. It provides fine-grained, application-specific, and user/administrator defined sandboxing for each third-party application without requiring access to the application source code. Our reference implementation deploys control-flow integrity based on the recently proposed MoCFI (Mobile CFI) framework that only protects applications against runtime attacks. We evaluated several popular iOS applications (e.g., Facebook, WhatsApp) to demonstrate the efficiency and effectiveness of PSiOS.

  • Davi, Lucas; Dmitrienko, Alexandra; Liebchen, Christopher; Sadeghi, Ahmad-Reza: Over-the-air Cross-Platform Infection for Breaking mTAN-based Online Banking Authentication. In: BlackHat Abu Dhabi. 2012. BIB Download Details
  • Davi, Lucas; Dmitrienko, Alexandra; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: XIFER: A Software Diversity Tool Against Code-Reuse Attacks. In: Proc. of 4th ACM International Workshop on Wireless of the Students, by the Students, for the Students (S3). 2012. Volltext BIB Download Details

    The enormous growth of mobile devices and their app markets has raised many security and privacy concerns. Runtime attacks seem to be a major threat, in particular, code-reuse attacks that do not require any external code injection (e.g., return-to-libc or return-oriented programming).

    We present, for the first time, a code transformation tool that completely mitigates code-reuse attacks by applying software diversity to the binary at runtime. Our tool XIFER (1) randomly diversifies the code of an application over the entire memory for each invocation, (2) requires no source code or any static analysis, (3) can be applied to both Intel x86 and ARM Linux executables, and (4) induces a negligible runtime overhead of only 1% in average.

  • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza; Shastry, Bhargava: Towards Taming Privilege-Escalation Attacks on Android. In: Proc. of 19th Annual Network & Distributed System Security Symposium (NDSS). 2012. Volltext BIB Download Details

    Android’s security framework has been an appealing subject of research in the last few years. Android has been shown to be vulnerable to application-level privilege escalation attacks, such as confused deputy attacks, and more recently, attacks by colluding applications. While most of the proposed approaches aim at solving confused deputy attacks, there is still no solution that simultaneously addresses collusion attacks.

    In this paper, we investigate the problem of designing and implementing a practical security framework for Android to protect against confused deputy and collusion attacks. We realize that defeating collusion attacks calls for a rather system-centric solution as opposed to application-dependent policy enforcement. To support our design decisions, we conduct a heuristic analysis of Android’s system behavior (with popular apps) to identify attack patterns, classify different adversary models, and point out the challenges to be tackled. Then we propose a solution for a system-centric and policy-driven runtime monitoring of communication channels between applications at multiple layers: 1) at the middleware we control IPCs between applications and indirect communication via Android system components. Moreover, inspired by the approach in QUIRE, we establish semantic links between IPCs and enable the reference monitor to verify the call-chain; 2) at the kernel level we realize mandatory access control on the file system (including Unix domain sockets) and local Internet sockets. To allow for runtime, dynamic low-level policy enforcement, we provide a callback channel between the kernel and the middleware. Finally, we evaluate the efficiency and effectiveness of our framework on known confused deputy and collusion attacks, and discuss future directions.

  • Davi, Lucas; Dmitrienko, Alexandra; Egele, Manuel; Fischer, Thomas; Holz, Thorsten; Hund, Ralf; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: MoCFI: A Framework to Mitigate Control-Flow Attacks on Smartphones. In: Proc. of 19th Annual Network & Distributed System Security Symposium (NDSS). 2012. Volltext BIB Download Details

    Runtime and control-flow attacks (such as code injection or return-oriented programming) constitute one of the most severe threats to software programs. These attacks are prevalent and have been recently applied to smartphone applications as well, of which hundreds of thousands are downloaded by users every day. While a framework for control-flow integrity (CFI) enforcement, an approach to prohibit this kind of attacks, exists for the Intel x86 platform, there is no such a solution for smartphones.

    In this paper, we present a novel framework, MoCFI (Mobile CFI), that provides a general countermeasure against control-flow attacks on smartphone platforms by enforcing CFI. We show that CFI on typical smartphone platforms powered by an ARM processor is technically involved due to architectural differences between ARM and Intel x86, as well as the specifics of smartphone OSes. Our framework performs CFI on-the-fly during runtime without requiring the application’s source code. For our reference implementation we chose Apple’s iOS, because it has been an attractive target for control-flow attacks. Nevertheless, our framework is also applicable to other ARM-based devices such as Google’s Android. Our performance evaluation demonstrates that MoCFI is efficient and does not induce notable overhead when applied to popular iOS applications.

  • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza; Shastry, Bhargava: POSTER: The Quest for Security against Privilege Escalation Attacks on Android. In: Proc. of 18th ACM Conference on Computer and Communications Security (CCS). 2011. doi:10.1145/2046707.2093482 Volltext BIB Download Details

    In this paper we present the design and implementation of a security framework that extends the reference monitor of the Android middleware and deploys a mandatory access control on Linux kernel (based on Tomoyo) aiming at detecting and preventing application-level privilege escalation attacks at runtime.

    In contrast to existing solutions, our framework is system-centric, efficient, detects attacks that involve communication channels controlled by both, Android middleware and the Linux kernel (particularly, Binder IPC, Internet sockets and file system). It can prevent known confused deputy attacks without false positives and is also flexible enough to prevent unknown confused deputy attacks and attacks by colluding applications (e.g., Soundcomber) at the cost of a small rate of false positives.

  • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Heuser, Stephan; Sadeghi, Ahmad-Reza; Shastry, Bhargava: Practical and Lightweight Domain Isolation on Android. In: Proc. of 1st ACM Workshop on Security and Privacy in Mobile Devices (SPSM). 2011. doi:10.1145/2046614.2046624 Volltext BIB Download Details

    In this paper, we introduce a security framework for practical and lightweight domain isolation on Android to mitigate unauthorized data access and communication among applications of different trust levels (e.g., private and corporate). We present the design and implementation of our framework, TrustDroid, which in contrast to existing solutions enables isolation at different layers of the Android software stack: (1) at the middleware layer to prevent inter-domain application communication and data access, (2) at the kernel layer to enforce mandatory access control on the file system and on Inter-Process Communication (IPC) channels, and (3) at the network layer to mediate network traffic. For instance, (3) allows network data to be only read by a particular domain, or enables basic context-based policies such as preventing Internet access by untrusted applications while an employee is connected to the company’s network.

    Our approach accurately addresses the demands of the business world, namely to isolate data and applications of different trust levels in a practical and lightweight way. Moreover, our solution is the first leveraging mandatory access control with TOMOYO Linux on a real Android device (Nexus One). Our evaluation demonstrates that TrustDroid only adds a negligible overhead, and in contrast to contemporary full virtualization, only minimally affects the battery’s life-time.

  • Bugiel, Sven; Davi, Lucas; Schulz, Steffen: Scalable Trust Establishment with Software Reputation. In: Proc. of 6th ACM Workshop on Scalable Trusted Computing (STC). 2011. doi:10.1145/2046582.2046587 Volltext BIB Download Details

    Users and administrators are often faced with the choice between different software solutions, sometimes even have to assess the security of complete software systems. With sufficient time and resources, such decisions can be based on extensive testing and review. However, in practice this is often too expensive and time consuming.

    In this paper, we present a pragmatic, but scalable approach for the trustworthiness assessment of software programs based on their security history. The approach can be used to, e.g. automatically sort programs in an App store by their security record or to assess the trustworthiness of complex software systems in remote attestation schemes. Our prototype implementation for the popular Debian GNU/Linux system achieves good prediction accuracy for individual programs as well as entire systems.

  • Davi, Lucas; Dmitrienko, Alexandra; Egele, Manuel; Fischer, Thomas; Holz, Thorsten; Hund, Ralf; Nürnberger, Stefan; Sadeghi, Ahmad-Reza: POSTER: Control-Flow Integrity for Smartphones. In: Proc. of 18th ACM Conference on Computer and Communications Security (CCS). 2011. doi:10.1145/2046707.2093484 Volltext BIB Download Details

    Despite extensive research over the last two decades, runtime attacks on software are still prevalent. Recently, smartphones, of which millions are in use today, have become an attractive target for adversaries. However, existing solutions are either ad-hoc or limited in their effectiveness.

    In this poster, we present a general countermeasure against runtime attacks on smartphone platforms. Our approach makes use of control-flow integrity (CFI), and tackles unique challenges of the ARM architecture and smartphone platforms. Our framework and implementation is efficient, since it requires no access to source code, performs CFI enforcement on-the-fly during runtime, and is compatible to memory randomization and code signing/encryption. We chose Apple iPhone for our reference implementation, because it has become an attractive target for runtime attacks. Our performance evaluation on a real iOS device demonstrates that our implementation does not induce any notable overhead when applied to popular iOS applications.

  • Davi, Lucas; Dmitrienko, Alexandra; Kowalski, Christoph; Winandy, Marcel: Trusted Virtual Domains on OKL4: Secure Information Sharing on Smartphones. In: Proc. of 6th ACM Workshop on Scalable Trusted Computing (STC). 2011. doi:10.1145/2046582.2046592 Volltext BIB Download Details

    The flexibility and computing power of modern smartphones to install and execute various applications allows for a rich user experience but also imposes several security concerns. Smartphones that are used both for private and corporate purposes do not separate the data and applications of different security domains, and users are usually too unskilled to deploy and configure extra security mechanisms. Hence, data leakage and unwanted information flow may occur.

    In this paper we present the design and implementation of the Trusted Virtual Domain (TVD) security architecture for smartphones. The TVD concept separates data and applications of different security domains and automates the security configuration on devices. In particular, we build our solution on top of the OKL4 microkernel, which provides the basic isolation properties, and extend it with a framework that realizes the TVD policy enforcement for Android operating systems. Our results show that the TVD security architecture can be built and used on modern smartphones, but there are also limitations that current security kernels like OKL4 have to address to improve the user experience.

  • Bugiel, Sven; Davi, Lucas; Dmitrienko, Alexandra; Fischer, Thomas; Sadeghi, Ahmad-Reza: XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks, TR-2011-04. 2011. Volltext BIB Download Details

    Google Android has become a popular mobile operating system which is increasingly deployed by mobile device manufactures for various platforms. Recent attacks show that Android’s permission framework is vulnerable to application-level privilege escalation attacks, i.e., an application may indirectly gain privileges to perform unauthorized actions. The existing proposals for security extensions to Android’s middleware (e.g., Kirin, Saint or TaintDroid) cannot fully and adequately mitigate these attacks or detect Trojans such as Soundminer that exploit covert channels in the Android system.

    In this paper we present the design and implementation of XManDroid (eXtended Monitoring on Android), a security framework that extends the monitoring mechanism of Android to detect and prevent application-level privilege escalation attacks at runtime based on a system-centric system policy. Our implementation dynamically analyzes applications’ transitive permission usage while inducing a minimal performance overhead unnoticeable for the user. Depending on system policy our system representation allows for an effective detection of (covert) channels established through the Android system services and content providers while simultaneously optimizing the rate of false positives. We evaluate the effectiveness of XManDroid on our test suite that simulates known application-level privilege escalation attacks (including Soundminer), and demonstrate successful detection of attacks that use Android’s inter-component communication (ICC) framework (standard for most attacks). We also preformed a usability test to evaluate the impact of XManDroid on the user-experience with third party applications. Moreover, we analyze sources of false positives and discuss how this rate can be further significantly reduced.

  • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks. In: Proc. of 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS). 2011. doi:10.1145/1966913.1966920 Volltext BIB Download Details

    Modern runtime attacks increasingly make use of the powerful return-oriented programming (ROP) attack techniques and principles such as recent attacks on Apple iPhone and Acrobat products to name some. These attacks even work under the presence of modern memory protection mechanisms such as data execution prevention (DEP). In this paper, we present our tool, ROPdefender, that dynamically detects conventional ROP attacks (that are based on return instructions). In contrast to existing solutions, ROPdefender can be immediately deployed by end-users, since it does not rely on side information (e.g., source code or debugging information) which are rarely provided in practice. Currently, our tool adds a runtime overhead of 2x which is comparable to similar instrumentation-based tools.

  • Checkoway, Stephen; Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Shacham, Hovav; Winandy, Marcel: Return-Oriented Programming without Returns. In: Proc. of 17th ACM conference on Computer and Communications Security (CCS). 2010. doi:10.1145/1866307.1866370 Volltext BIB Download Details

    We show that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions. Our attacks instead make use of certain instruction sequences that behave like a return, which occur with sufficient frequency in large libraries on (x86) Linux and (ARM) Android to allow creation of Turing-complete gadget sets.

    Because they do not make use of return instructions, our new attacks have negative implications for several recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream; those that detect violations of the last-in, first-out invariant normally maintained for the return-address stack; and those that modify compilers to produce code that avoids the return instruction.

  • Davi, Lucas; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; Winandy, Marcel: Privilege Escalation Attacks on Android. In: Proc. of 13th Information Security Conference (ISC). 2010. doi:10.1007/978-3-642-18178-8_30 BIB Download Details

    Android is a modern and popular software platform for smartphones. Among its predominant features is an advanced security model which is based on application-oriented mandatory access control and sandboxing. This allows developers and users to restrict the execution of an application to the privileges it has (mandatorily) assigned at installation time. The exploitation of vulnerabilities in program code is hence believed to be confined within the privilege boundaries of an application’s sandbox. However, in this paper we show that a privilege escalation attack is possible. We show that a genuine application exploited at runtime or a malicious application can escalate granted permissions. Our results immediately imply that Android’s security model cannot deal with a transitive permission usage attack and Android’s sandbox model fails as a last resort against malware and sophisticated runtime attacks.

  • Davi, Lucas; Sadeghi, Alexandra Dmitrienko Ahmad-Reza; Winandy, Marcel: Return-Oriented Programming without Returns on ARM, HGI-TR-2010-002. 2010. Volltext BIB Download Details

    In this paper we present a novel and general memory-related attack method on ARM-based computing platforms. Our attack deploys the principles of return-oriented programming (ROP), however, in contrast to conventional ROP, it exploits jumps instead of returns, and hence it can not be detected by return address checkers. Although a similar attack has been recently proposed for Intel x86, it was unclear if the attack technique can be deployed to ARM-based computing platforms as well. Developing a jump-based attack on ARM is more involved, because ARM is based on a RSIC architecture which differs in many aspects from Intel's x86 architecture. Nevertheless, we show a Turing-complete attack that can induce arbitrary change of behavior in running programs without requiring code injection. As proof of concept, we instantiate our attack method on the Android platform.

  • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks, HGI-TR-2010-001. 2010. Volltext BIB Download Details

    Return-oriented programming (ROP) is a technique that enables an adversary to construct malicious programs with the desired behavior by combining short instruction sequences that already reside in the memory space of a program. ROP attacks have already been demonstrated on various processor architectures ranging from PCs to smartphones and special-purpose systems.

    In this paper, we present our tool, ROPdefender, that dynamically detects conventional ROP attacks (that are based on return instructions) with a reasonable runtime overhead of 2x. In contrast to existing solutions, (i) ROPdefender does not rely on side information (e.g., source code or debugging information) and (ii) it instruments all return instructions issued during program execution including all returns from dynamic libraries, even if the adversary subverts the control flow by other means. Moreover, ROPdefender can handle Unix signals, non-local control transfers, C++ exceptions, lazy binding, and can be applied to multi-threaded applications such as Mozilla Firefox or Acrobat Reader. Finally our implementation supports mainstream operating systems (Windows and Linux) for the Intel x86 architecture. As proof of concept we show that ROPdefender successfully detects recent Acrobat Reader exploits on Windows.

  • Davi, Lucas; Sadeghi, Ahmad-Reza; Winandy, Marcel: Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In: Proc. of 4th ACM Workshop on Scalable Trusted Computing (STC). 2009. doi:10.1145/1655108.1655117 Volltext BIB Download Details

    Despite the many efforts made in recent years to mitigate runtime attacks such as stack and heap based buffer overflows, these attacks are still a common security concern in today's computing platforms. Attackers have even found new ways to enforce runtime attacks including use of a technique called return-oriented programming. Trusted Computing provides mechanisms to verify the integrity of all executable content in an operating system. But they only provide integrity at load-time and are not able to prevent or detect runtime attacks. To mitigate return-oriented programming attacks, we propose new runtime integrity monitoring techniques that use tracking instrumentation of program binaries based on taint analysis and dynamic tracing. We also describe how these techniques can be employed in a dynamic integrity measurement architecture (DynIMA). In this way we fill the gap between static load-time and dynamic runtime attestation and, in particular, extend trusted computing techniques to effectively defend against return-oriented programming attacks.

Gutachtertätigkeiten:

Programmkomitee Mitglied

  • USENIX SEC 2020 - 29th USENIX Security Symposium
  • NDSS 2020 - 27th Network and Distributed System Security Symposium
  • ASIACCS 2020 - 15th ACM Asia Conference on Computer and Communications Security
  • ACM CCS 2019 - 26th ACM Conference on Computer and Communications Security
  • WOOT 2019 - 13th USENIX Workshop on Offensive Technologies
  • ISC 2019 - 22nd Information Security Conference (ISC)
  • ASIACCS 2019 - 14th ACM Asia Conference on Computer and Communications Security
  • WWW 2019 - 30th The Web Conference
  • NDSS 2019 - 26th Network and Distributed System Security Symposium
  • DATE 2019 - 22nd Conference on Design, Automation and Test in Europe (Track A5 Secure Systems, Circuits, and Architectures)
  • ACM CCS 2018 - 25th ACM Conference on Computer and Communications Security
  • RAID 2018 - 21st International Symposium on Research in Attacks, Intrusions and Defenses
  • ISC 2018 - 21st Information Security Conference (ISC)
  • DIMVA 2018 - 15th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
  • USENIX SEC 2018 - 27th USENIX Security Symposium
  • ASIACCS 2018 - 13th ACM Asia Conference on Computer and Communications Security
  • ROOTS 2017 -  1st Reversing and Offensive-oriented Trends Symposium
  • CARDIS 2017 - 17th Smart Card Research and Advanced Application Conference
  • ACM CCS 2017 - 24th ACM Conference on Computer and Communications Security
  • ACSAC 2017 - 33nd Annual Computer Security Applications Conference
  • CSET 2017 - 10th USENIX Workshop on Cyber Security Experimentation and Test
  • WOOT 2017 - 11th USENIX Workshop on Offensive Technologies
  • EuroSec 2017 - 10th European Workshop on Systems Security
  • DIMVA 2017 - 14th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
  • MoST 2017 - 6th IEEE Mobile Security Technologies Workshop
  • SEMS 2017 - Workshop on Security for Embedded and Mobile Systems
  • ICDCS 2017 - 37th IEEE International Conference on Distributed Computing Systems
  • ASIACCS 2017 - 12th ACM Asia Conference on Computer and Communications Security
  • SPSM 2016 - 6th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices
  • ACSAC 2016 - 32nd Annual Computer Security Applications Conference
  • RAID 2016 - 19th International Symposium on Research in Attacks, Intrusions and Defenses
  • DIMVA 2016 - 13th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
  • EuroSec 2016 - 9th European Workshop on Systems Security
  • ICDCS 2016 - 36th IEEE International Conference on Distributed Computing Systems
  • ACNS 2016 - 14th International Conference on Applied Cryptography and Network Security
  • TrustED 2015 - 5th International Workshop on Trustworthy Embedded Devices
  • WOOT 2015 - 9th USENIX Workshop on Offensive Technologies
  • RAID 2015 - 18th International Symposium on Research in Attacks, Intrusions and Defenses
  • AReS - International Conference on Availability, Reliability and Security, 2012 - 2014

Editorial Board

  • TOPS - ACM Transactions on Privacy and Security

Poster/Demo (Co-)Chair

  • ASIACCS 2017 - 12th ACM Asia Conference on Computer and Communications Security

Vorträge:

Filter:
  • Lucas Davi: From Control-Flow to Data-Oriented Exploits, CROSSING Summer School on Sustainable Security & Privacy, 13.09.2019, Darmstadt, Germany. Details
  • Lucas Davi: Exploiting Software Errors: From Control-Flow to Data-Oriented Exploits, International Summer School on System Security (S3), 04.09.2019, University of Padua, Italy. Details
  • Organizers: Divya Arora, Ilia Polian, Francesco Regazzoni, Patrick Schaumont: Secure Composition for Hardware Systems, Dagstuhl Seminar, Event 19301, 22.07.2019, Dagstuhl, Germany. Details
  • Lucas Davi: Your Contract is at Risk: Towards Secure Execution of Smart Contracts, Informatik-Kolloquium, 15.07.2019, Julius-Maximilians-Universität (JMU), Würzburg, Germany. Details
  • Lucas Davi: Hardware-Assisted Application Security and Attacks, Huawei Security Technology SAB Summit, 11.07.2019, Munich, Germany. Details
  • Lucas Davi and Ahmad-Reza Sadeghi: Memory Corruption Attacks and Defenses in the Context of Real-World Crypto - Tutorial, Summer School on real-world crypto and privacy, 20.06.2019, Sibenik, Croatia. Details
  • Lucas Davi: Protecting the Immutable: Can We Prevent Re-Entrancy Attacks Against Deployed Smart Contracts? - Lecture, Lecture Series in Distributed Ledgers and Smart Contracts, 05.04.2019, Darmstadt, Germany. Details
  • Lucas Davi: Sereum - Protecting Existing Smart Contracts Against Re-Entrancy Attacks - Invited Talk, CODE Colloquium 2019, 13.03.2019, Universität der Bundeswehr München. Details
  • Lucas Davi: Protecting Existing Smart Contracts Against Attacks - Invited Talk, CYSMICS Picks Workshop, 28.02.2019, UC San Diego, CA, USA. Details
  • Lucas Davi: Sereum: Laufzeitschutz für Smart Contracts gegen Re-Entrancy Angriffe, Future-Camp "Blockchain in der Energiewirtschaft", 18.02.2019, Essen. Details
  • Lucas Davi: Laufzeitschutz für Smart Contracts gegen Re-Entrancy Angriffe, CampusLab - Barmenia-Ringvorlesung, 12.12.2018, Essen. Details
  • Lucas Davi: Verwundbare IT-Systeme: Moderne Angriffstechniken zum Ausnutzen von Software Sicherheitslücken, Lehrerfortbildung Informatik 2018, 15.11.2018, Essen. Details
  • Lucas Davi: Return and Re-Enter: Modern Software Attack Techniques and Defenses - Invited Talk, Cybersecurity Speaker Series at Northeastern University, 31.10.2018, Boston, USA. Details
  • Lucas Davi: Return-Oriented Programming Angriffe auf Browser , ECSM - European Cyber Security Month, 11.10.2018, Essen. Details
  • Lucas Davi: Memory Corruption Attacks Against Intel SGX Shielded Software - Invited Talk, CASES: Special Session - Towards Secure Computer Architecture: Understanding Security Vulnerabilities and Emerging Attacks for Better Defenses, 03.10.2018, Torino. Details
  • Lucas Davi: How to Bypass Memory Protection: Evolution of Return-Oriented Programming and Rowhammer Attacks - Invited Talk, Seminar at Università degli Studi di Padova, 05.10.2017, Padova, Italy. Details
  • Lucas Davi: Protecting IoT Devices against Software Exploits - Invited Talk, ITG FA 5.2 Workshop on Smart Cities, 28.09.2017, Lübeck, Germany. Details
  • Lucas Davi: Cybersicherheit - Wie Hacker die Kontrolle über Software übernehmen, MNU-Herbsttagung 2017, 05.09.2017, TU Dortmund, Germany. Details
  • Lucas Davi: Can Systems ever be Protected against Run-time Attacks? - Invited Talk, Technology Workshop on Embedded and IoT Security, 17.05.2017, Darmstadt. Details
  • Lucas Davi: Dangerous Bit Flips in Memory: Rowhammer Attacks and Defenses - Keynote, CROSSING Conference 2017 - From Tweets to Quantum, 16.05.2017, Darmstadt. Details
  • Lucas Davi: Cybersicherheit - Wie Hacker die Kontrolle über Software übernehmen, “Informatik macht Innovation” - Tag der Informatik, 21.03.2017, Essen, Germany. Details
  • Lucas Davi: Mitigating Software Exploits on Embedded Systems - Invited Talk, NEC Europe Ltd., NEC Laboratories Europe, 15.03.2017, Heidelberg. Details
  • Lucas Davi: Code-Reuse Attacks and Defenses - Lecture, Winter School on Binary Analysis, 22.02.2017, Bochum, Germany. Details
  • Lucas Davi: Control-Flow Attestation of Embedded Systems Software - Invited Talk, Workshop on Hardware Enhancements for Secure Embedded Systems (HESES), 25.01.2017, Stockholm, Sweden. Details
  • Lucas Davi: Protecting Mobile and Embedded Systems Software from Runtime Exploits - Invited Talk, Workshop on Privacy-Aware Mobile Computing (PAMCO), 05.07.2016, Paderborn, Germany. Details
  • Lucas Davi: The Continuing Arms Race: A Journey in the World of Runtime Exploits and Defenses - Tutorial, 53rd Design Automation Conference (DAC), 05.06.2016, Austin, TX, USA. Details
  • Lucas Davi: On Securing Legacy Software Against Code-Reuse Attacks - Invited Talk, RuhrSec, 29.04.2016, Bochum, Germany. Details
  • Lucas Davi: The Continuing Arms Race in Memory: Return-Oriented Programming Attacks and Defenses - Invited Talk, Computer Science Forum (CS Forum) at Aalto University, 21.04.2016, Helsinki, Finland. Details
  • Lucas Davi, Christopher Liebchen: The Beast in Your Memory: Modern Exploitation Techniques and Defenses - Tutorial, Embedded Systems Week (ESWEEK), 04.10.2015, Amsterdam, Netherlands. Details
  • Lucas Davi, Ahmad-Reza Sadeghi: Modern Runtime Exploitation Techniques and Defenses - Lecture, Summer School on Secure and Trustworthy Computing, 24.09.2015, Bucharest, Romania. Details
  • Organizers: U. Erlingsson, T. Holz, P. Larsen, A.-R. Sadeghi: The Continuing Arms Race: Code-Reuse Attacks and Defenses, Dagstuhl Seminar, Event 15294, 15.07.2015, Dagstuhl, Germany. Details
  • Lucas Davi: Modern Runtime Attacks and Defenses - Lecture, International Summer School on Smart & Mobile Device Security and Privacy (SMDSP), 03.09.2014, Padova, Italy. Details
  • Lucas Davi: The Beast is Resting in Your Memory - Invited Talk, Intel Workshop on Cyberphysical and Mobile Security, 10.06.2014, Darmstadt, Germany. Details
  • Kevin Snow, Lucas Davi: Just-In-Time Code Reuse: The more things change, the more they stay the same, Black Hat USA, 31.07.2013, Las Vegas, USA. Details
  • Lucas Davi: Return-oriented Programming: How to Perform Arbitrary Computation Without Code Injection - Lecture, 5th European Trusted Infrastructure Summer School (ETISS), 09.09.2010, Royal Holloway University of London, GB. Details

Weitere Funktionen:

Publications (Co-)Chair

  • PAC 2017 - 1st IEEE Symposium on Privacy-Aware Computing
  • SPSM 2013 - 3rd ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices

Student Travel Grants Komitee

  • NDSS 2019 - 26th Network and Distributed System Security Symposium

Lokales Organisationskomitee Mitglied

  • CCS 2013 - 20th ACM Conference on Computer and Communications Security
  • ETISS 2011 - 6th European Trusted Infrastructure Summer School