Dipl.-Ing. Michael Rodler

Research Associate

Room: S-GW 309
Phone: +49 201 18-37019
Homepage: https://michaelrodler.at

About:

Michael Rodler is a research associate at the Chair of Secure Software Systems at the University of Duisburg-Essen.

Curriculum vitae:

since 08/2017

Research associate at the University of Duisburg-Essen

10/2013 - 06/2017

Master's programme in Computer Science at Graz University of Technology (graduated with Dipl.-Ing.)

10/2009 - 07/2013

Secure Information Systems degree programme at the University of Applied Sciences Upper Austria, Hagenberg Campus (graduated with BSc)

Publications:

  • Rodler, Michael; Li, Wenting; Karame, Ghassan O.; Davi, Lucas: EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts. In: Proc. of 30th USENIX Security Symposium. USENIX Association, Vancouver, B.C., Canada 2021.
  • Cloosters, Tobias; Rodler, Michael; Davi, Lucas: TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves. In: Proc. of 29th USENIX Security Symposium. 2020.

    Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. In this paper, we show that the attack surface of SGX enclaves provides new challenges for enclave developers as exploitable memory corruption vulnerabilities are easily introduced into enclave code. We develop TeeRex to automatically analyze enclave binary code for vulnerabilities introduced at the host-to-enclave boundary by means of symbolic execution. Our evaluation on public enclave binaries reveals that many of them suffer from memory corruption errors allowing an attacker to corrupt function pointers or perform arbitrary memory writes. As we will show, TeeRex features a specifically tailored framework for SGX enclaves that allows simple proof-of-concept exploit construction to assess the discovered vulnerabilities. Our findings reveal vulnerabilities in multiple enclaves, including enclaves developed by Intel, Baidu, and WolfSSL, as well as biometric fingerprint software deployed on popular laptop brands.

  • Adepu, Sridhar; Brasser, Ferdinand; Garcia, Luis; Rodler, Michael; Davi, Lucas; Sadeghi, Ahmad-Reza; Zonouz, Saman: Control Behavior Integrity for Distributed Cyber-Physical Systems. In: 11th IEEE/ACM Conference on Cyber-Physical Systems (ICCPS'20). 2020.
  • Rodler, Michael; Li, Wenting; Karame, Ghassan; Davi, Lucas: Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019.

    Recently, a number of existing blockchain systems have witnessed major bugs and vulnerabilities within smart contracts. Although the literature features a number of proposals for securing smart contracts, these proposals mostly focus on proving the correctness or absence of a certain type of vulnerability within a contract, but cannot protect deployed (legacy) contracts from being exploited. In this paper, we address this problem in the context of re-entrancy exploits and propose a novel smart contract security technology, dubbed Sereum (Secure Ethereum), which protects existing, deployed contracts against re-entrancy attacks in a backwards compatible way based on run-time monitoring and validation. Sereum does neither require any modification nor any semantic knowledge of existing contracts. By means of implementation and evaluation using the Ethereum blockchain, we show that Sereum covers the actual execution flow of a smart contract to accurately detect and prevent attacks with a false positive rate as small as 0.06% and with negligible run-time overhead. As a by-product, we develop three advanced re-entrancy attacks to demonstrate the limitations of existing offline vulnerability analysis tools.

  • Surminski, Sebastian; Rodler, Michael; Davi, Lucas: Poster: Automated Evaluation of Fuzzers - Distinguished Technical Poster Award. In: Proc. of 26th Network and Distributed System Security Symposium (NDSS). 2019.

    Fuzzing is a well-known technique for automatically testing the robustness of software and its susceptibility to security-critical errors. Recently, many new and improved fuzzers have been presented. One critical aspect of any new fuzzer is its overall performance. However, given that there exists no standardized fuzzing evaluation methodology, we observe significant discrepancy in evaluation results making it highly challenging to compare fuzzing techniques.

    To tackle this deficiency, we developed a new framework, called FETA, which automatically evaluates fuzzers based on a fixed and comprehensive test set enabling objective and general comparison of performance results. We apply FETA to various recently released academic and non-academic fuzzers, eventually resulting in a large scale evaluation of the current state-of-the-art fuzzing approaches.

  • Eder, Thomas; Rodler, Michael; Vymazal, Dieter; Zeilinger, Markus: ANANAS - A Framework for Analyzing Android Applications. In: Availability, Reliability and Security (ARES), 2013 Eighth International Conference on (2013). doi:10.1109/ARES.2013.93

Talks:

  • Rodler, Michael: Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks, ACM AFT, 21.10.2019, Zürich.
  • Rodler, Michael: Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks, Network and Distributed System Security Symposium (NDSS), 27.02.2019, San Diego.