Zur Person:

Oussama Draissi ist wissenschaftlicher Mitarbeiter am Lehrstuhl für Systemsicherheit an der Universität Duisburg-Essen. Seine Forschung konzentriert sich auf die Entwicklung von Schutzmechanismen und die Analyse von Schwachstellen in Anwendungen auf verschiedenen Plattformen, darunter der Browser, Smart Contracts und RISC-V.

Lebenslauf:

Seit 06/2022

Wissenschaftlicher Mitarbeiter am Lehrstuhl für Systemsicherheit an der Universität Duisburg-Essen

06/2019 - 05/2022

Wissenschaftliche Hilfskraft am Lehrstuhl für Systemsicherheit an der Universität Duisburg-Essen

10/2019 - 03/2022

Masterstudium Software and Network Engineering an der Universität Duisburg-Essen

12/2017 - 05/2019

Studentische Hilfskraft am Lehrstuhl für Systemsicherheit an der Universität Duisburg-Essen

04/2015 - 05/2019

Bachelorstudium Angewandte Informatik - Systems Engineering an der Universität Duisburg-Essen (Abschluss mit B. Sc.)

Titel der Bachelorarbeit: Evaluation of Automated Advanced Information Leak Exploitation for Memory Corruption Attacks    

Publikationen:

• Cloosters, Tobias; Draissi, Oussama; Willbold, Johannes; Holz, Thorsten; Davi, Lucas: Memory Corruption at the Border of Trusted Execution. In: IEEE Security & Privacy, Jg. 2024 (2024), S. 2-11. doi:10.1109/MSEC.2024.3381439BIB DownloadKurzfassungDetails

  Trusted execution environments provide strong security guarantees, like isolation and confidentiality, but are not immune from memory-safety violations. Our investigation of public trusted execution environment code based on symbolic execution and fuzzing reveals subtle memory safety issues.

• Smolka, Sven; Giesen, Jens-Rene; Winkler, Pascal; Draissi, Oussama; Davi, Lucas; Karame, Ghassan; Pohl, Klaus: Fuzz on the Beach: Fuzzing Solana Smart Contracts. In: Proc. of the 30th ACM SIGSAC Conference on Computer & Communications Security (CCS). ACM, Copenhagen, Denmark 2023. BIB DownloadKurzfassungDetails

  Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non- fungible tokens (NFTs). A key reason for its success are Solana’s low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the litera- ture features extensive tooling support for smart contract security, current solutions are largely tailored for the Ethereum Virtual Ma- chine. Unfortunately, the very stateless nature of Solana’s execution environment introduces novel attack patterns specific to Solana requiring a rethinking for building vulnerability analysis methods. In this paper, we address this gap and propose FuzzDelSol, the first binary-only coverage-guided fuzzing architecture for Solana smart contracts. FuzzDelSol faithfully models runtime specifics such as smart contract interactions. Moreover, since source code is not available for the large majority of Solana contracts, FuzzDelSol operates on the contract’s binary code. Hence, due to the lack of semantic information, we carefully extracted low-level program and state information to develop a diverse set of bug oracles covering all major bug classes in Solana. Our extensive evaluation on 6049 smart contracts shows that FuzzDelSol’s bug oracles finds impactful vulnerabilities with a high precision and recall. To the best of our knowledge, this is the largest evaluation of the security landscape on the Solana mainnet.

• Cloosters, Tobias; Paaßen, David; Wang, Jianqiang; Draissi, Oussama; Jauernig, Patrick; Stapf, Emmanuel; Davi, Lucas; Sadeghi, Ahmad-Reza: RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64. In: Proc. of 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022). Limassol, Cyprus 2022. doi:10.1145/3545948.3545997PDFBIB DownloadDetails