0

Fuzzing@Home: Distributed Fuzzing on Untrusted Heterogeneous Clients (to appear)

DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices (to appear)

HardsHeap: A Universal and Extensible Framework for Evaluating Secure Allocators

Secure allocators have been extensively studied to mitigate heap vulnerabilities. They employ safe designs and randomized mechanisms to stop or mitigate heap exploitation. Despite extensive research efforts, secure allocators can only be evaluated by …

Preventing Use-After-Free Attacks with Fast Forward Allocation

Memory-unsafe languages are widely used to implement critical systems like kernels and browsers, leading to thousands of memory safety issues every year. A use-after-free bug is a temporal memory error where the program accidentally visits a freed …

Analyzing Qualcomm Hexagon Emulators via Differential Testing

BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols

Cellular basebands play a crucial role in mobile communication. However, it is significantly challenging to assess their security for several reasons. Manual analysis is inevitable because of the obscurity and complexity of baseband firmware; …

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives

Exploitation techniques to abuse metadata of heap allocators have been widely studied because of their generality (i.e., application independence) and powerfulness (i.e., bypassing modern mitigation). However, such techniques are commonly considered …

Compromising the macOS kernel through Safari by chaining six vulnerabilities

Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser becomes extremely …

Fuzzing JavaScript Engines with Aspect-preserving Mutation

Fuzzing is a practical, widely-deployed technique to find bugs in complex, real-world programs like JavaScript engines. We observed, however, that existing fuzzing approaches, either generative or mutational, fall short in fully harvesting …

REPT: Reverse Debugging of Failures in Deployed Software

Debugging software failures in deployed systems is important because they impact real users and customers. However, debugging such failures is notoriously hard in practice because developers have to rely on limited information such as memory dumps. …