Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks
TLDR
We present a systematic technique called data-oriented programming (DOP) to construct expressive non-control data exploits for arbitrary x86 programs and show that such attacks are Turing-complete.
Preventing Page Faults from Telling Your Secrets
TLDR
We show that the page fault side-channel has sufficient channel capacity to extract bits of encryption keys from commodity implementations of cryptographic routines in OpenSSL and Libgcrypt -- leaking 27% on average and up to 100% of the secret bits in many cases.
Automatic Generation of Data-Oriented Exploits
TLDR
We develop a new technique called data-flow stitching, which systematically finds ways to join data flows in the program to generate data-oriented exploits.
Neural Nets Can Learn Function Type Signatures From Binaries
TLDR
We present a new system called EKLAVYA which trains a recurrent neural network to recover function type signatures from disassembled binary code.
A Look at Targeted Attacks Through the Lense of an NGO
TLDR
We present an empirical analysis of targeted attacks against a human-rights Non-Governmental Organization (NGO) representing a minority living in China.
Preventing Your Faults From Telling Your Secrets: Defenses Against Pigeonhole Attacks
TLDR
We show that the page fault side-channel has sufficient channel capacity to extract bits of encryption keys from commodity implementations of cryptographic routines in OpenSSL and Libgcrypt -- leaking 27% on average and up to 100% of the secret bits in many cases.
"The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing
TLDR
We show that existing memory vulnerabilities in Chrome's renderer can be used as a stepping-stone to drop executables/scripts in the local file system, install unwanted applications and misuse system sensors.
One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics
TLDR
We propose an inductive method for taint propagation and develop a universal taint tracking engine that is architecture-agnostic.
Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework
TLDR
We propose a unified reference framework to systematically analyze rowhammer attacks, discussing the attack origin and the intended implication, and further providing the methodology for conducting effective rowhammer attacks.
Identifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software
TLDR
A systematic method to detect vulnerable code that leads to arbitrary memory access in real-world software components and programs, when they are transformed to privilege-separated designs.