Other articles

  1. Second factor on VPNs considered harmful

    Due to the risk of "cyber threats", many universities are switching to second factor authentication to log into their VPNs. Many companies moved to second factor for VPN authentication quite some time ago to protect their perimeter from external access. The idea is that users have to provide two factors …

    read more
  2. PhD at EPFL, in Europe

    Every December a lot of prospective students reach out to faculty regarding PhD programs. This is the time where we review the students and assess their skills and potential along many dimensions such as past research, research ideas, engineering capabilities, and systems experience. These discussions along with the submission of …

    read more
  3. Positive reviewing in software security

    Yesterday we concluded the NDSS20 PC meeting. In total, 12% of papers were accepted, 6% now have a short fuse major revision opportunity, in line with other top tier conferences. The PC chairs handled the meeting well, striving for positivity and feedback for the authors. Overall, this was a great …

    read more
  4. The Fuzzing Hype-Train: How Random Testing Triggers Thousands of Crashes

    Software contains bugs and some bugs are exploitable. Mitigations protect our systems in the presence of these vulnerabilities, often stopping the program when detecting a security violation. The alternative is to discover bugs during development and fixing them in the code. Despite massive efforts, finding and reproducing bugs is incredibly …

    read more
  5. SMoTherSpectre: transient execution attacks through port contention

    Side channel attacks such as Spectre or Meltdown allow data leakage from an unwilling process. Until now, transient execution side channel attacks primarily leveraged cache-based side channels to leak information. The very purpose of a cache, that of providing faster access to a subset of data, enables information leakage. While …

    read more
  6. Milkomeda: colliding galaxies or how to repurpose security checks across domains

    On one hand, GPUs expose broad functionality for graphics and machine learning workloads, on the other hand, this functionality may be exploited due to large amounts of unvetted code, complex functionality, and the information gap between user-space application, kernel, and the auxiliary GPU. We introduce a novel framework that allows …

    read more
  7. Automating data-only attacks through Block Oriented Programming (BOP)

    With the rise of strong control-flow defenses such as Control-Flow Integrity (CFI), attackers will increasingly resort to data-only attacks that can be equally powerful. Earlier research demonstrated that data-only attacks can be as devastating as control-flow hijacking attacks. So far, constructing data-only attacks was cumbersome and required deep manual analysis …

    read more

Page 1 / 8 »