Lucas Davi's research while affiliated with University of Duisburg-Essen and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
Publications (97)
Solana has quickly emerged as a popular platform for building decentralized applications (DApps), such as marketplaces for non-fungible tokens (NFTs). A key reason for its success are Solana's low transaction fees and high performance, which is achieved in part due to its stateless programming model. Although the literature features extensive tooli...
Remote attestation allows validating the trustworthiness of a remote device. Existing attestation schemes either require hardware changes, trusted computing components, or rely on strict timing constraints. In this paper, we present a novel remote attestation approach, called DMA’n’Play, that tackles these practical limitations by leveraging DMA (d...
Smart contracts are increasingly being used to manage large numbers of high-value cryptocurrency accounts. There is a strong demand for automated, efficient, and comprehensive methods to detect security vulnerabilities in a given contract. While the literature features a plethora of analysis methods for smart contracts, the existing proposals do no...
Memory safety in complex applications implemented in unsafe programming languages such as C/C++ is still an unresolved problem in practice. Many different types of defenses have been proposed in the past to mitigate this problem. The most promising next step is a tighter integration of the hardware and software level: modern mitigation techniques a...
In spite of their popularity, developing secure smart contracts remains a challenging task. Existing solutions are either impractical as they do not support many complex real-world contracts or leave the burden to developers for fixing bugs. In this paper, we propose the first practical smart contract compiler, called HCC, which automatically inser...
Fuzzing has become one of the most popular techniques to identify bugs in software. To improve the fuzzing process, a plethora of techniques have recently appeared in academic literature. However, evaluating and comparing these techniques is challenging as fuzzers depend on randomness when generating test inputs. Commonly, existing evaluations only...
Fuzzing has become one of the most popular techniques to identify bugs in software. To improve the fuzzing process, a plethora of techniques have recently appeared in academic literature. However, evaluating and comparing these techniques is challenging as fuzzers depend on randomness when generating test inputs. Commonly, existing evaluations only...
Both the shift towards attacks on the microarchitectural CPU level and the ongoing transition towards cloud computing and shared VM hosts have increasingly drawn attention towards cache attacks. In these fields of application, cache side-channels lay the cornerstone that is leveraged by attackers to exfiltrate secret information from the CPU microa...
The field of computer hardware stands at the verge of a revolution driven by recent breakthroughs in emerging nanodevices. 'Nano Security' is a new Priority Program recently approved by DFG, the German Research Council. This initial-stage project initiative at the crossroads of nano-electronics and hardware-oriented security includes 11 projects wi...
Recent attacks exploiting errors in smart contract code had devastating consequences thereby questioning the benefits of this technology. It is currently highly challenging to fix errors and deploy a patched contract in time. Instant patching is especially important since smart contracts are always online due to the distributed nature of blockchain...
Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. In this paper, we show that the attack surface of...
Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common be...
Modern cars increasingly deploy complex software systems consisting of millions of lines of code that may be subject to cyber attacks. An infamous example is the Jeep hack which allowed an attacker to remotely control the car engine by just exploiting a software bug in the infotainment system. The digitalization and connectivity of modern cars dema...
![Figure 2. Sample contract vulnerable to re-entrancy attacks [10]: the...](profile/Ghassan-Karame/publication/348915398/figure/fig2/AS:985850661851136@1612056522325/Sample-contract-vulnerable-to-re-entrancy-attacks-10-the-upper-parts-shows-the_Q320.jpg)
Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have...
![Figure 2. Sample contract vulnerable to re-entrancy attacks [10]: the...](profile/Ghassan-Karame/publication/329705851/figure/fig2/AS:704685207982084@1545021454750/Sample-contract-vulnerable-to-re-entrancy-attacks-10-the-upper-parts-shows-the_Q320.jpg)
Recently, a number of existing blockchain systems have witnessed major bugs and vulnerabilities within smart contracts. Although the literature features a number of proposals for securing smart contracts, these proposals mostly focus on proving the correctness or absence of a certain type of vulnerability within a contract, but cannot protect deplo...
Hardware security architectures and primitives are becoming increasingly important in practice providing trust anchors and trusted execution environment to protect modern software systems. Over the past two decades we have witnessed various hardware security solutions and trends from Trusted Platform Modules (TPM), performance counters for security...
Control-Flow Integrity (CFI) is a promising and general defense against control-flow hijacking with formal underpinnings. A key insight from the extensive research on CFI is that its effectiveness depends on the precision and coverage of a program's Control-Flow Graph (CFG). Since precise CFG generation is highly challenging and often difficult, ma...
Just-in-time return-oriented programming (JIT-ROP) is a powerful memory corruption attack that bypasses various forms of code randomization. Execute-only memory (XOM) can potentially prevent these attacks, but requires source code. In contrast, destructive code reads (DCR) provide a trade-off between security and legacy compatibility. The common be...
With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the...
Attacks targeting software on embedded systems are becoming increasingly prevalent. Remote attestation is a mechanism that allows establishing trust in embedded devices. However, existing attestation schemes are either static and cannot detect control-flow attacks, or require instrumentation of software incurring high performance overheads. To over...
With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the...
Attacks targeting software on embedded systems are becoming increasingly prevalent. Remote attestation is a mechanism that allows establishing trust in embedded devices. However, existing attestation schemes are either static and cannot detect control-flow attacks, or require instrumentation of software incurring high performance overheads. To over...
Instruction set randomization (ISR) was initially proposed with the main goal of countering code-injection attacks. However, ISR seems to have lost its appeal since code-injection attacks became less attractive because protection mechanisms such as data execution prevention (DEP) as well as code-reuse attacks became more prevalent. In this paper, w...
Rowhammer is a hardware bug that can be exploited to implement privilege escalation and remote code execution attacks. Previous proposals on rowhammer mitigation either require hardware changes or follow heuristic-based approaches (based on CPU performance counters). To date, there exists no instant protection against rowhammer attacks on legacy sy...
Recent literature on iOS security has focused on the malicious potential of third-party applications, demonstrating how developers can bypass application vetting and code-level protections. In addition to these protections, iOS uses a generic sandbox profile called "container" to confine malicious or exploited third-party applications. In this pape...
Remote attestation is a crucial security service particularly relevant to increasingly popular IoT (and other embedded) devices. It allows a trusted party (verifier) to learn the state of a remote, and potentially malware-infected, device (prover). Most existing approaches are static in nature and only check whether benign software is initially loa...
In order to limit the damage of malware on Mac OS X and iOS, Apple uses sandboxing, a kernel-level security layer that provides tight constraints for system calls. Particularly used for Apple iOS, sandboxing prevents apps from executing potentially dangerous actions, by defining rules in a sandbox profile. Investigating Apple's built-in sandbox pro...
Control-flow integrity (CFI) is a general defense against code-reuse exploits that currently constitute a severe threat against diverse computing platforms. Existing CFI solutions (both in software and hardware) suffer from shortcomings such as (i) inefficiency, (ii) security weaknesses, or (iii) are not scalable. In this paper, we present a generi...
The emerging and much-touted Internet of Things (IoT) presents a variety of security and privacy challenges. Prominent among them is the establishment of trust in remote IoT devices, which is typically attained via remote attestation, a distinct security service that aims to ascertain the current state of a potentially compromised remote device. Re...
Industrial control systems (ICSs) are transitioning from legacy-electromechanical-based systems to modern information and communication technology (ICT)-based systems creating a close coupling between cyber and physical components. In this paper, we explore the ICS cybersecurity landscape including: 1) the key principles and unique aspects of ICS o...
Ever since the emergence of randomizing defenses such as address space layout randomization, ASLR, attackers have shown great creativity in developing methods to circumvent these protections. Known bypasses rely on one of the following strategies: i) target program aspects unaffected by randomization, ii) repeat probing attack until it succeeds by...
The lower layers in the modern computing infrastructure are written in languages threatened by exploitation of memory management errors. Recently deployed exploit mitigations such as control-flow integrity (CFI) can prevent traditional return-oriented programming (ROP) exploits but are much less effective against newer techniques such as Counterfei...
At the core of any approach to software diversity, whether performed manually by programmers or automatically by a compiler or binary rewriter, is a set of randomizing transformations that make functionally equivalent program copies diverge. A second distinguishing factor among approaches is when diversity is introduced in the software life cycle....
In this section we describe our own compile-time diversification engine in sufficient detail. We provide information on implementation details of our transformations. Next, we discuss compiletime diversification scalability and how this affects costs. Finally, we present the results of careful detailed logical evaluation of our system. Using a logi...
While the security and performance implications of diversified software are well understood, several practical concerns remain to be addressed. In addition, existing research has not fully explored the protective qualities of diversified software nor has it reached consensus on how to evaluate the efficacy of software diversity with respect to the...
The life cycle of most software follows a similar trajectory: implementation, compilation, linking, installation, loading, executing, and updating. Variations arise because some types of software, typically scripts, are distributed in source form. Figure 3.7 on page 23 shows how the approaches that we survey fit into the software life cycle. Some a...
Attackers and defenders in cyberspace engage in a continuous arms race. As new attacks appear, new defenses are created in response—leading to increased complexity in both cases. To motivate a study of software diversity, we briefly summarize the evolution and current state of computer security.
Modern runtime exploits perform malicious program actions based on the principle of code-reuse. These attacks require no code injection, bypass widely deployed defense mechanisms, allow Turing-complete computation, can be applied to many processor architectures, and are highly challenging to prevent.
In general, control-flow attacks allow an adversary to subvert the intended execution-flow of a program by exploiting a program error. For instance, a buffer overflow error can be exploited to write data beyond the boundaries of the buffer. As a consequence, an adversary can overwrite critical control-flow information which is located close to the...
The basic observation is that an adversary typically generates an attack vector and aims to simultaneously compromise as many systems as possible using the same attack vector (i.e., one attack payload). To mitigate this so-called ultimate attack, Cohen proposes to diversify a software program into multiple and different instances while each instanc...
In particular, Abadi et al. [2, 4] suggest a label-based CFI approach, where each CFG node is marked with a unique label ID that is placed at the beginning of a BBL. In order to preserve the program’s original semantics, the label is either encoded as an offset into a x86 cache prefetch instruction or as simple data word. Inserting labels into a pr...
Automated Software Diversity
Synthesis Lectures on Information Security, Privacy, and Trust
December 2015, 88 pages, (doi:10.2200/S00686ED1V01Y201512SPT014)
Per Larsen
Immunant, Inc., USA
Stefan Brunthaler
SBA Research, Vienna, Austria
Lucas Davi
Technische Universität Darmstadt, Germany
Ahmad-Reza Sadeghi
Technische Universität Darmstadt, Germany...
Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack va...
Adversaries exploit memory corruption vulnerabilities to hijack a program's control flow and gain arbitrary code execution. One promising mitigation, control-flow integrity (CFI), has been the subject of extensive research in the past decade. One of the core findings is that adversaries can construct Turing-complete code-reuse attacks against coars...
Code-reuse attacks like return-oriented programming (ROP) pose a severe threat to modern software on diverse processor architectures. Designing practical and secure defenses against code-reuse attacks is highly challenging and currently subject to intense research. However, no secure and practical system-level solutions exist so far, since a large...
Code reuse attacks such as return-oriented programming
(ROP) have become prevalent techniques to exploit memory
corruption vulnerabilities in software programs. A variety of
corresponding defenses has been proposed, of which some have
already been successfully bypassed—and the arms race continues.
In this paper, we perform a systematic assessment o...
Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all sol...
Until very recently it was widely believed that iOS malware is effectively blocked by Apple's vetting process and application sandboxing. However, the newly presented severe malicious app attacks (e.g., Jekyll) succeeded to undermine these protection measures and steal private data, post Twitter messages, send SMS, and make phone calls. Currently,...
![Figure 1: High-level overview of a JIT-ROP attack [51].](profile/Per-Larsen-3/publication/283846795/figure/fig1/AS:668971258884112@1536506585762/High-level-overview-of-a-JIT-ROP-attack-51_Q320.jpg)
Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in err...
This book provides an in-depth look at return-oriented programming attacks. It explores several conventional return-oriented programming attacks and analyzes the effectiveness of defense techniques including address space layout randomization (ASLR) and the control-flow restrictions implemented in security watchdogs such as Microsoft EMET. Chapters...
Code reuse attacks such as return-oriented programming (ROP) are predominant attack techniques that are extensively used to exploit vulnerabilities in modern software programs. ROP maliciously combines short instruction sequences (gadgets) residing in shared libraries and the application's executable to bypass data execution prevention (DEP) and la...
Embedded systems have become pervasive and are built into a vast number of devices such as sensors, vehicles, mobile and wearable devices. However, due to resource constraints, they fail to provide suffcient security, and are particularly vulnerable to runtime attacks (code injection and ROP). Previous works have proposed the enforcement of control...
Recently, various security extensions have been proposed to tackle security and privacy issues of mobile devices. In general, the proposed solutions target different operating systems, platforms, and particularly different layers of the software stack. An abstract view of the different software layers a security extension may target is shown in Fig...
In this chapter, we compare the mobile platforms introduced in Chapter 3. We use the main concepts and design decisions identified as part of the platform security model (Chapter 2) as our comparison points. Although all currently significant mobile platforms support a similar platform security architecture, there are many, sometimes subtle, differ...
In this chapter we describe six mobile platforms and discuss their security architectures with respect to the platform security model introduced in Chapter 2. For our analysis, we have chosen two historically significant mobile platforms, Java ME and Symbian, two currently popular platforms, Android and iOS, and two other mobile platforms, MeeGo an...
Many commercial enterprise security extensions have been deployed to enhance the platform security mechanisms described in Chapter 2. These extensions modify different layers of the mobile platforms (OS kernel, middleware, application layer) to enforce security policies defined by an administrator. Security policies allow the administrator to defin...
As a part of the platform security model description in Chapter 2, we identified two types of hardware security functionalities. First, security mechanisms that are needed by the software-based platform security architecture: platform boot integrity and secure storage. Second, hardware security services that can be used by applications: device iden...
In this chapter, we define a generic model for mobile platform security architectures. Our objective is to use the model to explain commonly used security mechanisms and components in mobile devices. Many aspects of the model are present in all currently noteworthy mobile platforms while others are present only in a subset. The model incorporates h...
Download Free Sample
Recently, mobile security has garnered considerable interest in both the research community and industry due to the popularity of smartphones. The current smartphone platforms are open systems that allow application development, also for malicious parties. To protect the mobile device, its user, and other mobile ecosystem stake...
Return-oriented programming (ROP) offers a powerful technique for undermining state-of-the-art security mechanisms, including non-executable memory and address space layout randomization. To mitigate this daunting attack strategy, several in-built defensive mechanisms have been proposed. In this work, we instead focus on detection techniques that d...
Apple iOS is one of the most popular mobile operating systems. As its core security technology, iOS provides application sandboxing but assigns a generic sandboxing profile to every third-party application. However, recent attacks and incidents with benign applications demonstrate that this design decision is vulnerable to crucial privacy and secur...
Code reuse attacks such as return-oriented programming are one of the most powerful threats to contemporary software. ASLR was introduced to impede these attacks by dispersing shared libraries and the executable in memory. However, in practice its entropy is rather low and, more importantly, the leakage of a single address reveals the position of a...
Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this paper, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, that undermines the benefits of fine-grained ASLR. Specifically, we derail...
Android's security framework has been an appealing sub-ject of research in the last few years. Android has been shown to be vulnerable to application-level privilege esca-lation attacks, such as confused deputy attacks, and more recently, attacks by colluding applications. While most of the proposed approaches aim at solving confused deputy at-tack...
The enormous growth of mobile devices and their app mar-kets has raised many security and privacy concerns. Run-time attacks seem to be a major threat, in particular, code-reuse attacks that do not require any external code injection (e.g., return-to-libc or return-oriented programming). We present, for the first time, a code transformation tool th...
Runtime and control-flow attacks (such as code injec-tion or return-oriented programming) constitute one of the most severe threats to software programs. These attacks are prevalent and have been recently applied to smartphone applications as well, of which hundreds of thousands are downloaded by users every day. While a framework for control-flow...
The flexibility and computing power of modern smartphones to install and execute various applications allows for a rich user experience but also imposes several security concerns. Smartphones that are used both for private and corporate purposes do not separate the data and applications of different security domains, and users are usually too unski...
In this paper we present the design and implementation of a security framework that extends the reference monitor of the Android middleware and deploys a mandatory access control on Linux kernel (based on Tomoyo [9]) aiming at detecting and preventing application-level privilege escalation attacks at runtime. In contrast to existing solutions, our...