Publications

Satellites are the backbone of mission-critical services that enable our modern society to function, for example, GPS. For years, satellites were assumed to be secure because of their indecipherable architectures and the reliance on security by obscurity. However, technological advancements have made these assumptions obsolete, paving the way for potential attacks. Unfortunately, there is no way to collect data on satellite adversarial techniques, hindering the generation of intelligence that leads to the development of countermeasures. In this paper, we present HoneySat, the first high-interaction satellite honeypot framework, capable of convincingly simulating a real-world CubeSat, a type of Small Satellite (SmallSat). To provide evidence of HoneySat’s effectiveness, we surveyed SmallSat operators and deployed HoneySat over the Internet. Our results show that 90% of satellite operators agreed that HoneySat provides a realistic simulation. Additionally, HoneySat successfully deceived adversaries in the wild and collected 22 real-world adversarial interactions. Finally, we performed a hardware-in-the-loop operation where HoneySat successfully communicated with an in-orbit, operational SmallSat mission.

As part of the UEFI standard, System Management Mode (SMM) was introduced on x86 processors to handle critical hardware events. With strict access control to this operating mode, SMM applications run at a high privilege level (known as Ring -2), in which they have (almost) unlimited access to system resources. However, vendors commonly use memory-unsafe system programming languages to develop SMM applications, which makes them vulnerable to memory corruption and an appealing target for attackers. Fuzzing is an effective method for detecting memory corruption vulnerabilities across a wide range of applications. Unfortunately, existing approaches for testing SMM applications lack a UEFI runtime environment to properly support SMM application execution. Without this environment, application data is often not correctly initialized. Once such uninitialized data is accessed during fuzzing, it causes premature exits or unintentional crashes. As a result, existing methods can only explore shallow parts and often produce high false-positive rates. In this paper, we propose SmuFuzz, a fuzzing framework designed to detect vulnerabilities in closed-source SMM applications distributed by vendors. SmuFuzz overcomes prior limitations by partially rehosting SMM applications within a custom infrastructure that provides a fully featured UEFI runtime environment. This infrastructure provides the necessary dependencies and runtime for SMM application preparation, initialization, and finalization. In addition, SmuFuzz automatically infers the complex SMM application input semantics for deep exploration. In our experiment, SmuFuzz achieved 4.45x higher unique basic block coverage compared to state-of-the-art fuzzers. It also found more vulnerabilities while significantly reducing false positives. Using SmuFuzz, we identified 38 new vulnerabilities in firmware from major vendors, all of which were disclosed responsibly.

Bootloaders are critical components in the boot chain of modern systems, responsible for initializing hardware and loading the operating system. This paper presents a comprehensive analysis of memory safety vulnerabilities in popular bootloader implementations.

Video hardware acceleration stacks are complex systems that process video data through specialized hardware units. This paper presents TwinFuzz, a novel differential testing approach designed to discover vulnerabilities in video hardware acceleration stacks.

This paper explores the concept of inter-satellite friendly jamming as a defensive mechanism against malicious interference in satellite constellations.

This paper investigates the feasibility of implementing application sandboxing mechanisms in resource-constrained CubeSat environments for enhanced space mission security.

This paper provides a comprehensive systematization of knowledge on the security of Programmable Logic Controllers (PLCs), analyzing current threats, defenses, and research gaps in industrial control systems.

This paper presents the first comprehensive experimental security analysis of satellite software systems, identifying multiple classes of vulnerabilities and attack vectors.

This paper presents Fuzzware, a framework for effective firmware fuzzing using precise Memory-Mapped I/O (MMIO) modeling techniques.

This paper presents Loki, a novel approach to hardening code obfuscation against automated attacks by incorporating adversarial machine learning techniques.

This paper presents Nyx-net, a novel network fuzzing framework that leverages incremental snapshots to achieve high-performance network protocol testing.

This paper presents Nyx, a greybox hypervisor fuzzing framework that uses fast snapshots and affine types for effective vulnerability discovery in hypervisors.

Technical report providing detailed analysis of hardening code obfuscation techniques against automated reverse engineering attacks.

This paper presents AURORA, a system for automated root cause explanation of software crashes through statistical analysis techniques.

This paper presents HYPER-CUBE, a novel approach for high-dimensional hypervisor fuzzing to discover security vulnerabilities in virtualization systems.

This paper presents IJON, a fuzzing technique for exploring deep state spaces in complex software systems through guided exploration methods.

This paper presents ANTIFUZZ, techniques for impeding fuzzing audits of binary executables to protect software from security analysis.

This paper analyzes the unique challenges in designing exploit mitigations for deeply embedded systems with severe resource constraints.

This presentation reveals hidden debug interfaces and backdoors in Siemens S7 programmable logic controllers, demonstrating novel attack vectors.

This paper presents GRIMOIRE, a fuzzing technique that synthesizes structure while fuzzing to improve coverage and vulnerability discovery.

This presentation provides a detailed security analysis of the QNX real-time operating system commonly used in automotive and embedded systems.

This PhD thesis presents a comprehensive approach to embedded control systems binary security with focus on industrial control system protection.

This paper presents ECFI, an asynchronous control flow integrity mechanism specifically designed for programmable logic controllers.

This work investigates the feasibility of detecting pin control attacks in programmable logic controllers and proposes detection mechanisms.

This paper analyzes the importance of understanding industrial processes for conducting effective attacks against industrial control systems.

This paper presents Shield, a configurable mitigation framework for code-reuse attacks specifically designed for embedded systems.

This paper demonstrates stealth techniques for low-level manipulation of PLC I/O through pin control exploitation methods.

This work presents techniques for designing undetectable rootkits for programmable logic controllers using pin control attacks.

This work demonstrates stealth techniques for on-the-fly manipulation of PLC I/O systems without detection.

This presentation demonstrates advanced persistent threat techniques for evading emulation-based network intrusion detection systems.

This paper analyzes emulation-based network intrusion detection systems and their effectiveness against modern attack techniques.

This presentation outlines Project IRUS, a comprehensive approach to both attacking and defending industrial control systems.

This paper presents a gray-box intrusion detection technique based on deterministic pushdown automata using system-call monitoring.