ThinkstScapes

Author: Jacob Torrey, research@thinkst.com, Haroon Meer, Marco Slaviero


Description

The ThinkstScapes podcast aims to distill and disseminate the cybersecurity research published worldwide. Our researchers track and review hundreds and thousands of talks (so you don't have to) and then bring this to you in small, digestible chunks.
10 Episodes

LLMs ain't making life any easier

- Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs
  Tsung-Yin Hsieh, Ben Nassi, Vitaly Shmatikov, and Eugene Bagdasaryan [Slides] [Paper] [Code]
- Tree of Attacks: Jailbreaking Black-Box LLMs Automatically
  Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi [Paper] [Code]
- Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection
  Jacob Torrey [Slides] [Code] [Video]
- Dystopian much: The Rise of the Influence Machines
  Nea Paw [Blog] [Video]

Problems in well-trodden areas

- SMTP Smuggling – Spoofing E-mails Worldwide
  Timo Longin [Blog] [Video]
- Blind CSS Exfiltration: Exfiltrate unknown web pages
  Gareth Heyes [Slides] [Blog] [Code]
- OLE object are still dangerous today – Exploiting Microsoft Office
  wh1tc and Zhiniang Peng [Slides] [Demo Videos]
- The Nightmare of Apple’s OTA Update
  Mickey Jin [Slides] [Blog] [Video]

Reflecting on our efforts

- Evaluating the Security Posture of Real-World FIDO2 Deployments
  Dhruv Kuchhal, Muhammad Saad, Adam Oest, and Frank Li [Paper]
- Talking about Pros and Cons
  Jacob Torrey [Slides] [Video]
- NCC Group’s 2022 & 2023 Research Report
  NCC Group [Paper] [Blog]
- A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lessons Learned
  Orange Tsai [Slides] [Video]

Nifty sundries

- Breaking "DRM" in Polish trains
  MrTick, Redford, and q3k [Video]
- Detection and Blocking with BPF via YAML
  Kevin Sheldrake [Slides] [Code]
- AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis
  Zhiyuan Yu, Shixuan Zhai, and Ning Zhang [Paper] [Code]
- A Good Fishman Knows All the Angles: A Critical Evaluation of Google's Phishing Page Classifier
  Changqing Miao, Jianan Feng, Wei You, Wenchang Shi, Jianjun Huang, and Bin Liang [Paper] [Code]
- Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates
  Ori David [Blog] [Code]
- Operation Triangulation: What You Get When Attack iPhones of Researchers
  Boris Larin, Leonid Bezvershenko, and Georgy Kucherin [Blog] [Video]
- Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping
  Jingyang Hu, Hongbo Wang, Tianyue Zheng, Jingzhi Hu, Zhe Chen, Hongbo Jiang, and Jun Luo [Paper] [Code]

Cryptography still isn’t easy

- certmitm: automatic exploitation of TLS certificate validation vulnerabilities
  Aapo Oksman [Slides] [Code] [Video]
- Escaping Phishermen Nets: Cryptographic Methods Unveiled in the Fight Against Reverse Proxy Attacks
  Ksandros Apostoli [Blog]
- mTLS: When certificate authentication is done wrong
  Michael Stepankin [Slides] [Blog]
- Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth
  Nicolas Bouchinet, Loïc Buckwell, and Gabriel Kerneis [Slides] [Code] [Video]
- HECO: Fully Homomorphic Encryption Compiler
  Alexander Viand, Patrick Jattke, Miro Haller, and Anwar Hithnawi [Slides] [Paper] [Code]

[Continued] attack of the side-channels

- Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings
  Evangelos Bitsikas, Theodor Schnitzler, Christina Pöpper, and Aanjhan Ranganathan [Paper] [Code]
- Downfall: Exploiting Speculative Data Gathering
  Daniel Moghimi [Code] [Paper]
- Your Clocks Have Ears – Timing-Based Browser-Based Local Network Port Scanner
  Dongsung Kim [Slides] [Demo] [Video]

Composition is hard in the cloud

- Using Cloudflare to bypass Cloudflare
  Florian Schweitzer and Stefan Proksch [Blog]
- The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree
  Asaf Greenholts [Slides] [Blog] [Video]
- All You Need is Guest
  Michael Bargury [Slides] [Code]

Nifty sundries

- Contactless Overflow: Critical contactless vulnerabilities in NFC readers used in point of sales and ATMs
  Josep Pi Rodriguez [Slides] [Video]
- Defender-Pretender: When Windows Defender Updates Become a Security Risk
  Omer Attias and Tomer Bar [Slides] [Code]
- Fuzz target generation using LLMs
  Dongge Liu, Jonathan Metzman, and Oliver Chang [Results] [Report] [Blog]
- Route to Bugs: Analyzing the Security of BGP Message Parsing
  Daniel dos Santos, Simon Guiot, Stanislav Dashevskyi, Amine Amri, and Oussama Kerro [Slides] [Code]
- It was harder to sniff Bluetooth through my mask during the pandemic…
  Xeno Kovah [Slides] [Data]

Privacy in the modern era

- IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation
  Erik Rye and Robert Beverly [Slides] [Paper] [Code]
- Device Tracking via Linux’s New TCP Source Port Selection Algorithm
  Moshe Kol, Amit Klein, and Yossi Gilad [Code] [Paper]
- zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infrastructure
  Michael Rosenberg, Jacob White, Christina Garman, and Ian Miers [Paper] [Code]
- 3 Years in China: A Tale of Building a REAL Full Speed Anti-Censorship Router
  KaiJern Lau [Slides] [Code] [Video]

Embedded [in]security

- Embedded Threats: A Deep Dive into the Attack Surface and Security Implications of eSIM Technology
  Markus Vevier [Code] [Video]
- RPMB, a secret place inside the eMMC
  Sergio Prado [Blog]
- Compromising Garmin’s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine
  Tao Sauvage [Blog] [Video] [Slides]
- The Impostor Among US(B): Off-Path Injection Attacks on USB Communications
  Robert Dumitru, Daniel Genkin, Andrew Wabnitz, and Yuval Yarom [Code] [Paper]
- MagBackdoor: Beware of Your Loudspeaker as A Backdoor For Magnetic Injection Attacks
  Tiantian Liu, Feng Lin, Zhangsen Wang, Chao Wang, Zhongjie Ba, Li Lu, Wenyao Xu, and Kui Ren [Code] [Paper]

Issues at the operating system level

- (Windows) Hello from the Other Side
  Dirk-jan Mollema [Slides] [Code]
- Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures
  Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk [Paper] [Code]
- Dirty Bin Cache: A New Code Injection Poisoning Binary Translation Cache
  Koh Nakagawa [Slides] [Code]
- The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders
  Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham [Slides] [Paper] [Code]

Nifty sundries

- EverParse: Secure Binary Data Parsers for Everyone
  Tahina Ramananandro [Slides] [Code]
- InfinityGauntlet: Expose Smartphone Fingerprint Authentication to Brute-force Attack
  Yu Chen, Yang Yu, and Lidong Zhai [Paper]
- It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses
  Soheil Khodayari and Giancarlo Pellegrino [Code] [Paper] [Site]
- Can you trust ChatGPT’s package recommendations?
  Bar Lanyado, Ortal Keizman, and Yair Divinsky [Blog]
- Phoenix Domain Attack: Vulnerable Links in Domain Name Delegation and Revocation
  Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li [Slides] [Paper]
- Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects
  Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, and Ke Xu [Website] [Paper]

- Smashing Web3 transaction simulations for fun and profit
  Tal Be'ery and Roi Vazan [Blog] [Video]
- Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection
  Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz [Paper] [Code] [Demo Website]
- Using ZK Proofs to Fight Disinformation
  Trisha Datta and Dan Boneh [Slides] [Video] [Code] [Blog]
- Crypto Agility and Post-Quantum Cryptography @ Google
  Stefan Kölbl, Anvita Pandit, Rafael Misoczki, and Sophie Schmieg [Code] [Video]
- Server-side prototype pollution: Black-box detection without the DoS
  Gareth Heyes [Blog] [Slides] [Video]
- Phantom of the Pipeline – Abusing Self-Hosted CI/CD Runners
  Adnan Khan, Mason Davis, and Matt Jackoski [Slides] [Code] [Blog]
- Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
  Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef [Slides] [Paper] [Video]
- Let Me Unwind That For You: Exceptions to Backward-Edge Protection
  Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, and Cristiano Giuffrida [Slides] [Paper] [Code]
- Protect the System Call, Protect (Most of) the World with BASTION
  Christopher Jelesnianski, Mohannad Ismail, Yeongjin Jang, Dan Williams, and Changwoo Min [Paper]
- Interoperability in End-to-End Encrypted Messaging
  Esha Ghosh, Paul Grubbs, Julia Len, and Paul Rösler [Slides] [Paper] [Video]
- High Risk Users and Where to Find Them
  Masha Sedova [Paper] [Video]
- Why I write my own security tooling
  James Forshaw [Code] [Video]
- Polynonce: A tale of a novel ECDSA attack and Bitcoin tears
  Marco Macchetti and Nils Amiet [Blog] [Paper] [Code]
- Finding 10x+ Performance Improvements in C++ with CodeQL
  Sean Heelan [Blog] [Code]
- Bridging the gap in the static and dynamic analysis of binaries through decompiler tomfoolery!
  Zion Basque [Code] [Video]

- Hacking the Cloud with SAML
  Felix Wilhelm [Slides] [Video]
- Announcing GUAC, a great pairing with SLSA (and SBOM)!
  Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team [Blog] [Code] [Presentation]
- We sign code now
  William Woodruff [Blog] [Code] [Video]
- Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms
  Csaba Fitzl and Wojciech Regula [Slides]
- Farming The Apple Orchards: Living Off The Land Techniques
  Cedric Owens and Chris Ross [Slides] [Video]
- LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands
  Nasreddine Bencherchali [Blog]
- POPKORN: Popping Windows Kernel Drivers At Scale
  Rajat Gupta, Lukas Patrick Dresel, Noah Spahn, Giovanni Vigna, Christopher Kruegel, and Taesoo Kim [Paper] [Code]
- RC4 Is Still Considered Harmful
  James Forshaw [Blog]
- Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisions
  Tom Tervoort [Paper] [Slides]
- Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service
  Ophir Harpaz and Stiv Kupchik [Slides] [Video]
- Decentralized Identity Attack Surface
  Shaked Reiner [Blog part 1] [Blog part 2]
- Drone Authentication via Acoustic Fingerprint
  Yufeng Diao, Yichi Zhang, Guodong Zhao, and Mohamed Khamis [Slides] [Paper]
- On the Implications of Spoofing and Jamming Aviation Datalink Applications
  Harshad Sathaye, Guevara Noubir, and Aanjhan Ranganathan [Slides] [Paper]
- {JS-ON: Security-OFF}: Abusing JSON-Based SQL Queries
  Noam Moshe [Slides] [SQLMap patch] [Blog]
- Are There Wireless Hidden Cameras Spying on Me?
  Jeongyoon Heo, Sangwon Gil, Youngman Jung, Jinmok Kim, Donguk Kim, Woojin Park, Yongdae Kim, Kang G. Shin, and Choong-Hoon Lee [Slides] [Paper]

- Analyzing the Feasibility and Generalizability of Fingerprinting Internet of Things Devices
  Dilawer Ahmed, Anupam Das, and Fareed Zaffar [Code] [Paper]
- Watching the Watchers: Practical Video Identification Attack in LTE Networks
  Sangwook Bae, Mincheol Son, Dongkwan Kim, CheolJun Park, Jiho Lee, Sooel Son, and Yongdae Kim [Website] [Paper] [Video]
- Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel
  Henrique Teles Maia, Chang Xiao, Dingzeyu Li, Eitan Grinspun, and Changxi Zheng [Slides] [Paper]
- LTrack: Stealthy Tracking of Mobile Phones in LTE
  Martin Kotuliak, Simon Erni, Patrick Leu, Marc Röschlin, and Srdjan Čapkun [Slides] [Paper]
- IRMA's Idemix core: Understanding the crypto behind selective, unlinkable attribute disclosure
  Maja Reissner and Sietse Ringers [Site] [Code] [Video]
- CryptPad: a zero knowledge collaboration platform
  Ludovic Dubost [Code] [Video] [Site]
- drand: publicly verifiable randomness explained
  Yolan Romailler [Video] [Code]
- A dead man’s full-yet-responsible-disclosure system
  Yolan Romailler [Slides] [Code]
- Oops... Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures
  Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk [Slides] [Paper]
- My data in your signed code
  Alex Ivkin [Code] [Video]
- Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification
  Golan Cohen [Video] [Blog]
- TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries
  Marcel Maehren, Philipp Nieting, Sven Hebrok, Robert Merget, Juraj Somorovsky, Jörg Schwenk [Slides] [Website] [Code]
- Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
  Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, Nicolaas Weideman, Gokulkrishna Praveen Menon, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Tiffany Bao, Ruoyu Wang, Christophe Hauser, and Yan Shoshitaishvili [Paper] [Code]
- In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot
  Hammond Pearce, Benjamin Tan, Brendan Dolan-Gavitt, and Baleegh Ahmad [Slides] [Paper]
- Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing
  Ned Williamson [Slides] [Code]
- Someone’s Been Messing With My Subnormals!
  Brendan Dolan-Gavitt [Blog]
- Attacking AAD by abusing the Sync API: The story behind $40K in bounties
  Nestori Syynimaa [Slides] [Code] [Video]
- Towards a Tectonic Traffic Shift? Investigating Apple’s New Relay Network
  Patrick Sattler, Juliane Aulbach, Johannes Zirngibl, Georg Carle [Paper]
- Hiding malware in Docker Desktop's secret virtual machine
  Alex Hope [Blog] [Video]
- Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS
  Orange Tsai [Slides] [Blog]
- Using Trātṛ to tame Adversarial Synchronization
  Yuvraj Patel, Chenhao Ye, Akshat Sinha, Abigail Matthews, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau, and Michael M. Swift [Slides] [Paper]

- I am become loadbalancer, owner of your network
  Nate Warfield [Slides]
- Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones
  Jiska Classen, Alexander Heinrich, Robert Reith, and Matthias Hollick [Slides] [Paper]
- AirTag of the Clones: Shenanigans with Liberated Item Finders
  Thomas Roth, Fabian Freyer, Matthias Hollick, and Jiska Classen [Paper] [Code]
- Are Blockchains Decentralised?
  Evan Sultanik, Alexander Remie, Felipe Manzano, Trent Brunson, Sam Moelius, Eric Kilmer, Mike Myers, Talley Amir, and Sonya Schriner [Blog] [Paper] [Audio]
- What Log4j teaches us about the Software Supply Chain
  Stephen Magill [Slides] [Video]
- Kani Rust Verifier
  Daniel Schwartz-Narbonne and Zyad Hassan [Slides] [Video] [Code]
- Cross-Language Attacks
  Samuel Mergendahl, Nathan Burow, and Hamed Okhravi [Paper]
- Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats
  Giorgio Di Tizio, Michele Armellini, and Fabio Massacci [Paper] [Data]
- AMD Secure Processor for Confidential Computing Security Review
  Cfir Cohen, James Forshaw, Jann Horn, and Mark Brand [Blog] [Paper]
- Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem
  Matt Graebar [Slides]
- A Kernel Hacker Meets Fuchsia OS
  Alexander Popov [Blog] [Video]
- Adaptive Multi-objective Optimization in Gray-box Fuzzing
  Gen Zhang, Pengfei Wang, Tai Yue, Xiangdong Kong, Shan Huang, Xu Zhou, and Kai Lu [Paper]
- Cooper Knows the Shortest Stave: Finding 134 Bugs in the Binding Code of Scripting Languages with Cooperative Mutation
  Xu Peng, Yanhao Wang, Hong Hu, and Purui Su [Slides] [Paper] [Code]
- Bypassing CSP with dangling iframes
  Gareth Heyes [Blog]
- Bypassing Dangling Markup Injection Mitigation Bypass in Chrome
  SeungJu Oh [Bug report] [Blog]
- Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
  Avinash Sudhodanan and Andrew Paverd [Blog] [Paper]

- Hyntrospect: a fuzzer for Hyper-V devices
  Diane Dubois [Slides] [Paper] [Code] [Video]
- Put an io_uring on it: Exploiting the Linux Kernel
  Valentina Palmiotti [Blog]
- The AMD Branch (Mis)predictor: Where No CPU has Gone Before
  Pawel Wieczorkiewicz [Blog part 1] [Blog part 2]
- Dynamic Process Isolation
  Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss, and Michael Schwarz [Paper]
- Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware
  Itai Liba, and Assaf Carlsbad [Blog] [Code]
- Confidential Containers: Bringing Confidential Computing to the Kubernetes Workload Masses
  Samuel Ortiz [Video]
- Kubernetes Meets Confidential Computing - The Different Ways of Scaling Sensitive Workloads
  Moritz Eckert [Video]
- Implementing Post-quantum Cryptography for Developers
  Julius Hekkala, Kimmo Halunen, and Visa Vallivaara [Paper]
- CMUA-Watermark: A Cross-Model Universal Adversarial Watermark for Combating Deepfakes
  Hao Huang, Yongtao Wang, Zhaoyu Chen, Yu Ze Zhang, Yuheng Li, Zhi Tang, Wei Chu, Jingdong Chen, Weisi Lin, and Kai-Kuang Ma [Paper] [Code]
- Leashing the Inner Demons: Self-Detoxification for Language Models
  Canwen Xu, Zexue He, Zhankui He, and Julian McAuley [Paper] [Code]
- Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems
  Wei Jia, Zhaojun Lu, Haichun Zhang, Zhenglin Liu, Jie Wang, and Gang Qu [Paper]
- Synthetic Disinformation Attacks on Automated Fact Verification Systems
  Yibing Du, Antoine Bosselut, Christopher D. Manning [Paper]
- Why No One Pwned Synology at Pwn2Own and Tianfu Cup in 2021
  Eugene Lim, and Loke Hui Yi [Slides]
- DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting
  Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Maurice, Yossi Oren, Romain Rouvoy, Walter Rudametkin, and Yuval Yarom [Paper] [Code]
- Attacking JavaScript Engines in 2022
  Samuel Groß, and Amanda Burnett [Slides]
- Security Analysis of MTE Through Examples
  Saar Amar [Slides] [Video]
- An Armful of CHERIs
  Saar Amar, Nicholas Joly, David Chisnall, Manuel Costa, Sylvan Clebsch, Wes Filardo, Boris Köpf, Robert Norton-Wright, and Matthew Parkison [Blog]

- Sponge Examples: Energy-Latency Attacks on Neural Networks
  Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, and Ross Anderson [Slides] [Paper] [Video]
- How to Use Cheated Cryptography to Overload a Server
  Szilárd Pfeiffer [Slides]
- Bestie: Very Practical Searchable Encryption with Forward and Backward Security
  Tuanyang Chen, Peng Xu, Wei Wang, Yubo Zheng, Willy Susilo, and Hai Jin [Paper]
- Symgrate: A Symbol Recovery Service for ARM Firmware
  Travis Goodspeed & EVM [Site]
- From Graph Queries to Vulnerabilities in Binary Code
  claudiu, fabs, and niko [Slides]
- Fast verified post-quantum software
  Daniel J. Bernstein [Slides]
- AIModel-Mutator: Finding Vulnerabilities in TensorFlow
  Qian Feng, Zhaofeng Chen, Zhenyu Zhong, Yakun Zhang, Ying Wang, Zheng Huang, Kang Li, Jie Hu and Heng Yin [Slides]
- DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification
  Camille Le Bon, Erven Rohou, Frederic Tronel, and Guillaume Hiet [Paper]
- Trojan Source: Invisible Vulnerabilities
  Nicholas Boucher and Ross Anderson [Paper] [Code]
- Who owns your hybrid Active Directory? Hunting for adversary techniques!
  Thirumalai Natarajan Muthiah & Anurag Khanna [Paper]
- Breaking Azure AD joined endpoints in zero-trust environments
  Dirk-jan Mollema [Slides] [Video]
- Going Deeper into Schneider Modicon PAC Security
  Gao Jian [Slides] [Video]
- New Ways of IPv6 Scanning
  Shupeng Gao, Xingru Wu, and Jie Gao [Slides]
- DIY cheap gigabit data diode
  Magnus [Code]
- Bridge your service mesh and AWS
  Santosh Ananthakrishnan & Harihara K Narayanan [Slides]
- GALILEO: In GPS We Trust?
  Áron Szabó, Levente Kovács, and Péter Ligeti [Slides]
- “We wait, because we know you.” Inside the ransomware negotiation economics.
  Pepijn Hack & Harihara K Narayanan [Paper]
- Privacy of DNS-over-HTTPS: Requiem for a dream?
  Levente Csikor, Himanshu Singh, Min Suk Kang, and Dinil Mon Divakaran [Slides]
- Sleight of ARM: Demystifying Intel Houdini
  Brian Hong [Slides] [Video]

Introduction

Episode 1 - 2021/Q3

Thinkst Trends and Takeaways is a show released in conjunction with ThinkstScapes, a written quarterly review of information security research published in both industry and academic venues. Thinkst Labs allocates time to tracking industry research so you don’t have to, specifically looking for novel and unusual work that is impactful--this is not simply a report on bugs or vulnerabilities. Work covered here will include both offensive and defensive topics, and we explore academic publications with the same gusto as industry work. Our target listeners are primarily security practitioners in organizations who are tasked with defending their turf, but offensive-minded folks will also be exposed to new ideas and research we’ve come across.

Full bibliography of referenced works:

Embedded security research

- Precursor: Towards Evidence-Based Trust in Hardware
  Andrew ‘bunnie’ Huang [Video]
- Kernel Pwning with eBPF: a Love Story
  Valentina Palmiotti (@chompie1337) [Paper]
- InternalBlue / Frankenstein / Spectra
  Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick [Slides] [Slides] [Video]
- HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
  Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer [Slides] [Paper] [Video]
- Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
  Chen Cao, Le Guan, Jiang Ming, and Peng Liu [Paper]
- Remote Timing Attacks on TPMs, AKA TPM-Fail
  Daniel Moghimi [Slides]
- Breaking VSM by Attacking SecureKernel
  Saar Amar and Daniel King [Slides]
- Whispers Among the Stars: Perpetrating (and Preventing) Satellite Eavesdropping Attacks
  James Pavur [Slides] [Video]

Exploiting 'Differences of opinion'

- HTTP/2: The Sequel is Always Worse
  James Kettle [Paper]
- Differential Fuzzing of x86-64 Instruction Decoders
  William Woodruff, Niki Carroll, and Sebastiaan Peters [Paper] [Video]
- EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks
  Ben Seri, Gregory Vichnepolsky, and Yevgeny Yusepovsky [Slides] [Paper]
- Light Commands: Laser-Based Audio Injection on Voice-Controllable Systems
  Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu [Slides]
- Interpretable Deep Learning Under Fire
  Xinyang Zhang, Ningfei Wang, Hua Shen, Shouling Ji, Xiapu Luo, and Ting Wang [Slides] [Paper] [Video]
- Hiding Objects from Computer Vision by Exploiting Correlation Biases
  Yin Minn Pa Pa, Paul Ziegler, and Masaki Kamizono [Slides]
- Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL and Wi-Fi
  Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick [Paper]

Defence

- Entangled Watermarks as a Defense Against Model Extraction
  Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot [Paper]
- Hopper: Modeling and Detecting Lateral Movement
  Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey Voelker, and David Wagner [Paper]
- Faking a Factory: Creating and Operating a Realistic Honeypot
  Charles Perine [Slides] [Paper] [Video]
- Do You Speak My Language? Making Static Analysis Engines Understand Each Other
  Ibrahim Mohamed and Manuel Fahndrich [Slides]
- Practical Defenses Against Adversarial Machine Learning
  Ariel Herbert-Voss [Video]

Nifty sundries

- Remote Side-Channel Attacks on Anonymous Transactions
  Florian Tramer, Dan Boneh, and Kenneth G. Paterson [Paper]
- An Observational Investigation of Reverse Engineers’ Processes
  Daniel Votipka, Seth Rabin, Kristopher Micinski, Jeffrey Foster, and Michelle Mazurek [Paper] [Video]
- On the Feasibility of Automating Stock Market Manipulation
  Carter Yagemann, Simon Chung, Erkam Uzun, Sai Ragam, Brendan Saltaformaggio, and Wenke Lee [Paper]
- IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets
  Tohid Shekari and Raheem Beyah [Slides]
- The Dark Age of Memory Corruption Mitigations in the Spectre Era
  Andrea Mambretti and Alexandra Sandulescu [Slides]
- Everything Old is New Again: Binary Security of WebAssembly
  Daniel Mehmann, Johannes Kinder, and Michael Pradel [Slides] [Paper] [Video]
- ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!
  Orange Tsai [Slides]

brought to you by

Most companies find out way too late that they've been breached. Thinkst Canary changes this. Canaries deploy in under 4 minutes and require 0 ongoing admin overhead. They remain silent till they need to chirp, and then, you receive that single alert. When.it.matters. Find out why some of the smartest security teams in the world swear by Thinkst Canary https://canary.love