AI/ML in security

Injecting into LLM-adjacent components

Johann Rehberger

[Blog 1] [Blog 2]

Teams of LLM Agents can Exploit Zero-Day Vulnerabilities

Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang

[Paper] 

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models 

Sergei Glazunov and Mark Brand

[Blog] 

LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks

Saad Ullah, Mingji Han, Saurabh Pujar, Hammond Pearce, Ayse Kivilcim Coskun, and Gianluca Stringhini

[Paper] [Code]

The Impact of Backdoor Poisoning Vulnerabilities on AI-Based Threat Detectors

Dmitrijs Trizna, Luca Demetrio, Battista Biggio, and Fabio Roli

[Slides] [Paper] [Code]

Looking at the whole system

Systems Alchemy: The Transmutation of Hacking

Thaddeus grugq

[Video]

The Boom, the Bust, the Adjust and the Unknown

Maor Shwartz

[Slides]

Poisoning Web-Scale Training Datasets is Practical

Nicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tramèr

[Paper]

Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers

Noam Dahan and Ari Eitan

[Video]

New modalities with which to inflict pain

GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression

Yingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham, and Christopher W. Fletcher

[Paper]

AquaSonic: Acoustic Manipulation of Underwater Data Center Operations and Resource Management

Jennifer Sheldon, Weidong Zhu, Adnan Abdullah, Sri Hrushikesh Varma Bhupathiraju, Takeshi Sugawara, Kevin Butler, Md Jahidul Islam, and Sara Rampazzi

[Paper] [Video]

Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED Captured By Standard Video Cameras

Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, and Yuval Elovici

[Site] [Paper] [Video]

Old components showing the strain

Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks

Yuxiang Yang, Xuewei Feng, Qi Li, Kun Sun, Ziqiang Wang, and Ke Xu

[Blog] [Paper] 

Reliable Payload Transmission Past the Spoofed TCP Handshake

Yepeng Pan and Christian Rossow

[Paper] [Code]

Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

David Klein and Martin Johns

[Paper] [Code]

Practical Exploitation of Registry Vulnerabilities in the Windows Kernel

Mateusz Jurczyk

[Blog] [Video]

Nifty sundries

An Analysis of Recent Advances in Deepfake Image Detection in an Evolving Threat Landscape

Sifat Muhammad Abdullah, Aravind Cheruvu, Shravya Kanchi, Taejoong Chung, Peng Gao, Murtuza Jadliwala, and Bimal Viswanath

[Code] [Paper]

Tracking illicit phishermen in the deep blue Azure

Jacob Torrey

[Slides] [Code]

SEVeriFast: Minimizing the root of trust for fast startup of SEV microVMs

Benjamin Holmes, Jason Waterman, and Dan Williams

[Paper] [Code]

Certiception: The ADCS Honeypot We Always Wanted

Balthasar Martin and Niklas van Dornick

[Blog] [Code] [Slides]