BASS research group

Our research focuses on binary program analysis for automated and semi-automated reverse engineering and vulnerability discovery, as well as other aspects of systems security, including hardware and embedded systems security. We also leverage machine learning where appropriate (through collaboration with our colleagues from the Artificial Intelligence division).

More specifically, our research includes:

New approaches to bridge the gap between static and dynamic program analysis.
Automated verification of low-level firmware code, including IoT and UAV platforms.
Automated verification of boot firmware such as BIOS and UEFI.
Generalizing static program analysis models with machine learning to improve the scalability of current state-of-the-art vulnerability discovery approaches.
FPGA security, in particular, automated reverse engineering to reason about security properties in the context of mixed bitstream/bare-metal code interactions and FPGA-accelerated environments.

news

Jun 28, 2022	Our paper `Harm-Dos` was accepted for publication at RAID’22.
May 10, 2022	Our paper `Arbiter` was accepted for publication at USENIX security ‘22.
May 13, 2021	Our workshop CheckMATE will be collocated with ACM CCS 2021 in Seoul, South Korea! Please check out our CFP.
Apr 10, 2021	Our paper `Bin2Vec` was accepted for publication in Springer’s Cybersecurity journal.

Recent publications

RAID

Harm-DoS: Hash Algorithm Replacement for Mitigating Denial-of-Service Vulnerabilities in Binary Executables

Nicolaas Weideman, Haoda Wang, Tyler Kann, Spencer Zahabizadeh, Wei-Cheng Wu, Rajat Tandon, Jelena Mirkovic, Christophe Hauser,

2022
S&P Workshops

AutoCPS: Control Software Dataset Generation for Semantic Reverse Engineering

Wang, Haoda, Hauser, Christophe, and Garcia, Luis

In 2022 IEEE Security and Privacy Workshops (SPW) 2022

PDF
CCS Workshops

PERFUME: Programmatic Extraction and Refinement for Usability of Mathematical Expression

Weideman, Nicolaas, Felkner, Virginia K., Wu, Wei-Cheng, May, Jonathan, Hauser, Christophe, and Garcia, Luis

In Proceedings of the 2021 Research on Offensive and Defensive Techniques in the Context of Man At The End (MATE) Attacks 2021

PDF
IoTDI

SecDeep: Secure and Performant On-device Deep Learning Inference Framework for Mobile and IoT Devices

Liue, Renju, Garcia, Luis, Liu, Zaoxing, Ou, Botong, and Srivastava, Mani

In Proceedings of the International Conference on Internet of Things Design and Implementation 2021
USENIX

Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs

Jayakrishna Menon Vadayath, Moritz Eckert, Kyle Zeng, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Ruoyu Wang, Tiffany Bao, Christophe Hauser, Yan Shoshitaishvili,

USENIX Security Symposium, 2021

PDF
Cybersecurity

Bin2vec: Learning Representations of Binary Executable Programs for Security Tasks

Shushan Arakelyan, Sima Arasteh, Christophe Hauser, Erik Kline, Aram Galstyan,

Springer Cybersecurity Journal, 2021

PDF
USENIX

I Always Feel Like Somebody’s Sensing Me! A Framework to Detect, Identify, and Localize Clandestine Wireless Sensors

Singh, Akash Deep, Garcia, Luis, Noor, Joseph, and Srivastava, Mani

In USENIX Security Symposium 2021
ACSAC

Sleak: Automating Address Space Layout Derandomization

Christophe Hauser,Jayakrishna Menon, Yan Shoshitaishvili, Ruoyu Wang, Giovanni Vigna and Christopher Kruegel,

35th Annual Computer Security Applications Conference (ACSAC) 2019

Abs BIB PDF

We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.
CODASPY

BootKeeper: Validating Software Integrity Properties on Boot Firmware Images

Ronny Chevalier, Stefano Cristalli, Christophe Hauser, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, Danilo Bruschi and Andrea Lanzi,

ACM CODASPY 2019

Abs BIB PDF

Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware’s loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.
LangSec

A binary analysis approach to retrofit security in input parsing routines

Jayakrishna Menon, Christophe Hauser, Yan Shoshitaishvili and Stephen Schwab,

IEEE Security and Privacy Workshops (SPW) 2018

Abs BIB PDF

In spite of numerous attempts to mitigate memory corruption vulnerabilities in low-level code over the years, those remain the most common vector of software exploitation today. A common cause of such vulnerabilities is the presence of errors in string manipulation, which are often found in input parsers, where the format of input data is verified and eventually converted into an internal program representation. This process, if done manually in an ad-hoc manner, is error prone and easily leads to unsafe and potentially exploitable behavior. While principled approaches to input validation exist, such as those based on parser generators (e.g., Lex [20] and Ragel [28]), these require a formalization of the input grammar, which is not always a straightforward process and tends to dissuade programmers. As a result, a large portion of input parsing routines as found in commodity software is still implemented in an ad-hoc way, causing numerous security issues. We propose to address this problem from a post-development perspective, by targeting software presenting security risks in opaque, closed-source environments where software components have already been deployed and integrated, and where re-implementation is not an option (e.g., as part of an embedded device’s proprietary firmware). Our system is able to effectively detect vulnerability patterns in binary software and to retrofit security mechanisms preventing exploitation. In a semi-automated setting, it was able to discover an unknown security bug.