Posts by Collection

Lancet: A Formalization Framework for Crash and Exploit Pathology

Published in USENIX Security Symposium (Security), 2025

Vulnerability and exploit analysis are at the heart of soft- ware security research and practice. However, a formalization framework for dissecting the cause, development, and impact of common software errors has been missing. To address this gap, we introduce Lancet, a formalization framework that reliably tracks three distinct types of ownership within its operational semantics that can be used to identify and differ- entiate between various types of vulnerabilities and exploit primitives even in the presence of memory corruption. Addi- tionally, we developed two downstream tools, FCS and EPF, to demonstrate how security analysts can use Lancet for de- tailed crash and exploit analysis. FCS serves as a fast crash triaging tool, aiding patch synthesis in our winning system in the DARPA AIxCC semi-final, while EPF fingerprints the transition of exploitation primitives to facilitate exploit analy- sis. Experiment results show that both tools are efficient and effective.

Download Paper

A Journey of Windows User Service Bug Hunting

Published: March 01, 2022

This agenda is about the journey of Windows User Service Bug Hunting on Symlink TOCTOU.

Stop! Sandboxing Exploitable Functions and Modules Using In-Kernel Machine Learning

Published: August 08, 2024

In this presentation, we will describe and demo a new technique for detecting and stopping the 0-day exploitation in the Linux kernel. This technique enables the dynamic sandboxing of exploitable functions and modules and thus can be deployed in scenarios where critical service interruption and system reboots are unacceptable. Moreover, it incurs minimal performance overhead and memory footprint. Technically, this on-the-fly sandboxing is achieved through two key innovations: (1) an eBPF-based runtime checking mechanism that ensures code integrity, data integrity, and argument authentication of the rest of the kernel, and (2) embedding machine learning models into the kernel that detects malicious exploitation behaviors originating from the sandboxed functions and modules. In this presentation, we will demo this technique using CVE-2022-0995 as a case study and will share detailed results from our measurements. In a bigger picture, this new technique is envisioned to be applied when (1) loading device drivers from untrusted vendors, (2) detecting in-the-wild exploits of 0-day and n-day vulnerabilities, and (3) preventatively sandboxing kernel code that is of low-quality and has been frequently reported vulnerable over a certain period.

Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface

Published: August 08, 2024

Instant messaging application (such as iMessage and WhatsApp) is an important remote attack surface for smartphones, often used by spyware as the first step in APT attacks, and has received great attention in the past. Carrier Based video calling, as a native video calling feature of mobile phones, is also a major remote attack surface for smartphones. We have discovered fatal 0-day vulnerabilities in some native Carrier Based video calling of mobile phones, which have been present for at least 7 years. As long as the target accepts our video call invitation, we can exploit these vulnerabilities to remotely obtain code execution permissions for the target phone’s system. In this session, we will introduce this remote attack surface we have discovered and provide a few examples to illustrate the potential issues and impacts that may arise within this attack surface.

Compartmentalizing Vulnerable Kernel Components Without Stopping the Machine

Published: September 16, 2024

Device drivers are relatively low-quality yet take 70% of the kernel codebase. Thus, attackers can exploit vulnerabilities in them. While compartmentalizing vulnerable drivers can enhance security, existing methods are limited, preventing them from being widely deployed: rebooting the system is necessary which inevitably interrupts services. Syzkaller’s data indicates that avg. 7.62 unique kernel panics are reported per day. It means the machine would need multiple reboots in one day to enforce compartmentalization, which is unacceptable. In this talk, we will explore the potential of on-the-fly enforcement, the main challenge of which lies in handling transition hazards - pre-existing objects are untracked and can be misused. We will demo this attack by exploiting CVE-2022-0995, followed by O2C which aims to mitigate transition hazards. O2C has two key technical innovations: 1. software-based compartmentalization using eBPF. 2. embedding an ML model into the kernel, which lacks floating point support. O2C shows negligible overhead and excellent scalability. Detailed measurement results will be presented in the talk and the code is available at https://github.com/a8stract-lab/o2c.

BinWhisper: LLM-Driven Reasoning for Automated Vulnerability Discovery Behind Hall-of-Fame

Published: August 07, 2025

Vulnerability discovery traditionally relies on two primary approaches: manual auditing and fuzzing. Each method possesses distinct strengths and inherent limitations. Manual auditing is good at identifying complex logic flaws due to its reliance on deep contextual understanding and expert insight, ensuring comprehensive analysis; however, this method is labor-intensive, time-consuming, and heavily dependent on specialized knowledge. Conversely, fuzzing offers automation, scalability, and efficiency, yet it may overlook vulnerabilities that require intricate semantic comprehension or encounter limitations in scenarios where fuzzing is infeasible.