Qinrun Dai

Qinrun Dai

Ph.D. student at CU Boulder

Talks and presentations

BinWhisper: LLM-Driven Reasoning for Automated Vulnerability Discovery Behind Hall-of-Fame

August 07, 2025

Briefing, BlackHat USA 2025, Las Vegas

Vulnerability discovery traditionally relies on two primary approaches: manual auditing and fuzzing. Each method possesses distinct strengths and inherent limitations. Manual auditing is good at identifying complex logic flaws due to its reliance on deep contextual understanding and expert insight, ensuring comprehensive analysis; however, this method is labor-intensive, time-consuming, and heavily dependent on specialized knowledge. Conversely, fuzzing offers automation, scalability, and efficiency, yet it may overlook vulnerabilities that require intricate semantic comprehension or encounter limitations in scenarios where fuzzing is infeasible.

Compartmentalizing Vulnerable Kernel Components Without Stopping the Machine

September 16, 2024

Short Topic Presentations, Linux Security Summit 2024 Europe, Vienna, Austria

Device drivers are relatively low-quality yet take 70% of the kernel codebase. Thus, attackers can exploit vulnerabilities in them. While compartmentalizing vulnerable drivers can enhance security, existing methods are limited, preventing them from being widely deployed: rebooting the system is necessary which inevitably interrupts services. Syzkaller’s data indicates that avg. 7.62 unique kernel panics are reported per day. It means the machine would need multiple reboots in one day to enforce compartmentalization, which is unacceptable. In this talk, we will explore the potential of on-the-fly enforcement, the main challenge of which lies in handling transition hazards - pre-existing objects are untracked and can be misused. We will demo this attack by exploiting CVE-2022-0995, followed by O2C which aims to mitigate transition hazards. O2C has two key technical innovations: 1. software-based compartmentalization using eBPF. 2. embedding an ML model into the kernel, which lacks floating point support. O2C shows negligible overhead and excellent scalability. Detailed measurement results will be presented in the talk and the code is available at https://github.com/a8stract-lab/o2c.

Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface

August 08, 2024

Briefing, BlackHat USA 2024, Las Vegas

Instant messaging application (such as iMessage and WhatsApp) is an important remote attack surface for smartphones, often used by spyware as the first step in APT attacks, and has received great attention in the past. Carrier Based video calling, as a native video calling feature of mobile phones, is also a major remote attack surface for smartphones. We have discovered fatal 0-day vulnerabilities in some native Carrier Based video calling of mobile phones, which have been present for at least 7 years. As long as the target accepts our video call invitation, we can exploit these vulnerabilities to remotely obtain code execution permissions for the target phone’s system. In this session, we will introduce this remote attack surface we have discovered and provide a few examples to illustrate the potential issues and impacts that may arise within this attack surface.

Stop! Sandboxing Exploitable Functions and Modules Using In-Kernel Machine Learning

August 08, 2024

Briefing, BlackHat USA 2024, Las Vegas

In this presentation, we will describe and demo a new technique for detecting and stopping the 0-day exploitation in the Linux kernel. This technique enables the dynamic sandboxing of exploitable functions and modules and thus can be deployed in scenarios where critical service interruption and system reboots are unacceptable. Moreover, it incurs minimal performance overhead and memory footprint. Technically, this on-the-fly sandboxing is achieved through two key innovations: (1) an eBPF-based runtime checking mechanism that ensures code integrity, data integrity, and argument authentication of the rest of the kernel, and (2) embedding machine learning models into the kernel that detects malicious exploitation behaviors originating from the sandboxed functions and modules. In this presentation, we will demo this technique using CVE-2022-0995 as a case study and will share detailed results from our measurements. In a bigger picture, this new technique is envisioned to be applied when (1) loading device drivers from untrusted vendors, (2) detecting in-the-wild exploits of 0-day and n-day vulnerabilities, and (3) preventatively sandboxing kernel code that is of low-quality and has been frequently reported vulnerable over a certain period.