Our new research work “Cerberus” in the area of SPS (Software-defined Programmable Security) is accepted by IEEE S&P’24. This work shows that even with limited resources on existing programmable switches, we can now run multiple concurrent in-network security monitoring tasks so we can defend against diverse, high-volume, and dynamic attacks previous solutions could not handle. Cerberus can actually enhance the concurrency and capacity of programmable switches by an order of magnitude! We’ll release our prototype very soon. Congratulations again for the amazing work, Huancheng!
Release
We are releasing SysFlow: the first programmable zero trust (ZT) framework for system security!
Our SysFlow work will appear in IEEE Transactions on Information Forensics and Security (TIFS) 2023. SysFlow is the first programmable zero trust (ZT) framework for system security! It presents a novel system security development framework for programmable ZT security control of host system activities at runtime. It offers unprecedented and unified programmability for users to achieve their dynamic security needs. Read our paper (here) and try to use our prototype system here. Now you can build your own security applications on top of that!
Hidden Property Abusing (HPA) paper accepted to USENIX Security’21!
We discovered a new type of security issue in Node.js ecosystem (named HPA, Hidden Property Abusing) and developed a new detection and verification tool, Lynx (released here). Congratulations, Feng & Jianwei!
New web vulnerability (SW-XSS) and detection tool released
Our work on discovering a new type of Web vulnerability, namely Service Worker based Cross-Site Scripting (SW-XSS), will appear in ACSAC’20. The artifacts (including VM and new detection tool source code) are also released (check here). Congratulations, Patrick!
SVHunter (from our S&P’20 paper) code released!
SVHunter is a novel tool to pinpoints a wide range of sensitive methods in SDN controllers and create data dependencies to attack these methods. The source code is available here.
See our S&P’20 paper for more details: Feng Xiao, Jinquan Zhang, Jianwei Huang, Guofei Gu, Dinghao Wu, Peng Liu. “Unexpected Data Dependency Creation and Chaining: A New Attack to SDN.” In Proc. of the 41st IEEE Symposium on Security and Privacy (S&P’20), San Francisco, CA, May 2020. [pdf] [bib]
LipFuzzer (from our NDSS’19 paper) code released!
LipFuzzer is a new linguistic knowledge assisted fuzzing approach to assess the security of emerging vApps (e.g., Amazon Alexa, Google Assistant). The source code is now available. Please check out the project page here.
See our NDSS’20 paper for more details: Yangyong Zhang, Lei Xu, Abner Mendoza, Guangliang Yang, Phakpoom Chinprutthiwong, Guofei Gu. “Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications.” In Proc. of the Network and Distributed System Security Symposium (NDSS’19), San Diego, California, Feb. 2019. [pdf] [bib]
FRESCO source code released!
Our FRESCO is upgraded to the Floodlight plaform. The FRESCO source code and module/app store are now released! Please check our project website here for details.