IEEE S&P
2023
Practical Program Modularization with Type-Based Dependence Analysis
TODO
WaVe: a verifiably secure WebAssembly sandboxing runtime
2022
Wobfuscator: Obfuscating JavaScript Malware via Opportunistic Translation to WebAssembly
WebAssembly provides attackers a new and so far unexplored opportunity for evading malware detectors.
Evaluation is based on 3 research questions (RQs):
- RQ1: Effectiveness
- RQ2: Correctness
- RQ3: Efficiency
Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation
2020
SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation
Motivation: user-mode hardware features are not fast.
SMAP requires 8.6 cycles, faster than MPK (18.9 cycles).
Separate the process from the kernel: run the targeted process at ring 0 and place the OS kernel at ring -1.
Challenges
- Distinguishing SMAP reads and writes (shared-memory-based read/write separation).
- Preventing leakage or manipulation of privileged data structures (redirect syscall to vmcall).
- Preventing abuse of privileged hardware features (identify privileged instructions and sanitize them).
SEIMI is a kernel module with 3 key components:
- memory management
- privileged instructions prevention
- events redirection
2019
Spectre Attacks: Exploiting Speculative Execution
2009
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
TODO