Conversation

https://www.usenix.org/conference/usenixsecurity24/presentation/qi System-level emulation and instrumentation is generally slow, but there’s a neat insight in this work into when instrumentation *isn’t* necessary and which basic blocks not to instrument for QEMU-based system-level concolic execution!

https://www.usenix.org/conference/usenixsecurity24/presentation/bulekov this hypervisor emulation and fuzzing tool also looks really interesting and I’m looking forward to trying it out

@kaoudis I've had the pleasure of talking to a couple of the authors of that work - they're doing some good stuff for sure!

https://www.usenix.org/conference/usenixsecurity24/presentation/yang-fangfei I helped a bit with this one. I am amazed by and proud of the amount of solid work that Fangfei did for this ☺️

https://www.usenix.org/conference/usenixsecurity24/presentation/feng-siyue taint analysis across traces to see how well patches did at fixing vulns, but with a fancy Bloom filter to see if a particular code path has been hit before (I look forward to reading this)

https://www.usenix.org/conference/usenixsecurity24/presentation/gibbs 1. mangoes are delicious 2. this static tainted data flow analysis paper looks like a good read (I'm looking forward to learning more about this on Friday, but my first impression is it'll be neat)

@kaoudis@infosec.exchange Hey nice, I just implemented bloom filter path coverage for libafl. I'll have to check out what they did here.

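As an added illustration of the Bloom-filter path-coverage idea the two posts above refer to (this is example code written for this page, not code from the Feng et al. paper or from LibAFL; the path encoding as a SHA-256 digest of the ordered edge list, the double-hashing scheme, the filter sizes and the sample traces are all my own constructed assumptions):

```python
"""Bloom filter over execution paths: a compact "have we seen this path before?" check.

Added example for illustration only; it is not code from the Feng et al. paper or from
LibAFL. The path encoding (SHA-256 of the ordered edge list), the sizes and the
double-hashing scheme are assumptions chosen for this demo.
"""
import hashlib
import math
from typing import Iterable, List, Sequence, Tuple

Edge = Tuple[int, int]  # (src_block_id, dst_block_id); ids are constructed for the demo


def path_digest(edges: Sequence[Edge]) -> bytes:
    """Canonical 32-byte digest of an ordered edge sequence (the 'path').

    Order matters: the same edges in a different order are a different path.
    """
    h = hashlib.sha256()
    for src, dst in edges:
        h.update(src.to_bytes(8, "little"))
        h.update(dst.to_bytes(8, "little"))
    return h.digest()


class PathBloom:
    """Fixed-size bit array with k positions derived by Kirsch-Mitzenmacher double hashing.

    Caveat that matters for coverage guidance: seen() == True may be a false positive
    (a genuinely new path mistaken for an old one and therefore dropped), while
    seen() == False is always correct. Size the filter for the number of paths you
    expect so that the false-positive rate stays acceptable.
    """

    def __init__(self, num_bits: int = 1 << 16, num_hashes: int = 4):
        assert num_bits % 8 == 0
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = bytearray(num_bits // 8)
        self.inserted = 0  # distinct paths that set at least one new bit

    def _positions(self, digest: bytes) -> Iterable[int]:
        h1 = int.from_bytes(digest[:16], "little")
        h2 = int.from_bytes(digest[16:], "little") | 1  # odd step so positions spread
        for i in range(self.num_hashes):
            yield (h1 + i * h2) % self.num_bits

    def seen(self, edges: Sequence[Edge]) -> bool:
        d = path_digest(edges)
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(d))

    def record(self, edges: Sequence[Edge]) -> bool:
        """Insert the path; return True if at least one bit was newly set (path is new)."""
        d = path_digest(edges)
        was_new = False
        for p in self._positions(d):
            mask = 1 << (p & 7)
            if not self.bits[p >> 3] & mask:
                was_new = True
                self.bits[p >> 3] |= mask
        if was_new:
            self.inserted += 1
        return was_new

    def false_positive_rate(self) -> float:
        """Textbook estimate (1 - e^(-k*n/m))^k for the current fill level."""
        k, n, m = self.num_hashes, self.inserted, self.num_bits
        return (1 - math.exp(-k * n / m)) ** k


def dedupe_traces(traces: Sequence[Sequence[Edge]]) -> Tuple[List[Sequence[Edge]], PathBloom]:
    """Return the traces whose path had not been seen before, plus the filled filter."""
    bloom = PathBloom()
    fresh: List[Sequence[Edge]] = []
    for t in traces:
        if bloom.record(t):
            fresh.append(t)
    return fresh, bloom


# Constructed sample traces: one trace is an ordered list of (src, dst) basic-block edges.
SAMPLE_TRACES = [
    [(1, 2), (2, 3), (3, 4)],          # path A
    [(1, 2), (2, 5), (5, 4)],          # path B (other branch)
    [(1, 2), (2, 3), (3, 4)],          # path A again -> duplicate, filtered out
    [(1, 2), (2, 3), (3, 4), (4, 6)],  # path A plus one edge -> new path
]

if __name__ == "__main__":
    fresh, bloom = dedupe_traces(SAMPLE_TRACES)
    print(f"{len(fresh)} of {len(SAMPLE_TRACES)} traces were new paths")
    print(f"estimated false-positive rate now: {bloom.false_positive_rate():.2e}")
```

The point of hashing the whole ordered edge list rather than counting edges individually is that two traces covering the same edges in a different order are still distinct paths; the price is that the filter can only answer "probably seen" or "definitely new", so a path dropped on a false positive is lost unless the filter is sized generously.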
@addison I'll have to check out what *you* did *there*, that sounds pretty sweet!

https://www.usenix.org/conference/usenixsecurity24/presentation/schilling this looks like something that, if viable for real-world use, could make thread sanitizer checks possible for binary-only targets. I love how accessible sanitizers are; they’re the gateway drug of LLVM instrumentation. I am also looking forward to reading this~

@kaoudis@infosec.exchange Haha it's not really public, except a couple old prototypes.

@addison well if it ever does become public, then lmk :D

https://www.usenix.org/conference/usenixsecurity24/presentation/tu the grammar extraction (via automata-based ML) and the differential analysis pieces of this protocol analysis work are neat! grammar extraction is a hard problem.

https://www.usenix.org/conference/usenixsecurity24/presentation/ginesin the lead author is an undergrad and this is a super cool protocol analysis! and their threat model is well articulated in the presentation and I look forward to reading this :D

@kaoudis oh wow, grammar extraction is v much something i hope to work on

@kaoudis didn't realize it was applicable to stuff like this

https://www.usenix.org/conference/usenixsecurity24/presentation/yu-feiyang static taint analysis over chunks of the CFG for side channel detection in transport layer protocols is pretty wild

I really liked the use of dynamic taint analysis on JavaScript engines for prototype pollution detection in this https://www.usenix.org/conference/usenixsecurity24/presentation/cornelissen

@kaoudis I'm such a kid... I giggle every time I read the phrase "taint analysis"

@catsalad I like DIFT (dynamic information flow tracing) better for exactly that reason but nobody knows what it means and taint analysis seems to have stuck as the jargon 🤣

https://www.usenix.org/conference/usenixsecurity24/presentation/schl%C3%BCter the threat model (not the written-out one in the paper, which seems to me at least somewhat disjoint from what I understand from what I am hearing) that underlies this work is interesting; it points out that blindly trusting the hypervisor as part of trusting the cloud provider may not be in the best interest of operators of a VM (or of a confidential VM using a TEE)

https://www.usenix.org/conference/usenixsecurity24/presentation/cao-leo I am excited about anything that wants to make OAuth less terrible, and this not only seems to do that but has a nice clear threat model!

@kaoudis thanks a lot for adding a bunch of new papers to read!

@petrillic for sure, happy to add to the pile heh! I’m mainly trying to make sure I bookmark what *I* want to read and then realized other folks might be interested so started posting them

https://www.usenix.org/conference/usenixsecurity24/presentation/virkud I am less of a fan of ATT&CK than CWE generally, but I find it’s great for having Windows horror stories in your back pocket. Seeing a clear study of how well ATT&CK maps to endpoint detection systems, and how well techniques in it can actually be detected by any of those products studied, is cool 🤩

https://www.usenix.org/conference/usenixsecurity24/presentation/brown some of my coworkers studied software debloating tools and how useful they are (not) at removing usable ROP gadgets from programs!

@kaoudis this is a very interesting study! Thank you for sharing.
It matches up with my own "IRL" experience of doing or leading threat modeling. I _definitely_ lead with by-component or at-interaction iteration then switch to use-case-like things ("what are the usual / most common / spiciest flows across this system?")

cc @adamshostack

I am not convinced that I understand what ChainReactor does yet, but from the talk the gist seems to be that the user writes out the target and objectives for an exploit chain in their DSL and it tells one what exploits one can run to get to the end goal https://www.usenix.org/conference/usenixsecurity24/presentation/de-pasquale

A preliminary study of a brand new CSP directive to prevent transient XSS, "trusted types" https://www.usenix.org/conference/usenixsecurity24/presentation/roth

https://www.usenix.org/conference/usenixsecurity24/presentation/kirchner these folks generated a *bunch* of blind XSS polyglots, tried them on the Google Firing Range to see how good they are, studied why they work, and then tried them in the real world
