Who am I?
I am a software security researcher and program analysis enthusiast. Particularly I am interested in studying various techniques of performing program fuzzing and testing for COTS binaries.
In this regard, I have implemented multiple security testing frameworks, such as Tainer (for Java), RustFuzz (for Rust), and Etherolic (for Ethereum). The results of my research projects have been published in top-notch conferences and achieved the best paper awards.
I used to work for the University of Potsdam and CISPA. I am also the founder and CEO of
Hobby Small Projects
Sometimes, I like to work on some small ideas as a hobby and share their code on my Githubn. Here you can find some of thoese, you can always check out my GitHub for new things I release.
- IRIS - Input generator for smart contracts
- Coin Market Scrapper - Cryptocurrency price history scrapper (Python)
- Persimmon FileWip3r - A minimalistic and quick file wiper for Windows
- Java Research Ransomware - Educational ransomware using the AES encryption algorithm in Java for research purposes
- JavaDTA - Taint analyzer for finding vulnerabilities in the J2EE bytecodes.
- Flare - A JVM bytecode obfuscator targeting Java and Scala.
- RustyJVM - High-performance JVM written in Rust
- Jnock - A scalable bytecode instrumentation library for Java and Scala.
- Fingerist - A static-dynamic web analyzer for identifying sneaking device fingerprinters
- Scalayzer - A hybrid security analyzer for Scala.
- Face Recognition in OpenCV & Python - Face Detection in Python Using Webcam/Image files
Kaizen: An Effective Security Analyzer and Automatic Exploit Generation System for Scala
Scala is an open-source programming language created by Martin Odersky in 2001 and released under the BSD or Berkeley Soware Distribution license. The language consolidates object-oriented and functional programming in one high-level and robust language. Scala also maintains static types that help to reduce tricky errors during the execution time. In this paper, we introduce "Kaizen" as a practical security analysis tool that works based on concolic fuzzing for evaluating real-world Scala applications. To evaluated our approach, we have analyzed 1,000 popular Scala projects existing on GitHub. As a result, Kaizen could report and exploit 101 security issues; some of those have not been reported before. Furthermore, the outcome of our performance analysis on the ScalaBench test suite demonstrates 49% runtime overhead that proves the usefulness of Kaizen for security testing in the Scala ecosystem.
Asterisk: Secure Programming Language for Smart Contracts
In this research, I introduced Asterisk as a new statically-typed programming language that is built on top of the Scala compiler. This new programming language is particularly designed for building safe and reliable Ethereum smart contracts. Because the Ethereum platform supports the execution of decentralized programs (i.e., smart contracts), Asterisk can have broad applications in new domains of technology such as financial system, health care, and 5G networks. Moreover, Ethereum operates the second-largest cryptocurrency after Bitcoin, typically for holding and transferring digital assets on the blockchain platform. Consequently, the role of smart contract compilers is even more important in generating portable, secure, and predictable code under real-world circumstances in the blockchain network. Accordingly, Asterisk aims to empower the Ethereum community to deploy robust code for business-critical and high-value use cases. Asterisk’s compilation architecture leverages Scala, and therefore, the generated smart contracts by Asterisk are cross-platform in the sense that a compiled contract runs on all platforms for which there exists a Java Virtual Machine (JVM). The compiler structure also supports formal verification to guarantee the reliability and safety of the bytecode produced by Asterisk at runtime.
Unveiling Some Untold Facts Regarding Stuxnet a Decade After the Attack
Stuxnet is a computer worm, which emerged during the summer of 2010 to infiltrate numerous computer systems. The worm is a military-class cyberweapon that was used to launch a destructive attack against Iran nuclear centrifuges. Stuxnet operates in three main steps by analyzing the targeted networks and computer systems to gain access to the automated program logic controllers. Having infiltrated these machines, Stuxnet began to replicate itself continually. Although there have been a large number of public articles and talks regarding Stuxnet, during our analysis we have noticed some critical details about the virus’s code and its functionalities that have not been exposed before. In this talk, we share the result of our in-depth malware analysis by achieving the original source code of Stuxnet. Our analysis sheds light on some untold aspects of the worm that can provide new insights for security communities on a specific class of military super viruses.
Large-Scale Analysis on the Security and Performance of the Rust Compiler
Rust is a popular system programming language introduced by Mozilla in 2010 that provides strong compile-time correctness and high performance. The language has improved upon the ideas of other system languages, such as C++. For instance, the Rustcompiler provides a reliable memory protection mechanism by performing a robust control over the memory life cycle to eradicate common reliability issues (e.g. memory violation and data race) in system programming languages. Consequently, a wide range of programs, such as operating systems (e.g. RustOS), web frameworks (e.g. Rocket), and blockchain clients (e.g. Parity Ethereum Client) have been built in Rust.
JEX: A Straightforward, Portable and Scalable Framework for Automatic Exploit Generation for Java
Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. Therefore, internet worms, such as WannaCry, via exploiting vulnerabilities in applications infect hundreds of thousands of users in a matter of short time, causing hundreds of millions of dollars in damages. Undoubtedly the rapid spread of internet worms makes it impossible to manually protect the infection of a large number of hosts under attack. Hence, to successfully counter internet worms, we need automatic detection and defense mechanisms that can detect and block runtime attacks. An ideal mechanism should be simple to deploy, resulting in few false positives and few false negatives. In this presentation we introduce JEX, an automatic dynamic taint analysis framework to detect and generate exploits for sanitization based vulnerabilities for Java web applications. Our method works based on tracking the flow of taint information from untrusted input into the application sensitive methods (such as console, file, network, database or another program). Our proposed framework is portable, quick and accurate, and does not need the source code of applications. We demonstrate the usefulness of the framework by finding several zero-day vulnerabilities along with popular Java applications.
Etherolic: A Practical Security Analyzer for Smart Contracts
In recent years we have seen a great deal of attention to the topic of security analysis in smart contracts, especially those developed for the Ethereum blockchain. Hence, it seems there is an ever-growing demand for secure smart contracts to protect what could potentially be worth billions. In this work, I introduced Etherolic as a robust, scalable and efficient tool for performing precise security analysis on smart contracts. This tool works based on a successful combination of dynamic taint tracking (DTA) and concolic testing that allows users to analyze the bytecode of smart contracts being run on the Ethereum Virtual Machine. Therefore, Etherolic is not only able to identify a wide spectrum of vulnerabilities but also generates precise exploits to trigger unknown vulnerabilities in the contracts. In order to demonstrate the usefulness of the approach, I evaluated Etherolic on a crafted benchmark suite, comprising 13 real-world and synthetic contracts along with 98 safety features. The result of the evaluation reveals 204 hidden security violations in the benchmarks.
Security Bug Detection Through Fuzzing and Dynamic Taint Analysis in Scala
Scala language combines object-oriented andfunctional programming in one concise and high-level compiler.This language supports static types to help to avoid bugs incomplex programs. In this paper, we propose a dynamic taintanalyzer called ScalaTaint for Scala applications. Our analyzer traces the propagation of unchecked inputs from untrusted sources to sensitive sink methods during program execution in order to warn sanitization errors that can be exploited by adversaries. Moreover, we evaluated the accuracy of Scala Taint on a benchmark suite, including 7 real-world projects written in Scala. As a result, our analyzer could report 49 vulnerabilities within 753,372 lines of code. Furthermore, we measured theperformance of ScalaTaint on Scalabench, that shows 67%runtime overhead, which confirms the usefulness and efficientlyof our approach in comparison with related work. The result of this work has been presented and published in the The Seventh International Symposium on Computing and Networking IEEE 2019
Scalayzer: A Hybrid Approach for Vulnerability Finding in Scala
In this project, I have implemented the first dedicated vulnerability detector (which is called Scalayzer) for the Scala ecosystem. Scalayzer can identify complex security issues (e.g., XXE Injection, SSRF, Insecure Deserialization, Slick-Anorm Injection, etc.) stem from the lack of proper input sanitization in industrial projects. In addition to security analysis, this tool is the first practical dynamic taint tracker for Scala. In order to demonstrate the usefulness of the detection mechanism, I could find 49 undiscovered vulnerabilities within more than half a million lines code in several real-world Scala Projects (including Akka, Play Framework, and Lift).
Concolic Testing for Smart Contracts
Considering numerous projects using smart contracts based on the blockchain technology racing to market, there is an ever-growing necessity for secure contracts to protect what could potentially be worth billions. Ethereum smart contracts are small executable programs, used on a peer-to-peer network as part of a consensus protocol. In other words, a smart contract is a set of low-level instructions being run on the Ethereum Virtual Machine (EVM). This low-level representation of smart contracts is called the Ethereum bytecode, which is public, immutable and once used in the blockchain, cannot be patched anymore. In this ongoing work, we present Etherolic, as the first runtime analysis framework based on concolic execution that analyzes the smart contracts’ bytecode for detecting various vulnerabilities and attacks. In contrast to previous tools, Etherolic does not need any source code and combines symbolic execution of bytecode with a presentation of concrete values from the public Ethereum blockchain. We evaluated Etherolic with a real-world benchmark suite, including 16 programs, containing public libraries. The result of our analysis demonstrates the effectiveness and usefulness of Etherolic in the real-life applications.
LRC-256, an Efficient and Secure LFSR Based Stream Cipher
In this work we introduce LRC-256, a new hardware-based stream cipher that is designed based on an irregular clock-controlled combination generator with a unique mechanism of altering steps. Our proposed algorithm uses a 256-bit main key and a 32-bit message key. The most important measures we consider in designing LRC-256 are maximum period, high linear complexity, resistance to standard attacks, and secure statistical properties. The base component of our algorithm is a clock-controlled combination generator with a 1-bit memory. In order to demonstrate the usefulness and performance of our proposed stream cipher, we implemented LRC-256 on a standard FPGA simulator, and we compared it with 12 standard and well-known stream and block ciphers, such as RC4, RC6, AES, 3DES, W7, Snow 2.0 LILI-II, and Helix. The result of our comparison proves that LRC-256 has higher efficiency and better security. Hence, LRC-256 is a proper option for resource-constrained devices where efficiency and safety are the most important metrics.
A Large-Scale Analysis of Browser Fingerprinting via Chrome Instrumentation
In this work, we introduce FPTracker as a standalone, portable and practical browser that utilizes static and dynamic analysis to obtain concise results on a large set of websites. In contrast to the previous works, which rely on native code instrumentation that have low performance and high cost for monitoring each fingerprint Application programming interface (API), FPTracker is developed as an independent tool that does not need to interact with users' web browsers. In order to prove the usefulness of FPTracker, we have evaluated the top 10,000 European websites (according to Alexa.com) that comprise 1,393,426 links. We have chosen popular European websites to discern how these websites employ user tracking third parties concerning the EU General Data Protection Regulation (GDPR). Accordingly, we found that 117,012 links out of 1,393,426 use invisible user fingerprinting systems. For instance, one of the biggest European banks and a leading advertising website in Germany still fingerprints their visitors.
Practical Dynamic Taint Tracking for Exploiting Input Sanitization Error in Java Applications
Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. Therefore, internet worms via exploiting vulnerabilities in applications infect hundreds of thousands of users in a matter of short time, causing hundreds of millions of dollars in damages. To successfully counter internet worm attacks, we need automatic detection and defense mechanisms. First, we need automatic detection mechanisms that can detect runtime attacks for vulnerabilities. A disclosure mechanism should be simple to deploy, resulting in few false positives and few false negatives. In this paper we present Tainer, an automatic dynamic taint analysis framework to detect and generate exploits for sanitization based vulnerabilities for Java web applications. Particularly, our method is based on tracking the flow of taint information from untrusted input the application sensitive methods (such as console, file, network, database or another program). Our proposed framework is portable, quick, accurate, and does not need the source code of applications. We demonstrate the usefulness of the framework by detecting several zero-day actual vulnerabilities in popular Java applications.
Skills & Tools
- Unit Testing
PhD in Software SecurityUniversity of Potsdam2016 - 2020
- Program Analysis
- Smart Contract Analysis
- Symbolic & Concolic Testing
- JVM Internals
- Software Fuzzing