ThinkstScapes

Latest episodes

Apr 25, 2022 • 35min

ThinkstScapes Research Roundup - Q1 - 2022

Hyntrospect: a fuzzer for Hyper-V devices
Diane Dubois [Slides] [Paper] [Code] [Video]

Put an io_uring on it: Exploiting the Linux Kernel
Valentina Palmiotti [Blog]

The AMD Branch (Mis)predictor: Where No CPU has Gone Before
Pawel Wieczorkiewicz [Blog part 1] [Blog part 2]

Dynamic Process Isolation
Martin Schwarzl, Pietro Borrello, Andreas Kogler, Kenton Varda, Thomas Schuster, Daniel Gruss, and Michael Schwarz [Paper]

Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware
Itai Liba and Assaf Carlsbad [Blog] [Code]

Confidential Containers: Bringing Confidential Computing to the Kubernetes Workload Masses
Samuel Ortiz [Video]

Kubernetes Meets Confidential Computing - The Different Ways of Scaling Sensitive Workloads
Moritz Eckert [Video]

Implementing Post-quantum Cryptography for Developers
Julius Hekkala, Kimmo Halunen, and Visa Vallivaara [Paper]

CMUA-Watermark: A Cross-Model Universal Adversarial Watermark for Combating Deepfakes
Hao Huang, Yongtao Wang, Zhaoyu Chen, Yu Ze Zhang, Yuheng Li, Zhi Tang, Wei Chu, Jingdong Chen, Weisi Lin, and Kai-Kuang Ma [Paper] [Code]

Leashing the Inner Demons: Self-Detoxification for Language Models
Canwen Xu, Zexue He, Zhankui He, and Julian McAuley [Paper] [Code]

Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems
Wei Jia, Zhaojun Lu, Haichun Zhang, Zhenglin Liu, Jie Wang, and Gang Qu [Paper]

Synthetic Disinformation Attacks on Automated Fact Verification Systems
Yibing Du, Antoine Bosselut, Christopher D. Manning [Paper]

Why No One Pwned Synology at Pwn2Own and Tianfu Cup in 2021
Eugene Lim and Loke Hui Yi [Slides]

DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting
Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Maurice, Yossi Oren, Romain Rouvoy, Walter Rudametkin, and Yuval Yarom [Paper] [Code]

Attacking JavaScript Engines in 2022
Samuel Groß and Amanda Burnett [Slides]

Security Analysis of MTE Through Examples
Saar Amar [Slides] [Video]

An Armful of CHERIs
Saar Amar, Nicholas Joly, David Chisnall, Manuel Costa, Sylvan Clebsch, Wes Filardo, Boris Köpf, Robert Norton-Wright, and Matthew Parkison [Blog]

Dec 16, 2021 • 25min

ThinkstScapes Research Roundup - Q4 - 2021

Sponge Examples: Energy-Latency Attacks on Neural Networks
Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, and Ross Anderson [Slides] [Paper] [Video]

How to Use Cheated Cryptography to Overload a Server
Szilárd Pfeiffer [Slides]

Bestie: Very Practical Searchable Encryption with Forward and Backward Security
Tuanyang Chen, Peng Xu, Wei Wang, Yubo Zheng, Willy Susilo, and Hai Jin [Paper]

Symgrate: A Symbol Recovery Service for ARM Firmware
Travis Goodspeed & EVM [Site]

From Graph Queries to Vulnerabilities in Binary Code
claudiu, fabs, and niko [Slides]

Fast verified post-quantum software
Daniel J. Bernstein [Slides]

AIModel-Mutator: Finding Vulnerabilities in TensorFlow
Qian Feng, Zhaofeng Chen, Zhenyu Zhong, Yakun Zhang, Ying Wang, Zheng Huang, Kang Li, Jie Hu and Heng Yin [Slides]

DAMAS: Control-Data Isolation at Runtime through Dynamic Binary Modification
Camille Le Bon, Erven Rohou, Frederic Tronel, and Guillaume Hiet [Paper]

Trojan Source: Invisible Vulnerabilities
Nicholas Boucher and Ross Anderson [Paper] [Code]

Who owns your hybrid Active Directory? Hunting for adversary techniques!
Thirumalai Natarajan Muthiah & Anurag Khanna [Paper]

Breaking Azure AD joined endpoints in zero-trust environments
Dirk-jan Mollema [Slides] [Video]

Going Deeper into Schneider Modicon PAC Security
Gao Jian [Slides] [Video]

New Ways of IPv6 Scanning
Shupeng Gao, Xingru Wu, and Jie Gao [Slides]

DIY cheap gigabit data diode
Magnus [Code]

Bridge your service mesh and AWS
Santosh Ananthakrishnan & Harihara K Narayanan [Slides]

GALILEO: In GPS We Trust?
Áron Szabó, Levente Kovács, and Péter Ligeti [Slides]

“We wait, because we know you.” Inside the ransomware negotiation economics.
Pepijn Hack & Harihara K Narayanan [Paper]

Privacy of DNS-over-HTTPS: Requiem for a dream?
Levente Csikor, Himanshu Singh, Min Suk Kang, and Dinil Mon Divakaran [Slides]

Sleight of ARM: Demystifying Intel Houdini
Brian Hong [Slides] [Video]

Aug 30, 2021 • 22min

ThinkstScapes Research Roundup - Q3 - 2021

Introduction

Episode 1 - 2021/Q3

Thinkst Trends and Takeaways is a show released in conjunction with ThinkstScapes, a written quarterly review of information security research published in both industry and academic venues. Thinkst Labs allocates time to tracking industry research so you don’t have to, specifically looking for novel and unusual work that is impactful; this is not simply a report on bugs or vulnerabilities. Work covered here will include both offensive and defensive topics, and we explore academic publications with the same gusto as industry work. Our target listeners are primarily security practitioners in organizations who are tasked with defending their turf, but offensive-minded folks will also be exposed to new ideas and research we’ve come across.

Full bibliography of referenced works:

Embedded security research

Precursor: Towards Evidence-Based Trust in Hardware
Andrew ‘bunnie’ Huang [Video]

Kernel Pwning with eBPF: a Love Story
Valentina Palmiotti (@chompie1337) [Paper]

InternalBlue / Frankenstein / Spectra
Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick [Slides] [Slides] [Video]

HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer [Slides] [Paper] [Video]

Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
Chen Cao, Le Guan, Jiang Ming, and Peng Liu [Paper]

Remote Timing Attacks on TPMs, AKA TPM-Fail
Daniel Moghimi [Slides]

Breaking VSM by Attacking SecureKernel
Saar Amar and Daniel King [Slides]

Whispers Among the Stars: Perpetrating (and Preventing) Satellite Eavesdropping Attacks
James Pavur [Slides] [Video]

Exploiting 'Differences of opinion'

HTTP/2: The Sequel is Always Worse
James Kettle [Paper]

Differential Fuzzing of x86-64 Instruction Decoders
William Woodruff, Niki Carroll, and Sebastiaan Peters [Paper] [Video]

EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks
Ben Seri, Gregory Vichnepolsky, and Yevgeny Yusepovsky [Slides] [Paper]

Light Commands: Laser-Based Audio Injection on Voice-Controllable Systems
Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu [Slides]

Interpretable Deep Learning Under Fire
Xinyang Zhang, Ningfei Wang, Hua Shen, Shouling Ji, Xiapu Luo, and Ting Wang [Slides] [Paper] [Video]

Hiding Objects from Computer Vision by Exploiting Correlation Biases
Yin Minn Pa Pa, Paul Ziegler, and Masaki Kamizono [Slides]

Disrupting Continuity of Apple’s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL and Wi-Fi
Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick [Paper]

Defence

Entangled Watermarks as a Defense Against Model Extraction
Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot [Paper]

Hopper: Modeling and Detecting Lateral Movement
Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey Voelker, and David Wagner [Paper]

Faking a Factory: Creating and Operating a Realistic Honeypot
Charles Perine [Slides] [Paper] [Video]

Do You Speak My Language? Making Static Analysis Engines Understand Each Other
Ibrahim Mohamed and Manuel Fahndrich [Slides]

Practical Defenses Against Adversarial Machine Learning
Ariel Herbert-Voss [Video]

Nifty sundries

Remote Side-Channel Attacks on Anonymous Transactions
Florian Tramer, Dan Boneh, and Kenneth G. Paterson [Paper]

An Observational Investigation of Reverse Engineers’ Processes
Daniel Votipka, Seth Rabin, Kristopher Micinski, Jeffrey Foster, and Michelle Mazurek [Paper] [Video]

On the Feasibility of Automating Stock Market Manipulation
Carter Yagemann, Simon Chung, Erkam Uzun, Sai Ragam, Brendan Saltaformaggio, and Wenke Lee [Paper]

IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets
Tohid Shekari and Raheem Beyah [Slides]

The Dark Age of Memory Corruption Mitigations in the Spectre Era
Andrea Mambretti and Alexandra Sandulescu [Slides]

Everything Old is New Again: Binary Security of WebAssembly
Daniel Mehmann, Johannes Kinder, and Michael Pradel [Slides] [Paper] [Video]

ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!
Orange Tsai [Slides]

Brought to you by Thinkst Canary

Most companies find out way too late that they've been breached. Thinkst Canary changes this. Canaries deploy in under 4 minutes and require 0 ongoing admin overhead. They remain silent till they need to chirp, and then, you receive that single alert. When.it.matters.

Find out why some of the smartest security teams in the world swear by Thinkst Canary: https://canary.love