I am currently pursuing my PhD under the supervision of Prof. Lucas Davi at the University of Duisburg-Essen (My university site). My primary research interests include:
- Vulnerability Research and Hardening Mechanisms
- Program/Binary Analysis
- Secure Software Development
My research is always centered around applying program analysis techniques to identify security issues or detect attacks. To give a couple of examples, I worked on a project where we used taint tracking inside of the Ethereum Virtual Machine to identify attacks on Ethereum smart contracts. In my master thesis we leveraged a points-to analysis at compile time to introduce runtime security checks that verify that a memory write always targets an object that complies to the points-to analysis. While, most of my research has focused on attack detection (i.e., defense) I am also interested in vulnerability identification and security testing and try to stay up-to-date with the current techniques in this space (i.e., fuzzing, symbolic execution, static analyzers).
- Practical Mitigation of Smart Contract BugsJens-Rene Giesen, Sebastien Andreina, Michael Rodler, Ghassan O. Karame, Lucas Davi(under submission)
- Poster: Automated Evaluation of Fuzzers - Distinguished Technical Poster AwardSebastian Surminski, michael Rodler, Lucas DaviProceedings of the Network and Distributed System Security Symposium (NDSS'19)
- Enforcing Pointer Integrity Through Static AnalysisMichael RodlerMaster Thesis at TU Graz
While I try to keep things updated here, you might want to check out my profiles on dblp or scholar:
- "Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks"ACM Advances in Financial Technologies (AFT) 2019 (2019-10-21)
- "ROP CFI RAP XNR CPI WTF? – Navigating the Exploit Mitigation Jungle"at BsidesLjubljana 2017 (2017-03-10)
- "A CTF Hackers Toolbox - Competitive hacking for fun and (non-)profit"with Stefan Moreat Grazer Linuxtage 2016 (2016-04-30)
- "Weird Machines on Little Robots - Intro to binary exploitation on Android smartphones"at Hacking Night SS 2013 (2013-06-06)
- "evil maid on droids"at Hacking Night WS 2012 (2012-12-06)
- "Oh Noes, Another Android Malware Talk"with Thomas Ederat Insights Track at Security Forum 2012 (2012-04-18)
- "Downgrade Attacks by Example"at BSidesVienna 2012 (2012-01-21)
- "Downgrade Attacks: Compatibility Breaks Security"at Hacking Night WS 2011 (2011-12-14)
- "Tatort Internet: Wer geht mit mir phishen?"with Sebastian Neunerat Hacking Night WS 2010 (2010-11-25)
- "git for noobs"at Hackinggroup Workshop (2010-10-27)
EVMPatch Here we implemented a bytecode rewriter for Ethereum Virtual Machine bytecode. This is quite a low-level bytecode format, which is actually quite simple. However, this simplicity results in various gotchaes that make full analysis (correctly identifying pointers into the bytecode) and subsequent rewriting of Ethereum bytecode quite tricky. In this work we utilized a little trick that is well-known from x86 binary rewriting: using trampolines. This allows us to keep all addresses the same in the rewritten contract (except for the code we add). We then integrated this rewriter with some support code: a patch testing component based on differential testing with respect to the original (unpatched) contract, and some patch templates for standard vulnerabilities (such as integer overflows).
Teerex I supervised a Master thesis on symbolic execution of SGX enclaves. This master thesis turned out to have marvelous results. We identified a couple of vulnerabilities in production SGX enclaves and identified problematic code patterns that typically lead to vulnerabilities.
Sereum In a collaboration with NEC labs we built a dynamic analysis tool for Ethereum smart contracts. I implemented a taint tracking engine inside of the go-ethereum EVM bytecode interpreter. Based on this taint tracking engine we were able to build a dynamic detector for the infamous reentrancy attacks (this the DAO hack thing). The both fun and unfun part of this project was to evaluate on the vast dataset that is the Ethereum blockchain. You have all kinds of scalability issues when evaluating by re-executing basically the whole blockchain (the raw data can be found here). Interestingly we were also able to identify potential new attack patterns based on our analysis of the detected potential attacks, for which we introduced example attacks
Dynamic Analysis Projects I patched Taintdroid to contain taint sinks/sources/tags for cryptography APIs, which can result in insights how an android application uses cryptography to protect user data. We used it to analyze apps and how they are using hash functions and other KDFs.
I also started a small project that does compile time function call instrumentation in LLVM (you could call it aspect oriented programming). It's focused on analysis and fault injection though and does come with a significant overhead. The project is now dead/unmaintained. I guess nowadays you would use something more production ready.
LLWIT I did my master thesis at the IAIK Secure Systems groups, where I built upon the results of the Write Integrity Testing (WIT) paper, which I implemented within LLVM for Linux. This is am exploit mitigation primarily intended to thwart data-oriented attacks, but also covers many control data attacks. I then evaluated WIT on the CGC dataset (only somewhat successfully). However, this evaluation on the CGC dataset showed that there are many issues when implementing a security mitigation like WIT in practice: Arrays are hard, C++ is hard.
ANANAS Previously I worked on dynamic analysis of Android applications. In the malware-lab of the FH Hagenberg Secure Informations Systems we started a project that provides a dynamic analysis platform for Android applications. This resulted in my first publication. Here we built a dynamic analysis platform for analyzing android malware with all the nicities you would expect from a malware sandbox: system call logging, network traffic monitoring, preparing the environment with fake user data, simulating random user interaction and so on. We also used TaintDroid, but this was too much of a trouble and mostly not worth the effort.