Intel's Software Guard Extensions (SGX) promises an isolated execution environment,
protected from all software running on the machine. As such, numerous works have sought …

Least-privilege separation decomposes applications into compartments limited to accessing
only what they need. When compartmentalizing existing software, many approaches neglect …

The Linux kernel is the backbone of modern society. When a kernel error is discovered, a
quick remediation is needed. Whereas sanitizers greatly facilitate root cause diagnosis …

Information leaks are the most prevalent type of vulnerabilities among all known
vulnerabilities in Linux kernel. Many of them are caused by the use of uninitialized variables …

Kernel Address Sanitizer (KASAN), an invaluable tool for finding use-after-free and out-of-
bounds bugs in the Linux kernel, needs the kernel source for compile-time instrumentation …

Syscall interposition is crucial for tools that monitor/modify application behavior. Mainstream
OSes have, therefore, provided syscall interposition APIs for years, but these often incur …

Multi-variant execution (MVX) systems amplify the effectiveness of software diversity
techniques. The key idea is to run multiple diversified program variants in lockstep while …

Enterprise software updates depend on the interaction between user and developer
organizations. This interaction becomes especially complex when a single developer …

Microservices are the dominant architecture used to build internet-scale applications today.
Being internet-facing, their most critical attack surfaces are the OWASP top 10 Web …

Abstract N-Variant Execution (NVX) systems utilize artificial diversity techniques to enhance
software security. The general idea is to run multiple different variants of the same program …