17th IEEE Workshop on Offensive Technologies

Workshop Program

Room: Bayview A

Time (PDT)	Title & Authors
8:00 - 8:15	Welcome!, Sara Rampazzi & Yanick Fratantonio
8:15 - 9:00	Keynote - From Blue Boxes to Black Boxes: Adventures in Uncovering Mobile Device Functionality, Kevin Butler (University of Florida) [Slides PDF] Abstract: The history of hacking is intimately tied to telecommunications networks. While these networks have changed over the past 50 years and complexity has migrated outwards to devices, one enduring challenge has been a lack of accessibility. In this talk, we’ll discuss some of our recent efforts to better understand the phone side of smartphones through examining command sets and processors. We’ll discuss some of our recent efforts and point to exciting new areas that can help us gain better understanding of cellular telephony infrastructure. Biography: Kevin Butler is a Professor of Computer and Information Science and Engineering and Director of the Florida Institute for Cybersecurity Research at the University of Florida. His research aims to improve the security of computer systems and the people who use them. Recently his research has focused on mobile security, embedded and peripheral devices, trustworthy machine learning, and security and privacy for marginalized and vulnerable populations.
9:00 - 10:00	Session 1: Malware & Obfuscation (Session Chair: Zhenpeng Lin)
	Reflections on Trusting Docker: Invisible Malware in Continuous Integration Systems Florent Moriconi (EURECOM), Axel Ilmari Neergaard (EURECOM), Lucas Georget (EURECOM), Samuel Aubertin (EURECOM), Aurélien Francillon (EURECOM) [Paper PDF] [Slides PDF]
	ROPfuscator: Robust Obfuscation with ROP Giulio De Pasquale (King's College London), Fukutomo Nakanishi (Toshiba Corporation), Daniele Ferla (Università di Bologna), Lorenzo Cavallaro (University College London) [Paper PDF] [Slides PDF]
	GPThreats-3: Is Automatic Malware Generation a Threat? Marcus Botacin (Texas A&M University) [Paper PDF] [Slides PDF]
	Emoji shellcoding in RISC-V Hadrien Barral (Ecole Normale Supérieure), Georges-Axel Jaloyan (Ecole Normale Supérieure), David Naccache (Ecole Normale Supérieure) [Paper PDF]
10:00 - 10:30	Morning Break
10:30 - 12:00	Session 2: Hardware Security & Side Channels (Session Chair: Yuval Yarom)
	The Ghost Is The Machine: Weird Machines in Transient Execution - 🏆 BEST STUDENT PAPER AWARD Ping-Lun Wang (Carnegie Mellon University), Fraser Brown (Carnegie Mellon University), Riad S. Wahby (Carnegie Mellon University) [Paper PDF] [Slides pptx]
	Cryo-Mechanical RAM Content Extraction Against Modern Embedded Systems Yuanzhe Wu (Red Balloon Security), Grant Skipper (Red Balloon Security), Ang Cui (Red Balloon Security) [Paper PDF] [Slides PDF]
	CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode - 🏆 BEST PAPER AWARD Pietro Borrello (Sapienza University of Rome), Catherine Easdon (Dynatrace Research & Graz University of Technology), Martin Schwarzl (Graz University of Technology), Roland Czerny (Graz University of Technology), Michael Schwarz (CISPA Helmholtz Center for Information Security) [Paper PDF] [Slides PDF] [Video Recording mp4]
	The Little Seal Bug: Optical Sound Recovery from Lightweight Reflective Objects Ben Nassi (Ben-Gurion University of the Negev), Raz Swissa (Ben-Gurion University of the Negev), Jacob Shams (Ben-Gurion University of the Negev), Boris Zadov (Ben-Gurion University of the Negev), Yuval Elovici (Ben-Gurion University of the Negev) [Paper PDF] [Slides pptx] [Video Recording mp4]
	ESPwn32: Hacking with ESP32 System-on-Chips Romain Cayre (EURECOM), Damien Cauquil (Quarkslab), Aurélien Francillon (EURECOM) [Paper PDF] [Slides PDF]
12:00 - 13:00	Lunch Break
13:00 - 13:45	Keynote - Fuzzing: The Age of Vulnerability Discovery, Richard Johnson [Slides PDF] Abstract: In 2020, I discussed fuzzing in "Lightning in a Bottle" reviewing major milestones that led to the "fuzzing renaissance" that was kicked off by the creation of effective greybox mutational parser fuzzing with the release of American Fuzzy Lop. It is now 2023 and fuzzing continues to be one of the most effective approaches to vulnerability discovery, reaching an ever-wider range of attack surface in targets like browsers, kernels, trusted execution environments, smart contracts, mobile and embedded devices, managed languages and more. In this talk we will discover what the future trends and opportunities for fuzzing will look like. We will explore how the science of fuzzing has improved to augment early feedback methods, how the philosophy of fuzzing has evolved through benchmarking and empirical data, and how fuzzing tooling has become more flexible and adaptable to arbitrary targets. We will explore together what has happened since The Fuzzing Renaissance created a boom of research and began to mature as we shift into The Age of Vulnerability Discovery. Biography: Richard Johnson is a computer security specialist with a focus on fuzzing and software vulnerability analysis. Currently owner of FUZZING IO, a research and development company offering professional training and consulting services, Richard offers over 20 years of professional expertise and leadership in the information security industry including past positions as Director of Security Research at Oracle Cloud and Research Lead roles at Trellix, Cisco Talos, and Microsoft. Richard has delivered training and presented annually at top-tier industry conferences for over 15 years at Black Hat, Defcon, RECON, Hack in the Box, and many more.
13:45 - 14:45	Session 3: Fuzzing & Exploitation (Session Chair: Marius Muench)
	Fuzzing the Latest NTFS in Linux with Papora: An Empirical Study Edward Lo (Amber Group), Ningyu He (Peking University), Yuejie Shi (Amber Group), Jiajia Xu (Amber Group), Chiachih Wu (Amber Group), Ding Li (Peking University), Yao Guo (Peking University) [Paper PDF] [Slides PDF]
	Divergent Representations: When Compiler Optimizations Enable Exploitation Andreas D. Kellas (Columbia University), Alan Cao (Trail of Bits), Peter Goodman (Trail of Bits), Junfeng Yang (Columbia University) [Paper PDF] [Slides PDF]
	Go or No Go: Differential Fuzzing of Native and C Libraries Alessandro Sorniotti (IBM Research Europe - Zurich), Michael Weissbacher (Block, Inc.), Anil Kurmus (IBM Research Europe - Zurich) [Paper PDF]
	ASanity: On Bug Shadowing by Early ASan Exits Vincent Ulitzsch (Technische Universität Berlin), Dominik Maier (Technische Universität Berlin), Deniz Scholz (Technische Universität Berlin) [Paper PDF] [Slides PDF]
14:45 - 15:00	Afternoon Break
15:00 - 15:45	Session 4: Web & Network Security (Session Chair: Eyal Ronen)
	Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection Tom Van Goethem (imec-DistriNet, KU Leuven), Iskander Sanchez-Rola (Norton Research Group), Wouter Joosen (imec-DistriNet, KU Leuven) [Paper PDF] [Slides PDF]
	Hakuin: Optimizing Blind SQL Injection with Probabilistic Language Models Jakub Pružinec (Nanyang Technological University, Singapore), Nguyen Anh Quynh (Nanyang Technological University, Singapore) [Paper PDF] [Slides PDF]
	Towards Simultaneous Attacks on Multiple Cellular Networks Alexander Ross (North Carolina State University), Bradley Reaves (North Carolina State University) [Paper PDF]
15:45 - 16:00	Awards Announcements & Closing Remarks, Sara Rampazzi & Yanick Fratantonio
16:00 - 17:00	Demo & Poster Session (Foyer area outside of Bayview A)

Call for Papers

Symposium Topics

Computer security exposes the differences between the actual mechanisms of everyday trusted technologies and their models used by developers, architects, academic researchers, owners, operators, and end users. While being inherently focused on practice, security also poses questions such as "what kind of computations are and aren't trusted systems capable of?" which harken back to fundamentals of computability. State-of-the-art offense explores these questions pragmatically, gathering material for generalizations that lead to better models and more trustworthy systems.

WOOT provides a forum for high-quality, peer-reviewed work discussing tools and techniques for attacks. Submissions should reflect the state of the art in offensive computer security technology, exposing poorly understood mechanisms, presenting novel attacks, highlighting the limitations of published attacks and defenses, or surveying the state of offensive operations at scale. WOOT '23 accepts papers in both an academic security context and more applied work that informs the field about the state of security practice in offensive techniques. The goal for these submissions is to produce published works that will guide future work in the field. Submissions will be peer-reviewed and shepherded as appropriate. Submission topics include, but are not limited to, attacks on and offensive research into:

• Hardware, including software-based exploitation of hardware vulnerabilities
• Virtualization and the cloud
• Network and distributed systems
• Operating systems
• Web security
• Browser and general client-side security (runtimes, JITs, sandboxing)
• Application security
• Analysis of mitigations and automating how they can be bypassed
• Automating software testing such as fuzzing for novel targets
• Internet of Things
• Machine Learning
• Cyber-physical systems
• Privacy
• Cryptographic systems (practical attacks on deployed systems)
• Malware design, implementation and analysis
• Offensive applications of formal methods (solvers, symbolic execution)

Workshop Format

The presenters will be authors of accepted papers. There will also be a keynote speaker and a selection of invited speakers.

Note that WOOT'23 and other IEEE S&P workshops are planned to be held in person, see the IEEE S&P website for details and updates.

Regular Submission

WOOT '23 welcomes submissions without restrictions of origin. Submissions from academia, independent researchers, students, hackers, and industry are welcome. Are you planning to give a cool talk at Black Hat in August? Got something interesting planned for other non-academic venues later this year? This is exactly the type of work we'd like to see at WOOT '23. Please submit—it will also give you a chance to have your work reviewed and to receive suggestions and comments from some of the best researchers in the world. More formal academic offensive security papers are also very welcome.

Systematization of Knowledge

Continuing the tradition of past years, WOOT '23 will be accepting "Systematization of Knowledge" (SoK) papers. The goal of an SoK paper is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will prove highly valuable to our community but would not be accepted as refereed papers because they lack novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Be sure to select "Systematization of Knowledge paper" in the submissions system to distinguish it from other paper submissions.

Submission Requirements

• Paper submission deadline (extended!): Friday, January 27, 2023 Friday, February 10th, 2023, 23:59:59 AoE (Anywhere on Earth) (firm!)
• Notification date: Tuesday, March 7th, 2023
• Camera-ready paper deadline: Friday, March 31st, 2023
• Workshop date: Thursday, May 25, 2023

Paper Submissions for Woot 2023 are closed.

What to Submit

Submissions must be in PDF format. Papers should be succinct but thorough in presenting the work. The contribution needs to be well motivated, clearly exposed, and compared to the state of the art. Typical research papers are at least 4 pages, and maximum 10 pages long (not counting bibliography and appendix). Yet, papers whose lengths are incommensurate with their contributions will be rejected.

The submission should be formatted in 2-columns, using 10-point Times Roman type on 12-point leading, in a text block of 6.5” x 9”. Please number the pages. Authors must use the IEEE templates, for LaTeX papers this is IEEETran.cls version 1.8b.

Note that paper format rules may be clarified. Stay tuned.

Submissions are double blind: submissions should be anonymized and avoid obvious self-references (authors are allowed to release technical reports and present their work elsewhere such as at DefCon or BlackHat). Submit papers using the submission form.

Authors of accepted papers will have to provide a paper for the proceedings following the above guidelines. A shepherd may be assigned to ensure the quality of the proceedings version of the paper.

If your paper should not be published prior to the event, please notify the chairs. Submissions accompanied by non-disclosure agreement forms will not be considered. Accepted submissions will be treated as confidential prior to publication on the WOOT '23 website; rejected submissions will be permanently treated as confidential.

Policies and Contact Information

Simultaneous submission of the same work to multiple competing academic venues, submission of previously published work without substantial novel contributions, or plagiarism constitutes dishonesty or fraud. Note: Work presented by the authors at industry conferences, such as Black Hat, is not considered to have been "previously published" for the purposes of WOOT '23. We strongly encourage the submission of such work to WOOT '23, particularly work that is well suited to a more formal and complete treatment in a published, peer-reviewed setting. In your submission, please do note any previous presentations of the work.

Ethical Considerations

Note: WOOT '23 ethical guidelines are aligned with the guidelines discussed in the IEEE S&P '23 CFP. For convenience, we report them here verbatim.

Ethical Considerations for Vulnerability Disclosure

Where research identifies a vulnerability (e.g., software vulnerabilities in a given program, design weaknesses in a hardware system, or any other kind of vulnerability in deployed systems), we expect that researchers act in a way that avoids gratuitous harm to affected users and, where possible, affirmatively protects those users. In nearly every case, disclosing the vulnerability to vendors of affected systems, and other stakeholders, will help protect users. It is the committee’s sense that a disclosure window of 45 days https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy to 90 days https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html ahead of publication is consistent with authors’ ethical obligations.

Longer disclosure windows (which may keep vulnerabilities from the public for extended periods of time) should only be considered in exceptional situations, e.g., if the affected parties have provided convincing evidence the vulnerabilities were previously unknown and the full rollout of mitigations requires additional time. The authors are encouraged to consult with the PC chairs in case of questions or concerns.

The version of the paper submitted for review must discuss in detail the steps the authors have taken or plan to take to address these vulnerabilities; but, consistent with the timelines above, the authors do not have to disclose vulnerabilities ahead of submission. If a paper raises significant ethical and/or legal concerns, it will be checked by the chairs and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Ethical Considerations for Human Subjects Research

Submissions that describe experiments that could be viewed as involving human subjects, that analyze data derived from human subjects (even anonymized data), or that otherwise may put humans at risk should:

1. Disclose whether the research received an approval or waiver from each of the authors' institutional ethics review boards (IRB) if applicable.
2. Discuss steps taken to ensure that participants and others who might have been affected by an experiment were treated ethically and with respect.

If a submission deals with any kind of personal identifiable information (PII) or other kinds of sensitive data, the version of the paper submitted for review must discuss in detail the steps the authors have taken to mitigate harms to the persons identified. If a paper raises significant ethical and/or legal concerns, it will be checked by the chairs and it might be rejected based on these concerns. The PC chairs will be happy to consult with authors about how this policy applies to their submissions.

Registration for Authors

At least one author per paper has to register and present the paper.

Artifact Evaluation

All artifacts are here: https://secartifacts.github.io/woot2023/results!

We seek to include a broad cross-section of the WOOT community in the AEC. If you are interested in joining the AEC, or supervising PhD students who might be, please send your application using this form by February 12th, 2023.

Submission

• Artifact submission deadline: Thursday, March 16th 2023, 23:59:59 AoE (Anywhere on Earth)
• Discussion period: Friday, March 17th - Friday, March 24th 2023, AoE
• Decisions announced: Tuesday, March 28th 2023, AoE

Artifact Submissions for Woot 2023 are closed.

Authors of accepted papers are expected to submit the following:

• A PDF with an abstract for the artifact. The abstract should specify the core idea, the focus of the artifact, and what the evaluation should check
• A PDF of the most recent version of the accepted paper
• Documentation about the artifact (what to test and/or how to reproduce the contributions of the paper)
• A link to the artifact, accessible via a stable reference or DOI. For this purpose, we recommend Zenodo. Since the artifact can evolve during the evaluation to address feedback from the reviewers, another (potentially different) stable reference will be later collected for the final version of the artifact.

Submissions are single-blind, i.e., authors must ensure that the evaluation process preserves reviewers' anonymity. Please refer to Process and Artifact Details for additional details.

Overview

A scientific paper consists of a constellation of artifacts that extend beyond the document itself: software, hardware, evaluation data and documentation, raw survey results, mechanized proofs, models, test suites, benchmarks, and so on. In some cases, the quality of these artifacts is as important as that of the document itself, yet many of our conferences offer no formal means to submit and evaluate anything but the paper itself. To address this shortcoming, WOOT organizes an optional artifact evaluation process, inspired by similar efforts in software engineering and security conferences.

Benefits

We believe the dissemination of artifacts benefits our science and engineering as a whole, as well as the authors submitting them. Their availability improves replicability and reproducibility and enables authors to build on top of each other's work. It can also help more unambiguously resolve questions about cases not considered by the original authors. The authors receive recognition, leading to higher-impact papers, and also benefit themselves from making code reusable.

Badges

Authors can choose to have their artifact evaluated against the following badges:

• Open Research Objects (ORO): this badge indicates that the artifact is permanently archived in a public repository that assigns a global identifier and guarantees persistence, and is made available via standard open licenses that maximize artifact availability.
• Research Objects Reviewed (ROR): this badge indicates that all relevant artifacts used in the research (including data and code) were reviewed and conformed to the expectations set by the paper.

We expect artifacts to be:

• consistent with the paper
• as complete as possible
• documented well
• easy to reuse, facilitating further research

Notice that the two badges can be issued independently.

Process

Artifact evaluation is a separate process from paper reviews, and authors will be asked to submit their artifacts only after their papers have been (conditionally) accepted for publication at WOOT. After the artifact submission, at least one member of the AEC will download and install the artifact (where relevant) and evaluate it. Since we anticipate minor glitches with installation and usage, reviewers may communicate with authors to help resolve glitches while preserving reviewer anonymity. The AEC will complete its evaluation and notify the authors of the outcome.

For the camera-ready version, authors who have successfully passed the evaluation process will receive the awarded badges on their papers.

Artifact Details

To avoid excluding some papers, the AEC will try to accept any artifact that authors wish to submit. These can be software, hardware, data sets, survey results, test suites, mechanized proofs, etc. Given the experience in other communities, we decided to not accept paper proofs in the artifact evaluation process. The AEC lacks the time and often the expertise to carefully review paper proofs. Obviously, the better the artifact is packaged, the more likely the AEC can actually work with it during the evaluation process.

While we encourage open research, submission of an artifact does not contain tacit permission to make its content public. All AEC members will be instructed not to publicize any part of your artifact during or after the evaluation, nor retain any part after evaluation. Thus, you are free to include, e.g., models, data files, or proprietary binaries in your artifact. Also, note that participating in the AEC experiment does not require you to publish your artifacts unless you apply for the Open Research Objects (ORO) badge. Still, we strongly encourage you to do so.

We recognize that some artifacts may attempt to perform malicious operations by design. These cases should be boldly and explicitly flagged in detail in the readme so AEC members can take appropriate precautions before installing and running these artifacts. The evaluation of exploits and similar results might lead to additional hurdles where we still need to collect experience on how to handle this best. Please contact the AE chair if you have concerns, for example when evaluating bug-finding tools or other types of artifacts that need special requirements.

Committees

Program co-chairs (email: woot23chairs@gmail.com)

• Sara Rampazzi, University of Florida
• Yanick Fratantonio, Google

Program committee

• Adrian Dabrowski, CISPA Helmholtz Center for Information Security
• Andrea Continella, University of Twente
• Andrea Possemato
• Aravind Machiry, Purdue University
• Ben Nassi, Ben-Gurion University of the Negev
• Clémentine Maurice, CNRS, IRISA
• Collin Mulliner
• Daniel Andriesse, Intel Corporation
• Daniele Antonioli, EURECOM
• Dave (Jing) Tian, Purdue University
• Fabio Pagani, UC Santa Barbara
• Fangfei Liu, Intel Corporation
• Federico Maggi, AWS
• Kyle Zeng, Arizona State University
• Lucas Davi, University of Duisburg-Essen
• Manuel Egele, Boston University
• Marco Squarcina, TU Wien
• Mariano Graziano, JPMorgan Chase
• Marius Muench, Vrije Universiteit Amsterdam
• Mathias Payer, EPFL
• Mathy Vanhoef, imec-DistriNet, KU Leuven
• Michael Schwarz, CISPA Helmholtz Center for Information Security
• Natalie Silvanovich, Google
• Sofia Celi, Brave
• Takeshi Sugawara, The University of Electro-Communications
• Thomas Roth, Leveldown Security
• Travis Goodspeed
• Victor van der Veen, Qualcomm
• Xiali (Sharon) Hei, University of Louisiana at Lafayette
• Yongdae Kim, KAIST
• Yuval Yarom, Ruhr University Bochum
• Zhenpeng Lin, Northwestern University

Artifact Evaluation chair (email: woot23ae@secpriv.wien)

• Marco Squarcina, TU Wien

Artifact Evaluation committee

• Aakash Sharma, UiT The Arctic University of Norway
• Adrian Herrera, Defence Science and Technology Group (DSTG) and Australian National University (ANU)
• Amit Samanta, University of Utah
• Anunay Kulshrestha, Princeton University
• Giulio De Pasquale, King's College London
• Hadrien Barral, ENS
• Hyungsub Kim, Purdue University
• Jessy Ayala, UC Irvine
• Kazi Samin Mubasshir, Purdue University
• Lorenzo Cazzaro, Ca' Foscari University of Venice
• Marco Bonelli, Independent
• Matthew Revelle, Kudu Dynamics
• Michael Pucher, University of Vienna
• Mirza Masfiqur Rahman, Purdue University
• Muhammad Ibrahim, Purdue University
• Nathan Rutherford, "Royal Holloway,
• Pedro Bernardo, TU Wien
• Sachin Kumar Singh, University of Utah
• Xin Jin, The Ohio State University
• Yash Vekaria, University of California - Davis
• Zhibo Li, University of Edinburgh

Student Volunteers

• Sioli Tiafau O'Connell, University of Adelaide
• Yan Long, University of Michigan
• Robert Dumitru, University of Adelaide

Steering committee

• Aurélien Francillon, EURECOM
• Yuval Yarom, Ruhr University Bochum
• Clémentine Maurice, CNRS
• Sarah Zennou, Airbus
• Collin Mulliner, Cruise
• Fangfei Liu, Intel
• Mathias Payer, EPFL
• Colin O'Flynn, NewAE Technology and Dalhousie University
• Martina Lindorfer, TU Wien

Sponsors

Reach out to the chairs (woot23chairs@gmail.com) if you are interested to sponsor this event! Thank you!

Gold Sponsor	Gold Sponsor	Gold Sponsor

Silver Sponsor	Silver Sponsor

Special thanks for the exceptional support