TEST OF TIME AWARD! An honor to receive the IEEE CSF award with my awesome coauthors Gilles Barthe and Pedro R. D'Argenio for the work we did 20y ago on **Self Composition** for security verification wwwsop.inria.fr/members/Tamara…

An Assistant Professor position in the S3 group -(s3eurecom) at La Com EURECOM in vulnerability detection, analysis, exploitation, and/or remediation is still open. It is still time to send your applications! eurecom.fr/en/job/vulnera… Feel free to ask me any questions !

Become a PhD student with us at Chalmers Chalmers University of Technology Chalmers ICT and join the Chalmers Security & Privacy Lab cse.chalmers.se/research/group… Apply here: chalmers.se/en/about-chalm…

Today I sent my PhD thesis for printing! 🎉 In my research, I classified code-reuse attacks and wrote some curious JS examples to demonstrate them. I'd love to share my findings through a micro-CTF: try solving my vulnerable JS code snippets, or repost it if you're stumped 😄

Instead of researching how to make unsafe languages run faster, how about we focus on making type-safe and memory-safe languages faster? Benefits for security, energy use, CO2...

I have a postdoc position in my group to work on an exciting project at the intersection of program analysis and GenAI: srg.doc.ic.ac.uk/vacancies/post… Reposts appreciated, both here and elsewhere.

Interested in Kernel Safety, KASLR, or formal methods in the Spectre Era? Don't miss the talk by my student, Davide Davoli, at ACM CCS 2025 on October 15th, 16:15 in the Grand Ballroom, Salons A, B, C.

We are proud to sponsor the 1st edition of the HackHer Challenge, a CTF competition dedicated to female students and professionals, with the mission of promoting diversity. This Saturday October 19th 10:00 to 18:00 Details and registration here: hackher-challenge.com

Guess what? #IBPB (the speculation barrier) was broken in microcode for return instructions on the latest Intel CPUs. Linux also used it wrongly for AMD CPUs, so we could revive #Inception!

The first ever end-to-end cross-process Spectre exploit? I worked on this during an internship with grsecurity! An in-depth write-up here: grsecurity.net/cross_process_…

Excited to be part of the team receiving the ACM SIGSAC Distinguished Paper Award 🏆. Congrats Marco Guarnieri, @SCauligi, @YuvalYarom, Peter Schwabe, and w/o X handles: David Wu, David Romero, Chitchanok Cheungsatiansup, and Gilles Barthe!

Our paper with Hans Winderix, Lesly-Ann Daniel, and Frank Piessens received the distinguished paper award at ACM CCS 2025! If you are interested in mitigating control-flow leakage, read the paper mici.hu/papers/winderi… and check out the repository github.com/proteus-core/l…

Absolutely stunning work from pspaul on this CSS Injection - > text node exfil technique. blog.pspaul.de/posts/bench-pr…

Big congrats to Mikhail Shcherbakov ⁦Mikhail Shcherbakov⁩ on his PhD thesis defense. Mikhail did great work on code reuse attacks in the web. Thanks to the opponent Yinzhi Cao, and grading committee members Anders Møller, Ben Stock⁩, Emma Söderberg, and David Broman🍾🎉

The entire 3rd-edition of Ross Anderson's "Security Engineering" is available free as PDFs now! cl.cam.ac.uk/archive/rja14/…

KernelSnitch: Side-Channel Attacks on Kernel Data Structures Paper by Lukas Maar et al. about using a timing side-channel for leaking addresses of exploitation-relevant kernel structures. lukasmaar.github.io/papers/ndss25-…

Looking for a nice retreat in the French central mountains, speaking about formal methods and security, walking around and eating cheese and "truffade"? The 2025 Annual Meeting of the French WG on "Formal Methods and Security" will happen from March 17 to 21 at Le Mont-Dore. We

Today, we announced the official release of OSV-SCALIBR, Google's software composition analysis library. If you are working in vuln management / security scanning, SCALIBR is for you! SCALIBR is powering most of Google's vuln scanning. Please RT security.googleblog.com/2025/01/osv-sc…

The purpose of the secret-erasure checker is to ensure that it did not happen and that no secret data remains in memory after the function returns. Check our TOPS paper for more details binsec.github.io/assets/publica… with Tamara Rezk and Lesly-Ann Daniel

BREAKING. From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.