Dennis Andriesse

I’m a postdoctoral researcher in the System and Network Security Group at Vrije Universiteit Amsterdam, where I obtained my Ph.D. (cum laude) in June 2017 for my thesis entitled “Analyzing and Securing Binaries Through Static Disassembly.” My thesis won the Roger Needham Ph.D. Award at EuroSys 2018, and the ACM SIGSAC Doctoral Dissertation Award at CCS 2018. During my Ph.D., I interned with Cisco, where I developed fine-grained CFI implementations for embedded systems. I'm also the author of Practical Binary Analysis. You can download my CV here.

My research focuses on reverse engineering and binary-level security techniques. Some of my research on function detection has been integrated into Binary Ninja. Next to that, I am also interested in binary (de)obfuscation and advanced malware; particularly in targeted malware and in botnet C2 channels. I had a chance to delve further into that interest as one of the main reverse engineers and attack developers in Operation Tovar, the takedown of the notorious Gameover ZeuS P2P botnet. You can read more about that in our research papers or in the media.

Picture of me.

Practical Binary Analysis

Practical Binary Analysis covers all major binary analysis topics in an accessible way, from binary formats, disassembly, and basic analysis to advanced techniques like binary instrumentation, taint analysis, and symbolic execution. Download the accompanying virtual machine and example code here.

Cover of Practical Binary Analysis.

Publications

Peer-Reviewed Papers

2018

  • F. de Goër, S. Rawat, D. Andriesse, H. Bos, and R. Groz, “Now You See Me: Real-time Dynamic Function Call Detection”, in Proceedings of the 2018 Annual Computer Security Applications Conference (ACSAC'18), (San Juan, Puerto Rico, USA), December 2018. PDF BibTeX Source
    @inproceedings{acsac2018, author = {Franck de Go\"er and Sanjay Rawat and Dennis Andriesse and Herbert Bos and Roland Groz}, title = {{Now You See Me: Real-time Dynamic Function Call Detection}}, booktitle = {{Proceedings of the 2018 Annual Computer Security Applications Conference (ACSAC'18)}}, month = {December}, year = {2018} } × « Download citation »     « Close »
  • R. K. Konoth, M. Oliverio, A. Tatar, D. Andriesse, H. Bos, C. Giuffrida, and K. Razavi, “ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks”, in Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI'18), (Carlsbad, CA, USA), October 2018. PDF BibTeX
    @inproceedings{osdi2018, author = {Radhesh Krishnan Konoth and Marco Oliverio and Andrei Tatar and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida and Kaveh Razavi}, title = {{ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks}}, booktitle = {{Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI'18)}}, publisher = {{USENIX}}, address = {{Carlsbad, CA, USA}}, month = {October}, year = {2018} } × « Download citation »     « Close »

2017

  • V. van der Veen, D. Andriesse, M. Stamatogiannakis, X. Chen, H. Bos, and C. Giuffrida, “The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later”, in Proceedings of the 24th Conference on Computer and Communications Security (CCS'17), (Dallas, TX, USA), October 2017. PDF BibTeX
    @inproceedings{ccs2017, author = {Victor van der Veen and Dennis Andriesse and Manolis Stamatogiannakis and Xi Chen and Herbert Bos and Cristiano Giuffrida}, title = {{The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later}}, booktitle = {{Proceedings of the 24th Conference on Computer and Communications Security (CCS'17)}}, publisher = {{ACM}}, address = {{Dallas, TX, USA}}, month = {October}, year = {2017} } × « Download citation »     « Close »
  • D. Andriesse, A. Slowinska, and H. Bos, “Compiler-Agnostic Function Detection in Binaries”, in Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P'17), (Paris, France), April 2017. (Best Paper Award) PDF BibTeX Source Slides
    @inproceedings{andriesse-eurosp-2017, author = {Dennis Andriesse and Asia Slowinska and Herbert Bos}, title = {{Compiler-Agnostic Function Detection in Binaries}}, booktitle = {{Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS\&P'17)}}, publisher = {{IEEE}}, address = {{Paris, France}}, month = {April}, year = {2017} } × « Download citation »     « Close »

2016

  • D. Andriesse, X. Chen, V. van der Veen, A. Slowinska, and H. Bos, “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries”, in Proceedings of the 25th USENIX Security Symposium (USENIX Sec'16), (Austin, TX, USA), August 2016. PDF BibTeX Data set Slides
    @inproceedings{andriesse-sec-2016, author = {Dennis Andriesse and Xi Chen and Victor {van der Veen} and Asia Slowinska and Herbert Bos}, title = {{An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries}}, booktitle = {{Proceedings of the 25th USENIX Security Symposium (USENIX Sec'16)}}, publisher = {{USENIX}}, address = {{Austin, TX, USA}}, month = {August}, year = {2016} } × « Download citation »     « Close »

2015

  • D. Andriesse, V. van der Veen (joint first author), E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, “Practical Context-Sensitive CFI”, in Proceedings of the 22nd Conference on Computer and Communications Security (CCS'15), (Denver, CO, USA), ACM, October 2015. PDF BibTeX Source Slides
    @inproceedings{andriesse-ccs-2015, author = {Dennis Andriesse and Victor {van der Veen} and Enes G{\"o}kta{\c s} and Ben Gras and Lionel Sambuc and Asia Slowinska and Herbert Bos and Cristiano Giuffrida}, title = {{Practical Context-Sensitive CFI}}, booktitle = {{Proceedings of the 22nd Conference on Computer and Communications Security (CCS'15)}}, publisher = {{ACM}}, address = {{Denver, CO, USA}}, month = {October}, year = {2015} } × « Download citation »     « Close »
  • D. Andriesse, C. Rossow, and H. Bos, “Reliable Recon in Adversarial Peer-to-Peer Botnets”, in Proceedings of the 15th Internet Measurement Conference (IMC'15), (Tokyo, Japan), ACM, October 2015. PDF BibTeX Addendum Slides
    @inproceedings{andriesse-imc-2015, author = {Dennis Andriesse and Christian Rossow and Herbert Bos}, title = {{Reliable Recon in Adversarial Peer-to-Peer Botnets}}, booktitle = {{Proceedings of the 15th Internet Measurement Conference (IMC'15)}}, publisher = {ACM}, address = {Tokyo, Japan}, month = {October}, year = {2015} } × « Download citation »     « Close »
  • D. Andriesse, H. Bos, and A. Slowinska, “Parallax: Implicit Code Integrity Verification Using Return-Oriented Programming”, in Proceedings of the 45th Conference on Dependable Systems and Networks (DSN'15), (Rio de Janeiro, Brazil), IEEE Computer Society, June 2015. PDF BibTeX Slides
    @inproceedings{andriesse-dsn-2015, author = {Dennis Andriesse and Herbert Bos and Asia Slowinska}, title = {{Parallax: Implicit Code Integrity Verification Using Return-Oriented Programming}}, booktitle = {{Proceedings of the 45th Conference on Dependable Systems and Networks (DSN'15)}}, publisher = {{IEEE Computer Society}}, address = {{Rio de Janeiro, Brazil}}, month = {June}, year = {2015}, } × « Download citation »     « Close »
  • X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida, “StackArmor: Comprehensive Protection from Stack-Based Memory Error Vulnerabilities for Binaries”, in Proceedings of the Network and Distributed System Security Symposium (NDSS’15), (San Diego, CA, USA), Internet Society, February 2015. PDF BibTeX
    @inproceedings{chen-ndss-2015, author = {Xi Chen and Asia Slowinska and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida}, title = {{StackArmor: Comprehensive Protection from Stack-Based Memory Error Vulnerabilities for Binaries}}, booktitle = {{Proceedings of the Network and Distributed System Security Symposium (NDSS'15)}}, publisher = {{Internet Society}}, address = {{San Diego, CA, USA}}, month = {February}, year = {2015}, } × « Download citation »     « Close »

2014

  • D. Andriesse and H. Bos, “Instruction-Level Steganography for Covert Trigger-Based Malware (Extended Abstract)”, in Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’14), (London, United Kingdom), Springer-Verlag, July 2014. PDF BibTeX Slides
    @inproceedings{andriesse-dimva-2014, author = {Dennis Andriesse and Herbert Bos}, title = {{Instruction-Level Steganography for Covert Trigger-Based Malware}}, booktitle = {{Proceedings of the 11th Conference on Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA'14)}}, publisher = {{Springer-Verlag}}, address = {{London, United Kingdom}}, month = {July}, year = {2014}, } × « Download citation »     « Close »

2013

  • D. Andriesse, C. Rossow, B. Stone-Gross, D. Plohmann, and H. Bos, “Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus”, in Proceedings of the 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE’13), (Fajardo, Puerto Rico, USA), IEEE Computer Society, October 2013. PDF BibTeX
    @inproceedings{andriesse-malware-2013, author = {Dennis Andriesse and Christian Rossow and Brett {Stone-Gross} and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, booktitle = {{Proceedings of the 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE'13)}}, publisher = {{IEEE Computer Society}}, address = {{Fajardo, Puerto Rico, USA}}, month = {October}, year = {2013}, } × « Download citation »     « Close »
    Since the publication of our MALWARE’13 paper, P2P Zeus has seen several updates. Most notably, some recent variants use the DGA as the main C2 channel instead of the P2P proxy layer. For a technical reference, it is therefore best to refer to our periodically updated technical report.
  • C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. Dietrich, and H. Bos, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets”, in Proceedings of the 34th IEEE Symposium on Security and Privacy (S&P’13), (San Francisco, CA, USA), IEEE Computer Society, May 2013. PDF BibTeX
    @inproceedings{rossow-oakland-2013, author = {Christian Rossow and Dennis Andriesse and Tillmann Werner and Brett {Stone-Gross} and Daniel Plohmann and Christian Dietrich and Herbert Bos}, title = {{P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets}}, booktitle = {{Proceedings of the 34th IEEE Symposium on Security and Privacy (Oakland'13)}}, publisher = {{IEEE Computer Society}}, address = {{San Francisco, CA, USA}}, month = {May}, year = {2013}, } × « Download citation »     « Close »

Preprints

Technical Reports

  • D. Andriesse, C. Rossow and H. Bos, “Distributed Crawler Detection in Peer-to-Peer Botnets”, Technical Report IR-CS-77, VU University Amsterdam, October 2015. PDF BibTeX
    @techreport{andriesse-crawlers-2015, author = {Dennis Andriesse and Christian Rossow and Herbert Bos}, title = {{Distributed Crawler Detection in Peer-to-Peer Botnets}}, institution = {{VU University Amsterdam}}, number = {{IR-CS-77}}, year = {2015}, month = {October}, } × « Download citation »     « Close »
  • D. Andriesse and H. Bos, “An Analysis of the Zeus Peer-to-Peer Protocol”, Technical Report IR-CS-74, VU University Amsterdam, May 2013 (last revised April 2014). PDF BibTeX
    @techreport{andriesse-zeus-2013, author = {Dennis Andriesse and Herbert Bos}, title = {{An Analysis of the Zeus Peer-to-Peer Protocol}}, institution = {{VU University Amsterdam}}, number = {{IR-CS-74}}, year = {2013}, month = {May}, } × « Download citation »     « Close »

Theses

Reviewing and Organizing

EuroS&P’19
PC member

CCS’18
PC member

WOOT’18
PC member

ACM Computing Surveys (CSUR)
Reviewer (July’18)

ICDCS’18
PC member (short track)

EuroSys’18
Shadow PC member

Selected x86 Low-level Attacks and Mitigations
PhD thesis, University of Bergen, Norway
Evaluation committee member (Oct’17)

IEEE Security&Privacy Magazine
Reviewer (Aug’17)

Journal of Computer Security
Reviewer (May’17)

ASPLOS’17
External reviewer

MALCON’16
External reviewer

RAID’15
Session chair “Hardening”

Code

iCi

iCi is the first real-time on-the-fly dynamic function detection approach. It's based on Pin, and can efficiently and automatically instrument calls at runtime, including conventional calls and jmp-based calls such as tail-calls. iCi does not require source code, debug information, symbol tables or static analysis. See our paper for more details. 

git clone https://github.com/Frky/iCi

Nucleus

Nucleus is a compiler-agnostic function detector that can accurately perform both function start and function boundary detection in binaries, with only minimal assumptions on function or binary layout. It can naturally handle tough cases, such as non-contiguous and indirectly called functions, without any dependence on function signatures. The source is available at https://bitbucket.org/vusec/nucleus. 

git clone https://bitbucket.org/vusec/nucleus.git

Nucleus can also output an IDA Python script that can import the function detection results into IDA Pro. This allows easy integration into larger reverse engineering projects. 

nucleus -d linear -i idafuncs.py -e <binary>

PathArmor

PathArmor (published at CCS'15) is the first practical Context-sensitive Control-Flow Integrity (CFI) platform. Related work demonstrates that prior CFI implementations, which track control transfers individually, still leave sufficient leeway for powerful ROP attacks. Context-sensitive CFI improves security by validating control transfers to sensitive program states within the context of preceding edges, greatly reducing the number of exploitable program paths available to an attacker. PathArmor is available open-source at https://github.com/dennisaa/patharmor. 

git clone https://github.com/dennisaa/patharmor.git

Data Sets

Disassembly

We have released all ground truth files and disassembly results used in our paper “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries” (main project page). We also provide a tutorial on how to parse and use our ground truth in your own evaluations. Some of our tests make use of the SPEC CPU2006 benchmark suite. Due to licensing issues, we cannot share those binaries directly. Instead, we release a virtual machine in which you can insert your own copy of SPEC, and then use our scripts to compile it and generate all necessary files. The VM (after running the required scripts) contains all ground truth and result files. We also offer a more lightweight tar file which contains everything except the SPEC binaries.

∴  Tar/gzip archive with all results and binaries, except the SPEC binaries (525 MB).
∴  Virtual Machine with all results, and scripts to generate binaries (5.9 GB). Instructions can be found in ~/disasm/README. 

Login (username/password): disasm/disasm

Contact

Dennis Andriesse
52%5D2%3F5C%3A6DD6o76H%5DGF%5D%3F%3Dda.andriesse‹ατ›few.vu.nl
[SSH key]   [PGP key]
A82C A27D 4A27 CF84 7C23
BC58 BAD7 CA8E F693 94DD
Department of Computer Science
VU University Faculty of Sciences
De Boelelaan 1081a
1081 HV Amsterdam
The Netherlands

Links

  dblp
  Google Scholar
  Semantic Scholar
  Blog

Mirrors

www.few.vu.nl/~da.andriesse
syssec.mistakenot.net

Copyright © 2018 Dennis Andriesse.