Daniel Andriesse
I’m a researcher at Intel. Before that, I was a postdoctoral researcher in the System and Network Security Group at Vrije Universiteit Amsterdam. I obtained my Ph.D. (cum laude) at Vrije Universiteit Amsterdam in June 2017 for my thesis entitled “Analyzing and Securing Binaries Through Static Disassembly,” winning the Roger Needham Ph.D. Award at EuroSys 2018, and the ACM SIGSAC Doctoral Dissertation Award at CCS 2018. I'm also the author of Practical Binary Analysis. You can download my CV here.
My research areas at Intel include CPU glitching and side channels. My academic research focused on reverse engineering, binary analysis, and binary-level security techniques including memory protection and control-flow integrity. Some of my research on function detection has been integrated into Binary Ninja. Next to that, I have also worked on binary (de)obfuscation and advanced malware, particularly targeted malware and botnet C2 channels. I was one of the main reverse engineers and attack developers in Operation Tovar, the takedown of the notorious Gameover ZeuS P2P botnet. You can read more about that in our research papers or in the media.

Practical Binary Analysis
Practical Binary Analysis covers all major binary analysis topics in an accessible way, from binary formats, disassembly, and basic analysis to advanced techniques like binary instrumentation, taint analysis, and symbolic execution. Download the accompanying virtual machine, example code, and a sample chapter here. Now available in Polish, Korean, Japanese, and Chinese (Mandarin)!

Publications
Peer-Reviewed Papers
2020
- M. Kurth, B. Gras, D. Andriesse, C. Giuffrida, H. Bos, and K. Razavi, “NetCAT: Practical Cache Attacks from the Network,” in Proceedings of the 41st IEEE Symposium on Security and Privacy (S&P'20), (San Francisco, CA, USA), May 2020. PDF BibTeX
2019
- A. Pawlowski, V. van der Veen, D. Andriesse, E. van der Kouwe, T. Holz, C. Giuffrida, and H. Bos, “VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching,” in Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC'19), (San Juan, PR, USA), December 2019. PDF BibTeX
- E. van der Kouwe, G. Heiser, D. Andriesse, H. Bos, and C. Giuffrida, “SoK: Benchmarking Flaws in Systems Security,” in Proceedings of the 4th IEEE European Symposium on Security and Privacy (EuroS&P'19), (Stockholm, Sweden), June 2019. PDF BibTeX
2018
- F. de Goër, S. Rawat, D. Andriesse, H. Bos, and R. Groz, “Now You See Me: Real-time Dynamic Function Call Detection,” in Proceedings of the 2018 Annual Computer Security Applications Conference (ACSAC'18), (San Juan, Puerto Rico, USA), December 2018. PDF BibTeX Source
- R. K. Konoth, M. Oliverio, A. Tatar, D. Andriesse, H. Bos, C. Giuffrida, and K. Razavi, “ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks,” in Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI'18), (Carlsbad, CA, USA), October 2018. PDF BibTeX
2017
- V. van der Veen, D. Andriesse, M. Stamatogiannakis, X. Chen, H. Bos, and C. Giuffrida, “The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later,” in Proceedings of the 24th Conference on Computer and Communications Security (CCS'17), (Dallas, TX, USA), October 2017. PDF BibTeX
- D. Andriesse, A. Slowinska, and H. Bos, “Compiler-Agnostic Function Detection in Binaries,” in Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P'17), (Paris, France), April 2017. (Best Paper Award) PDF BibTeX Source Slides
2016
- D. Andriesse, X. Chen, V. van der Veen, A. Slowinska, and H. Bos, “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries,” in Proceedings of the 25th USENIX Security Symposium (USENIX Sec'16), (Austin, TX, USA), August 2016. PDF BibTeX Data set Slides
2015
- D. Andriesse, V. van der Veen (joint first author), E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, “Practical Context-Sensitive CFI,” in Proceedings of the 22nd Conference on Computer and Communications Security (CCS'15), (Denver, CO, USA), ACM, October 2015. PDF BibTeX Source Slides
- D. Andriesse, C. Rossow, and H. Bos, “Reliable Recon in Adversarial Peer-to-Peer Botnets,” in Proceedings of the 15th Internet Measurement Conference (IMC'15), (Tokyo, Japan), ACM, October 2015. PDF BibTeX Addendum Slides
- D. Andriesse, H. Bos, and A. Slowinska, “Parallax: Implicit Code Integrity Verification Using Return-Oriented Programming,” in Proceedings of the 45th Conference on Dependable Systems and Networks (DSN'15), (Rio de Janeiro, Brazil), IEEE Computer Society, June 2015. PDF BibTeX Slides
- X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida, “StackArmor: Comprehensive Protection from Stack-Based Memory Error Vulnerabilities for Binaries,” in Proceedings of the Network and Distributed System Security Symposium (NDSS’15), (San Diego, CA, USA), Internet Society, February 2015. PDF BibTeX
2014
- D. Andriesse and H. Bos, “Instruction-Level Steganography for Covert Trigger-Based Malware (Extended Abstract),” in Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’14), (London, United Kingdom), Springer-Verlag, July 2014. PDF BibTeX Slides
2013
- D. Andriesse, C. Rossow, B. Stone-Gross, D. Plohmann, and H. Bos, “Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus,” in Proceedings of the 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE’13), (Fajardo, Puerto Rico, USA), IEEE Computer Society, October 2013. PDF BibTeX
Since the publication of our MALWARE’13 paper, P2P Zeus has seen several updates. Most notably, some recent variants use the DGA as the main C2 channel instead of the P2P proxy layer. For a technical reference, it is therefore best to refer to our periodically updated technical report.
- C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. Dietrich, and H. Bos, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets,” in Proceedings of the 34th IEEE Symposium on Security and Privacy (S&P’13), (San Francisco, CA, USA), IEEE Computer Society, May 2013. PDF BibTeX
Preprints
- E. van der Kouwe, D. Andriesse, H. Bos, C. Giuffrida and G. Heiser, “Benchmarking Crimes: An Emerging Threat in Systems Security,” Preprint (arXiv:1801.02381), January 2018. PDF BibTeX
Technical Reports
- D. Andriesse, C. Rossow and H. Bos, “Distributed Crawler Detection in Peer-to-Peer Botnets,” Technical Report IR-CS-77, VU University Amsterdam, October 2015. PDF BibTeX
- D. Andriesse and H. Bos, “An Analysis of the Zeus Peer-to-Peer Protocol,” Technical Report IR-CS-74, VU University Amsterdam, May 2013 (last revised April 2014). PDF BibTeX
Theses
- D. Andriesse, “Analyzing and Securing Binaries Through Static Disassembly,” Ph.D. thesis (promotor Herbert Bos and copromotor Asia Slowinska), Vrije Universiteit Amsterdam, June 2017. (Roger Needham Ph.D. Award, ACM SIGSAC Doctoral Dissertation Award) PDF Cover BibTeX
- D. Andriesse, “A Comparative Analysis of the Resilience of Peer-to-Peer Botnets,” M.Sc. thesis (advisors Herbert Bos and Christian Rossow), Vrije Universiteit Amsterdam, August 2012. PDF BibTeX
- D. Andriesse, “Feasibility of the RFID Guardian as a Relay Attack Platform,” B.Sc. thesis (advisors Melanie Rieback and Rutger Hofman), Vrije Universiteit Amsterdam, June 2010. PDF BibTeX
Reviewing and Organizing
Transactions on Programming Languages and Systems
Reviewer (May’21)
BAR’20
PC member
IEEE Security&Privacy Magazine
Reviewer (Oct’19)
EuroS&P’19
PC member
CCS’18
PC member
WOOT’18
PC member
ACM Computing Surveys (CSUR)
Reviewer (July’18)
ICDCS’18
PC member (short track)
EuroSys’18
Shadow PC member
Selected x86 Low-level Attacks and Mitigations
PhD thesis, University of Bergen, Norway
Evaluation committee member (Oct’17)
IEEE Security&Privacy Magazine
Reviewer (Aug’17)
Journal of Computer Security
Reviewer (May’17)
ASPLOS’17
External reviewer
MALCON’16
External reviewer
RAID’15
Session chair “Hardening”
Code
iCi
iCi is the first real-time on-the-fly dynamic function detection approach. It's based on Pin, and can efficiently and automatically instrument calls at runtime, including conventional calls and jmp-based calls such as tail-calls. iCi does not require source code, debug information, symbol tables or static analysis. See our paper for more details.
git clone https://github.com/Frky/iCi
Nucleus
Nucleus is a compiler-agnostic function detector that can accurately perform both function start and function boundary detection in binaries, with only minimal assumptions on function or binary layout. It can naturally handle tough cases, such as non-contiguous and indirectly called functions, without any dependence on function signatures. The source is available at https://bitbucket.org/vusec/nucleus.
git clone https://bitbucket.org/vusec/nucleus.git
Nucleus can also output an IDA Python script that can import the function detection results into IDA Pro. This allows easy integration into larger reverse engineering projects.
nucleus -d linear -i idafuncs.py -e <binary>
PathArmor
PathArmor (published at CCS'15) is the first practical Context-sensitive Control-Flow Integrity (CFI) platform. Related work demonstrates that prior CFI implementations, which track control transfers individually, still leave sufficient leeway for powerful ROP attacks. Context-sensitive CFI improves security by validating control transfers to sensitive program states within the context of preceding edges, greatly reducing the number of exploitable program paths available to an attacker. PathArmor is available open-source at https://github.com/dennisaa/patharmor.
git clone https://github.com/dennisaa/patharmor.git
Data Sets
Disassembly
We have released all ground truth files and disassembly results used in our paper “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries” (main project page). Some of our tests make use of the SPEC CPU2006 benchmark suite. Due to licensing issues, we cannot share those binaries directly. Instead, we release a virtual machine in which you can insert your own copy of SPEC, and then use our scripts to compile it and generate all necessary files. The VM (after running the required scripts) contains all ground truth and result files. We also offer a more lightweight tar file which contains everything except the SPEC binaries.
∴ Tar/gzip archive with all results and binaries, except the SPEC binaries (525 MB).
∴ Virtual Machine with all results, and scripts to generate binaries (5.9 GB). Instructions can be found in ~/disasm/README.
Login (username/password): disasm/disasm