Daniel Andriesse

I’m a researcher at Intel. Before that, I was a postdoctoral researcher in the System and Network Security Group at Vrije Universiteit Amsterdam. I obtained my Ph.D. (cum laude) at Vrije Universiteit Amsterdam in June 2017 for my thesis entitled “Analyzing and Securing Binaries Through Static Disassembly,” winning the Roger Needham Ph.D. Award at EuroSys 2018, and the ACM SIGSAC Doctoral Dissertation Award at CCS 2018. I'm also the author of Practical Binary Analysis. You can download my CV here.

My research areas at Intel include CPU glitching and side channels. My academic research focused on reverse engineering, binary analysis, and binary-level security techniques including memory protection and control-flow integrity. Some of my research on function detection has been integrated into Binary Ninja. Next to that, I have also worked on binary (de)obfuscation and advanced malware; particularly targeted malware and botnet C2 channels. I was one of the main reverse engineers and attack developers in Operation Tovar, the takedown of the notorious Gameover ZeuS P2P botnet. You can read more about that in our research papers or in the media.

Practical Binary Analysis

Practical Binary Analysis covers all major binary analysis topics in an accessible way, from binary formats, disassembly, and basic analysis to advanced techniques like binary instrumentation, taint analysis, and symbolic execution. Download the accompanying virtual machine, example code, and a sample chapter here. Now available in Polish, Korean, Japanese, and Chinese (Mandarin)!

Publications

Peer-Reviewed Papers

2020

M. Kurth, B. Gras, D. Andriesse, C. Giuffrida, H. Bos, and K. Razavi, “NetCAT: Practical Cache Attacks from the Network,” in Proceedings of the 41^st IEEE Symposium on Security and Privacy (S&P'20), (San Francisco, CA, USA), May 2020. PDF BibTeX
@inproceedings{netcat_sp2020, author = {Kurth, Michael and Gras, Ben and Andriesse, Dennis and Giuffrida, Cristiano and Bos, Herbert and Razavi, Kaveh}, title = {{NetCAT}: {Practical} {Cache} {Attacks} from the {Network}}, booktitle = {{Proceedings of the 41st IEEE Symposium on Security and Privacy (S\&P'20)}}, publisher = {{IEEE}}, address = {{San Francisco, CA, USA}}, month = {May}, year = {2020} } × « Download citation » « Close »

2019

A. Pawlowski, V. van der Veen, D. Andriesse, E. van der Kouwe, T. Holz, C. Giuffrida, and H. Bos, “VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching,” in Proceedings of the 35^th Annual Computer Security Applications Conference (ACSAC'19), (San Juan, PR, USA), December 2019. PDF BibTeX
@inproceedings{acsac2019, author = {A. Pawlowski and V. van der Veen and D. Andriesse and E. van der Kouwe and T. Holz and C. Giuffrida and H. Bos}, title = {{VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching}}, booktitle = {{Proceedings of the 2019 Annual Computer Security Applications Conference (ACSAC'19)}}, month = {December}, year = {2019} } × « Download citation » « Close »
E. van der Kouwe, G. Heiser, D. Andriesse, H. Bos, and C. Giuffrida, “SoK: Benchmarking Flaws in Systems Security,” in Proceedings of the 4^th IEEE European Symposium on Security and Privacy (EuroS&P'19), (Stockholm, Sweden), June 2019. PDF BibTeX
@inproceedings{benchcrimes-eurosp-2019, author = {Erik van der Kouwe and Gernot Heiser and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida}, title = {{SoK: Benchmarking Flaws in Systems Security}}, booktitle = {{Proceedings of the 4th IEEE European Symposium on Security and Privacy (EuroS\&P'19)}}, publisher = {{IEEE}}, address = {{Stockholm, Sweden}}, month = {June}, year = {2019} } × « Download citation » « Close »

2018

F. de Goër, S. Rawat, D. Andriesse, H. Bos, and R. Groz, “Now You See Me: Real-time Dynamic Function Call Detection,” in Proceedings of the 2018 Annual Computer Security Applications Conference (ACSAC'18), (San Juan, Puerto Rico, USA), December 2018. PDF BibTeX Source
@inproceedings{acsac2018, author = {Franck de Go\"er and Sanjay Rawat and Dennis Andriesse and Herbert Bos and Roland Groz}, title = {{Now You See Me: Real-time Dynamic Function Call Detection}}, booktitle = {{Proceedings of the 2018 Annual Computer Security Applications Conference (ACSAC'18)}}, month = {December}, year = {2018} } × « Download citation » « Close »
R. K. Konoth, M. Oliverio, A. Tatar, D. Andriesse, H. Bos, C. Giuffrida, and K. Razavi, “ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks,” in Proceedings of the 13^th USENIX Symposium on Operating Systems Design and Implementation (OSDI'18), (Carlsbad, CA, USA), October 2018. PDF BibTeX
@inproceedings{osdi2018, author = {Radhesh Krishnan Konoth and Marco Oliverio and Andrei Tatar and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida and Kaveh Razavi}, title = {{ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks}}, booktitle = {{Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI'18)}}, publisher = {{USENIX}}, address = {{Carlsbad, CA, USA}}, month = {October}, year = {2018} } × « Download citation » « Close »

2017

V. van der Veen, D. Andriesse, M. Stamatogiannakis, X. Chen, H. Bos, and C. Giuffrida, “The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later,” in Proceedings of the 24^th Conference on Computer and Communications Security (CCS'17), (Dallas, TX, USA), October 2017. PDF BibTeX
@inproceedings{ccs2017, author = {Victor van der Veen and Dennis Andriesse and Manolis Stamatogiannakis and Xi Chen and Herbert Bos and Cristiano Giuffrida}, title = {{The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later}}, booktitle = {{Proceedings of the 24th Conference on Computer and Communications Security (CCS'17)}}, publisher = {{ACM}}, address = {{Dallas, TX, USA}}, month = {October}, year = {2017} } × « Download citation » « Close »
D. Andriesse, A. Slowinska, and H. Bos, “Compiler-Agnostic Function Detection in Binaries,” in Proceedings of the 2^nd IEEE European Symposium on Security and Privacy (EuroS&P'17), (Paris, France), April 2017. (Best Paper Award) PDF BibTeX Source Slides
@inproceedings{andriesse-eurosp-2017, author = {Dennis Andriesse and Asia Slowinska and Herbert Bos}, title = {{Compiler-Agnostic Function Detection in Binaries}}, booktitle = {{Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS\&P'17)}}, publisher = {{IEEE}}, address = {{Paris, France}}, month = {April}, year = {2017} } × « Download citation » « Close »

2016

D. Andriesse, X. Chen, V. van der Veen, A. Slowinska, and H. Bos, “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries,” in Proceedings of the 25^th USENIX Security Symposium (USENIX Sec'16), (Austin, TX, USA), August 2016. PDF BibTeX Data set Slides
@inproceedings{andriesse-sec-2016, author = {Dennis Andriesse and Xi Chen and Victor {van der Veen} and Asia Slowinska and Herbert Bos}, title = {{An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries}}, booktitle = {{Proceedings of the 25th USENIX Security Symposium (USENIX Sec'16)}}, publisher = {{USENIX}}, address = {{Austin, TX, USA}}, month = {August}, year = {2016} } × « Download citation » « Close »

2015

D. Andriesse, V. van der Veen (joint first author), E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, “Practical Context-Sensitive CFI,” in Proceedings of the 22^nd Conference on Computer and Communications Security (CCS'15), (Denver, CO, USA), ACM, October 2015. PDF BibTeX Source Slides
@inproceedings{andriesse-ccs-2015, author = {Dennis Andriesse and Victor {van der Veen} and Enes G{\"o}kta{\c s} and Ben Gras and Lionel Sambuc and Asia Slowinska and Herbert Bos and Cristiano Giuffrida}, title = {{Practical Context-Sensitive CFI}}, booktitle = {{Proceedings of the 22nd Conference on Computer and Communications Security (CCS'15)}}, publisher = {{ACM}}, address = {{Denver, CO, USA}}, month = {October}, year = {2015} } × « Download citation » « Close »
D. Andriesse, C. Rossow, and H. Bos, “Reliable Recon in Adversarial Peer-to-Peer Botnets,” in Proceedings of the 15^th Internet Measurement Conference (IMC'15), (Tokyo, Japan), ACM, October 2015. PDF BibTeX Addendum Slides
@inproceedings{andriesse-imc-2015, author = {Dennis Andriesse and Christian Rossow and Herbert Bos}, title = {{Reliable Recon in Adversarial Peer-to-Peer Botnets}}, booktitle = {{Proceedings of the 15th Internet Measurement Conference (IMC'15)}}, publisher = {ACM}, address = {Tokyo, Japan}, month = {October}, year = {2015} } × « Download citation » « Close »
D. Andriesse, H. Bos, and A. Slowinska, “Parallax: Implicit Code Integrity Verification Using Return-Oriented Programming,” in Proceedings of the 45^th Conference on Dependable Systems and Networks (DSN'15), (Rio de Janeiro, Brazil), IEEE Computer Society, June 2015. PDF BibTeX Slides
@inproceedings{andriesse-dsn-2015, author = {Dennis Andriesse and Herbert Bos and Asia Slowinska}, title = {{Parallax: Implicit Code Integrity Verification Using Return-Oriented Programming}}, booktitle = {{Proceedings of the 45th Conference on Dependable Systems and Networks (DSN'15)}}, publisher = {{IEEE Computer Society}}, address = {{Rio de Janeiro, Brazil}}, month = {June}, year = {2015}, } × « Download citation » « Close »
X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida, “StackArmor: Comprehensive Protection from Stack-Based Memory Error Vulnerabilities for Binaries,” in Proceedings of the Network and Distributed System Security Symposium (NDSS’15), (San Diego, CA, USA), Internet Society, February 2015. PDF BibTeX
@inproceedings{chen-ndss-2015, author = {Xi Chen and Asia Slowinska and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida}, title = {{StackArmor: Comprehensive Protection from Stack-Based Memory Error Vulnerabilities for Binaries}}, booktitle = {{Proceedings of the Network and Distributed System Security Symposium (NDSS'15)}}, publisher = {{Internet Society}}, address = {{San Diego, CA, USA}}, month = {February}, year = {2015}, } × « Download citation » « Close »

2014

D. Andriesse and H. Bos, “Instruction-Level Steganography for Covert Trigger-Based Malware (Extended Abstract),” in Proceedings of the 11^th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’14), (London, United Kingdom), Springer-Verlag, July 2014. PDF BibTeX Slides
@inproceedings{andriesse-dimva-2014, author = {Dennis Andriesse and Herbert Bos}, title = {{Instruction-Level Steganography for Covert Trigger-Based Malware}}, booktitle = {{Proceedings of the 11th Conference on Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA'14)}}, publisher = {{Springer-Verlag}}, address = {{London, United Kingdom}}, month = {July}, year = {2014}, } × « Download citation » « Close »

2013

D. Andriesse, C. Rossow, B. Stone-Gross, D. Plohmann, and H. Bos, “Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus,” in Proceedings of the 8^th IEEE International Conference on Malicious and Unwanted Software (MALWARE’13), (Fajardo, Puerto Rico, USA), IEEE Computer Society, October 2013. PDF BibTeX
@inproceedings{andriesse-malware-2013, author = {Dennis Andriesse and Christian Rossow and Brett {Stone-Gross} and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, booktitle = {{Proceedings of the 8th IEEE International Conference on Malicious and Unwanted Software (MALWARE'13)}}, publisher = {{IEEE Computer Society}}, address = {{Fajardo, Puerto Rico, USA}}, month = {October}, year = {2013}, } × « Download citation » « Close »

Since the publication of our MALWARE’13 paper, P2P Zeus has seen several updates. Most notably, some recent variants use the DGA as the main C2 channel instead of the P2P proxy layer. For a technical reference, it is therefore best to refer to our periodically updated technical report.
C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. Dietrich, and H. Bos, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets,” in Proceedings of the 34^th IEEE Symposium on Security and Privacy (S&P’13), (San Francisco, CA, USA), IEEE Computer Society, May 2013. PDF BibTeX
@inproceedings{rossow-oakland-2013, author = {Christian Rossow and Dennis Andriesse and Tillmann Werner and Brett {Stone-Gross} and Daniel Plohmann and Christian Dietrich and Herbert Bos}, title = {{P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets}}, booktitle = {{Proceedings of the 34th IEEE Symposium on Security and Privacy (Oakland'13)}}, publisher = {{IEEE Computer Society}}, address = {{San Francisco, CA, USA}}, month = {May}, year = {2013}, } × « Download citation » « Close »

Preprints

E. van der Kouwe, D. Andriesse, H. Bos, C. Giuffrida and G. Heiser, “Benchmarking Crimes: An Emerging Threat in Systems Security,” Preprint (arXiv:1801.02381), January 2018. PDF BibTeX
@misc{benchcrimes-arxiv-1801.02381, author = {Erik van der Kouwe and Dennis Andriesse and Herbert Bos and Cristiano Giuffrida and Gernot Heiser}, title = {{Benchmarking Crimes: An Emerging Threat in Systems Security}}, year = {2018}, eprint = {arXiv:1801.02381}, } × « Download citation » « Close »

Technical Reports

D. Andriesse, C. Rossow and H. Bos, “Distributed Crawler Detection in Peer-to-Peer Botnets,” Technical Report IR-CS-77, VU University Amsterdam, October 2015. PDF BibTeX
@techreport{andriesse-crawlers-2015, author = {Dennis Andriesse and Christian Rossow and Herbert Bos}, title = {{Distributed Crawler Detection in Peer-to-Peer Botnets}}, institution = {{VU University Amsterdam}}, number = {{IR-CS-77}}, year = {2015}, month = {October}, } × « Download citation » « Close »
D. Andriesse and H. Bos, “An Analysis of the Zeus Peer-to-Peer Protocol,” Technical Report IR-CS-74, VU University Amsterdam, May 2013 (last revised April 2014). PDF BibTeX
@techreport{andriesse-zeus-2013, author = {Dennis Andriesse and Herbert Bos}, title = {{An Analysis of the Zeus Peer-to-Peer Protocol}}, institution = {{VU University Amsterdam}}, number = {{IR-CS-74}}, year = {2013}, month = {May}, } × « Download citation » « Close »

Theses

D. Andriesse, “Analyzing and Securing Binaries Through Static Disassembly,” Ph.D. thesis (promotor Herbert Bos and copromotor Asia Slowinska), Vrije Universiteit Amsterdam, June 2017. (Roger Needham Ph.D. Award, ACM SIGSAC Doctoral Dissertation Award) PDF Cover BibTeX
@phdthesis{andriesse-thesis-2017, author = {Dennis Andriesse}, title = {{Analyzing and Securing Binaries Through Static Disassembly}}, school = {{Vrije Universiteit Amsterdam}}, year = {2017}, month = {June} } × « Download citation » « Close »
D. Andriesse, “A Comparative Analysis of the Resilience of Peer-to-Peer Botnets,” M.Sc. thesis (advisors Herbert Bos and Christian Rossow), Vrije Universiteit Amsterdam, August 2012. PDF BibTeX
@mastersthesis{andriesse-thesis-2012, author = {Dennis Andriesse}, title = {{A Comparative Analysis of the Resilience of Peer-to-Peer Botnets}}, school = {{VU University Amsterdam}}, year = {2012}, month = {August}, type = {M.Sc. Thesis} } × « Download citation » « Close »
D. Andriesse, “Feasibility of the RFID Guardian as a Relay Attack Platform,” B.Sc. thesis (advisors Melanie Rieback and Rutger Hofman), Vrije Universiteit Amsterdam, June 2010. PDF BibTeX
@mastersthesis{andriesse-thesis-2010, author = {Dennis Andriesse}, title = {{Feasibility of the RFID Guardian as a relay attack platform}}, school = {{VU University Amsterdam}}, year = {2010}, month = {June}, type = {B.Sc. Thesis} } × « Download citation » « Close »

^*Note that much of my research was published as Dennis Andriesse.

Reviewing and Organizing

Transactions on Programming Languages and Systems
Reviewer (May’21)

BAR’20
PC member

IEEE Security&Privacy Magazine
Reviewer (Oct’19)

EuroS&P’19
PC member

CCS’18
PC member

WOOT’18
PC member

ACM Computing Surveys (CSUR)
Reviewer (July’18)

ICDCS’18
PC member (short track)

EuroSys’18
Shadow PC member

Selected x86 Low-level Attacks and Mitigations
PhD thesis, University of Bergen, Norway
Evaluation committee member (Oct’17)

IEEE Security&Privacy Magazine
Reviewer (Aug’17)

Journal of Computer Security
Reviewer (May’17)

ASPLOS’17
External reviewer

MALCON’16
External reviewer

RAID’15
Session chair “Hardening”

Code

iCi

iCi is the first real-time on-the-fly dynamic function detection approach. It's based on Pin, and can efficiently and automatically instrument calls at runtime, including conventional calls and jmp-based calls such as tail-calls. iCi does not require source code, debug information, symbol tables or static analysis. See our paper for more details.

git clone https://github.com/Frky/iCi

Nucleus

Nucleus is a compiler-agnostic function detector that can accurately perform both function start and function boundary detection in binaries, with only minimal assumptions on function or binary layout. It can naturally handle tough cases, such as non-contiguous and indirectly called functions, without any dependence on function signatures. The source is available at https://bitbucket.org/vusec/nucleus.

git clone https://bitbucket.org/vusec/nucleus.git

Nucleus can also output an IDA Python script that can import the function detection results into IDA Pro. This allows easy integration into larger reverse engineering projects.

nucleus -d linear -i idafuncs.py -e <binary>

PathArmor

PathArmor (published at CCS'15) is the first practical Context-sensitive Control-Flow Integrity (CFI) platform. Related work demonstrates that prior CFI implementations, which track control transfers individually, still leave sufficient leeway for powerful ROP attacks. Context-sensitive CFI improves security by validating control transfers to sensitive program states within the context of preceding edges, greatly reducing the number of exploitable program paths available to an attacker. PathArmor is available open-source at https://github.com/dennisaa/patharmor.

git clone https://github.com/dennisaa/patharmor.git

Data Sets

Disassembly

We have released all ground truth files and disassembly results used in our paper “An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries” (main project page). Some of our tests make use of the SPEC CPU2006 benchmark suite. Due to licensing issues, we cannot share those binaries directly. Instead, we release a virtual machine in which you can insert your own copy of SPEC, and then use our scripts to compile it and generate all necessary files. The VM (after running the required scripts) contains all ground truth and result files. We also offer a more lightweight tar file which contains everything except the SPEC binaries.

∴ Tar/gzip archive with all results and binaries, except the SPEC binaries (525 MB).
∴ Virtual Machine with all results, and scripts to generate binaries (5.9 GB). Instructions can be found in ~/disasm/README.

Login (username/password): disasm/disasm