Software Security

Flaws in a single line of code can result in data loss, unexpected or malicious software behavior, covert monitoring or even system failure. Examples of common software security attacks include buffer overflow, command injection and SQL injection attacks.

While secure software development techniques are at the heart of software security, incorporating techniques such as software diversity and sophisticated automated testing and assurance practices further fortifies software. Excellence in software architecture is also critical.

Below, meet UCI’s software security researchers and a selection of research, completed and underway, at UCI today.

Research Faculty

Alfred Chen

Assistant Professor of Computer Science

Brian Demsky

Professor of Electrical Engineering & Computer Science

Michael Franz

Chancellor's Professor of Computer Science

Joshua Garcia

Assistant Professor of Informatics

Sam Malek

Associate Professor of Informatics

Gene Tsudik

Chancellor's Professor of Computer Science

Selected Research & Publications

D.K. Song, J. Lettner, P. Rajasekaran, Y. Na, S. Volckaert, P. Larsen, and M. Franz; “SoK: Sanitizing for Security;” in 40th IEEE Symposium on Security and Privacy (IEEE S&P 2019), San Francisco, California; May 2019.

Kroes, A. Altinay, J. Nash, Y. Na, S. Volckaert, H. Bos, M. Franz, and Ch. Giuffrida; “BinRec: Attack Surface Reduction Through Dynamic Binary Recovery;” in 2018 Workshop on Forming an Ecosystem Around Software Transformation (FEAST ’18), Toronto, Canada, pp. 8-13; October 2018.

Park, J. Lettner, Y. Na, S. Volckaert and M. Franz; “Bytecode Corruption Attacks Are Real—And How To Defend Against Them;” in 2018 Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2018), Paris, France; June 2018. (18 papers accepted out of 59 submissions = 30%)

Crane, A. Homescu, P. Larsen, H. Okhravi, and M. Franz; “Diversity and Information Leaks;” in P. Larsen and A.-R. Sadeghi (Eds.), The Continuing Arms Race: Code-Reuse Attacks and Defenses, ACM Books, Vol. 18, Morgan & Claypool Publishers, ISBN 978-1-97000-183-9, pp. 61-81; 2018. doi:10.1145/3129743.3129747

Biswas, A. Di Federico, S.A. Carr, P. Rajasekaran, S. Volckaert, Y. Na, M. Franz, and M. Payer; “Venerable Variadic Vulnerabilities Vanquished;” in USENIX Security 2017, Vancouver, British Columbia; August 2017. (85 papers accepted out of 522 submissions = 16%)

Burow, S.C. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer; “Control-Flow Integrity P3: Protection, Precision, and Performance,” in ACM Computing Surveys (CSUR), Vol. 50, No. 1, Article No. 16; April 2017. doi:10.1145/3054924

Rudd, R. Skowyra, D. Bigelow, V. Dedhia, Th. Hobson, S. Crane, Ch. Liebchen, P. Larsen, L. Davi, M. Franz, A.-R. Sadeghi, and H. Okhravi; “Address Oblivious Code Reuse: On the Effectiveness of Leakage Resilient Diversity;” in 2017 Network and Distributed System Security Symposium (NDSS 2017), San Diego, California; February/March 2017. (68 papers accepted out of 423 submissions = 16%)

Lettner, D.K. Song, T. Park, S. Volckaert, P. Larsen, and M. Franz; “PartiSan: Fast and Flexible Sanitization via Run-time Partitioning;” in 21st International Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2018), Heraklion, Crete, Greece; September 2018. (33 papers accepted out of 145 submissions = 23%)

Volckaert, B. Coppens, A. Voulimeneas, A. Homescu, P. Larsen, B. De Sutter, and M. Franz; “Secure and Efficient Application Monitoring and Replication;” in 2016 USENIX Annual Technical Conference (ATC 2016), Denver, Colorado; June 2016. (47 papers accepted out of 266 submissions = 17.6%)

Lettner, B. Kollenda, A. Homescu, P. Larsen, F. Schuster, L. Davi, A.-R. Sadeghi, T. Holz, and M. Franz; “Subversive-C: Abusing and Protecting Dynamic Message Dispatch;” in 2016 USENIX Annual Technical Conference (ATC 2016), Denver, Colorado; June 2016. (47 papers accepted out of 266 submissions = 17.6%)

Crane, S. Volckaert, F. Schuster, Ch. Liebchen, P. Larsen, L. Davi, A.-R. Sadeghi, T. Holz, B. De Sutter, and M. Franz; “It’s a TRAP: Table Randomization and Protection against Function Reuse Attacks;” in 22nd ACM Conference on Computer and Communications Security (CCS 2015), Denver, Colorado; October 2015. (128 papers accepted out of 646 submissions = 19.4%)

Conti, S. Crane, L. Davi, M. Franz, P. Larsen, Ch. Liebchen, M. Negro, M. Qunaibit, and A.-R. Sadeghi; “Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks;” in 22nd ACM Conference on Computer and Communications Security (CCS 2015), Denver, Colorado; October 2015. (128 papers accepted out of 646 submissions = 19.4%)

Stancu, Ch. Wimmer, S. Brunthaler, P. Larsen, and M. Franz; “Safe and Efficient Hybrid Memory Management for Java;” in International Symposium on Memory Management 2015 (ISMM’15), Portland, Oregon; June 2015.

Homescu, T. Jackson, S. Crane, S. Brunthaler, P. Larsen, and M. Franz; “Large-scale Automated Software Diversity–Program Evolution Redux;” accepted to appear in IEEE Transactions on Dependable and Secure Computing (TDSC), 2015.

Crane, Ch. Liebchen, A. Homescu, L. Davi, P. Larsen, A.-R. Sadeghi, S. Brunthaler, and M. Franz; “Readactor: Practical Code Randomization Resilient to Memory Disclosure;” in 36th IEEE Symposium on Security and Privacy, San Jose, California; May 2015. (55 papers accepted out of 407 submissions = 13.5%)

Larsen, A. Homescu, S. Brunthaler, and M. Franz; “Automatic Software Diversity;” in IEEE Security and Privacy, Vol. 13, No. 2, pp. 30-37; March 2015.

Crane, A. Homescu, S. Brunthaler, P. Larsen, and M. Franz; “Thwarting Cache Side-Channel Attacks Through Dynamic Software Diversity;” in 2015 Network and Distributed System Security Symposium (NDSS 2015), San Diego, California; February 2015. (51 papers accepted out of 302 submissions = 16.9%)

Mohan, P. Larsen, S. Brunthaler, K. Hamlen, and M. Franz; “Opaque Control Flow Integrity;” in 2015 Network and Distributed System Security Symposium (NDSS 2015), San Diego, California; February 2015. (51 papers accepted out of 302 submissions = 16.9%)