Network and Distributed System Security (NDSS) Symposium 2026
The 33rd annual NDSS Symposium is a top-tier academic security conference hosted by the Internet Society, focused on practical aspects of network and distributed system security.
- A Hard-Label Black-Box Evasion Attack against ML-based Malicious Traffic Detection Systems — Zixuan Liu
This talk introduces **NetMasquerade**, a practical hard-label black-box evasion attack against machine learning-based malicious traffic detection systems. The research addresses a critical gap in…
- Enhancing Website Fingerprinting Attacks against Traffic Drift — Xinhao Deng
This talk introduces **Proteus**, the first adaptive website fingerprinting (WF) attack framework that continuously adapts to real-world **traffic drift** -- the systematic changes in traffic…
- NetRadar: Enabling Robust Carpet Bombing DDoS Detection — Junchen Pan
- WiFinger: Fingerprinting Noisy IoT Event Traffic Using Packet-level Sequence Matching — Ronghua Li
This talk presents **WiFinger**, a non-machine-learning approach to fingerprinting IoT device events from encrypted Wi-Fi traffic captured by a passive sniffer. Unlike prior work that targets…
- ThinkTrap: Denial-of-Service Attacks against Black-box LLM Services via Infinite Thinking — Yunzhe Li
This talk introduces **ThinkTrap**, a novel denial-of-service (DoS) attack against cloud-hosted large language model services that exploits the fundamental autoregressive nature of LLM inference. By…
- NeuroStrike: Neuron-Level Attacks on Aligned LLMs — Lichao Wu
This talk presents **NeuroStrike**, a neuron-level attack that jailbreaks aligned large language models by identifying and pruning **safety neurons** -- the specific neurons responsible for the…
- In-Context Probing for Membership Inference in Fine-Tuned Language Models — Zhexi Lu
This talk presents a novel **membership inference attack (MIA)** against fine-tuned language models that exploits a fundamental property of training dynamics called the **optimization gap**. The key…
- Characterizing the Implementation of Censorship Policies in Chinese LLM Services — Anna Ablove
This talk presents a systematic study of how five major Chinese LLM services -- **DeepSeek**, **Kimi**, **Qwen**, **Doubao**, and **Baidu Chat (Wenxiaoyan)** -- implement censorship through…
- Idioms: A Simple and Effective Framework for Turbo-Charging Local Neural Decompilation with Well-Defined Types — Luke Dramko
This talk presents **Idioms**, a framework for improving neural decompilation -- using locally-hosted LLMs to recover readable, type-rich source code from compiled executables. The key insight is…
- HoneySat: A Network-based Satellite Honeypot Framework — Efrén López-Morales
This talk presents **HoneySat**, a high-interaction honeypot framework designed to detect and analyze network-based attacks against satellite ground infrastructure. The system creates believable…
- Pando: Extremely Scalable BFT Based on Committee Sampling — Xin Wang
This talk presents **Pando**, a Byzantine Fault Tolerant (BFT) consensus protocol that achieves extreme scalability by **decoupling block data transmission from consensus ordering** and using…
- Janus: Enabling Expressive and Efficient ACLs in High-speed RDMA Clouds — Ziteng Chen
As public cloud vendors increasingly deploy **RDMA (Remote Direct Memory Access)** networking for high-performance workloads such as AI training, inference, and distributed storage, a critical…
- SNPeek: Side-Channel Analysis for Privacy Applications on Confidential VMs — Ruiyi Zhang
Confidential Virtual Machines (CVMs) built on technologies like **AMD SEV-SNP** promise hardware-enforced isolation that keeps data encrypted even from the cloud provider and hypervisor…
- Revisiting Differentially Private Hyper-parameter Tuning — Zihang Xiang
When training machine learning models with **differential privacy (DP)**, practitioners do not simply train once -- they run the training process multiple times with different hyperparameters…
- Eviction Notice: Reviving and Advancing Page Cache Attacks — Sudheendra Raghav Neela
Page cache side-channel attacks on Linux were considered mitigated since 2019 and impractical since 2023. This talk revives them and makes them **six orders of magnitude faster** than prior work…
- FLIPPYRAM: A Large-Scale Study of Rowhammer Prevalence — Martin Heckel
How many real-world systems are actually vulnerable to **Rowhammer** attacks? This large-scale empirical study, which distributed bootable USB sticks at **38C3** and collected data from 106 systems…
- BLERP: BLE Re-Pairing Attacks and Defenses — Tommaso Sacchetti
Bluetooth Low Energy (BLE) pairing security has been extensively studied, but every prior attack assumed the devices were pairing for the **first time**. This talk reveals that **re-pairing** --…
- Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks — Gaoning Pan
Virtual machine escape from hypervisors like **QEMU** and **VirtualBox** is one of the most consequential exploit classes in cloud security. This talk introduces **cross-domain attacks**, a…
- Memory Band-Aid: A Principled Rowhammer Defense-in-Depth — Carina Fiedler
- Mirage: Private, Mobility-based Routing for Censorship Evasion — Zachary Ratliff
When governments shut down the internet to suppress communication, **mobile ad hoc networks (MANETs)** offer a lifeline -- routing messages between people via Bluetooth or Wi-Fi Direct based on…
- Automated Code Annotation with LLMs for Establishing TEE Boundaries — Varun Gadey
Deciding which code should run inside a **Trusted Execution Environment (TEE)** versus untrusted space is a critical security decision that has traditionally required manual analysis -- a process…
- SoK: Analysis of Accelerator TEE Designs — Chenxu Wang
As AI workloads move to GPUs, TPUs, FPGAs, and other accelerators (collectively "XPUs"), the need to extend **Trusted Execution Environment (TEE)** protections beyond CPUs has become urgent. This…
- PrivCode: When Code Generation Meets Differential Privacy — Zheng Liu
Fine-tuning large language models on proprietary or sensitive code datasets enables powerful domain-specific code generation, but it also creates **privacy risks** -- models can memorize and…
- UIEE: Secure and Efficient User-space Isolated Execution Environment for Embedded TEE Systems — Huaiyu Yan
Current **ARM TrustZone-based Trusted Execution Environments (TEEs)** are designed for compact, security-focused operations like cryptographic computations, but they lack the runtime support needed…
- Select-Then-Compute: Encrypted Label Selection and Analytics over Distributed Datasets using FHE — Nirajan Koirala
This talk presents a novel cryptographic protocol called **Select-Then-Compute** that enables privacy-preserving label selection and analytics across distributed, encrypted datasets using **Fully…
- cwPSU: Efficient Unbalanced Private Set Union via Constant-weight Codes — Qingwen Li
This talk presents **cwPSU**, a novel protocol for **unbalanced Private Set Union (PSU)** that achieves dramatic efficiency improvements over prior work by leveraging **constant-weight encoding**…
- Robust Fraud Transaction Detection: A Two-Player Game Approach — Qi Tan
This talk presents **Gamer**, a novel fraud detection system that models the adversarial interaction between fraudsters and detection systems as a **two-player game**. The core insight is that…
- Cirrus: Performant and Accountable Distributed SNARK — Wenhao Wang
This talk introduces **Cirrus**, the first distributed SNARK (Succinct Non-interactive Argument of Knowledge) protocol that simultaneously achieves three critical properties: **linear scalability**…
- Paladin: Defending LLM-enabled Phishing Emails with a Trigger-Tag Paradigm — Yan Pang
This talk presents **Paladin**, a proactive defense system against LLM-generated phishing emails that works by embedding **trigger-tag associations** directly into language models before they are…
- Beyond Jailbreak: Unveiling Risks in LLM Applications Arising from Blurred Capability Boundaries — Yunyi Zhang
This talk presents a comprehensive evaluation of security risks in **LLM-based applications** that arise not from traditional jailbreaking but from poorly defined **capability boundaries**. While…
- Incident Response Planning Using a Lightweight Large Language Model with Reduced Hallucination — Kim Hammar
This talk presents a novel method for automated incident response planning that uses a fine-tuned lightweight LLM combined with look-ahead optimization to generate response plans with **theoretical…
- IoTBec: An Accurate and Efficient Recurring Vulnerability Detection Framework for Black Box IoT devices — Haoran Yang
- FirmCross: Detecting Taint-style Vulnerabilities in Modern C-Lua Hybrid Web Services of Linux-based Firmware — Runhao Liu
This talk presents **FirmCross**, a static analysis tool for detecting taint-style vulnerabilities in **C-Lua hybrid web services** found in Linux-based IoT firmware. The research addresses a…
- Trust Me, I Know This Function: Hijacking LLM Static Analysis using Bias — Shir Bernstein
This talk presents a novel attack class called **Familiar Pattern Attacks (FPAs)** that exploits a fundamental weakness in how LLMs analyze code: **abstraction bias**. When LLMs encounter code…
- TranSPArent: Taint-style Vulnerability Detection in Generic Single Page Applications through Automated Framework Abstraction — Senapati Diwangkara
This talk presents **TranSPArent**, a tool for detecting taint-style vulnerabilities (particularly **cross-site scripting**) in modern **Single Page Application (SPA)** frameworks like **React**…
- Chimera: Harnessing Multi-Agent LLMs for Automatic Insider Threat Simulation — Jiongchi Yu
This talk introduces **Chimera**, the first multi-agent LLM framework for automated insider threat simulation. The system addresses a critical gap in insider threat detection: the lack of…
- Les Dissonances: Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents — Zichuan Li
This talk presents **Cross-Tool Harvesting and Polluting (XTHP)** attacks, a new class of supply chain threats targeting **LLM agent development frameworks** like **LangChain** and **LlamaIndex**…
- Achieving Interpretable DL-based Web Attack Detection through Malicious Payload Localization — Peiyang Li
This talk presents a novel **interpretability framework** for deep learning-based web attack detection that goes beyond binary classification (normal/abnormal) to identify the **exact location of…
- Attention is All You Need to Defend Against Indirect Prompt Injection Attacks in LLMs — Yinan Zhong
This talk presents **Renovate**, a framework for detecting and sanitizing **Indirect Prompt Injection (IPI)** attacks in LLM-integrated applications. IPI attacks occur when adversaries embed…
- ACE: A Security Architecture for LLM-Integrated App Systems — Evan Li
As AI agents become deeply embedded in products and infrastructure, the security implications of granting autonomous systems access to tools and sensitive data have become critical. This talk…
- Better Safe than Sorry: Uncovering the Insecure Resource Management in App-in-App Cloud Services — Yizhe Shi
The "super app" ecosystem -- where platforms like **WeChat**, **TikTok**, **Alipay**, and **Baidu** host millions of mini apps -- has created a massive attack surface that most security researchers…
- Side-channel Inference of User Activities in AR/VR Using GPU Profiling — Seonghun Son
As AR/VR headsets move beyond entertainment into medical, education, and industrial applications, the privacy implications of these always-on immersive devices become critical. This research reveals…
- MVPNalyzer: An Investigative Framework for Auditing the Security & Privacy of Mobile VPNs — Wayne Wang
VPN providers promise absolute security and privacy with the click of a button, but a large-scale audit of **281 free mobile VPN apps** from the Google Play Store reveals that this promise is…
- HOUSTON: Real-Time Anomaly Detection of Attacks against Ethereum DeFi Protocols — Dongyu Meng
With the DeFi ecosystem holding roughly **$100 billion in total value locked** and billions stolen annually through protocol hacks -- including by state-sponsored groups -- the need for real-time…
- Indicator of Benignity: An Industry View of False Positive in Malicious Domain Detection and its Mitigation — Daiping Liu
For decades, cybersecurity has focused almost exclusively on hunting for bad indicators (IOCs). This talk flips that paradigm with a deceptively powerful concept: **Indicators of Benignity (IOBs)**…
- VDORAM: Towards a Random Access Machine with Both Public Verifiability and Distributed Obliviousness — Huayi Qi
This talk addresses a fundamental gap at the intersection of zero-knowledge proofs (ZKP) and secure multi-party computation (MPC): how do you prove to the public that a collaborative computation…
- RoundRole: Unlocking the Efficiency of Multi-party Computation with Bandwidth-aware Execution — Xiaoyu Fan
Secure multi-party computation (MPC) is fundamentally constrained by network communication: modern CPUs process data at **30-100 GB/s**, while typical wide-area networks offer only **100 Mbps to 1…
- When Focus Enhances Utility: Target Range LDP Frequency Estimation and Unknown Item Discovery — Bo Jiang
Local differential privacy (LDP) is a cornerstone of privacy-preserving data collection, used by companies like Google and Apple to gather statistics without trusting any central server. However…
- Augmented Shuffle Differential Privacy Protocols for Large-Domain Categorical and Key-Value Data — Takao Murakami
Shuffle differential privacy offers significantly better accuracy than local differential privacy by using a shuffler to anonymize the source of noisy data. However, existing shuffle DP protocols…
- PrivATE: Differentially Private Average Treatment Effect Estimation for Observational Data — Quan Yuan
Causal inference -- determining whether a treatment or policy actually causes an observed effect -- is fundamental to medicine, economics, and education. When randomized controlled trials are…
- Convergent Privacy Framework for Multi-layer GNNs through Contractive Message Passing — Yu Zheng
Graph Neural Networks (GNNs) are increasingly used for sensitive applications -- from predicting Alzheimer's disease to analyzing social networks and molecular structures -- but they are vulnerable…
- NetCap: Data-Plane Capability-Based Defense Against Token Theft in Network Access — Osama Bajaber
Token theft remains one of the most exploited attack vectors in modern authentication systems, enabling attackers to impersonate legitimate users and bypass credential requirements entirely. This…
- On the Security Risks of Memory Adaptation and Augmentation in Data-plane DoS Mitigation — Hocheol Nam
Programmable switches have transformed DoS defense by enabling real-time, line-rate detection and mitigation directly in the network data plane. But this talk reveals that the very optimizations…
- Beyond Conventional Triggers: Auto-Contextualized Covert Triggers for Android Logic Bombs — Ye Wang
Logic bombs -- malicious code that remains dormant until specific trigger conditions are met -- have largely fallen off the security research radar as detection tools like static analysis and…
- SAGA: A Security Architecture for Governing AI Agentic Systems — Georgios Syros
As AI agents proliferate across enterprise and consumer applications, their interactions remain **completely ungoverned and insecure**. Emerging protocols like Google's Agent-to-Agent (A2A) and…
- From Obfuscated to Obvious: A Comprehensive JavaScript Deobfuscation Tool for Security Analysis — Dongchao Zhou
This talk presents **JSimplify**, a comprehensive JavaScript deobfuscation tool designed to handle the full spectrum of obfuscation techniques used by real-world malware. The researchers from…
- Cross-Boundary Mobile Tracking: Exploring Java-to-JavaScript Information Diffusion in WebViews — Sohom Datta
This talk reveals a significant and largely undetected privacy abuse vector in the Android ecosystem: the exploitation of **WebView boundaries** to leak sensitive device information from Java/Kotlin…
- LLMBisect: Breaking Barriers in Bug Bisection with A Comparative Analysis Pipeline — Zheng Zhang
- Prompt Injection Attack to Tool Selection in LLM Agents — Jiawen Shi
This talk presents a systematic attack against the **tool selection mechanism** in LLM agents -- the process by which an agent decides which tool to invoke for a given task. The researchers…
- Character-Level Perturbations Disrupt LLM Watermarks — Zhaoxi Zhang
This talk presents a systematic study demonstrating that **character-level perturbations** are significantly more effective at removing LLM watermarks than the token-level and sentence-level attacks…
- Dataset Reduction and Watermark Removal via Self-supervised Learning for Model Extraction Attack — Hao Luan
This talk presents **SSL Extraction**, a two-step attack pipeline that simultaneously achieves efficient model extraction and watermark removal against black-box ML models. The key innovation is…
- Unshaken by Weak Embedding: Robust Probabilistic Watermarking for Dataset Copyright Protection — Shang Wang
This talk presents **DIP (Dataset Intelligence Probabilistic Watermarking)**, a method for protecting dataset copyright in the growing **data-as-a-service** marketplace. The core problem: when data…
- Benchmarking and Understanding Safety Risks in AI Character Platforms — Yiluo Wei
This talk presents the first extensive safety evaluation of **AI character platforms** -- services like Character.AI where users create and interact with fictional or real-world AI personas. The…
- SACK: Systematic Generation of Function Substitution Attacks Against Control-Flow Integrity — Zhechang Zhang
This talk presents **SACK**, the first systematic framework for automatically constructing **function substitution attacks** against programs protected by **fully precise static Control-Flow…
- DirtyFree: Simplified Data-Oriented Programming in the Linux Kernel — Yoochan Lee
This talk presents **DirtyFree**, a simplified data-oriented programming (DOP) exploitation method for the Linux kernel that uses the **arbitrary free primitive** as its central building block…
- EXIA: Trusted Transitions for Enclaves via External-Input Attestation — Zhen Huang
This talk presents **EXIA (External-Input Attestation)**, a lightweight framework that extends trusted execution environment (TEE) security guarantees from launch-time to runtime by measuring all…
- LinkGuard: A Lightweight State-Aware Runtime Guard Against Link Following Attacks in Windows File System — Bocheng Xiang
This talk presents **LinkGuard**, the first dedicated runtime protection framework against **link following attacks** on Windows. Link following vulnerabilities -- where privileged programs are…
- ProtocolGuard: Detecting Protocol Non-compliance Bugs via LLM-guided Static Analysis and Dynamic Verification — Xiangpu Song
This talk presents **ProtocolGuard**, a hybrid framework that detects **protocol non-compliance bugs** -- semantic errors where implementations deviate from protocol specifications (RFC documents)…
- Formal Analysis of BLE Secure Connection Pairing and Revelation of the PE Confusion Attack — Min Shi
This talk presents the first fine-grained formal analysis of **Bluetooth Low Energy (BLE) Secure Connection pairing** that captures the host-controller separation architecture, and reveals the…
- An LLM-Driven Fuzzing Framework for Detecting Logic Instruction Bugs in PLCs — Jiaxing Cheng
This talk presents **LogicFuzz**, an LLM-driven fuzzing framework designed to detect **logic instruction bugs** in Programmable Logic Controllers (PLCs) -- the core control devices in industrial…
- What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs — Xingyu Li
- ViGText: Deepfake Image Detection with Vision-Language Model Explanations and Graph Neural Networks — Ahmad ALBarqawi
This talk presents **ViGText**, a deepfake image detection system that combines **vision-language model (VLM) explanations** with **graph neural networks (GNNs)** to achieve state-of-the-art…
- Light2Lie: Detecting Deepfake Images Using Physical Reflectance Laws — Kavita Kumari
This talk presents **Light2Lie**, a deepfake detection approach based on the insight that real images follow physical light reflectance laws while AI-generated images do not. By modeling each pixel…
- Rethinking Fake Speech Detection: A Generalized Framework Leveraging Spectrogram Magnitude — Zihao Liu
This talk presents a novel approach to deepfake speech detection that leverages a previously overlooked signal: **spectrogram magnitude distributions** across different decibel ranges. The…
- CAT: Can Trust be Predicted with Context-Awareness in Dynamic Heterogeneous Networks? — Jie Wang
This talk presents **CAT (Context-Aware Trust)**, a graph neural network-based trust prediction model designed for **dynamic heterogeneous networks**. Unlike existing trust prediction approaches…
- When Cache Poisoning Meets LLM Systems: Semantic Cache Poisoning and Its Countermeasures — Guanlong Wu
As large language model (LLM) services face mounting pressure from high API costs and inference latency, **semantic caching** has emerged as a widely adopted optimization. The idea is simple: if a…
- Shadow in the Cache: Unveiling and Mitigating Privacy Risks of KV-cache in LLM Inference — Zhifan Luo
Large language model inference relies on a critical optimization called the **key-value (KV) cache**, which stores intermediate key and value matrices to avoid redundant computation during…
- Should I Trust You? Rethinking the Principle of Zone-Based Isolation DNS Bailiwick Checking — Yuxiao Wu
The **bailiwick checking** principle has served as a cornerstone of DNS security for over 20 years, preventing resolvers from accepting out-of-zone records in DNS responses. This talk presents a…
- Cross-Cache Attacks for the Linux Kernel via PCP Massaging — Claudio Migliorelli
Kernel heap exploitation has become increasingly difficult as memory pools isolate vulnerable and target objects from each other. This talk introduces **PCP-Lost**, a novel cross-cache memory…
- Memory Backdoor Attacks on Neural Networks — Eden Luzon
Federated learning is widely assumed to guarantee data privacy because training data never leaves client devices. This talk dismantles that assumption by presenting **memory backdoor attacks** -- a…
- AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks — Xin'an Zhou
Wi-Fi client isolation is widely assumed to prevent devices on the same network from intercepting each other's traffic. This talk introduces the **AirSnitch framework**, which demonstrates that…
- Entente: Cross-silo Intrusion Detection on Network Log Graphs with Federated Learning — Jiacen Xu
Organizations operating across multiple regions face a fundamental tension: they need to collaborate on intrusion detection to catch cross-silo attacks, but regulations like **GDPR** prohibit…
- SVDefense: Effective Defense against Gradient Inversion Attacks via Singular Value Decomposition — Chenxiang Luo
Federated learning promises privacy by keeping training data local and only sharing model gradients with the central server. However, **gradient inversion attacks (GIA)** can reconstruct raw user…
- Pitfalls for Security Isolation in Multi-CPU Systems — Simeon Hoffmann
As IoT devices demand more computational power without increasing power consumption, manufacturers have turned to **multi-CPU architectures** -- multiple processors on a single chip, each running…
- HyperMirage: Direct State Manipulation in Hybrid Virtual CPU Fuzzing — Manuel Andreas
Hypervisors form the cornerstone of cloud security, and while fuzzing has proven effective at finding bugs in device virtualization interfaces, the **virtual CPU (vCPU) component** -- typically…
- IsolatOS: Detecting Double Fetch Bugs in COTS RTOS by Re-enabling Kernel Isolation — Yingjie Cao
Real-time operating systems (RTOS) are the invisible backbone of cyber-physical systems -- from automotive ECUs and aerospace systems to power plants and medical devices. With over **2.2 billion…
- PhantomMap: GPU-Assisted Kernel Exploitation — Jiayi Hu
As CPU-side kernel exploitation has been increasingly hardened with mitigations like SLAB virtual, Samsung RKP, and KASLR, this talk introduces **PhantomMap** -- a GPU-assisted kernel exploitation…
- DNN Latency Sequencing: Extracting DNN Architectures from Intel SGX Enclaves with Single-Stepping Attacks — Minkyung Park
Deep neural network architectures represent valuable intellectual property -- the result of extensive training, research, and computational investment. **Confidential AI** approaches using trusted…
- Peering Inside the Black-Box: Long-Range and Scalable Model Architecture Snooping via GPU Electromagnetic Side-Channel — Rui Xiao
- Achieving Zen: Combining Mathematical and Programmatic Deep Learning Model Representations for Attribution and Reuse — David Oygenblik
When a self-driving car crashes because its sign recognition model was backdoored, how do investigators determine what happened? They need to recover the model's architecture, set up a testing…
- XR Devices Send WiFi Packets When They Should Not: Cross-Building Keylogging Attacks via Non-Cooperative Wireless Sensing — Christopher Vattheuer
Presented by Justin from UCLA, this research introduces **TWIST** (Transition Web and Spring Tension Network), a novel keylogging attack against extended reality (XR) headsets that operates at…
- From Perception to Protection: A Developer-Centered Study of Security and Privacy Threats in Extended Reality (XR) — Kunlin Cai
Kunlin Cai from USC presents a first-of-its-kind developer-centered study examining why XR (Extended Reality) applications remain riddled with security and privacy vulnerabilities despite growing…
- PhantomMotion: Laser-Based Motion Injection Attacks on Wireless Security Surveillance Systems — Yan He
Yan He from the University of Oklahoma presents PhantomMotion, a novel attack that uses lasers to inject fake motion events into wireless security cameras, exploiting the passive infrared (PIR)…
- Unknown Target: Uncovering and Detecting Novel In-Flight Attacks to Collision Avoidance (TCAS) — Giacomo Longo
Giacomo Longo presents groundbreaking research analyzing what may be the **first real-world cyber attack against aircraft collision avoidance systems (TCAS)**. On March 1, 2025, at Washington…
- CryptPEFT: Efficient and Private Neural Network Inference via Parameter-Efficient Fine-Tuning — Saisai Xia
Saisai Xia presents CryptPEFT, a system that dramatically accelerates **private neural network inference** by redesigning parameter-efficient fine-tuning (PEFT) architectures specifically for…
- Kangaroo: A Private and Amortized Inference Framework over WAN for Large-Scale Decision Tree Evaluation — Wei Xu
Wang (presenting on behalf of author Wei Xu, who faced visa issues) introduces Kangaroo, a novel framework for privacy-preserving decision tree inference that achieves **second-level latency** for…
- ANONYCALL: Enabling Native Private Calling in Mobile Networks — Hexuan Yu
Hexuan Yu, a PhD candidate from Virginia Tech, presents ANONYCALL, a system that enables truly private phone calls within existing **5G cellular infrastructure** without requiring modifications to…
- CELLSHIFT: RTT-Aware Trace Transduction for Real-World Website Fingerprinting — Rob Jansen
Rob Jansen from the **US Naval Research Laboratory** presents CellShift, a method for transforming Tor exit-side traffic traces into entry-side traces to improve website fingerprinting attack…
- Connecting the Dots: An Investigative Study on Linking Private User Data Across Messaging Apps — Junkyu Kang
Presented by So Lee (on behalf of Junkyu Kang), this collaborative research between KAIST and the University of Maryland demonstrates how privacy attacks that seem minor on individual messaging…
- Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy — Gabriel K. Gegenhuber
Gabriel K. Gegenhuber presents a staggering empirical study: the researchers enumerated **3.5 billion active WhatsApp accounts** -- a substantial share of the world's population -- by querying 63…
- Anchors of Trust: A Usability Study on User Awareness, Consent, and Control in Cross-Device Authentication — Xin Zhang
Xin Zhang from Fenin University presents a systematic evaluation of **cross-device authentication (XDA)** across 27 major real-world services, revealing that none adequately protect all three…
- CHAMELEOSCAN: Demystifying and Detecting iOS Chameleon Apps via LLM-Powered UI Exploration — Hongyu Lin
Hongyu Lin (presenting as co-first author) from Zhejiang University introduces ChameleoScan, the first **LLM-powered automated detection system** for iOS chameleon apps -- applications that appear…
- PIRANHAS: PrIvacy-Preserving Remote Attestation in Non-Hierarchical Asynchronous Swarms — Jonas Hofmann
Philip (presenting for Jonas Hofmann) from CISPA introduces PIRANHAS, the first **fully anonymous swarm attestation scheme** that supports any network topology, is non-interactive, and publicly…
- Cryptobazaar: Private Sealed-bid Auctions at Scale — Andrija Novakovic
- MVP-ORAM: a Wait-free Concurrent ORAM for Confidential BFT Storage — Robin Vassantlal
Bernardo Ferreira from the University of Lisbon (presenting for Robin Vassantlal) introduces **MVP-ORAM** (Multi-Version Path ORAM), the first **wait-free Byzantine fault-tolerant Oblivious RAM**…
- Enhancing Legal Document Security and Accessibility with TAF — Renata Vaderna
Renata Vaderna, former lead developer of TAF (The Archive Framework), presents a system for **long-term security and preservation of digital legal documents** that combines **Git** (version control)…
- Learning from Leakage: Database Reconstruction from Just a Few Multidimensional Range Queries — Peijie Li
- Enhancing Semantic-Aware Binary Diffing with High-Confidence Dynamic Instruction Alignment — Chengfeng Ye
Chengfeng Ye presents a technique for improving **binary diffing** accuracy by using **dynamic forced execution** to identify high-confidence instruction alignments (anchor points) between two…
- DUALBREACH: Efficient Dual-Jailbreaking via Target-Driven Initialization and Multi-Target Optimization — Xinzhe Huang
Presented by Johnny on behalf of the authors, DualBreach is a jailbreaking framework designed to bypass **both external guardrails and internal LLM safety alignment** simultaneously -- addressing…
- Cease at the Ultimate Goodness: Towards Efficient Website Fingerprinting Defense via Iterative Mutual Information Minimization — Rong Wang
Rong Wang presents **Frugal**, the first website fingerprinting defense framework that uses **mutual information minimization** as an explicit optimization objective rather than focusing on…
- KnowHow: Automatically Applying High-Level CTI Knowledge for Interpretable and Accurate Provenance Analysis — Yuhan Meng
Advanced Persistent Threat (APT) attacks remain one of the most critical challenges facing governments and enterprises, distinguished by their advanced, stealthy, and persistent characteristics…
- From Noise to Signal: Precisely Identify Affected Packages of Known Vulnerabilities in npm Ecosystem — Yingyuan Pu
The npm ecosystem contains over **3 million packages** with deeply nested dependency chains, and research shows approximately one quarter of all package versions depend on packages with known…
- Automating Function-Level TARA for Automotive Full-Lifecycle Security — Yuqiao Yang
As connected vehicles are projected to represent **95% of new cars by 2030**, the automotive attack surface is expanding dramatically through autonomous driving, OTA updates, and ADAS systems. The…
- Beyond Raw Bytes: Towards Large Malware Language Models — Luke Kurlandski
Can the foundation model paradigm that has transformed natural language processing be adapted for malware analysis? This talk investigates the feasibility of training **Large Malware Language Models**…
- Anota: Identifying Business Logic Vulnerabilities via Annotation-Based Sanitization — Meng Wang
Business logic vulnerabilities represent a critical blind spot in automated security testing. Unlike memory corruption or injection flaws, these bugs abuse legitimate functionality and are invisible…
- Discovering Blind-Trust Vulnerabilities in PLC Binaries via State Machine Recovery — Fangzhou Dong
Programmable Logic Controllers (PLCs) are the industrial computers running critical infrastructure -- traffic lights, warehouse lifters, conveyor systems, water treatment plants. This talk…
- BunnyFinder: Finding Incentive Flaws for Ethereum Consensus — Rujia Li
Ethereum's 2022 shift from Proof of Work to **Proof of Stake (PoS)** moved its security assumption from computational power to economic incentives -- validators are assumed to behave honestly…
- ReFuzz: Reusing Tests for Processor Fuzzing with Contextual Bandits — Chen Chen
Hardware vulnerabilities are expensive and dangerous -- Intel spent **$475 million** recalling products due to hardware bugs, and the number of reported hardware vulnerabilities has grown from just…
- Was My Data Used for Training? Membership Inference in Open-Source LLMs via Neural Activations — Xue Tan
As open-source LLMs proliferate with massive, opaque training datasets, verifying whether specific data was used for training has become critical for privacy evaluation, compliance auditing, and…
- Cascading and Proxy Membership Inference Attacks — Yuntao Du
Membership inference attacks (MIA) determine whether specific data was used to train a machine learning model. This talk introduces two new attack strategies that fundamentally improve MIA…
- ExpShield: Safeguarding Web Text from Unauthorized Crawling and LLM Exploitation — Ruixuan Liu
- ObliInjection: Order-Oblivious Prompt Injection Attack to LLM Agents with Multi-source Data — Reachal Wang
Most prompt injection attacks assume the attacker controls the entire data portion of an LLM's input. In real-world multi-source scenarios -- product review summarization, AI-powered search…
- Lightweight Internet Bandwidth Allocation and Isolation with Fractional Fair Shares — Marc Wyss
Today's internet has no mechanism to enforce fair bandwidth allocation -- aggressive congestion control algorithms dominate quieter ones, and volumetric DDoS attackers disregard all congestion…
- Aliens Among Us: Observing Private or Reserved IPs on the Public Internet — Radu Anghel
IP address spoofing remains a fundamental enabler of volumetric DDoS attacks, with nearly half of layer 3/4 attacks involving spoofed packets. While Source Address Validation (SAV) can solve this…
- Are your Sites Truly Isolated? Automatically Detecting Logic Bugs in Site Isolation Implementations — Jan Drescher
**Site isolation** is a critical browser security architecture that enforces separation between web applications by placing cross-site content into separate sandboxed renderer processes. This talk…
- Pruning the Tree: Rethinking RPKI Architecture from the Ground up — Haya Schulmann
The **Resource Public Key Infrastructure (RPKI)** is the security architecture for internet routing, enabling verification of BGP route announcements. With approximately **60%** of announced…
- Fuzzilicon: A Post-Silicon Microcode-Guided x86 CPU Fuzzer — Johannes Lenzen
CPU vulnerabilities like **Downfall**, **Meltdown**, **Spectre**, **ZombieLoad**, and **RIDL** have caused enormous damage, with Intel spending hundreds of millions on recalls. This talk presents…
- GoldenFuzz: Generative Golden Reference Hardware Fuzzing — Lichao Wu
Traditional hardware fuzzers rely on random mutation strategies that lack semantic understanding of processor behavior. This talk presents **GoldenFuzz**, a pre-silicon hardware fuzzer that uses a…
- ADGFUZZ: Assignment Dependency-Guided Fuzzing for Robotic Vehicles — Yuncheng Wang
Robotic vehicles (RVs) -- UAVs, UGVs, and autonomous platforms -- are cyber-physical systems where software bugs don't just crash programs but can cause mission failure, loss of control, or physical…
- RTCON: Context-Adaptive Function-Level Fuzzing for RTOS Kernels — Eunkyu Lee
Real-Time Operating System (RTOS) kernels power billions of IoT and embedded devices, providing Bluetooth stacks, Wi-Fi modules, and custom interfaces. Many lack security mitigations like ASLR…
- BINALIGNER: Aligning Binary Code for Cross-Compilation Environment Diffing — Yiran Zhu
Binary diffing -- identifying corresponding code regions between two binaries compiled from related source -- is essential for vulnerability detection, patch verification, plagiarism detection, and…
- Cross-Consensus Reliable Broadcast and its Applications — Yue Huang
Modern distributed infrastructures are moving beyond isolated consensus islands toward multi-group coordination architectures -- sharded blockchains, cross-chain bridges, and replicated state…
- vSim: Semantics-Aware Value Extraction for Efficient Binary Code Similarity Analysis — Huaijin Wang
Binary code similarity analysis -- searching a database for functions similar to a given binary -- is fundamental for vulnerability detection, malware classification, and patch analysis. This talk…
- A Deep Dive into Function Inlining and its Security Implications for ML-based Binary Analysis — Omar Abusabha
**Function inlining** -- replacing a function call with the callee's body -- is one of the most common compiler optimizations. In CoreUtils compiled at O3, **more than half of all functions are**…
- Time and Time Again: Leveraging TCP Timestamps to Improve Remote Timing Attacks — Vik Vanderlinden
Remote timing attacks are limited by network jitter, which adds noise to roundtrip time measurements and requires many observations to distinguish timing differences. This talk demonstrates that…
- Continuous User Behavior Monitoring using DNS Cache Timing Attacks — Hannes Weissteiner
This paper presents a comprehensive **evict-and-reload style attack** on local DNS caches that enables continuous monitoring of a user's browsing activity. While prior work demonstrated that DNS…
- On Borrowed Time: Measurement-Informed Understanding of the NTP Pool's Robustness to Monopoly Attacks — Robert Beverly
This research presents the first exhaustive characterization of the **NTP pool** -- the volunteer-based, crowdsourced time distribution system that serves as critical internet infrastructure for…
- Bit of a Close Talker: A Practical Guide to Serverless Cloud Co-Location Attacks — Wei Shao
This research transforms serverless cloud co-location attacks from trial-and-error guesswork into a **systematic, repeatable methodology**. By developing a three-phase probing strategy that…
- PANDORA: Lightweight Adversarial Defense for Edge IoT using Uncertainty-Aware Metric Learning — Avinash Awasthi
PANDORA is a lightweight intrusion detection system (IDS) framework designed for **resource-constrained edge IoT devices** that addresses three fundamental challenges in network security monitoring…
- Strategic Games and Zero Shot Attacks on Heavy-Hitter Network Flow Monitoring — Francesco Da Dalt
This research applies **game-theoretic reinforcement learning** to the problem of configuring network flow monitoring systems against adaptive adversaries. The core insight is that both defenders…
- PhishLang: A Real-Time, Fully Client-Side Phishing Detection Framework Using MobileBERT — Sayak Saha Roy
PhishLang is a **lightweight, fully client-side phishing detection framework** that uses **MobileBERT** to analyze website source code and detect phishing intent without relying on handcrafted…
- CoLD: Collaborative Label Denoising Framework for Network Intrusion Detection — Shuo Yang
CoLD (Collaborative Label Denoising) is a framework that addresses a fundamental but often overlooked problem in network intrusion detection: **label noise** in training data. The researchers…
- Targeted Physical Evasion Attacks in the Near-Infrared Domain — Pascal Zimmer
- FlyTrap: Physical Distance-Pulling Attack Towards Camera-based Autonomous Target Tracking Systems — Shaoyuan Xie
FlyTrap is the first **distance-pulling attack** against camera-based autonomous drone tracking systems. By printing adversarial patterns on an ordinary **umbrella** ($20 on Amazon), an attacker can…
- Understanding the Stealthy BGP Hijacking Risk in the ROV Era — Yihao Chen
This research reveals a concerning side effect of partial **RPKI/ROV (Route Origin Validation)** deployment: **stealthy BGP hijacking**. While ROV effectively prevents direct hijacking at deployed…
- TBTrackerX: Fantastic Trigger Bots and Where to Find Malicious Campaigns on X — Mohammad Majid Akhtar
This research presents a systematic measurement and detection study of **trigger bots** on Twitter/X -- automated accounts that activate only when specific keywords appear in user posts or tweets…
- CoordMail: Exploiting SMTP Timeout and Command Interaction to Coordinate Email Middleware for Convergence Amplification Attack — Ruixuan Li
CoordMail is a novel **email amplification attack** that coordinates thousands of email middleware (bounce servers, open relays, and email forwarders) to deliver reflected emails to a victim…
- One Email, Many Faces: A Deep Dive into Identity Confusion in Email Aliases — Mengying Wu
This research exposes a fundamental inconsistency in how the internet handles email identity: **email providers** treat alias addresses as the same identity (delivering them to one inbox), while…
- Fast Pointer Nullification for Use-After-Free Prevention — Yubo Du
This research presents **FPN (Fast Pointer Nullification)**, a significantly more efficient approach to preventing **use-after-free (UAF) vulnerabilities** -- one of the most critical and…
- ropbot: Reimaging Code Reuse Attack Synthesis — Kyle Zeng
ropbot is a next-generation **code reuse payload generation engine** that fundamentally reimagines how ROP chains are constructed. By introducing the concept of a **"rop block"** -- a self-contained…
- Token Time Bomb: Evaluating JWT Implementations for Vulnerability Discovery — Jingcheng Yang
This research presents **JWTable**, the first systematic framework for automatically discovering vulnerabilities in JWT (JSON Web Token) implementations. By combining grammar-based fuzzing with…
- Vault Raider: Stealthy UI-based Attacks Against Password Managers in Desktop Environments — Andrea Infantino
Vault Raider demonstrates that **desktop password managers** are vulnerable to stealthy phishing attacks through their **native autofill mechanisms**. While browser-based autofill uses URL-based…
- Targeted Password Guessing Using k-Nearest Neighbors — Zhen Li
This research introduces **KPG (k-Nearest Neighbor Password Guessing)**, a novel non-parametric approach to targeted password guessing that addresses a previously overlooked password reuse behavior…
- Repairing Trust in Domain Name Disputes Practices: Insights from a Quarter-Century's Worth of Squabbles — Vinny Adjibi
This research provides the first large-scale empirical analysis of the **UDRP (Uniform Domain Name Dispute Resolution Policy)**, the primary mechanism for resolving trademark-based domain name…
- DualStrike: Accurate, Real-time Eavesdropping and Injection of Keystrokes on Commodity Keyboards — Xiaomeng Chen
DualStrike is the first attack system to achieve both **eavesdropping and injection** on commodity **hall effect keyboards** -- a rapidly growing keyboard technology used primarily in gaming but…
- Hiding an Ear in Plain Sight: On the Practicality and Implications of Acoustic Eavesdropping with Telecom Fiber Optic Cables — Youqian Zhang
This research demonstrates that standard **telecom fiber optic cables** -- deployed in homes and offices as part of fiber-to-the-home (FTTH) infrastructure -- can be exploited as **acoustic**…
- The Role of Privacy Guarantees in Voluntary Donation of Private Health Data for Altruistic Goals — Ruizhe Wang
This user study examines whether presenting **privacy protection guarantees** (anonymization, access control, data expiration, purpose restriction) and **auditing guarantees** (expert auditing…
- Passive Multi-Target GUTI Identification via Visual-RF Correlation in LTE Networks — Byeongdo Hong
This research demonstrates a **fully passive** method to identify users' **GUTI (Globally Unique Temporary Identifier)** in LTE networks by correlating **camera observations** with **RF signal**…
- Preempt: Sanitizing Sensitive Prompts for LLMs — Amrita Roy Chowdhury
Preempt is a **prompt sanitization system** that protects sensitive information in LLM prompts while preserving utility. It targets **prompt-invariant tasks** (translation, RAG, financial advice)…
- PrivORL: Differentially Private Synthetic Dataset for Offline Reinforcement Learning — Chen GONG
PrivORL is the first framework for generating **differentially private synthetic datasets** for **offline reinforcement learning (RL)**. In domains where RL training data contains sensitive…
- There is No War in Ba Sing Se: A Global Analysis of Content Moderation in Large Language Models — Friedemann Lipphardt
This research conducts the first large-scale global analysis of **LLM content moderation** across geographic locations, languages, and topics. By querying over **1,000 potentially unsafe prompts**…
- PACS: Privacy-Preserving Attribute-Driven Community Search over Attributed Graphs — Fangyuan Sun
PACS enables **privacy-preserving community search** on attributed graphs outsourced to cloud servers. The system allows users to find structurally cohesive communities with the highest attribute…
- Chasing Shadows: Pitfalls in LLM Security Research — Jonathan Evertz
This paper identifies **nine distinct pitfalls** that undermine the reproducibility, rigor, and soundness of security research using large language models. Analyzing **72 papers** across **eight**…
- Decompiling the Synergy: An Empirical Study of Human-LLM Teaming in Software Reverse Engineering — Zion Leonahenahe Basque
This large-scale empirical study examines how **LLMs impact software reverse engineering** performance through a controlled experiment with **48 practitioners** (24 experts, 24 novices) generating…
- DOM-XSS Detection via Webpage Interaction Fuzzing and URL Component Synthesis — Nuno Sabino
This research significantly advances **DOM-based XSS detection** at scale by addressing the fundamental code coverage limitations of prior work. While previous studies relied on **passive**…
- Small Cell, Big Risk: A Security Assessment of 4G LTE Femtocells in the Wild — Yaru Yang
As mobile networks evolve and data demand surges, operators have turned to **femtocells** -- small, low-cost base stations designed for indoor deployment in homes and offices -- to extend cellular…
- VICTOR: Dataset Copyright Auditing in Video Recognition Systems — Quan Yuan
As video recognition systems become integral to **autonomous driving**, **security surveillance**, and **healthcare monitoring**, the datasets used to train these models have become valuable…
- Revealing The Secret Power: How Algorithms Can Influence Content Visibility on Twitter/X — Alessandro Galeazzi
Social media algorithms operate as opaque gatekeepers, deciding what content appears in users' timelines without transparent disclosure of their ranking criteria. This talk presents an empirical…
- CTng: Secure Certificate and Revocation Transparency — Jie Kong
The **Web PKI** ecosystem that underpins secure internet communication relies on **Certificate Transparency (CT)** to detect maliciously or mistakenly issued certificates, and on revocation…
- Time will Tell: Large-scale De-anonymization of Hidden I2P Services via Live Behavior Alignment — Hongze Wang
The **Invisible Internet Project (I2P)** is an anonymous communication network that protects the identity of both clients and servers through multi-layered encryption and tunnel-based routing…
- BACnet or "BADnet"? On the (In)Security of Implicitly Reserved Fields in BACnet — Qiguang Zhang
**Building Automation Systems (BAS)** control heating, ventilation, air conditioning, lighting, security subsystems, and door locks in commercial buildings worldwide, with the **BACnet protocol**…
- Scalable Off-Chain Auctions — Mohsen Minaei
Running sealed-bid auctions on public blockchains like **Ethereum** faces a fundamental scalability problem: every bid requires an on-chain transaction, causing gas costs to grow linearly with the…
- LOKI: Proactively Discovering Online Scam Websites by Mining Toxic Search Queries — Pujan Paudel
Online scams cause mounting financial losses worldwide, yet the discovery pipeline for scam websites has a critical bottleneck: while sophisticated classifiers can identify scam sites once found…
- QNBAD: Quantum Noise-induced Backdoor Attacks against Zero Noise Extrapolation — Cheng Chu
Current quantum computers operate in the **Noisy Intermediate-Scale Quantum (NISQ)** era, where qubit decoherence times are extremely short (hundreds of microseconds on IBM devices) and gate error…
- WCDCAnalyzer: Scalable Security Analysis of Wi-Fi Certified Device Connectivity Protocols — Zilin Shen
The **Wi-Fi Alliance's device connectivity protocols** -- **Wi-Fi Direct**, **Wi-Fi Easy Connect**, and **Wi-Fi Easy Mesh** -- handle the critical initial pairing and connection setup for billions…
- PriSrv+: Privacy and Usability-Enhanced Wireless Service Discovery with Fast and Expressive Matchmaking Encryption — Yang Yang
Wireless service discovery protocols -- used in **Wi-Fi**, **mDNS**, **DNS-SD**, **BLE advertisements**, and **AirDrop-like workflows** -- are fundamentally leaky by design. They rely on cleartext…
- Mapping the Cloud: A Mixed-Methods Study of Cloud Security and Privacy Configuration Challenges — Sumair Ijaz Hashmi
Cloud misconfigurations have repeatedly been identified as the **leading cause of cloud security breaches**, from exposed **AWS S3 buckets** leaking 70 terabytes of customer data to **AT&T's**…
- To Shuffle or not to Shuffle: Auditing DP-SGD with Shuffling — Meenatchi Sundaram Muthu Selva Annamalai
**Differentially Private Stochastic Gradient Descent (DP-SGD)** is the standard approach for training machine learning models with formal privacy guarantees. A critical implementation detail is how…
- Icarus: Achieving Performant Asynchronous BFT with Only Optimistic Paths — Xiaohai Dai
**Byzantine Fault Tolerant (BFT) consensus protocols** are foundational to distributed systems that must remain correct even when some nodes behave maliciously. Asynchronous BFT protocols offer the…
- SoK: Cryptographic Authenticated Dictionaries — Harjasleen Malvai
**Cryptographic authenticated dictionaries** are data structures that provide not just key-value storage but also **proofs** about the correctness of lookup results -- proofs that a returned value…
- Action Required: A Mixed-Methods Study of Security Practices in GitHub Actions — Yusuke Kubo
**GitHub Actions** has become the mainstream CI/CD platform for modern software development, and its popularity makes it a highly attractive target for attackers. The 2025 compromise of **TJ**…
- Analysis of the Security Design, Engineering, and Implementation of the SecureDNA System — Alan T. Sherman
The **SecureDNA system** enables DNA synthesizers to screen synthesis requests against a curated database of hazardous pathogen sequences, addressing the alarming convergence of **AI capabilities**…
- PathProb: Probabilistic Inference and Path Scoring for Enhanced and Flexible BGP Route Leak Detection — Yingqian Hao
**BGP (Border Gateway Protocol)** remains the de facto inter-domain routing protocol for the global internet, yet it was designed without security mechanisms, leaving it vulnerable to **route**…
- Demystifying RPKI-Invalid Prefixes: Hidden Causes and Security Risks — Weitong Li
**RPKI (Resource Public Key Infrastructure)** is the primary mechanism for securing BGP routing, allowing resource owners to create cryptographically signed **Route Origin Authorizations (ROAs)**…
- Know Me by My Pulse: Toward Practical Continuous Authentication on Wearable Devices via Wrist-Worn PPG — Wei Shao
Wearable devices store increasingly sensitive data -- health information, messages, and payment credentials -- yet their authentication systems only verify the user once (via PIN, fingerprint, or…
- The Heat is On: Understanding and Mitigating Vulnerabilities of Thermal Image Perception in Autonomous Systems — Sri Hrushikesh Varma Bhupathiraju
**Thermal cameras** are increasingly integrated into autonomous systems -- robot taxis (**Waymo**, **Nuro**), robotic platforms (**RAS**), and drones (**DJI**, **Skydio**) -- to enhance perception…
- The Dark Side of Flexibility: Detecting Risky Permission Chaining Attacks in Serverless Applications — Xunqi Liu
**Serverless computing** decomposes applications into small, event-driven functions that execute independently within their own permission boundaries. While IAM policies evaluate each function's…
- Breaking the Bulkhead: Demystifying Cross-Namespace Reference Vulnerabilities in Kubernetes Operators — Andong Chen
**Kubernetes operators** automate lifecycle management of complex applications, accepting user input through namespace-scoped custom resources and performing privileged operations on the cluster…
- SIPConfusion: Exploiting SIP Semantic Ambiguities for Caller ID and SMS Spoofing — Qi Wang
The **Session Initiation Protocol (SIP)** underpins modern voice, video, and messaging infrastructure -- from VoIP (projected at **$326 billion by 2032**) to **Rich Communication Services (RCS)**…
- Looma: A Low-Latency PQTLS Authentication Architecture for Cloud Applications — Xinshu Ma
Cloud applications built from microservices create many internal network connections, each requiring **mutual TLS (mTLS)** authentication. As the industry transitions to **post-quantum**…
- Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers — Andrea Monzani
**Bring Your Own Vulnerable Driver (BYOVD)** is an increasingly prevalent technique where attackers use legitimate, signed kernel drivers containing exploitable flaws to achieve kernel-level…
- Understanding the Status and Strategies of the Code Signing Abuse Ecosystem — Hanqing Zhao
**Code signing** is the primary mechanism for verifying software authenticity and integrity, but attackers have systematically exploited weaknesses in the code signing PKI to sign malware with valid…
- SYSYPHUZZ: the Pressure of More Coverage — Zezhong Ren
Coverage-centric kernel fuzzing has a blind spot: once a basic block is marked as "covered," fuzzers ignore it forever, even if it was executed only once or twice. This talk presents **SYSYPHUZZ**…
- Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem — Tillson Galloway
The **threat intelligence (TI) ecosystem** is a multi-billion dollar industry where vendors ingest, analyze, and share malware samples and indicators of compromise (IoCs) through complex supply…