#ieeessp

2025-05-14

So many amazing papers at #IEEESSP Oakland'25 this year. Congratulations to all authors on your accepted papers and an amazing program overall.

This year, we had one paper "SoK: Challenges and Paths Toward Memory Safety for eBPF" where Kaiming Huang explores challenges in protecting the Linux kernel against bugs in the eBPF verifier. As it turns out, securing even a simple language is challenging and we need to carefully consider how optimizations are implemented. Check out the full paper for details: nebelwelt.net/files/25Oakland.

Sadly, I could not make it to San Francisco this year. Luckily my alternative program to go hike with the kids was not too bad either!

CosicBe
2025-05-14

Today Jesse De Meulemeester will present "BadRAM: Practical Memory Aliasing Attacks on Trusted Execution Environments" at IEEE SSP in San Francisco.
sp2025.ieee-security.org/progr

BadRAM - Breaching Processor Security via Rogue Memory Modules: info and demo on badram.eu/

2023-08-13

While we have been focusing on reducing false positives in vulnerability detection, my IEEE S&P'24 paper, in collaboration with Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni, shows the contrary: developers would rather have more false positives if the tool finds the vulnerabilities. FNs are of more concern to them. Key insights below:

1. While we found several insights that match existing literature, e.g., "Select situations can lead to the de-prioritization of software security," the rest challenge existing literature, identifying challenges that need attention from practitioners, SAST developers, and researchers.

2. For example, "Developer Happiness is Key" is the primary design goal of program analysis tools, thus focusing on reducing false positives in general. However, participants strongly favor reducing false negatives because "that one is going to kill you".

Further key insights and the full paper are available below:

tags: #IEEESSP'24 #sp #security #sast #study #stem #WM
