Bio:

David Paaßen is a research assistant at the chair for System Security at the University Duisburg-Essen.

Curriculum Vitae:

Year Position / Study Program

since 02/2019 Research Assistant at the chair for System Security at the University of Duisburg-Essen

03/2017 - 10/2018 Malwareanalyst at G DATA Software AG

11/2014 - 12/2016 Master's studies in IT Security/Information Engineering at the Ruhr-University Bochum (graduated with M. Sc.)

10/2011 - 11/2014 Bachelor's studies in IT Security/Information Engineering at the Ruhr-University Bochum (graduated with B. Sc.)

2011 Higher education entrance qualification at Heinz-Nixdorf-Berufskolleg Essen

Publications:

• Paaßen, David; Giesen, Jens-Rene; Davi, Lucas: Targeted Fuzzing for Unsafe Rust Code: Leveraging Selective Instrumentation. In: Proc. of 29th International Conference on Evaluation and Assessment in Software Engineering (EASE). Association for Computing Machinery (ACM), Istanbul, Turkiye , 2025. doi:10.1145/3756681.3756956Abstract Details Citation

  Rust is a promising programming language that focuses on concurrency, usability, and security. It is used in production code by major industry players and got recommended by government bodies. Rust provides strong security guarantees achieved by design utilizing the concepts of ownership and borrowing. However, Rust allows programmers to write unsafe code which is not subject to the strict Rust security policy. Empirical studies show that security issues in practice always involve code written in unsafe Rust.

  In this paper, we present the first approach that utilizes selective code coverage feedback to focus the fuzzing efforts on unsafe Rust code. Our approach significantly improves the efficiency when fuzzing Rust programs and does not require additional computational resources while fuzz testing the target. To quantify the impact of partial code instrumentation, we implement our approach by extending the capabilities of the Rust compiler toolchain. We present an automated approach to detect unsafe and safe code components to decide which parts of the program a fuzzer should focus on when running a fuzzing campaign to find vulnerabilities in Rust programs. Our approach is fully compatible with existing fuzzing implementations and does not require complex manual work, thus retaining the existing high usability standard. Focusing on unsafe code, our implementation allows us to generate inputs that trigger more unsafe code locations with statistical significance and therefore is able to detect potential vulnerabilities in a shorter time span while imposing no performance overhead during fuzzing itself.

• Rodler, Michael; Paaßen, David; Li, Wenting; Bernhard, Lukas; Holz, Thorsten; Karame, Ghassan; Davi, Lucas: EF/CF: High Performance Smart Contract Fuzzing for Exploit Generation. In: Proc. of 8th IEEE European Symposium on Security and Privacy (EuroSP). Institute of Electrical and Electronics Engineers (IEEE), Delft, Netherlands , 2023. doi:10.1109/EuroSP57164.2023.00034Abstract Details Citation

  Smart contracts are increasingly being used to manage large numbers of high-value cryptocurrency accounts. There is a strong demand for automated, efficient, and comprehensive methods to detect security vulnerabilities in a given contract. While the literature features a plethora of analysis methods for smart contracts, the existing proposals do not address the increasing complexity of contracts. Existing analysis tools suffer from false alarms and missed bugs in today’s smart contracts that are increasingly defined by complexity and interdependencies. To scale accurate analysis to modern smart contracts, we introduce EF↯CF, a high-performance fuzzer for Ethereum smart contracts. In contrast to previous work, EF↯CF efficiently and accurately models complex smart contract interactions, such as reentrancy and cross-contract interactions, at a very high fuzzing throughput rate. To achieve this, EF↯CF transpiles smart contract bytecode into native C++ code, thereby enabling the reuse of existing, optimized fuzzing toolchains. Furthermore, EF↯CF increases fuzzing efficiency by employing a structure-aware mutation engine for smart contract transaction sequences and using a contract’s ABI to generate valid transaction inputs. In a comprehensive evaluation, we show that EF↯CF scales better—without compromising accuracy—to complex contracts compared to state-of-the-art approaches, including other fuzzers, symbolic/concolic execution, and hybrid approaches. Moreover, we show that EF↯CF can automatically generate transaction sequences that exploit reentrancy bugs to steal Ether.

• Cloosters, Tobias; Paaßen, David; Wang, Jianqiang; Draissi, Oussama; Jauernig, Patrick; Stapf, Emmanuel; Davi, Lucas; Sadeghi, Ahmad-Reza: RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64. In: Proc. of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022). Association for Computing Machinery (ACM), Limassol, Cyprus, 2022. doi:10.1145/3545948.3545997AbstractPDF Details Citation

  Return-oriented programming (ROP) is a powerful run-time exploitation technique to attack vulnerable software. Modern RISC architectures like RISC-V and ARM64 pose new challenges for ROP execution due to the lack of a stack-based return instruction and strict instruction alignment. Further, the large number of caller-saved argument registers significantly reduces the gadget space available to the attacker. Consequently, existing ROP gadget tools for other processor architectures cannot be applied to these RISC architectures. Previous work on RISC-V provides only manual construction of ROP attacks against specially crafted programs, and no analysis of ROP attacks has been conducted for ARM64 yet.

  In this paper, we address these challenges and present RiscyROP, the first automated ROP gadget finding and chaining toolkit for RISC-V and ARM64. RiscyROP analyzes available gadgets utilizing symbolic execution, and automatically generates complex multi-stage chains to conduct arbitrary function calls. Our approach enables the first investigation of the gadget space on RISC-V and ARM64 real-world binaries. RiscyROP successfully builds ROP chains that enable an attacker to execute arbitrary function calls for the nginx web server as well as any binary that contains the libc library.

• Paaßen, David; Surminski, Sebastian; Rodler, Michael; Davi, Lucas: My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers. In: Proc. of 26th European Symposium on Research in Computer Security. Springer Cham, Darmstadt, Germany, 2021. doi:10.1007/978-3-030-88418-5_9Abstract Details Citation

  Fuzzing has become one of the most popular techniques to identify bugs in software. To improve the fuzzing process, a plethora of techniques have recently appeared in academic literature. However, evaluating and comparing these techniques is challenging as fuzzers depend on randomness when generating test inputs. Commonly, existing evaluations only partially follow best practices for fuzzing evaluations. We argue that the reason for this are twofold. First, it is unclear if the proposed guidelines are necessary due to the lack of comprehensive empirical data in the case of fuzz testing. Second, there does not yet exist a framework that integrates statistical evaluation techniques to enable fair comparison of fuzzers.

  To address these limitations, we introduce a novel fuzzing evaluation framework called SENF (Statistical EvaluatioN of Fuzzers). We demonstrate the practical applicability of our framework by utilizing the most wide-spread fuzzer AFL as our baseline fuzzer and exploring the impact of different evaluation parameters (e.g., the number of repetitions or run-time), compilers, seeds, and fuzzing strategies. Using our evaluation framework, we show that supposedly small changes of the parameters can have a major influence on the measured performance of a fuzzer.