Team

Tobias Cloosters

Academic Staff

Tobias Cloosters, M.Sc.

Room:
S-GW 309
Phone:
+49 201 18-37019
Email:

Bio:

Tobias Cloosters is a research assistant in the working group for Secure Software Systems at the University of Duisburg-Essen.

Curriculum Vitae:

Year: Position/Study Program
since 12/2019: Research Assistant at the Secure Software Systems (Syssec) group at the University of Duisburg-Essen
2017−2019: Master of Science: Software and Network Engineering at the University of Duisburg-Essen
2015−2019: Student Assistant at the Computer Networking Technology Group of the University of Duisburg-Essen
2013−2017: Bachelor of Science: Angewandte Informatik – Systems Engineering at the University of Duisburg-Essen

Publications:

  • Draissi, Oussama; Cloosters, Tobias; Klein, David; Rodler, Michael; Musch, Marius; Johns, Martin; Davi, Lucas: Wemby's Web: Hunting for Memory Corruption in WebAssembly. In: Proc. of the 34th International Symposium on Software Testing and Analysis (ISSTA). ACM, Trondheim, Norway 2025.

    WebAssembly enables fast execution of performance-critical in web applications utilizing native code.
    However, recent research has demonstrated the potential for memory corruption errors within WebAssembly modules to exploit web applications.
    In this work, we present the first systematic analysis of memory corruption in WebAssembly, unveiling the prevalence of a novel threat model where memory corruption enables code injection on a victim’s browser.
    Our large-scale analysis across 37 797 domains reveals that an alarming 29 411 (77.81 %) of those fully trust data coming from potentially attacker-controlled sources.
    As a result, an attacker can exploit memory errors to manipulate the WebAssembly memory, where the data is implicitly trusted and frequently passed into security-sensitive functions such as eval or directly into the DOM via innerHTML.
    Thus, an attacker can abuse this trust to gain JavaScript code execution, i.e., Cross-Site Scripting (XSS).

    To tackle this issue, we present Wemby, the first viable approach to efficiently analyze WebAssembly-powered websites holistically.
    We demonstrate that Wemby is proficient at detecting remotely exposed memory corruption errors in web applications through fuzzing.
    For this purpose, we implement binary-only WebAssembly instrumentation that provides fine-grained memory corruption oracles.
    We applied Wemby to different websites, uncovering several security-critical functions and memory corruption bugs, including one on the Zoom platform.
    In terms of performance, our ablation study demonstrates that Wemby outperforms current WebAssembly fuzzers.
    Specifically, Wemby achieves an average speed improvement of 232 times and delivers 46% greater code coverage compared to the state-of-the-art.

  • Andreina, Sebastien; Cloosters, Tobias; Davi, Lucas; Giesen, Jens-Rene; Gutfleisch, Marco; Karame, Ghassan; Naiakshina, Alena; Naji, Houda: Defying the Odds: Solana’s Unexpected Resilience in Spite of the Security Challenges Faced by Developers. In: Proc. of the 31st ACM SIGSAC Conference on Computer & Communications Security (CCS). ACM, Salt Lake City, USA 2024.

    Solana gained considerable attention as one of the most popular blockchain platforms for deploying decentralized applications. Compared to Ethereum, however, we observe a lack of research on how Solana smart contract developers handle security, what challenges they encounter, and how this affects the overall security of the ecosystem.

    To address this, we conducted the first comprehensive study on the Solana platform. Our study shows, quite alarmingly, that none of the participants could detect all important security vulnerabilities in a code review task and that 83% of the participants are likely to release vulnerable smart contracts. Our study also sheds light on the root causes of developers' challenges with Solana smart contract development, suggesting the need for better security guidance and resources. In spite of these challenges, our automated analysis on currently deployed Solana smart contracts surprisingly suggests that the prevalence of vulnerabilities - especially those pointed out as the most challenging in our developer study - is below 0.3%. We explore the causes of this counter-intuitive resilience and show that frameworks, such as Anchor, are positively aiding Solana developers - even those unmindful of security - in deploying secure contracts.

  • Cloosters, Tobias; Draissi, Oussama; Willbold, Johannes; Holz, Thorsten; Davi, Lucas: Memory Corruption at the Border of Trusted Execution. In: IEEE Security & Privacy, Vol 2024 (2024), p. 2-11. doi:10.1109/MSEC.2024.3381439

    Trusted execution environments provide strong security guarantees, like isolation and confidentiality, but are not immune from memory-safety violations. Our investigation of public trusted execution environment code based on symbolic execution and fuzzing reveals subtle memory safety issues.

  • Cloosters, Tobias; Paaßen, David; Wang, Jianqiang; Draissi, Oussama; Jauernig, Patrick; Stapf, Emmanuel; Davi, Lucas; Sadeghi, Ahmad-Reza: RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64. In: Proc. of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022). Limassol, Cyprus 2022. doi:10.1145/3545948.3545997
  • Cloosters, Tobias; Surminski, Sebastian; Sangel, Gerrit; Davi, Lucas: SALSA: SGX Attestation for Live Streaming Applications. In: Proc. of 7th IEEE Secure Development Conference (SecDev). IEEE, 2022. doi:10.1109/SecDev53368.2022.00019

    Intel SGX is a security feature of processors that allows running software in enclaves, isolated from the operating system. Even an attacker with full control of the computer system cannot inspect these enclaves. This makes SGX enclaves an adequate solution to store and process highly sensitive data like encryption keys. However, these enclaves are still vulnerable to standard software attacks. While SGX allows static attestation, i.e., validating the integrity of the program code and data in the enclave, static attestation cannot detect run-time attacks.
    We present SALSA, the first solution to allow run-time attestation of SGX enclaves. To show its applicability, we use SALSA to implement a video streaming service that uses an SGX enclave to decode the video stream. When a compromise of the SGX enclave is detected, the streaming of the video instantaneously stops. This shows a practical use-case for runtime attestation of SGX enclaves. In the evaluation, we show that the performance of this setup is sufficient to attest a live video streaming service.

  • Cloosters, Tobias; Willbold, Johannes; Holz, Thorsten; Davi, Lucas: SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing. In: Proc. of 31st USENIX Security Symposium. 2022.
  • Cloosters, Tobias; Rodler, Michael; Davi, Lucas: TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves. In: Proc. of 29th USENIX Security Symposium. 2020.

    Intel's Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. In this paper, we show that the attack surface of SGX enclaves provides new challenges for enclave developers as exploitable memory corruption vulnerabilities are easily introduced into enclave code. We develop TeeRex to automatically analyze enclave binary code for vulnerabilities introduced at the host-to-enclave boundary by means of symbolic execution. Our evaluation on public enclave binaries reveals that many of them suffer from memory corruption errors allowing an attacker to corrupt function pointers or perform arbitrary memory writes. As we will show, TeeRex features a specifically tailored framework for SGX enclaves that allows simple proof-of-concept exploit construction to assess the discovered vulnerabilities. Our findings reveal vulnerabilities in multiple enclaves, including enclaves developed by Intel, Baidu, and WolfSSL, as well as biometric fingerprint software deployed on popular laptop brands.
