Herbert Bos


Contact details:

Computer Systems Section
Vrije Universiteit Amsterdam
De Boelelaan 1081, room R4.29
1081 HV Amsterdam
email: HerbertB «@» cs.vu.nl
phone: +31-20 598 7746
fax : +31-20 598 7653
How to get here


I am a full professor at the Vrije Universiteit Amsterdam (or 'VU University' as it is supposed to be called in English, nowadays). I moved here after approximately four years at the Universiteit Leiden. Before that I obtained my Ph.D. from the Cambridge University Computer Laboratory, followed by a (very) brief stint at KPN Research (now TNO Telecom). At the VU I am heading a group of people working mostly on System Security (e.g., the Argos, Minemu, and Rosetta projects) and OS design for networking (e.g., the Streamline/FFPF project). In addition, I am involved in the development of the Minix3 Operating System. The work on the Open Kernel Environment (OKE) has now ceased.

Thanks to an ERC Starting Grant, I am now able to work on a project on Reverse Engineering of stripped binaries, known as Rosetta. An NWO VICI grant allows me to work on a project to find vulnerabilities in binary software.

Vacancies: if you are (a) really good, and (b) interested in a PhD in system security, send me an email. There may (or may not) be positions any time of the year.

Scholarships: if you are from the EU and you want to do a research project in my group (or in one of 6 other universities), you may want to apply for a SysSec Scholarship (see also FAQ).

Mixed blessings: some of the things we do get picked up by the popular media.

System Security Course Material: We have a large collection of slides, handouts, assignments, etc. on topics related to system security (e.g., memory corruption, malware analysis, reverse engineering, network security, etc.). All of this is available for free to instructors at bona fide schools. Just sign up for an account on the gforge machine and email me your username.

Ph.D Students: some Ph.D. students I supervised.

Announcements

15/06/2014
Some news on the GameOver Zeus takedown on KrebsOnSecurity and some more on Geek.com.
27/01/2014
I have won a VICI grant to work on finding security holes in binary software.
20/01/2014
We have finally (after more than a year of dilly-dallying) pre-released Argos 0.7. As it is based on Qemu 1.1.0, it supports Windows 7.
29/10/2013
We had two papers at WCRE this year: MemBrush (on detecting and classifying custom memory allocators in binaries) and MemPick (on detecting pointer structures like trees and lists in binaries). MemBrush won the best paper award!
15/07/2013
Last year, we published a paper at RAID about memory errors (Memory Errors: The Past, the Present, and the Future). We are still tracking this. Have a look at Victor's Trends in Memory Errors.
20/04/2013
Very proud of my (ex-)student Asia Slowinska, who won the Roger Needham Award for best Ph.D. thesis in Systems in Europe. The prize of 2000 euro and a certificate were awarded last week at the banquet of Eurosys in Prague. After Willem de Bruijn and Jorrit Herder, this is the third time we have won this award!
29/01/2013
Our paper on P2P botnet resilience was accepted by Security & Privacy (Oakland).
22/11/2012
Anyone considering a master's in computer science with a focus on systems should check out our top master's programme PDCS. Also have a look at this somewhat older and (to me) amusing video made by Andy Tanenbaum.
26/05/2012
One of the VUBar teams participating in the Hack-in-the-Box CTF came on Dutch TV.
23/03/2012
Our BinArmour paper was accepted for publication by USENIX.
01/02/2012
Our paper "Prudent Practices for Designing Malware Experiments: Status Quo and Outlook" was accepted for publication by Oakland (Security & Privacy).
01/02/2012
The university made me full professor!
02/09/2011
Do submit papers to EuroSys 2012.
01/09/2011
We developed Minemu, an emulator for very fast taint tracking. The code is available for download and a corresponding paper was accepted for RAID.
08/07/2011
DIMVA is over and IMHO it was quite a success. We had several co-located events (chief among which the very popular SysSec workshop and the dCTF Capture-the-Flag competition). Some pictures of the social event.
12/04/2011
Jorrit Herder just won the EuroSys Roger Needham Ph.D. Award for best Ph.D. thesis in Systems in Europe. See the full press release here. Safe to say, I am very proud! Especially since this is the second consecutive time that one of our (and one of my) students won the award. Last year, Willem de Bruijn won the award.
12/04/2011
We finally released a new version of Argos, with shellcode tracking. After detecting an attack, Argos can keep executing the attackers' code to distinguish the code's actions and to separate the shellcode from the NOP sled and unpacker(s).
10/04/2011
With if(is) and U. Erlangen, we developed Sandnet, an environment to run and analyse malware.
01/04/2011
Scholarships available! System security researchers (including students) interested in short-term research visits to top research centers in the field should consider applying for a SysSec scholarship.
23/03/2011
The Streamline paper -- submitted years ago -- was formally accepted for publication in ACM Transactions on Computer Systems (TOCS). It should appear in May.
16/12/2010
An article in the Intermediair on Stuxnet (Dutch and not technical).
13/12/2010
Radio interview: Hoe?Zo! Radio on Wikileaks (Dutch and not technical).
12/10/2010
Our paper on dynamic data excavation was accepted by NDSS'2011.
15/09/2010
Our paper on Paranoid Android was accepted by ACSAC'2010.
02/08/2010
Very happy: I was awarded an ERC Grant for a project on reverse engineering. :-)
02/07/2010
With students from various other universities, six of my students did battle in the Capture The Flag competition at the Hack-In-The-Box conference in Amsterdam this week. When the dust settled, they ranked 1, 2, 3, 4, 5, and 6! Overall winner was Jozef Svec. Here is a picture of the competition and here is a picture of the celebratory beers.
01/07/2010
Our Streamline paper -- which we submitted two years ago -- was accepted with minor revisions by ACM Transactions on Computer Systems (TOCS). Currently working on the revisions!
25/05/2010
In the Paranoid Android project, we detect attacks on smart phones by running security checks on a remote server in the cloud (see also last year's announcement). Update on this project: we now have multiple methods for detecting attacks running on our servers (such as standard antivirus scanners and taint analysis). Moreover, we are finishing a kernel implementation that is expected to improve performance. We have registered an updated TR (the original report from Sept 2009 is still available here).
15/04/2010
I am proud of all my students, but these days I am extremely proud of Willem de Bruijn, who was awarded the ACM SIGOPS EuroSys Roger Needham PhD Award for best PhD in Europe. The topic of his PhD thesis is, of course, Streamline.
31/02/2010
Our new version of Argos is capable of analysing exploits by executing and analyzing unpackers and shellcode.
23/10/2009
Note: EUROSEC 2010, the European Systems Security venue is approaching.
15/10/2009
We released Streamline version 1.7.4.5: bug fix release, mainly for PipesFS.
23/09/2009
I have started writing a more complete version of the tutorial on kernel writing. So far I only have a chapter on building and booting the most basic kernel, but if I find time, I will try to make it more interesting in the future.
16/09/2008
New version of shelia: bug fixes mostly.
15/09/2009
Smartphones are vulnerable and hard to protect. In the Paranoid Android project, we show how we can offload all security checks to a server running a replica in the Cloud. We now have this working and we made available a technical report on our implementation.
15/08/2008
We now released Streamline 1.7.4.4: bug fixes, performance improvements, support for newer kernels.
09/07/2008
We released Streamline 1.7.4 which adds PipesFS: a Linux virtual filesystem for I/O. PipesFS presents kernel I/O operations as directories and exports live streams through Unix pipes. The FS allows users to quickly construct kernel tasks using the 40+ Streamline operations using mkdir, ln, etc. and to interact with kernel I/O using cat, grep, gzip, etc.
22/05/2008
We released Argos v0.4.1. It fixes an annoying bug that had been bothering us for a while and caused false positives.
22/05/2008
Anyone interested in writing their own kernels: here is a tutorial on how to write a simple kernel and get it to boot in Qemu. It is a shameless rip-off of Brandon F.'s tutorial, but for ELF format rather than a.out, and with info about making a bootable Grub image.
03/03/2008
The ACM SIGOPS EUROSEC European Workshop on System Security was held in Glasgow.
03/03/2008
We have released Argos version 0.4.0, which is based upon QEMU v0.9.1. QEMU 0.9.x boasts many new features over the older 0.8.x versions. Besides benefitting from these, Argos itself also has a few new features. Argos 0.4.0 was also released as a Debian package.
26/02/2008
A Debian package of the latest Argos release is now available. You can get it here.
26/02/2008
We released Streamline version 1.7.3. It is more robust and stress-tested in real application benchmarks (e.g., BIND and mplayer). New: UDP sockets API, network driver interface and Intel pro/1000 driver, multithreading, x86_64 support.
05/02/2008
EUROSEC, the ACM SIGOPS Workshop for System Security is now open for submissions.
07/01/2008
The paper on Eudaemon was accepted for publication at ACM SIGOPS Eurosys 2008.
04/11/2007
For students interested in buffer overflows, I wrote a technical tutorial that explains a two-phase buffer-overflow attack that works in the presence of address space randomization: a two-phase buffer overflow.
01/11/2007
A paper on the buffering system in Streamline ("Beltway buffers: avoiding the OS traffic jam") was accepted for INFOCOM'08. See also the Streamline website.
01/10/2007
A paper on the implementation of Ruler on Intel IXP2xxx network processors ("Ruler: easy packet matching and rewriting on network processors") was accepted for ANCS'07. See also the Ruler website.
18/09/2007
We released Rulerproxy: an efficient, userspace application for Linux that allows one to apply Ruler filters at application level (e.g., after TCP reassembly).
29/08/2007
Niels Provos and Thorsten Holz have written a book about honeypots, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, which discusses Argos in some detail. There is also a Safari online version.
23/08/2007
We released Streamline version 1.7.2. An important new feature is a virtual filesystem (like sysfs) interface to Streamline. With this netmonfs you can inspect live data streams as if you're reading local files. Setting up streams and filters is easily accomplished through mkdir, open and other well-known core utilities. In addition, it should be more stable.
11/07/2007
No code available yet, but we managed to speed up the Argos Honeypot by making it switch between Xen and Argos when needed (by using the techniques described in Ho et al.'s paper in Eurosys 2006).
01/05/2007
We released Streamline version 1.7.0. Many fixes and changes!
11/02/2007
Shelia, a new client-side honeypot for Windows, is now available.
11/02/2007
We recently released Streamline version 1.6.3. Many fixes and changes!
08/12/2006
The technical report about the Beltway Buffers in Streamline is now online.
08/12/2006
The technical report about the Ruler language for network pattern matching and rewriting is now online. See also the Ruler website.
04/12/2006
The new release of Argos (version 0.2.3) is now out. It corrects a bug in previous versions that would cause a crash in instances compiled with the --enable-net-tracker option.
01/09/2006
Check out the new release (version 0.3) of the Ruler language for traffic pattern matching and rewriting.
No date
Check out our new 'top-masters program'.
No date
Current students should check out the courses and projects section and the Open MSc projects page.
June 2006
Version 0.1.4 of Argos has been released (also: the mailing list is finally working!)
June 2006
Version 1.6.2 of Streamline / FFPF has been released
November 2005
Here is a layman's introduction to computer worms (in Dutch, contains mini-tutorial on buffer overflow exploits).

(Some of my) Current projects

Rosetta is an ERC Starting Grant project on reverse engineering of complex binaries.
→ Re-Cover is an NWO project to probe the strength of modern data obfuscation.
→ OpenSesame is an NWO project on finding backdoors in embedded devices.
The EU FP7 SYSSEC project is a Network of Excellence in the field of Systems Security.
We have released the Argos intrusion detection system - it is based on an instrumented x86 emulator that uses taint analysis to detect attacks.
Besides the above projects, I am involved in various other projects to do with network monitoring. Most notable among these is known as FFPF/Streamline.



Course info:

Always:
January 2010:


$Id: index.html,v 1.199 2013/05/16 13:07:20 herbertb Exp $