This page is quickly becoming obsolete as I am switching to my new page at the VUSec group site.

Herbert Bos

Contact details:

Computer Systems Section
Vrije Universiteit Amsterdam
De Boelelaan 1081, room P4.16
1081 HV Amsterdam
email: HerbertB «@»
phone: +31-20 598 7746
fax : +31-20 598 7653
How to get here

Quick links

publications projects
course info Program Committees
software how to write papers

I am a full professor at the Vrije Universiteit Amsterdam (or 'VU University' as it is supposed to be called in English, nowadays). I moved here after approximately four years at the Universiteit Leiden. Before that I obtained my Ph.D. from the Cambridge University Computer Laboratory, followed by a (very) brief stint at KPN Research (now TNO Telecom). At the VU I am heading a group of people working mostly on System Security (e.g., the Argos, Minemu, and Rosetta projects) and OS design for networking (e.g., the Streamline/FFPF project). In addition, I am involved in the development of the Minix3 Operating System. The work on the Open Kernel Environment (OKE) has now ceased.

Thanks to an ERC Starting Grant, I am now able to work on a project on Reverse Engineering of stripped binaries, known as Rosetta. An NWO VICI grant allows me to work on a project to find vulnerabilities in binary software.

Vacancies: if you are (a) really good, and (b) interested in a PhD in system security, send me an email. There may (or may not) be positions any time of the year.

Mixed blessings: some of the things we do get picked up by the popular media.

System Security Course Material: We have a large collection of slides, handouts, assignments, etc. on topics related to system security (e.g., memory corruption, malware analysis, reverse engineering, network security, etc.). All of this is available for free to instructors at bona fide schools. Just sign up for an account on the gforge machine and email me your username.

Ph.D Students: some Ph.D. students I supervised.


Four of our NDSS 2017.
Two of our papers were accepted for papers were accepted for CCS 2016.
Four of our papers were accepted for USENIX Security 2016.
Our work on the BAndroid Vulnerability appeared in The Register: Academics claim Google Android two-factor authentication is breakable. This was slashdotted twice: here and here.
Our Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector and our Tough Call: Mitigating Advanced Code-Reuse Attacks At The Binary Level were accepted for Oakland.
SROP (SigReturn-Oriented Programming) features in LWN. See also the new patch.
Best student paper award at ACSAC'2016 for ShrinkWrap: VTable protection without loose ends.
More about the BAndroid vulnerability. This time an article in NRC: Pas op. Google geeft je een gevaarlijke overdosis gebruiksgemak.
And even more ado about the BAndroid vulnerability in the Volkskrant (Dutch) Hoe flikken ze dat: inbreken op onze mobiele telefoons?.
Much ado about a security problem we found in Android.
Proud to have won the Senior Lecturer Award of the Faculty of Sciences.
Years ago, I gave an (inaugural) speech about systems security which uses the term Red Queen Effect to refer to the arms race between attackers and defenders. I completely forgot about it, but recently stumbled on it while cleaning up my hard drive. It is intended for a lay audience (explain my view on security research), but also discusses buffer overflows, code reuse attacks, and the beauty of hacking. Also, cleverly hidden in the text is a piece of malicious shellcode.
Earlier today, the paper Out of control: Overcoming Control Flow Integrity, of which Enes Goktas was the first author, was awarded the Dutch Cyber Security Research Award (for best paper in security research in the Netherlands).
Two of our papers (the "Out-of-Control" oakland paper by Enes Goktas and the " Framing Signals" S&P paper by Erik Bosman) were among 5 papers selected as Highlights of Dutch Cyber Security Research.
Recent keynotes: SBESC (Manaus, Brazil), ICISS (Hyderabad, India), and ESSOS (Milan, Italy)
RAID 2015 will be held in Kyoto, Japan. Gear up now to send in your best work!
Anyone teaching security, C programming, operating systems, etc., should consider the 10K Students Challenge which explains buffer overflows, targetting different audiences: students without any background in computer science, computer scientists, and students enrolled in a security course. It comes with test questions, slides in different formats, and simple video presentations.
Some news on the GameOver Zeus takedown on KrebsOnSecurity and some more on
I have won a VICI grant to work on finding security holes in binary software.
We have finally (after more than a year of dilly dallying) pre-released Argos 0.7. As it is based on Qemu 1.1.0, it supports Windows 7.
We had two papers at WCRE this year: MemBrush (on detecting and classifying custom memory allocators in binaries) and MemPick (on detecting pointer structures like trees and lists in binaries). MemBrush won the best paper award!
Last year, we published a paper at RAID about memory errors (Memory Errors: The Past, the Present, and the Future). We are still tracking this. Have a look at Victor's Trends in Memory Errors.
Very proud of my (ex-)student Asia Slowinska who won the Roger Needham Award for best Ph.D. thesis in Systems in Europe. The prize of 2000 euro and a certificate was awarded last week at the banquet of Eurosys in Prague. After Willem de Bruijn and Jorrit Herder, this is the third time we have won this award!
Our paper on P2P botnet resilience was accepted by Security & Privacy (Oakland).
Anyone considering a masters in computer science with a focus on systems should check out our top masters pdcs. Also have a look at this somewhat older and (to me) amusing video made by Andy Tanenbaum.
One of the VUBar teams participating in the Hack-in-the-Box CTF came on Dutch TV
Our BinArmour paper was accepted for publication by USENIX.
Our paper "Prudent Practices for Designing Malare Experiments: Status Quo and outlook" was accepted for publication by Oakland (Security & Privacy).
The university made me full professor!
Do submit papers to EuroSys 2012.
We developed Minemu, an emulator for very fast taint tracking. The code is available for download and a corresponding paper was accepted for RAID.
DIMVA is over and IMHO it was quite a success. We had several co-located event (chief among which the very popular SysSec workshop and dCTF Capture-the-Flag competition). Some pictures of the social event.
Jorrit Herder just won the EuroSys Roger Needham Ph.D. Award for best Ph.D. thesis in Systems in Europe. See the full press release here. Safe to say, I am very proud! Especially since this is the second consecutive time that one of our (and one of my) students won the award. Last year, Willem de Bruijn won the award.
We finally released a new version of Argos---with shellcode tracking. After detecting an attack, Argos can keep executing the attackers' code to distinguish the code's actions and to separate shellcode from nop-sled, and unpacker(s).
With if(is) and U. Erlangen, we developed Sandnet, an environment to run and analyse malware.
Scholarships available!. System security researchers (including students) interested in short term research visits to top research centers in the field should consider applying for a SysSec scholarship.
The Streamline paper -- submitted years ago -- was formally accepted for publication in ACM Transactions on Computer Systems (TOCS). It should appear in May.
An article in the Intermediair on Stuxnet (Dutch and not technical).
Radio interview: Hoe?Zo! Radio on Wikileaks (Dutch and not technical).
Our paper on dynamic data excavation was accepted by NDSS'2011.
Our paper on Paranoid Android was accepted by ACSAC'2010.
Very happy: I was awarded an ERC Grant for a project on reverse engineering. :-)
With students from various other universities, six of my students did battle in the Capture The Flag competition at the Hack-In-The-Box conference in Amsterdam this week. When the dust settled, they ranked 1, 2, 3, 4, 5, and 6! Overall winner was Jozef Svec. Here is a picture of the competition and here is a picture of the celebratory beers.
Our Streamline paper -- which we submitted two years ago -- was accepted with minor revisions ACM Transactions on Computer Systems (TOCS). Currently working on the revisions!
In the Paranoid Android project, we detect attacks on smart phones by running security checks on a remote server in the cloud (see also last year's announcement). Update on this project: we now have multiple methods for detecting attacks running on our servers (such as standard antivirus scanners and taint analysis). Moreover, we are finishing a kernel implementation that is expected to improve performance. We have registered an updated TR (the original report from Sept 2009 is still available here).
I am proud of all my students, but these days I am extremely proud of Willem de Bruijn, who was awarded the ACM SIGOPS EuroSys Roger Needham PhD Award for best PhD in Europe. The topic of his PhD thesis is, of course, Streamline.
Our new version of Argos is capable of analysing exploits by executing and analyzing unpackers and shellcode.
Note: EUROSEC 2010, the European Systems Security venue is approaching.
We released Streamline version bug fix release, mainly for PipesFS.
I have started writing a more complete version of the tutorial on kernel writing. So far I only have a chapter on building and booting the most basic kernel, but if I find time, I will try to make it more interesting in the future.
New version of shelia: bug fixes mostly.
Smartphones are vulnerable and hard to protect. In the Paranoid Android project, we show how we can offload all security checks to a server running a replica in the Cloud. We now have this working and we made available a technical report on our implementation.
We now released Streamline bug fixes, performance improvements, support for newer kernels.
We released Streamline 1.7.4 which adds PipesFS: a Linux virtual filesystem for I/O. PipesFS presents kernel I/O operations as directories and exports live streams through Unix pipes. The FS allows users to quickly construct kernel tasks using the 40+ Streamline operations using mkdir, ln, etc. and to interact with kernel I/O using cat, grep, gzip, etc.
We released Argos v0.4.1. It fixes an annoying bug that has been bothering us for a while now and causes false positives.
Anyone interested in writing their own kernels: here is a tutorial on how to write a simple kernel and get it to boot in Qemu. It is a shameless rip-off of Brandon F.'s tutorial, but for ELF format rather than a.out, and with info about making a bootable Grub image.
The ACM SIGOPS EUROSEC European Workshop on System Security was held in Glasgow.
We have released Argos version 0.4.0 which is based upon QEMU v0.9.1. QEMO 0.9.x boasts many new features over the older 0.8.x versions. Besides benefitting from these, Argos itself also has a few new features. Argos 0.4.0 was also released as a debian package.
A debian package of the latest Argos release is now available. You can get it here.
We released Streamline version 1.7.3. It is more robust and stress-tested in real application benchmarks (e.g., bind and mplayer). New: UDP sockets API, network driver interface and Intel pro/1000 driver, mulktithreading, x86_64 support.
EUROSEC, the ACM SIGOPS Workshop for System Security is now open for submissions.
The paper on Eudaemon was accepted for publication at ACM SIGOPS Eurosys 2008.
For students interested in buffer overflows, I wrote a technical tutorial that explains a two-phase buffer-overflow attack that works in the presence of address space randomization: a two-phase buffer overflow .
A paper on the buffering system in Streamline ("Beltway buffers: avoiding the OS traffic jam")was accepted for INFOCOM'08. See also the Streamline website.
A paper on the implementation of Ruler on Intel IXP2xxx network processors ("Ruler: easy packet matching and rewriting on network processors") was accepted for ANCS'07. See also the Ruler website.
We released Rulerproxy: an efficient, userspace application for Linux that allows one to apply Ruler filters at application level (e.g., after TCP reassembly).
Niels Provos and Thorsten Holz have written a book about Honeypots Virtual Honeypots: From Botnet Tracking to Intrusion Detection which writes in some detail about Argos. There is also a Safari online version.
We released Streamline version 1.7.2. An important new feature is a virtual filesystem (like sysfs) interface to streamline. With this netmonfs you can inspect live datastreams as if you're reading local files. Setting up streams and filters is easily accomplished through mkdir, open and other well-known core utilities. In addition, it should be more stabile.
No code available yet, but we managed to speed up the Argos Honeypot by making it switch between Xen and Argos when needed (by using the techniques described in Ho et al.'s paper in Eurosys 2006).
We released Streamline version 1.7.0. Many fixes and changes!
Shelia, a new client-side honeypot for windows is now available.
We recently released Streamline version 1.6.3. Many fixes and changes!
The technical report about the Beltway Buffers in Streamline is now online.
The technical report about the Ruler language for network pattern matching and rewriting is now online. See also the Ruler website.
The new release of Argos (version 0.2.3) is now out. itcorrects a bug in previous versions that would cause a crash in instances compiled with the --enable-net-tracker option.
Check out the new release (version 0.3) of the Ruler language for traffic pattern matching and rewriting.
No date
Check out our new 'top-masters program'
No date
Current students should check out the courses and projects section and the Open MSc projects page.
June 2006
Version 0.1.4 of Argos has been released (also: the mailing list is finally working!)
June 2006
Version 1.6.2 of Streamline / FFPF has been released
November 2005
Here is a layman's introduction to computer worms (in Dutch, contains mini-tutorial on buffer overflow exploits).

(Some of my) Current projects

→ Dowser is an NWO VICI project to detect vulnerabilities using reverse engineering.
→ Re-Cover is an NWO project to probe the strength of modern data obfuscation.
→ OpenSesame is an NWO project on finding backdoors in embedded devices.
We have released the Argos intrusion detection system - it is based on an instrumented x86 emulator that uses taint analysis to detect attacks.
Besides the above projects, I am involved in various other projects to do with network monitoring. Most notable among these is known as FFPF/Streamline.


Course info:

January 2010:

$Id: index.html,v 1.199 2013/05/16 13:07:20 herbertb Exp $