Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities
Emre Güler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp Görz, Xinyi Xu, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf]
[code]
Moritz Schloegel
Profile
I'm a security researcher and last year PhD student in Thorsten Holz' group at CISPA Helmholtz Center for Information Security. Before switching to CISPA in early 2023, I was located at Ruhr University Bochum.
My research interests focus on automating the pipeline of finding bugs in programs, understanding them, and exploiting them. Currently, I spend most of my time on improving fuzzing, such that we can find more bugs in less time.
Beyond working with bugs, I have a strong interest in (de-)obfuscation, especially focusing on automated deobfuscation attacks and how to break them.
I like sharing our research and have spoken at various conferences, for example at REcon'22 Montreal together with Tim Blazytko about the future of VM-based obfuscation.
Besides my research, I have helped shaping and teaching courses on Systems Security and Operating Systems Security at Ruhr University Bochum, where I also obtained my B.Sc. and M.Sc. in Computer Security from.
For questions, discussion or collaboration, feel free to reach out via Twitter or email.
Publications
2024
2023
Instructions Unclear: Undefined Behavior in Cellular Network Specifications
Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rupprecht, and Veelasha Moonsamy
USENIX Security Symposium (USENIX)
[pdf] [website] [data]
Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rupprecht, and Veelasha Moonsamy
USENIX Security Symposium (USENIX)
[pdf] [website] [data]
Hoedur: Embedded Firmware Fuzzing using Multi-Stream Inputs
Tobias Scharnowski, Simon Wörner, Felix Buchmann, Nils Bars, Moritz Schloegel, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [code] [experiments]
Tobias Scharnowski, Simon Wörner, Felix Buchmann, Nils Bars, Moritz Schloegel, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [code] [experiments]
Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge
Nils Bars, Moritz Schloegel, Tobias Scharnowski, Nico Schiller, and Thorsten Holz
USENIX Security Symposium (USENIX)
Distinguished Paper Award
Internet Defense Prize Runner-up
[pdf] [website] [code]
Nils Bars, Moritz Schloegel, Tobias Scharnowski, Nico Schiller, and Thorsten Holz
USENIX Security Symposium (USENIX)
Distinguished Paper Award
Internet Defense Prize Runner-up
[pdf] [website] [code]
Novelty Not Found: Adaptive Fuzzer Restarts to Improve Input Space Coverage (Registered Report)
Nico Schiller, Xinyi Xu, Lukas Bernhard, Nils Bars, Moritz Schloegel, and Thorsten Holz
International Fuzzing Workshop (FUZZING)
[pdf] [website]
Nico Schiller, Xinyi Xu, Lukas Bernhard, Nils Bars, Moritz Schloegel, and Thorsten Holz
International Fuzzing Workshop (FUZZING)
[pdf] [website]
Space Odyssey: An Experimental Software Security Analysis of Satellites
Johannes Willbold, Moritz Schloegel, Manuel Vögele, Maximilian Gerhardt, Thorsten Holz, and Ali Abbasi
IEEE Symposium on Security and Privacy (S&P)
Distinguished Paper Award
[pdf] [slides] [code]
Johannes Willbold, Moritz Schloegel, Manuel Vögele, Maximilian Gerhardt, Thorsten Holz, and Ali Abbasi
IEEE Symposium on Security and Privacy (S&P)
Distinguished Paper Award
[pdf] [slides] [code]
Drone Security and the Mysterious Case of DJI's DroneID
Nico Schiller, Merlin Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, and Thorsten Holz
Network and Distributed System Security Symposium (NDSS)
[pdf] [website] [code]
Nico Schiller, Merlin Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, and Thorsten Holz
Network and Distributed System Security Symposium (NDSS)
[pdf] [website] [code]
2022
Jit-Picking: Differential Fuzzing of JavaScript Engines
Lukas Bernhard, Tobias Scharnowski, Moritz Schloegel, Tim Blazytko, and Thorsten Holz
ACM Conference on Computer and Communications Security (CCS)
[pdf] [website] [code]
Lukas Bernhard, Tobias Scharnowski, Moritz Schloegel, Tim Blazytko, and Thorsten Holz
ACM Conference on Computer and Communications Security (CCS)
[pdf] [website] [code]
Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing
Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi
USENIX Security Symposium (USENIX)
Distinguished Artifact Award
[pdf] [website] [video] [code]
Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi
USENIX Security Symposium (USENIX)
Distinguished Artifact Award
[pdf] [website] [video] [code]
2021
Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains
Moritz Schloegel, Tim Blazytko, Julius Basler, Fabian Hemmer, and Thorsten Holz
European Symposium on Research in Computer Security (ESORICS)
[pdf] [website] [slides] [code]
Moritz Schloegel, Tim Blazytko, Julius Basler, Fabian Hemmer, and Thorsten Holz
European Symposium on Research in Computer Security (ESORICS)
[pdf] [website] [slides] [code]
2020
2019
2017
A Look at the Dark Side of Hardware Reverse Engineering -- A Case Study
Sebastian Wallat, Marc Fyrbiak, Moritz Schloegel, and Christof Paar
IEEE International Verification and Security Workshop (IVSW)
[pdf] [website]
Sebastian Wallat, Marc Fyrbiak, Moritz Schloegel, and Christof Paar
IEEE International Verification and Security Workshop (IVSW)
[pdf] [website]
Public Talks
2023
2022
Loki: Hardening Code Obfuscation against Automated Attacks
USENIX Security Symposium (USENIX)
[website] [slides] [video]
USENIX Security Symposium (USENIX)
[website] [slides] [video]
2019
Grimoire: Synthesizing Structure while Fuzzing
USENIX Security Symposium (USENIX)
[website] [slides] [video]
USENIX Security Symposium (USENIX)
[website] [slides] [video]