USENIX Security '26 Cycle 1 Accepted Papers

Firmware vulnerabilities in IoT devices pose serious security threats, yet state-of-the-art taint analysis tools often generate large numbers of reports with limited validation. We present Bond, a directed fuzzing framework that bridges static taint analysis and dynamic vulnerability validation. Bond introduces constraint-guided input mutation by integrating three categories of constraints with six semantic types, enabling efficient exploration of paths associated with taint reports. We evaluate Bond on 19 IoT devices from 8 vendors, covering 2,776 taint reports produced by four state-of-the-art taint analyzers. Bond successfully validated 1,349 reports as real vulnerabilities, including 155 previously unknown vulnerabilities, of which 108 have been assigned CVE/PSV identifiers. On 60 known vulnerabilities, Bond achieved a 91.67% recall rate. Compared with four leading IoT fuzzers, Bond improves vulnerability validation by up to 5.5X. Ablation studies further demonstrate the effectiveness of Bond's key components and constraint extraction. These results establish Bond as a practical and effective framework for validating firmware taint analysis results.

Cyberattacks are a critical patient safety issue, yet security controls often fail to account for the uniqueness of the clinical environment. This paper addresses the gap in understanding clinicians' security perspectives through a mixed-methods study, with 12 interviews of US clinicians, followed by a 303-participant survey of clinicians across the US, UK, and Canada. Our findings reveal a significant misalignment between perceived threats and deployed controls. Clinicians perceive confidentiality failures (e.g., data breaches) as most likely. They view integrity failures (e.g., manipulated values) as catastrophic but trust their own expertise to ignore anomalous data. Finally, they manage likely and dangerous availability failures with analog workarounds like paper charting, introducing new risks. These results show the need to integrate clinicians into security, highlighting where existing approaches are lacking and providing recommendations for developing more effective, clinician-centered security.

Metric Differential Privacy (mDP) generalizes Local Differential Privacy (LDP) by adapting privacy guarantees based on pairwise distances, enabling context-aware protection and improved utility. While existing optimization-based methods reduce utility loss effectively in coarse-grained domains, optimizing mDP in fine-grained or continuous settings remains challenging due to the computational cost of constructing dense perturbation matrices and satisfying pointwise constraints.

In this paper, we propose an interpolation-based framework for optimizing ℓ_p-norm mDP in such domains. Our approach optimizes perturbation distributions at a sparse set of anchor points and interpolates distributions at non-anchor locations via log-convex combinations, which provably preserve mDP. To address privacy violations caused by naive interpolation in high-dimensional spaces, we decompose the interpolation process into a sequence of one-dimensional steps and derive a corrected formulation that enforces ℓ_p-norm mDP by design. We further explore joint optimization over perturbation distributions and privacy budget allocation across dimensions. Experiments on real-world location datasets demonstrate that our method offers rigorous privacy guarantees and competitive utility in fine-grained domains, outperforming baseline mechanisms.

Large Language Models (LLMs) exhibit impressive performance but remain vulnerable to jailbreak attacks, where adversarial prompts are crafted to bypass safety alignments and elicit unexpected responses. Despite their prevalence, the underlying mechanisms that enable jailbreaks are still not well understood. Recent studies primarily focus on static representation shifts or on identifying components associated with generation safety. However, these studies neither explore diverse jailbreak patterns nor provide a fine-grained explanation from the failure of circuit to representation changes, leaving significant gaps in uncovering jailbreak mechanism. In this paper, we propose JailbreakScope, an interpretation framework that analyzes jailbreak mechanisms from both representation (how jailbreaks distort LLM's harmfulness perception) and circuit (how jailbreaks impact circuits that are important for generation safety) perspectives, tracking their evolution throughout the entire generation process. We conduct in-depth evaluations on 5 mainstream LLMs under 7 jailbreak strategies. Our evaluation reveals a general pattern that jailbreaks amplify components that reinforce affirmative responses while suppressing those producing refusal, which shifts representations towards safe regions, leading LLMs to provide responses instead of refusals. Moreover, we find a strong and consistent correlation between representation deception and circuit activation shift across diverse jailbreaks and multiple LLMs.

The meteoric rise of Large Language Models (LLMs) has sparked an urgent need for privacy-preserving inference. However, existing maliciously secure multi-party computation (MPC) frameworks face a "performance collapse" when scaling to large models, primarily due to the quadratic (O(n²)) communication overhead of nonlinear operators and expensive share conversions. This paper presents SMASH, a highly scalable, maliciously secure hybrid MPC framework that shatters these bottlenecks. SMASH introduces a novel DFT-based rotation technique and a lightweight zero-knowledge proof of knowledge (ZKPoK) construction to evaluate nonlinear operations. For the first time, this approach achieves linear communication complexity (O(n)) relative to the party count, independent of function complexity. Furthermore, SMASH provides a suite of high-efficiency conversion protocols (A2L/L2A and SM-LUT-based A2B/B2A) that bridge arithmetic and Boolean domains without relying on costly cryptographic primitives. Extensive benchmarks demonstrate that SMASH outperforms state-of-the-art frameworks (e.g., MP-SPDZ, MD-ML) by up to 18.9× in runtime and achieves a communication reduction of up to 10³×. With its constant-round online phase and low WAN sensitivity, SMASH paves the way for secure, geographically distributed LLM deployments, achieving an unprecedented balance between adversarial robustness and practical efficiency.

Text-to-image (T2I) models are increasingly embedded in creative workflows, where well-crafted prompts function as valuable forms of intellectual property (IP). However, these models are susceptible to prompt stealing attacks (PSAs), where adversaries aim to reconstruct the original prompts used to generate images. In this paper, 1) we identify key shortcomings in current evaluation practices and propose two improved metrics: Style Similarity (SS) and a novel Prompt Significance (PS) score, which together provide a more faithful assessment of PSA effectiveness. Rather than existing metrics that rely solely on semantic similarity between original and stolen information across text or image modalities, the new metrics PS and SS assess attack effectiveness with a more practical focus by explicitly accounting for the importance of modifiers and the style replication of images generated from stolen prompts. 2) Through extensive evaluation using these metrics, we find that existing PSA methods, ranging from soft prompt stealing in white-box settings to hard prompt stealing in black-box settings, are not as effective as reported, especially in recovering high-contribution prompt components. We attribute this to fundamental constrains: white-box methods suffer from mismatched optimization objectives that poorly align with token-level visual semantics, while black-box approaches experience severe information loss due to their decoupling from the target T2I model's generation process. 3) We further introduce PromptThief, a black-box PSA framework that addresses the information loss in prior methods by leveraging reinforcement learning with STS and SS to guide high token-level contribution recovery. PromptThief significantly outperforms existing baselines across multiple metrics and real-world scenarios. 4) We propose and evaluate two defense mechanisms: an adversarial-example-based active approach and a passive scheme through feature-level prompt watermarking. Our evaluation reveals that the active defense offers only limited robustness against adaptive PSAs, highlighting the need for further exploration in this direction. In contrast, the passive watermarking scheme demonstrates strong and consistent detection performance, even under various image transformations, offering a practical and reliable path forward for prompt IP protection.

Large Language Models (LLMs) can generate fluent and persuasive text, making them valuable tools for communication. However, this capability also renders them attractive for malicious purposes. While several studies have shown that LLMs can support generic phishing, their potential for personalized attacks at scale has not been explored and quantified yet. In this study, we thus evaluate the effectiveness of LLM-based spear phishing in an experiment with 7700 participants. Using the target email addresses as queries, we collect personal information through web searches and automatically generate emails tailored to each participant. Our findings reveal a concerning situation: LLM-based spear phishing almost triples the click rate compared to generic phishing strategies. This effect is consistent, regardless of whether the generic emails are written by humans or generated by LLMs as well. Moreover, the cost of personalization is minimal, with approximately $0.03 per email. Given that phishing is still a major attack vector against IT infrastructures, we conclude that there is a pressing need to strengthen existing defenses, for example, by limiting publicly available information linkable to email addresses and incorporating personalized phishing into awareness trainings.

Many protocols, like HTTP, FTP, POP3, and SMTP, were originally designed as synchronous plaintext protocols – commands and data are sent in the clear, and the client waits for the response to a pending request before sending the next one. Later, two main solutions were introduced to retrofit these protocols with TLS protection. (1) Implicit TLS: Designate a new, well-known TCP port for each protocol-over-TLS, and start with TLS immediately. (2) Opportunistic TLS: Keep the original well-known port and start with the plaintext protocol, then switch to TLS in response to a command like STARTTLS.

In this work, we present a novel weakness in the way TLS is integrated into popular application layer protocols through implicit and opportunistic TLS. This weakness breaks authentication, even in modern TLS implementations if both implicit TLS and opportunistic TLS are supported at the same time. This authentication flaw can then be utilized to influence the exchanged messages after the TLS handshake from a pure MitM position.In contrast to previous attacks on opportunistic TLS, this attack class does not rely on bugs in the implementations and only requires one of the peers to support opportunistic TLS.

We analyze popular application layer protocols that support opportunistic TLS regarding their vulnerability to the attack. To demonstrate the practical impact of the attack, we analyze exploitation techniques for HTTP (RFC 2817) in detail, and show four different exploit directions. To estimate the impact of the attack on deployed servers, we conducted a series of IPv4-wide scans over multiple protocols and ports to check for support of opportunistic TLS. We found that support for opportunistic TLS is still widespread for many application protocols, with over 3 million servers supporting both, implicit and opportunistic TLS at the same time. In the case of HTTP, we found 20,121 servers that support opportunistic HTTP across 35 ports, with 2,268 of these servers also supporting HTTPS and 539 using the same domain names for implicit HTTPS, presenting an exploitable scenario.

Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches (as evidenced by a history of attacks).

We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane. Collectively, they have more than 60 million users and 23% market share. We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. The attacks range in severity, from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organisation. The majority of the attacks allow recovery of passwords. We have disclosed our findings to the vendors and remediation is underway.

Our attacks showcase the importance of considering the malicious server threat model for cloud-based password managers. Despite vendors' attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities. We discuss possible mitigations and also reflect more broadly on what can be learned from our analysis by developers of end-to-end encrypted systems.

Vector commitment (VC) schemes enable a prover to commit to a vector and later open any position with a short proof. However, existing VC schemes are designed for centralized settings, and cannot work in decentralized systems, where the input vector is distributed across multiple machines. Similarly, traditional VC schemes cannot leverage distributed parallel computation across multiple machines for acceleration.

To tackle this issue, we introduce a new notion—distributed VC (DVC), which allows multiple machines, each holding only a subvector of the input vector, to collectively commit to the entire vector and generate position proofs in a distributed manner. To the best of our knowledge, there is no prior work on DVCs and no existing work can trivially derive an efficient DVC scheme. The key challenge is that both commitments and proofs depend on the entire vector, while no single machine holds the complete vector in distributed settings.

We propose the first DVC scheme, HLE-DVC, which leverages M machines to process the distributed vector v of length N inparallel, with each machine holding a subvector of length N/M . HLE-DVC achieves compact proof size-O(logM) and allows each machine to generate all its position proofs in a single communication round,with communication cost O(logM) and computation cost O(NlogN/M). Moreover, HLE-DVC supports batch proving, proof aggregation, and efficient updates. W econduct the experiments and open-source the code. Using 256 machines to generate all proofs for a committed vector of length 230 takes 17,515 seconds. This achieves a 256× parallel speedup over HLE-DVC on a single machine, and is 142× faster than Hyperproofs (a famous single machine VC scheme). The communication cost per machine is 0.768 KB.

Multi-tenant direct-to-cell (D2C) Low Earth Orbit (LEO) satellite networks pose significant risks to users' location privacy by linking Mobile Network Operator (MNO)- managed identities with Satellite Network Operator (SNO)- visible locations. Existing privacy solutions are ill-suited to the resource-constrained hardware and orbital dynamics of these satellite environments. We present LPG (Location Privacy Game), the first protocol-layer solution offering user-configurable location privacy for D2C LEO. LPG achieves this via identity-location decoupling: SNOs provide connectivity without visibility of user identity, while MNOs manage service and billing without access to precise location information. LPG enables offline secure authentication and key agreement without revealing user identity to satellites, supports user-configurable location disclosure at chosen geographic granularity for essential service needs, and ensures fair billing between MNOs and SNOs through privacy-preserving settlement. Our implementation on a real-world in-orbit LEO satellite and commercial mobile phones demonstrates that LPG is practical and viable in resource-constrained, highly-dynamic LEO environments.

Technology-facilitated abuse (TFA) is a pervasive form of intimate partner violence (IPV) that leverages digital tools to control, surveil, or harm survivors. While tech clinics are one of the reliable sources of support for TFA survivors, they face limitations due to staffing constraints and logistical barriers. As a result, many survivors turn to online resources for assistance. With the growing accessibility and popularity of large language models (LLMs), and increasing interest from IPV organizations, survivors may begin to consult LLM-based chatbots before seeking help from tech clinics.

In this work, we present the first expert-led manual evaluation of four LLMs—two widely used general-purpose non-reasoning models and two domain-specific models designed for IPV contexts—focused on their effectiveness in responding to TFA-related questions. Using real-world questions collected from literature and online forums, we assess the quality of zero-shot single-turn LLM responses generated with a survivor safety-centered prompt on criteria tailored to the TFA domain. Additionally, we conducted a user study to evaluate the perceived actionability of these responses from the perspective of individuals who have experienced TFA.

Our findings, grounded in both expert assessment and user feedback, provide insights into the current capabilities and limitations of LLMs in the TFA context and may inform the design, development, and fine-tuning of future models for this domain. We conclude with concrete recommendations to improve LLM performance for survivor support.

The growing use of third-party hardware accelerators (e.g., FPGAs, ASICs) for deep neural networks (DNNs) introduces new security vulnerabilities. Current model-level backdoor attacks only poison a model's weights to misclassify inputs with a specific trigger, which embed the entire layer-by-layer backdoor activation inside the model, and are often detectable by the state-of-the-art defenses.

This paper introduces the HArdware-Model Logically Combined Attack (HAMLOCK), a far stealthier threat that distributes the attack logic across the hardware-software boundary. The software (model) is now only minimally altered by tuning the activations of few neurons to produce uniquely high activation values when a trigger is present. A malicious hardware Trojan detects those unique activations by monitoring the corresponding neurons' most significant bit or the 8-bit exponents and triggers another hardware Trojan to directly manipulate the final output logits for misclassification.

This decoupled design is highly stealthy, as the model itself contains no complete backdoor activation path as in conventional attacks and hence, appears fully benign. Empirically, across benchmarks like MNIST, CIFAR10, GTSRB, and ImageNet, HAMLOCK achieves a near-perfect attack success rate with a negligible clean accuracy drop. More importantly, HAMLOCK circumvents the state-of-the-art model-level defenses without any adaptive optimization. The hardware Trojan is also undetectable, incurring area and power overheads as low as 0.01%, which is easily masked by process and environmental noise. Our findings expose a critical vulnerability at the hardware-software interface, demanding new cross-layer defenses against this emerging threat.

Security updates are essential for protecting IoT devices, yet consumers often lack reliable information about how long devices will be supported. We conduct the first large-scale study of update duration disclosures in the European market, analysing 34,187 product pages across local retailers, EU Amazon sites, and Temu. Disclosure varies sharply: Dutch retailers, subject to regulatory oversight, list update durations for up to 92% of devices, while Amazon provides such information for fewer than 1% and Temu for none. For smart TVs, where EU rules mandate disclosure, coverage is higher but still inconsistent. Stated update durations vary between one and eight years, with smart TVs generally receiving the longest support. Comparing stated support durations across retailers, manufacturers, and the EU's central product database, we find widespread contradictions, with retailers often understating support relative to manufacturers. These inconsistencies limit the effectiveness of transparency mandates and risk misleading consumers. Our findings show that regulation can improve visibility, but only robust enforcement and standardized disclosure mechanisms ensure accurate and trustworthy information.

The Python Package Index (PyPI) has become a target for malicious actors, yet existing detection tools generate false positive rates of 15-30%, incorrectly flagging one-third of legitimate packages as malicious. This problem arises because current tools rely on simple syntactic rules rather than semantic understanding, failing to distinguish between identical API calls serving legitimate versus malicious purposes. To solve this challenge, we propose PyGuard, a knowledge-driven framework that converts detection failures into useful behavioral knowledge by extracting patterns from existing tools' false positives and negatives. Our method uses hierarchical pattern mining to identify behavioral sequences that separate malicious from benign code, employs Large Language Models to create semantic abstractions beyond syntactic variations, and combines this knowledge into a detection system that merges exact patterns matching with contextual reasoning. PyGuard achieves 99.50% accuracy with only 2 false positives versus 1,927-2,117 in existing tools, maintains 98.28% accuracy on obfuscated code, and identified 219 previously unknown malicious packages in real-world deployment. The behavioral patterns show cross-ecosystem applicability with 98.07% accuracy on NPM packages, demonstrating that semantic understanding enables knowledge transfer across programming languages.

Privacy-preserving blockchains and private messaging services that ensure receiver-privacy face a significant UX challenge: each client must scan every payload posted on the public bulletin board to avoid missing messages intended for them. Oblivious Message Retrieval (OMR) addresses this issue by securely outsourcing this expensive scanning process to a service provider using Homomorphic Encryption (HE).

In this work, we propose a new OMR scheme that substantially improves upon the previous state-of-the-art, PerfOMR (USENIX Security'24). Our implementation demonstrates reductions of 3.4x in runtime, 2.2x in digest size, and 1.5x in key size, in a scenario with 65536 payloads (each 612 bytes), of which up to 50 are pertinent. At the core of these improvements is a new homomorphic compression mechanism, where ciphertexts of length proportional to the number of total payloads are compressed into a digest whose length is proportional to the upper bound on the number of pertinent payloads. Unlike previous approaches, our scheme fully exploits the native homomorphic SIMD structure of the underlying HE scheme, significantly enhancing efficiency. In the setting described above, our compression scheme achieves 7.5x speedup compared to PerfOMR.

Open RAN (O-RAN) represents a fundamental shift in mobile network architecture, advancing interoperability and flexibility through open interfaces and software-driven components. While enabling programmability and innovation, this shift also makes the logical correctness of O-RAN components essential for the secure and reliable operation of the network. However, validating O-RAN's semantic correctness remains challenging due to system complexity, implementation diversity, and the absence of explicit correctness oracles. We present InvaRAN, a systematic testing framework for detecting logical flaws in O-RAN implementations using dynamically inferred program invariants as proxies for expected behavior. To reduce false positives and focus on semantically meaningful behaviors, InvaRAN classifies invariants into critical and non-critical categories based on their impact on program logic. Beyond traditional template-based invariant inference approaches that infer only limited semantic relations, InvaRAN captures inter-variable correlations across execution traces to discover more expressive semantic linkage. We evaluate InvaRAN on both platform components and xApps of two production-grade O-RAN controllers. InvaRAN uncovers nine previously unknown issues, including seven logical and two memory vulnerabilities, demonstrating the effectiveness of invariant-guided testing in exposing subtle, specification-silent bugs in O-RAN systems.

We conduct the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service behind Apple's AirTags. We identify several exploitable vulnerabilities and design flaws, disproving many of the platform's claimed security and privacy guarantees: Tile's servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile's devices, and Tile's anti-theft mode is easily subverted.

Despite its wide deployment—millions of users, devices, and purpose-built hardware tags—Tile provides no formal description of its protocol or threat model. Worse, Tile intentionally weakens its antistalking features to support an antitheft use-case, and relies on a novel "accountability" mechanism to punish those abusing the system to stalk victims.

We examine Tile's accountability mechanism, a unique feature of independent interest; no other provider attempts to guarantee accountability. While an ideal accountability mechanism may disincentivize abuse in crowd-sourced location tracking protocols, we show that Tile's implementation is subvertible and introduces new exploitable vulnerabilities. We conclude with a discussion on the need for new, formal definitions of accountability in this setting.

Stolen data acts as a catalyst for many cybercriminal activities, such as spam campaigns, spear phishing, and identity theft. Studying online communities that serve stolen data helps combat those criminal activities. While anonymous marketplaces and forums have traditionally been the primary venue for stolen data, the chat-based messaging application Telegram has emerged as a popular alternative. Given Telegram's increased accessibility to the general public, it remains unclear how stolen data communities adapt their operations to this platform, circumvent moderation efforts, and create resilient communities. In this work, we characterize: i) where stolen data communities appear within Telegram's ecosystem, ii) what types of stolen data they offer, iii) where they operate from, and iv) how they evade detection. This paper offers four main contributions. First, we provide one of the largest longitudinal datasets of Telegram stolen data channels. Over one year, we manually curate 1,521 channels and collect 14 million messages and 3.6 million shared files. We show that the stolen data communities are largely disjoint from other communities on Telegram. Second, we categorize the types of stolen data with the aim of understanding the potential cybercrime they enable. Third, while existing literature focuses on English-speaking communities, we find that many channels operate in non-English languages and source stolen data from non-English markets. Fourth, those communities deploy various techniques to evade regulation. Notably, "gateway channels" that provide links to other stolen data channels play a crucial role in increasing longevity and growth rate. We conclude by providing implications not only for academic researchers but also for Telegram and law enforcement agencies across different jurisdictions seeking to monitor and moderate those activities.

Sharding blockchains improve scalability significantly by partitioning the network into shards. Due to the substantial fraction of cross-shard transactions (CSTXs) related to multiple shards, cross-shard transaction processing (CSTP) is critical to the system security and performance. However, existing CSTP methods suffer from limited robustness caused by invalid CSTXs flooding by malicious nodes and impose high overhead, especially in asynchronous networks.

We present Logos, a robust sharding blockchain with fast CSTP and optimal cross-shard overhead. Logos adopts a novel robust broadcast-transmission-agreement pattern. Each input shard only invokes a new designed broadcast primitive to generate input availability states. After the states are delivered to involved shards by an innovative parallel single-tosingle transmission mechanism, valid CSTXs are committed via an agreement protocol while invalid ones are discarded. Logos is proven to achieve an optimal intra-shard overhead for valid CSTP and lower overhead for invalid CSTP. Besides, Logos achieves reliable transmission with optimal cross-shard overhead. Experiments conducted on 1000 AWS-EC2 nodes across 4 regions demonstrate that Logos realizes 50% latency compared to the baseline (Kronos, NDSS'25) and a peak throughput of 132.8 ktx/sec. Besides, the cross-shard network usage of Logos impressively remains only 1/210 of Kronos. Under malicious flooding attacks, Logos maintains 2.86× the throughput of Kronos, demonstrating strong robustness.

Collecting statistics from users of software and online services is crucial to improve service quality, yet obtaining such insights while preserving individual privacy remains a challenge. Function secret sharing (FSS) is a promising tool for this problem. However, FSS-based solutions still face several challenges for streaming analytics, where messages are continuously sent, and secure computation tasks are repeatedly performed over incoming messages. We introduce a new cryptographic primitive called streaming function secret sharing (SFSS), a new variant of FSS that is particularly suitable for secure computation over streaming messages. We formalize SFSS and propose concrete constructions, including SFSS for point functions, predicate functions, and feasibility results for generic functions. SFSS powers several promising applications in a simple and modular fashion, including conditional transciphering, policy-hiding aggregation, and attribute-hiding aggregation. In particular, our SFSS formalization and constructions identify security flaws and efficiency bottlenecks in existing solutions, and SFSS-powered solutions achieve the expected security goal with asymptotically and concretely better efficiency and/or enhanced functionality.

Fuzzy private set intersection (PSI) is a cryptographic protocol that enables two parties to compute the intersection of their sets under approximate matching, with variants including standard fuzzy PSI and fuzzy PSI with sender privacy (PSI-SP). Although recent advances have led to efficient fuzzy PSI protocols, most are designed for the balanced case where both sets are of similar size. In practice, however, many applications involve highly unbalanced sets (e.g., where the receiver's set is much larger than the sender's, or vice versa). This work focuses on unbalanced fuzzy PSI for the l_∞ metric. We observe that communication in existing protocols is dominated by the transmission of oblivious key-value stores (OKVS), especially when set sizes are imbalanced. This overhead can be reduced using batch private information retrieval (BatchPIR) if the OKVS is sparse. However, such optimization requires spatial hashing with specific properties, and few existing spatial hashing schemes satisfy these requirements.

In this work, we reformulate spatial hashing and propose two new schemes: one non-interactive and one interactive, each suited to different input set conditions. Based on these, we design two unbalanced fuzzy PSI protocols that combine sparse OKVS with BatchPIR to achieve sublinear communication in the size of the larger set. The first protocol is suitable for scenarios where the receiver holds a larger set, while the second is designed for cases where the sender possesses more items. Our protocols significantly outperform state-of-the-art in communication and runtime. For example, in a 100 Mbps network with parameters (N, M, d, σ) = (2²⁰, 2⁵, 2, 10), our protocol based on our non-interactive spatial hashing reduces communication from 16,128 MB (Baarsen and Pu, Eurocrypto'24) to 0.35 MB. Furthermore, our fuzzy PSI protocol, which utilizes our interactive spatial hashing approach, achieves at least 31× faster online runtime and 1762× lower communication than Gao et al. (Asiacrypt'25). For our fuzzy PSI protocol with sender privacy, we outperform Piske et al. (CCS'25) with at least 4× faster online runtime and 6× lower communication.

The Domain Name System (DNS) underpins virtually all Internet services, making the integrity of DNS resolution critical to security and availability. We present a comprehensive study of a novel class of DNS cache poisoning attacks against BIND9,the most widely deployed open-source DNS resolver. Our attack focuses on two keycapabilities that set it apart from most prior work: (1) reliably predicting both critical challenge parameters– the UDP source port and TXID– whereas most existing attacks target only one; and (2) performing this prediction entirely from the client side, without attacker-operated authoritative servers for attacker domains, which to our knowledge is a first. We achieve this by exploiting weaknesses in BIND's pseudo-random number generation, enabling highly reliable prediction even under realistic network conditions. In addition to the client-side-only techniques, we also develop server-side techniques which are needed in order to attack the older 9.18 branch of BIND 9. We evaluate our attacks and demonstrate practical success rates across multiple BIND 9 release branches and configurations. All vulnerabilities were responsibly disclosed to the Internet Systems Consortium (ISC) and the FreeBSD Project, leading to two patches and CVEs and acknowledgments.

Trusted Execution Environments (TEEs) have become a key technology for isolating sensitive enclave applications from untrusted operating systems. Extensive research on high-end platforms like Intel SGX and TDX, AMD SEV, and Arm TrustZone-A has exposed their limitations in terms of software-based side-channel analysis, amplified by specialized single-stepping attack frameworks that exploit privileged timer interrupts to execute enclaves one instruction at a time. Meanwhile, TEEs are increasingly deployed on resource-constrained IoT devices, with Arm TrustZone-M emerging as a leading solution, which, however, remains largely unexplored for high-resolution, software-based side channels.

This paper presents M-Step, an open and extensible single-stepping attack framework for TrustZone-M. While Cortex-M microcontrollers feature precise timers and deterministic behavior, achieving precise, instruction-level stepping remains challenging due to (i) the absence of virtual memory and page tables used in high-end frameworks; and (ii) Cortex-M's unique interrupt behavior, where certain multi-cycle instructions are abandoned or paused to reduce latency. To overcome these challenges, we extensively profile interrupt handling CPU behavior and develop a novel approach that uses previously dismissed interrupt-latency leakage to dynamically adjust the timer interrupts. We demonstrate M-Step's improved resolution and practicality by discovering previously unknown vulnerabilities in the latest Arm Mbed TLS library that enable single-trace, deterministic attacks recovering full RSA keys from a TrustZone enclave.

Despite improvements in account security, compromise remains widespread and damaging, especially when the attacker has close physical or social proximity to the victim (e.g., in terpersonal abuse settings). To help users identify unauthorized access, web services provide account security interfaces (ASIs): notifications and logs that provide information to help infer adversarial compromise. We present the largest measurement study of ASIs to date, evaluating 100 popular services.

Our study highlights an unsatisfying status quo: 29 services provided users with no way to distinguish account accesses. After categorizing ASIs using a new typology, we show that services were inconsistent in the types they deployed. Further, ASIs were often incomplete and confusing, even for expert researchers. Finally, of 61 services that offered an ASI to convey device or location descriptions, 41 (67.2%) were vulnerable to spoofing attacks that successfully obfuscate the source of the access. Based on these findings, we present six principles for improving future ASI deployments.

The introduction of smart accounts by EIP-7702 represents a major advancement for blockchain account abstraction, enabling externally owned accounts (EOAs) to be upgraded into programmable accounts while still preserving their original addresses. This advancement significantly enhances both account functionality and usability, but also redefines blockchain trust boundaries between EOAs and smart contract accounts (CAs), thereby altering security assumptions and creating opportunities for novel types of attack.

To systematically examine these risks, we classify smart account-based risks into three categories according to the type of victim accounts: EOA-targeted, CA-targeted, and composite attacks. We then develop specialized detection tools that combine large-scale transaction analysis with cross-contract static analysis to identify malicious behaviors. Applying these tools across seven blockchains that support EIP-7702, we detect 924 malicious contract accounts, including several previously unreported zero-day cases. These attacks have led to more than 2.3 million in losses and exposed over 10 million to potential compromise. We uncover multiple key insights into attacker behaviors. Specifically, we find that over 63% of EIP-7702 authorization transactions are associated with malicious EOA-targeted attacks, and nearly half of the most frequently authorized contracts are controlled by attackers. In addition, we identify existing evasion tactics that attackers use to circumvent detection, attack impacts observed in real-world incidents, and potential risks that may emerge in future deployments, underscoring the urgency of addressing smart account security in blockchain ecosystems.

SNARKs are powerful cryptographic primitives that allow a prover to produce a succinct proof of a computation. Two key goals of SNARK research are to minimize the size of the proof and to minimize the time required to generate it. In this work, we present new SNARK constructions that push the frontier on both of these goals.

Our first construction, Pari, is a SNARK that achieves the smallest proof size amongst all known SNARKs. Specifically, Pari achieves a proof size of just two group elements and two field elements, which, when instantiated with the BLS12-381 curve, totals just 160 bytes. This is smaller than the sizes for Groth16 [Groth, EUROCRYPT '16] and Polymath [Lipmaa, CRYPTO '24]. Pari also achieves the lowest known gas cost for on-chain SNARK verification, reducing the gas cost by 6% compared to Groth16 and 17% compared to FFLONK.

Our second construction, Garuda, is a SNARK that reduces proof generation time by supporting, for the first time, arbitrary "custom" gates and free linear gates (in terms of cryptographic costs). These benefits enable significant prover-time savings compared to state-of-the-art SNARKs.

Both constructions rely on a new cryptographic primitive: "equifficient" polynomial commitment (EPC) schemes that enforce that committed polynomials have the same representation in particular bases. We provide both rigorous security definitions for this primitive as well as efficient constructions for univariate and multilinear polynomials.

Our constructions are obtained via a new compiler that obtains a succinct argument by combining polynomial IOPs with our EPC schemes.

Threshold signature schemes allow a group of users to jointly generate a digital signature, providing resilience against faults and enhancing decentralization. With the advent of post-quantum cryptography, lattice-based threshold signatures have gained attention as viable alternatives. Nevertheless, existing constructions frequently encounter challenges related to scalability, robustness, or compatibility with standardized schemes, particularly with the NIST-selected and standardised Module-Lattice-based Digital Signature Algorithm (ML-DSA) algorithm.

In this work, we present the first threshold signature scheme that is fully compatible with ML-DSA, supporting secure and efficient signing among up to six parties. Our construction leverages advanced short secret sharing techniques and integrates optimized rejection sampling to achieve a favourable balance between communication efficiency and correctness in distributed environments. We implement our construction in Go and evaluate its performance across local, LAN, and WAN network settings. Our benchmarks demonstrate that our threshold ML-DSA scheme is not only practically deployable but also well-suited for real-world applications, including multi-device cryptocurrency wallets, threshold-based TLS authentication, and for Tor's directory authorities.

Large Vision-Language Models (LVLMs) have achieved remarkable success in multimodal tasks by aligning the representation space of visual encoders to that of the LLMs. However, they remain vulnerable to transferable adversarial attacks, which can manipulate the LVLMs' output without accessing the model. Ensuring their reliable deployment thus requires a rigorous evaluation of black-box robustness. Current methods provide a limited assessment by perturbing only the visual encoder of LVLMs and often neglect untargeted attack scenarios. In this work, we propose the Modality Alignment Breaking Attack (MABA), a novel transferable, untargeted adversarial attack for evaluating the black-box robustness of LVLMs. MABA emphasizes disrupting the entire multimodal pipeline, targeting two key phases: visual encoding and modality alignment. First, MABA reveals that the core of transferable adversarial attacks lies in suppressing discriminative visual representations and explicitly uses this as an optimization objective to improve transferability across different LVLMs. Second, MABA introduces a mutual-information-aware projector that acts as a surrogate modality alignment module of LVLMs, effectively breaking cross-modal consistency and enhancing the transferability. Extensive evaluations demonstrate that MABA achieves state-of-the-art performance, leading to an average 58.37% drop in semantic metrics for the image caption task. Through ablation studies on diverse LVLM families, we derive valuable insights into strengthening the robustness of LVLMs.

In dynamic environments, unmanned aerial vehicles (UAVs) often utilize online learning to refine their machine learning (ML) model's decision boundaries for improved performance. Unfortunately, when the UAV becomes irrecoverable or unavailable (e.g., a crash), a forensic investigator would be left helpless to determine if the UAV's online learning caused the crash. This paper proposes a novel forensic technique, called FIRA, that can establish causal connections from ML models to UAV system components. FIRA sends back in-flight online learning updates and telemetry data (even when bandwidth is limited) and determines whether the crash can be attributed to the online learning model. We applied FIRA to 48 UAV crash scenarios using two widely adopted UAV control programs: PX4 and ArduPilot. Across four types of UAV missions, FIRA investigated 12 accidents (each) in which a backdoored online learning model was the cause of the crash, and FIRA was able to correctly attribute the model to the crash with 95.8% accuracy.

Romance-baiting scams have become a major source of financial and emotional harm worldwide. These operations are run by organized crime syndicates that traffic thousands of people into forced labor, requiring them to build emotional intimacy with victims over weeks of text conversations before pressuring them into fraudulent cryptocurrency investments. Because the scams are inherently text-based, they raise urgent questions about the role of Large Language Models (LLMs) in both current and future automation.

We investigate this intersection by interviewing 145 insiders and 5 scam victims, performing a blinded long-term conversation study comparing LLM scam agents to human operators, and executing an evaluation of commercial safety filters. Our findings show that LLMs are already widely deployed within scam organizations, with 87% of scam labor consisting of systematized conversational tasks readily susceptible to automation. In a week-long study, an LLM agent not only elicited greater trust from study participants (p=0.007) but also achieved higher compliance with requests than human operators (46% vs. 18% for humans). Meanwhile, popular safety filters detected 0.0% of romance baiting dialogues. Together, these results suggest that romance-baiting scams may be amenable to full-scale LLM automation, while existing defenses remain inadequate to prevent their expansion.

Modern network behaviors span multiple flows and evolve over time, making temporal and co-occurrence contexts across flows essential for reliable traffic analysis. This need is especially critical in the security domain, where attacks progress through reconnaissance, delivery, command and control, and lateral movement over extended intervals and across multiple flows. Existing packet-level or single-flow approaches fragment this context and limit performance on trace-level classification, detection, and attribution. We introduce the trace as the analysis unit and present Tracegram, which formulates trace-level analysis as Multiple Instance Learning. Tracegram combines per-flow encoders with a temporally aware aggregation module to reason across flows, preserve long-range dependencies, and produce key-flow attribution signals that support analyst verification and forensics. Our validation spans theory and practice. We theoretically justify the MIL-based decomposition for trace-level traffic analysis and conduct extensive experiments on four public datasets across multiple tasks, showing better or comparable performance to state-of-the-art methods. Finally, case studies on APT traces from the DAPT dataset show that Tracegram highlights flows aligned with attack phases, enabling targeted investigation.

Private Set Intersection (PSI) enables two parties to compute the intersection of their private sets without revealing any additional information. While maliciously secure PSI protocols prevent many attacks, adversaries can still exploit them by using inconsistent inputs across multiple sessions. This limitation stems from the definition of malicious security in secure multiparty computation, but is particularly problematic in PSI because: (1) real-world applications—such as Apple's PSI protocol for CSAM detection and private contact discovery in messaging apps—often require multiple PSI executions over consistent inputs, and (2) the PSI functionality makes it relatively easy for adversaries to infer additional information.

We propose Private Intersection over Committed Sets (PICS), a new framework that enforces input consistency across multiple sessions via committed sets. Building on the state-of-the-art maliciously secure PSI framework (i.e., VOLE-PSI [EUROCRYPT 2021]), we present an efficient instantiation of PICS using lightweight cryptographic tools. Our protocol achieves strong receiver-side input consistency (i.e., the receiver uses the exact committed set) and weak sender-side input consistency (i.e., the sender cannot inject new elements into the committed set but can potentially use a subset of the committed set). We implement our protocol to demonstrate concrete efficiency. Compared to VOLE-PSI, our communication overhead is a small constant between 1.57 - 2.04× for set sizes between 2¹⁶-2²⁴, and the total end-to-end running time overhead is 1.22 - 1.98× across various network settings.

Off-path exploits targeting the fundamental TCP/IP protocol suite pose significant threats to the security of the Internet infrastructure. In particular, weak verifications of received payloads—arising from the lack of reliable information to validate or implementation flaws within the suite—lead to vulnerabilities that attackers can exploit to manipulate traffic, induce data loss, and disrupt services on victim servers. In this paper, we present the first systematic study of these vulnerabilities and introduce WAVED, a framework for identifying off-path exploitable weak verifications within the TCP/IP protocol suite implementation. At the core of WAVED, we develop a flow-, context-, and field-sensitive pointer analysis tailored to the TCP/IP kernel, and construct a Taint Propagation Graph (TPG) to model and trace data flow within the stack. By modeling byte-granularity taint propagation across diverse arithmetic operations, our approach can accurately locate specific input bytes associated with each constraint. Furthermore, direction-sensitive taint information is computed to accurately capture and differentiate the strength of constraints imposed by alternative branch outcomes, thereby significantly outperforming traditional byte-insensitive and direction-insensitive analyses. We evaluate WAVED on IPv4 and IPv6 across Linux 5.15, Linux 6.8, and FreeBSD 14.1. It precisely uncovers weak verifications leading to semantic vulnerabilities in TCP/IP and reveals 14 previously unknown vulnerabilities. We have responsibly disclosed these vulnerabilities to the affected OS vendors and have received acknowledgments from the Linux community.

Diffusion models are a powerful class of generative models that produce images and other content from user prompts, but they are computationally intensive. To mitigate this cost, recent academic and industry work has adopted approximate caching, which reuses intermediate states from similar prompts in a cache. While efficient, this optimization introduces new security risks by breaking isolation among users. This paper provides a comprehensive assessment of the security vulnerabilities introduced by approximate caching. First, we demonstrate a remote covert channel established with the approximate cache, where a sender injects prompts with special keywords into the cache system and a receiver can recover that even after days, to exchange information. Second, we introduce a prompt stealing attack using the approximate cache, where an attacker can recover existing cached prompts from hits. Finally, we introduce a poisoning attack that embeds the attacker's logos into the previously stolen prompt, leading to unexpected logo rendering for the requests that hit the poisoned cache prompts. These attacks are all performed remotely through the serving system, demonstrating severe security vulnerabilities in approximate caching. The code for this work is available.

Large language model (LLM) watermarking provides verifiable source identification for generated text, and its practical deployment requires large watermark capacity, strong robustness against attacks, and high text quality. However, existing methods often struggle to balance all these criteria, typically addressing them with separate designs. To overcome this, we propose a distortion-minimization watermarking (DMW) framework that unifies capacity, robustness and quality within a single optimization paradigm. This framework models robustness and quality as distortion costs for text modifications, minimizing the total distortion for a given watermark length to achieve an optimal trade-off. Specifically, we design several distortion costs: a robustness cost leveraging semantic invariance to resist attacks, and two quality costs guiding modifications toward low-cohesion, high-variability regions to reduce perceptual impact. We then propose periodically optimized syndrome-trellis codes (PO-STCs), formulating overall distortion minimization as a periodic shortest-path problem. This enables real-time optimization for sequential generation with flexible capacity control. Extensive experiments across diverse datasets and LLMs demonstrate DMW's superiority, outperforming state-of-the-art methods across all criteria. Notably, under severe paraphrasing attacks, DMW achieves a match rate up to 46.35% higher than the best baseline, while maintaining superior text quality.

Air-gapped networks rely on physical isolation to prevent external connectivity. Prior electromagnetic (EM) covert channels have exploited emissions from video cables, memory buses, and CPUs, yet they rarely achieve high throughput, long range, and visual imperceptibility simultaneously, limiting practical utility in air-gapped settings. We show that imperceptible pixel modulation can deterministically induce controllable EM emissions on digital video cables, enabling control without system privileges or hardware modifications. Building on this insight, we present TrojPix, a covert channel that maintains on-screen imperceptibility while delivering high-speed, long-range communication over digital video cables. We realize a lightweight communication scheme that combines pixel-to-sample mapping with adaptive decoding, enabling sample-rate-level robust communication over extended ranges. We evaluate TrojPix across nine commercial-off-the-shelf (COTS) monitor manufacturers and fifteen COTS digital video cables under realistic conditions, demonstrating its effectiveness in two attack modes: fake screen-off and foreground embedding. TrojPix achieves a peak throughput of 8.1 Mbps and a maximum range of 208 m, revealing a practical and stealthy threat to the security of air-gapped networks.

This paper is currently under embargo. The final paper PDF and abstract will be available on the first day of the conference.

Homomorphic encryption (HE) offers strong privacy guarantees by enabling computation over encrypted data. However, the performance of tensor operations in HE is highly sensitive to how the plaintext data is packed into ciphertexts. Large tensor programs introduce numerous possible layout assignments, making it both challenging and tedious for users to manually write efficient HE programs.

In this paper, we present Rotom, a compilation framework that autovectorizes tensor programs into optimized HE programs. Rotom systematically explores a wide range of layout assignments, applies state-of-the-art optimizations, and automatically generates an equivalent, efficient HE program. At its core, Rotom utilizes a novel, lightweight ApplyRoll layout conversion operator to easily modify the underlying data layouts and unlock new avenues for performance gains. Our evaluation demonstrates Rotom scalably compiles all tensor workloads in under 5 minutes, reduces rotations in hand-tuned protocols by up to 3×, and achieves up to 80× performance improvement over prior autovectorization systems.

A major bottleneck in secure neural network inference using Fully Homomorphic Encryption (FHE) is the evaluation of non-linear activation functions like ReLU, which are inefficient to compute under FHE. State-of-the-art solutions approximate ReLU using high-degree polynomials, incurring significant computational overhead. We present RBOOT, an optimized framework that seamlessly integrates ReLU evaluation into CKKS bootstrapping, significantly reducing multiplication depth and boosting efficiency. Our key insight is that the EvalMod step in CKKS bootstrapping is composed of trigonometric functions, which are nonlinear themselves. Prior works treat bootstrapping and activation functions as independent routines, missing an opportunity to leverage such nonlinearity. By co-optimizing these components, we can exploit such nonlinearity to construct ReLU (and other non-linear functions) within the bootstrapping process itself, greatly reducing the computation overhead. Results on four widely used CNN models show that RBOOT achieves 2.77× faster end-to-end inference and 81% lower memory usage compared to previous polynomial approximation works, while maintaining comparable accuracy.

Security-sensitive APIs are critical components in modern Java applications, yet improper usage of these APIs frequently leads to severe vulnerabilities such as remote code execution. Existing methods for generating API security rules are limited as they rely on incomplete documentation or infer patterns from source code based on discovered inconsistencies.

We introduce VulGenie, a patch-driven framework that extracts precise API security rules from confirmed security patches to then detect API misuse vulnerabilities. VulGenie addresses three key challenges. First, it isolates violated constraints and defenses-related changes from noisy patches using our novel modification behavior dependency patch graph datastructure. Second, it identifies protected security-sensitive APIs and synthesizes rules through attack-defense cross-validation. Third, it scales analysis with adaptive, deviation-guided static analysis to balance precision and performance. Evaluated on 150 recent Java security patches, VulGenie extracts 198 API security rules with 81.82% precision, uncovering 177 rules absent in CodeQL. On ten popular Java applications, VulGenie detects 46 0-day vulnerabilities, substantially outperforming state-of-the-art works. Through our responsible vulnerability disclosure, 25 vulnerabilities have already been fixed with ten CVE identifiers assigned.

Confidential Virtual Machines (CVMs), such as AMD SEV-SNP, aim to protect guest operating systems from an untrusted host by encrypting state and constraining privileged control. These platforms promise isolation even in multi-tenant cloud setups where simultaneous multithreading (SMT) remains enabled. While prior attacks focus on the memory hierarchy or execution units, they largely ignore frontend configurations.

In this paper, we present StackWarp, a software-based architectural attack exploiting the stack engine on AMD Zen CPUs to modify the stack pointer within an SEV-SNP guest, fully breaking integrity. StackWarp relies on an undocumented bit within a shared model-specific register (MSR) available on AMD Zen 1–5 CPUs that enables or disables the stack engine. Our reverse engineering shows that the state of the stack engine is not correctly synchronized across the logical cores, allowing an attacker to deterministically adjust the stack pointer on the sibling logical core across Zen generations, including fully patched Zen 5. We discover StackWarp via a systematic exploration of the MSR space, including undocumented MSRs. By flipping MSR bits, we discover bits that affect SEV-SNP guests running on a sibling logical core. To demonstrate the security impact, we show StackWarp in four end-to-end attacks on SEV-SNP guests: RSA-CRT private-key recovery, OpenSSH password-authentication bypass, and privilege escalations using either sudo or a kernel-mode ROP chain. We conclude with software hardening guidance and argue for a microcode or hardware change that prevents cross-core control of the stack engine when CVMs are active. Our results show that leaving SMT enabled undermines SEV-SNP integrity guarantees today.

Pickle deserialization vulnerabilities have persisted throughout Python's history, remaining widely recognized yet unresolved. Due to its ability to transparently save and restore complex objects, many AI/ML frameworks continue to adopt pickle as the model serialization protocol despite its inherent risks. As the open-source model ecosystem grows, model-sharing platforms such as Hugging Face have attracted massive participation, significantly amplifying the real-world impact of pickle exploitation and opening new avenues for model supply chain poisoning. Although several state-of-the-art scanners have been developed to detect poisoned models, their incomplete understanding of the poisoning surface allows attackers to bypass them. In this work, we present the first systematic disclosure of the pickle-based model poisoning surface from both model loading and risky function perspectives. Our research demonstrates how pickle-based model poisoning can remain stealthy and highlights critical gaps in current scanning solutions. On the model loading surface, we identify 22 distinct pickle-based model loading paths across five foundational AI/ML frameworks, 19 of which are entirely missed by existing scanners. We further develop a bypass technique named Exception-Directed Programming (EDP) and discover 9 EDP instances, 7 of which can bypass all scanners. On the risky function surface, we discover 133 exploitable gadgets, achieving almost a 100% bypass rate. Even against the best-performing scanner, these gadgets maintain an 89% bypass rate. By systematically revealing the pickle-based model poisoning surface, we achieve practical and robust bypasses against real-world scanners. We responsibly disclose our findings to corresponding vendors, receiving acknowledgments and a $12,000 bug bounty.

Modern CPUs implement complex Instruction Set Architectures (ISAs), yet machine-readable semantics are often incomplete. Worse, many CPUs support undocumented instructions, i.e., bitstrings that execute on hardware but are absent from specifications, leading to potential security vulnerabilities.

In this paper, we present InstrSem, an ISA-agnostic, modular, fully automated approach to infer instruction semantics from execution behavior alone and provide semantics that are understandable by both, humans and machines. Starting from a raw encoding, InstrSem executes it under systematically varied architectural states and synthesizes compact mathematical functions that explain every changed state component. By mutating encoding bits and correlating induced behavioral changes with bit positions, InstrSem then generalizes from a single encoding to a full instruction, recovering register and immediate fields. In contrast to prior work focusing on a single ISA, InstrSem is generic. It requires only a lightweight ISA model and a per-architecture user-space runner and supports fixed- and variable-length encodings (RISC and CISC), memory accesses, and conditional behavior. We evaluate InstrSem on RV64I, AArch64, and LA64, and additionally showcase CISC applicability on a Logitech macro language and partial x86-64. InstrSem automatically recovers correct semantics for over 97.81 % of the RV64I base instruction set, and 136 instructions covering 1 009 055 744 instruction encodings within 77 h for the LA64 instruction set. InstrSem discovers undocumented vector instructions, inconsistencies between QEMU and Loongson hardware, and instructions that crash QEMU. InstrSem enables scalable recovery of instruction semantics, substantially automating reverse engineering across commodity and niche targets and strengthening the foundations for emulation, verification, and security analysis. With minimal requirements to support new architectures, its modular design, and human-readable output, InstrSem can aid future security analysis.

This paper is currently under embargo, but the paper abstract is available now. The final paper PDF will be available on the first day of the conference.

The Controller–Pilot Data Link Communications (CPDLC) system has become integral to modern air traffic management, particularly in high-density or oceanic airspace where voice communication is limited or unavailable. Designed to increase operational efficiency, CPDLC is an alternative to traditional VHF voice communication with standardized digital messages for altitude changes, heading adjustments, free-text messages, and frequency handovers. However, CPDLC does not implement encryption and relies primarily on protocol complexity and obscurity as a barrier to misuse.

In this work, we present a full-stack security analysis of CPDLC and showcase several vulnerabilities that allow hijacking ATC-Pilot link with rogue ground station attacks and large-scale denial of service attacks that are capable of disabling CPDLC services for all aircraft in radio range. As a proof-of-concept, we also introduce cpdlc-gs, a first SDR based full-stack CPDLC ground-station implementation capable of injecting uplink messages to issue fake CPDLC flight instructions and effective denial of service attacks.

Furthermore, to evaluate cpdlc-gs, together with air navigation service providers and avionics manufacturers, we develop a novel, fully-functional test environment with real, certifiable hardware from Universal Avionics. Through such a setup we conceptualize and validate several attacks and demonstrate that even isolated rogue stations can pose a substantial threat, especially when pilots are under high workload or in degraded communication scenarios. Overall, we argue that the heavy reliance and global adoption of CPDLC make it a high value target, and that the lagging aviation datalink security standard- ization process needs to be urgently addressed

Cloud-based FPGAs have become a billion-dollar industry, allowing users to deploy custom hardware designs with the scalability and flexibility of cloud infrastructure. Running user designs on hardware owned by the cloud service provider (CSP) introduces risks, including intentional hardware damage and Denial-of-Service (DoS) attacks against the host. To mitigate these risks, CSPs enforce security mechanisms that restrict user designs and prevent unauthorized behavior. We present a novel privilege escalation path on AMD FPGAs using (i) the Internal Configuration Access Port (ICAP) to circumvent provider defenses, (ii) incrementally escalate attacker capabilities to remote JTAG access, and (iii) investigate the resulting threat vectors.

Any typical cloud customer can maliciously acquire such ICAP access to reconfigure parts of the FPGA fabric without restrictions – re-enabling traditional cloud FPGA attacks. Through the ICAP, a user can ultimately gain remote control of the hardware's low-level JTAG interface, which enables access to the device's eFuses. This access, in turn, allows attackers to irreversibly program encryption settings, thereby disabling future reconfiguration and locking the CSPs out of their own devices. An attacker could leverage such escalated privileges for a ransomware attack in which cloud providers must pay a ransom for decryption keys to regain control of their devices – effectively introducing the first ransomware for FPGAs. Following the investigation of this novel privilege escalation path, we demonstrate its feasibility on Amazon's EC2 F1 and F2 instances and explore the impact of enabled attack vectors. We thereby expose the neglected threat of unsecured low-level hardware components in cloud environments.

The cybersecurity landscape faces an escalating challenge as proof-of-concept (PoC) exploits transition from demonstrations to weaponized attacks within minutes of disclosure. While research has documented temporal dynamics and malicious deployment, a critical gap remains in understanding the human factors underlying PoC creation. Through semi-structured interviews with 16 PoC developers across diverse regions, we apply Expectancy-Value Theory to reveal PoC development as a complex motivational ecosystem where technical confidence, value assessments, and risk calculations intersect within dual-use tensions. We demonstrate that PoC development spans a continuum from crash demonstrations to weaponized exploits, shaped by multifaceted calculus rather than binary ethics. We identify three theoretical extensions: dual-use moral reasoning enabling responsibility externalization, dynamic value assessment where vendor behavior reshapes disclosure decisions, and identity navigation between ethical research and technical mastery. Vendor responsiveness, community dynamics, and legal constraints significantly influence disclosure strategies. PoC developers adopt risk-mitigation approaches when navigating tensions between security improvement and potential misuse, challenging binary conceptualizations of "responsible" versus "irresponsible" disclosure.

Searchable Symmetric Encryption (SSE) schemes enable efficient keyword searches over encrypted documents at the cost of some leakage. An SSE scheme is said to be system-wide secure if it resists cryptanalysis by an adversary with access to leakage from retrieval of both encrypted indices and encrypted documents. The vast majority of state-of-the-art SSE schemes are, in fact, not system-wide secure (Gui et al., IEEE S&P 2023). Currently, the only efficient system-wide secure SSE scheme is SWiSSSE (Gui et al., PoPETS 2024). However, SWiSSSE requires a client state that is updated per query (which hinders adoption in various practical settings), and its leakage is hard to characterize precisely (thus making security analysis harder).

In this paper, we present DDR-SSE – a practically efficient, system-wide secure SSE scheme that only requires a static client state, and has a simple leakage profile. Technically, we introduce a novel encrypted document retrieval scheme that uses duplicated document storage and randomized document retrieval to suppress access pattern leakage without compromising on practical efficiency. A remarkable feature of our scheme is its conceptual simplicity (unlike SWiSSSE, which uses an extremely involved document retrieval mechanism).

We present a simulation-based security proof for DDR-SSE with respect to a rigorously formal system-wide leakage profile. Through extensive leakage cryptanalysis, we establish that DDR-SSE is resilient to query reconstruction attacks (even under "unrealistically" strong attack assumptions). Finally, we benchmark a prototype implementation of DDR-SSE and show that it scales smoothly to large databases of the size seen in real-world applications.

In video conferencing, human faces serve as the primary visual focal points, playing multifaceted roles that enhance visual communication and emotional connection. However, we argue that a human face is also a side channel, which can unwittingly leak on-screen information through online video feeds. To demonstrate this, we conduct feasibility studies, which reveal that, illuminated by both ambient light and light emitted from displays, the human face can reflect optical variations of different on-screen content. The paper then proposes FaceTell, a novel side-channel attack system that eavesdrops on fine-grained application activities from pervasive yet subtle facial reflections during video conferencing. We implement FaceTell in a real-world testbed with three different brands of laptops and four mainstream video conferencing platforms. FaceTell is then evaluated with 24 human subjects across 13 unique indoor environments. With more than 12 hours of video data, FaceTell achieves a high accuracy of 99.32% for eavesdropping on 28 popular applications and is resilient to many practical impact factors. Finally, potential countermeasures are proposed to mitigate this new attack.

We present the first comprehensive analysis of ARM MTE hardware performance on four different microarchitectures: ARM Big (A7x), Little (A5x), and Performance (Cortex-X) cores on the Google Pixel 8 and Pixel 9, and on Ampere Computing's AmpereOne CPU core. We also include preliminary analysis of MTE on Apple's M5 chip. We investigate performance in MTE's primary application—probabilistic memory safety—on both SPEC CPU benchmarks and in server workloads such as RocksDB, Nginx, PostgreSQL, and Memcached. While MTE often exhibits modest overheads, we also see performance slowdowns up to 6.64× on certain benchmarks. We identify the microarchitectural cause of these overheads and where they can be addressed in future processors. We then analyze MTE's performance for more specialized security applications such as memory tracing, time-of-check time-of-use prevention, sandboxing, and CFI. In some of these cases, MTE offers significant advantages today, while the benefits for other cases are negligible or will depend on future hardware. Finally, we explore where prior work characterizing MTE performance has either been incomplete or incorrect due to methodological or experimental errors.

Succinct non-interactive arguments of knowledge (SNARKs) enable a prover to produce a short and efficiently verifiable proof of the validity of an arbitrary NP statement. Recent constructions of efficient SNARKs have led to interest in using them for a wide range of applications, but unfortunately, deployment of SNARKs in these applications faces a key bottleneck: SNARK provers require a prohibitive amount of time and memory to generate proofs for even moderately large statements. While there has been progress in reducing prover time, prover memory remains an issue.

In this work, we describe Scribe, a new low-memory SNARK that can efficiently prove large statements even on cheap consumer devices such as smartphones by leveraging a plentiful, but heretofore unutilized, resource: disk storage. Instead of storing its (large) intermediate state in RAM, Scribe's prover instead stores it on disk. To ensure that accesses to state are efficient, we design Scribe's prover in a read-write streaming model of computation that allows the prover to read and modify its state only in a streaming manner.

We implement and evaluate Scribe's prover, and show that, on commodity hardware, it can easily scale to circuits with 2²⁸ gates while using less than 750MB of memory and incurring only minimal proving latency overhead (10%) compared to a state-of-the-art memory-intensive baseline (HyperPlonk [EUROCRYPT 2023]) that requires much more memory.

Modern 5G user equipment (UE) processes Radio Resource Control (RRC) configuration messages during early control-plane exchanges, before authentication and integrity protection are established. Prior work for testing 5G UEs has largely focused on constructing syntactically invalid inputs. In contrast, we show that syntactically valid but semantically inconsistent messages, which violate specification-level field constraints or cross-field dependencies, can drive baseband implementations into invalid states, triggering assertion failures or modem crashes. These findings reveal semantic inconsistencies in pre-authentication signaling as a critical yet underexplored attack surface in 5G UE implementations. To address this gap, we present Constraint-Guided Semantic Testing (CONSET), a framework that systematically extracts specification-level constraints and leverages them to generate targeted semantic violations for testing 5G UEs. CONSET decodes RRC messages into structured fields, derives schema-based rules, infers cross-field dependencies using a Large Language Model (LLM) in an evidence-bounded manner, and produces syntactically valid test cases that intentionally violate semantic constraints. We evaluate CONSET on both commercial and open-source 5G UEs. On commercial smartphones, it uncovers 7 previously unknown vulnerabilities through responsible disclosure, including 3 high-severity CVEs, affecting 64 chipset models and over 542 commercially available smartphone models. On the open-source OAI UE, CONSET additionally triggers 46 distinct crash sites.

As a growing part of the creator economy, game platforms like Roblox enable millions of users to design, publish, promote, and monetize games. Alongside these opportunities, however, creators on such platforms face significant safety, privacy, and security risks. While prior work has examined online risks for content creators on social media platforms, little is known about the risk landscape of game creators. To address this gap, we interviewed 20 Roblox creators to understand how they perceive, experience, and cope with digital risks. Our analysis revealed five categories of risk—platform, production, organizational, community, and technical—that potentially compromise Roblox game creators' emotional, physical, relational, and financial safety. We also identified coping strategies such as negotiating for fairer pay and seeking community support. We conclude with recommendations for strengthening protections for game creators.

AI agents that integrate large language models with non-AI tool components are rapidly emerging in real-world applications, offering unprecedented automation and flexibility. However, this flexibility introduces complex security challenges that differ from traditional software systems. In this paper, we present the first comprehensive systematization of knowledge on AI agent security, analyzing the design space, attack landscape, and defense mechanisms for secure AI agent systems. In addition, we identify open challenges for future research in this emerging domain. Our work provides the first systematic framework for understanding AI agent security risks and defense strategies, serving as a foundation for building secure agentic systems and advancing research in this critical area.

Although boosting software development performance, large language model (LLM)-powered code generation introduces intellectual property and data security risks rooted in the fact that a service provider (cloud) observes a client's prompts and generated code, which can be proprietary in commercial systems. To mitigate this problem, we propose NOIR, the first framework to protect the client's prompts and generated code from the cloud. NOIR uses an encoder and a decoder at the client to encode and send the prompts' embeddings to the cloud to get enriched embeddings from the LLM, which are then decoded to generate the code locally at the client. Since the cloud can use the embeddings to infer the prompt and the generated code, NOIR introduces a new mechanism to achieve indistinguishability, a local differential privacy protection at the token embedding level, in the vocabulary used in the prompts and code, and a data-independent and randomized tokenizer on the client side. These components effectively defend against reconstruction and frequency analysis attacks by an honest-but-curious cloud. Extensive analysis and results using open-source LLMs show that NOIR significantly outperforms existing baselines on benchmarks, including the Evalplus (MBPP and HumanEval, Pass@1 of 76.7 and 77.4), and BigCodeBench (Pass@1 of 38.7, only a 1.77% drop from the original LLM) under strong privacy against attacks.

Machine learning (ML) has brought transformative applications across various sectors, including sensitive fields like healthcare, finance, and customer analytics. However, ML models are susceptible to privacy leaks, especially through attribute inference and model inversion attacks, raising concerns for data confidentiality in privacy-critical domains. Existing defenses pursue much broader objectives than specifically preventing privacy leakage from attribute inference attacks, and as a result often fail to provide fine-grained, vulnerability-aware protection without significant utility costs. Motivated by this need, we first investigate record-level vulnerability estimation through NeighVE, an adversary-side tool designed to identify which individual records are more exposed to inference. Insights from NeighVE reveal that the record-level risk of privacy leakage is largely agnostic to model architectures and attack strategies and is instead governed by dataset-level characteristics, particularly the distribution of sensitive attributes in the local neighborhood of each record. Building on this insight, we propose VESL, a subspace-learning–inspired defense that mitigates attribute-inference leakage while keeping utility loss to a bare minimum. As a byproduct of its balancing mechanism, VESL also improves fairness across sensitive attributes and prevents NeighVE from reliably identifying vulnerable records. As a supporting contribution, we introduce AttriVET, an estimator that predicts which individual records are vulnerable with over 90% accuracy across diverse scenarios, enabling risk-aware defense design and auditing.

Differentially private synthetic data generation has emerged as a powerful tool for sharing data while protecting individuals' privacy. However, when the attributes of sensitive data are distributed across multiple entities such as hospitals, companies, or government agencies, accurately generating synthetic data becomes challenging. In particular, it is difficult to capture informative statistical correlations and use them to guide data synthesis without gathering the entire private dataset. In response to this challenge, we propose a secure multi-party computation protocol for differentially private tabular data synthesis in the distributed setting. Our protocol contains two new primitives. The first is a protocol that exploits distributed point functions to efficiently estimate two-way marginals (pairwise joint distributions of attributes) across vertically distributed data. The second is a protocol for generating noise via batched lookups in the cumulative distribution function table. As a concrete demonstration, we build a distributed version of AIM, a state-of-the-art DP data-synthesis algorithm. Our implementation achieves the same utility as its centralized version while reducing end-to-end runtime by orders of magnitude compared with prior work. For example, we can synthesize the "Adult" dataset in 24 minutes in a real-world WAN setting, whereas the existing protocol is estimated to take 57 days.

We propose Libra, a compiler framework that automates efficient code generation for cross-scheme fully homomorphic encryption (FHE) on highly parallel computing architectures. While it is known that leveraging multiple FHE schemes in a single application can improve the overall efficiency, the exact mapping of cross-scheme FHE operators onto high-performance architectures, such as general-purpose graphic processing units (GPGPUs), remains challenging. To address such challenge, Libra integrates both the FHE computational patterns and hardware-aware scheduling strategies to establish an algorithm-hardware co-optimization framework. Specifically, Libra defines a novel cross-scheme representation for FHE that abstracts common program patterns for each of the FHE schemes. Then, we dynamically optimize the output FHE program based on the combined execution costs of FHE primitives derived from multiple scheme switching patterns. Next, to accelerate inter-operator execution on GPUs, Libra introduces a computational scheduling strategy that bridges high-level computation characteristics with low-level execution plans. Through the proposed pattern-scheduling co-optimization process, Libra generates efficient codes for cross-scheme high-precision FHE computations on GPGPUs. Experiment results show that Libra achieves up to 270× speedup on microbenchmarks and 19× on the applications compared to state-of-the-art cross-scheme, while improving compute unit and memory bandwidth utilization by 44% and 36.1%.

Model compression is crucial for minimizing memory storage and accelerating inference in deep learning (DL) models. Users can access different compressed model versions according to their resources and budget. However, while existing compression operations primarily focus on optimizing the trade-off between resource efficiency and model performance, the privacy risks introduced by compression remain overlooked and insufficiently understood.

In this work that focuses on typical classification tasks, through the lens of membership inference attack (MIA), we propose CompLeak, the first privacy risk evaluation framework examining three widely used compression configurations that are pruning, quantization, and weight clustering all supported by the commercial model compression framework of Google's TensorFlow-Lite (TF-Lite), and first two supported by Facebook's PyTorch Mobile and the open-source toolkit of Microsoft NNI. CompLeak has three variants, given access to the available number of compressed models and/or the original model. CompLeakNR starts by adopting existing MIA methods to attack each individual compressed model, and identifies that different compressed models influence members and non-members differently. When the original model and one compressed model are available, CompLeakSR leverages the compressed model as a reference to the original model and uncovers more privacy by combining meta information (e.g., confidence vector) from both models. When multiple compressed models are available with/without accessing the original model, CompLeakMR innovatively exploits privacy leakage info from multiple compressed versions to substantially signify the overall privacy leakage. We conduct extensive experiments on six diverse model architectures (from ResNet to BERT and GPT-2), and five image and textual benchmark datasets. Our experimental results show that CompLeakMR achieves the best MIA performance on all evaluation metrics, including TPR @ 0.1% FPR, proving that model compression exacerbates privacy leakage.

The proliferation of powerful Text-to-Video (T2V) models, trained on massive web-scale datasets, raises urgent concerns about copyright and privacy violations. Membership inference attacks (MIAs) provide a principled tool for auditing such risks, yet existing techniques—designed for static data like images or text—fail to capture the spatio-temporal complexities of video generation. In particular, they overlook the sparsity of memorization signals in keyframes and the instability introduced by stochastic temporal dynamics.

In this paper, we conduct the first systematic study of MIAs against T2V models and introduce a novel framework VidLeaks, which probes sparse-temporal memorization through two complementary signals: 1) Spatial Reconstruction Fidelity (SRF), using a Top-K similarity to amplify spatial memorization signals from sparsely memorized keyframes, and 2) Temporal Generative Stability (TGS), which measures semantic consistency across multiple queries to capture temporal leakage. We evaluate VidLeaks under three progressively restrictive black-box settings—supervised, reference-based, and query-only. Experiments on three representative T2V models reveal severe vulnerabilities: VidLeaks achieves AUC of 82.92% on AnimateDiff and 97.01% on InstructVideo even in the strict query-only setting, posing a realistic and exploitable privacy risk. Our work provides the first concrete evidence that T2V models leak substantial membership information through both sparse and temporal memorization, establishing a foundation for auditing video generation systems and motivating the development of new defenses. Code is available at: https://zenodo.org/records/17972831.

Modern text-to-image (T2I) generation systems (e.g., DALL·E 3) exploit the memory mechanism, which captures key information in multi-turn interactions for faithful generation. Despite its practicality, the security analyses of this mechanism have fallen far behind. In this paper, we reveal that it can exacerbate the risk of jailbreak attacks. Previous attacks fuse the unsafe target prompt into one ultimate adversarial prompt, which can be easily detected or lead to the generation of non-unsafe images due to under- or over-detoxification. In contrast, we propose embedding the malice at the inception of the chat session in memory, addressing the above limitations.

Specifically, we propose Inception, the first multi-turn jailbreak attack against real-world text-to-image generation systems that explicitly exploits their memory mechanisms. Inception is composed of two key modules: segmentation and recursion. We introduce Segmentation, a semantic-preserving method that generates multi-round prompts. By leveraging NLP analysis techniques, we design policies to decompose a prompt, together with its malicious intent, according to sentence structure, thereby evading safety filters. Recursion further addresses the challenge posed by unsafe sub-prompts that cannot be separated through simple segmentation. It firstly expands the sub-prompt, then invokes segmentation recursively. To facilitate multi-turn adversarial prompts crafting, we build VisionFlow, an emulation T2I system that integrates two-stage safety filters and industrial-grade memory mechanisms. The experiment results show that Inception successfully allures unsafe image generation, surpassing the SOTA by a 20.0% margin in attack success rate. We also conduct experiments on the real-world commercial T2I generation platforms, further validating the threats of Inception in practice.

Federated Graph Learning (FedGL) enables collaborative training on decentralized graph data while preserving privacy, yet its distributed nature makes it highly vulnerable to backdoor attacks. These attacks compromise the integrity of the global model by injecting malicious triggers. Existing defenses, however, are often ineffective on complex graph data or rely on a trusted server, creating an architectural conflict with modern privacy-preserving technologies. To overcome these limitations, we propose GBHINDER, a novel and practical trusted-server-free defense framework where each benign participant defends itself. GBHINDER establishes a virtuous cycle: it leverages its own trusted historical knowledge as a benign anchor to purify the downloaded global model, and in turn, selectively incorporates the global model's benign knowledge to progressively evolve the anchor itself. Specifically, this cycle is driven by two key components. A Historical Channel Attention Regularization module uses the anchor to constrain the global model's representations and disrupt backdoor propagation. To resolve the tension between local trust and global collaboration, an Adaptive Momentum Information Update mechanism enables the anchor to safely evolve by dynamically integrating robust global information, ensuring the anchor remains effective with federated iteration. Extensive experiments on several benchmark datasets demonstrate that GBHINDER significantly outperforms state-of-the-art (SOTA) defenses, successfully reducing the backdoor attack success rate to below 10% while preserving high accuracy on the main task.

Apple enforces strict code signing and mandates app distribution through its official App Store. Nonetheless, unauthorized apps still spread through sideloading channels. The Ad Hoc provisioning mechanism, originally designed for developer testing, has emerged as one such channel. It leverages individual developer certificates and user-side signing to enable unauthorized app installations that bypass Apple's app review process. Over time, this practice has evolved into a structured and prevalent gray-market that connects certificate resale, third-party signing tools, and the distribution of unsigned .ipa files. In this work, we present the first systematic study of this market, with a specific focus on its integrated service operations in China. Through a user-centric data collection strategy, we identified 3,359 active signing sites for certificate redemption, reverse engineered 12 signing tools, and obtained 8,216 distributed .ipa entries. Our analyses uncover a multi-layered certificate circulation model with resale margins up to 3,000% and reveal common tricks that signing tools employ for code signing. Most distributed apps are modified versions of legitimate ones, which leverage dynamic library injection to enable customized features. Such modifications undermine the security protections that both apps and the system provide to users, exposing them to risks such as unauthorized actions, sensitive data exfiltration, and system capability exploitation. Overall, our findings reveal a mature gray-market that erodes iOS's trust model while operating in plain sight, underscoring the need for targeted interventions from multiple stakeholders.

The security of private communication is increasingly at risk due to widespread surveillance. Steganography, a technique for embedding secret messages within innocuous carriers, enables covert communication over monitored channels. Provably Secure Steganography (PSS), which ensures computational indistinguishability between the normal model output and steganography output, is the state-of-the-art in this field. However, current PSS methods often require obtaining the explicit distributions of the model. In this paper, we propose a provably secure steganography scheme that only requires a model API that accepts a seed as input. Our core mechanism involves sampling a candidate set of tokens and constructing a map from possible message bit strings to these tokens. The output token is selected by applying this mapping to the real secret message, which provably preserves the original model's distribution. To ensure correct decoding, we address collision cases, where multiple candidate messages map to the same token, by maintaining and strategically expanding a dynamic collision set within a bounded size range. Extensive evaluations of three real-world datasets and three large language models demonstrate that our sampling-based method is comparable with existing PSS methods in efficiency and capacity.

File systems are widely-used and crucial but notoriously complex and a major source of vulnerabilities in operating systems. Recent works have proposed introducing in-kernel sandboxing techniques to isolate kernel components including file systems. However, a well-defined and secure boundary, where all interactions between untrusted and trusted kernel components should be validated against a strong threat model, is often ignored. This lack of secure boundary particularly applies to Linux file systems, which rely on a large and complex interface and interact with many kernel subsystems such as VFS and block devices. Defining such an interface is a challenging prerequisite of sandboxed kernel file systems.

We address this challenge with kSFS, a framework for in-kernel sandboxed file systems. kSFS repurposes the FUSE protocol, which is a microkernel-like interface originally designed for user-space file systems in Linux, as a secure interface for untrusted sandboxed kernel file systems that has strong isolation guarantees. Furthermore, kSFS generalizes WebAssembly to kernel space as a generic sandboxing mechanism and achieves compatibility with existing user-space file system implementations with minimal porting effort. For instance, porting the NTFS and exFAT implementations from user space with kSFS required modifying fewer than 300 LoC. While achieving better security and reliability than Linux file system implementations, kSFS achieves significantly better performance than their user-space counterparts. For the real-world applications tar and RocksDB, the kSFS NTFS implementation achieves up to 29% and 60× better performance than the user-space baseline, respectively, and only 0% to 52% lower performance than the insecure Linux implementation.

LLM-based agents have recently attracted significant attention. By leveraging the semantic understanding capabilities of large language models (LLMs), these agents can autonomously perform complex tasks according to user requests, such as downloading files and summarizing content. However, the lack of comprehensive resource governance renders them susceptible to abuse, potentially leading to resource exhaustion and denial-of-service (DoS) conditions.

In this work, we present the first systematic security study of resource management in LLM-based agents. We identify three representative patterns of resource lifecycle management, each of which enables distinct avenues for DoS exploitation. Building on these insights, we propose AgentDoS, a novel directed grey-box fuzzing framework designed to detect DoS vulnerabilities arising from resource exhaustion. AgentDoS first analyzes the resource lifecycle within the agent and then leverages an LLM to generate functionality-specific seed prompts in natural language that drive the agent toward excessive resource consumption. We evaluated AgentDoS on 20 widely used open-source LLM-based agents and discovered 36 zero-day vulnerabilities affecting 16 agents, 15 of which have over 10,000 stars on GitHub. To date, 15 CVE IDs have been assigned for these vulnerabilities.

Graph generative diffusion models have recently emerged as a powerful paradigm for generating complex graph structures, effectively capturing intricate dependencies and relationships within graph data. However, the privacy risks associated with these models remain largely unexplored. In this paper, we investigate information leakage in such models through three types of black-box inference attacks. First, we design a graph reconstruction attack, which can reconstruct graphs structurally similar to those training graphs from the generated graphs. Second, we propose a property inference attack to infer the properties of the training graphs, such as the average graph density and the distribution of densities, from the generated graphs. Third, we develop two membership inference attacks to determine whether a given graph is present in the training set. Extensive experiments on three different types of graph generative diffusion models and six real-world graphs demonstrate the effectiveness of these attacks, significantly outperforming the baseline approaches. Finally, we propose two defense mechanisms that mitigate these inference attacks and achieve a better trade-off between defense strength and target model utility than existing methods. Our code is available at https://zenodo.org/records/17946102.

In cloud-based endpoint auditing, security administrators often rely on the cloud to perform causality analysis over log-derived versioned provenance graphs to investigate suspicious attack behaviors. However, the cloud may be distrusted or compromised by attackers, potentially manipulating the final causality analysis results. Consequently, administrators may not accurately understand attack behaviors and fail to implement effective countermeasures. This risk underscores the need for a defense scheme to ensure the integrity of causality analysis. While existing tamper-evident logging schemes and trusted execution environments show promise for this task, they are not specifically designed to support causality analysis and thus face inherent security and efficiency limitations.

This paper presents VCAUSE, an efficient and verifiable causality analysis system for cloud-based endpoint auditing. VCAUSE integrates two authenticated data structures: a graph accumulator and a verifiable provenance graph. The data structures enable validation of two critical steps in causality analysis: (i) querying a point-of-interest node on a versioned provenance graph, and (ii) identifying its causally related components. Formal security analysis and experimental evaluation show that VCAUSE can achieve secure and verifiable causality analysis with only <1% computational overhead on endpoints and 3.36% on the cloud.

Continuous fuzzing infrastructure has found a large number of bugs. In this case, automatic root cause analysis (RCA) has been proposed to reduce the expensive manual effort to understand the root cause of a bug. However, existing root-cause representations are designed as isolated forms. Analysts still need to manually infer the integrated bug-triggering procedure including calling context and data dependency, which is very difficult for OS kernels due to their complexity.

In this paper, we propose contextual causality chain (CC-chain), a novel root-cause representation to intuitively reflect the integrated bug-triggering procedure of memory corruptions in the Linux kernel. CC-chain shows the bug-contributing instructions to explain corresponding unexpected behaviors that lead to a bug, as well as calling contexts and data dependencies among these instructions to help analysts rapidly understand how a bug happens. To automatically construct the CC-chain, we design a root cause analysis system KernelRCA including selective tracing, contextual information recovery, and chain-style root cause analysis. KernelRCA successfully diagnoses 54 various kinds of real-world memory corruptions in the Linux kernel and performs better than existing crash reports and KASAN reports. A user study shows that KernelRCA's reports significantly facilitate bug understanding and fixing for human analysts.

Threshold fully homomorphic encryption (ThFHE) enables multiple parties to perform arbitrary computation over encrypted data, while the secret key is distributed across the parties. The main task of designing ThFHE is to construct threshold key-generation and decryption protocols for FHE schemes. Among existing FHE schemes, FHEW-like cryptosystems enjoy the advantage of fast bootstrapping and small parameters. However, known ThFHE solutions use the "noise-flooding" technique to realize threshold decryption, which requires either large parameters or switching to a scheme with large parameters via bootstrapping, leading to a slow decryption process. Besides, for key generation, existing ThFHE schemes either assume a generic MPC or a trusted setup, or incur noise growth that is linear in the number n of parties.

In this paper, we propose a fast ThFHE scheme Ajax, by designing threshold key-generation and decryption protocols for FHEW-like cryptosystems. In particular, for threshold decryption, we eliminate the need for noise flooding, and instead present a new technique called "mask-then-open" based on random double sharings over different rings, while keeping the advantage of small parameters. For threshold key generation, we show a simple approach to reduce the noise growth from n times to max(0.038n,2) times in the honest-majority setting, where at most t=(n-1)/2 parties are corrupted. Our end-to-end implementation reports the running time 17.6 s and 0.9 ms (resp., 91.9 s and 4.4 ms) of generating a set of keys and decrypting a single ciphertext respectively, for n=3 (resp., n=21) parties under the network of 1 Gbps bandwidth and 1 ms ping time. Compared to the state-of-the-art implementation, our protocol improves the end-to-end performance of the threshold decryption protocol by a factor of at least 5.7× 283.6× across different network latencies from t=1 to t=13. Our approaches can also be applied in other types of FHE schemes like BGV, BFV, and CKKS.

Anonymous credentials (ACs) are fundamental to privacy-preserving authentication, allowing users to prove possession of attributes without revealing their identities. State-of-the-art ACs distribute credential issuance across multiple authorities, typically employing techniques such as Shamir's secret sharing or aggregate signatures. While this approach enhances system robustness and eliminates single point of failure, it treats all authorities equally in the credential issuance phase. This uniform treatment disregards the varying levels of trustworthiness or stake held by different authorities. Such limitation has become particularly problematic in modern decentralized systems like Proof-of-Stake networks, where the inherent trust differentiation among nodes cannot be leveraged in the credential issuance process.

To address this limitation, we propose the notion of Multi-Authority Anonymous Credentials with Epoch-Based Weights (MA-ACEW), the first Multi-Authority Anonymous Credential (MA-AC) model that considers authorities' weight distribution in credential issuance. Crucially, MA-ACEW enables efficient credential updates when authority weight distributions change across epochs. The core of MA-ACEW is our novel Epoch-Bound Pointcheval-Sanders Signature (EB-PS) primitive, which binds signatures to specific time epochs. This temporal binding enables both weight-based credential issuance within epochs and efficient non-interactive credential updates across epochs. We formalize the EUF-eCMA unforgeability requirement for EB-PS and prove our construction satisfies it under a novel STB-GPS assumption. We then prove that our MA-ACEW construction achieves unforgeability, anonymity, and blindness. Finally, we present benchmarks demonstrating the efficiency of EB-PS and MA-ACEW. Remarkably, presenting a credential aggregated from 128 partial ones takes only 10.68 ms on average.

The TOCTOU (Time Of Check to Time Of Use) bug is a well-known security issue in kernel code, because it bypasses security checks and leads to unexpected behaviors that can cause serious problems like system crashes and privilege escalation. According to our study on Linux kernel patches, kernel race is the most common root cause of kernel TOCTOU bugs. However, due to the complexity of kernel concurrency logic and non-determinism of thread scheduling, there is still no systematic approach that focuses on detecting TOCTOU bugs caused by kernel races.

In this paper, we design KERAT, the first systematic static approach for detecting TOCTOU bugs caused by kernel races. Indeed, such TOCTOU bugs are introduced by atomicity violations about the check-use operations of specific shared variables. Thus, KERAT performs bug detection by statically mining and checking the atomicity rules about shared variables from kernel code. Specifically, KERAT has two key techniques: (1) an atomicity-rule mining method to effectively identify which lock should protect the check-use operations of which shared variable; and (2) a state-based validation strategy to detect TOCTOU bugs that violate the mined atomicity rules based on state machines encoding of common bug patterns. We have evaluated KERAT on Linux-6.8 and FreeBSD-14.1, and found 351 real bugs. Among these bugs, 287 are identified as harmful, and 65 of them have been confirmed by kernel developers. 10 bugs have received CVE IDs.

Dynamic testing has historically focused on finding situations in which software does something unwanted, typically by triggering failure or undesirable states. However, such testing is often limited to finding these scenarios by example. Can we determine that software could do something unwanted by inspecting benign behavior? In this paper, we explore this question by leveraging eBPF for dynamic defect inference in Linux applications. eBPF is uniquely positioned as a system introspection tool that accrues data from both user- and kernelspace events and processes them as programs in the kernel. Our prototype, OS-Sanitizer, implements such eBPF programs using heuristics which report the suspected presence of defects in all applications across the entire system. Conceptually, OS-Sanitizer brings the idea of code smells from static testing into dynamic testing, while simultaneously profiting from the insights of runtime events. In doing so, we infer the presence of latent contextual defects in software that would only induce a failure in certain environments or are otherwise difficult to test for. We consider and evaluate the strengths and weaknesses of this approach from the perspectives of performance, complexity, maintainability, and usage, differentiating the theoretical limits of eBPF versus the specific limits of our prototype. Targeting well-known types of software defects, we were able to identify more than 40 issues (including severe vulnerabilities) in widely used applications, some of which are older than a decade and present on a majority of Linux distributions. Our findings demonstrate that dynamic defect inference is both feasible and effective, highlighting opportunities for expanding this underexplored direction in software testing.

Mixture-of-Experts (MoE) architectures have advanced the scaling of Large Language Models (LLMs) by activating only a sparse subset of parameters per input, enabling state-of-the-art performance with reduced computational cost. As these models are increasingly deployed in critical domains, understanding and strengthening their alignment mechanisms is essential to prevent harmful outputs. However, existing LLM safety research has focused almost exclusively on dense architectures, leaving the unique safety properties of MoEs largely unexamined. The modular, sparsely-activated design of MoEs suggests that safety mechanisms may operate differently than in dense models, raising questions about their robustness.

In this paper, we present GateBreaker, the first training-free, lightweight, and architecture-agnostic attack framework that compromises the safety alignment of modern MoE LLMs at inference time. GateBreaker operates in three stages: (i) gate-level profiling, which identifies safety experts disproportionately routed on harmful inputs, (ii) expert-level localization, which localizes the safety structure within safety experts, and (iii) targeted safety removal, which disables the identified safety structure to compromise the safety alignment. Our study shows that MoE safety concentrates within a small subset of neurons coordinated by sparse routing. Selective disabling of these neurons, maximum 2.9% of neurons in the targeted expert layers, significantly increases the averaged attack success rate (ASR) from 7.4% to 64.9% against the eight latest aligned MoE LLMs with limited utility degradation. These safety neurons transfer across models within the same family, raising ASR from 17.9% to 67.7% with one-shot transfer attack. Furthermore, GateBreaker generalizes to five MoE vision language models (VLMs) with 60.9% ASR on unsafe image inputs. To our knowledge, no prior work achieves this level of efficacy against MoE LLMs.

Traditional Wi-Fi Positioning System (WPS) spoofing attacks, while seemingly effective, have failed to raise major WPS security concerns due to their lack of stealth and persistence. This paper introduces a novel WILD Attack that undermines WPS security by subverting its core infrastructure–the Location Lookup Table (LLT). In this attack, an adversary remotely submits falsified crowd-sourced reports for target Wi-Fi access points, inducing WPS providers to update LLT based on falsified rather than legitimate data. We examine four widely deployed WPS providers–Google, Apple, A-Map, and WiGLE–and observe that they all accept falsified reports and apply distinct policies to resolve conflicts between legitimate and falsified data. Exploiting these policies, the attacker can induce two forms of LLT subversion: LLT Entry Tampering and LLT Entry Removal, both persisting for weeks even after the attacker ceases activity. We further present three case studies that show the real-world impact of the WILD Attack and propose countermeasures to mitigate such threats.

Graph adversarial attacks are usually produced from the two perspectives of topology/structure and node feature, both of them represent the paramount characteristics learned by today's deep learning models. Although some defense countermeasures are proposed at present, they fails to disclose the intrinsic reasons why these two aspects necessitate and how they are adequately fused to co-learn the graph representation. Towards this question, we in this paper propose an adversarial defense approach through locating the graph's critical state of adversarial resilience, resorting to the equilibrium-point theory in the discipline of complex dynamic system (CDS). In brief, our work has three novelties: i) Adversarial-Attack Modeling, i.e. map a graph regime into CDS, and use the oscillation of dynamic system to model the behavior of adversarial perturbation; ii) 2D Topology-Feature-Entangled Function Design for Perturbed Graph, i.e. project graph topology and node feature as two characteristic spaces, and define two-dimensional entangled perturbation functions to represent the dynamic variance under adversarial attacks; and iii) Location of Critical State of Adversarial Resilience, i.e. utilize the equilibrium-point theory to locate the graph's critical state of attack resilience resorting to the perturbation-reflected 2D function. Finally, multi-facet experiments on five commonly-used realistic datasets validate the effectiveness of our proposed approach, and the results show our approach can significantly outperform the state-of-the-art baselines under four representative graph adversarial attacks.

Sampling is renowned for its privacy amplification in differential privacy (DP), and is often assumed to improve the utility of a DP mechanism by allowing a noise reduction. In this paper, we further show that this last assumption is flawed: When measuring utility at equal privacy levels, sampling as preprocessing consistently yields penalties due to utility loss from omitting records over all canonical DP mechanisms—Laplace, Gaussian, exponential, and report noisy max— , as well as recent applications of sampling, such as clustering.

Extending this analysis, we investigate suppression as a generalized method of choosing, or omitting, records. Developing a theoretical analysis of this technique, we derive privacy bounds for arbitrary suppression strategies under unbounded approximate DP. We find that our tested suppression strategy also fails to improve the privacy–utility tradeoff. Surprisingly, uniform sampling emerges as one of the best suppression methods—despite its still degrading effect. Our results call into question common preprocessing assumptions in DP practice.

Cloud platforms run data-intensive workloads in multi-tenant settings, where frequent CPU–memory traffic can leak access patterns via cache side channels. Processing-in-Memory (PIM) devices such as UPMEM move computation into DRAM, sharply reducing data movement and shrinking the CPU cache footprint. However, commercial PIM architectures expose a host-programmed control plane and host-shared module memory, leaving device-resident code and data vulnerable to a compromised host. Existing secure-PIM proposals either add encryption/access-control hardware or rely on heavyweight host-side cryptographic protocols, complicating practical deployment.

We present Memclave, a software-only framework that brings code integrity and data confidentiality to commodity PIM without hardware changes. A TPM-attested hypervisor permanently isolates the PIM's control plane from host access at boot. On each in-memory core, a trusted loader authenticates the user kernel and establishes a per-session protected data path. Memclave preserves the programming model and kernel code: host applications replace a small set of data-movement calls with secure drop-ins, keeping the trusted computing base small and porting effort low. We implement Memclave on off-the-shelf UPMEM DIMMs and evaluate it across the PrIM benchmark suite, covering heterogeneous memory-access, compute, and synchronization patterns. After a one-time  100ms authenticated load, in-memory kernel time remains close to the PIM baseline: Multilayer Perceptron (MLP) stays within 1.5× at practical sizes, and First Search (BFS) is 1.1× on some graphs with modest rise as number of frontier levels increase.

We address the question of estimating the fraction of traffic that is bot-generated in a mixture. That is, we seek to estimate α when what we receive is α · Clean + (1-α) · Bot. This is primarily of interest when traffic is attempting to masquerade as human-generated (eg, click-fraud, inauthentic social media engagement, etc).

When at least one pair of features is independent in the clean traffic (eg, time-invariance of geographic distribution) we show that getting an upper-bound on α is equivalent to finding the rank-one matrix that maximizes a simple objective function. We give an efficient method for solving, and derive the tightness of the bound. When we have limited data, error analysis is extremely important, since the sampled version of a rank-one matrix will not be precisely rank-one. We derive confidence intervals for our estimates, that allow us to be confident that we find a true upper-bound.

We empirically validate our findings. First, using random rank-one, and full-rank matrices for the clean and bot distributions respectively, we verify accuracy using Monte Carlo simulations. Second, we examine Twitter (now X) data. Twitter accounts with large follower-ship that were offered for sale on an open market-place are flagged as having >90% bot followers, while accounts for several academic conferences and well-known researchers are flagged at <20%. We verify accuracy on Twitter account populations of arbitrary clean/bot composition.

Online content creators spend significant time and effort building their user base through a long, often arduous process that requires finding the right "niche" to cater to. So, what incentive is there for an established content creator known for cat memes to completely reinvent their page channel and start promoting cryptocurrency services or covering electoral news events? And, if they do, do their existing subscribers not notice?

We explore this problem of repurposed channels, whereby a channel changes its identity and contents. We first characterize a market for "second-hand" social media accounts, which recorded sales exceeding USD 1M during our 6-month observation period. Observing YouTube channels (re)sold over these 6 months, we find that a substantial number (53%) are used to disseminate policy-sensitive content, often without facing any penalty. Even more surprisingly, these channels seem to gain rather than lose subscribers.

We estimate the prevalence of channel repurposing "in the wild," using two snapshots of  1.4M YouTube accounts sampled from an ecologically valid proxy. In a 3-month period, we estimate that  0.25% channels were repurposed. Through a set of experiments, we confirm that these repurposed channels share several characteristics with sold channels—mainly the fact that they have a significantly high presence of policy-sensitive content. Across repurposed channels, we find channels similar to those used in influence operations, as well as channels used for financial scams. Repurposed channels have large audiences; across two observed samples, repurposed channels collectively held  193M and  44M subscribers. We reason that purchasing an existing audience and the credibility associated with an established account is advantageous to financially- and ideologically motivated adversaries. This phenomenon is not exclusive to YouTube and we posit that the market for cultivating organic audiences is set to grow, particularly if it remains unchallenged by mitigations, technical or otherwise.

The fine-tuning technique in deep learning gives rise to an emerging lineage relationship among models. This lineage provides a promising perspective for addressing security concerns such as unauthorized model redistribution and false claim of model provenance, which are particularly pressing in open-weight model libraries where robust lineage verification mechanisms are often lacking. Existing approaches to model lineage detection primarily rely on static architectural similarities, which are insufficient to capture the dynamic evolution of knowledge that underlies true lineage relationships. Drawing inspiration from the genetic mechanism of human evolution, we tackle the problem of model lineage attestation by verifying the joint trajectory of knowledge evolution and parameter modification. To this end, we propose a novel model lineage attestation framework. In our framework, model editing is first leveraged to quantify parameter-level changes introduced by fine-tuning. Subsequently, we introduce a novel knowledge vectorization mechanism that refines the evolved knowledge within the edited models into compact representations by the assistance of probe samples. The probing strategies are adapted to different types of model families. These embeddings serve as the foundation for verifying the arithmetic consistency of knowledge relationships across models, thereby enabling robust attestation of model lineage. Extensive experimental evaluations demonstrate the effectiveness and resilience of our approach in a variety of adversarial scenarios in the real world. Our method consistently achieves reliable lineage verification across a broad spectrum of model types, including classifiers, diffusion models, and large language models.

The Authentication and Key Management for Applications (AKMA) system represents a recently developed protocol established by 3GPP, which is anticipated to become a pivotal component of the 5G standards. AKMA enables application service providers to delegate user authentication processes to mobile network operators, thereby eliminating the need for these providers to store and manage authentication-related data themselves. This delegation enhances the efficiency of authentication procedures but simultaneously introduces certain security and privacy challenges that warrant thorough analysis and mitigation.

The 5G AKMA service is facilitated by the AKMA Anchor Function (AAnF), which may operate outside the boundaries of the 5G core network. A compromise of the AAnF could potentially allow malicious actors to exploit vulnerabilities, enabling them to monitor user login activities or gain unauthorized access to sensitive communication content. Furthermore, the exposure of the Subscription Permanent Identifier (SUPI) to external Application Functions poses substantial privacy risks, as the SUPI could be utilized to correlate a user's real-world identity with their online activities, thereby undermining user privacy.

To mitigate these vulnerabilities, we propose a novel protocol named E2E-AKMA, which facilitates the establishment of a session key between the User Equipment (UE) and the Application Function (AF) with end-to-end security, even in scenarios where the AAnF has been compromised. Furthermore, the protocol ensures that no entity, aside from the 5G core network, can link account activities to the user's actual identity. This architecture preserves the advantages of the existing AKMA scheme, such as eliminating the need for complex dynamic secret data management and avoiding reliance on specialized hardware (apart from standard SIM cards). Experimental evaluations reveal that the E2E-AKMA framework incurs an overhead of approximately 9.4% in comparison to the original 5G AKMA scheme, which indicates its potential efficiency and practicality for deployment.

Large language models (LLMs) are vulnerable to malicious inputs that elicit harmful content. Current safety mechanisms, such as keyword filters or output moderation, largely ignore internal model dynamics. We show that safety-relevant features correlated with harmful prompting are strongly separable under lightweight probes in intermediate hidden states (up to 99% accuracy) before generation, revealing that such features persist internally even when models produce compliant outputs. Leveraging this observation, we introduce layer-wise toxicity probes and a multi-layer complementary detection framework that fuses signals from diverse depths. Our lightweight Sentinel (<5M parameters) halves false negatives compared to generation-level refusal and maintains over 94% detection accuracy under adversarial attacks—where baselines drop by 32%. Sentinel also outperforms Llama-Guard-3-8B on heterogeneous harmful prompting across seven open-weight LLMs (1.5B→72B) and multiple benchmarks (I2P, SneakyPrompt, MMA, Labelled, PIJ, ChatAlpaca, and Multi-turn Jailbreak). Beyond detection, our method provides the first quantitative, layer-resolved map of how safety-relevant signals emerge, propagate, and degrade within LLMs, enabling interpretable, inside-out alignment and diagnostics. This paper contains potentially sensitive and offensive content, including but not limited to NSFW material, hate speech, discrimination, and other harmful text. Reader discretion is advised.