ALPS is an automated, vendor-agnostic framework that enforces least privilege in serverless functions by analyzing code and generating precise security policies, achieving high coverage and significan…

This paper presents Vivace, a serverless system for exact temporal OLAP over interval histories, which addresses the issues of incomplete data and incorrect answers in serverless functions.

The paper introduces Kumo, a novel security-focused simulator that enables controlled analysis of resource sharing and scheduling risks in serverless cloud environments, demonstrating that scheduler c…

SEMBridge is a tagless-final framework that allows a single executable object program to generate multiple program semantics, including weakest-precondition and bounded-checking interpretations, ensur…

Filament is a novel, compiler-agnostic static information-flow control (IFC) library for Rust that enables fine-grained, Denning-style tracking of both explicit and implicit data flows with minimal pr…

The paper introduces FEDB, a novel confidential database design that eliminates cryptographic operations from the critical query path, significantly reducing performance overhead for secure querying o…

The paper introduces SPIDER, a novel single-server Private Information Retrieval (PIR) scheme that achieves state-of-the-art communication complexity without requiring specialized server cooperation o…

The paper introduces EXHIB, a comprehensive benchmark of five real-world datasets, to evaluate Function Similarity Detection, demonstrating that current models fail to generalize across diverse low- a…

The paper proposes a new DDH-based technique that significantly reduces the key size of multi-party Distributed Point Function (DPF) secret sharing schemes, achieving an $O( oot{3}{N})$ key size for h…

Pomegranate is a novel framework that uses hardware-assisted virtualization and Extended Page Tables to securely compartmentalize existing operating systems with minimal source code modification, enab…

The paper proposes HSTS-Enforced, a new web security model that flips the default connection from HTTP to HTTPS, eliminating TLS stripping attacks while allowing sites to opt out if they genuinely req…

Sandlock is a lightweight, unprivileged Linux process sandbox that enforces fine-grained policies over filesystem, network, and syscalls for running untrusted AI agent code, achieving strong isolation…

The paper introduces Heimdall, an automated pipeline that uses LLMs and formal verification to safely and automatically migrate legacy, potentially buggy eBPF programs written in C to memory-safe Rust…

The paper introduces mcp-attested, a security extension to the Model Context Protocol (MCP) that allows hosts to safely admit and restrict the tools used by external, third-party tool servers.

The paper introduces PeAR, a static binary rewriting framework that proves static binary instrumentation (SBI) is a practical and effective alternative to dynamic binary instrumentation (DBI) for high…

SPARK introduces a predictive, traffic-aware autoscaling toolchain for Kubernetes that uses eBPF to enhance security and significantly reduce timeout errors during sudden traffic spikes.

The paper introduces BOUNDARY FLOW, an LLVM-based framework that enhances kernel fuzzing and analysis by extracting per-task, state-aware data-flow information (arguments and return values) at functio…

ChainCaps introduces a novel runtime capability budgeting system that prevents 'permission laundering' in complex tool-using agents, significantly reducing attack success rates while maintaining benig…

The paper introduces GRIEF, a greybox fuzzer that discovers critical, concurrency-related vulnerabilities in LLM serving systems by treating timed multi-request traces as inputs, finding issues like c…

The paper enhances REST API fuzzing by introducing novel automated oracles that detect access policy violations and execute traditional injection attacks, successfully identifying security flaws in mu…