About me
Mathias Payer Mathias Payer is a security researcher and associate professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. All prototype implementations are open-source.

Mathias joined EPFL in 2018 and received tenure in 2021. Before EPFL, he spent 4 years as assistant professor at Purdue University and 2 years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2018, he co-founded the EPFL polygl0ts CTF team and in 2014, he founded the Purdue b01lers CTF team.

Check out his blog on random ramblings on security-related topics, our group home page, the overview of the systems security circus, and our teaching page. His Curriculum Vitae is available as well.

Contact and Social
              Address: BC 160, Station 14, CH-1015 Lausanne, Switzerland.

Interested in the HexHive research group? Read this advice for prospective students and send me an email afterwards.

Conference Proceedings

Truman: Constructing Device Behavior Models from OS Drivers to Fuzz Virtual Devices2025
Zheyu Ma, Qiang Liu, Zheming Li, Tingting Yin, Wende Tan, Chao Zhang, and Mathias Payer.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (source, DOI)

QMSan: Efficiently Detecting Uninitialized Memory Errors During Fuzzing
Matteo Marini, Daniele Cono D'Elia, Mathias Payer, and Leonardo Querzoni.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (source, DOI)

DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing
Liam Wachter, Julian Gremminger, Christian Wressnegger, Mathias Payer, and Flavio Toffalini.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (source, DOI)

type++: Prohibiting Type Confusion with Inline Type Information
Nicolas Badoux, Flavio Toffalini, Yuseok Jeon, and Mathias Payer.
In NDSS'25: Network and Distributed System Security Symposium, 2025 (source, DOI)

Fuzzing JavaScript Engines with a Graph-based IR2024
Haoran Xu, Zhiyuan Jiang, Yongjun Wang, Shuhui Fan, Shenglin Xu, Peidai Xie, Shaojing Fu, and Mathias Payer.
In CCS'24: ACM Conference on Computer and Communication Security, 2024 (presentation, DOI)

Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects
Kaiming Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, and Trent Jaeger.
In CCS'24: ACM Conference on Computer and Communication Security, 2024 (DOI)

Gradient: Gradual Compartmentalization via Object Capabilities Tracked in Types
Aleksander Boruch-Gruszecki, Adrien Ghosn, Mathias Payer, and Clément Pit-Claudel.
In OOPSLA'24: Object-Oriented Programming, Systems, Languages, and Applications, 2024 (presentation, DOI)

Tango: Extracting Higher-Order Feedback through State Inference
Ahmad Hazimeh, Duo Xu, Qiang Liu, Yan Wang, and Mathias Payer.
In RAID'24: Recent Advances in Intrusion Detection, 2024 (best paper award, source, DOI)

Monarch: A Fuzzing Framework for Distributed File Systems
Tao Lyu, Liyi Zhang, Zhiyao Feng, Yueyang Pan, Yujie Ren, Meng Xu, Mathias Payer, and Sanidhya Kashyap.
In ATC'24: Usenix Annual Technical Conference, 2024

Exploiting Android's Hardened Memory Allocator
Philipp Mao, Elias Valentin Boschung, Marcel Busch, and Mathias Payer.
In WOOT'24: Usenix Workshop on Offensive Technologies, 2024 (presentation, best paper award)

GlobalConfusion: TrustZone Trusted Application 0-Days by Design
Marcel Busch, Philipp Mao, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation)

HyperPill: Fuzzing for Hypervisor-bugs by leveraging the Hardware Virtualization Interface
Alexander Bulekov, Qiang Liu, Manuel Egele, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation, distinguished paper award, source)

EL3XIR: Fuzzing COTS Secure Monitors
Christian Lindenmeier, Mathias Payer, and Marcel Busch.
In SEC'24: Usenix Security Symposium, 2024 (presentation, source)

Spill the TeA: An Empirical Study of Trusted Application Rollback Prevention on Android
Marcel Busch, Philipp Mao, and Mathias Payer.
In SEC'24: Usenix Security Symposium, 2024 (presentation)

SyzRisk: A Change-Pattern-Based Continuous Kernel Regression Fuzzer
Gwangmu Lee, Duo Xu, Solmaz Salimi, Byoungyoung Lee, and Mathias Payer.
In AsiaCCS'24: ACM Symp. on InformAtion, Computer and Communications Security, 2024 (presentation, source, DOI)

Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference
Heqing Huang, Anshunkang Zhou, Mathias Payer, and Charles Zhang.
In Oakland'24: IEEE International Symposium on Security and Privacy, 2024 (presentation, DOI)

SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices
Qinying Wang, Boyu Chang, Shouling Ji, Yuan Tian, Xuhong Zhang, Binbin Zhao, Gaoning Pan, Chenyang Lyu, Mathias Payer, Wenhai Wang, and Raheem Beyah.
In Oakland'24: IEEE International Symposium on Security and Privacy, 2024 (presentation, source, DOI)

Crystallizer: A Hybrid Path Analysis Framework To Aid in Uncovering Deserialization Vulnerabilities2023
Prashast Srivastava, Flavio Toffalini, Kostyantyn Vorobyov, Francois Gauthier, Antonio Bianchi, and Mathias Payer.
In FSE'23: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2023 (source, DOI)

ACTOR: Action-Guided Kernel Fuzzing
Marius Fleischer, Dipanjan Das, Priyanka Bose, Weiheng Bai, Kangjie Lu, Mathias Payer, Christopher Kruegel, and Giovanni Vigna.
In SEC'23: Usenix Security Symposium, 2023

FishFuzz: Catch Deeper Bugs by Throwing Larger Nets
Han Zheng, Jiayuan Zhang, Yuhang Huang, Zezhong Ren, He Wang, Chunjie Cao, Yuqing Zhang, Flavio Toffalini, and Mathias Payer.
In SEC'23: Usenix Security Symposium, 2023 (source, artifact)

Silent Bugs Matter: A Study of Compiler-Introduced Security Bugs
Jianhao Xu, Kangjie Lu, Zhengjie Du, Zhu Ding, Linke Li, Qiushi Wu, Mathias Payer, and Bing Mao.
In SEC'23: Usenix Security Symposium, 2023

ARMore: Pushing Love Back Into Binaries
Luca Di Bartolomeo, Hossein Moghaddas, and Mathias Payer.
In SEC'23: Usenix Security Symposium, 2023 (source)

AIFORE: Smart Fuzzing Based on Automatic Input Format Reverse Engineering
Ji Shi, Zhun Wang, Zhiyao Feng, Yang Lan, Shisong Qin, Wei You, Wei Zou, Mathias Payer, and Chao Zhang.
In SEC'23: Usenix Security Symposium, 2023

GLeeFuzz: Fuzzing WebGL Through Error-Message-Guided Mutation
Hui Peng, Zhihao Yao, Ardalan Amiri Sani, Dave (Jing) Tian, and Mathias Payer.
In SEC'23: Usenix Security Symposium, 2023 (source)

Imprecise Store Exceptions
Siddharth Gupta, Yuanlong Li, Qingxuan Kang, Abhishek Bhattacharjee, Babak Falsafi, Yunho Oh, and Mathias Payer.
In ISCA'23: International Symposium on Computer Architecture, 2023 (DOI)

ViDeZZo: Dependency-aware Virtual Device Fuzzing
Qiang Liu, Flavio Toffalini, Yajin Zhou, and Mathias Payer.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (source, DOI)

WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches
Jianhao Xu, Luca Di Bartolomeo, Flavio Toffalini, Bing Mao, and Mathias Payer.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (presentation, source, DOI)

SecureCells: A Secure Compartmentalized Architecture
Atri Bhattacharyya, Florian Hofhammer, Yuanlong Li, Siddharth Gupta, Andres Sanchez, Babak Falsafi, and Mathias Payer.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (presentation, project, DOI)

TEEzz: Fuzzing Trusted Applications on COTS Android Devices
Marcel Busch, Mathias Payer, Aravind Machiry, Christopher Kruegel, Giovanni Vigna, and Chad Spensky.
In Oakland'23: IEEE International Symposium on Security and Privacy, 2023 (presentation, source, DOI)

Arvin: Greybox Fuzzing Using Approximate Dynamic CFG Analysis
Sirus Shahini, Robert Ricci, Mu Zhang, and Mathias Payer.
In AsiaCCS'23: ACM Symp. on InformAtion, Computer and Communications Security, 2023 (DOI)

Temperature Impact on Remote Power Side-Channel Attacks on Shared FPGAs
Ognjen Glamocanin, Hajira Bazaz, Mathias Payer, and Mirjana Stojilovic.
In DATE'23: Design, Automation and Test in Europe Conference, 2023

One Fuzz Doesn't Fit All: Optimizing Directed Fuzzing via Target-tailored Program State Restriction2022
Prashast Srivastava, Stefan Nagy, Matthew Hicks, Antonio Bianchi, and Mathias Payer.
In ACSAC'22: Annual Computer Security Applications Conference, 2022 (presentation, best poster award, source, DOI)

Designing a Provenance Analysis for SGX Enclaves
Flavio Toffalini, Mathias Payer, Jianying Zhou, and Lorenzo Cavallaro.
In ACSAC'22: Annual Computer Security Applications Conference, 2022 (DOI)

Evocatio: Conjuring Bug Capabilities from a Single PoC
Zhiyuan Jiang, Shuitao Gan, Adrian Herrera, Flavio Toffalini, Lucio Romerio, Chaojing Tang, Manuel Egele, Chao Zhang, and Mathias Payer.
In CCS'22: ACM Conference on Computer and Communication Security, 2022 (presentation, source, DOI)

PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication
Yuan Li, Wende Tan, Zhizheng Lv, Songtao Yang, Mathias Payer, Ying Liu, and Chao Zhang.
In CCS'22: ACM Conference on Computer and Communication Security, 2022 (DOI)

Minerva: Browser API Fuzzing with Dynamic Mod-Ref Analysis
Chijin Zhou, Quan Zhang, Mingzhe Wang, Lihua Guo, Jie Liang, Zhe Liu, Mathias Payer, and Yu Jiang.
In FSE'22: ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2022 (distinguished paper award, DOI)

BreakMi: Reversing, Exploiting and Fixing Xiaomi Fitness Tracking Ecosystem
Marco Casagrande, Eleonora Losiouk, Mauro Conti, Mathias Payer, and Daniele Antonioli.
In CHES'22: IACR Conference on Crypotographic Hardware and Embedded Systems, 2022 (source)

BLURtooth: Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy
Daniele Antonioli, Nils Tippenhauer, Kasper Rasmussen, and Mathias Payer.
In AsiaCCS'22: ACM Symp. on InformAtion, Computer and Communications Security, 2022 (project, video, DOI)

ProFactory: Improving IoT Security via Formalized Protocol Customization
Fei Wang, Jianliang Wu, Yuhong Nan, Yousra Aafer, Xiangyu Zhang, Dongyan Xu, and Mathias Payer.
In SEC'22: Usenix Security Symposium, 2022 (source)

Midas: Systematic Kernel TOCTTOU Protection
Atri Bhattacharyya, Uros Tesic, and Mathias Payer.
In SEC'22: Usenix Security Symposium, 2022 (presentation, source, talk)

Preventing Kernel Hacks with HAKCs
Derrick McKee, Yianni Giannaris, Carolina Ortega Perez, Howard Shrobe, Mathias Payer, Hamed Okhravi, and Nathan Burow.
In NDSS'22: Network and Distributed System Security Symposium, 2022 (presentation, distinguished paper award, source, DOI)

The Taming of the Stack: Isolating Stack Data from Memory Errors
Kaiming Huang, Yongzhe Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, and Trent Jaeger.
In NDSS'22: Network and Distributed System Security Symposium, 2022 (DOI)

Igor: Crash Deduplication Through root-Cause Clustering2021
Zhiyuan Jiang, Xiyue Jiang, Ahmad Hazimeh, Chaojing Tang, Chao Zhang, and Mathias Payer.
In CCS'21: ACM Conference on Computer and Communication Security, 2021 (source, DOI)

Principal Kernel Analysis: A Tractable Methodology to Simulate Scaled GPU Workloads
Cesar Avalos Baddouh, Mahmoud Khairy, Roland N. Green, Mathias Payer, and Timothy G. Rogers.
In MICRO'21: International Symposium on Microarchitecture, 2021 (DOI)

uSCOPE: A Methodology for Analyzing Least-Privilege Compartmentalization in Large Software Artifacts
Nick Roessler, Lucas Atayde, Imani Palmer, Derrick McKee, Jai Pandey, Vasileios P. Kemerlis, Mathias Payer, Adam Bates, Andre DeHon, Jonathan M. Smith, and Nathan Dautenhahn.
In RAID'21: Recent Advances in Intrusion Detection, 2021

Seed Selection for Successful Fuzzing
Adrian Herrera, Hendra Gunadi, Shane Magrath, Michael Norrish, Mathias Payer, and Tony Hosking.
In ISSTA'21: ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021 (DOI)

Gramatron: Effective Grammar-aware Fuzzing
Prashast Srivastava, and Mathias Payer.
In ISSTA'21: ACM SIGSOFT International Symposium on Software Testing and Analysis, 2021 (source, DOI)

Rebooting Virtual Memory with Midgard
Siddharth Gupta, Atri Bhattacharyya, Yunho Oh, Abhishek Bhattacharjee, Babak Falsafi, and Mathias Payer.
In ISCA'21: International Symposium on Computer Architecture, 2021 (DOI)

Code Specialization through Dynamic Feature Observation
Priyam Biswas, Nathan Burow, and Mathias Payer.
In CODASPY'21: ACM Conference on Data and Application Security and Privacy, 2021 (source, DOI)

Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps' Native Code
Sumaya Almanee, Arda Unal, Mathias Payer, and Joshua Garcia.
In ICSE'21: International Conference on Software Engineering, 2021 (video, source, DOI)

LIGHTBLUE: Automatic Profile-Aware Debloating of Bluetooth
Jianliang Wu, Ruoyu Wu, Daniele Antonioli, Mathias Payer, Nils Ole Tippenhauer, Dongyan Xu, Dave (Jing) Tian, and Antonio Bianchi.
In SEC'21: Usenix Security Symposium, 2021 (source)

Enclosure: language-based restriction of untrusted libraries
Adrien Ghosn, Marios Kogias, Mathias Payer, James R. Larus, and Edouard Bugnion.
In ASPLOS'21: International Conference on Architectural Support for Programming Languages and Operating Systems, 2021 (source, DOI)

MAGMA: A Ground-Truth Fuzzing Benchmark
Ahmad Hazimeh, Adrian Herrera, and Mathias Payer.
In SIGMETRICS'21: ACM SIGMETRICS, 2021 (source, DOI)

Evading Voltage-Based Intrusion Detection on Automotive CAN
Rohit Bhatia, Vireshwar Kumar, Khaled Serag, Z. Berkay Celik, Mathias Payer, and Dongyan Xu.
In NDSS'21: Network and Distributed System Security Symposium, 2021 (DOI)

SpecROP: Speculative Exploitation of ROP Chains2020
Atri Bhattacharyya, Andres Sanchez, Esmaeil Mohammmadian Koruyeh, Nael Abu-Ghazaleh, Chengyu Song, and Mathias Payer.
In RAID'20: Recent Advances in Intrusion Detection, 2020 (presentation)

BlueShield: Detecting Spoofing Attacks in Bluetooth Low Energy Networks
Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Mathias Payer, and Dongyan Xu.
In RAID'20: Recent Advances in Intrusion Detection, 2020 (presentation)

USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
Hui Peng, and Mathias Payer.
In SEC'20: Usenix Security Symposium, 2020 (source)

FuZZan: Efficient Sanitizer Metadata Design for Fuzzing
Yuseok Jeon, WookHyun Han, Nathan Burow, and Mathias Payer.
In ATC'20: Usenix Annual Technical Conference, 2020 (source)

uRAI: Securing Embedded Systems with Return Address Integrity
Naif Saleh Almakhdhub, Abraham A. Clements, Saurabh Bagchi, and Mathias Payer.
In NDSS'20: Network and Distributed System Security Symposium, 2020 (presentation, uRAI source, DOI)

HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
Abraham A. Clements, Eric Gustafson, Tobias Scharnowski, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer.
In SEC'20: Usenix Security Symposium, 2020 (HALucinator source, HALfuzz source)

FuzzGen: Automatic Fuzzer Generation
Kyriakos Ispoglou, Daniel Austin, Vishwath Mohan, and Mathias Payer.
In SEC'20: Usenix Security Symposium, 2020 (source)

RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization
Sushant Dinesh, Nathan Burow, Dongyan Xu, and Mathias Payer.
In Oakland'20: IEEE International Symposium on Security and Privacy, 2020 (source, DOI)

SMoTherSpectre: exploiting speculative execution through port contention2019
Atri Bhattacharyya, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Babak Falsafi, Mathias Payer, and Anil Kurmus.
In CCS'19: ACM Conference on Computer and Communication Security, 2019 (blog post, arXiv, source, DOI)

Butterfly Attack: Adversarial Manipulation of Temporal Properties of Cyber-Physical Systems
Rouhollah Mahfouzi, Amir Aminifar, Soheil Samii, Mathias Payer, Petru Eles, and Zebo Peng.
In RTSS'19: Real-Time Systems Symposium, 2019 (DOI)

Pythia: Remote Oracles for the Masses
Shin-Yeh Tsai, Mathias Payer, and Yiying Zhang.
In SEC'19: Usenix Security Symposium, 2019 (source)

BenchIoT: A Security Benchmark for the Internet of Things
Naif Saleh Almakhdhub, Abraham A. Clements, Mathias Payer, and Saurabh Bagchi.
In DSN'19: IEEE/IFIP International Conference on Dependable Systems and Networks, 2019 (presentation, source, DOI)

SoK: Shining Light on Shadow Stacks
Nathan Burow, Xingping Zhang, and Mathias Payer.
In Oakland'19: IEEE International Symposium on Security and Privacy, 2019 (presentation, source, DOI)

PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications
Yuseok Jeon, Junghwan Rhee, Chung Hwan Kim, Zhichun Li, Mathias Payer, Byoungyoung Lee, and Zhenyu Wu.
In CODASPY'19: ACM Conference on Data and Application Security and Privacy, 2019 (presentation, DOI)

Milkomeda: Safeguarding the Mobile GPU Interface Using WebGL Security Checks2018
Zhihao Yao, Saeed Mirzamohammadi, Ardalan Amiri Sani, and Mathias Payer.
In CCS'18: ACM Conference on Computer and Communication Security, 2018 (blog post, source, DOI)

Block Oriented Programming: Automating Data-Only Attacks
Kyriakos Ispoglou, Bader AlBassam, Trent Jaeger, and Mathias Payer.
In CCS'18: ACM Conference on Computer and Communication Security, 2018 (blog post, arXiv, source, DOI)

ACES: Automatic Compartments for Embedded Systems
Abraham A. Clements, Naif Saleh Almakhdhub, Saurabh Bagchi, and Mathias Payer.
In SEC'18: Usenix Security Symposium, 2018 (source)

T-Fuzz: fuzzing by program transformation
Hui Peng, Yan Shoshitaishvili, and Mathias Payer.
In Oakland'18: IEEE International Symposium on Security and Privacy, 2018 (presentation, source, DOI)

CUP: Comprehensive User-Space Protection for C/C++
Nathan Burow, Derrick McKee, Scott A. Carr, and Mathias Payer.
In AsiaCCS'18: ACM Symp. on InformAtion, Computer and Communications Security, 2018 (presentation, source, DOI)

CFIXX: Object Type Integrity for C++ Virtual Dispatch
Nathan Burow, Derrick McKee, Scott A. Carr, and Mathias Payer.
In NDSS'18: Network and Distributed System Security Symposium, 2018 (source, DOI)

HexType: Efficient Detection of Type Confusion Errors for C++2017
Yuseok Jeon, Priyam Biswas, Scott A. Carr, Byoungyoung Lee, and Mathias Payer.
In CCS'17: ACM Conference on Computer and Communication Security, 2017 (source, DOI)

Venerable Variadic Vulnerabilities Vanquished
Priyam Biswas, Alessandro Di Federico, Scott A. Carr, Prabhu Rajasekaran, Stijn Volckaert, Yeoul Na, Michael Franz, and Mathias Payer.
In SEC'17: Usenix Security Symposium, 2017 (presentation, source)

Protecting Bare-metal Embedded Systems with Privilege Overlays
Abraham A. Clements, Naif Saleh Almakhdhub, Khaled Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer.
In Oakland'17: IEEE International Symposium on Security and Privacy, 2017 (source, video, DOI)

One Process to Reap Them All: Garbage Collection As A Service
Ahmed Hussein, Mathias Payer, Antony L. Hosking, and Christopher A. Vick.
In VEE'17: ACM International Conference on Virtual Execution Environments, 2017 (DOI)

DataShield: Configurable Data Confidentiality and Integrity
Scott A. Carr, and Mathias Payer.
In AsiaCCS'17: ACM Symp. on InformAtion, Computer and Communications Security, 2017 (source, DOI)

Memory Safety for Embedded Devices with nesCheck
Daniele Midi, Mathias Payer, and Elisa Bertino.
In AsiaCCS'17: ACM Symp. on InformAtion, Computer and Communications Security, 2017 (presentation, source, DOI)

REV.NG: A Unified Binary Analysis Framework for CFG and Function Boundaries Recovery
Alessandro Di Federico, Mathias Payer, and Giovanni Agosta.
In CC'17: International Conference on Compiler Construction, 2017 (source, DOI)

An Evil Copy: How the Loader Betrays You
Xinyang Ge, Mathias Payer, and Trent Jaeger.
In NDSS'17: Network and Distributed System Security Symposium, 2017 (DOI)

Enforcing Least Privilege Memory Views for Multithreaded Applications2016
Terry Ching-Hsiang Hsu, Kevin Hoffman, Patrick Eugster, and Mathias Payer.
In CCS'16: ACM Conference on Computer and Communication Security, 2016 (source, DOI)

TypeSanitizer: Practical Type Confusion Detection
Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Herbert Bos, Cristiano Giuffrida, and Erik van der Kouwe.
In CCS'16: ACM Conference on Computer and Communication Security, 2016 (source, DOI)

Forgery-Resistant Touch-based Authentication on Mobile Devices
Neil Zhenqiang Gong, Mathias Payer, Reza Moazzezi, and Mario Frank.
In AsiaCCS'16: ACM Symp. on InformAtion, Computer and Communications Security, 2016 (presentation, DOI)

HexPADS: a platform to detect "stealth" attacks
Mathias Payer.
In ESSoS'16: Int'l. Symp. on Eng. Secure Software and Systems, 2016 (presentation, artifact evaluation award, source, DOI)

VTrust: Regaining Trust on Your Virtual Calls
Chao Zhang, Scott A. Carr, Tongxin Li, Yu Ding, Chengyu Song, Mathias Payer, and Dawn Song.
In NDSS'16: Network and Distributed System Security Symposium, 2016 (DOI)

Fine-Grained Control-Flow Integrity for Kernel Software
Xinyang Ge, Nirupama Talele, Mathias Payer, and Trent Jaeger.
In EuroSP'16: IEEE European Symposium on Security and Privacy, 2016 (DOI)

Control-Flow Bending: On the Effectiveness of Control-Flow Integrity2015
Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross.
In SEC'15: Usenix Security Symposium, 2015 (source)

Fine-Grained Control-Flow Integrity through Binary Hardening
Mathias Payer, Antonio Barresi, and Thomas R. Gross.
In DIMVA'15: Conference on Detection of Intrusions and Malware and Vulnerability Assessment, 2015 (presentation, DOI)

Don't Race the Memory Bus: Taming the GC Leadfoot
Ahmed Hussein, Antony L. Hosking, Mathias Payer, and Christopher A. Vick.
In ISMM'15: ACM SIGPLAN International Symposium on Memory Management, 2015 (DOI)

Impact of GC Design on Power and Performance for Android
Ahmed Hussein, Mathias Payer, Antony L. Hosking, and Christopher A. Vick.
In SYSTOR'15: ACM International Systems and Storage Conference, 2015 (DOI)

On Cybersecurity of Freeway Control Systems: Analysis of Coordinated Ramp Metering Attacks2014
Jack Reilly, Sebastien Martin, Mathias Payer, and Alexandre Bayen.
In TRB'14: Transportation Research Board, 2014

Code-Pointer Integrity
Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, Dawn Song, and R. Sekar.
In OSDI'14: Usenix Symposium on Operating Systems Design and Implementation, 2014 (source)

The Matter of Heartbleed
Zakir Durumeric, James Kasten, Frank Li, Nicolas Weaver, Vern Paxson, Michael Bailey, J. Alex Halderman, Jethro Beekman, Johanna Amann, Mathias Payer, and David Adrian.
In IMC'14: ACM Internet Measurement Conference, 2014 (best paper award, DOI)

JIGSAW: Protecting Resource Access by Inferring Programmer Intentions
Hayawardh Vijayakumar, Xinyang Ge, Mathias Payer, and Trent Jaeger.
In SEC'14: Usenix Security Symposium, 2014

HI-CFG: Construction by Binary Analysis, and Application to Attack Polymorphism2013
Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, and Dawn Song.
In ESORICS'13: European Symposium on Research in Computer Security, 2013 (presentation, source, DOI)

Hot-Patching a Web Server: a Case Study of ASAP Code Repair
Mathias Payer, and Thomas R. Gross.
In PST'13: IEEE Conference on Privacy, Security, and Trust, 2013 (presentation, best paper award, DOI)

Lightweight Memory Tracing
Mathias Payer, Enrico Kravina, and Thomas R. Gross.
In ATC'13: Usenix Annual Technical Conference, 2013 (presentation, source)

SoK: Eternal war in memory
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song.
In Oakland'13: IEEE International Symposium on Security and Privacy, 2013 (DOI)

Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata2012
Mathias Payer, and Thomas R. Gross.
In VEE'12: ACM International Conference on Virtual Execution Environments, 2012 (presentation, source, DOI)

Safe Loading - A Foundation for Secure Execution of Untrusted Programs
Mathias Payer, Tobias Hartmann, and Thomas R. Gross.
In Oakland'12: IEEE International Symposium on Security and Privacy, 2012 (presentation, source, DOI)

Fine-grained user-space security through virtualization2011
Mathias Payer, and Thomas R. Gross.
In VEE'11: ACM International Conference on Virtual Execution Environments, 2011 (presentation, source, DOI)

Performance evaluation of adaptivity in software transactional memory
Mathias Payer, and Thomas R. Gross.
In ISPASS'11: International Symposium on Performance Analysis of Systems and Software, 2011 (presentation, source, DOI)

Generating low-overhead dynamic binary translators2010
Mathias Payer, and Thomas R. Gross.
In SYSTOR'10: ACM International Systems and Storage Conference, 2010 (presentation, source, DOI)

Online optimization driven by hardware performance monitoring2007
Florian T. Schneider, Mathias Payer, and Thomas R. Gross.
In PLDI'07: ACM International Conference on Programming Language Design and Implementation, 2007 (DOI)

Journal and Magazine Publications

Comprehensive Memory Safety Validation: An Alternative Approach to Memory Safety2024
Kaiming Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, and Trent Jaeger.
In SP'24: IEEE Security and Privacy Magazine, 2024 (DOI)

DP-ACT: Decentralized Privacy-Preserving Asymmetric Digital Contact Tracing
Azra Abtahi Fahliani, Mathias Payer, and Amir Aminifar.
In PoPETs'24: Proceedings on Privacy Enhancing Technologies, 2024 (presentation, DOI)

Instruction-Level Power Side-Channel Leakage Evaluation of Soft-Core CPUs on Shared FPGAs2023
Ognjen Glamocanin, Shashwat Shrivastava, Jinwei Yao, Nour Ardo, Mathias Payer, and Mirjana Stojilovic.
In HaSS'23: Journal of Hardware and Systems Security, 2023 (source)

datAFLow: Toward a Data-Flow-Guided Fuzzer
Adrian Herrera, Mathias Payer, and Antony Hosking.
In TOSEM'23: ACM Transactions on Software Engineering and Methodology, 2023 (source, DOI)

Lessons from a Pandemic: Deploying Decentralized Privacy-Preserving Proximity Tracing2022
Carmela Troncoso, Dan Bogdanov, Edouard Bugnion, Sylvain Chatel, Cas Cremers, Seda Guerses, Jean-Pierre Hubaux, Dennis Jackson, James R. Larus, Wouter Lueks, Rui Oliveira, Mathias Payer, Bart Preneel, Apostolos Pyrgelis, Marcel Salathe, Theresa Stadler, and Michael Veale.
In CACM'22: Communications of the ACM, 2022 (DOI)

Secure Compilation (Dagstuhl Seminar 21481)2021
David Chisnall, Deepak Garg, Catalin Hritcu, and Mathias Payer.
In DAGSTUHL'21: Dagstuhl Reports, 2021 (DOI)

Early evidence of effectiveness of digital contact tracing for SARS-CoV-2 in Switzerland2020
Marcel Salathe, Christian Althaus, Nanina Anderegg, Daniele Antonioli, Talai Ballouz, Edouard Bugnion, Srdjan Capkun, Dennis Jackson, Sang-Il Kim, James Larus, Nicola Low, Wouter Lueks, Dominik Menges, Cederic Moullet, Mathias Payer, Julien Riou, Theresa Stadler, Carmela Troncoso, Effyj Vayena, and Viktor von Wyl.
In SMW'20: Swiss Medical Weekly, 2020 (DOI)

Decentralized Privacy-Preserving Proximity Tracing
Carmela Troncoso, Mathias Payer, Jean-Pierre Hubaux, Marcel Salathe, James R. Larus, Wouter Lueks, Theresa Stadler, Apostolos Pyrgelis, Daniele Antonioli, Ludovic Barman, Sylvain Chatel, Kenneth G. Paterson, Srdjan Capkun, David A. Basin, Jan Beutel, Dennis Jackson, Marc Roeschlin, Patrick Leu, Bart Preneel, Nigel P. Smart, Aysajan Abidin, Seda Guerses, Michael Veale, Cas Cremers, Michael Backes, Nils Ole Tippenhauer, Reuben Binns, Ciro Cattuto, Alain Barrat, Dario Fiore, Manuel Barbosa, Rui Oliveira, and Jose Pereira.
In DEB'20: IEEE Data Engineering Bulletin, 2020 (DP3T GitHub)

The Fuzzing Hype-Train: How Random Testing Triggers Thousands of Crashes2019
Mathias Payer.
In SP'19: IEEE Security and Privacy Magazine, 2019 (DOI)

Control-Flow Integrity: Precision, Security, and Performance2017
Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, and Mathias Payer.
In CSUR'17: ACM Computing Surveys, 2017 (arXiv, DOI)

Automatic Contract Insertion with CCBot2016
Scott A. Carr, Francesco Logozzo, and Mathias Payer.
In TSE'16: IEEE Transactions on Software Engineering, 2016 (source, DOI)

Creating Complex Congestion Patterns via Multi-objective Optimal Freeway Traffic Control with Application to Cyber-Security
Jack Reilly, Sebastien Martin, Mathias Payer, and Alexandre M. Bayen.
In TRB'16: Transportation Research Board, 2016 (DOI)

What You Submit is Who You Are: A Multi-Modal Approach for Deanonymizing Scientific Publications2014
Mathias Payer, Ling Huang, Neil Zhenqiang Gong, Kevin Borgolte, and Mario Frank.
In TIFS'14: IEEE Transactions on Information Forensics and Security, 2014 (DOI)

Eternal War in Memory
Laszlo Szekeres, Mathias Payer, Tao Wei, and R. Sekar.
In SP'14: IEEE Security and Privacy Magazine, 2014 (DOI)

Workshop Proceedings

TuneFuzz: adaptively exploring target programs2024
Han Zheng, Flavio Toffalini, and Mathias Payer.
In SBFT'24: Workshop on Search-Based and Fuzz Testing, 2024 (source)

SURGEON: Performant, Flexible and Accurate Re-Hosting via Transplantation
Florian Hofhammer, Marcel Busch, Qinying Wang, Manuel Egele, and Mathias Payer.
In BAR'24: Workshop on Binary Analysis Research, 2024 (distinguished paper award, source, DOI)

Creating Trust by Abolishing Hierarchies2023
Charly Castes, Adrien Ghosn, Neelu S. Kalani, Yuchen Qian, Marios Kogias, Mathias Payer, and Edouard Bugnion.
In HotOS'23: Workshop on Hot Topics in Operating Systems, 2023

Accurate Compiler and Optimization Independent Function Identification Using Program State Transformations
Derrick McKee, Nathan Burow, and Mathias Payer.
In BAR'23: Workshop on Binary Analysis Research, 2023 (presentation, source, DOI)

Attacks on CAN Error Handling Mechanism (Demo)2022
Khaled Serag, Vireshwar Kumar, Z. Berkay Celik, Rohit Bhatia, Mathias Payer, and Dongyan Xu.
In AUTOSEC'22: Automotive and Autonomous Vehicle Security Workshop, 2022 (attack video, defense video, DOI)

DatAFLow: Towards a Data-Flow-Guided Fuzzer
Adrian Herrera, Mathias Payer, and Antony L. Hosking.
In FUZZING'22: International Fuzzing Workshop, 2022

On the Insecurity of Vehicles Against Protocol-Level Bluetooth Threats
Daniele Antonioli, and Mathias Payer.
In WOOT'22: Usenix Workshop on Offensive Technologies, 2022

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy2020
Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, Antonio Bianchi, Mathias Payer, and Dongyan Xu.
In WOOT'20: Usenix Workshop on Offensive Technologies, 2020 (best paper award)

FirmFuzz: Automated IoT Firmware Introspection and Analysis2019
Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer.
In IOTSP'19: Workshop on the Internet of Things Security and Privacy, 2019 (presentation, source, DOI)

Employing Attack Graphs for Intrusion Detection
Frank Capobianco, Rahul George, Kaiming Huang, Trent Jaeger, Mathias Payer, Srikanth Krishnamurthy, Zhiyun Qian, and Paul Yu.
In NSPW'19: New Security Paradigms Workshop, 2019

libdetox: A Framework for Online Program Transformation2016
Mathias Payer.
In FEAST'16: Forming an Ecosystem Around Software Transformation, 2016

PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution
Andreas Follner, Alexandre Bartel, Hui Peng, Yu-Chen Chang, Kyriakos Ispoglou, Mathias Payer, and Eric Bodden.
In STM'16: International Workshop on Security and Trust Management, 2016 (source, DOI)

malWASH: Washing malware to evade dynamic analysis
Kyriakos Ispoglou, and Mathias Payer.
In WOOT'16: Usenix Workshop on Offensive Technologies, 2016

CAIN: Silently Breaking ASLR in the Cloud2015
Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross.
In WOOT'15: Usenix Workshop on Offensive Technologies, 2015 (advisory, blog post)

The Correctness-Security Gap in Compiler Optimization
Vijay D'Silva, Mathias Payer, and Dawn Song.
In LangSec'15: Language-theoretic Security IEEE Security and Privacy Workshop, 2015 (presentation, best paper award, DOI)

DynSec: On-the-fly Code Rewriting and Repair2013
Mathias Payer, Boris Bluntschli, and Thomas R. Gross.
In HotSWUp'13: Usenix Workshop on Hot Topics in Software Upgrades, 2013 (presentation)

String Oriented Programming: When ASLR is Not Enough
Mathias Payer, and Thomas R. Gross.
In PPREW'13: Program Protection and Reverse Engineering Workshop, 2013 (presentation, DOI)

LLDSAL: A Low-Level Domain-Specific Aspect Language for Dynamic Code-Generation and Program Modification2012
Mathias Payer, Boris Bluntschli, and Thomas R. Gross.
In DSAL'12: AOSD workshop on Domain-Specific Aspect Languages, 2012 (presentation, DOI)

Requirements for Fast Binary Translation2009
Mathias Payer, and Thomas R. Gross.
In AMAS-BT'09: Workshop on Architectural and Microarchitectural Support for Binary Translation, 2009 (presentation, source)

Books and Chapters

Software Security: Principles, Policies, and Protection (SS3P)2018
Mathias Payer.
In SS3P'18: Open Textbook, 2018 (book)

How Memory Safety Violations Enable Exploitation of Programs
Mathias Payer.
In ArmsRace'18: The Continuing Arms Race, 2018 (DOI)

Code-pointer Integrity
Volodymyr Kuznetzov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, and Dawn Song.
In ArmsRace'18: The Continuing Arms Race, 2018 (DOI)

Technical Reports and Hacker Conferences

DP3T - Decentralized Privacy-Preserving Proximity Tracing2020
Carmela Troncoso, Mathias Payer, Jean-Pierre Hubaux, Marcel Salathe, James R. Larus, Edouard Bugnion, Wouter Lueks, Theresa Stadler, Apostolos Pyrgelis, Daniele Antonioli, Ludovic Barman, Sylvain Chatel, Srdjan Capkun, Kenneth G. Paterson, David A. Basin, Jan Beutel, Dennis Jackson, Bart Preneel, Nigel Smart, Dave Singelee, Aysajan Abidin, Seda Guerses, Michael Veale, Cas Cremers, Michael Backes, Reuben Binns, Ciro Cattuto, Alain Barrat, Giuseppe Persiano, Dario Fiore, Manuel Barbosa, and Dan Boneh.
In TR'20: Technical Report, 2020 (DP3T GitHub)

From the Bluetooth Standard to Standard Compliant 0-days
Daniele Antonioli, and Mathias Payer.
In HardwearIO'20: Hardwear.IO Hardware Security Conference and Training, 2020

SMoTherSpectre: Exploiting speculative execution through port contention
Atri Bhattacharyya, and Mathias Payer.
In InsomniHack'20: InsomniHack Conference, 2020

No source, no problem! High speed binary fuzzing2019
Matteo Rizzo, and Mathias Payer.
In CCC'19: Chaos Communication Congress, 2019 (presentation, talk, source)

Type Confusion: Discovery, Abuse, Protection2018
Mathias Payer.
In SyScan360'18: Symposium on Security for Asia Network + 360, 2018 (presentation, source)

Type confusion: discovery, abuse, and protection2017
Mathias Payer.
In CCC'17: Chaos Communication Congress, 2017 (talk)

Protecting bare-metal smart devices with EPOXY
Mathias Payer.
In BalCCon'17: Balkan Computer Congress, 2017

Protecting bare-metal smart devices with EPOXY
Mathias Payer.
In SyScan360'17: Symposium on Security for Asia Network + 360, 2017 (presentation, source)

Control-Flow Hijacking: Are We Making Progress?
Mathias Payer.
In AsiaCCS'17: ACM Symp. on InformAtion, Computer and Communications Security, 2017 (presentation)

Memory Corruption: Why We Can't Have Nice Things2016
Mathias Payer.
In BalCCon'16: Balkan Computer Congress, 2016 (presentation, source)

New memory corruption attacks: why can't we have nice things?2015
Mathias Payer.
In CCC'15: Chaos Communication Congress, 2015 (presentation, source, talk)

Silently Breaking ASLR in the Cloud
Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross.
In BHEU'15: BlackHat Europe, 2015 (presentation)

Code-Pointer Integrity2014
Mathias Payer.
In CCC'14: Chaos Communication Congress, 2014 (presentation, talk)

Similarity-based matching meets Malware Diversity
Mathias Payer, Stephen Crane, Per Larsen, Stefan Brunthaler, Richard Wartell, and Michael Franz.
In arXiv'14: arXiv Technical Report, 2014 (arXiv Technical Report 2014)

Lockdown: Dynamic Control-Flow Integrity
Mathias Payer, Antonio Barresi, and Thomas R. Gross.
In TR'14: Technical Report, 2014 (DOI)

Embracing the New Threat: Towards Automatically Self-Diversifying Malware
Mathias Payer.
In SyScan360'14: Symposium on Security for Asia Network + 360, 2014 (presentation, source, first blog post, second blog post)

WarGames in Memory2013
Mathias Payer.
In CCC'13: Chaos Communication Congress, 2013 (presentation, talk)

Triggering Deep Vulnerabilities Using Symbolic Execution
Mathias Payer.
In CCC'13: Chaos Communication Congress, 2013 (presentation, talk, blog post)

Transformation-Aware Symbolic Execution for System Test Generation
Stephen McCamant, Mathias Payer, Dan Caselden, Alex Bazhanyuk, and Dawn Song.
In TR'13: Technical Report, 2013

Transformation-aware Exploit Generation using a HI-CFG
Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, and Dawn Song.
In TR'13: Technical Report, 2013

Too much PIE is bad for performance2012
Mathias Payer.
In TR'12: Technical Report, 2012

String Oriented Programming - Circumventing ASLR, DEP, and Other Guards2011
Mathias Payer.
In CCC'11: Chaos Communication Congress, 2011 (presentation, talk)

I Control Your Code - Attack Vectors Through the Exes of Software-based Fault Isolation2010
Mathias Payer.
In CCC'10: Chaos Communication Congress, 2010 (presentation, talk)

adaptSTM - An Online Fine-Grained Adaptive STM System
Mathias Payer, and Thomas R. Gross.
In TR'10: Technical Report, 2010 (source)

secuBT: Hacking the Hackers with User-Space Virtualization2009
Mathias Payer.
In CCC'09: Chaos Communication Congress, 2009 (presentation, source)

Theses

Safe Loading and Efficient Runtime Confinement: A Foundation for Secure Execution2012
Mathias Payer.
In ETH Zurich Dr. sc. Thesis (DOI)

Adaptive Optimization Using Hardware Performance Monitors2006
Mathias Payer.
In ETH Zurich Master Thesis (presentation)

Building a client/server multimedia-kiosk using pxe, root-over-nfs, mozilla, and a CMS a.k.a. Multimedia Kiosk revisited2005
Mathias Payer.
In ETH Zurich Term project report

Implementation of a Bluetooth Stack for BTnodes and Nut/OS Version 0.92004
Mathias Payer.
In ETH Zurich Term project report