Hector Marco, PhD

Lecturer and CyberSecurity researcher

Hector Marco is an associate professor and cybersecurity researcher at the University of the West of Scotland, UK. He holds a PhD in Computer Science (Cybersecurity) from the Universitat Politecnica de Valencia, Spain. Hector is a senior member of the Institute of Electrical and Electronics Engineers (IEEE) and a member of the Engineering and Physical Sciences Research Council (EPSRC) in the UK. Previously, he was a research associate at the Universitat Politecnica de Valencia, where he co-founded the "cybersecurity research group". Hector was part of the team developing the multi-processor version of the XtratuM hypervisor to be used by the European Space Agency in its spacecraft. He has participated in multiple research projects as Principal Investigator and Co-Investigator. Hector is the author of many papers on computer security and cloud computing. He has been invited multiple times to reputed cybersecurity conferences such as Black Hat and DeepSec. Hector has published more than 10 Common Vulnerabilities and Exposures (CVE) entries affecting important software such as the Linux kernel. He has received honors and awards from Google, Packet Storm Security and IBM for his security contributions to the design and implementation of the Linux ASLR. Hector's professional interests include low-level cybersecurity, kernel and userland security, virtualization security and applied cryptography.


Education


2015 | PhD in Computer Science, CyberSecurity | UPV
2010 | Master's degree, Industrial Computing and Control Systems | UPV
2009 | Bachelor of Science in Computer Science | UPV

Dissertation


Title :   CyberSecurity protection techniques to mitigate memory errors exploitation
Advisor :   Prof. Ismael Ripoll Ripoll

My thesis proposes practical and effective protection techniques that have been tested in real systems. I have developed RenewSSP, a modified SSP which prevents brute force attacks against the SSP on forking servers. I have also shown multiple weaknesses in the current SSP design in Android, which enabled me to design a new SSP named SSPMD. My proposal addresses all security issues caused by the Android architecture.

Regarding the ASLR, I have questioned the classic process memory model, and a new memory layout model has been proposed, which in turn allowed me to redesign the existing ASLR technique. ASLR Next Generation (ASLR-NG) is optimal in the sense that it provides the maximum entropy for the memory layout that the MMU supports, and it includes a novel solution to fragmentation.

Professional background


2016 - present | Lecturer and CyberSecurity researcher at UWS, United Kingdom
2009 - 2016 | CyberSecurity Researcher at UPV, Spain
2014 - 2014 | Visiting researcher at the Czech Technical University (CVUT), Prague
2007 - 2009 | Research fellow at UPV, Spain

Honors and awards

Date | Rewarded by | Description
Jul. 2016 | IBM Corp. | ASLR for Linux S390
Mar. 2016 | Google Inc. | ASLR improvement - Unlimiting the stack no longer disables ASLR
Sep. 2015 | Google Inc. | ASLR improvement - Fix of the offset2lib weakness
Aug. 2015 | Google Inc. | ASLR x86_64 improvement - Stack randomization
Jul. 2015 | Google Inc. | AMD Bulldozer ASLR improvement - Per-boot randomization
Apr. 2014 | Packet Storm Security | Offset2lib: Bypassing Full ASLR On 64bit Linux

Patents


Title :   Renew Stack Smashing Protector (RenewSSP)
Inventors :   Hector Marco & Ismael Ripoll
Date :   August 2013
Status :   Patentability analysis


Publications


return-to-csu: A New Method to Bypass 64-bit Linux ASLR [HTML]
Héctor Marco and Ismael Ripoll.
Black Hat Asia 2018, March 2018.

Abusing LUKS to Hack the System [+info]
Héctor Marco and Ismael Ripoll.
In-Depth Security Conference 2016 Europe (DeepSec 2016).

Exploiting Linux and PaX ASLR's Weaknesses on 32-bit and 64-bit Systems [HTML]
Héctor Marco and Ismael Ripoll.
Black Hat Asia 2016, March-April 2016.

Bypassing Trusted Code: Hacking GRUB [HTML]
Héctor Marco and Ismael Ripoll.
IX Jornadas STIC CCN-CERT, November 2015.

On the Effectiveness of Full-ASLR on 64-bit Linux [+info]
Héctor Marco and Ismael Ripoll.
In-Depth Security Conference 2014 Europe (DeepSec 2014).

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows [PDF]
Héctor Marco and Ismael Ripoll.
The 13th IEEE International Symposium on Network Computing and Applications (IEEE NCA14).

Preventing Memory Error Exploitation Through Emulation-based Processor Diversification [Book]
Héctor Marco, Ismael Ripoll, Juan-Carlos Ruiz and David De Andrés.
Emerging Trends in ICT Security, 1st Edition (ICT 2013).

Preventing brute force attacks against stack canary protection on networking servers [PDF]
Héctor Marco and Ismael Ripoll.
The 12th IEEE International Symposium on Network Computing and Applications (IEEE NCA13).

Preventing Memory Errors in Networked Vehicle Services Through Diversification [PDF]
Héctor Marco, Juan-Carlos Ruiz, David De Andrés and Ismael Ripoll.
Proceedings of the CARS Workshop (2nd Workshop on Critical Automotive Applications: Robustness & Safety) at the 32nd International Conference on Computer Safety, Reliability and Security (SAFECOMP 2013).

Code Vulnerability Analysis


Published Attacks

Date | Attack Name | Description | Platform
2018 | return-to-csu | Exploit and ropper patch soon. [Black Hat white paper] | 32/64-bit Linux
2014 | Offset2lib | Bypass 64-bit ASLR in < 1 second | 32/64-bit Linux
To be pub. | Jmp2non-ssp | Bypass the SSP | 32/64-bit Linux

Published Protection techniques

Date | Name | Description | Attack mitigated
2016 | ASLR-NG | Address Space Layout Randomization Next Generation | Offset2lib attack
2013 | RenewSSP | A modification of the Stack Smashing Protector | SSP brute force attacks

Published exploits

Date | Vendor | Description | Platform | Download
2015 | Glibc <= 2.22.90 | Bypass Pointer Mangle protection | Linux | [PoC]
2015 | Email Android 4.2 | Remote denial of service in the Android Email app | Android | [exploit]
2014 | Linux <= 3.18 | Offset2lib: Bypass 64-bit ASLR in < 1 second | Linux | [exploit]
2014 | Sniffit <= 0.3.7 | Sniffit stack buffer overflow - root shell | Linux | [exploit]
2013 | Glibc <= 2.17 | Glibc PTR Mangle encryption useless - PoC | Linux | [PoC]

Other Vulnerabilities

Date | Vendor | Description | Vulnerability type
2014 | Bash <= 4.3 | Root shell | Bash drop privileges failed
2014 | Bash <= 4.3 | Crash | Bash improper input handling
2014 | Irssi <= 8.16 | Root shell | Irssi drop privileges failed
To be pub. | Konica printer | To be pub. | To be pub.

Published CVEs

Date | CVE # | Product | Description | Vulnerability type
2015 | CVE-2019-9019 | To be disclosed | British Airways Entertainment System Chat App. Crash | To be disclosed
2016 | CVE-2016-4484 | cryptsetup <= 2:1.7.3-2 | Initrd root shell | Not failing securely
2016 | CVE-2016-3672 | Linux <= 4.5 | Disable ASLR | ASLR weakness
2015 | CVE-2015-8370 | Grub2 <= 2.02 | Authentication bypass | Integer underflow
2015 | CVE (pending) | Glibc <= 2.22.90 | Bypass pointer guard | Dynamic loader weakness
2015 | CVE (pending) | Linux ASLR <= 4.0 | AMD Linux ASLR weakness | Improper alignment
2015 | CVE (pending) | Linux ASLR <= 3.18 | Reduced mmap entropy | Improper mask manipulation
2015 | CVE-2015-1593 | Linux ASLR <= 3.19 | Reduced stack entropy | Integer overflow
2015 | CVE-2015-1574 | Google Email 4.2.2 | Denial of service | Incorrect headers handling
2015 | CVE (pending) | Android | To be disclosed | To be disclosed
2014 | CVE-2014-5439 | sniffit <= 0.3.7 | Root shell | Stack buffer overflow
2014 | CVE-2013-6825 | DCMTK <= 3.6.1 | Root privilege escalation | Drop privileges failed
2014 | CVE-2014-1226 | s3dvt <= 0.2.2 | Root shell (II) | Drop privileges failed
2013 | CVE-2013-6876 | s3dvt <= 0.2.2 | Root shell (I) | Drop privileges failed
2013 | CVE-2013-4788 | Glibc <= 2.17 | Bypass pointer guard | No pointer protection

Projects with active participation (most relevant)


Years | Project | Institution
2017 - 2020 | Slicenet - H2020-ICT-2016-2 | NATS
2017 - 2020 | 5G Video Lab | NATS
2014 - 2015 | Virtualisation Techniques applied to Computing Security | ITI
2012 - 2015 | High Integrity Partitioned Embedded Systems | UPV
2010 - 2012 | System Impact of Distributed Multicore systems (EADS) | UPV
2009 - 2011 | Securization of embedded systems | UPV
2008 - 2009 | TECOM: Trusted Embedded Computing | UPV
2008 - 2009 | Securization of distributed embedded systems | UPV

Technical Program Committee


Date | Journal/Conference | Activity | Website
2018 | DSS | Committee member | DSS 2018
2018 | JCICE | Committee member | JCICE 2018
2017 | CYBCONF | Committee member | CYBCONF 2017
2017 | ISNCC | Committee member | ISNCC 2017
2017 | SECUREWARE | Committee member | SECUREWARE 2017
2015 | JNIC | Committee member | JNIC 2015
2014 | ETACMOS | Committee member | ETACMOS 2014
2014 | 20th IEEE RTAS | Committee member | RTAS 2014
2012 | 6th LADC | Committee member | LADC 2013

Past personal projects


Title: NEXX: a hypervisor for ARM
Description: A tiny (and incomplete) ARM hypervisor which enables you to run both bare-metal and Linux partitions. I developed NEXX to learn operating system internals and hardware programming.
Title: STP: A Secure Trusted Partition
Description: Research prototype to merge TPM (Trusted Platform Module) concepts into a MILS (Multiple Independent Levels of Security/Safety) partitioned architecture implemented by means of hypervisor technology.