Written by: Sharla Horton
November 12, 2024

Micah Flack (Dakota State University), Dr. Bramwell Brizendine (UAH), Shiva Shashank Kusuma (UAH), Sriabhinay Kusuma (UAH)

Bramwell Brizendine, an Assistant Professor in the Computer Science Department in the College of Science at the University of Alabama in Huntsville, recently presented at DEF CON and Black Hat Arsenal, two of the top cybersecurity conferences in the world. Shiva Shashank Kusuma, who graduated with a Master's in Computer Science in May 2024, joined Brizendine at DEF CON and co-presented with him. Brizendine has presented five times at DEF CON, and Kusuma has co-presented twice.

The conferences draw tens of thousands of attendees from around the globe and are held simultaneously in Las Vegas. While thousands of individuals apply to present at DEF CON, only a select few are chosen. While DEF CON is not an academic conference or a traditional venue for publishing academic research, academic speakers often showcase their work at the conference and later find a formal academic venue for publication.

Brizendine explained the highly competitive process for presenting research at DEF CON. “As DEF CON routinely attracts up to 30,000 people each year, you might be speaking in a room with up to 1,000 people or more,” he says. “So if your research is high quality, but too niche or esoteric to attract an audience, it likely wouldn't be selected for DEF CON. As DEF CON attracts thousands of submissions, the review process is extremely competitive, often more so than top academic journals. While DEF CON is not a traditional venue for publishing academic research, academics often showcase their work there and later find a formal academic venue for publication.”

“For someone working in cybersecurity, it is always an aspiration to be at Black Hat and DEF CON, to be present and engage with the dissemination of cutting-edge research in the community,” states Brizendine.

Brizendine and Kusuma presented on "Techniques for Creating Process Injection Attacks with Advanced Return-Oriented Programming." This presentation was related to their ongoing research on code-reuse attacks and Return-Oriented Programming (ROP), a computer security exploit technique.

“Much of my work has focused on code-reuse attacks,” explains Brizendine. “Think of it like a stereotypical ransom note, where each letter is cut from different pages of magazines or newspapers to compose a message. In code-reuse attacks, the goal is typically to achieve arbitrary code execution and perform unintended actions by repurposing small snippets of existing code.”

Brizendine explained that ROP is commonly used to bypass security measures, particularly in Microsoft Windows environments. “In our research,” he says, “we aimed to push the boundaries of what can be done via ROP, by performing a highly complex set of actions involving numerous Windows API (WinAPI) calls to achieve highly sophisticated, malicious functionality.”

Specifically, the research leveraged more than 30 distinct WinAPI functions to explore multiple methods of process injection, a technique that injects code into a running program to execute it. “For instance, an attacker could compromise Microsoft Word and use it to inject malicious code into another process, such as Discord,” says Brizendine.

The research, which focused on software exploitation, introduced a practical methodology for achieving process injection through a range of innovative techniques. Operating at a low level, the researchers mapped out every possible way to invoke each Windows API (WinAPI) function using Return-Oriented Programming (ROP). For some WinAPIs, there were as many as a dozen distinct methods for invocation, many of which had never been previously discovered or documented. This contributed to highly novel offensive security research, filling significant gaps in the field.

“The outcome is that if someone wants to attempt process injection via ROP, much of the previously undocumented process has now been established,” explains Brizendine.

Brizendine says he pioneered a method to effectively create custom ROP gadgets, enabling much more complex operations and making process injection achievable via ROP. “In short, we pushed the boundaries of what is feasible to be done purely via ROP in a highly protected Windows environment. Ordinarily, one might simply try to bypass DEP, allowing shellcode to be executed. We eliminated the need for shellcode or to bypass DEP, allowing for advanced arbitrary functionality to be performed.”

When asked how students benefit from the conference, Brizendine explained that students who watch the conference videos online may develop a stronger interest in cybersecurity courses, potentially more so than they would have without the exposure. “I sometimes bring my cutting-edge research into the classroom, which students get very excited about, though much of my research is fairly advanced and not always easy or practical to incorporate.”

“This work also benefits UAH students like Shiva, who participate in the research and then go on to present at these top conferences themselves. This can significantly enhance a student's profile. For example, many people in Las Vegas at Black Hat and DEF CON were very interested in what Shiva had accomplished by presenting at two DEF CON conferences, providing him with a network of contacts to pursue opportunities after graduation.”

Having presented 18 times at top cybersecurity conferences around the world, Brizendine says he believes it’s very important to participate in the top conferences. He has also presented at Hack in the Box and Virus Bulletin. “I have continuously tried to push the limits of what is possible with software exploitation—some of which is publicly known and some not—and to introduce new innovations and techniques in reverse engineering,” he says.

“I strive to bring this excitement to students—both those who work with me and those in the classroom—to instill a sense of wonder and encourage them to go significantly beyond the boundaries of traditional coursework. Historically, this has led to my students presenting their own work at Black Hat, with or without my assistance, or pursuing a Ph.D. they would not have otherwise considered without my encouragement.”