Fabian Yamaguchi

Chief Scientist

ShiftLeft Inc

About me

I am the Chief Scientist and a founding team member at ShiftLeft since January 2017. Prior to taking this position, I worked as a PostDoc at the Institute of Systems Security, TU Braunschweig, and the Computer Security Group at the University of Goettingen. Before joining University of Goettingen, I worked as a Security Consultant and Vulnerability Researcher for Recurity Labs GmbH, Berlin.

My research interests revolve around program analysis, large-scale data processing, and machine learning. At ShiftLeft, my team works on vulnerability discovery at scale, by combining static and dynamic program analysis and bringing these techniques from single machines to clusters.

Interests

Computer security
Program analysis
Machine learning

Education

PhD in Computer Science, 2015

Georg-August Universitaet Goettingen
Dipl.-Ing. in Computer Engineering, 2011

Technische Universitaet Berlin

Selected Publications

Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-bit Platforms

Christian Wressnegger, Fabian Yamaguchi, Alwin Maier, Konrad Rieck

ACM Conference on Computer and Communications Security (CCS), 2016

PDF

Pattern-Based Vulnerability Discovery

Fabian Yamaguchi - CAST/GI Dissertation Award

Dissertation, 2015

PDF

Automatic Inference of Search Patterns for Taint-Style Vulnerabilities

Fabian Yamaguchi, Alwin Maier, Hugo Gascon, Konrad Rieck

IEEE Symposium on Security and Privacy (S&P), 2015

PDF

Modeling and Discovering Vulnerabilities with Code Property Graphs

Fabian Yamaguchi, Nico Golde, Daniel Arp, Konrad Rieck

IEEE Symposium on Security and Privacy (S&P), 2014

PDF

Generalized Vulnerability Extrapolation using Abstract Syntax Trees

Fabian Yamaguchi, Markus Lottmann, Konrad Rieck - Outstanding Paper Award

Annual Computer Security Applications Conference (ACSAC), 2012

PDF

All Publications

Aylin Caliskan, Fabian Yamaguchi, Edwin Tauber, Richard Harang, Konrad Rieck, Rachel Greenstadt, Arvind Narayanan. When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries.. Network and Distributed System Security Symposium (NDSS), 2018.

Bhargava Shastry, Markus Leutner, Tobias Fiebig, Kashyap Thimmaraju, Fabian Yamaguchi, Konrad Rieck, Stefan Schmid, Jean-Pierre Seifert, Anja Feldmann. Static Program Analysis as a Fuzzing Aid. Symposium on Research in Attacks, Intrusions, and Defenses (RAID), 2017.

Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, Fabian Yamaguchi. Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery. USENIX Workshop on Offensive Technologies (WOOT), 2017.

Bhargava Shastry, Federico Maggi, Fabian Yamaguchi, Konrad Rieck, Jean-Pierre Seifert. Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing. USENIX Workshop on Offensive Technologies (WOOT), 2017.

Christian Wressnegger, Kevin Freeman, Fabian Yamaguchi, Konrad Rieck. Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks. ACM Asia Conference on Computer and Communications Security (ASIACCS), 2017.

Michael Backes, Konrad Rieck, Malte Skoruppa, Ben Stock, Fabian Yamaguchi. Efficient and Flexible Discovery of PHP Application Vulnerabilities. IEEE European Symposium on Security and Privacy (EuroS&P), 2017.

Christian Wressnegger, Fabian Yamaguchi, Alwin Maier, Konrad Rieck. Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-bit Platforms. ACM Conference on Computer and Communications Security (CCS), 2016.

Christian Wressnegger, Fabian Yamaguchi, Daniel Arp, Konrad Rieck - Best Paper Award. Comprehensive Analysis and Detection of Flash-based Malware. Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2016.

Bhargava Shastry, Fabian Yamaguchi, Konrad Rieck, Jean-Pierre Seifert. Towards Vulnerability Discovery Using Staged Program Analysis. Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2016.

Fabian Yamaguchi - CAST/GI Dissertation Award. Pattern-Based Vulnerability Discovery. Dissertation, 2015.

Hugo Gascon, Christian Wressnegger, Fabian Yamaguchi, Daniel Arp, Konrad Rieck. Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols. International Conference on Security and Privacy in Communication Networks (SECURECOMM), 2015.

Henning Perl, Daniel Arp, Sergey Dechand, Sascha Fahl, Yasemin Acar, Fabian Yamaguchi, Konrad Rieck, Matthew Smith. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. ACM Conference on Computer and Communications Security (CCS), 2015.

Aylin Caliskan-Islam, Richard Harang, Andrew Liu, Arvind Narayanan, Clare Foss, Fabian Yamaguchi, Rachel Greenstadt. De-anonymizing Programmers via Code Stylometry. USENIX Security Symposium (SEC), 2015.

Fabian Yamaguchi, Alwin Maier, Hugo Gascon, Konrad Rieck. Automatic Inference of Search Patterns for Taint-Style Vulnerabilities. IEEE Symposium on Security and Privacy (S&P), 2015.

Daniel Arp, Fabian Yamaguchi, Konrad Rieck. Torben: A Practical Side-Channel Attack for Deanonymizing Tor Communication. ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2015.

Fabian Yamaguchi, Nico Golde, Daniel Arp, Konrad Rieck. Modeling and Discovering Vulnerabilities with Code Property Graphs. IEEE Symposium on Security and Privacy (S&P), 2014.

Fabian Yamaguchi, Christian Wressnegger, Hugo Gascon, Konrad Rieck. Chucky: Exposing Missing Checks in Source Code for Vulnerability Discovery. ACM Conference on Computer and Communications Security (CCS), 2013.

Hugo Gascon, Fabian Yamaguchi, Daniel Arp, Konrad Rieck. Structural Detection of Android Malware using Embedded Call Graphs. Workshop on Artificial Intelligence and Security (AISEC), 2013.

Fabian Yamaguchi, Markus Lottmann, Konrad Rieck - Outstanding Paper Award. Generalized Vulnerability Extrapolation using Abstract Syntax Trees. Annual Computer Security Applications Conference (ACSAC), 2012.

Fabian Yamaguchi, Felix Lindner, Konrad Rieck. Vulnerability Extrapolation: Assisted Discovery of Vulnerabilities using Machine Learning. USENIX Workshop on Offensive Technologies (WOOT), 2011.

Recent Talks

A Practical Introduction to the Code Analysis Platform Joern

Nov 16, 2019 9:00 AM

Huawei Bug Bounty Conference

PDF

Elegant and Scalable Code Querying with Code Property Graphs

Oct 4, 2019 9:00 AM

Connected Data London

PDF Video

The interactive vulnerability hunting shell Ocular

Dec 20, 2018 9:00 AM

ShiftLeft Webinar

PDF Video

Large-scale pattern-based vulnerability discovery (invited talk)

Jul 25, 2018 9:00 AM

Trend Micro AI Camp

Code Property Graphs - A modern queryable representation for code

May 5, 2018 3:30 PM

O’Reilly Strata

PDF

Field Report on a Zero-Day Machine

Feb 5, 2018 12:00 PM

Offensive Con

Video

How machine learning can be used to write more secure computer programs

Jan 18, 2018 3:30 PM

O’Reilly Data Show Podcast

Video

Mining for bugs with graph database queries

Dec 28, 2014 9:00 AM

31C3

PDF Video

Awards

2016: CAST/GI Dissertation Award
2016: German Prize for IT Security 2016 (2nd place)
2016: Best Paper Award at DIMVA
2012: Outstanding Paper Award at ACSAC
2001: Ars Digita Prize

Services

2018: PC Member - ACSAC, GreHack, ICIMP
2017: PC Member - ACSAC, ROOTS
2016: PC Member - ARES, IMPS, STM
2015: PC Member - ARES, ECTCM
2015: Publicity Co-Chair: SECURECOMM
2014: PC Member - WOOT, ECTCM

Contact

fabs@phenoelit.de
fabianyamaguchi
Albrechtstr. 19, 10117 Berlin