Moritz Schloegel

Profile

I'm a security researcher and postdoctoral researcher in Thorsten Holz' group at CISPA Helmholtz Center for Information Security. I've completed my PhD in May 2024. Before switching to CISPA in early 2023, I was located at Ruhr University Bochum.

My research interests focus on automating the pipeline of finding bugs in programs, understanding them, and exploiting them. Currently, I spend most of my time on improving fuzzing, such that we can find more bugs in less time.

Beyond working with bugs, I'm interested in (de-)obfuscation, especially focusing on automated deobfuscation attacks and how to break them.

I like sharing our research and have spoken at various conferences, for example, at REcon'22 Montreal together with Tim Blazytko about the future of VM-based obfuscation.

Besides my research, I have helped shaping and teaching courses on Systems Security and Operating Systems Security at Ruhr University Bochum, where I also obtained my B.Sc. and M.Sc. in Computer Security from.

To help secure space systems, I'm the vice chair of the integration subgroup in the IEEE SA - P3349 - Standard for Space System Cybersecurity (S2CY). Our subgroup's goal is to facilitate secure interaction between segments (for example, a satellite and a ground station) and ensure proper testing.

For questions, discussion or collaboration, feel free to reach out via Twitter or email.

[publications] [talks] [media coverage]

Publications

2024

DarthShader: Fuzzing WebGPU Shader Translators & Compilers
Lukas Bernhard, Nico Schiller, Moritz Schloegel, Nils Bars, and Thorsten Holz
ACM Conference on Computer and Communications Security (CCS)
Distinguished Artifact Award
[pdf] [code] [artifact]

No Peer, no Cry: Network Application Fuzzing via Fault Injection
Nils Bars, Moritz Schloegel, Nico Schiller, Lukas Bernhard, and Thorsten Holz
ACM Conference on Computer and Communications Security (CCS)
[pdf] [code] [artifact]

Novelty Not Found: Adaptive Fuzzer Restarts to Improve Input Space Coverage
Nico Schiller, Xinyi Xu, Lukas Bernhard, Nils Bars, Moritz Schloegel, and Thorsten Holz
ACM Transactions on Software Engineering and Methodology
[pdf] [code]

Automated Program Analysis: Reproducibility, Flexibility Requirements, and Risks
Moritz Schloegel
Dissertation
[pdf]

SoK: Where to Fuzz? Assessing Target Selection Methods in Directed Fuzzing
Felix Weißberg, Jonas Möller, Tom Ganz, Erik Imgrund, Lukas Pirch, Lukas Seidel, Moritz Schloegel, Thorsten Eisenhofer, and Konrad Rieck
ACM ASIA Conference on Computer and Communications Security (AsiaCCS)
[pdf] [code]

VSAsTer: Uncovering Inherent Security Issues in Current VSAT System Practices
Johannes Willbold, Moritz Schloegel, Robin Bisping, Martin Strohmeier, Thorsten Holz, and Vincent Lenders
ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)
[pdf] [website]

A Binary-level Thread Sanitizer or Why Sanitizing on the Binary Level is Hard
Joschua Schilling, Andreas Wendler, Philipp Görz, Nils Bars, Moritz Schloegel, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [code]

Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities
Emre Güler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp Görz, Xinyi Xu, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [code]

SoK: Prudent Evaluation Practices for Fuzzing
Moritz Schloegel, Nils Bars, Nico Schiller, Lukas Bernhard, Tobias Scharnowski, Addison Crump, Arash Ale Ebrahim, Nicolai Bissantz, Marius Muench, and Thorsten Holz
IEEE Symposium on Security and Privacy (S&P)
Distinguished Paper Award
[pdf] [website] [slides] [video] [code]

Scaling Software Security Analysis to Satellites: Automated Fuzz Testing and Its Unique Challenges
Johannes Willbold, Moritz Schloegel, Florian Göhler, Tobias Scharnowski, Nils Bars, Simon Wörner, Nico Schiller, and Thorsten Holz
IEEE Aerospace Conference
[pdf] [website]

2023

Instructions Unclear: Undefined Behavior in Cellular Network Specifications
Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rupprecht, and Veelasha Moonsamy
USENIX Security Symposium (USENIX)
[pdf] [website] [data]

Hoedur: Embedded Firmware Fuzzing using Multi-Stream Inputs
Tobias Scharnowski, Simon Wörner, Felix Buchmann, Nils Bars, Moritz Schloegel, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [teaser] [code] [experiments]

Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge
Nils Bars, Moritz Schloegel, Tobias Scharnowski, Nico Schiller, and Thorsten Holz
USENIX Security Symposium (USENIX)
Distinguished Paper Award
Internet Defense Prize Runner-up
[pdf] [website] [video] [code]

Novelty Not Found: Adaptive Fuzzer Restarts to Improve Input Space Coverage (Registered Report)
Nico Schiller, Xinyi Xu, Lukas Bernhard, Nils Bars, Moritz Schloegel, and Thorsten Holz
International Fuzzing Workshop (FUZZING)
[pdf] [website] [code]

Space Odyssey: An Experimental Software Security Analysis of Satellites
Johannes Willbold, Moritz Schloegel, Manuel Vögele, Maximilian Gerhardt, Thorsten Holz, and Ali Abbasi
IEEE Symposium on Security and Privacy (S&P)
Distinguished Paper Award
[pdf] [slides] [code]

Drone Security and the Mysterious Case of DJI's DroneID
Nico Schiller, Merlin Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, and Thorsten Holz
Network and Distributed System Security Symposium (NDSS)
[pdf] [website] [code]

2022

Jit-Picking: Differential Fuzzing of JavaScript Engines
Lukas Bernhard, Tobias Scharnowski, Moritz Schloegel, Tim Blazytko, and Thorsten Holz
ACM Conference on Computer and Communications Security (CCS)
[pdf] [website] [code]

Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing
Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi
USENIX Security Symposium (USENIX)
Distinguished Artifact Award
[pdf] [website] [video] [code]

Loki: Hardening Code Obfuscation against Automated Attacks
Moritz Schloegel, Tim Blazytko, Moritz Contag, Cornelius Aschermann, Julius Basler, Thorsten Holz, and Ali Abbasi
USENIX Security Symposium (USENIX)
3rd place at CSAW Applied Research Competition 2022
[pdf] [website] [slides] [video] [code]

2021

Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains
Moritz Schloegel, Tim Blazytko, Julius Basler, Fabian Hemmer, and Thorsten Holz
European Symposium on Research in Computer Security (ESORICS)
[pdf] [website] [slides] [code]

2020

Aurora: Statistical Crash Analysis for Automated Root Cause Explanation
Tim Blazytko, Moritz Schloegel, Cornelius Aschermann, Ali Abbasi, Joel Frank, Simon Wörner, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [slides] [video] [code]

2019

Grimoire: Synthesizing Structure while Fuzzing
Tim Blazytko, Cornelius Aschermann, Moritz Schloegel, Ali Abbasi, Sergej Schumilo, Simon Wörner, and Thorsten Holz
USENIX Security Symposium (USENIX)
[pdf] [website] [slides] [video] [code]

2017

A Look at the Dark Side of Hardware Reverse Engineering -- A Case Study
Sebastian Wallat, Marc Fyrbiak, Moritz Schloegel, and Christof Paar
IEEE International Verification and Security Workshop (IVSW)
[pdf] [website]

Public Talks

2024

The Future of Reverse Engineering with Large Language Models
REcon Montreal
[website] [slides]

SoK: Prudent Evaluation Practices for Fuzzing
IEEE Symposium on Security and Privacy (S&P)
[slides] [video]

2023

Unchained Skies: A Deep Dive into Reverse Engineering and Exploitation of Drones
REcon Montreal
[website] [slides]

The Next Generation of Virtualization-based Obfuscators
HITBSecConf Amsterdam
[website] [slides] [video]

2022

Loki: Hardening Code Obfuscation against Automated Attacks
USENIX Security Symposium (USENIX)
[website] [slides] [video]

The Next Generation of Virtualization-based Obfuscators
REcon Montreal
[website] [slides] [video]

2019

Grimoire: Synthesizing Structure while Fuzzing
USENIX Security Symposium (USENIX)
[website] [slides] [video]