Carter Yagemann

Assistant Professor of Computer Science and Engineering at the Ohio State University with interests in automated vulnerability discovery, root cause analysis, exploit prevention, and cyber-physical security.

Security Articles


Paper Accepted to ACM CCS 2018

A paper I co-authored has been accepted to the 25th ACM Conference on Computer and Communications Security (CCS'18) being held in Toronto, Canada from October 15, 2018 to October 19, 2018. Title: Enforcing Unique Code Target Property for Control-Flow Integrity Authors: Hong Hu, Chenxiong Qian, Carter Yagemann, Simon Pak Ho …

Weird Things Are Afoot In The Honeypot

Here's something you don't see every day. The logs from my SSH honeypot show someone brute-forcing the password for root and then executing: ls /data/data/com.android.providers.telephony/databases This is a strange directory to look for because it's where Android devices store the SQLite databases for SMS …

EFF and EFAIL: An Example of Hype Culture Gone Awry

I usually try to keep my blog posts technical and free of politics, but I can't hide my frustration over EFF's response to today's release of the EFAIL vulnerability. If you haven't heard by now, EFAIL is the name of a vulnerability having to do with how email clients like …

How ASLR Helps Enable Exploits (CVE-2013-2028)

The other day I was playing around with CVE-2013-2028 along with my peer Hong Hu when we came across something odd: CVE-2013-2028 is only exploitable on 64-bit GNU/Linux when ASLR is enabled. After confirming this observation multiple times, we were left very surprised. How could ASLR possibly worsen the …

Windows _EX_FAST_REF Pointers and Virtual Machine Introspection

Last week I was working on a VMI-based malware unpacker for Linux and Windows when I came across an interesting problem. I was trying to implement a method that would, given a virtual address and process ID, return the address range of the memory segment it belongs to using VMI …

Of Fancy Bears and Men: Attribution in Cybersecurity

I wrote a guest blog post for Georgia Tech's Internet Governance Project (IGP) on the topic of attack attribution. You can read the post here: http://www.internetgovernance.org/2017/03/09/of-fancy-bears-and-men-attribution-in-cybersecurity/

Apple vs. the FBI

Originally written for the Syracuse University College of Engineering blog. In the wake of the tragic shooting in San Bernardino, many questions remain and people want answers. It seemed like a breakthrough in the investigation was imminent when the FBI got their hands on one of the shooters’ iPhone, only …

Understanding Dell’s Root Certificate Problem

Originally written for the Syracuse University College of Engineering blog. A recent discovery in the security community has researchers concerned about Dell devices. Some of these devices have been found to contain something known as a self signed root certificate. Installed by the manufacturer for advertising purposes, these certificates pose …

Students Compete in RIT Cybersecurity Competition

Originally written for the Syracuse University College of Engineering blog. Last weekend, I had the opportunity to compete in the first-ever Collegiate Pentesting Competition along with five other members from the iSchool's Information Security Club. Hosted by RIT, this competition places competing university teams in the role of security consulting …