Memory sanitizers are powerful tools to detect spatial and temporal memory errors, such as buffer overflows and use-after-frees. Fuzzers and software testers often rely on these tools to discover the presence of bugs. Sanitizers, however, struggle with high runtime overhead as a result of having to perform expensive checks to validate memory accesses. These checks involve at least a memory lookup, a comparison, and a conditional branch instruction.
In this talk, we introduce FloatZone, a compiler-based sanitizer to detect spatial and temporal memory errors in C/C++ programs using lightweight checks that leverage the Floating PointUnit (FPU). With FloatZone, we show that the combined effects of “lookup, compare, and branch” can be achieved with a single floating point addition that triggers an underflow exception in the case of a memory violation.
This novel method to detect illegal accesses greatly improves performance by avoiding the drawbacks of traditional comparisons: it prevents branch mispredictions, enables higher instruction-level parallelism due to offloading to the FPU, and also reduces the cache miss rate due to the lack of shadow memory.

Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, the updated cookie standard RFC6265bis improved the Secure attribute and introduced cookie prefixes to strengthen cookie integrity against network and same-site attackers, whereas the SameSite attribute has been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant.
In this talk, we will focus on real-world security implications of cookie integrity issues and show how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). Our research contributed to updates to the cookies standard, 12 CVEs, and 30 vulnerability disclosures affecting browsers (Firefox and Chrome), major Web development frameworks (Express, lask, Symfony, Fastify, etc.), and server-side programming languages and middlewares (PHP, Werkzeug). We will show how these vulnerabilities can be exploited by introducing novel cookie tossing techniques, and present our new CORF token fixation attack, which bypasses common implementations of the synchronizer token pattern CSRF protection mechanism. We will conclude by discussing the mitigations adopted after our coordinated disclosure with the affected vendors.

CTF (Capture The Flag) is often criticized as having no practical application. However, we believe that the skills and techniques learned in CTF competitions can, in fact, play a critical role in real-world software security. In this presentation, we will introduce several real-world PyJail cases that we've discovered. In CTF, PyJail refers to a restricted Python environment, and participants aim to bypass these restrictions to obtain a "flag." Similar scenarios exist in the real world.
We will categorize the PyJail cases we encounter into two major types. The first is the "code execution jail," where users can provide code, but it runs in a restricted environment to prevent abuse of malicious code. The second type is the "deserialization jail." In some Python serialization formats, deserialization may involve specific operational behaviors, and we need to execute arbitrary code or perform other dangerous actions within limited operations.
We will delve deep into these implementation types and share the real-world cases we've found, as well as how we successfully bypassed these restrictions. This presentation will help participants better understand how CTF techniques can translate into practical software security practices in the real world.