Dr. Fatih Kilic


now at dormakaba Holding AG

My CV can be seen on XING.

Research Interests

I am interested in application security and security in games. Over the last years I have focused on the topics reverse engineering, web application security, format string attacks, and binary exploitation techniques and their countermeasures. In my dissertation I built a solution for security investigations in an encrypted environment. Proofs of concept were built for the x86 and ARM architectures, and the supported operating systems are Microsoft Windows and Linux. For my research regarding virtual machine introspection (VMI) I used the KVM and Xen hypervisors.


iDeFEND: Intrusion Detection Framework for Encrypted Network Data

Network Intrusion Detection Systems have been used for many years to inspect network data and to detect intruders. Nowadays, encryption is used more and more often to protect the confidentiality of network data. When end-to-end encryption is applied, Network Intrusion Detection Systems are blind and cannot protect against attacks. iDeFEND is a framework for inspecting encrypted network data without breaking the security model of end-to-end encryption. It does not require any source code of the involved applications and thereby also protects closed-source applications. The framework works independently of the encryption key in use.

iDeFEND works at a level above the encryption and hence does not require information on the underlying algorithm, the key, or even the source code. The framework focuses on detecting and hooking functions. It is based on the assumption that a wrapper function for encrypting and sending and a wrapper function for receiving and decrypting exist. Knowing these functions makes it possible to extract the plaintext before encryption and after decryption. A detector module is responsible for locating the wrapper functions in memory. Afterwards a collector module extracts the plaintext data at every call of these functions and passes the data to the monitor module.
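The following Python sketch is an added illustration of the collector/monitor split described above; it is not iDeFEND's code. The application, its placeholder XOR cipher and the two wrapper functions are constructed stand-ins, and rebinding the wrapper names in a namespace stands in for hooking the functions the detector has located in process memory; the framework never sees the key.

```python
import re

# --- stand-in application (closed source from the framework's point of view) ---
_KEY = b"\x5a\xc3\x19\xee"                       # known only to the application
def _cipher(buf: bytes) -> bytes:                # placeholder XOR cipher, constructed for the demo
    return bytes(b ^ _KEY[i % len(_KEY)] for i, b in enumerate(buf))
def send_encrypted(plaintext: bytes) -> bytes:   # wrapper: encrypt, then send
    return _cipher(plaintext)
def recv_decrypted(ciphertext: bytes) -> bytes:  # wrapper: receive, then decrypt
    return _cipher(ciphertext)

# --- monitor module: signature rules applied to plaintext only ---
RULES = {
    "sqli": re.compile(rb"(?i)union\s+select|'\s*or\s+1\s*=\s*1"),
    "traversal": re.compile(rb"\.\./\.\./"),
}

class Monitor:
    def __init__(self):
        self.alerts = []                         # (direction, rule, excerpt)
    def inspect(self, direction: str, plaintext: bytes) -> None:
        for name, rx in RULES.items():
            if rx.search(plaintext):
                self.alerts.append((direction, name, plaintext[:40]))

# --- collector module: hooks the wrappers the detector has located ---
def install_hooks(ns: dict, monitor: Monitor) -> None:
    """Replace the wrappers in namespace `ns` with collecting versions. Rebinding
    the names here stands in for patching the functions found in process memory."""
    send, recv = ns["send_encrypted"], ns["recv_decrypted"]

    def hooked_send(plaintext: bytes) -> bytes:
        monitor.inspect("out", plaintext)        # plaintext before encryption
        return send(plaintext)

    def hooked_recv(ciphertext: bytes) -> bytes:
        plaintext = recv(ciphertext)
        monitor.inspect("in", plaintext)         # plaintext after decryption
        return plaintext

    ns["send_encrypted"], ns["recv_decrypted"] = hooked_send, hooked_recv

def run_demo() -> list:
    """Benign outbound request, then a constructed hostile inbound request."""
    mon = Monitor()
    install_hooks(globals(), mon)
    send_encrypted(b"GET /index.html HTTP/1.1")
    recv_decrypted(_cipher(b"GET /../../etc/passwd HTTP/1.1"))   # arrives encrypted on the wire
    return mon.alerts
```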

X-TIER: Kernel Module Injection

X-TIER enables security applications residing within the hypervisor to inject kernel modules, also referred to as kernel drivers, into a running virtual machine (VM). An injected module will thereby, similar to a module that was loaded by the operating system (OS), be able to access all exported guest OS data structures and functions. In contrast to a normally loaded module, however, an injected module will be inaccessible to any other code residing within the VM. Even in the case that the injected module invokes a guest OS function, the function will neither be aware of the existence of the module nor be able to access any data of the module besides its function arguments. In fact, if a module constrains itself to only reading state information, its execution leaves no detectable traces within the VM (with the exception of timing attacks). A module may, however, apply selective changes to the state, for example, to remove a rootkit from a compromised system. Consequently, X-TIER provides a secure and elegant way for hypervisor-based security applications to bridge the semantic gap.

X-TIER is published as an open source project on Google Code. For additional information you may also consider reading our paper about X-TIER.

BinProtect: Retrospective Protection utilizing Binary Rewriting

BinProtect is a tool capable of transforming programs in binary form (ELF32) to retrospectively incorporate security mechanisms that were not integrated at compile time. Inspired by compile-time protection mechanisms, BinProtect integrates four security hardening measures, briefly described in the following:

  • First, BinProtect hardens calls to unsafe standard C library functions (e.g. strcpy(), gets(), sprintf(), ...). For this, binaries are transformed in such a way that calls to the statically or dynamically linked standard C library are intercepted and replaced by hardened wrapper implementations (the wrapper implementations are not part of our project).
  • Second, BinProtect transforms binary objects so that they become able to detect potential buffer overflows. For this, the prologue and epilogue of functions are extended: the prologue dynamically stores the function's return address in a dedicated memory region (the shadow stack), and the epilogue detects potential buffer overflows by matching the return address with its associated copy on the shadow stack.
  • Third, BinProtect integrates a special ELF program header into binaries so that the Linux kernel will mark pages associated with the stack region as non-executable.
  • Fourth, to eliminate malicious manipulation of the Global Offset Table (GOT), BinProtect enforces full RELRO (RELocation Read-Only) behavior. For this, the lazy binding mechanism of the linker is deactivated so that all relocations are performed at load time. Then, parts of the GOT are relocated within the binary itself so that they can be marked as read-only after the load-time relocations have been performed. Finally, additional functionality is injected into binary objects so that the particular memory regions containing the GOT are marked as read-only.

BinProtect is published as an open source project on GitHub. For additional information you may also consider reading our paper about BinProtect.
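As an added example (not BinProtect's own code), the following Python checker verifies two of the properties BinProtect retrofits, a non-executable stack (third measure) and full RELRO (fourth measure), by parsing the ELF32 program headers and the dynamic section; the two sample images are constructed inline and `build_elf32` is a helper written for this demo.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
DT_FLAGS_1, DF_1_NOW = 0x6FFFFFFB, 0x1

def elf32_hardening(data: bytes) -> dict:
    """Return the NX-stack and RELRO state of an ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:           # EI_MAG and EI_CLASS == ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = "<" if data[5] == 1 else ">"                     # EI_DATA selects endianness
    e_phoff = struct.unpack(end + "I", data[28:32])[0]
    e_phentsize, e_phnum = struct.unpack(end + "HH", data[42:46])
    nx_stack, has_relro, bind_now = False, False, False    # no PT_GNU_STACK: loader allows an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack(end + "8I", data[off:off + 32])
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)                # measure 3: stack pages not executable
        elif p_type == PT_GNU_RELRO:
            has_relro = True                               # region the loader remaps read-only
        elif p_type == PT_DYNAMIC:                         # look for the lazy-binding opt-out
            for d in range(p_offset, p_offset + p_filesz, 8):
                d_tag, d_val = struct.unpack(end + "iI", data[d:d + 8])
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True                        # measure 4: all relocations at load time
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"nx_stack": nx_stack, "relro": relro}

def build_elf32(phdrs, dyn_tags) -> bytes:
    """Constructed minimal ELF32 image: header, program headers, .dynamic entries.
    phdrs = [(p_type, p_flags), ...]; a PT_DYNAMIC header is appended automatically."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_tags) + struct.pack("<iI", DT_NULL, 0)
    n = len(phdrs) + 1
    dyn_off = 52 + 32 * n                                  # .dynamic follows the program headers
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, n, 40, 0, 0)
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    body += struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 0x6, 4)
    return ehdr + body + dyn

# Constructed samples: a stock unhardened ELF32 and what a BinProtect-style output would carry.
UNHARDENED = build_elf32([(PT_GNU_STACK, 0x7)], [])                       # RWX stack, lazy binding
HARDENED = build_elf32([(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)], [(DT_FLAGS, DF_BIND_NOW)])
```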


Supervised Theses

  • Function Matching using Call Graph Heuristics on Binaries
  • Enhancing Function Identification by Processing Call Traces
  • Identification of Data Structures using Dynamic Binary Analysis
  • Binary Instrumentation of Games using PIN
  • Improving the performance of data capturing in closed source binaries by reducing the traffic to the database
  • Application Debugging using Virtual Machine Introspection
  • Client side cheat detection in games using machine learning
  • Evaluation of the iOS Security Concept with a Focus on Code Signing
  • Comparison of Functions by Static Binary Code Analysis Based on Data Structures
  • Evaluation of Browser Technologies with Regard to End-User Security
  • HTML5 Security Evaluation with a Focus on the New Features
  • Analysis of Novel Malware Threats to the Android Platform and Their Impact


Publications

2017 Security Testing over Encrypted Channels on the ARM Platform
2016 Interactive Function Identification Decreasing the Effort of Reverse Engineering
2015 iDeFEND: Intrusion Detection Framework for Encrypted Network Data
     iDeFEND: Intrusion Detection Framework for Encrypted Network Data
     Retrospective Protection utilizing Binary Rewriting
     Blind Format String Attacks
2013 X-TIER: Kernel Module Injection