Full publication list

Conference Articles

  1. Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham. The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders, in Proceedings of the USENIX Security Symposium 2023. USENIX, Aug. 2023. [Details, PDF]
  2. Evan Johnson, Maxwell Bland, YiFei Zhu, Joshua Mason, Stephen Checkoway, Stefan Savage, and Kirill Levchenko. Jetset: Targeted Firmware Rehosting for Embedded Systems, in Proceedings of the USENIX Security Symposium 2021. USENIX, Aug. 2021. [Details, PDF]
  3. Sam Crow, Brown Farinholt, Brian Johannesmeyer, Karl Koscher, Stephen Checkoway, Stefan Savage, Aaron Schulman, Alex Snoeren, and Kirill Levchenko. Triton: A Software-Reconfigurable Federated Avionics Testbed, in Proceedings of the USENIX Workshop on Cyber Security Experimentation and Test 2019. USENIX, Aug. 2019. [Details, PDF]
  4. Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis. O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web, in Proceedings of USENIX Security 2018. USENIX, Aug. 2018. [Details, PDF]
  5. Paul D. Martin, David Russel, Malek Ben Salem, Stephen Checkoway, and Avi Rubin. Sentinel: Secure Mode Profiling and Enforcement for Embedded Systems, in Proceedings of the ACM/IEEE International Conference on Internet of Things Design and Implementation, 2018. ACM/IEEE, Apr. 2018. [Details, PDF]
  6. Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham. A Systematic Analysis of the Juniper Dual EC Incident, in Proceedings of the ACM Conference on Computer and Communications Security 2016, pp. 468–479. ACM Press, Oct. 2016. Best paper award. [Details, PDF]
  7. Michael Rushanan and Stephen Checkoway. Run-DMA, in Proceedings of the USENIX Workshop on Offensive Technologies. USENIX, Aug. 2015. [Details, PDF]
  8. Devin Lundberg, Brown Farinholt, Edward Sullivan, Ryan Mast, Stephen Checkoway, Stefan Savage, Alex C. Snoeren, and Kirill Levchenko. On the Security of Mobile Cockpit Information Systems, in Proceedings of the ACM Conference on Computer and Communication Security 2014. ACM Press, Nov. 2014. [Details, PDF]
  9. Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham. On the Practical Exploitability of Dual EC in TLS Implementations, in Proceedings of the USENIX Security Symposium 2014. USENIX, Aug. 2014. [Details, PDF]
  10. Matthew Brocker and Stephen Checkoway. iSeeYou: Disabling the MacBook Webcam Indicator LED, in Proceedings of the USENIX Security Symposium 2014. USENIX, Aug. 2014. [Details, PDF]
  11. Keaton Mowery, Eric Wustrow, Tom Wypych, Corey Singleton, Chris Comfort, Eric Rescorla, Stephen Checkoway, J. Alex Halderman, and Hovav Shacham. Security Analysis of a Full-Body Scanner, in Proceedings of the USENIX Security Symposium 2014. USENIX, Aug. 2014. [Details, PDF]
  12. Caroline Tice, Tom Roeder, Peter Collingbourne, Stephen Checkoway, Úlfar Erlingsson, Luis Lozano, and Geoff Pike. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM, in Proceedings of the USENIX Security Symposium 2014. USENIX, Aug. 2014. [Details, PDF]
  13. Stephen Checkoway and Hovav Shacham. Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface, in Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems 2013. ACM Press, Mar. 2013. [Details, PDF]
  14. Stephen Checkoway, Damon McCoy, Danny Anderson, Brian Kantor, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces, in Proceedings of the USENIX Security Symposium 2011. USENIX, Aug. 2011. Finalist for the 2011 NYU-Poly AT&T Best Applied Security Paper Award. [Details, PDF]
  15. Chris Kanich, Stephen Checkoway, and Keaton Mowery. Putting Out a HIT: Crowdsourcing Malware Installs, in Proceedings of the USENIX Workshop on Offensive Technologies 2011. USENIX, Aug. 2011. [Details, PDF]
  16. Sarah Meiklejohn, Keaton Mowery, Stephen Checkoway, and Hovav Shacham. The Phantom Tollbooth: Privacy-Preserving Electronic Toll Collection in the Presence of Driver Collusion, in Proceedings of the USENIX Security Symposium 2011. USENIX, Aug. 2011. [Details, PDF]
  17. Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. Return-Oriented Programming without Returns, in Proceedings of the ACM Conference on Computer and Communications Security 2010, pp. 559–572. ACM Press, Oct. 2010. [Details, PDF]
  18. Stephen Checkoway, Anand Sarwate, and Hovav Shacham. Single-Ballot Risk-Limiting Audits Using Convex Optimization, in Proceedings of the Electronic Voting Technology Workshop/Workshop on Trustworthy Elections 2010. USENIX/ACCURATE/IAVoSS, Aug. 2010. [Details, PDF]
  19. Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage. Experimental Security Analysis of a Modern Automobile, in Proceedings of the IEEE Symposium on Security and Privacy 2010, pp. 447–462. IEEE Computer Society, May 2010. [Details, PDF]
  20. Stephen Checkoway, Hovav Shacham, and Eric Rescorla. Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer, in Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats 2010. USENIX, Apr. 2010. [Details, PDF]
  21. Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage, in Proceedings of the Electronic Voting Technologies Workshop/Workshop on Trustworthy Elections 2009. USENIX/ACCURATE/IAVoSS, Aug. 2009. [Details, PDF]
  22. Weifeng Zhang, Steve Checkoway, Brad Calder, and Dean M. Tullsen. Dynamic Code Value Specialization Using the Trace Cache Fill Unit, in Proceedings of the IEEE International Conference on Computer Design 2006, pp. 10–16. IEEE Computer Society, Oct. 2006. [Details, PDF]

Journal Articles

  1. Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham. Where Did I Leave My Keys? Lessons from the Juniper Dual EC Incident, Communications of the ACM, vol. 61, no. 11, pp. 148–155, ACM, Oct. 2018. [Details, PDF]
  2. Anand Sarwate, Stephen Checkoway, and Hovav Shacham. Risk-Limiting Audits and the Margin of Victory in Nonplurality Elections, Statistics, Politics and Policy, vol. 4, no. 1, pp. 29–64, Jan. 2013. [Details, PDF]
  3. Stephen Checkoway. Portably solving the access(2)/open(2) race, Tiny Transactions on Computer Science, vol. 1, Sep. 2012. [Details, PDF]
  4. Stephen Checkoway, Hovav Shacham, and Eric Rescorla. Don’t take LaTeX files from strangers, ;login: The USENIX Magazine, vol. 35, no. 4, pp. 17–22, Aug. 2010. [Details, PDF]

Technical Reports

  1. Paul D. Martin, Michael Rushanan, Stephen Checkoway, Aviel D. Rubin, and Matthew D. Green. Classifying Network Protocol Implementation Versions: An OpenSSL Case Study, Johns Hopkins University Department of Computer Science, 13-01, Dec. 2013. [Details, PDF]
  2. Anand Sarwate, Stephen Checkoway, and Hovav Shacham. Risk-limiting Audits for Nonplurality Elections, UC San Diego, CS2011-0967, Jun. 2011. [Details, PDF]
  3. Stephen Checkoway and Hovav Shacham. Escape From Return-Oriented Programming: Return-oriented Programming without Returns (on the x86), UC San Diego, CS2010-0954, Feb. 2010. [Details, PDF]

Theses

  1. Stephen Checkoway. Low-Level Software Security: Exploiting Memory Safety Vulnerabilities and Assumptions, PhD thesis, University of California, San Diego, Jun. 2012. [Details, PDF]

Unpublished

  1. Stephen Checkoway. Methods of Post-election Confidence-level Auditing, Sep-2008. [Details, PDF]