Gokulkrishna Menon

7151 Gateway Blvd

Newark

San Francisco, CA

I currently work at Lucid Motors as a Security Engineer, where I focus on identifying vulnerabilities in arm-based systems using static and dynamic analysis, crafting proof of concepts, and conducting threat analysis.

I graduated from Arizona State University in the summer of 2023 with a Master’s degree in Computer Security. During my time at ASU, I was involved with SEFCOM, primarily collaborating with Dr. Tiffany Bao, as well as Dr. Yan Shoshitaishvili, Dr. Ruoyu (Fish) Wang, and Dr. Adam Doupe.

My research at ASU focused on automated vulnerability analysis in application software, with a particular emphasis on fuzzing and dynamic patching.

Before graduating from ASU, I interned at SEFCOM under Dr. Tiffany Bao.

I also participated in CTF competitions with Shellphish, where I concentrated on challenges related to Web Security and Reverse Engineering. Prior to joining Shellphish, I was a core member of Team bi0s.

latest posts

Mar 16, 2019	CONFidence CTF 2019 'The Admin Panel' Writeup
Mar 15, 2019	iCTF 2019 Echodoor
Sep 14, 2018	SECT 2018 EzDOS Reversing Challenge

selected publications

Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs

Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, and 9 more authors

In 31st USENIX Security Symposium (USENIX Security 22), Aug 2022

Abs

In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called ARBITER. We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Uncontrolled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.