Daniel Klischies

Security Research

My primary research objective is to understand and improve the security properties of firmware and operating systems. I like to think about complex, interconnected systems, and attempt to understand security vulnerabilities in the context in which they occur.
I think that, rather than focusing on a certain type of vulnerability, mitigation, or technique, security vulnerabilities should be seen as the result of systematic issues. This motivates my research.


Accepted papers

GDMA: Fully Automated DMA Rehosting via Iterative Type Overlays

Authors: Tobias Scharnowski, Simeon Hoffmann, Moritz Bley, Simon Wörner, Daniel Klischies, Felix Buchmann, Nils Ole Tippenhauer, Thorsten Holz, Marius Muench

Accepted at USENIX Security Symposium 2025

In this work, we introduce GDMA, a comprehensive solution for fully automated DMA rehosting. GDMA successfully emulates all six DMA configuration mechanisms by analyzing emulation traces to identify the two critical DMA usage steps: DMA configuration and DMA buffer usage. We evaluate GDMA on a total of 114 firmware images. Compared to the state of the art, GDMA is the first to successfully emulate all samples of the state-of-the-art benchmark, reaching 3x the DMA mechanism coverage. We also introduce a fully reproducible data set to systematically evaluate DMA rehosting of all six mechanisms.

Confusing Value with Enumeration: Studying the Use of CVEs in Academia

Authors: Moritz Schloegel, Daniel Klischies, Simon Koch, David Klein, Lukas Gerlach, Malte Wessels, Leon Trampert, Martin Johns, Mathy Vanhoef, Michael Schwarz, Thorsten Holz, Jo Van Bulck

Accepted at USENIX Security Symposium 2025

We systematically study the use of CVEs in academic papers to better understand the correlation of academic CVEs with real-world implications. To this end, we present the trends we identified through quantitative analysis, qualitative review of published papers, and a user survey.

BaseBridge: Bridging the Gap between Emulation and Over-The-Air Testing for Cellular Baseband Firmware

Authors: Daniel Klischies, Dyon Goos, David Hirsch, Alyssa Milburn, Marius Muench, Veelasha Moonsamy

Appeared at 2025 IEEE Symposium on Security and Privacy (SP)

Existing baseband emulators struggle to match over-the-air testing due to missing emulation of complex peripherals like DSPs, SIM cards, and RF frontends. This limits fuzzing to only shallow-level bugs. BaseBridge, an extension to FirmWire, boosts emulation accuracy by restoring relevant connection state from memory dumps, obtained from physical phones. Supporting MediaTek and Samsung firmware, BaseBridge greatly expands fuzzing coverage, by a factor of up to 5x for MediaTek. It also passes LTE conformance tests and enables deeper, faster bug discovery, uncovering 5 new vulnerabilities in the process.

Vulnerability, Where Art Thou? An Investigation of Vulnerability Management in Android Smartphone Chipsets

Authors: Daniel Klischies, Philipp Mackensen, Veelasha Moonsamy

Appeared at Network and Distributed System Security (NDSS) Symposium 2025

Vulnerabilities in Android smartphone chipsets can lead to severe consequences like arbitrary code execution or data theft. Our study reveals that vulnerabilities are inherited across chipset generations and the 90-day disclosure period is rarely followed. A single vulnerability can impact thousands of smartphone models, with updates often delayed. Discover more in our ever-evolving knowledge base at https://chipsets.org!

Instructions Unclear: Undefined Behaviour in Cellular Network Specifications

Authors: Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rupprecht, Veelasha Moonsamy

Appeared at USENIX Security Symposium 2023

In this paper, we investigate the presence and impact of undefined behavior in cellular network specifications on modems used in smartphones. In doing so, we found multiple gaps in the LTE specifications that lead to insecure implementations resulting in three high-severity CVEs.