sergey bratus

One of my favorite newer, and lesser known paper from Tony Hoare: Concurrent Kleene Algebra — opus.bibliothek.uni-augsburg.de/opus4/frontdoo… — this paper inspired me to study the algebraic approach to program and network verification. (KATs, NetKATs, algebras of incorrectness, etc.)

POV: You are a security researcher looking to advance the state of the art and science in offensive security. Submit to WOOT and show us all the hacks you're cooking up 🧑‍🍳

A curious example of misaligned defense: a recipe site aggressively profiles browsers, likely to avoid LLM crawlers. Frustrated users give up and go to ask an LLM for the recipe. So it goes.

Velvet, our automated Dafny-style verifier embedded into Lean, has moved to a new repository as a standalone Lean library: github.com/verse-lab/velv… Give it a try!

I must be getting old because I see people taking about “skills” and how they can be malicious and how some people are building “skill scanners” and I have a hard time understanding how we messed up so bad we made text files dangerous

The damage done by fictional descriptions of cyber attack, in taking up decisionmakers mindshare without real substance, is an incalculable cost to the employment of instruments of national power. Even moreso where these fictions are spun by those purporting to some journalist proximity. All of which downplays real effects and the hard necessary business of campaigning.

A reminder that the Twelfth Language-theoretic IEEE Security & Privacy workshop's call for papers is open through Feb 13, langsec.org/spw26/ Please submit your work and join us at IEEE S&P Workshops day, May 21, 2026, in San Francisco!

One thing my team learned in the past two years of building pragmatic program verifiers is that their performance matters at least as much if not more than expressivity, both for humans and AI automation. As most of programs/specs are broken initially, fast turnaround is a must.

@HostileSpectrum Some papers are long overdue :)

@sergeybratus If you put that evil on me, one is certain you might be cursed to be the peer review. And one expects it would be painful in comparison to your usual standard.

What is the tipping point to novel failure modes when a sufficient percentage of the bureaucracy is nothing more than mid level paper pushers with no substantive experiences of their own, trading AI generated slop back and forth ad infinitium, each desperately hoping to avoid being caught anywhere near a real decision that might have consequences?

The quality of reasoning/logic progressed so quickly over the last year that things are becoming possible in many directions I was previously quite skeptical about. The only thing that matters now is context (domain-specific expertise) and the velocity of access to knowledge of new attack classes. Exploit development has always been manual, human-centric work because it requires specific expertise not frequently accessible to the public. Now, AI can figure it out independently based on existing knowledge.

Really hoping to see formal verification act as the security guardrails for AI-generated code this year.

@matrosov A panel on combining AI and formal methods for a breakthrough much greater than the sum of the parts would be very timely! Now would be a great time to submit a proposal for one :)

The LangSec'26 IEEE Security & Privacy workshop call for papers will remain open until February 13. Please submit your work & join us on May 21, 2026 in San Francisco! langsec.org/spw26/

How about a runnable Lean implementation of a memory allocator automatically verified in Velvet via a combination of SMT and Aristotle?

Looking at UX developments such as noheger.at/blog/2026/01/1… (via news.ycombinator.com/item?id=465798…) I wonder: is this an example of a craft getting disconnected from the people it thinks it serves? Is there a theory of it? Or am I just getting old? :)

The Conscience of a Hacker, also known as The Hacker Manifesto, turns 40 today! Written by Loyd "The Mentor" Blankenship, its spirit still resonates with hackers and makers everywhere. A cornerstone of hacker culture. "My crime is that of curiosity." Read it here: phrack.org/issues/7/3 #HackThePlanet #HackerManifesto

Submit your work to the Twelfth LangSec IEEE Security & Privacy workshop, langsec.org/spw26/ . The current deadline for full papers is January 20, langsec.org/spw26/importan…

I wrote up a little post about OPSEC and how to learn from other people’s failures. buttondown.com/grugq/archive/… #OPSEC

Chat LLMs should have a warning that you can't control the settings via chat even if chat says that you can, as per this crazy interaction GPT had with my sister