NYU OSIRIS Lab

About The Lab

We are the Offensive Security, Incident Response, and Internet Security (OSIRIS) Lab: A student-run cyber security research lab part of the NYU Center for Cyber Security.

We're located at 370 Jay Street, Room 1066.

What We Do

CTF Competitions

Our team NYUSEC competes in Capture The Flag competitions every weekend.

We play most of the CTFs listed on ctftime. We compete both virtually and in-person.

We’re currently 6th in the US and 51st in the world with a total of 209.854689393 points on CTFTime!

Hack Nights

Weekly workshops teaching cyber security topics, tools, and skills run by our sister organization and club, hackers@nyu.

Topics range from basic forensics and code analysis skills to advanced reverse engineering and exploits that are currently relevant and applicable in industry or academia.

Check out some of our previously recorded talks, and accompanying material in this repository.

CSAW

OSIRIS runs CSAW CTF, one of the largest student-run cybersecurity events & competitions in the world.

We take part in writing challenges, interacting with sponsors, and facilitating the actual competition, which comprises both an online qualifying and in-person finals round. In 2024, over 6000 students participated in the event.

Industry Engagement

Researchers and industry professionals collaborate with us on projects, research, and events. We work with our partners to bring new opportunities to lab members and to help solve real-world problems. If you are interested in collaborations, please contact us.

How to Join

We offer different pathways to join the lab, based on the levels of skill and experience. Undergraduate freshmen, sophomores, and non-technical majors, please apply here. For all others, please complete Recruit CTF.

How to Engage

Join our discord. All communications related to the lab and club happens here.
Come to Hack Nights by hackers@NYU (formerly Cyber Security Club). Events are hosted every Thursday at 4pm EST in Room 1013, 370 Jay St. You can join over discord too if you can't be here in person!

Projects

Spring 2025

Router Hacking

Routers are vulnerable, let’s take advantage of this to break them. We are going to take the firmware from a router, poke and prod at it until we know how it works, and finally break it so that the router does what we want and not what the user wants.

LLM Package Hallucination

Package Hallucination Detection System: Build a system that analyzes code generated by LLMs to detect and catalog hallucinated packages. The system would: Parse generated code to extract package/library references, cross-reference these against known package repositories, flag potentially hallucinated packages, and track hallucination patterns across different LLMs. Comparative Analysis Framework: Create a framework to systematically compare hallucination rates across different LLMs: Test multiple popular LLMs (GPT-3.5/4, Gemini, Cohere, etc.), use standardized prompts across models, track persistence of hallucinated package names, measure hallucination rates and repetition patterns.

Side Channel Attacks

ESP32C6 is a low-power consumption microcontroller developed by Espressif Systems primarily for IOT applications. In addition to the traditional ESP32 series' feature, it carries functions such as Wi-Fi6 and BLE5 for wireless support. The processor is designed based on RISC-V architecture. Side-channel attacks are cyber attacks that exploit the physical characteristics of the device. This project intends to utilize ESP32C6 with probes that could detect and collect physical information about computing devices and transmit the data remotely for further security analysis.

Linux authentication system with ZKP

The current paradigm of linux login procedure is very weak and insecure, a passive key logger could easily record your password. The idea is that we could utilize an interactive ZKP protocol with an external usb device to authenticate a user. The communication between the usb device and computer will not reveal any information on the password itself. A cool feature of this authentication method is that it is compatible with biometric authentication, given that there’s a biometric recognition device that outputs the same value for the same biometric. The security advantage of this method over the traditional password paradigm is that it prevents man in the middle attack, and this provides some sort of security given that once the physical key is destroyed, no one can recover the password.

Disassembler

Disassemblers are programs that take a binary or executable program and translate it back into assembly code. Running a disassembler is often one of the earliest and most critical steps of reverse engineering a program. With tools like IDA, Ghidra, and objdump, it is easy to take disassemblers for granted. The primary goal of this project is to write a disassembler to better understand the translation from machine language to assembly code.

Honeypot

I aim to create a modified, low-interaction honeypot designed specifically to capture botnet malware. My plan is to run common services on open ports to lure threat actors into sending malicious payloads to my honeypot. After collecting sufficient data, I will write an analysis of my findings.

Mitre eCTF

NYUSEC competed in the MITRE Embedded Capture the Flag (eCTF) 2025, tackling a satellite TV system challenge. The competition tasked teams with designing a secure encoder and decoder to protect TV frame traffic. The event progressed in two phases. In the design phase, NYUSEC crafted a solution using ChaCha20-Poly1305 for encryption and authentication, enhanced by features like hashing, a monotonic counter, and random delays to meet security requirements and bolster resilience. In the attack phase, the team targeted vulnerabilities in other schools’ designs, exploiting software flaws, weak cryptographic implementations, and authentication oversights in critical decoding steps.