We are the Offensive Security, Incident Response, and Internet Security (OSIRIS) Lab: A student-run cyber security research lab part of the NYU Center for Cyber Security.
We're located at 370 Jay Street, Room 1066.
Weekly workshops teaching cyber security topics, tools, and skills run by our sister organization and club, hackers@nyu.
Topics range from basic forensics and code analysis skills to advanced reverse engineering and exploits that are currently relevant and applicable in industry or academia.
Check out some of our previously recorded talks, and accompanying material in this repository.
OSIRIS runs CSAW CTF, one of the largest student-run cybersecurity events & competitions in the world.
We take part in writing challenges, interacting with sponsors, and facilitating the actual competition, which comprises both an online qualifying and in-person finals round. In 2024, over 6000 students participated in the event.
Researchers and industry professionals collaborate with us on projects, research, and events. We work with our partners to bring new opportunities to lab members and to help solve real-world problems. If you are interested in collaborations, please contact us.
We offer different pathways to join the lab, based on the levels of skill and experience. Undergraduate freshmen, sophomores, and non-technical majors, please apply here. For all others, please complete Recruit CTF.
Routers are vulnerable, let’s take advantage of this to break them. We are going to take the firmware from a router, poke and prod at it until we know how it works, and finally break it so that the router does what we want and not what the user wants.
Package Hallucination Detection System: Build a system that analyzes code generated by LLMs to detect and catalog hallucinated packages. The system would: Parse generated code to extract package/library references, cross-reference these against known package repositories, flag potentially hallucinated packages, and track hallucination patterns across different LLMs. Comparative Analysis Framework: Create a framework to systematically compare hallucination rates across different LLMs: Test multiple popular LLMs (GPT-3.5/4, Gemini, Cohere, etc.), use standardized prompts across models, track persistence of hallucinated package names, measure hallucination rates and repetition patterns.
ESP32C6 is a low-power consumption microcontroller developed by Espressif Systems primarily for IOT applications. In addition to the traditional ESP32 series' feature, it carries functions such as Wi-Fi6 and BLE5 for wireless support. The processor is designed based on RISC-V architecture. Side-channel attacks are cyber attacks that exploit the physical characteristics of the device. This project intends to utilize ESP32C6 with probes that could detect and collect physical information about computing devices and transmit the data remotely for further security analysis.
The current paradigm of linux login procedure is very weak and insecure, a passive key logger could easily record your password. The idea is that we could utilize an interactive ZKP protocol with an external usb device to authenticate a user. The communication between the usb device and computer will not reveal any information on the password itself. A cool feature of this authentication method is that it is compatible with biometric authentication, given that there’s a biometric recognition device that outputs the same value for the same biometric. The security advantage of this method over the traditional password paradigm is that it prevents man in the middle attack, and this provides some sort of security given that once the physical key is destroyed, no one can recover the password.
Disassemblers are programs that take a binary or executable program and translate it back into assembly code. Running a disassembler is often one of the earliest and most critical steps of reverse engineering a program. With tools like IDA, Ghidra, and objdump, it is easy to take disassemblers for granted. The primary goal of this project is to write a disassembler to better understand the translation from machine language to assembly code.
I aim to create a modified, low-interaction honeypot designed specifically to capture botnet malware. My plan is to run common services on open ports to lure threat actors into sending malicious payloads to my honeypot. After collecting sufficient data, I will write an analysis of my findings.
NYUSEC competed in the MITRE Embedded Capture the Flag (eCTF) 2025, tackling a satellite TV system challenge. The competition tasked teams with designing a secure encoder and decoder to protect TV frame traffic. The event progressed in two phases. In the design phase, NYUSEC crafted a solution using ChaCha20-Poly1305 for encryption and authentication, enhanced by features like hashing, a monotonic counter, and random delays to meet security requirements and bolster resilience. In the attack phase, the team targeted vulnerabilities in other schools’ designs, exploiting software flaws, weak cryptographic implementations, and authentication oversights in critical decoding steps.
Founder
Program Lead
CTF Captain
Design & Outreach Team Lead
hackers@NYU Club President