As a researcher, I am primarily interested in cyber security with a focus on the boundaries between hardware and software. This stems from my long-term exposure to assembly, binary exploitation, and reverse engineering — all of which I learned on my own and through Capture the Flag competitions and wargames.

My research interests began in 2014 as an undergraduate at the University of Central Florida. There I joined the Security in Silicon Lab (SSL), a hardware and software security lab. There I lead a security analysis of the brand new Google Nest thermostat, in which we discovered a way to gain root access. We disseminated these findings to Black Hat USA that same year. Propelled from the success of this work, my UCF advisor Dr. Yier Jin continued investigating other Internet of Things devices after I graduated.

For graduate school, I joined the University of Florida to pursue my Ph.D in August 2015. I found a new home in the newly formed Florida Institute of Cyber Security Research (FICS). There I found a new advisor, Dr. Kevin Butler and joined him as a research assistant. Over the last three years I have been exposed to his background on systems security and USB research and continue to develop my own direction. Currently, my focus lies on embedded firmware analysis and how to instrument exotic embedded platforms.


Education

University of Florida, Research Assistant with FICS

  • Advisor: Dr. Kevin R. B. Butler
  • Area: Systems security
  • Designing a framework to analyse USB firmware, determine functionality, and communicate the impact
  • Implementing a learning tool that is able to automatically recover firewall rulesets for censorship avoidance
  • Utilized Intel SGX to improve Secure Function Evaluation (SFE) performance
  • Working to improve TLS security through server-side enhancements

University of Central Florida, Undergraduate Research Assistant

  • Advisor: Dr. Yier Jin
  • Area: Internet of Things security
  • Discovered a USB entry point into Google’s Nest Thermostat allowing full-root access
  • Published findings at Black Hat USA 2014 entitled “Smart Nest Thermostat: A Smart Spy in your Home”

University of Central Florida, EXCEL Undergraduate Research

  • Advisor: Dr. Mingjie Lin
  • Area: FPGAs
  • Learned Verilog through working with a HDL Huffman decoder

Publications & Academic Work

Academic Conferences

  1. G. Hernandez, F. Fowze, D. Tian, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. ACM CCS, 2017.
  2. S. Etigowni, D. Tian, G. Hernandez, S. Zonouz, and K. Butler. CPAC: Securing Critical Infrastructure with Cyber-Physical Access Control. ACSAC, 2016.

Industry Conferences

  1. G. Hernandez, O. Arias, D. Buentello, and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. Black Hat USA, 2014.

Journals

  1. A. Bates, D. Tian, G. Hernandez, T. Moyer, K. Butler, and T. Jaeger. Taming the Costs of Trustworthy Provenance through Policy. Transactions on Internet Technology (TOIT), 2016.

Posters

  1. G. Hernandez, F. Fowze, D. Tian, C. Metcalf, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. FICS Conference, Mar. 2017. (Best Poster)
  2. G. Hernandez, A. Bates, and K. Butler. SSL Certificate Verification Enhancements for the Server. FICS Conference, 2016
  3. G. Hernandez and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. UCF Showcase for Undergraduate Research, 2015

Workshops

  1. S. Deshmukh, H. Carter, G. Hernandez, P. Traynor, and K. Butler. Efficient and Secure Template Blinding for Biometric Authentication. Proceedings of the IEEE Workshop on Security and Privacy in the Cloud (SPC), 2016.

Academic Service

External Reviewer

  • IEEE Symposium on Security & Privacy (Oakland, S&P) - 2017
  • ACM Conference on Computer and Communications Security (CCS) - 2016
  • ACM Asia Conference on Computer and Communications Security (AsiaCCS) - 2017
  • Network & Distributed System Security Symposium (NDSS) - 2017
  • USENIX Symposium on Operating Systems Design and Implementation (OSDI) - 2016
  • USENIX Workshop on Offensive Technologies Workshop on Offensive Technologies (WOOT) - 2017

Professional Services

  • Advising and training the University of Florida’s Collegiate Cyber Defense Team (UFCCDC) under UF’s Registered Student Organization (RSO) the Student InfoSec Team (UFSIT) (2016-2017). Reference: Dr. Joseph Wilson (jnw@cise.ufl.edu)

Honors & Awards

University Florida

  • Graduate School Fellowship Award (2015 - 2019, $151,316)
  • Appointed as Florida Institute of National Security (FINS) Fellow (2015, $6,000)
  • Harris Communication Fellowship (2015, $3,000)
  • Best poster award for “FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution.” at the FICS Conference
  • 3rd place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2017)
  • CISE Graduate Scholarship (2017, $1,000)

University of Central Florida

  • ICubed (I3) Fellow - presented Nest security research to an Advanced Painting class, inspiring their work (2015)
  • Winner of the National Collegiate Cyber Defense Competition (NCCDC) out of 180 schools (April 2014)
  • 1st place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2013 and 2014)
  • 2nd place at the UCONN CyberSEED Buffer Overflow competition (2014, $1,375)
  • 6th place and 5th place at CSAW CTF finals (2013 and 2014 respectively)
  • EXCEL Student
  • NSF STEM only education program with guaranteed Sophomore year research (2011 - 2013)
  • 1st place at UCF’s 25th annual High School Programming Tournament
  • UCF President’s Honor Role (3 semesters)

Speaking

  1. A Journey into Fuzzing with American Fuzzy Lop. Hack@UCF (2015)
  2. Smart Nest Thermostat: Smart Spy in your Home. Black Hat USA (2015)

Press

  1. “CISE Students Win at 2017 FICS Research Conference on Cybersecurity” Computer & Information Science & Engineering News, University of Florida
    (Quoted, April 3rd, 2017)
  2. “Students Advance in Cyber Defense Competition” Computer & Information Science & Engineering News, University of Florida
    (Interviewed, March 8th, 2017)
  3. “17 ways the Internet of Things can go horribly wrong” ZDNet
    (Mentioned, March 21st, 2016)
  4. “UCF Cyber Defense Turns Smart Thermostat Into Potential Spy” UCF Today
    (Mentioned, August 11th, 2014)
  5. “A used thermostat could hack your house” CNN Money
    (Interviewed (video), August 7th, 2014)
  6. “Is your Watch or Thermostat a Spy? Cybersecurity Firms are on it” NPR - All Things Considered
    (Interviewed (voice), August 6th, 2014)
  7. “Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users’ Data” Forbes Tech
    (Interviewed, July 16th, 2014)
  8. “UCF wins Raytheon cyber defense contest” Orlando Sentinel (Mentioned, April 28th, 2014)

Bonus

  • I’m a licensed amateur radio operator – KK4QIS