As a researcher, I am primarily interested in cyber security focusing on the boundary between hardware and software.

This stems from my long-term exposure to assembly, binary exploitation, and reverse engineering - all of which I learned on my own and through Capture the Flag competitions and wargames.

My reseach interests started in 2014 as an undergrad when I joined the hardware and software security lab at the University of Central Florida. There I lead the security analysis of the Nest thermostat, in which we discovered a way to gain root access. We disseminated these findings at the BlackHat USA conference. Propelled from the success of this work, my previous advisor Dr. Yier Jin continued investigating other Internet of Things devices, while I graduated and joined the University of Florida as a PhD graduate student in August 2015. I found a home in a newly formed lab, the Florida Institute of Cyber Security Research (FICS), and a new advisor Dr. Kevin Butler. There I was exposed to his background on systems security and USB research. Currently I am exploring symbolic execution on USB firmware in order to determine the firmware’s intent.

Below you will find a textual version of my CV. If you’d prefer, you can read the PDF instead.

University of Florida, Research Assistant with FICS

  • Advisor: Dr. Kevin R. B. Butler
  • Area: Systems security
  • Designing a framework to analyse USB firmware, determine functionality, and communicate the impact
  • Implementing a learning tool that is able to automatically recover firewall rulesets for censorship avoidance
  • Utilized Intel SGX to improve Secure Function Evaluation (SFE) performance
  • Working to improve TLS security through server-side enhancements

University of Central Florida, Undergraduate Research Assistant

  • Advisor: Dr. Yier Jin
  • Area: Internet of Things security
  • Discovered a USB entry point into Google’s Nest Thermostat allowing full-root access
  • Published findings at Black Hat USA 2014 entitled “Smart Nest Thermostat: A Smart Spy in your Home”

University of Central Florida, EXCEL Undergraduate Research

  • Advisor: Dr. Mingjie Lin
  • Area: FPGAs
  • Learned Verilog through working with a HDL Huffman decoder

Publications & Academic Work

Academic Conferences

  1. G. Hernandez, F. Fowze, D. Tian, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. ACM CCS, 2017.
  2. S. Etigowni, D. Tian, G. Hernandez, S. Zonouz, and K. Butler. CPAC: Securing Critical Infrastructure with Cyber-Physical Access Control. ACSAC, 2016.

Industry Conferences

  1. G. Hernandez, O. Arias, D. Buentello, and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. Black Hat USA, 2014.

Journals

  1. A. Bates, D. Tian, G. Hernandez, T. Moyer, K. Butler, and T. Jaeger. Taming the Costs of Trustworthy Provenance through Policy. Transactions on Internet Technology (TOIT), 2016.

Posters

  1. G. Hernandez, F. Fowze, D. Tian, C. Metcalf, T. Yavuz, and K. Butler. FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution. FICS Conference, Mar. 2017. (Best Poster)
  2. G. Hernandez, A. Bates, and K. Butler. SSL Certificate Verification Enhancements for the Server. FICS Conference, 2016
  3. G. Hernandez and Y. Jin. Smart Nest Thermostat: A Smart Spy in your Home. UCF Showcase for Undergraduate Research, 2015

Workshops

  1. S. Deshmukh, H. Carter, G. Hernandez, P. Traynor, and K. Butler. Efficient and Secure Template Blinding for Biometric Authentication. Proceedings of the IEEE Workshop on Security and Privacy in the Cloud (SPC), 2016.

Academic Service

External Reviewer

  • IEEE Symposium on Security & Privacy (Oakland, S&P) - 2017
  • ACM Conference on Computer and Communications Security (CCS) - 2016
  • ACM Asia Conference on Computer and Communications Security (AsiaCCS) - 2017
  • Network & Distributed System Security Symposium (NDSS) - 2017
  • USENIX Symposium on Operating Systems Design and Implementation (OSDI) - 2016
  • USENIX Workshop on Offensive Technologies Workshop on Offensive Technologies (WOOT) - 2017

Professional Services

  • Advising and training the University of Florida’s Collegiate Cyber Defense Team (UFCCDC) under UF’s Registered Student Organization (RSO) the Student InfoSec Team (UFSIT) (2016-2017). Reference: Dr. Joseph Wilson (jnw@cise.ufl.edu)

Honors & Awards

University Florida

  • Graduate School Fellowship Award (2015 - 2019, $151,316)
  • Appointed as Florida Institute of National Security (FINS) Fellow (2015, $6,000)
  • Harris Communication Fellowship (2015, $3,000)
  • Best poster award for “FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution.” at the FICS Conference
  • 3rd place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2017)
  • CISE Graduate Scholarship (2017, $1,000)

University of Central Florida

  • ICubed (I3) Fellow - presented Nest security research to an Advanced Painting class, inspiring their work (2015)
  • Winner of the National Collegiate Cyber Defense Competition (NCCDC) out of 180 schools (April 2014)
  • 1st place at the Southeast Regional Collegiate Cyber Defense Competition (SECCDC) (2013 and 2014)
  • 2nd place at the UCONN CyberSEED Buffer Overflow competition (2014, $1,375)
  • 6th place and 5th place at CSAW CTF finals (2013 and 2014 respectively)
  • EXCEL Student
  • NSF STEM only education program with guaranteed Sophomore year research (2011 - 2013)
  • 1st place at UCF’s 25th annual High School Programming Tournament
  • UCF President’s Honor Role (3 semesters)

Speaking

  1. A Journey into Fuzzing with American Fuzzy Lop. Hack@UCF (2015)
  2. Smart Nest Thermostat: Smart Spy in your Home. Black Hat USA (2015)

Press

  1. “CISE Students Win at 2017 FICS Research Conference on Cybersecurity” Computer & Information Science & Engineering News, University of Florida
    (Quoted, April 3rd, 2017)
  2. “Students Advance in Cyber Defense Competition” Computer & Information Science & Engineering News, University of Florida
    (Interviewed, March 8th, 2017)
  3. “17 ways the Internet of Things can go horribly wrong” ZDNet
    (Mentioned, March 21st, 2016)
  4. “UCF Cyber Defense Turns Smart Thermostat Into Potential Spy” UCF Today
    (Mentioned, August 11th, 2014)
  5. “A used thermostat could hack your house” CNN Money
    (Interviewed (video), August 7th, 2014)
  6. “Is your Watch or Thermostat a Spy? Cybersecurity Firms are on it” NPR - All Things Considered
    (Interviewed (voice), August 6th, 2014)
  7. “Nest Hackers Will Offer Tool To Keep The Google-Owned Company From Getting Users’ Data” Forbes Tech
    (Interviewed, July 16th, 2014)
  8. “UCF wins Raytheon cyber defense contest” Orlando Sentinel (Mentioned, April 28th, 2014)

Bonus

  • I’m a licensed amateur radio operator – KK4QIS