A security engineer focusing on fuzzers, exploits, and mitigations for Linux and Android kernels.


  • 🗡 Exploiting the Linux Kernel [4 days]

    A 4-day Linux kernel exploitation frenzy!

    This training guides researchers through the field of Linux kernel exploitation. In a series of practical labs, the training explores the process of exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture.

    The training starts with beginner topics and then moves into advanced areas. The beginner chapters cover techniques for escalating privileges and bypassing foundational mitigations in x86-64 kernels. The advanced chapters are dedicated to slab (heap) exploitation, including an in-depth analysis of the kernel allocators’ internals.

  • 📸 Lights Out: Covertly turning off the ThinkPad webcam LED indicator

    A talk that shows how malicious software can turn off the webcam LED indicator of a ThinkPad X230 laptop while keeping the camera recording.

    Demonstrating this required finding a way to reprogram the camera’s 8051-based controller flash firmware over USB, leaking and reverse engineering the controller Boot ROM, and infecting the camera firmware to add custom USB commands for controlling the LED indicator.

    The summary and the tooling for this talk can be found on GitHub.

  • 🧱 SLUB Internals for Exploit Developers

    A talk that covers the SLUB allocator internals and explains how common slab shaping approaches work for exploiting slab memory corruption bugs.

  • 🔍 Looking for Remote Code Execution bugs in the Linux kernel

    How would an attacker remotely take over a personal Linux or Android device? Send a malicious link and get code execution through the browser? Or target a messenger or an email client? Well, how about sending a series of network packets and owning the kernel directly 😋

    This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs. The article also includes an introduction to syzkaller and its advanced feature — pseudo-syscalls.

    Sadly, to find that one bug to take over the Internet — I failed. But I did manage to find a one-shot RCE in a non-public kernel flavor.