A security engineer focusing on fuzzers, exploits, and mitigations for Linux and Android kernels.


  • 🧰 Fuzzing the Linux Kernel [2 days]

    This training guides researchers through the field of Linux kernel fuzzing. In a series of practical labs, the training explores using syzkaller and KASAN for finding kernel memory corruption bugs and analyzing their security impact.

    The training starts with an introduction to Linux kernel fuzzing. This part covers making kernel-specific fuzzing harnesses for finding bugs, evaluating the harness effectiveness, and using KASAN to analyze the security impact of discovered vulnerabilities.

    The second part of the training focuses on syzkaller — the most widely used production-grade Linux kernel fuzzer. This part covers setting up and running syzkaller in its default configuration and also customizing syzkaller for targeted fuzzing of specific kernel subsystems.

  • 🔍 Looking for Remote Code Execution bugs in the Linux kernel

    How would an attacker remotely take over a personal Linux or Android device? Send a malicious link and get code execution through the browser? Or target a messenger or an email client? Well, how about sending a series of network packets and owning the kernel directly 😋

    This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs. The article also includes an introduction to syzkaller and its advanced feature — pseudo-syscalls.

    Sadly, to find that one bug to take over the Internet — I failed. But I did manage to find a one-shot RCE in a non-public kernel flavor.