A security engineer focusing on fuzzers, exploits, and mitigations for Linux and Android kernels.

  • 🔍 Looking for Remote Code Execution bugs in the Linux kernel

    How would an attacker remotely take over a personal Linux or Android device? Send a malicious link and get code execution through the browser? Or target a messenger or an email client? Well, how about sending a series of network packets and owning the kernel directly 😋

    This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs. The article also includes an introduction to syzkaller and its advanced feature — pseudo-syscalls.

    Sadly, I failed to find that one bug to take over the Internet. But I did manage to find a one-shot RCE in a non-public kernel flavor.

  • 🤖 Fuzzing USB with Raw Gadget

    A talk about fuzzing Linux kernel USB drivers via Raw Gadget — a new interface for the Linux USB Gadget subsystem. Compared to other interfaces like GadgetFS, Raw Gadget provides more control over USB communication, allowing the fuzzer to explore unusual paths within USB drivers.

    The talk briefly covers the Linux kernel USB subsystem architecture, explains how Raw Gadget is integrated into the subsystem, and shows how Raw Gadget is used to fuzz USB drivers with the help of syzkaller — a production-grade kernel fuzzer.

  • 🛡 Mitigating Linux kernel memory corruptions with Arm Memory Tagging

    Memory tagging is coming to kill all of your favorite Linux kernel exploits!

    Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, the CPU performs a validity check that ensures that the memory tag matches the pointer tag.

    In this talk, I explain how MTE is used to assert the validity of kernel memory accesses. I describe the newly added Hardware Tag-Based KASAN mode, its weaknesses, and planned improvements.