A security engineer focusing on fuzzers, exploits, and mitigations for Linux and Android kernels.

  • 🗡 Attacking the Linux kernel

    A two-day training that guides researchers through the field of Linux kernel security. In a series of exercise-driven labs, the training explores the process of finding, assessing, and exploiting kernel bugs in modern Linux distributions on the x86-64 architecture.

    Besides providing a foundation for writing Linux kernel exploits, the training covers the no-less important areas of finding kernel bugs and evaluating their security impact. This includes chapters on using and extending dynamic bug-finding tools, writing custom fuzzers, and analyzing crashes.

    Targeted at beginners.

  • 🔍 Looking for Remote Code Execution bugs in the Linux kernel

    How would an attacker remotely take over a personal Linux or Android device? Send a malicious link and get code execution through the browser? Or target a messenger or an email client? Well, how about sending a series of network packets and owning the kernel directly 😋

    This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs. The article also includes an introduction to syzkaller and its advanced feature — pseudo-syscalls.

    Sadly, to find that one bug to take over the Internet — I failed. But I did manage to find a one-shot RCE in a non-public kernel flavor.

  • 🤖 Fuzzing USB with Raw Gadget

    A talk about fuzzing Linux kernel USB drivers via Raw Gadget — a new interface for the Linux USB Gadget subsystem. Compared to other interfaces like GadgetFS, Raw Gadget provides more control over USB communication allowing the fuzzer to explore unusual paths within USB drivers.

    The talk briefly covers the Linux kernel USB subsystem architecture, explains how Raw Gadget is integrated into the subsystem, and shows how Raw Gadget is used to fuzz USB drivers with the help of syzkaller — a production-grade kernel fuzzer.

  • 🛡 Mitigating Linux kernel memory corruptions with Arm Memory Tagging

    Memory tagging is coming to kill all of your favorite Linux kernel exploits!

    Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, the CPU performs a validity check that ensures that the memory tag matches the pointer tag.

    In this talk, I explain how MTE is used to assert the validity of kernel memory accesses. I describe the newly added Hardware Tag-Based KASAN mode, its weaknesses, and planned improvements.