Talks
Lights Out: Covertly turning off the ThinkPad webcam LED indicator
A talk that shows how malicious software can turn off the webcam LED indicator of a ThinkPad X230 laptop while keeping the camera recording.
Demonstrating this required finding a way to reprogram the camera's 8051-based controller flash firmware over USB, leaking and reverse engineering the controller Boot ROM, and infecting the camera firmware to add custom USB commands for controlling the LED indicator.
The summary and the tooling for this talk can be found on GitHub.
SLUB Internals for Exploit Developers
A talk that covers the SLUB allocator internals and explains how common Slab shaping approaches work for exploiting Slab memory corruption bugs.
Sanitizing the Linux kernel
A talk about Sanitizers — the go-to tools for detecting bugs in the Linux kernel. Focuses on the implementation of the Generic KASAN mode. Briefly covers other Sanitizers and suggests approaches to improving KASAN and KMSAN to make them find more bugs.
[LWN published a write-up of this talk.]
Fuzzing USB with Raw Gadget
A talk about fuzzing Linux kernel USB drivers via Raw Gadget — a new interface for the Linux USB Gadget subsystem. Compared to other interfaces like GadgetFS, Raw Gadget provides more control over USB communication, allowing the fuzzer to explore unusual paths within USB drivers.
The talk briefly covers the Linux kernel USB subsystem architecture, explains how Raw Gadget is integrated into the subsystem, and shows how Raw Gadget is used to fuzz USB drivers with the help of syzkaller — a production-grade kernel fuzzer.
Mitigating Linux kernel memory corruptions with Arm Memory Tagging
Memory tagging is coming to kill all of your favorite Linux kernel exploits!
Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, the CPU performs a validity check that ensures that the memory tag matches the pointer tag.
In this talk, I explain how MTE is used to assert the validity of kernel memory accesses. I describe the newly added Hardware Tag-Based KASAN mode, its weaknesses, and planned improvements.
On passwords
A talk about the dangers of password reuse that I gave to high-school tech students.
Fuzzing the Linux kernel
[There is an English-dubbed recording of this talk as well.]
A talk about using fuzzing for finding vulnerabilities in the Linux kernel. I briefly cover ready-to-use fuzzers such as Trinity and syzkaller but mainly focus on the underlying parts: writing fuzzing harnesses, generating inputs, and collecting coverage.
This is an extended version of the talk I gave as a part of the Linux Foundation Mentorship Series.
Fuzzing the Linux kernel
A talk about using fuzzing for finding vulnerabilities in the Linux kernel. I briefly cover ready-to-use fuzzers such as Trinity and syzkaller but mainly focus on the underlying parts: writing fuzzing harnesses, generating inputs, and collecting coverage.
Memory Tagging for the kernel: Tag-Based KASAN
Memory Tagging Extension (MTE) is an ARM v8.5 extension that enables hardware-assisted validation of the correctness of memory accesses. MTE is a new feature that is not yet available in any released CPUs. In the future, MTE will hopefully be used as a kernel memory corruption mitigation.
While the new CPUs are being developed, I implemented an MTE-like software-only memory bug detector for the Linux kernel — Software Tag-Based KASAN. Instead of relying on hardware, the detector uses compiler instrumentation to perform tag validity checks.
In this talk, I describe how MTE and the new KASAN mode work.
Introduction to USB hacking
A 5-hour online talk about the USB bus with a showreel of tools that can be used to attack USB.
Materials for the talk can be found on my GitHub.
Introduction to PCIe and DMA attacks
A talk about the PCIe bus with a showreel of tools that can be used to perform DMA attacks.
Materials for the talk can be found on my GitHub.
Coverage-guided USB fuzzing with syzkaller
A talk about creating a syzkaller extension for finding Linux kernel vulnerabilities that can be exploited externally by a malicious USB device. I show how I used the USB Gadget subsystem for emulating USB devices and extended KCOV to collect coverage from USB packet parsing paths.
syzkaller: a coverage-guided fuzzer for the Linux kernel
An overview talk about syzkaller — a state-of-the-art kernel fuzzer.
How to find zero-days in the Linux kernel
A lightning talk where I describe a high-level approach to finding zero-day bugs in the Linux kernel with syzkaller — a state-of-the-art kernel fuzzer.
KernelThreadSanitizer (KTSAN) — a data race detector for the Linux kernel
A talk about a prototype of KTSAN — a dynamic data-race detector for the Linux kernel.
KernelAddressSanitizer (KASAN) — a fast memory error detector for the Linux kernel
The first public talk about KASAN — a dynamic bug detector for the Linux kernel. KASAN finds out-of-bounds, use-after-free, and other kinds of harmful memory accesses. Nowadays, KASAN is the go-to tool for detecting memory bugs in testing and fuzzing.