Talks

  • Mitigating Linux kernel memory corruptions with Arm Memory Tagging

    Memory tagging is coming to kill all of your favorite Linux kernel exploits!

Memory Tagging Extension (MTE) is an ARM v8.5 feature that enables hardware-assisted validation of the correctness of memory accesses. In a nutshell, MTE allows assigning tags to memory allocations, as well as to pointers that refer to those allocations. When memory is accessed through a pointer, the CPU checks that the tag of the pointer matches the tag of the memory it refers to.

    In this talk, I explain how MTE is used to assert the validity of kernel memory accesses. I describe the newly added Hardware Tag-Based KASAN mode, its weaknesses, and planned improvements.

  • On passwords

    A talk about the dangers of password reuse that I gave to high-school tech students.

  • Fuzzing the Linux kernel

    [There is an English-dubbed recording of this talk as well.]

    A talk about using fuzzing for finding vulnerabilities in the Linux kernel. I briefly cover ready-to-use fuzzers such as Trinity and Syzkaller but mainly focus on the underlying parts: writing fuzzing harnesses, generating inputs, and collecting coverage.

    This is an extended version of the talk I gave as a part of the Linux Foundation Mentorship Series.

  • Fuzzing the Linux kernel

    A talk about using fuzzing for finding vulnerabilities in the Linux kernel. I briefly cover ready-to-use fuzzers such as Trinity and Syzkaller but mainly focus on the underlying parts: writing fuzzing harnesses, generating inputs, and collecting coverage.

  • Memory Tagging for the kernel: Tag-Based KASAN

    Memory Tagging Extension (MTE) is an ARM v8.5 extension that enables hardware-assisted validation of the correctness of memory accesses. MTE is a new feature that is not yet available in any released CPUs. In the future, MTE will hopefully be used as a kernel memory corruption mitigation.

    While the new CPUs are being developed, I implemented an MTE-like software-only memory bug detector for the Linux kernel — Software Tag-Based KASAN. Instead of relying on hardware, the detector uses compiler instrumentation to perform tag validity checks.

    In this talk, I describe how MTE and the new KASAN mode work.

  • Introduction to USB hacking

    A 5-hour online talk about the USB bus with a showreel of tools that can be used to attack USB.

    Materials for the talk can be found on my GitHub.

  • Introduction to PCIe and DMA attacks

    A talk about the PCIe bus with a showreel of tools that can be used to perform DMA attacks.

    Materials for the talk can be found on my GitHub.

  • Coverage-guided USB fuzzing with Syzkaller

    A talk about creating a Syzkaller extension for finding Linux kernel vulnerabilities that can be exploited externally by a malicious USB device. I show how I used the USB Gadget subsystem for emulating USB devices and extended KCOV to collect coverage from USB packet parsing paths.

  • Syzkaller: coverage-guided fuzzer for the Linux kernel

    An overview talk about Syzkaller — a state-of-the-art production-grade kernel fuzzer.

  • How to find zero-days in the Linux kernel

A lightning talk in which I describe a high-level approach to finding zero-day bugs in the Linux kernel with Syzkaller — a state-of-the-art production-grade kernel fuzzer.

  • KernelThreadSanitizer (KTSAN) — a data race detector for the Linux kernel

    A talk about a prototype of KTSAN — a dynamic data-race detector for the Linux kernel.

  • KernelAddressSanitizer (KASAN) — a fast memory error detector for the Linux kernel

    The first public talk about KASAN — a dynamic bug detector for the Linux kernel. KASAN finds out-of-bounds, use-after-free, and other kinds of harmful memory accesses. Nowadays, KASAN is the go-to tool for detecting memory bugs in testing and fuzzing.

• Automatic detection of race conditions in the Linux kernel

A talk about a prototype of KTSAN, a race condition detector for the Linux kernel.

  • AddressSanitizer for the Linux kernel

    A talk about an early prototype of KASAN — a dynamic memory corruption detector for the Linux kernel.