DPR3

I recently left my position and I'm looking for consulting work. (Not looking for a full-time position.) Particularly interested in low-level security and development work, e.g. code audits, reverse engineering, exploit mitigations, LLVM development, etc.

In those CET times: It's possible to return in unwinding to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept https://twitter.com/AmarSaar/status/1211565530286632960 …:) Type confusions are on fire! (stack frames, objc for PAC bypass)https://twitter.com/yarden_shafir/status/1217728223355817986 …

New blogpost: Sanitized Emulation with QEMU-AddressSanitizer https://andreafioraldi.github.io/articles/2019/12/20/sanitized-emulation-with-qasan.html … I just open-sourced my QEMU patches to fuzz binaries with ASan, QASan. You can also use it with ARM targets on Linux, a thing that you can't do with LLVM ASan!

Seems some people do read this feed at least :) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91cbf01178c37086b32148c53e24b04cb77557cf …https://twitter.com/grsecurity/status/1180609139359277056 …

Huge weekend ahead for VIPs. #ncaab #nba tonight. Big #ncaaf play tomorrow then we cash Sunday with #nfl. Going for +30U this week Dm to grab a package and start cashing

Maersk didn't have a single backup up their 100 global domain controllers. Designed to backup to each other, they could lose 1 or 25 DCs & be fine. They just couldn't lose all of them. Miraculously, @a_greenberg said at #CYBERWARCON, a serendipitous blackout in Ghana saved 1 DC.

A random bit of trivia I remembered recently. Got a DOS box with a password protected BIOS and no tools handy? Corrupt CMOS checksum with this simple command and get inside after reboot: echo “dummy” > CLOCK$

Static analysis to determine object sizes allocated by various syscalls to perform kernel SLAB/SLUB layout manipulation, enabling exploitation. 30 new N-day exploits coming, abstract includes link to a sample set of exploits. https://twitter.com/blackhatevents/status/1189333619229233153 …

Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker. https://bugs.chromium.org/p/project-zero/issues/detail?id=1942 …

Apparently Apple kernel 0day (I don’t have a test machine for Apple). thread_set_state() is called on current thread (illegal according to docs) in 32bit process with all registers set to 0xffffffff other than gs=23. Exploit bypasses SMEPhttps://twitter.com/piedpiper1616/status/1174132817690628097 …