Monday 12 October 2020

Security Analysis of CHERI ISA

The CHERI ISA extension provides memory-protection features which allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide strong, compatible, and efficient protection against many currently widely exploited vulnerabilities.

we evaluate attacks against the pure-capability mode of CHERI since non-capability code in CHERI’s hybrid mode could be attacked as-is today. The CHERI system assessed for this research is the CheriBSD operating system running under QEMU as it is the largest CHERI adapted software available today

Thursday 12 April 2018

 HITB AMS, OPCDE Dubai: The life and Death of Kernel GDI object Abuse

Building on top the previous GDI objects kernel exploitation techniques, this talk was the result of work put into mitigating such attacks, it walks through what these techniques are, and how we went about mitigating them at Microsoft.

Monday 9 October 2017

 Macro-less Code Exec in MSWord

This blog post was to release first public information about abusing DDE in Microsoft Word to gain remote code execution, without the need of macros.

Saturday 29 July 2017

 DefCon 25: Demystifying Windows Kernel Exploitation by Abusing GDI Objects

The talk is about Windows kernel exploitation by abusing GDI objects to gain Elevation of Privileges, and releasing a new GDI object abuse technique by using GDI Palettes. Specifically, MS16-098 affecting Windows 8.1 x64 bits, exploited by abusing Bitmap objects, and MS17-017 affecting Windows 7 SP1 x86, exploited by abusing GDI Palette objects.

Sunday 9 April 2017

 The TRITON Won’t Protect You From Our Punches

Abusing ForcePoint TRITON (DLP) to exfiltrate data and gain full C2C communications through its logic.

Friday 23 October 2015

DefCon 23: Extending Fuzzing Grammars to Exploit Unexplored Code Paths in Modern Web Browsers

The talk had two parts the first part was an introduction to fuzzing for the security practitioner. discussing the approaches, tool sets and integrations between tools we found to be most effective into a recipe for fuzzing various browsers and various platforms.

The second part was a description of the work and approach used to create, and extend, browser fuzzing grammars based on w3c specifications to discover new and unexplored code paths, and find new browser security bugs. In particular, example of real bugs found in the Chrome and MS Edge browser were demonstrated.