Research and Publications

Selected Presentations

• Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages (DEF CON 29)
• dRuby Security Internals (NorthSec 2021)
• Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime (DEF CON 27)
• Kernel Tracing With eBPF: Unlocking God Mode on Linux (35th Chaos Communication Congress)
• Unikernel Apocalypse: Big Trouble in Ring 0 (ToorCon San Diego XX, 2018)
• Tracing Struct Accesses with Struct Stalker: A Foray Into the Darkness of LLDB Scripting (REcon 2018)
• Instrumenting the JVM for Fun and Profit (AsiaSecWest 2018 HKG)
• Ghost in the Droid: Possessing Android Applications with ParaSpectre (DEF CON 25)

Whitepapers

• Assessing Unikernel Security (2019), with S. Michaels
• Security Chasms of WASM (2018), with B. McFadden, T. Lukasiewicz, and J. Engler for BHUSA

Open Source Tools

• insject: A Linux namespace injector (blog post)
• shouganaiyo-loader: A tool to force JVM attaches (blog post)
• log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 (blog post)
• unixdump: tcpdump for Unix domain sockets (blog post)
• cmakerer: Static cmake generator for untrusted codebases
• ruby-trace: Frida-based tracer for cRuby 2.6-3.x (blog post)
• drb-rb: Libraries for securely interacting with the dRuby wire protocol
• drab: Hardened dRuby implementation
• libshambles: Efficiently hooking established TCP connections (blog post)

Other Publications

• PoC||GTFO 0x19, 19:03 “On CSV Injection and RFC 5322”
• Public Audit of Kubernetes (2023, announcement)
• Public Audit of Istio (2020, announcement)
• Public Audit of Kolide TUF Client for Docker Notary (2017, announcement)
• Some Musings on Common (eBPF) Linux Tracing Bugs (2021)
• An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful (2020)
• ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again (2020)
• eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets (2019)

Security Advisories

• fapolicyd – fapolicyd wrongly prepares ld.so path (CVE-2022-1117)
• OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes (2022)
• containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
• Metasploit – Distributed Ruby Remote Code Execution Module (exploit/linux/misc/drb_remote_codeexec) Enables Remote Code Execution (CVE-2020-7385)
• MirageOS – TCP Sequence Number Generation Weaknesses, Insecure Random Number Generation, and Multiple Memory Hardening Weaknesses in Xen Platform Stack (2018)
• IBM/Eclipse OpenJ9 – Multiple Vulnerabilities in Attach API (CVE-2018-12539)
• Puppet Enterprise – Remote Code Execution in Puppet Enterprise Console (2016)
• Puppet Enterprise – Arbitrary URL Redirection in Puppet Enterprise Console (CVE-2016-5715)