Pawel Wieczorkiewicz (@wipawel)'s Twitter Profile
Pawel Wieczorkiewicz

@wipawel

Low Level Security: CPUs, Kernels, Hypervisors and the like. I mostly break stuff. Offensive side of things.

ID: 1132296122

https://grsecurity.net

29-01-2013 22:32:36

973 Tweet

1,1K Followers

379 Following

Eduardo Vela (@sirdarckcat)

Back in H2HC last week, Jordy Zomer and I presented this tool we've been working on (with Artem) we now call "🐧 Kernel Explorer". It's still early on, I'll work on FF and a11y next! storage.googleapis.com/kernelctf-dash… storage.googleapis.com/kernelctf-dash… Code is github.com/google/securit…

Tavis Ormandy (@taviso)

welp, it looks like an OEM leaked the patch for "AMD Microcode Signature Verification Vulnerability" 🔥 The patch is not in linux-firmware, so this is the only patch available😡

Matteo Rizzo (@_matteorizzo)

github.com/google/securit… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!

Anderson Nascimento (@andersonc0d3)

Blog post I wrote about an unexpected vulnerability we discovered in the TCP subsystem of the Linux kernel. This one is interesting because it can lead to a UAF even with the reference counter saturation mechanism present. I hope you enjoy it.

Brad Spengler (@spendergrsec)

So reachable WARNs get auto-CVE'd by the Linux CNA purely from the possibility of panic_on_warn, a reachable BUG() reported by a researcher needs an essay on threat models before anyone does anything with it. 🤔

Tavis Ormandy (@taviso)

You can now jailbreak your AMD CPU! 🔥We've just released a full microcode toolchain, with source code and tutorials. bughunters.google.com/blog/542484235…

Brad Spengler (@spendergrsec)

We are looking for a PhD student intern this summer to research optimal heuristics for a new feature of ours that provides finer-grained, context-aware control over fragmentation in the Linux buddy allocator. Fully remote, please email hiring@ if interested.

Gabriel Negreira Barbosa (@gabrielnb)

IEEE SecDev 2025 (Practitioner Session) CFP is open until May 30th. Submit papers up to 2 pages about perspectives/insights for secure systems: …cdev25-practitioner.ieee-security.org Questions: [email protected] More info: secdev.ieee.org/2025/practitio…

Rodrigo Branco (@bsdaemon)

IEEE SecDev 2025 IEEE Secure Development (Practitioner Session) CFP is open until May 30th. This is the ideal mix between academic and industry session, with very short paper length requirements (2 pages) and a very pragmatic committee. Work in progress projects and idea discussions are

Brad Spengler (@spendergrsec)

Another small demo, using the gadget from download.vusec.net/papers/halfspe… I revert the upstream 2023 fix and show Respectre handling the half Spectre gadget:

Brad Spengler (@spendergrsec)

Vulnerability introduced into the upstream 5.15 and 6.6 LTS (and maybe others), another instance of turning mitigations into no-ops :\

Pawel Wieczorkiewicz (@wipawel)

I don’t understand what the fuss is about. This looks like old news to me. I exploited hypervisors using this technique back in 2018/2019. Just use grsecurity KERNSEAL and forget about this kind of problem.