This time I'll look at CVE-2022-46395, an Arm Mali GPU driver UAF I found by analysing Jann Horn's CVE-2022-36449. I'll also use a technique of Jann Horn to win a very tight race to gain arbitrary kernel code execution and root from untrusted Android app. github.blog/2023-05-25-roo…

#OffensiveCon23 recordings are now live! Hope you enjoy :) youtube.com/playlist?list=…

The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022 written by Janggggg starlabs.sg/blog/2023/06-t… Thanks to Trend Zero Day Initiative for reviewing and inputs to the blog post. Greatly appreciate that.

I presented my Lockdown Mode research at 0x41con today and it was a dream come true ❤️ I started my iOS research journey ~5yrs ago & always dreamt of just attendin let alone presentin with such legends. This has been a tremendous honor! Thank u ~ & sferrini et al.

It was an honour to organize with ~ + sferrini + jndok this 🇪🇸 edition of 0x41con, arguably the world's best conference for research quality. Shoutout to ~ that made it possible, to all the speakers and to all the attendees who made it special 🫶🏼 #0x41con

If you squint hard enough, you'll see you were there! I hope you all had a great time. Till next time! 😎

The 0x41con lives on because of the hardcore diehard fans it gained over the years who offered to organize and keep it alive. It takes time, effort & money to give you the experience for free. Mad props sferrini, Filippo Roncari, jndok for hosting the 4th ed. It was amazing!

🎮PS5 enthusiasts! Specter's talk is here! ⚡Specter Specter presented the evolving attack surface, modern mitigations like Supervisor Mode Access Prevention (SMAP) etc + internal workings of the PS5's hypervisor ▶️youtu.be/HBFDjfmIUis #hw_ioUSA2023 #gamingconsole

qualys.com/2023/07/19/cve… SSH agent forwarding just became even more dangerous. 😂-- leave it to the creative minds at Qualys to turn a series of dlopen()+dlclose() calls (of unrelated/benign shared libraries) into arbitrary code exec, hats off!

Here are my slides from my 0x41con presentation on Apple’s Lockdown Mode: blacktop.github.io/presentations Enjoy 🎉 ⚠️ Ironically the slides won't load when you have Lockdown Mode enabled 💀 See README for more info here - github.com/blacktop/prese…

Sharing another V8 Sandbox design document more widely: docs.google.com/document/d/1CP… This one discusses how to protect code pointers - probably the most performance sensitive part touched by the sandbox - with (almost) no performance overhead.

"In mid-2022, Google Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented" googleprojectzero.blogspot.com/2023/08/summar…

Our very first blog post: “iOS 17, new version, new acronyms” #iOS17 #DFF #sptm #txm df-f.com/blog/ios17

The rounds are on us at the #HEXACON2023 Social Event! DM us your favorite cocktail and we'll do our best to have the top requests available

After 3 years, we finally managed to write our first blog post about a powerful XNU infoleak patched in 17.1 blog.dfsec.com/ios/2023/11/19…

Our in-depth exploration of #SPTM and #TXM continues df-f.com/blog/ios-17rou…

Will macOS merge with iOS? #iOS #macOS #DFF #DFFENDERS #Debugging df-f.com/blog/macosandi…

#POC2024 Ding-Dong 😎 Kicking off with @[email protected] with Keynote speech. We are fully packed

Our latest blog post: Tracing Back to the Source | #SPTM Round 3 #TXM #iOS #macOS #DFF df-f.com/blog/sptm3

Our new blog post is live: blog.dfsec.com/ios/2025/05/30…