Information

    Name: pi3 (pi3ki31ny)
    Nationality: Polish
    Contact: pi3@itsec.pl
    Twitter: Adam_pi3

    My blog: pi3's blog

    "Look at a human
     and see a human...
     I am not always able to..."

pi3 (pi3ki31ny)
    This is a personal website with some of my computer research... and hobby
    projects not related to IT.

Linux Kernel Runtime Guard (LKRG)

    pi3's Linux Kernel Runtime Guard

    
    I'm happy to announce that my moonlighting project is finally released. Thanks to
    Alexander Peslyak (a.k.a. Solar Designer) it is available through LKRG.org and
    Openwall.
    
    Linux Kernel Runtime Guard (LKRG) performs runtime integrity checking of the
    Linux kernel (similar to PatchGuard technology from Microsoft) and detection
    of security vulnerability exploits against the kernel. LKRG is a kernel module
    (not a kernel patch), so it can be built for and loaded on top of a wide range
    of mainline and distros' kernels, without needing to patch those.
    
    Juho Junnila's Master's Thesis, entitled "Effectiveness of Linux Rootkit
    Detection Tools" (http://jultika.oulu.fi/files/nbnfioulu-202004201485.pdf),
    shows LKRG as the most effective kernel rootkit detector (of those tested).
    
    LKRG attempts to post-detect and promptly respond to unauthorized modifications
    to the running Linux kernel (system integrity) or to credentials such as user IDs
    of the running processes (task integrity). For process credentials, LKRG attempts
    to detect the exploit and take action before the kernel would grant access (such
    as open a file) based on the unauthorized credentials:
    

    • System integrity - Subsystem responsible for system integrity validates:
      1. Critical CPU metadata (e.g., IDTR register, IDT table, MSRs, CR, etc.)
      2. Critical kernel variables (e.g., global state of SELinux, etc.)
      3. Integrity of the .text section for the Linux kernel itself and all loaded modules
      4. Integrity of the .rodata section for the Linux kernel
      5. Integrity of the exception table for the Linux kernel

    • Task integrity - Subsystem responsible for task integrity has the ability to detect:
      1. Illegal Elevation of Privileges (EoP):
         • Token / pointer swapping
         • Illegal call to commit_creds()
         • Overwriting the cred / real_cred structures
      2. Sandbox escapes (e.g., Chrome sandbox):
         • Overwriting seccomp configuration
         • Overwriting seccomp rules
         • Various namespace escapes
         • Various container escapes (e.g., Docker / Kubernetes / etc.)
      3. Illegal changes of:
         • CPU state, e.g., SMAP / SMEP / WP / MSR
         • Any part of the kernel or modules
         • Return-Oriented Programming (ROP)
      4. Illegal control flow:
         • From non-.text section pages
         • From dynamically generated executable pages
         • From pages not belonging to the kernel (e.g., user-mode pages)
         • When an attacker bypasses SMEP protection


    Linux Kernel Runtime Guard has an overhead of ~2.5%:
    1. https://github.com/openwall/lkrg/blob/main/PERFORMANCE
    2. https://www.phoronix.com/scan.php?page=article&item=lkrg-08-linux&num=1


    LKRG packages exist in ALT Linux, Arch Linux, Astra Linux, Funtoo, Gentoo, Guix,
    NixOS, Whonix, and Yocto (and thus also OpenBMC).
    Whonix's packaging is also usable for Debian and its other derived distributions
    (including Ubuntu).
    

    LKRG is an Open Source project distributed under the GPLv2 License (so it's free).
    More information about LKRG is available at its homepage: https://lkrg.org

    LKRG has been in (re-)development for a couple of years, and builds upon my
    prior experience with a related project in 2011 (for CERN). On LKRG's GitHub you
    can find the latest LKRG source code, which might include patches not visible in
    the official release yet: https://github.com/lkrg-org/lkrg

    If you would like to get more information about LKRG, feel free to contact me ;-)
Security Research
    Papers
    • Windows 7 TCP/IP hijacking (CVE-2023-34367) (link)

      1. The Pwnie Awards 2021 nominee for Most Under-Hyped Research (link)

    • The short story of broken KRETPROBES and OPTIMIZER in Linux Kernel (link)

    • CVE-2020-16898 - Exploiting "Bad Neighbor" vulnerability (link)

    • The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220) (link)

    • Windows Internals 7th edition part 2 - David Kaplan and I wrote a section about System Guard Runtime Attestation for the Secure Kernel chapter. (link)

    • "Introducing Windows Defender System Guard Runtime Attestation (SGRA / SGRM)" - also known as project Octagon (link)

    • Linux kernel IPI problem - non-response to IPI kills wrong task (link)

    • Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322) (link)

    • My exploit and research was used in the Playstation 4 (PS4) hack:
      1. FreeBSD Kernel code exec (link)
      2. Hacking the PS4, part 3: Kernel exploitation by CTurt (link)

    • Adventure with Stack Smashing Protector (SSP) (link)

    • Microsoft Security Research and Defence Blog (SRD) post: "The story of MS13-002: How incorrectly casting fat pointers can make your code explode" (link)

    • GCHQ Can you crack it - solving an interesting challenge (link)

    • Phrack 67 article: "Scraps of notes on remote stack overflow exploitation" (local copy) (link)

    • "Fake" format strings (in Polish) (link)

    • Advanced usage of system() function (in Polish) (link)

    • Advanced usage of system() function (in English) (link)

    • My VERY old paper (in PDF) about Buffer Overflow bugs (in Polish) (link)

    CVEs
    Some OLD exploits

    • [ PRIVATE ]


    • CVE-2023-28410 - Linux Kernel i915 Linear OOB read and write PoC (writeup + exp)

    • Windows 7/XP/2K/9x (not only Windows) Blind TCP/IP Hijacking exploit (CVE-2023-34367) (exp)

    • Windows TCP/IP Remote Code Execution Vulnerability - BSOD exploit for CVE-2020-16898 (exp)

    • BadIRET - Linux kernel (up to 3.17.5) exploit for CVE-2014-9322 (exp)

    • Lighttpd PoC code for CVE-2011-4362 (exp)

    • Remote globbing DoS exploit for wu-ftpd (exp)

    • Remote PoC exploit for Exim (exp)

    • Remote exploit for BeroFTPD (exp)

    • Local root exploit for eject (exp)

    • Remote exploit for atftpd (exp)

    • Local root exploit for atari800 (from adv) (exp)

    • Local exploit for ftpdctl (ProFTPD) (exp)

    • Local root exploit for atari800 (exp)

    • Local root exploit for XFree (exp)

    • Better local exploit for 0verkill (exp)

    • Local exploit for 0verkill (from adv) (exp)

    • Local root exploit for kon (exp)

    • Remote DoS exploit for Pi3 Web Server (exp)

    • My very old shellcode (x86) (shellcode)

    • My very old shellcode (x86) which bypasses the safexec module by elceef (protects exec*() functions) (shellcode)

    • My very old shellcode (MIPS) for IRIX - tested on IRIX 6.5.26m with an R12000 processor (shellcode)

    • My implementation of a Virtual Machine for the GCHQ 'canyoucrackit' challenge (details)

NVIDIA

    I'm currently working at NVIDIA as a Distinguished Engineer (Offensive Security) in the GPU core team. Noteworthy projects:

  • Leading the Offensive Security Research (OSR) team:

    1. The main goal of OSR is to work as a "3rd party" independent and unbiased security team providing critical services

    2. Proactively finding security problems (known and unknown) before external researchers do

    3. Identifying new, novel and unknown attack techniques

    4. Closely cooperating with the security community regarding new offensive research areas

    5. In addition to various internal findings, NVIDIA OSR detected the following CVEs (53):
       CVE-2020-5983, CVE-2020-5986, CVE-2021-0144, CVE-2021-1057, CVE-2021-1058, CVE-2021-1059, CVE-2021-1062, CVE-2021-1081, CVE-2021-1083, CVE-2021-1103, CVE-2021-1104, CVE-2021-4157, CVE-2021-28216, CVE-2022-31599, CVE-2022-31600, CVE-2022-31601, CVE-2022-31602, CVE-2022-31603, CVE-2022-28200, CVE-2022-42271, CVE-2022-42272, CVE-2022-42273, CVE-2022-42274, CVE-2022-42275, CVE-2022-42276, CVE-2022-42277, CVE-2022-42278, CVE-2022-42279, CVE-2022-42280, CVE-2022-42281, CVE-2022-42282, CVE-2022-42283, CVE-2022-42284, CVE-2022-42285, CVE-2022-42286, CVE-2022-42287, CVE-2022-42288, CVE-2022-42289, CVE-2022-42290, CVE-2023-25531, CVE-2023-25532, CVE-2023-25533, CVE-2023-25534, CVE-2023-31008, CVE-2023-31009, CVE-2023-31010, CVE-2023-31011, CVE-2023-31012, CVE-2023-31013, CVE-2023-25527, CVE-2023-25528, CVE-2023-25529, CVE-2023-25530

  • RISC-V:

    1. Vice Chair of the J extension Task Group for RISC-V

    2. RISC-V embedded software and hardware security

    3. Member of the RISC-V Runtime Integrity (previously TEE), CFI, Runtime Integrity and J Extension Task Groups

    4. Author of the RISC-V Pointer Masking proposal extension:
       https://github.com/riscv/riscv-j-extension/blob/master/zjpm-spec.pdf

    5. I'm one of the contributors to the RISC-V Control Flow Integrity (CFI) extension:
       https://github.com/riscv/riscv-cfi/blob/main/riscv-cfi.pdf

    6. I help drive the I/D consistency extension

    7. HWASAN and Memory Tagging (MTE) on RISC-V

    8. I found a critical bug in the RISC-V architecture (not in the implementation of a specific processor) that got CVE-2021-1104. Among other things, I talked about this vulnerability in 2021 at the DefCon 29 conference

  • Various offensive security research projects

  • GPU and next-generation NVIDIA products security architect

Conferences
    Public conferences
    • DefCon 31 - Breaking BMC: The Forgotten Key to the Kingdom (briefing) (video)

    • [PL] MSHP 2022 - Pwnie Award nomination for a bug in Intel's reference code - a retrospective (Sekurak) (video)

    • DefCon 30 - Exploitation in the era of formal verification: a peek at a new frontier with AdaCore/SPARK (briefing) (video)

    • [PL] MSHP 2021 - Glitching RISC-V chips: MTVEC corruption for hardening ISA (video)

    • DefCon 29 - Glitching RISC-V chips: MTVEC corruption for hardening ISA (briefing) (video)

    • BlackHat USA 2021 - Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded) (briefing) (slides)

    • x33fcon 2021 - Windows 10 TCP/IP RCE - from the patch to the screen of death (blog) (video)

    • [PL] LSHP 2020 - Linux Kernel Runtime Guard in a nutshell (Sekurak)

    • Open Source Tech Conference 2020 - LKRG in a nutshell (slides) (mirrored slides)

    • Confidence 2018 - Linux Kernel Runtime Guard (LKRG) under the hood (video) (slides)

    • Security BSides 2014 Warsaw - "Nigdy nic nie wiadomo" a.k.a. Modern attacks against x86/x64 architecture (like TLB-splitting, virtualization, AMT, SMM, ring -3, etc.). (link)

    • SECURE 2014 - The exploitation arm race between attackers and defenders (link)

    • Confidence 2013 - Crashdumps hunt 0days and rootkits (video)

    • [PL] i3 conference - Linux vs rootkits (slides)

    • [PL] SecDay 2010 - Linux vs rootkits (slides)

    • [PL] SecDay 2009 - Unusual bugs (slides)

    • [PL] Forum Informatyki Sledczej - Invisible hacking in practice (link)

    • [PL] SysDay 2009 - IP Spoofing is still alive... (slides)

    • [PL] SekIT 2008 - Breaking into Linux systems on the x86 architecture (slides)

    • [PL] Confidence 2007 - Shellcodes and the MIPS architecture - on IRIX systems (slides)

    Internal conferences

    • European Organization for Nuclear Research (CERN) - White Area - pi3fuzz: an automatic test framework (blogpost)

    • European Organization for Nuclear Research (CERN) - Security: malware / root-kits / viruses (blogpost)

    • Wroclaw University of Technology (Microservers) (link)

    • Wroclaw University of Technology (OBD) (link)

    • Wroclaw University of Technology (Pentesting) (link)

    • Wroclaw University of Technology (Computer Architecture 2) (link)

    • Wroclaw University of Technology (Hacking) (link)

    • Wroclaw University of Technology (Computer Architecture 2) (link)


Microsoft

    I used to work at Microsoft as a member of the Offensive Security Research (OSR) team. Previously, I was part of the Security Science Team (MSRC) and the Detection and Defense Team (MSRC). I can't talk about all of my projects / work, but the ones I can talk about are listed below:

  • Windows Defender System Guard Runtime Attestation (SGRA / SGRM) a.k.a. Project Octagon - Together with David Kaplan I fully designed it, and it is currently a part of every Windows release. Additionally, as part of SGRM, I fully implemented the SgrmAgent.sys driver, which has shipped since the Windows 10 April 2018 Update (RS4) (link)

  • Return Flow Guard (RFG) - I was in the v-team for designing and developing this mitigation. I also hold a patent for it (link)

  • Win32k Iso heaps for NTUSER - I designed and created a PoC Windows build with that mitigation. It was used as the base for the current implementation of the win32k Iso Heaps mitigation for NTUSER

  • Windows Defender ATP (WDATP) - Together with David Kaplan, I designed and implemented the SENSE driver, which is a subcomponent of WDATP for detecting kernel exploits (including 0days) (link)

  • Enhanced Mitigation Experience Toolkit (EMET) - I was part of the team developing and maintaining EMET (link)

  • SONAR - I was part of the team developing and maintaining a system for automatic detonation of untrusted files and links. This tool was converted into Office 365 Advanced Threat Protection (link)

  • SERA - I was working on a non-public system for automated crashdump analysis. I owned and developed a tool for automatic triage of kernel-mode crashdumps. I gave a talk about this technology (and ran my tool) at Confidence 2013 (Crashdumps hunt 0days and rootkits) [video]

Misc projects
DIY projects

    I like woodworking! Here are some of my projects:

  • I built a shed for my motorcycle from scratch. You can find more details with some photos here

  • Renovation of my attic (mounting ceiling stairs + new insulation + laying a floor). You can find more details with some photos here

  • I've recently played with soldering water pipes. Here are some of my projects:
    1. Installing a new main water shutoff valve + back-flow valve + water pressure regulator + 2 water pressure test gauges. You can find more details with some photos here
    2. Installing an automatic water sprinkler system in my front- and backyard. You can find more details with some photos here
    3. Installing a new hose outside the house. You can find more details with some photos here

Music
    I play piano and sometimes I feel the need to compose my own solo piano music. Maybe at some point I'll be comfortable enough to share some of it here:
  • Dark Fur Elise - my own interpretation of Fur Elise (listen)

  • Moj Ty Jasiulenku - my own interpretation of a Polish folk song (listen)

  • Mrok (Dark) - one of the solo piano pieces I've composed (listen)

  • Dream - one of the solo piano pieces I've composed (music sheet) (listen)