Information 
                                             _,.-----.,_
                                      ,-~           ~-.
                                    ,^___    pi3    ___^.
Name: pi3 (pi3ki31ny)             ./~"   ~"   .   "~   "~\.
Nationality: Polish               Y  ,--._    I    _.--.  Y
Contact: pi3@itsec.pl             | Y     ~-. | ,-~     Y |
Twitter: Adam_pi3                 | |   ***  }:{  ***   | |
                                  j l   *** / | \ ***   ! l
My blog: pi3's blog            .-~  (__,.--" .^. "--.,__)  ~-.
                              (           / / | \ \           )
                               \.____,   ~  \/"\/  ~   .____,/
                                ^.____                 ____.^
                                   | |T ~\  !   !  /~ T| |
                                   | |l   _ _ _ _ _   !| |
                                   | l \/V V V V V V\/ j |
   "Spojrz na czlowieka            \  \ \|_|_|_|_|_|/ /  /
    i zobacz czlowieka...           \  \[T T T T T TI/  /
    Ja nie zawsze potrafie..."       \  `^-^-^-^-^-^'  /
                                      \               /
                                       \.           ,/
                                         "^-.___,-^"
pi3 (pi3ki31ny) 
     This is a personal website with some of my computer research...

                           ... and hobby projects not related to IT.

Linux Kernel Runtime Guard (LKRG)

    pi3's Linux Kernel Runtime Guard 

    
I'm happy to announce that my moonlight project is finally released. Thanks to
Alexander Peslyak (a.k.a. Solar Designer) it is available through Openwall.

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs
runtime integrity checking of the Linux kernel and detection of security
vulnerability exploits against the kernel. As controversial as this concept is,
LKRG attempts to post-detect and hopefully promptly respond to unauthorized
modifications to the running Linux kernel (integrity checking) or to
credentials (such as user IDs) of the running processes (exploit detection).
For process credentials, LKRG attempts to detect the exploit and take action
before the kernel would grant the process access (such as open a file) based on
the unauthorized credentials. More information about LKRG you can get at its
brand new homepage:

http://www.openwall.com/lkrg/

LKRG has been in (re-)development for a couple of years, and built upon one of
my prior's experience with a related project in 2011 (for CERN).

An official announcement was made by Openwall and it can be read here:
http://www.openwall.com/lists/announce/2018/01/29/1

A lot of useful technical information about LKRG can be found on Openwall wiki
page:
http://openwall.info/wiki/p_lkrg/Main

On the BitBucket website you can find the latest LKRG source-code which might
include patches not visible in the official version yet. Currently, LKRG has
two completely separate branches with the different thread models and goals.
Main branch is available here:

https://bitbucket.org/Adam_pi3/lkrg-main/

and experimental branch is available here:

https://bitbucket.org/Adam_pi3/lkrg-experimental/


If you would like to support LKRG, you are very welcome to do so ;-)
It can be done via Patreon website here:
https://www.patreon.com/p_lkrg
Security Research
    Papers

    • Windows 7 TCP/IP hijacking (link)

      • The Pwnie Awards 2021 nominee for Most Under-Hyped Research (link)

    • The short story of broken KRETPROBES and OPTIMIZER in Linux Kernel (link)

    • CVE-2020-16898 - Exploiting "Bad Neighbor" vulnerability (link)

    • The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220) (link)

    • Windows Internals 7th edition part 2 - Me and David Kaplan wrote a section about System Guard Runtime Attestation for Secure Kernel chapter. (link)

    • "Introducing Windows Defender System Guard Runtime Attestation (SGRA / SGRM)" - also known as project Octagon (link)

    • Linux kernel IPI problem - non-response to IPI kills wrong task (link)

    • Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322) (link)
      My exploit and research was used in Playstation 4 (PS4) hack:

      • FreeBSD Kernel code exec (link)

      • Hacking the PS4, part 3: Kernel exploitation by CTurt (link)

    • Adventure with Stack Smashing Protector (SSP) (link)

    • Microsoft Security Research and Defence Blog (SRD) post: "The story of MS13-002: How incorrectly casting fat pointers can make your code explode" (link)

    • GCHQ Can you crack it - solving an interesting challenge (link)

    • Phrack 67 article: "Scraps of notes on remote stack overflow exploitation" (local copy) (link)

    • "Fake" format strings (in Polish) (link)

    • Advanced usage of system() function (in Polish) (link)

    • Advanced usage of system() function (in English) (link)

    • My VERY old paper (in PDF) about Buffer Overflow bugs (in Polish) (link)

    CVEs
    Some OLD exploits

    • [ PRIVATE ]


    • Windows 7/XP/2K/9x (not only Windows) Blind TCP/IP Hijacking exploit (exp)

    • Windows TCP/IP Remote Code Execution Vulnerability - BSOD exploit for CVE-2020-16898 (exp)

    • BadIRET - Linux kernel (up to 3.17.5) exploit for CVE-2014-9322 (exp)

    • Lighttpd PoC code for CVE-2011-4362 (exp)

    • Remote globbing DoS exploit for wu-ftpd (exp)

    • Remote PoC exploit for Exim (exp)

    • Remote exploit for BeroFTPD (exp)

    • Local root exploit for eject (exp)

    • Remote exploit for atftpd (exp)

    • Local root exploit for atari800 (from adv) (exp)

    • Local exploit for ftpdctl (ProFTPD) (exp)

    • Local root exploit for atari800 (exp)

    • Local root exploit for XFree (exp)

    • Better local exploit for 0verkill (exp)

    • Local exploit for 0verkill (from adv) (exp)

    • Local root exploit for kon (exp)

    • Remote DoS exploit for Pi3 Web Server (exp)



    • My very old shellcode (x86) (shellcode)

    • My very old shellcode (x86) which bypasses safexec module by elceef (protects exec*() functions) (shellcode)

    • My very old shellcode (MIPS) for IRIX - tested on IRIX 6.5.26m with R12000 processor (shellcode)



    • My implementation of Virtual Machine for GCHQ 'canyoucrackit' challenge (details)

NVIDIA

    I'm currently working at NVIDIA as a Principal System Software Engineer (Offensive Security) in GPU core team. Noteworthy projects:

  • RISC-V:

    • I'm part of RISC-V TEE and J Extension Task Groups

    • I'm driving RISC-V Pointer Masking proposal extension (link)

    • HWASAN on RISC-V

  • Various offensive security research projects

Conferences
    Public conferences

    • DefCon 29 - Glitching RISC-V chips: MTVEC corruption for hardening ISA (briefing) (video)

    • BlackHat USA 2021 - Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded) (briefing) (slides)

    • x33fcon 2021 - Windows 10 TCP/IP RCE - from the patch to the screen of death (blog) (video)

    • Open Source Tech Conference 2020 - LKRG in a nutshell (slides) (mirrored slides)

    • Confidence 2018 - Linux Kernel Runtime Guard (LKRG) under the hood (video) (slides)

    • Security BSides 2014 Warsaw - "Nigdy nic nie wiadomo" a.k.a. Modern attacks against x86/x64 architecture (like TLB-splitting, virtualization, AMT, SMM, ring -3, etc.). (link)

    • SECURE 2014 - The exploitation arm race between attackers and defenders (link)

    • Confidence 2013 - Crashdumps hunt 0days and rootkits (video)

    • SecDay 2010 - Linux vs rootkits (slides)

    • SecDay 2009 - Unusual bugs (slides)

    • Forum Informatyki Sledczej - Invisible hacking in practice (link)

    • SysDay 2009 - IP Spoofing is still alive... (slides)

    • SekIT 2008 - Wlamania do systemow Linux w architekturze x86 (slides)

    • Confidence 2007 - Shellcody a architektura MIPS - na systemach IRIX (slides)
    Internal conferences

    • European Organization for Nuclear Research (CERN) - White Area - pi3fuzz: an automatic test framework (blogpost)

    • European Organization for Nuclear Research (CERN) - Security: malware / root-kits / viruses (blogpost)

    • Wroclaw University of Technology (Microservers) (link)

    • Wroclaw University of Technology (OBD) (link)

    • Wroclaw University of Technology (Pentesting) (link)

    • Wroclaw University of Technology (Computure Architecture 2) (link)

    • Wroclaw University of Technology (Hacking) (link)

    • Wroclaw University of Technology (Computure Architecture 2) (link)
Microsoft

    I used to work at Microsoft as a member of Offensive Security Research (OSR) team. Previously, I was part of a Security Science Team (MSRC) and Detection and Defense Team (MSRC). I can't talk about all of my projects / work but the ones which I can, you can find below:

  • Windows Defender System Guard Runtime Attestation (SGRA / SGRM) a.k.a. Project Octagon - Together with David Kaplan I've fully designed it, and it is currently a part of every Windows. Additionally, as part of SGRM, I've fully implemented SgrmAgent.sys driver which is shipped since Windows 10 April 2018 Update (RS4) (link)

  • Return Flow Guard (RFG) - I was in the v-team for designing and developing this mitigation. I also own patent for it (link)

  • Win32k Iso heaps for NTUSER - I've designed and created PoC Windows build with that mitigation. It was used as a base for current implementation of win32k Iso Heaps mitigation for NTUSER

  • Windows Defender ATP (WDATP) - Together with David Kaplan, I've designed and implemented SENSE driver which is a subcomponent of WDATP for detecting kernel exploits (including 0days) (link)

  • Enhanced Mitigation Experience Toolkit (EMET) - I was part of the team developing and maintaining EMET (link)

  • SONAR - I was part of the team developing and maintaining system for automatic detonation of untrusted files and links. This tool was converted to the Office 365 Advanced Threat Protection (link)

  • SERA - I was working on non-public system for automated crashdump analysis. I was owning and developing tool for automatic triage of kernel-mode crashdumps. I gave a talk about this technology (and run my tool) on Confidence 2013 (Crashdumps hunt 0days and rootkits) [video]

Misc projects
DIY projects

    I like woodworking! Here are some of my projects:

  • I built from scratch a shed for my motorcycle. You can find more details with some photos here

  • Renovation of my attic (mounting ceiling stairs + new isolation + create floor). You can find more details with some photos here

    • I've recently played with water pipes soldering. Here are some of my projects:

  • Installing new main water shutoff valve + back-flow valve + water pressure regulator + 2 water pressure test gauge. You can find more details with some photos here

  • Installing automatic water sprinkler system in my front- and backyard. You can find more details with some photos here

  • Installing new hose outside the house. You can find more details with some photos here
Music
    I play piano and sometimes I feel the need to compose my own solo piano music. Maybe at some point I'll be comfortable enough to share some of them here:

  • Dark Fur Elise - my own interpretation of Fur Elise (listen)

  • Moj Ty Jasiulenku - my own interpretation of Polish folk song (listen)

  • Mrok (Dark) - one of my the solo piano music which I've created (listen)

  • Dream - one of my the solo piano music which I've created (music sheet) (listen)