pi3's home page

Information

                                         _,.-----.,_
                                      ,-~           ~-.
                                    ,^___    pi3    ___^.
Name: pi3 (pi3ki31ny)             ./~"   ~"   .   "~   "~\.
Nationality: Polish               Y  ,--._    I    _.--.  Y
Contact: pi3@itsec.pl             | Y     ~-. | ,-~     Y |
Twitter: Adam_pi3                 | |   ***  }:{  ***   | |
                                  j l   *** / | \ ***   ! l
My blog: pi3's blog            .-~  (__,.--" .^. "--.,__)  ~-.
                              (           / / | \ \           )
                               \.____,   ~  \/"\/  ~   .____,/
                                ^.____                 ____.^
                                   | |T ~\  !   !  /~ T| |
                                   | |l   _ _ _ _ _   !| |
                                   | l \/V V V V V V\/ j |
   "Spojrz na czlowieka            \  \ \|_|_|_|_|_|/ /  /
    i zobacz czlowieka...           \  \[T T T T T TI/  /
    Ja nie zawsze potrafie..."       \  `^-^-^-^-^-^'  /
                                      \               /
                                       \.           ,/
                                         "^-.___,-^"

     This is a personal website with some of my computer research...

                           ... and hobby projects not related to IT.

Linux Kernel Runtime Guard (LKRG)

pi3's Linux Kernel Runtime Guard


I'm happy to announce that my moonlight project is finally released. Thanks to
Alexander Peslyak (a.k.a. Solar Designer) it is available through LKRG.org and
Openwall.

Linux Kernel Runtime Guard (LKRG) performs runtime integrity checking of the
Linux kernel (similar to PatchGuard technology from Microsoft) and detection
of security vulnerability exploits against the kernel. LKRG is a kernel module
(not a kernel patch), so it can be built for and loaded on top of a wide range
of mainline and distros' kernels, without needing to patch those.

Master's Thesis of Juho Junnila, entitled "Effectiveness of Linux Rootkit
Detection Tools" (http://jultika.oulu.fi/files/nbnfioulu-202004201485.pdf)
shows LKRG as the most effective kernel rootkit detector (of those tested).

LKRG attempts to post-detect and promptly respond to unauthorized modifications
to the running Linux kernel (system integrity) or to credentials such as user IDs
of the running processes (task integrity). For process credentials, LKRG attempts
to detect the exploit and take action before the kernel would grant access (such
as open a file) based on the unauthorized credentials:

System integrity - Subsystem responsible for system integrity validates:

Critical CPU metadata (e.g., IDTR register, IDT table, MSRs, CR, etc)
Critical kernel variables (e.g., global state of SELinux, etc)
Integrity of .text section for Linux kernel itself and all loaded modules
Integrity of .rodata section for Linux kernel
Integrity of exception table for Linux kernel

Task integrity - Subsystem responsible for task integrity has an ability to detect:

Illegal Elevation of Privileges (EoP):

Token / pointer swapping

Illegal call to commit_creds()

Overwriting the cred / real_cred structures

Sandbox escapes (e.g., Chrome sandbox):

Overwriting seccomp configuration

Overwriting seccomp rules

Various namespace escapes

Various container escapes (e.g., Docker / Kubernetes / etc.)

Illegal changes of:

CPU state e.g., SMAP / SMEP / WP / MSR

Any part of the kernel or modules

Return-Oriented Programming (ROP)

Illegal control flow:

From non .text section pages

From dynamically generated executable pages

From pages not belonging to the kernel (e.g., user-mode pages)

When attacker bypasses SMEP protection

LKRG packages exist in ALT Linux, Arch Linux, Astra Linux, Funtoo, Gentoo, Guix,
NixOS, Whonix, and Yocto (and thus also OpenBMC).
Whonix's packaging is also usable for Debian and its other derived distributions
(including Ubuntu).



LKRG is an Open Source project distributed under GPLv2 License (so it's free).
More information about LKRG you can get at homepage:
https://lkrg.org

LKRG has been in (re-)development for a couple of years, and built upon one of
my prior's experience with a related project in 2011 (for CERN).

On the LKRG's Github you can find the latest LKRG source-code which might
include patches not visible in the official version yet.
https://github.com/lkrg-org/lkrg

If you would like to get more information about LKRG, feel free to contact me ;-)

Security Research

Papers

Patents:

Verifying security for virtual machines in cloud streaming systems and applications (link)
Return Flow Guard Using Control Stack Identified By Processor Register (link)

Analyzing Baseboard Management Controllers to Secure Data Center Infrastructuru (blogpost) (paper)
Windows 7 TCP/IP hijacking (CVE-2023-34367) (link)

The Pwnie Awards 2021 nominee for Most Under-Hyped Research (link)

The short story of broken KRETPROBES and OPTIMIZER in Linux Kernel (link)
CVE-2020-16898 - Exploiting "Bad Neighbor" vulnerability (link)
The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220) (link)
Windows Internals 7th edition part 2 - Me and David Kaplan wrote a section about System Guard Runtime Attestation for Secure Kernel chapter. (link)
"Introducing Windows Defender System Guard Runtime Attestation (SGRA / SGRM)" - also known as project Octagon (link)
Linux kernel IPI problem - non-response to IPI kills wrong task (link)
Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322) (link)

My exploit and research was used in Playstation 4 (PS4) hack:

FreeBSD Kernel code exec (link)
Hacking the PS4, part 3: Kernel exploitation by CTurt (link)

Adventure with Stack Smashing Protector (SSP) (link)
Microsoft Security Research and Defence Blog (SRD) post: "The story of MS13-002: How incorrectly casting fat pointers can make your code explode" (link)
GCHQ Can you crack it - solving an interesting challenge (link)
Phrack 67 article: "Scraps of notes on remote stack overflow exploitation" (local copy) (link)
"Fake" format strings (in Polish) (link)
Advanced usage of system() function (in Polish) (link)
Advanced usage of system() function (in English) (link)
My VERY old paper (in PDF) about Buffer Overflow bugs (in Polish) (link)

CVEs

CVE-XXXX-XXXX - [ PRIVATE ]
CVE-2023-34367 - Windows 7/XP/2K/9x (not only) full blind TCP/IP hijacking (blogpost)
1. The Pwnie Awards 2021 nominee for Most Under-Hyped Research (link)
CVE-2023-28410 / INTEL-SA-00886 - Linux Kernel i915 Linear Out-Of-Bound read and write access
1. Bug bounties are broken - the story of "i915" bug, ChromeOS + Intel bounty programs, and beyond (link)
CVE-2021-28216 - Tianocore EDK II: Insecure parsing of NVRAM in PEI phase (Tianocore)
CVE-2021-4157 - Linux kernel [pNFS]: Buffer overwrite in decode_nfs_fh() function (RedHat)
CVE-2021-1104 - RISC-V ISA contains a documented ambiguity for the MTVEC register that may lead to a vulnerability resulting in code-execution in the highest privilege level (M-mode) (RISC-V news)
CVE-2021-0144 / INTEL-SA-00525 - Intel BIOS Shared SW Architecture (BSSA) allows for loading arbitrary unsigned code in the PEI phase
1. The Pwnie Awards 2022 nominee for Most Under-Hyped Research (link)
CVE-2021-3411 - Linux kernel: broken KRETPROBES and OPTIMIZER (blogpost)
CVE-2020-27825 - Linux kernel: Use-After-Free in the ftrace ring buffer resizing logic due to a race condition (RedHat)
CVE-2020-5986 - NVIDIA vGPU plugin contains insufficient input data size validation which may lead to memory corruption on the host or denial of service (Security Bulletin)
CVE-2020-5983 - NVIDIA vGPU plugin and the host driver kernel module contains insufficient boundary validation of the frame buffer memory allocated to guest operating systems (Security Bulletin)
CVE-2020-25220 - Linux Kernel Use-After-Free in backported patch for CVE-2020-14356 (affected kernels: 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140) (RedHat) (blogpost)
CVE-2020-14356 - Linux Kernel Use-After-Free in cgroup BPF component (affected kernels: since 4.5+ up to 5.7.10) (RedHat) (blogpost)
CVE-2020-12826 - Linux kernel prior to 5.6.5 does not sufficiently restrict exit signals (kernel-hardening list)
CVE-2019-16905 - OpenSSH Pre-Auth XMSS Integer Overflow (external adv)
CVE-2019-11085 / INTEL-SA-00249 - Intel's vGPU driver allows for mappinng of arbitrary physical page into the context of calling process via mmap()
CVE-2017-0181 - Hyper-V Remote Code Execution Vulnerability (adv)
CVE-2017-0182 - Hyper-V Denial of Service Vulnerability (adv)
CVE-2017-0186 - Hyper-V Denial of Service Vulnerability (adv)
CVE-2011-4970 / EGI-SVG-2012-2683 - Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM) (adv)
CVE-2011-5000 - OpenSSH resources exhausion bug via GSSAPI (adv)
CVE-2011-2193 - Torque Server Buffer Overflow Vulnerability (adv)
CVE-2010-1938 - FreeBSD OPIE '__opiereadrec()' Off By One Heap Memory Corruption Vulnerability (adv)
CVE-2010-0010 - Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (adv)
CVE-2009-3604 - Xpdf Multiple Integer Overflow Vulnerabilities and Adobe Acrobat Reader for Linux overflow (adv)
CVE-2008-2357 - mtr Remote Stack Buffer Overflow Vulnerability caused by undocumented situation in 'libresolv' (adv)
CVE-2006-0539 - Convert-FCronTab Local Buffer Overflow (adv)
CVE-2005-0256 - WU-FTPD Remote Globbing Denial of Service Vulnerability (adv)
CVE-2005-2180 - GNATS Arbitrary File Overwrite bug (adv)
CVE-2004-1076 - Atari800 Emulator Multiple Local Buffer Overflow Vulnerabilities (adv)
CVE-2004-0238 - 0verkill Game Client Multiple Local and Remote Server on Windows Buffer Overflow Vulnerabilities (adv)
CVE-2003-1327 - Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun Vulnerability (adv)

Some OLD exploits

[ PRIVATE ]
CVE-2023-28410 - Linux Kernel i915 Linear OOB read and write PoC (writeup + exp)
Windows 7/XP/2K/9x (not only Windows) Blind TCP/IP Hijacking exploit (CVE-2023-34367) (exp)
Windows TCP/IP Remote Code Execution Vulnerability - BSOD exploit for CVE-2020-16898 (exp)
BadIRET - Linux kernel (up to 3.17.5) exploit for CVE-2014-9322 (exp)
Lighttpd PoC code for CVE-2011-4362 (exp)
Remote globbing DoS exploit for wu-ftpd (exp)
Remote PoC exploit for Exim (exp)
Remote exploit for BeroFTPD (exp)
Local root exploit for eject (exp)
Remote exploit for atftpd (exp)
Local root exploit for atari800 (from adv) (exp)
Local exploit for ftpdctl (ProFTPD) (exp)
Local root exploit for atari800 (exp)
Local root exploit for XFree (exp)
Better local exploit for 0verkill (exp)
Local exploit for 0verkill (from adv) (exp)
Local root exploit for kon (exp)
Remote DoS exploit for Pi3 Web Server (exp)

My very old shellcode (x86) (shellcode)
My very old shellcode (x86) which bypasses safexec module by elceef (protects exec*() functions) (shellcode)
My very old shellcode (MIPS) for IRIX - tested on IRIX 6.5.26m with R12000 processor (shellcode)

My implementation of Virtual Machine for GCHQ 'canyoucrackit' challenge (details)

NVIDIA

I'm currently working as a Director of Offensive Security at NVIDIA (GPU core org). Noteworthy projects:

Publications:

Patent: Verifying security for virtual machines in cloud streaming systems and applications (link)

Leading Offensive Security Research (OSR) team:

The main goal of OSR is to work as a "3rd party" independent and unbiased security team providing critical services

Proactively finding security problems (known and unknown) before external researchers do it

Identifying new, novel and unknown attack techniques

Closely cooperating with the security community regarding the new offensive research areas

Additionally, to the various internal findings, NVIDIA OSR detected the following CVEs (53):

CVE-2020-5983, CVE-2020-5986, CVE-2021-0144, CVE-2021-1057, CVE-2021-1058, CVE-2021-1059, CVE-2021-1062, CVE-2021-1081, CVE-2021-1083, CVE-2021-1103, CVE-2021-1104, CVE-2021-4157, CVE-2021-28216, CVE-2022-31599, CVE-2022-31600, CVE-2022-31601, CVE-2022-31602, CVE-2022-31603, CVE-2022-28200, CVE-2022-42271, CVE-2022-42272, CVE-2022-42273, CVE-2022-42274, CVE-2022-42275, CVE-2022-42276, CVE-2022-42277, CVE-2022-42278, CVE-2022-42279, CVE-2022-42280, CVE-2022-42281, CVE-2022-42282, CVE-2022-42283, CVE-2022-42284, CVE-2022-42285, CVE-2022-42286, CVE-2022-42287, CVE-2022-42288, CVE-2022-42289, CVE-2022-42290, CVE-2023-25531, CVE-2023-25532, CVE-2023-25533, CVE-2023-25534, CVE-2023-31008, CVE-2023-31009, CVE-2023-31010, CVE-2023-31011, CVE-2023-31012, CVE-2023-31013, CVE-2023-25527, CVE-2023-25528, CVE-2023-25529, CVE-2023-25530

RISC-V:

Vice Chair of the J extension Task Group for RISC-V

RISC-V embedded software and hardware security

Member of RISC-V Runtime Integrity (previously TEE), Memory Tagging (MTE), CFI, Runtime Integrity and J Extension Task Groups

Author of RISC-V Pointer Masking proposal extension:

https://github.com/riscv/riscv-j-extension/blob/master/zjpm-spec.pdf

I'm one of the contributors to the RISC-V Control Flow Integrity (CFI) extension:

https://github.com/riscv/riscv-cfi/blob/main/riscv-cfi.pdf

I help driving I/D consistency extension

HWASAN and Memory Tagging (MTE) on RISC-V

I found a critical bug in the RISC-V architecture (not in the implementation of a specific processor) that got CVE-2021-1104. Among other things, I talked about this vulnerability in 2021 at the DefCon 29 conference

Various offensive security research projects

GPU and next-generation NVIDIA products security architect

Conferences

Public conferences

DefCon 31 - Breaking BMC: The Forgotten Key to the Kingdom (briefing) (video)
[PL] MSHP 2022 - Nominacja do PwnieAward za blad w kodzie referencyjnym Intel'a - retrospekcja (Sekurak) (video)
DefCon 30 - Exploitation in the era of formal verification: a peek at a new frontier with AdaCore/SPARK (briefing) (video)
[PL] MSHP 2021 - Glitching RISC-V chips: MTVEC corruption for hardening ISA (video)
DefCon 29 - Glitching RISC-V chips: MTVEC corruption for hardening ISA (briefing) (video)
BlackHat USA 2021 - Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded) (briefing) (slides)
x33fcon 2021 - Windows 10 TCP/IP RCE - from the patch to the screen of death (blog) (video)
[PL] LSHP 2020 - Linux Kernel Runtime Guard w pigulce (Sekurak)
Open Source Tech Conference 2020 - LKRG in a nutshell (slides) (mirrored slides)
Confidence 2018 - Linux Kernel Runtime Guard (LKRG) under the hood (video) (slides)
Security BSides 2014 Warsaw - "Nigdy nic nie wiadomo" a.k.a. Modern attacks against x86/x64 architecture (like TLB-splitting, virtualization, AMT, SMM, ring -3, etc.). (link)
SECURE 2014 - The exploitation arm race between attackers and defenders (link)
Confidence 2013 - Crashdumps hunt 0days and rootkits (video)
[PL] i3 conference - Linux vs rootkits (slides)
[PL] SecDay 2010 - Linux vs rootkits (slides)
[PL] SecDay 2009 - Unusual bugs (slides)
[PL] Forum Informatyki Sledczej - Invisible hacking in practice (link)
[PL] SysDay 2009 - IP Spoofing is still alive... (slides)
[PL] SekIT 2008 - Wlamania do systemow Linux w architekturze x86 (slides)
[PL] Confidence 2007 - Shellcody a architektura MIPS - na systemach IRIX (slides)

Internal conferences

European Organization for Nuclear Research (CERN) - White Area - pi3fuzz: an automatic test framework (blogpost)
European Organization for Nuclear Research (CERN) - Security: malware / root-kits / viruses (blogpost)
Wroclaw University of Technology (Microservers) (link)
Wroclaw University of Technology (OBD) (link)
Wroclaw University of Technology (Pentesting) (link)
Wroclaw University of Technology (Computure Architecture 2) (link)
Wroclaw University of Technology (Hacking) (link)
Wroclaw University of Technology (Computure Architecture 2) (link)

Microsoft

Offensive Security Research (OSR)

Windows Defender System Guard Runtime Attestation (SGRA / SGRM) a.k.a. Project Octagon - Together with David Kaplan I've fully designed it, and it is currently a part of every Windows. Additionally, as part of SGRM, I've fully implemented SgrmAgent.sys driver which is shipped since Windows 10 April 2018 Update (RS4) (link)

Return Flow Guard (RFG) - I was in the v-team for designing and developing this mitigation. I also own patent for it (link)

Win32k Iso heaps for NTUSER - I've designed and created PoC Windows build with that mitigation. It was used as a base for current implementation of win32k Iso Heaps mitigation for NTUSER

Windows Defender ATP (WDATP) - Together with David Kaplan, I've designed and implemented SENSE driver which is a subcomponent of WDATP for detecting kernel exploits (including 0days) (link)

Enhanced Mitigation Experience Toolkit (EMET) - I was part of the team developing and maintaining EMET (link)

SONAR - I was part of the team developing and maintaining system for automatic detonation of untrusted files and links. This tool was converted to the Office 365 Advanced Threat Protection (link)

SERA - I was working on non-public system for automated crashdump analysis. I was owning and developing tool for automatic triage of kernel-mode crashdumps. I gave a talk about this technology (and run my tool) on Confidence 2013 (Crashdumps hunt 0days and rootkits) [video]

Misc projects

DIY projects

I like woodworking! Here are some of my projects:

I built from scratch a shed for my motorcycle. You can find more details with some photos here

Renovation of my attic (mounting ceiling stairs + new isolation + create floor). You can find more details with some photos here

Installing new main water shutoff valve + back-flow valve + water pressure regulator + 2 water pressure test gauge. You can find more details with some photos here

Installing automatic water sprinkler system in my front- and backyard. You can find more details with some photos here

Installing new hose outside the house. You can find more details with some photos here

Music

Dark Fur Elise - my own interpretation of Fur Elise (listen)

Moj Ty Jasiulenku - my own interpretation of Polish folk song (listen)

Mrok (Dark) - one of my the solo piano music which I've created (listen)

Dream - one of my the solo piano music which I've created (music sheet) (listen)