Twitter / X, Github, LinkedIn, Bluesky

Publications and speaking

• ⚔️ Offensive security publications
  • Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions
  • Android apps with millions of downloads exposed to high-severity vulnerabilities
  • Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability
  • Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
  • Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn
  • Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection
  • New macOS vulnerability, Migraine, could bypass System Integrity Protection
  • New macOS vulnerability, “HM Surf”, could lead to unauthorized data access
  • New macOS vulnerability, “powerdir,” could lead to unauthorized user data access
  • Uncovering a ChromeOS remote memory corruption vulnerability
  • Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
  • Uncursing the ncurses: Memory corruption vulnerabilities found in library
• 🛡️ Defensive security publications
  • Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation
  • DynoRoot (CVE-2018-1111) exposed via Advanced Hunting
  • Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
  • Hunting down Dofoil with Windows Defender ATP
  • Inside Microsoft 365 Defender: Attack modeling for finding and stopping lateral movement
  • Living-Off-The-Land Command Detection Using Active Learning
  • Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
• 🎤 Conferences and public speaking
  • DEFCON 30 VR village - Free phone got me critical vulns affecting millions Android
  • DEFCON 31 VR village - The curse of ncurses
  • DEFCON 31 - Getting a Migraine
  • DEFCON 32 VR village - The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office
  • DEFCON VR groups - The anatomy of UAC bypasses
  • DEFCON VR groups - A Very Dangerous Dave
  • Nullcon Berlin 2023 - The Achilles heel of the macOS Gatekeeper
  • Nullcon - macOS Security Features Bypasses by Example
  • BlueHat Israel 2022 - Learning macOS Security by Finding Vulns
  • BlueHat Israel 2017 - Defending the Defenders - tampering EDR solutions (not recorded)
  • Thotcon 0xC - The Achilles heel of the macOS Gatekeeper (not recorded)
  • B-sides Vancouver 2024 - The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office (not recorded)
  • The Hack Summit 2024 - The Sand Castle - the state of macOS sandbox escapes through the lens of Microsoft Office
  • HushCon Seattle 2024 - HM Surf - Having fun with Safari and other browsers (not recorded)
  • AVAR 2022 - Security mechanisms on macOS and bypassing them
  • Exploitcon 2023 (Bellvue) - The curse of ncurses (not recorded)
  • Exploitcon 2022 (Bellvue) - How getting a free phone got me vulns on millions of Android devices (not recorded)
  • SANS - Windows Defender ATPs Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints
  • Security Unlocked - Discovering Router Vulnerabilities with Anomaly Detection
  • On Path Podcast - My Professional Journey

Writeups

• 🍎 Apple macOS
  • Introduction to macOS - TCC
  • Introduction to macOS - App structure
  • Introduction to macOS - The Gatekeeper
  • Introduction to macOS - The sandbox
  • Introduction to macOS - SIP
  • Introduction to macOS - Mach Ports
• 🪟 Microsoft Windows (and some DOS)
  • MBR payload analysis
  • Introduction to anti-debugging
  • Introduction to Windows injection and hooking
  • Metasploit Shellcode analysis
  • Coding a ransomware in a minute
  • Virtual Memory and KnownDlls
  • UAC bypasses
  • Reverse-engineering Dangerous Dave
  • Binary Golf 4 - COM files
  • Hotkey-based keylogger for Windows
  • Keylogging without conditions or loops
• 🐧 Linux (and some binary editing)
  • Coding a Linux userland rootkit
  • Binary Golf 5 - Linux shellcoding ideas
  • Binary Golf 5 - Java class format
  • Introduction to Linux pwn - the beginning
  • Introduction to Linux pwn - overriding the return address
  • Introduction to Linux pwn - ROP chains
  • Wordle CTF challenge
  • Dictiopwn - abusing unix_chkpwd
• 📚 Cryptography and math
  • Introduction to cryptography - terminology and first examples
  • Introduction to cryptography - basic modular arithmetics
  • Introduction to cryptography - Vigenère cipher
  • Introduction to cryptography - RSA
  • Introduction to cryptography - prime number generation
  • The relation between programming and mathematical formulae
• 👊 The Goonies CTF
  • ångstrom CTF 2021 - Oracle of Blair
  • ångstrom CTF 2021 - substitution
  • ångstrom CTF 2021 - I’m so random
  • UMass CTF 2021 - malware
  • Securinets CTF Quals 2021 - MiTM
  • Union CTF 2021 - Human server
  • justCTF 2020 - That’s not crypto
  • CrowdStrike CTF 2021 - Module Wow
  • CrowdStrike CTF 2021 - Matrix
• 🎭 Other publications
  • PagedOut! #5 - The art of Java class minimization
  • DigitalWhisper #152 - A very Dangerous Dave (Hebrew)
  • DigitalWhisper #154 - Getting a Migraine (Hebrew)

Miscellaneous

• 🎉 CVEs
  • CVE-2025-26721 - Barebox buffer overflow during file creation in the persistent storage
  • CVE-2025-26722 - Barebox buffer overflow during symbolic link handling due to an integer overflow in the SquashFS filesystem
  • CVE-2025-26723 - Barebox buffer overflow during symbolic link handling due to an integer overflow in the EXT4 filesystem
  • CVE-2025-26724 - Barebox buffer overflow during symbolic link handling due to an integer overflow in the CramFS filesystem
  • CVE-2025-26725 - Barebox buffer overflow during directory entry parsing in the JFFS2 filesystem
  • CVE-2025-26726 - U-boot buffer overflow during directory table parsing in the SquashFS filesystem
  • CVE-2025-26727 - U-boot buffer overflow during inode parsing in the SquashFS filesystem
  • CVE-2025-26728 - U-boot buffer overflow during file reading in the SquashFS filesystem
  • CVE-2025-26729 - U-boot buffer overflow during symbolic link handling due to an integer overflow in the EroFS filesystem
  • CVE-2025-0677 - GRUB2 buffer overflow during symbolic link handling due to an integer overflow in the UFS filesystem
  • CVE-2025-0678 - GRUB2 buffer overflow during file reads due to an integer overflow in the SquashFS filesystem
  • CVE-2025-0684 - GRUB2 buffer overflow during symbolic link handling due to an integer overflow in the ReiserFS filesystem
  • CVE-2025-0685 - GRUB2 buffer overflow during symbolic link handling due to an integer overflow in the JFS filesystem
  • CVE-2025-0686 - GRUB2 buffer overflow during symbolic link handling due to an integer overflow in the RomFS filesystem
  • CVE-2025-0689 - GRUB2 buffer overflow during block reads due to an out-of-bounds operation in the UDF filesystem
  • CVE-2025-0690 - GRUB2 buffer overflow due to an unsafe signed integer overflow in the read builtin command
  • CVE-2025-1118 - GRUB2 arbitrary memory read due to a misconfiguration of the dump command in Secure Boot environments
  • CVE-2025-1125 - GRUB2 buffer overflow during file opens due to an integer overflow in the HFS filesystem
  • CVE-2024-56738 - GRUB2 cryptographic side channel attack
  • CVE-2024-56737 - GRUB2 buffer overflow in filesystem mounting due to wild strcpy in the HFS filesystem
  • CVE-2024-44243 - macOS storagekitd-based SIP bypass
  • CVE-2024-44133 - macOS browser-based TCC bypass
  • CVE-2023-32369 - macOS migrationd-based SIP bypass
  • CVE-2023-29491 - Multiple memory corruption vulnerabilities in the ncurses library
  • CVE-2022-4499 - Cryptographic side-channel attack on TP-link routers httpd authentication method
  • CVE-2022-4498 - Buffer overflow in TP-link routers httpd
  • CVE-2022-42821 - macOS AppleDouble-based Gatekeeper bypass
  • CVE-2022-29800 - Linux networkd-dispatcher race condition (TOCTOU)
  • CVE-2022-29799 - Linux networkd-dispatcher directory traversal
  • CVE-2022-26706 - macOS stdin-based sandbox escape
  • CVE-2022-2587 - ChromeOS remote memory corruption vulnerability
  • CVE-2022-0987 - Linux Packagekit Information Disclosure
  • CVE-2021-42601 - Android mce SDK vulnerability
  • CVE-2021-42600 - Android mce SDK vulnerability
  • CVE-2021-42599 - Android mce SDK vulnerability
  • CVE-2021-42598 - Android mce SDK vulnerability
  • CVE-2021-35247 - SolarWinds Serv-U LDAP Injection
  • CVE-2021-30970 - macOS injection-based TCC bypass
  • CVE-2021-30892 - macOS system_installd-based SIP bypass
  • CVE-2020-35785 - NETGEAR DGN2200v1 authentication bypass
  • CVE-2017-0095 - Hyper-V vSMB Remote Code Execution
• 💡 Patents
  • Patent 408978-US-NP - Dysfunctional device detection tool
  • Patent 410415-US-NP - Command classification using active learning
  • Patent 412482-US-NP - Detecting a spoofed entity based on complexity of a distribution of events initiated by the spoofed entity
• 🚧 Other projects
  • Cicada Tools - A Cicada 3301 research utility.
  • Hotkeyz - Windows based keylogging capability using hotkeys.
  • HM-surf evaluator - An evaluator for CVE-2024-44133 for all common macOS browsers.
  • Miniclass-exec - Minimization of Java bytecode to execute a certain commandline.
  • Dangerous Dave level editor - a level editor to the 1990 Dangerous Dave DOS game.
  • Prog2Math - translates programming concepts to LaTeX formulae.
  • Dictiopwn - dictionary attack on Linux.