Security Engineer at Quarkslab by day; reversing, exploiting and tools development by night
My e-mail is firstname.lastname@example.org
My PGP key is there
Download my resume
GDB plug-in that makes it easier to develop Linux kernel exploits targeting the SLUB allocator. It displays the content of slab caches and allows to set breakpoints on allocation/free operations.Download
Python version of the Microcode Explorer plug-in created by Rolf Rolles. It allows to generate Hex-Rays's micro-code at different maturity levels, as well as listing and graphing it.Download
AMIE is a Python rework of FRIEND that focuses solely on the ARM architecture (both AArch32 and AArch64 are supported). It is lightweight and dependency-free, and provides relevant and up-to-date information about the ARM system registers and instructions.Download
IDArling is a collaborative reverse engineering plug-in for IDA Pro and Hex-Rays. It allows to synchronize in real-time the changes made to a database by multiple users, by connecting together different instances of IDA Pro (locally or remotely).Download
Talk given at BlackHat USA 2019
The increasing popularity of connected devices in recent years has led manufacturers to put a greater emphasis on security, finding themselves in need of robust designs that would protect their users.
From these requirements emerged the ARM TrustZone, a system-wide hardware isolation technology. It introduces a trusted Secure World that can process code and data while ensuring their integrity and confidentiality. This Secure World can also watch over the user-controlled (and therefore untrusted) Normal World to verify its integrity, similarly to the mechanism implemented in Samsung's TIMA.
It can also access hardware peripherals, such as keyboards, screens, or crypto-processors in a secure and isolated manner to create trusted UIs, implement DRMs, etc. All the sensitive data and the critical interruptions are directly handled by the Secure World without ever passing through the Normal World.
However, the usage of this technology comes at a cost. By widening the attack surface and exposing privileged components, TrustZone can potentially introduce a single point of failure that allows the compromission of the entire system.
Using Samsung's TrustZone implementation as a target, this presentation explains and demonstrates how this new attack surface can be leveraged to hijack and exploit trusted components. After explaining the internals and interactions of these components developed by Samsung, different vulnerabilities will be detailed and exploited to execute code at EL3, the highest privilege level on an ARM-based system.Download
Talk given at SSTIC 2019
At REcon 2016 was presented a collaborative Reverse Engineering plugin for IDA called Sol[IDA]rity. It looked awesome, so everyone was excited to try it out! But months passed, then years, without any release or source code.
Tired of waiting, IDArling's authors decided they wanted to develop this tool, see for themselves if it was really worth it, while open-sourcing the project from the very beginning. This process proved more difficult than expected.
This presentation aims to explain the plugin functionalities, the reasons behind the choices that were made, the major difficulties encountered, the workarounds that were found, and finally discuss when alternatives like the well-known YaCo plugin are more appropriate.Download
This website is a quine