site.pi3.com.pl (185.238.74.129)

Submitted URL: http://pi3.com.pl/
Effective URL: http://site.pi3.com.pl/
Submission Tags: falconsandbox
Submission: On October 25 via api from US — Scanned from DE

Information

                                         _,.-----.,_
                                      ,-~           ~-.
                                    ,^___    pi3    ___^.
Name: pi3 (pi3ki31ny)             ./~"   ~"   .   "~   "~\.
Nationality: Polish               Y  ,--._    I    _.--.  Y
Contact: pi3@itsec.pl             | Y     ~-. | ,-~     Y |
Twitter: Adam_pi3                 | |   ***  }:{  ***   | |
                                  j l   *** / | \ ***   ! l
My blog: pi3's blog            .-~  (__,.--" .^. "--.,__)  ~-.
                              (           / / | \ \           )
                               \.____,   ~  \/"\/  ~   .____,/
                                ^.____                 ____.^
                                   | |T ~\  !   !  /~ T| |
                                   | |l   _ _ _ _ _   !| |
                                   | l \/V V V V V V\/ j |
   "Look at a human being          \  \ \|_|_|_|_|_|/ /  /
    and see a human being...        \  \[T T T T T TI/  /
     I am not always able to..."      \  `^-^-^-^-^-^'  /
                                      \               /
                                       \.           ,/
                                         "^-.___,-^"



     This is a personal website with some of my computer research...

                           ... and hobby projects not related to IT.



Linux Kernel Runtime Guard (LKRG)

I'm happy to announce that my moonlight project is finally released. Thanks to
Alexander Peslyak (a.k.a. Solar Designer) it is available through Openwall.

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs
runtime integrity checking of the Linux kernel and detection of security
vulnerability exploits against the kernel. As controversial as this concept is,
LKRG attempts to post-detect and hopefully promptly respond to unauthorized
modifications to the running Linux kernel (integrity checking) or to
credentials (such as user IDs) of the running processes (exploit detection).
For process credentials, LKRG attempts to detect the exploit and take action
before the kernel would grant the process access (such as opening a file) based
on the unauthorized credentials. You can get more information about LKRG at its
brand new homepage:

http://www.openwall.com/lkrg/

LKRG has been in (re-)development for a couple of years and builds upon my prior
experience with a related project in 2011 (for CERN).

An official announcement was made by Openwall and it can be read here:
http://www.openwall.com/lists/announce/2018/01/29/1

A lot of useful technical information about LKRG can be found on the Openwall
wiki page:
http://openwall.info/wiki/p_lkrg/Main

On the BitBucket website you can find the latest LKRG source code, which might
include patches not yet visible in the official release. Currently, LKRG has
two completely separate branches with different threat models and goals.
The main branch is available here:

https://bitbucket.org/Adam_pi3/lkrg-main/

and the experimental branch is available here:

https://bitbucket.org/Adam_pi3/lkrg-experimental/


If you would like to support LKRG, you are very welcome to do so ;-)
You can do it via the Patreon website here:
https://www.patreon.com/p_lkrg



Security Research
Papers

 * Windows 7 TCP/IP hijacking (link)

   * The Pwnie Awards 2021 nominee for Most Under-Hyped Research (link)

 * The short story of broken KRETPROBES and OPTIMIZER in Linux Kernel (link)

 * CVE-2020-16898 - Exploiting "Bad Neighbor" vulnerability (link)

 * The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs
   (CVE-2020-14356 and CVE-2020-25220) (link)

 * Windows Internals 7th edition part 2 - David Kaplan and I wrote a section
   about System Guard Runtime Attestation for the Secure Kernel chapter. (link)

 * "Introducing Windows Defender System Guard Runtime Attestation (SGRA / SGRM)"
   - also known as project Octagon (link)

 * Linux kernel IPI problem - non-response to IPI kills wrong task (link)

 * Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322) (link)
   My exploit and research were used in the Playstation 4 (PS4) hack:

   * FreeBSD Kernel code exec (link)

   * Hacking the PS4, part 3: Kernel exploitation by CTurt (link)

 * Adventure with Stack Smashing Protector (SSP) (link)

 * Microsoft Security Research and Defence Blog (SRD) post: "The story of
   MS13-002: How incorrectly casting fat pointers can make your code explode"
   (link)

 * GCHQ Can you crack it - solving an interesting challenge (link)

 * Phrack 67 article: "Scraps of notes on remote stack overflow exploitation"
   (local copy) (link)

 * "Fake" format strings (in Polish) (link)

 * Advanced usage of system() function (in Polish) (link)

 * Advanced usage of system() function (in English) (link)

 * My VERY old paper (in PDF) about Buffer Overflow bugs (in Polish) (link)

CVEs

 * CVE-XXXX-XXXX - [ PRIVATE ]

 * CVE-2021-1104 - RISC-V ISA contains a documented ambiguity for the MTVEC
   register that may lead to a vulnerability resulting in code-execution in the
   highest privilege level (M-mode) (RISC-V news)

 * CVE-2021-0144 / INTEL-SA-00525 - Intel BIOS Shared SW Architecture (BSSA)
   allows for loading arbitrary unsigned code in the PEI phase

 * CVE-2021-3411 - Linux kernel: broken KRETPROBES and OPTIMIZER (blogpost)

 * CVE-2020-27825 - Linux kernel: Use-After-Free in the ftrace ring buffer
   resizing logic due to a race condition (RedHat)

 * CVE-2020-5986 - NVIDIA vGPU plugin contains insufficient input data size
   validation which may lead to memory corruption on the host or denial of
   service (Security Bulletin)

 * CVE-2020-5983 - NVIDIA vGPU plugin and the host driver kernel module contains
   insufficient boundary validation of the frame buffer memory allocated to
   guest operating systems (Security Bulletin)

 * CVE-2020-25220 - Linux Kernel Use-After-Free in backported patch for
   CVE-2020-14356 (affected kernels: 4.9.x before 4.9.233, 4.14.x before
   4.14.194, and 4.19.x before 4.19.140) (RedHat) (blogpost)

 * CVE-2020-14356 - Linux Kernel Use-After-Free in cgroup BPF component
   (affected kernels: since 4.5+ up to 5.7.10) (RedHat) (blogpost)

 * CVE-2020-12826 - Linux kernel prior to 5.6.5 does not sufficiently restrict
   exit signals (kernel-hardening list)

 * CVE-2019-16905 - OpenSSH Pre-Auth XMSS Integer Overflow (external adv)

 * CVE-2019-11085 / INTEL-SA-00249 - Intel's vGPU driver allows for mapping of
   an arbitrary physical page into the context of the calling process via mmap()

 * CVE-2017-0181 - Hyper-V Remote Code Execution Vulnerability (adv)

 * CVE-2017-0182 - Hyper-V Denial of Service Vulnerability (adv)

 * CVE-2017-0186 - Hyper-V Denial of Service Vulnerability (adv)

 * CVE-2011-4970 / EGI-SVG-2012-2683 - Multiple SQL Injection vulnerabilities in
   Disk Pool Manager (DPM) (adv)

 * CVE-2011-5000 - OpenSSH resource exhaustion bug via GSSAPI (adv)

 * CVE-2011-2193 - Torque Server Buffer Overflow Vulnerability (adv)

 * CVE-2010-1938 - FreeBSD OPIE '__opiereadrec()' Off By One Heap Memory
   Corruption Vulnerability (adv)

 * CVE-2010-0010 - Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow
   Vulnerability (adv)

 * CVE-2009-3604 - Xpdf Multiple Integer Overflow Vulnerabilities and Adobe
   Acrobat Reader for Linux overflow (adv)

 * CVE-2008-2357 - mtr Remote Stack Buffer Overflow Vulnerability caused by
   undocumented situation in 'libresolv' (adv)

 * CVE-2006-0539 - Convert-FCronTab Local Buffer Overflow (adv)

 * CVE-2005-0256 - WU-FTPD Remote Globbing Denial of Service Vulnerability (adv)

 * CVE-2005-2180 - GNATS Arbitrary File Overwrite bug (adv)

 * CVE-2004-1076 - Atari800 Emulator Multiple Local Buffer Overflow
   Vulnerabilities (adv)

 * CVE-2004-0238 - 0verkill Game Client Multiple Local and Remote Server on
   Windows Buffer Overflow Vulnerabilities (adv)

 * CVE-2003-1327 - Wu-Ftpd SockPrintf() Remote Stack-based Buffer Overrun
   Vulnerability (adv)

Some OLD exploits

 * [ PRIVATE ]


 * Windows 7/XP/2K/9x (not only Windows) Blind TCP/IP Hijacking exploit (exp)

 * Windows TCP/IP Remote Code Execution Vulnerability - BSOD exploit for
   CVE-2020-16898 (exp)

 * BadIRET - Linux kernel (up to 3.17.5) exploit for CVE-2014-9322 (exp)

 * Lighttpd PoC code for CVE-2011-4362 (exp)

 * Remote globbing DoS exploit for wu-ftpd (exp)

 * Remote PoC exploit for Exim (exp)

 * Remote exploit for BeroFTPD (exp)

 * Local root exploit for eject (exp)

 * Remote exploit for atftpd (exp)

 * Local root exploit for atari800 (from adv) (exp)

 * Local exploit for ftpdctl (ProFTPD) (exp)

 * Local root exploit for atari800 (exp)

 * Local root exploit for XFree (exp)

 * Better local exploit for 0verkill (exp)

 * Local exploit for 0verkill (from adv) (exp)

 * Local root exploit for kon (exp)

 * Remote DoS exploit for Pi3 Web Server (exp)

 * My very old shellcode (x86) (shellcode)

 * My very old shellcode (x86) which bypasses safexec module by elceef (protects
   exec*() functions) (shellcode)

 * My very old shellcode (MIPS) for IRIX - tested on IRIX 6.5.26m with R12000
   processor (shellcode)

 * My implementation of Virtual Machine for GCHQ 'canyoucrackit' challenge
   (details)

NVIDIA


I'm currently working at NVIDIA as a Principal System Software Engineer
(Offensive Security) in the GPU core team. Noteworthy projects:

> RISC-V:
> 
> * I'm part of the RISC-V TEE and J Extension Task Groups
> 
> * I'm driving the RISC-V Pointer Masking proposal extension (link)
> 
> * HWASAN on RISC-V
> 
> Various offensive security research projects

Conferences

Public conferences

 * DefCon 29 - Glitching RISC-V chips: MTVEC corruption for hardening ISA
   (briefing) (video)

 * BlackHat USA 2021 - Safeguarding UEFI Ecosystem: Firmware Supply Chain is
   Hard(coded) (briefing) (slides)

 * x33fcon 2021 - Windows 10 TCP/IP RCE - from the patch to the screen of death
   (blog) (video)

 * Open Source Tech Conference 2020 - LKRG in a nutshell (slides) (mirrored
   slides)

 * Confidence 2018 - Linux Kernel Runtime Guard (LKRG) under the hood (video)
   (slides)

 * Security BSides 2014 Warsaw - "Nigdy nic nie wiadomo" a.k.a. Modern attacks
   against x86/x64 architecture (like TLB-splitting, virtualization, AMT, SMM,
   ring -3, etc.). (link)

 * SECURE 2014 - The exploitation arm race between attackers and defenders
   (link)

 * Confidence 2013 - Crashdumps hunt 0days and rootkits (video)

 * SecDay 2010 - Linux vs rootkits (slides)

 * SecDay 2009 - Unusual bugs (slides)

 * Forum Informatyki Sledczej - Invisible hacking in practice (link)

 * SysDay 2009 - IP Spoofing is still alive... (slides)

 * SekIT 2008 - Breaking into Linux systems on the x86 architecture
   ("Wlamania do systemow Linux w architekturze x86") (slides)

 * Confidence 2007 - Shellcodes and the MIPS architecture - on IRIX systems
   ("Shellcody a architektura MIPS - na systemach IRIX") (slides)

Internal conferences

 * European Organization for Nuclear Research (CERN) - White Area - pi3fuzz: an
   automatic test framework (blogpost)

 * European Organization for Nuclear Research (CERN) - Security: malware /
   root-kits / viruses (blogpost)

 * Wroclaw University of Technology (Microservers) (link)

 * Wroclaw University of Technology (OBD) (link)

 * Wroclaw University of Technology (Pentesting) (link)

 * Wroclaw University of Technology (Computer Architecture 2) (link)

 * Wroclaw University of Technology (Hacking) (link)

 * Wroclaw University of Technology (Computer Architecture 2) (link)


Microsoft


I used to work at Microsoft as a member of the
Offensive Security Research (OSR)
team. Previously, I was part of the Security Science Team (MSRC) and the
Detection and Defense Team (MSRC). I can't talk about all of my projects / work,
but the ones I can talk about you can find below:

> Windows Defender System Guard Runtime Attestation (SGRA / SGRM) a.k.a. Project
> Octagon - Together with David Kaplan I fully designed it, and it is currently
> a part of every Windows release. Additionally, as part of SGRM, I fully
> implemented the SgrmAgent.sys driver, which has shipped since Windows 10 April
> 2018 Update (RS4) (link)
> 
> Return Flow Guard (RFG) - I was in the v-team for designing and developing
> this mitigation. I also hold a patent for it (link)
> 
> Win32k Iso heaps for NTUSER - I designed and created a PoC Windows build with
> that mitigation. It was used as a base for the current implementation of the
> win32k Iso Heaps mitigation for NTUSER
> 
> Windows Defender ATP (WDATP) - Together with David Kaplan, I designed and
> implemented the SENSE driver, which is a subcomponent of WDATP for detecting
> kernel exploits (including 0days) (link)
> 
> Enhanced Mitigation Experience Toolkit (EMET) - I was part of the team
> developing and maintaining EMET (link)
> 
> SONAR - I was part of the team developing and maintaining a system for
> automatic detonation of untrusted files and links. This tool was converted into
> Office 365 Advanced Threat Protection (link)
> 
> SERA - I was working on a non-public system for automated crashdump analysis.
> I owned and developed the tool for automatic triage of kernel-mode crashdumps.
> I gave a talk about this technology (and ran my tool) at Confidence 2013
> (Crashdumps hunt 0days and rootkits) [video]

Misc projects

DIY projects

I like woodworking! Here are some of my projects:

> I built a shed for my motorcycle from scratch. You can find more details with
> some photos here
> 
> Renovation of my attic (mounting ceiling stairs + new insulation + creating a
> floor). You can find more details with some photos here

I've recently played with soldering water pipes. Here are some of my projects:

> Installing a new main water shutoff valve + back-flow valve + water pressure
> regulator + 2 water pressure test gauges. You can find more details with some
> photos here
> 
> Installing an automatic water sprinkler system in my front and back yard. You
> can find more details with some photos here
> 
> Installing a new hose outside the house. You can find more details with some
> photos here

Music
I play piano and sometimes I feel the need to compose my own solo piano music.
Maybe at some point I'll be comfortable enough to share some of it here:

> Dark Fur Elise - my own interpretation of Fur Elise (listen)
> 
> Moj Ty Jasiulenku - my own interpretation of a Polish folk song (listen)
> 
> Mrok (Dark) - one of the solo piano pieces I've composed (listen)
> 
> Dream - one of the solo piano pieces I've composed (music sheet) (listen)