The Linux kernel's SLOB allocator is primarily used on embedded systems. I developed a series of new attacks against SLOB that may be used to exploit progressively more constrained vulnerabilities, ranging from an arbitrary heap overflow to an off-by-one NULL byte. I also released libplayground, a simple framework I used to develop and test these techniques.
After studying every public example of remote kernel exploitation, I developed a fully working exploit for a remote kernel stack overflow in the Linux kernel's implementation of the ROSE amateur radio protocol. The exploit installs a kernel backdoor in the victim host, allowing the attacker to send and trigger arbitrary userland payloads at will. The exploit targets 32-bit PAE kernels, requiring the use of return-oriented programming (ROP) in kernel mode.
Jon Oberheide and I gave a presentation on exploitation techniques against Linux kernels hardened with the grsecurity patchset. By leveraging the leakage of uninitialized stack data in conjunction with an existing arbitrary kernel write vulnerability, we demonstrated two techniques that could be used to escalate privileges.
In addition to auditing the Linux kernel to find and fix vulnerabilities, I'm involved in an effort to implement proactive security features upstream. So far, I've implemented two sysctls, dmesg_restrict and kptr_restrict, both of which are designed to minimize leakage of potentially sensitive information that can be useful when developing kernel exploits.
Next on the list is to continue reducing information leakage, properly marking and enforcing certain structures as read-only, restricting unprivileged loading of kernel modules, and possibly randomizing kernel code on boot.
I created a tool called FuzzDiff to help make crash analysis during file format fuzzing easier. When provided with a fuzzed file, a corresponding original un-fuzzed file, and the path to the targeted program, FuzzDiff will selectively "un-fuzz" portions of the fuzzed file while re-launching the application to monitor for crashes. This will yield a file that still crashes the target application, but contains a minimum set of changes from the original, un-fuzzed file. This can be useful in pinning down the exact cause of a crash.
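A simplified version of the un-fuzzing loop described above, written here as an added illustration rather than FuzzDiff's own code: it reverts groups of mutated bytes back to the original in shrinking groups and keeps a revert only if the file still crashes, so the survivor carries only the mutations the crash needs. The 32-byte sample file, the `fake_target_crashes` oracle (which stands in for re-launching the target program) and the function names are constructed for this example.

```python
# Constructed sample: a 32-byte "original" and a fuzzed copy with 8 mutated bytes.
ORIGINAL = bytes(range(32))
_FUZZED = bytearray(ORIGINAL)
for _pos in (1, 4, 7, 9, 13, 20, 25, 30):
    _FUZZED[_pos] = 0xFF
FUZZED = bytes(_FUZZED)


def fake_target_crashes(data: bytes) -> bool:
    """Constructed stand-in for launching the target: it 'crashes' only when two
    specific mutated bytes are present together, like a real two-field parser bug."""
    return data[4] == 0xFF and data[20] >= 0x80


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i in range(len(a)) if a[i] != b[i]]


def minimize(original: bytes, fuzzed: bytes, crashes) -> bytes:
    """Revert mutated bytes to the original in shrinking groups, keeping a revert
    only if the file still crashes. Returns a still-crashing file that differs
    from the original in a minimal (greedy, not guaranteed optimal) set of bytes."""
    if len(original) != len(fuzzed):
        raise ValueError("this simplified minimizer assumes equal-length files")
    if not crashes(fuzzed):
        raise ValueError("the fuzzed file does not crash; nothing to minimize")
    current = bytearray(fuzzed)
    remaining = diff_offsets(original, fuzzed)   # mutations not yet shown necessary
    chunk = max(len(remaining), 1)
    while chunk >= 1 and remaining:
        i = 0
        while i < len(remaining):
            group = remaining[i:i + chunk]
            trial = bytearray(current)
            for off in group:                    # un-fuzz this group of bytes
                trial[off] = original[off]
            if crashes(bytes(trial)):            # still crashes: group was unneeded
                current = trial
                del remaining[i:i + chunk]
            else:                                # crash lost: keep group, move on
                i += chunk
        chunk //= 2
    return bytes(current)


def run_demo() -> dict:
    """Minimize the constructed sample and count how many 'launches' it took."""
    launches = 0

    def counted(data: bytes) -> bool:
        nonlocal launches
        launches += 1
        return fake_target_crashes(data)

    result = minimize(ORIGINAL, FUZZED, counted)
    return {"necessary": diff_offsets(ORIGINAL, result), "launches": launches}
```

For the sample above `run_demo()` reports that only offsets 4 and 20 are needed, found in 12 oracle calls instead of one per mutated byte per pass.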
I completed my Master's research at Brown University with advisor Roberto Tamassia. My work involved developing solutions to provide proof of data integrity when using outsourced file storage, specifically Amazon S3 (paper). I developed a prototype that detects data tampering without any client-side storage requirements (no local checksums) and minimal performance overhead.