Mitigation bounty — 4 techniques to bypass mitigationsThis post discloses 4 techniques to bypass mitigations that were rejected by Microsoft as “by design” or “already known”. For each…Dec 19, 2016Dec 19, 2016
Mitigation bounty — From read-write anywhere to controllable callsThis post describes how a read-write anywhere primitive can be used to call valid CFG functions repeatedly while controlling all arguments…Dec 19, 2016Dec 19, 2016
Mitigation Bounty — IntroductionMore than a year ago, I joined Google Security after 7 years at Microsoft. It is fascinating to have the ability to compare how security is…Dec 19, 2016Dec 19, 2016
Randomizing the Linux kernel heap freelistsThis article discusses freelist randomization options that I added recently in the Linux kernel (v4.8). The option is available for the…Sep 8, 2016Sep 8, 2016
How bad design decisions created the least secure driver on WindowsThis driver is called win32k, it manages the user interface of Windows. This post will discuss the multiple bad ideas that are part of this…Aug 21, 2016Aug 21, 2016
Kernel memory randomization and trampoline page tablesIn the past few months, I have been working on adding memory randomization to the Linux kernel for x86_64. Coding low-level and early boot…Aug 14, 2016Aug 14, 2016