Articles and projects

XNU research

Lately I've mostly been focusing on iOS kernel exploitation, with Luca Todesco.

Among the bugs I've found was the fsevents double free race condition patched by Google Project Zero.

Details of the other bugs I've found may be disclosed at some point in the future.

FreeBSD kernel bugs

I've spent a lot of time auditing the FreeBSD kernel for vulnerabilities (previously as a member of the HardenedBSD team), and have proved successful in finding and patching several.

Below is a list of the critical bugs I have reported and analysed.

A full list of bug reports, including the non-critical bugs, as well as the link to the accepted patch in FreeBSD, where applicable, can be found here.


I decided to research the Sony PlayStation 4 console, using a publicly available WebKit exploit to run my own ROP chains. I used this exploit to dump the available userland modules, and after some reverse engineering of how the JIT system calls were used, I was able to gain unsigned code execution under the WebKit process. Several months later, I developed a kernel exploit for the system using the BadIRET vulnerability. I used this exploit to dump the kernel, before analysing it to help exploit a vulnerability in the kernel's dynamic linker, which I had previously found by fuzzing. I've documented my experiences in the following articles:


Exploits and reverse engineering


The Nintendo DS was my first experience of programming; I've used the platform for many different projects!


Buffer overflow exploits in DS games are ridiculously common. Did you know that every single FIFA game on the DS can be used to run unsigned code?

While checking the FIFA games for buffer overflows, I also came across numerous other bugs, including format string vulnerabilities (however they are not exploitable since the official Nitro SDK doesn't appear to support the "%n" format).

IQ overflow

Just a funny vulnerability I found in the game EA Sports Football Academy DS.


I've also tried programming for the 3DS. It would be much easier to program for (more RAM, faster processors, less limited video modes), but since it is much newer than the DS, there is not nearly as much documentation or examples available yet.


Most articles written with RMD.