Security reseach articles

---

FreeBSD kernel exploits

• Analysis of CVE-2016-1886, SETFKEY FreeBSD kernel vulnerability
• Analysis of CVE-2016-1887, sendmsg FreeBSD kernel heap overflow
• Analysis of stack disclosure vulnerabilities in FreeBSD compatibility layers

A full list of bug reports, including the non-critical bugs, as well as the link to the accepted patch in FreeBSD, where applicable, can be found here.

PS4 research

A set of articles describing the entire process of exploiting the PS4 console to gain kernel code execution just from visiting a web page with the Internet Browser.

• Hacking the PS4, part 1 - Introduction to PS4's security, and userland ROP
• Hacking the PS4, part 2 - Userland code execution
• Hacking the PS4, part 3 - Kernel exploitation
• Analysis of sys_dynlib_prepare_dlclose PS4 kernel heap overflow

XNU research

Most recent research I've been doing has been focussed on the iOS kernel, with Luca Todesco.

just got reliable kernel pc control from this new iOS 10 jailbreak chain I’ve been working on with @CTurtE :)

— qwertyoruiop (@qwertyoruiopz) October 25, 2016

Amoung the bugs I've found was the fsevents double free race condition, which was also found and patched by Google Project Zero.

Had a bug collision with the fsevents double free race patched today (I found it 5 months ago): https://t.co/KgO27DIMKC

— CTurt (@CTurtE) April 3, 2017

Details of the other bugs I've found may be disclosed at some point in the future.

Misc

• Writing a Game Boy emulator
• Reverse Engineering and Modding Mario Pinball Land (GBA)