Anestis Bechtsoudis

1.3K posts

@anestisb

InfoSec Engineer @census_labs - Driven by passion for challenges

Greece. Joined January 2011
302 Following, 929 Followers
Anestis Bechtsoudis retweeted
argp @_argp:
Congratulations to my @census_labs colleague Zisis Sialveras (@_zisis) for being accepted to present his amazing work on VMware vulnerability research and exploit development at Black Hat USA 2024: blackhat.com/us-24/briefing…
Anestis Bechtsoudis @anestisb:
@dwizzzleMSFT @parityzero Thanks for sharing. Looking forward to adding stronger access control on top (AppContainer SID based?). Eliminating key lifting is a great first step, but protecting against unauthorised key usage from admin/system-level actor is also essential. Identity keys desperately need it.
Anestis Bechtsoudis @anestisb:
I’m hiring to grow our confidential computing security eng. team (edge devices & cloud platforms). If hypervisors, virt, attestation, (v)TPM, KVM, crosvm, SGX/TDX/SEV-SNP/VMPL, dynamic passthrough & VirtIO tickle your brain, drop me a message to discuss potential opportunities.
Anestis Bechtsoudis retweeted
CENSUS @census_labs:
CENSUS is a sponsor of the 6th Cybersecurity in Financial Services Summit 2023 taking place on November 21st in London. Our presentation titled “AI-Are we doomed?” will shed light on the fascinating yet scary world of AI and how it affects #Financial Institutions & Cybersecurity.
Anestis Bechtsoudis retweeted
Dimitris Glynos @dfunc:
If you enjoy working on software security assessments, please note that our "Application Security Engineer" position is now also open for remote working: census-labs.com/openings/#cfase #infosec
Anestis Bechtsoudis retweeted
Dimitris Glynos @dfunc:
Do you enjoy working on Trusted Boot, Trusted Execution Environments, Secure Elements, HSMs, CPU virtualization, hardware attestation, embedded architecture sec. reviews, hardening kernels, system components or bare metal firmware? This job is for you: census-labs.com/openings/#cfes
Anestis Bechtsoudis retweeted
argp @_argp:
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027); epic logical exploitation writeup by huku: census-labs.com/news/2021/04/1…
Anestis Bechtsoudis retweeted
Jeff Vander Stoep @jeffvanderstoep:
Rust in the Android platform! We’re excited to announce that the Android Open Source Project (AOSP) now supports the Rust programming language for OS development! security.googleblog.com/2021/04/rust-i…
Anestis Bechtsoudis retweeted
Bjoern Kerler @viperbjk:
This was never meant to be released. bkerler.github.io/2020/08/03/bri… I once reported the xpu2/xpu3 0-day to qc, and they seem to have fixed it on the latest sdm platform, thus it's time to release this now. Enjoy getting full control. It's easiest using it on an unfused device :D
Anestis Bechtsoudis retweeted
Dimitris Glynos @dfunc:
We're growing our hardware lab team at @census_labs. Now looking for a dedicated electronics engineer. For more information see: census-labs.com/openings/#cfee
Anestis Bechtsoudis @anestisb:
@shawnwillden @phhusson @MishaalRahman @topjohnwu @DanielMicay Thanks for sharing. Curious how QC will impl. the UDS latch. Assume similar to SHK don’t want ODM to fuse so will be OEM burned at SecBoot enable stage. QFPROM r/w perm table in shadow mem is the main acl for fuses afaik, which with EL3 exec is modifiable. Any info you can share?
John Wu @topjohnwu:
If you are curious how all this thing works, check out this wiki page for a brief intro. en.wikipedia.org/wiki/Trusted_e… As I said, if you manage to break into TEE, publish a paper, be famous (academically), and enjoy the bounty money 😉
Quoting John Wu @topjohnwu:
To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography. Breaking TEE won't be easy, which is why many security researchers are actively working on it.
Anestis Bechtsoudis retweeted
Shawn Willden @shawnwillden:
@phhusson @MishaalRahman @topjohnwu @DanielMicay If you're not familiar with the DICE concept, here it is: Start with a device-unique secret fused into the SoC. The ROM uses this secret and a hash of the first bootloader stage to derive an EC key pair, then flips a switch that disables access to the fuses until next reboot.
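The DICE flow Shawn Willden describes above, as an added runnable model that is not part of the thread: a fused device-unique secret (UDS), the ROM measuring the first bootloader stage, a compound device identifier derived with HMAC-SHA256 (the construction assumed here; the tweet only says "derive"), a P-256 key pair derived from that identifier, and a latch that refuses further UDS reads until the next reset. The curve arithmetic is a minimal pure-Python P-256 for illustration only, not constant time and not production code.

```python
import hashlib, hmac

# NIST P-256 domain parameters (standard constants, not from the thread).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine add/double on y^2 = x^3 - 3x + B; None = infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):  # double-and-add scalar multiplication (illustration only)
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x - 3 * x + B)) % P == 0

class FuseLatch:  # models the ROM "switch" that hides the UDS until reboot
    def __init__(self, uds):
        self._uds, self._open = uds, True
    def read_uds(self):
        if not self._open:
            raise PermissionError("UDS access latched until next reboot")
        return self._uds
    def latch(self):
        self._open = False

def derive_device_key(latch, bootloader_image):
    # ROM step (modelled): CDI = HMAC-SHA256(UDS, H(bootloader)), then latch.
    fw_hash = hashlib.sha256(bootloader_image).digest()
    cdi = hmac.new(latch.read_uds(), fw_hash, hashlib.sha256).digest()
    latch.latch()                                   # fuses unreadable from here on
    d = int.from_bytes(cdi, "big") % (N - 1) + 1    # private scalar in [1, N-1]
    return d, _mul(d, G)                            # (private key, public point)
```

The same UDS with the same bootloader image always yields the same key, while any change to the measured bootloader yields a different one, which is what lets a verifier tie the key to the code that booted.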
Anestis Bechtsoudis retweeted
chompie @chompie1337:
I repurposed @maddiestone's #BadBinder PoC for the S8/S8 Active Snapdragon. I bypass DAC + SELinux + Knox/RKP using a couple techniques I developed that I haven't seen used before. PoC here: github.com/chompie1337/s8…
Anestis Bechtsoudis @anestisb:
VdexExtractor 0.6.0 released with Android 10 support. Seems that new 021 version has minor changes to support Vdex files generated from InMemoryDexClassLoader. To worry about perf there, G seems to invest a lot on it. | github.com/anestisb/vdexE…