• Creating a rogue CA certificate

    I was a member of an international team of researchers who successfully executed a practical MD5 collision attack and were able to create a rogue CA trusted by all common browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connection.

  • Bypassing browser memory protections in Windows Vista

    An in-depth analysis of the exploitation mitigations in Windows Vista and multiple techniques for bypassing them using browser plugins.

  • Blackbox reversing of XSS filters

    Finding security vulnerabilities in XSS filters in web applications using an iterative model generation approach.

  • Heap Feng Shui in JavaScript

    A technique for precise manipulation of the browser heap using specific sequences of JavaScript allocations, allowing for the reliable exploitation of heap corruption vulnerabilities.

  • TinyPE

    Creating the smallest possible PE executable.

  • Third-party patches

    Using reverse engineering to create patches for critical vulnerabilities before the official vendor patches are released.

  • Automatic vulnerability detection using static source code analysis

    My thesis on a technique for static source code analysis for vulnerability detection and its implementation as an extension to GCC.

  • Honeynet reverse challenge

    I won fourth place in the the reverse engineering contest organized by the Honeynet Project in 2002.


Jan 8, 2008 OpenPegasus PAM authentication buffer overflow
Jun 12, 2007 Internet Explorer URLMON class factory uninitialized memory vulnerability
May 8, 2007 Exchange calendar MODPROPS denial of service
Mar 29, 2007 Windows ANI header buffer overflow
Jan 27, 2007 Internet Explorer ActiveX bgColor property denial of service [UNPATCHED]
Dec 15, 2006 Windows CSRSS message box double free
Jan 5, 2006 Windows Metafile infinite loop vulnerability [UNPATCHED]
Feb 8, 2005 Multiple vulnerabilities in Operator Shell
Aug 8, 2002 OpenLDAP KBIND authentication buffer overflow


Mar 26, 2004 Windows ASN.1 bitstring heap corruption
Oct 15, 2003 ProFTPd ASCII translation heap overflow
Sep 17, 2002 Apache OpenSSL heap overflow
Aug 7, 2002 OpenLDAP KBIND authentication buffer overflow
Oct 10, 2000 Solaris locale format string bug