2010-09-14 - The slides from my recent (re-)presentation (with lots of extra bits) at SEC-T 2010 will soon be online! exploit code [...]
2009-12-18 - The slides from my recent presentation at CRESTCon 2009, the 'replacement' for CHECKCon, are now online! exploit code for the demonstrations [...]
basic research is what I am doing when I don't know what I am doing.

publications
- September 14-10
  SEC-T 2010: "Vulnerabilities in Full/Virtual Disk Encryption Products"
  Neil Kettle
  Rio theatre, Stockholm, Sweden
  [ presentation (pdf) - abstract ]
- December 22-09
  CRESTCon 2009: "[Win32] Full/Virtual Disk Encryption Vulnerabilities"
  Neil Kettle
  15th December, Royal Holloway College, University of London
  [ presentation (pdf) - abstract ]
- April 19-09
  CanSec 2009: "Bug classes we have found in *BSD, OS X and Solaris kernels"
  Neil Kettle and Christer Oberg
  Vancouver, Canada
  [ presentation (odp) - presentation (pdf) - abstract ]
- September 02-08
  Anytime Algorithms for ROBDD Symmetry Detection and Approximation
  Neil Kettle
  PhD thesis, Computing Laboratory, University of Kent, Canterbury, Kent, CT2 7NF.
  [ thesis (pdf) - abstract ]
- June 17-08
  Bit-Precise Reasoning with Affine Functions
  Neil Kettle and Andy King
  In 1st International Workshop on Bit-Precise Reasoning (BPR-2008)
  Abstract: The class of affine Boolean functions is rich enough to express constant bits and dependencies between different bits of different words. For example, the function $(x_0)\wedge(\neg y_1)\wedge(x_4 \leftrightarrow y_7)\wedge(x_5 \leftrightarrow \neg y_9)$ is affine and expresses the invariant that the low bit (bit 0) of the variable $x$ is true, that bit 1 of $y$ is false, that bits 4 and 7 of $x$ and $y$ coincide, whereas bits 5 and 9 of $x$ and $y$ differ. This class of Boolean function is amenable to bit-precise reasoning since it satisfies strong chain properties which bound the number of times a system of semantic fixpoint equations needs to be reapplied when reasoning about loops. This paper addresses the key problem of abstracting an arbitrary Boolean function to either a general affine function or a so-called affine function of width 2, when the function is represented as an ROBDD. Novel algorithms are presented for this task: one that manipulates Boolean vectors and another which is inspired by anti-unification. The speed and precision of both algorithms are compared on benchmark circuits, to draw conclusions on the tractability of affine abstraction.
  [ paper (pdf) - link - no abstract ]
- August 30-07
  An Anytime Algorithm for Generalized Symmetry Detection in ROBDDs
  Neil Kettle and Andy King
  IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), IEEE. (Note: Copyright held by IEEE 2007.)
  [ paper (pdf) - link - abstract ]
- August 10-06
  Proof of New Decompositional Results for Generalized Symmetries
  Neil Kettle and Andy King
  Technical Report 05-06, Computing Laboratory, University of Kent, Canterbury, Kent, CT2 7NF.
  [ paper (ps) - abstract ]
- March 20-06
  Widening ROBDDs with Prime Implicants
  Neil Kettle, Andy King, and Tadeusz Strzemecki
  In Holger Hermanns and Jens Palsberg, editors, 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 3920 of Lecture Notes in Computer Science, pages 105-119. Springer-Verlag. (Note: see http://www.springer.de/comp/lncs/index.html.)
  [ paper (ps) - paper (pdf) - presentation (pdf) - link - abstract ]
- February 16-06
  Proof of New Implicational Relationships between Generalized Symmetries
  Neil Kettle and Andy King
  Technical Report 13-05, Computing Laboratory, University of Kent, Canterbury, Kent, CT2 7NF.
  [ paper (ps) - abstract ]
- January 30-06
  An Anytime Symmetry Detection Algorithm for ROBDDs
  Neil Kettle and Andy King
  In Hidetoshi Onodera, editor, 11th Asia and South Pacific Design Automation Conference (ASPDAC), pages 243-248. IEEE. (Note: Copyright held by IEEE 2006.)
  [ paper (ps) - paper (pdf) - presentation (pdf) - link - abstract ]
vulnerabilities
- September 22-23
  NetIQ/Microfocus Performance Endpoint v5.1 - SIP Remote Denial of Service
  [ endpoint-sip-dos.c ]
- September 22-23
  NetIQ/Microfocus Performance Endpoint v5.1 - SIP Remote Heap Corruption
  [ endpoint-sip-heap.c ]
- July 27-23
  NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM
  [ endpoint-pown.c - endpoint-pown-uni.c ]
- April 23-21
  DblTek GoIP GSM Gateway backdoor remote root
  [ goip-pown-v3.c - SecurityWeek ]
- November 17-19
  ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-frag-dos.c - CVE-2016-10396 ]
- October 01-19
  IBM/Trusteer Rapport macOS - Local Kernel ring0 overflow
  [ rapport-smash.c - rapport-smash-v2.c - rapport-smash-v2.sh - Dark Reading - CVE-2018-1985 ]
- September 13-18
  WebRoot SecureAnywhere macOS - Local Kernel Pointer Overwrite
  [ securenowhere-write.c - ZDNet - The Register - CVE-2018-16962 ]
- July 27-18
  Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel ring0 Code Execution
  [ safeguard-pdisk-overflow.c - safeguard-pdisk-overflow-v2.c ]
- July 24-18
  Oracle Solaris <= 11.3 AVS Local Kernel ring0 Code Execution
  [ sdbc-testinit.c - sdbc-testinit-v2.c - ZDNet - The Register - ThreatPost - Oracle Critical Patch Update Advisory - July 2018 - CVE-2018-2892 ]
- July 23-18
  Silicon Graphics Inc (SGI) - IRIX - rpc.espd Remote File Read Vulnerability
  [ irix-espd.c ]
- April 13-15
  Apple Mac OS X < 10.9/10? Local Root Exploit
  [ osx-irony-assist.m - Rootpipe (Wiki) ]
- February 08-11
  DESLock+ <= 4.1.2 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn-v3.c ]
- January 07-11
  Silicon Graphics Inc (SGI) - IRIX - Local Kernel Memory Disclosure/Denial of Service
  [ irix-xlvattrget-dos.c ]
- September 16-10
  Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device 'unmount' Exploit
  [ safeguard-pdisk-unmount.c ]
- September 16-10
  Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk Local Kernel Device header 'overwrite' Exploit
  [ safeguard-pdisk-write-header.c ]
- May 26-10
  SecurStar DriveCrypt <= 5.4 Local Kernel ring0 Code Execution
  [ drivecrypt-dcr.c - BID-45750 ]
- May 26-10
  SecurStar DriveCrypt <= 5.4 Local Kernel Arbitrary File Read/Write Exploit
  [ drivecrypt-fopen.c ]
- April 26-10
  NovaSTOR NovaNet <= 12.0 Remote Memory Read/Denial of Service
  [ novanet-read.c - BID-39693 ]
- April 26-10
  NovaSTOR NovaNet <= 12.0 Remote Code Execution
  [ novanet-own.c - novanet-own-lnx.c - CVE-2009-0849 - BID-39693 ]
- April 26-10
  NovaSTOR NovaNet/NovaBACKUP Network <= 13.0 Remote Denial of Service
  [ novanet-dos.c - BID-39693 ]
- January 15-10
  Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel Denial of Service/ring0 Code Execution
  [ safecentral-unharden.c - BID-37939 ]
- January 15-10
  Authentium SafeCentral <= 2.6 shdrv.sys Local Kernel ring0 Code Execution
  [ safecentral-unharden-v2.c - BID-37939 ]
- October 02-09
  VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Denial of Service
  [ vmware-pop.c - CVE-2009-3282 - BID-36579 ]
- October 02-09
  VMware Fusion <= 2.0.5 vmx86 kext Local Kernel Root Exploit
  [ vmware-fission.c - CVE-2009-3281 - BID-36578 ]
- August 10-09
  DESLock+ <= 4.0.2 dlpcrypt.sys Driver Local Kernel Denial of Service
  [ deslock-dlpcrypt-v2.c ]
- August 10-09
  DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel ring0 Code Execution
  [ deslock-vdlptokn.c ]
- August 10-09
  DESLock+ <= 4.0.3 vdlptokn.sys Driver Local Kernel Denial of Service
  [ deslock-vdlptokn-v2.c - CVE-2008-4362 ]
- June 23-09
  B-Labs Bopup Communication Server <= 3.2.26.5460 Remote Buffer Overflow
  [ bopup-down.c - CVE-2009-2227 ]
- June 18-09
  DESLock+ 4.0.2 dlpcrypt.sys Driver Local Kernel ring0 Code Execution
  [ deslock-dlpcrypt.c - CVE-2009-4832 - BID-35432 ]
- May 14-09
  Apple Mac OS X xnu <= 1228.x workqueue Index Validation Vulnerability
  [ xnu-workq-v2-64.c - iDEFENSE-797 - Apple Mac OS X Security Update 2009-002 - CVE-2008-1517 - BID-34959 ]
- May 13-09
  ipsec-tools racoon isakmp-frag Remote Denial of Service
  [ racoon-isakmp-dos.c - CVE-2009-1574 - BID-34765 ]
- May 02-09
  Sun Solaris 10/OpenSolaris <= snv_113 dtrace Local Kernel Denial of Service
  [ solaris-dtrace-dos.c - CVE-2009-1478 - BID-34753 ]
- May 02-09
  Sun Solaris 10/OpenSolaris <= snv_113 fasttrap Local Kernel Denial of Service
  [ solaris-fasttrap-dos.c - CVE-2009-1478 - BID-34753 ]
- March 30-09
  Apple Mac OS X xnu <= 1228.x hfs-fcntl Local Kernel Root Exploit
  [ xnu-hfs-fcntl-v2.c - xnu-hfs-fcntl-v2.sh - CVE-2009-1235 - BID-34203 - informationweek.com - Heise-Security ]
- March 30-09
  Apple Mac OS X xnu <= 1228.x vfssysctl Local Kernel Denial of Service
  [ xnu-vfssysctl-dos.c - CVE-2009-1238 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09
  Apple Mac OS X xnu <= 1228.x profil Local Kernel Memory Leak/Denial of Service
  [ xnu-profil-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09
  Apple Mac OS X xnu <= 1228.x macfsstat Local Kernel Memory Leak/Denial of Service
  [ xnu-macfsstat-leak.c - CVE-2009-1237 - BID-34202 - informationweek.com - Heise-Security ]
- March 30-09
  Apple Mac OS X xnu <= 1228.x appletalk zip-notify Remote Kernel Overflow
  [ xnu-appletalk-zip.c - CVE-2009-1236 - BID-34201 - informationweek.com - Heise-Security ]
- March 30-09
  FreeBSD >= 7.0 ktimer Local Kernel Root Exploit
  [ bsd-ktimer.c - CVE-2009-1041 - BID-34196 - Heise-Security ]
- February 26-09
  Apple Mac OS X xnu <= 1228.x get_ldt Local Kernel Memory Disclosure
  [ xnu-get_ldt.c - CVE-2008-4218 ]
- September 20-08
  DESLock+ <= 3.2.7 DLMFENC.sys Driver Local Kernel Vulnerabilities
  [ deslock-overflow.c - deslock-probe-race.c - deslock-probe-read.c - CVE-2008-4363 - BID-31273 ]
- June 17-08
  Deterministic Network Enhancer dne2000.sys Driver Local Kernel ring0 Code Execution
  [ dne2000-call.c - CVE-2008-5121 - BID-29772 - CERT-858993 - Heise-Security ]
- February 26-08
  Apple Mac OS X xnu <= 1228.3.13 ipv6-ipcomp Remote Kernel Denial of Service
  [ xnu-ipv6-ipcomp.c - CVE-2008-0177 - BID-27642 - CERT-110947 - informationweek.com ]
- February 18-08
  DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel ring0 Code Execution
  [ deslock-list-zero.c - deslock-list-zero-v2.c - CVE-2008-1138 - CVE-2008-1139 - BID-27862 ]
- February 18-08
  DESLock+ <= 3.2.6 DLMFDISK.sys Driver Local Kernel ring0 Code Execution
  [ deslock-pown-v2.c - CVE-2008-1140 - BID-27862 ]
- February 18-08
  DESLock+ <= 3.2.6 DLMFENC.sys Driver Local Kernel Memory Leak
  [ deslock-list-leak.c - CVE-2008-1141 - BID-27862 ]
- January 29-08
  SafeNET IPSecDrv.sys Driver Local Kernel ring0 Code Execution
  [ safenet-ipsec-call.c - CVE-2008-0573 - BID-27496 ]
- January 14-08
  Cisco Systems VPN Client IPSec Driver Local Kernel System Pool Corruption
  [ cvpndrv-dos.c - CVE-2008-0324 - BID-27289 ]
- December 12-07
  Apple Mac OS X xnu <= 1228.0 cs_validate_page Local Kernel Denial of Service
  [ xnu-superblob-dos.c - CVE-2007-6359 - BID-26840 ]
- December 05-07
  Apple Mac OS X xnu <= 1228.0 load_threadstack Local Kernel Denial of Service
  [ xnu-macho-dos.c - CVE-2007-6261 - BID-26700 - Heise-Security ]
- December 05-07
  Apple Mac OS X <= 10.5.1 vpnd Remote Denial of Service
  [ vpnd-leopard-lb-dos.c - CVE-2007-6276 - BID-26699 - Heise-Security ]
- October 16-07
  eXtremail <= 2.1.1 Multiple Remote Vulnerabilities
  [ extremail-v3.pl - extremail-v4.c - extremail-v5.c - extremail-v6.c - extremail-v8.pl - CVE-2007-5466 - CVE-2007-5467 - BID-26074 ]
- September 25-07
  Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability
  [ iDEFENSE-600 - CVE-2007-4571 - BID-25807 ]
- August 07-07
  Apple Mac OS X mDNSResponder HTTP Request Heap Overflow
  [ iDEFENSE-573 - Apple Mac OS X Security Update 2007-007 - CVE-2007-3744 - BID-25159 ]
- July 17-07
  tcpdump <= 3.9.6 BGP Remote Integer Overflow
  [ tcpdump-bgp.c - print-bgp.c-diff - CVE-2007-3798 - BID-24965 - Gentoo Bug #184815 - Heise-Security ]
- June 08-07
  SafeNET IPSecDrv.sys Remote ring0 Denial of Service
  [ safenet-dos.c - CVE-2007-3157 - BID-24385 ]
- April 27-07
  mydns 1.1.0 Remote Heap Overflow
  [ mydns-rr-smash.c - mydns-update.c-diff - CVE-2007-2362 - BID-23694 - Gentoo Bug #176130 ]
- April 20-07
  eXtremail <= 2.1.1 Remote Buffer Overflow
  [ extremail-v9.c - CVE-2007-2187 - BID-23577 ]
- March 31-07
  dproxy-nexgen Remote Buffer Overflow
  [ dproxy-v1.c - CVE-2007-1866 - BID-23243 ]
- March 20-07
  Mercur SP4 5.00.14 Remote Buffer Overflow
  [ mercur-v2.pl - CVE-2006-1255 - BID-17138 ]
- March 20-07
  Mercur SP4 5.00.14 Remote Buffer Overflow
  [ mercur-v1.pl - CVE-2007-1578 - BID-23058 ]
- March 07-07
  Mercury IMAPD 4.01/(a,b) Remote Buffer Overflow
  [ mercurypown-v1.pl - CVE-2007-1373 - SA24367 ]
- March 02-07
  MailEnable <= v2.37 Remote Buffer Overflow
  [ maildisable-v4.pl - mailenable_imap_append.pm - CVE-2007-1301 - BID-22792 ]
- February 16-07
  MailEnable <= v2.35 Remote Buffer Overflow
  [ maildisable-v6.pl - CVE-2006-6423 - SA23201 ]
- February 16-07
  MailEnable <= v2.34 Remote Buffer Overflow
  [ maildisable-v3.pl - SA23047 ]
- February 14-07
  MailEnable <= v2.36 Remote Denial Of Service
  [ maildisable-v5.pl - CVE-2007-0955 - SA24139 ]
- February 14-07
  MailEnable <= v2.37 Remote Denial Of Service
  [ maildisable-v7.pl - CVE-2007-0955 - SA24139 ]
- February 07-07
  AXIGEN <= v2.0.0b1 Remote Denial Of Service
  [ doaxigen.c - CVE-2007-0886 - BID-22473 ]
- February 07-07
  AXIGEN <= v2.0.0b1 Remote Denial Of Service
  [ doaxigen-v2.c - CVE-2007-0887 - BID-22473 ]