About me
Welcome to my little corner. I am Jonathan Salwan and I have a strong interest in low-level computing and
program analysis. I work on tool development for vulnerability research, and my research is mostly focused on
both static and dynamic program analysis. I also enjoy doing things in various fields such as OSdev, the Linux
kernel, bug exploitation and other low-level stuff. You will find the results of my different research projects
on this blog.
Short blog posts
Presentations
- Dynamic Behavior Analysis Using Binary Instrumentation
St'Hack, Bordeaux, 2015. [slide]
Abstract: This talk can be considered as part 2 of my talk at SecurityDay.
In the previous part, I talked about how it is possible to cover a targeted
function in memory using the DSE (Dynamic Symbolic Execution) approach. Covering
a function (or its states) doesn't mean finding all vulnerabilities: some vulnerabilities
don't crash the program. That's why we must implement specific analyses to
find specific bugs. These analyses are based on binary instrumentation and
the runtime behavior analysis of the program. In this talk, we will see how it is
possible to find the following kinds of bugs: off-by-one, stack / heap overflow,
use-after-free, format string and {write, read}-what-where.
- Covering a function using a Dynamic Symbolic Execution approach
Security Day, Lille, 2015. [slide]
Abstract: This talk is about binary analysis and instrumentation. We will see how it is possible to
target a specific function, snapshot the memory/register context before the function, translate the instrumented
instructions into an intermediate representation, apply a taint analysis based on this IR, build and keep formulas for
Dynamic Symbolic Execution (DSE), generate a concrete value to go through a specific path, restore the memory/register
context, generate another concrete value to go through another path, and then repeat this operation until the target
function is covered.
- An introduction to the Return Oriented Programming and ROP-chain generation
Bordeaux University, 2014. [slide]
Abstract: This talk is an introduction to Return Oriented Programming and its variants
such as JOP, SOP, etc. It also describes some techniques and ongoing work on ROP-chain generation
based on backtracking or symbolic execution.
- An introduction to the Return Oriented Programming
MISC Magazine HS-09, 2014. [link]
Abstract: This article is an introduction to Return Oriented Programming. In this article
we describe the operating systems' protections in detail and explain why ROP exploitation is
useful. We also provide a detailed step-by-step example of ROP exploitation of the
CVE-2011-1938 vulnerability.
- Software testing and concolic execution
LSE Summer Week, Paris, 2013. [slide]
Abstract: This talk is an introduction to concolic execution using Valgrind
and Z3. Concolic execution is a technique that uses both symbolic and concrete execution.
In this talk we introduce a little tool which breaks a dumb crackme.
Mini projects
- Kaminou-Kernel - Another (unfinished) mini Kernel from scratch, 2012-11-11
Abstract: Just another (unfinished) kernel from scratch... At first I didn't plan on releasing this project,
but it was dying in a directory. This project was just for understanding how a kernel works and contains the following features:
32-bit protected mode, multitasking, paging, memory allocation, interrupts, exceptions, syscalls.
- Useless emulator for fun (VMNDH-2k12), 2012-03-26
Abstract: This emulator is totally useless, but it was created for the NDH 2012 CTF. Some challenges
were based on the NDH architecture, a new architecture which looks like a mix between ARM and x86. The project contains
a compiler, a debugger and a virtual machine.
- ROPgadget - Gadgets finder and auto-roper, 2011-03-12
Abstract: This tool lets you search for gadgets in your binaries to facilitate your ROP exploitation. ROPgadget
supports the ELF, PE and Mach-O formats on the x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures.
It also offers a dumb ROP-chain generation.
Vulnerabilities publicly disclosed
- CVE-2013-6392 - Kernel MSM < 3.10 - Kernel memory disclosure in the Genlock driver
- CVE-2013-6122 - Goodix gt915 Android touchscreen driver - Race condition
- CVE-2013-4740 - Goodix gt915 Android touchscreen driver - Multiple Kernel memory corruption
- CVE-2013-4739 - Android Kernel msm-3.4/jb_3* - Kernel memory disclosure in the Gemini JPEG/Jpeg1.0 engines
- CVE-2013-4738 - Android Kernel msm-3.4/jb_3* - Kernel Stack overflow in camera post processing driver (CPP)
- CVE-2013-2239 - OpenVZ kernel 2.6.32 (042stab080.1) - Multiple kernel memory disclosure
- CVE-2013-2164 - Linux Kernel 3.9.5 - Kernel memory disclosure in cdrom driver
- CVE-2009-4800 - Sysax FTP server 4.5 - DELE request handling Traversal arbitrary file deletion
- CVE-2009-1031 - Serv-U FTP server 7.4 - MKD request handling Traversal arbitrary directory creation