[lcamtuf.coredump.cx] Name.....Michal Zalewski
Age..1078940921 seconds
Life expectancy..2239056000 seconds
Height.....184 centimeters
Weight........80 kilograms
Nationality............. US, PL
Residence..........mine shaft
Security tools
NEW! AFL is a highly successful C/C++ code fuzzer that automatically injects closed-loop instrumentation into tested programs at compile time to magically generate interesting test cases. The performance impact is very modest, and the tool works in a plug-and-play fashion even with large codebases. You can check out a cool demo and a collection of synthesized test cases, too.
NEW! P0f v3 is a 100% passive fingerprinter capable of identifying operating systems and software on the other end of outgoing and incoming TCP connections. It can also detect NAT, connection sharing, and so forth. An earlier version is integrated in one shape or another with OpenBSD, Ettercap, pfsense, amavisd, postgrey, PRADS, milter, etc. Some useful companion articles: "Nmap's Silent Partner", "Dynamic Honeypots".
Skipfish is a ridiculously fast and sleek active web application security scanner. It is capable of reaching over 2000 requests per second and detecting tricky problems such as stored XSS, blind SQL injection, or XSRF flaws [Slashdot].
Ratproxy is a passive security testing proxy that observes user interactions with JavaScript-rich web applications, and automatically annotates them with security-relevant information [Slashdot]. A small companion bookmarklet, unlocker, is also available.
Tmin is a small, simple, and convenient fuzzing crash case minimizer. Unlike delta, it does not require the data format to be tokenized and then re-serialized, and integrates with typical fuzzing scenarios rather well.
Stompy is a fairly advanced entropy verifier for session cookies, XSRF tokens, OTPs, and other random data. It goes well beyond FIPS-140-2, performing n-dimensional spectral testing as well.
Fl0p is a passive, layer 7 flow fingerprinter that does not look at packet payloads, only at their relative sizes, direction, and timing. It can be used to peek into encrypted tunnels, automatically telling interactive typing from batch operations, GETs from POSTs, successful from failed login attempts, and much more. You can also check out some sample signatures, or check out a related blog post.
Memfetch is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers - and a convenient way to grab "screenshots" from many types of text-based interactive utilities.
0trace is a traceroute tool that can be run within an existing, open TCP connection - therefore bypassing some types of stateful packet filters with ease. You probably want to use Jagger's improved version or Jon Oberheide's Python port, though.
Individual exploits and vulnerability demos: I used to showcase them here, but their (usually) transient nature makes it somewhat unproductive. If you want to stay in the loop on my recent work, head over to my blog, follow me on Twitter, or just watch BUGTRAQ or so. A random subset of my work tends to get picked up by Slashdot, too: say, link 1, link 2, link 3, link 4, link 5, link 6, link 7.
Various small fuzzers - these have a bit more of a lasting value, so here's a brief list of released tools: cross_fuzz for multiple documents - crashed every browser on the market [Slashdot]; ref_fuzz for DOM bindings - ditto; mangleme for HTML and image parsing routines - ditto, also won me this spiffy title [Slashdot]; DOM Checker for validating SOP rules - found several UXSS bugs; Canvas fuzzer - crashed every browser that supports <canvas>; or transition fuzzer - exposed fun bugs in MSIE and Opera.
Tools of historical interest - these programs are ancient, and may no longer work, or be broken in other ways: Fenris - a cool annotating runtime tracer; fakebust - a step-by-step malware analyzer; snowdrop - watermarking for C code and text files; bugger - a fuzzer that tweaks client state instead of the exchanged data; therev - document change history spider; poink - nosuid TCP ping; ld-expl - world's best exploit (!); bunny - a predecessor of AFL.
Security writings
FABULOUS! The Tangled Web is my most recent book, a lovingly crafted guide to the world of browser security, offering a detailed and thoroughly enjoyable account of both the "how" and the "why" of the modern web. The page I set up includes ToC, sample chapters, and reviews, so check it out.
NEW! Artur Janc and I have recently released this write-up on web tracking. It's probably one of the most comprehensive and balanced reviews of the tracking & fingerprinting vectors in modern browsers, so have a look.
My blog is an up-to-date source for vulnerability research updates and industry-themed rants that would otherwise never see the light of day. Some of my posts get occasionally re-published at ZDnet, and then - no idea why - by Slashdot (1, 2, 3).
Notes from the post-XSS world is an attempt to predict the future of markup injection vulnerabilities once their "cross-site scripting" aspect is taken care of by Content Security Policy or other script-containment frameworks. The surprising conclusion is that not much will change: the consequences of the underlying bug would be about as grave.
Browser Security Handbook, published in 2008, was probably the first reasonably comprehensive attempt to examine and enumerate the security-relevant properties of modern browsers [Slashdot]. The 60-page long analysis served as a foundation for "The Tangled Web".
Silence on the Wire is my 2005 book: an illustrated guide through some of the more challenging and subtle problems in information security (no talk of buffer overflows and cross-site scripting, I promise). French, German, Italian, Polish, Chinese, and Russian translations are available.
Cracking safes with thermal imaging is a goofy experiment in using thermal cameras to read latent keypad patterns in real-world settings [Hack-a-Day, Schneier].
NEW! As it turns out, you can do Boolean algebra in CSS to exfiltrate one's browsing history. More of an exercise in futility than anything else, but probably an interesting read.
"Strike that out..." is a quirky after-hours project that amounted to spidering microsoft.com for change tracking data still embedded in the published Word documents. The findings are rather amusing, and demonstrate how tricky it is to get this functionality under control, even when dealing with your own products [Slashdot].
My 2001 TCP/IP ISN research (and a 2002 followup) is a detailed study of 3-dimensional attractor reconstruction as a method of defeating PRNGs used by TCP/IP stacks. These papers are widely cited in various literature, and inspired related work by Dan Kaminsky and Joe Stewart [Slashdot 1, Slashdot 2]. A chapter of SotW is dedicated to these problems.
IP fragmentation flaw: as it turns out, the way IP fragmentation interacts with TCP checksums permits attackers to blindly spoof portions of TCP/IP packets without the need to guess sequence numbers. There are some mitigating factors, but it's an interesting design glitch. A more general discussion of this problem can be, again, found in SotW.
Delivering signals for fun and profit is a 2001 paper describing a class of race condition vulnerabilities triggered by asynchronous signal delivery to privileged applications (both locally and over the network). The problem plagued most of the software back then (Sendmail included), and isn't quite sorted out today.
The absence of fd-based unlink() causes an interesting range of /tmp-related issues on most unix systems, as explored in this 2002 paper. While several complex designs can be employed to work around this flaw, most implementations remain vulnerable to this day.
Writings of historical interest - I have published a couple of then-novel and now probably just embarrassing papers and other investigative pieces in the late 90s and very early 2000s. It's probably time to let them slide down the memory hole, but what the hell: unicorns; network-based parasitic storage; Museum of Broken Packets; Rise of the robots... heck, there's even more dirt you can dig up on me, but I'm not helping you with your homework.
Robots and CNC
Concise Electronics for Geeks is my anatomically correct but reasonably accessible introduction to electronics for infosec and robotics geeks [Makezine].
UPDATED! Guerrilla guide to CNC machining and resin casting - this is my frequently updated, epic, two volume, 60,000 word account of everything I learned in the past 5 years when it comes to hobbyist CNC work. The guide is of interest to about five people in the world, but hey [Makezine, Hack-a-Day, HN]. Also check out this summary [Hack-a-Day again].
Omnibot mkII is my current robot project - painstakingly machined, cast, and assembled from scratch [Makezine, Hack-a-Day] (also check out this gearbox).
Tinybot mkIII is my earlier design, and probably one of the most practically useful devices I created so far [Makezine].
NEW! Geiger-Mueller mood lamp: prepare for doomsday in style! This lamp combines a high-voltage Russian military surplus radiation detector with soothing LED array color transitions; just what your living room might need [Makezine].
Simple 2.5D photography - this page documents an interesting experiment in laser-assisted scene acquisition for computational photography purposes [Makezine].
Shannon's Ultimate Machine - why not! My own take on the well-known theme: a machine that exists only to shut itself off.
DHS tribute threat level indicator - possibly one of the most ridiculous things ever done. But looks pretty [Makezine, Slashdot].
Configurable photographic light surfaces - an exceedingly simple project that requires no special equipment to complete, and can be quite useful to photographers.
NEW! Taking photos of drops of water - pretty self-explanatory [Hack-a-Day].
NEW! Notes on Intel Edison - building a Beowulf cluster, or something.
Perpetual robot works - just a confusing photo gallery of various prototypes and designs I experimented with.
Paper of historical interest: you can check out my old $50 robot building guide, documenting my very first take on a mobile robot (somewhere in 2001) - photo. The landscape has changed so significantly that following this advice makes little or no sense, though.
Photography and other diversions
Yes, I do photography. I started somewhere in 2001 (long before it became a prerequisite for all infosec people - so I'm still cool) - and that sort of continues to this day. I progressed through a black-and-white and color darkroom, but am now simply shooting digital. Of (extremely) topical interest, you can also have a peek at QE2 cruise photos and fishtank outtakes - but if that's not stalking, I'm not sure what is.
Pointless pursuits: I have a long history of ridiculous but amusing projects, including: The Wreck of Steamer Stella - poetry as an interpreted language; eProvisia - a laughable company that duped several mainstream media outlets and industry experts [ZDnet, Slashdot, Ars Technica]; Catty - a Google-based chatbot; blog generator - a Catty-based blogging entity; IMPROVED! evil finder - a handy proving tool [Fark]; and lost souls, a page logging outlandish search referrers in real time.
Other people: I have two kids, a wife, and several other pages to link to: taviso, scarybeasts, asirap, secret lives of numbers, 20q, counter-script.
Projects of historical interest: Argante, culture shock (defunct), who runs the alphabet (defunct), assembler hell, DIX, text-based JPEG viewer, and other assorted stuff in this directory.