Twitter, Github, @amarsaar@infosec.exchange
BlueHatIL 2022 - Security Analysis of MTE Through Examples: slides, video, repo
Blackhat USA 2021 - Security Analysis of CHERI ISA: slides, video
Blackhat USA 2020 - Breaking VSM by Attacking SecureKernel: slides, video
35C3 - Modern Windows Userspace Exploitation: slides, video, repo
Recon BRX 2018 - Linux Vulnerabilities Windows Exploits: slides, repo
BlueHatIL 2018 - Linux Vulnerabilities Windows Exploits: slides, video, repo
MICRO '23 CHERIoT: Complete Memory Safety for Embedded Devices
CHERIoT: Rethinking security for low-cost embedded systems
Security analysis of CHERI ISA
Evaluating the feasibility of enabling SMAP for the Windows kernel
LFH Internals and Exploitation (Hebrew)
Survey of security mitigations and architectures, December 2022
CHERIoT:
ipc_kmsg_get_from_kernel vulnerability: iOS 15.4 - root cause analysis, part 2 - exploitation primitive, part 3 - more overlaps
iOS 16 beta:
iBoot Firebloom:
Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2
WebContent->EL1 LPE: OOBR in AppleCLCD / IOMobileFrameBuffer
Exhaust EL1 memory from the app sandbox
str::repeat - stable wildcopy exploit of CVE-2018-1000810
Attacking the VM Worker Process
First Steps in Hyper-V Research
Deterministic LFH - bypass && mitigate LFH randomization
Warm up exercises: preparing for the Ubuntu 21.10 CTFs
echo pwn challenge, googlequals2020 - solution