Samuel Groß
@5aelo
Working on Project Zero, Big Sleep, and V8 Security. Personal account. Also @[email protected] and saelo.bsky.social
Zürich, Switzerland
Joined May 2013
  • Pinned
    I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage:
  • Fuzzilli, my JavaScript engine fuzzer, is now open source: github.com/googleprojectz… \o/ Keep an eye on the Project Zero bugtracker in the next few weeks for some of the bugs found with it. Also let me know if you encounter any problems when using it! :)
  • Slides + recording of my #36c3 talk: saelo.github.io/presentations/… media.ccc.de/v/36c3-10497-m… had to omit many details, but blogpost coming soon!
  • I'm excited (and also a little sad) to announce that after 3 fantastic years with Project Zero, it's time for me to try something new. So starting this month, I'll be building up and leading a new V8 security team at Google!
  • My #pwn2own exploit chain from this year, essentially 3 logic bugs to go from Safari to kernel on macOS up to 10.13.3, is now open source: github.com/saelo/pwn2own2…. The README also links to a few slide decks which contain some more background information :)
  • Here are the slides from the "Attacking JavaScript Engines in 2022" talk by @itszn13 and myself @offensive_con. It's a high-level talk about JS, JIT, various bug classes, and typical exploitation flows but with lots of references for further digging! saelo.github.io/presentations/…
  • New blogpost on some recent fuzzing work of mine (and 0click attack surfaces!):
  • The in-the-wild zero-click iMessage exploit detected by @citizenlab last year apparently didn't affect iOS 14. I did some reverse engineering to see what had changed in that release and found lots of cool things!
  • Here are the slides from my #OffensiveCon19 talk about my approach for JavaScript engine fuzzing: saelo.github.io/presentations/… My master's thesis (for which I developed the fuzzer) can be found here: saelo.github.io/papers/thesis.… Thanks for the great conference @offensive_con! =)
  • After looking at iOS 12.4.1 I'm happy to say that Apple has hardened iMessage by no longer allowing child classes during its NSUnarchiving (context: googleprojectzero.blogspot.com/2019/08/the-fu…). This prevents almost all of the vulnerabilities @natashenka and I found from being remotely exploited :)
  • Small blog post on how to run iOS code natively on Arm-based Macs. Enjoy :)
  • Today is the 3rd anniversary of "Attacking JavaScript Engines". Not a lot has changed, but I tried to briefly summarize the things that did: gist.github.com/saelo/dd598a91… It's been a few months since my last interactions with JSC though, so any corrections/additions are very welcome :)
  • My talk on iMessage exploitation (fahrplan.events.ccc.de/congress/2019/…) starts in two hours. You can watch it in room Ada or on streaming.media.ccc.de/36c3 #36c3