Research & Publications

Heap Layout Optimisation for Exploitation (2017)

Given a trigger for a heap-based buffer overflow or underflow, automatically find a way to allocate a useful target object on the heap and place the vulnerability source buffer adjacent to this target object. The goal is to assist with manual exploitation by producing primitives, and as a component in an automatic exploit generation system for heap-based vulnerabilities.

BlackHat EU 2017 – Slides [pdf]
(Full paper is currently under review for an academic conference. If you’d like to see it, drop me a mail via my first name at

Automated Root Cause Identification for Crashing Executions (2016)

Given a crashing input, produce a program trace which correlates lines in a program and variable values with the crash occurring. The goal is to significantly speed up the amount of time taken to understand a crash and decide if it is likely to be security vulnerability or not.

Infiltrate 2016 – Slides [Google Docs] – Video [Vimeo]

Ghosts of Christmas Past: Fuzzing Language Interpreters using Regressions Tests (2014)

Fuzzing language interpreters using their regression tests to provide information on the available APIs, mechanisms of object construction and usage, and general structure of valid inputs.

Infiltrate 2014 – Slides [pdf]

Augmenting Vulnerability Analysis of Binary Code (2012)

Utilising run-time data tracking in binary applications to prioritise regions of the target for code review and then augment that code review with data source and sink information.

ACSAC 2012 – Paper [pdf]

SMT Solvers for Software Security (2012)

A survey and review of various SMT-based technologies in software security, including vulnerability detection, exploit generation and deobfuscation.

WOOT 2012 – Paper [pdf]

Vulnerability Detection Systems: Think Cyborg, Not Robot (2011)

Informal article arguing that by focusing on full automation all of the time we are missing opportunities to solve real-world problems with human/computer hybrid systems, and also missing research problems which arise when one attempts to build such systems.

IEEE Security & Privacy Magazine – Article [pdf]

Attacking the WebKit Heap (2011)

Internals of the tcmalloc allocator and exploitation strategies, along with techniques for manipulating the WebKit heap as found in Safari.

Infiltrate 2011 – Slides [pdf]

Code Analysis Carpentry (2010)

An introduction to SMT solvers, symbolic execution and symbolic execution engine found in Immunity Debugger.

Ruxcon/Kiwicon 2010 – Slides [pdf]

Applying Taint Analysis and Theorem Proving to Exploit Development (2010)

Using run-time data flow tracking and concolic execution to generate crafted inputs for use during exploit construction.

REcon 2010 – Slides [pdf]

Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities (2009)

University of Oxford – MSc Thesis [pdf]