https://sean.heelan.io/about-me/2026-01-19T22:57:12+00:00weekly0.6https://sean.heelan.io/2026/01/18/on-the-coming-industrialisation-of-exploit-generation-with-llms/2026-01-19T22:52:42+00:00monthlyhttps://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/https://sean.heelan.io/wp-content/uploads/2025/05/screenshot-from-2025-05-06-18-07-39.pngScreenshot from 2025-05-06 18-07-392025-06-05T17:27:44+00:00monthlyhttps://sean.heelan.io/2023/06/30/application-optimisation-with-llms-finding-faster-equivalent-software-libraries/2023-06-30T14:57:16+00:00monthlyhttps://sean.heelan.io/2023/03/01/finding-10x-performance-improvements-in-c-with-codeql-part-2-2-on-combining-dynamic-and-static-analysis-for-performance-optimisation/https://sean.heelan.io/wp-content/uploads/2023/02/screenshot-from-2023-02-21-19-40-38.pngscreenshot-from-2023-02-21-19-40-38https://sean.heelan.io/wp-content/uploads/2023/02/screenshot-from-2023-02-21-19-40-09-1.pngscreenshot-from-2023-02-21-19-40-09-1https://sean.heelan.io/wp-content/uploads/2023/02/screenshot-from-2023-02-21-19-40-09.pngscreenshot-from-2023-02-21-19-40-09https://sean.heelan.io/wp-content/uploads/2023/02/monero_graph1.pngmonero_graph1https://sean.heelan.io/wp-content/uploads/2023/02/monero_asm2.pngmonero_asm2https://sean.heelan.io/wp-content/uploads/2023/02/monero_asm1.pngmonero_asm1https://sean.heelan.io/wp-content/uploads/2023/02/bitcoin3.pngbitcoin3https://sean.heelan.io/wp-content/uploads/2023/02/bitcoin2.pngbitcoin2https://sean.heelan.io/wp-content/uploads/2023/02/asm2.pngasm2https://sean.heelan.io/wp-content/uploads/2023/02/asm1.pngasm12023-03-01T09:05:48+00:00monthlyhttps://sean.heelan.io/2023/02/14/combining-static-and-dynamic-analysis-in-performance-optimisation-part-1-60-improvements-with-continuous-profiling-and-library-matching/2023-02-14T10:37:18+00:00monthlyhttps://sean.heelan.io/2012/03/23/anatomy-of-a-symbolic-emulator-part-1-trace-generation/2023-02-13T18:03:05+00:00monthlyhttps://sean.heelan.io/posts/2023-02-13T17:57:47+00:00weekly0.6https://sean.heelan.io/2019/02/07/some-cool-projects-from-a-dagstuhl-seminar-on-sat-smt-and-cp/https://sean.heelan.io/wp-content/uploads/2023/02/19062.02.l.jpg19062.02.l2023-02-10T18:52:23+00:00monthlyhttps://sean.heelan.io/2023/02/10/optimising-an-ebpf-optimiser-with-prodfiler-repost/https://sean.heelan.io/wp-content/uploads/2023/02/default-mimalloc-simd-z3pgo-k2pgo.pngdefault-mimalloc-simd-z3pgo-k2pgohttps://sean.heelan.io/wp-content/uploads/2023/02/default-mimalloc-simd-z3pgo-speedup.pngdefault-mimalloc-simd-z3pgo-speeduphttps://sean.heelan.io/wp-content/uploads/2023/02/z3-flamegraph.pngz3-flamegraphhttps://sean.heelan.io/wp-content/uploads/2023/02/topn-mimalloc-simd.pngtopn-mimalloc-simdhttps://sean.heelan.io/wp-content/uploads/2023/02/default-mimalloc-simd-speedup.pngdefault-mimalloc-simd-speeduphttps://sean.heelan.io/wp-content/uploads/2023/02/char8-simd-copy.pngchar8-simd-copyhttps://sean.heelan.io/wp-content/uploads/2023/02/uint8-copy-loop.pnguint8-copy-loophttps://sean.heelan.io/wp-content/uploads/2023/02/stl-bitvector-h.pngstl-bitvector-hhttps://sean.heelan.io/wp-content/uploads/2023/02/vb-loop-disasm.pngvb-loop-disasmhttps://sean.heelan.io/wp-content/uploads/2023/02/init-safety-chk.pnginit-safety-chk2023-02-10T17:33:13+00:00monthlyhttps://sean.heelan.io/2020/11/18/phd-thesis-greybox-automatic-exploit-generation-for-heap-overflows-in-language-interpreters/2020-11-19T12:51:45+00:00monthlyhttps://sean.heelan.io/research/2020-11-02T22:23:49+00:00weekly0.6https://sean.heelan.io/2019/10/30/gollum-modular-and-greybox-exploit-generation-for-heap-overflows-in-interpreters/https://sean.heelan.io/wp-content/uploads/2019/10/results.pngExploit generation resultsExploit generation and primitive search resultshttps://sean.heelan.io/wp-content/uploads/2019/10/layouts_solved.pngHeap layout solution comparison% of heap layout benchmarks solved by random search (rand) versus the genetic algorithm (evo)https://sean.heelan.io/wp-content/uploads/2019/10/gollum.pngGollumWorkflow diagram showing how Gollum produces exploits and primitives2019-11-01T18:16:38+00:00monthlyhttps://sean.heelan.io/2019/03/05/automation-in-exploit-generation-with-exploit-templates/2019-03-12T12:59:14+00:00monthlyhttps://sean.heelan.io/heaplayout/2018-08-21T10:49:49+00:00weekly0.6https://sean.heelan.io/program-analysis-training/2017-12-05T16:11:17+00:00weekly0.6https://sean.heelan.io/2017/08/12/fuzzing-phps-unserialize-function/2017-08-14T13:05:07+00:00monthlyhttps://sean.heelan.io/2011/06/21/satsmt-summer-school-2011-summary-days-5-6/2017-08-13T11:59:02+00:00monthlyhttps://sean.heelan.io/2011/06/16/satsmt-summer-school-2011-summary-days-3-4/2017-08-13T11:58:42+00:00monthlyhttps://sean.heelan.io/2011/06/15/satsmt-summer-school-2011-summary-day-2/2017-08-13T11:58:25+00:00monthlyhttps://sean.heelan.io/2011/06/13/satsmt-summer-school-2011-summary/2017-08-13T11:58:08+00:00monthlyhttps://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/2017-08-13T11:56:47+00:00monthlyhttps://sean.heelan.io/2017/07/31/upcoming-public-training-4-days-of-advanced-tool-development-with-smt-solvers-london-nov-17/2017-07-31T11:59:38+00:00monthlyhttps://sean.heelan.io/2010/12/07/misleading-the-public-for-fun-and-profit/2016-05-27T15:52:13+00:00monthlyhttps://sean.heelan.io/2015/11/19/rust-compiler-plugins-a-simple-example/2016-05-26T17:21:23+00:00monthlyhttps://sean.heelan.io/2009/11/30/finding-bugs-with-static-analysis/https://sean.heelan.io/wp-content/uploads/2009/11/uaf_results3.jpgAnalysis resultsAnalysis resultshttps://sean.heelan.io/wp-content/uploads/2009/11/uaf_results2.jpgAnalysis ResultsAnalysis Resultshttps://sean.heelan.io/wp-content/uploads/2009/11/uaf_results1.jpgResults of static analysis for use-after-free bugshttps://sean.heelan.io/wp-content/uploads/2009/11/uaf_results.jpgResults of static analysis for use-after-free bugs2016-05-26T17:20:52+00:00monthlyhttps://sean.heelan.io/2016/04/26/fuzzing-language-interpreters-using-regression-tests/2016-05-26T17:20:10+00:00monthlyhttps://sean.heelan.io/2016/04/13/some-early-stage-work-on-statistical-crash-triage/2016-05-26T17:19:09+00:00monthlyhttps://sean.heelan.io/2011/05/08/finding-optimal-solutions-to-arithmetic-constraints/https://sean.heelan.io/wp-content/uploads/2011/05/max_val_sat.pngMaximising the productFinding the maximum product of height and widthhttps://sean.heelan.io/wp-content/uploads/2011/05/check_ovf.pngCheck OverflowUsing the solver to check if an overflow is possible on the argument to malloc2016-05-26T17:17:45+00:00monthlyhttps://sean.heelan.io/2010/11/05/augment-your-auditing-with-a-theorem-prover/2016-05-26T17:17:14+00:00monthlyhttps://sean.heelan.io/2012/03/23/anatomy-of-a-symbolic-emulator-part-3-processing-symbolic-data-generating-new-inputs/2016-05-26T17:16:12+00:00monthlyhttps://sean.heelan.io/2009/05/06/issa-ireland-seminar/2016-05-26T17:15:53+00:00monthlyhttps://sean.heelan.io/2012/03/23/anatomy-of-a-symbolic-emulator-part-2-introducing-symbolic-data/2016-05-26T17:14:33+00:00monthlyhttps://sean.heelan.io/2010/10/02/validity-satisfiability-and-instruction-semantics/https://sean.heelan.io/wp-content/uploads/2010/10/find_gadget_context.pngMultiple context specific gadgetsFinding multiple gadgets to achieve the same resulthttps://sean.heelan.io/wp-content/uploads/2010/10/find_gadget_arguments.pngfind_gadget.py argumentsArguments to find_gadget.pyhttps://sean.heelan.io/wp-content/uploads/2010/10/preserve_esi.pngEAX == 0x1, preserve ESIA generic gadget to set EAX to 1 while preserving ESIhttps://sean.heelan.io/wp-content/uploads/2010/10/eax_generic.pngEAX == 0x1A generic gadget to set EAX to 0x12016-05-26T17:13:52+00:00monthlyhttps://sean.heelan.io/2010/10/27/code-analysis-carpentry-ruxcon-2010/2016-05-26T17:13:03+00:00monthlyhttps://sean.heelan.io/2011/03/30/heap-scripts-for-tcmalloc-with-gdbs-python-api/https://sean.heelan.io/wp-content/uploads/2011/03/freelist_chunks.pngfreelist_chunksThe chunks in a given FreeListhttps://sean.heelan.io/wp-content/uploads/2011/03/freelist_dump1.pngfreelist_dumpTCMalloc FreeLists within Chrome on Linuxhttps://sean.heelan.io/wp-content/uploads/2011/03/freelist_dump.pngfreelist_dumpA dump of the FreeLists for TCMalloc within Chrome2016-05-26T17:12:00+00:00monthlyhttps://sean.heelan.io/2010/10/15/determining-variable-ranges-part-i/https://sean.heelan.io/wp-content/uploads/2010/10/other.pngAnother testConfirming our byte pattern holds for the other rangeshttps://sean.heelan.io/wp-content/uploads/2010/10/precise_final.pngPrecise resultsDiscovering the exact values that are possible within the range 0x400000:0x407fffhttps://sean.heelan.io/wp-content/uploads/2010/10/first_phase_spec_range.pngChecking a specific rangeHere we check the 0x0x400000:407fff rangehttps://sean.heelan.io/wp-content/uploads/2010/10/first_phase1.pngfirst_phasehttps://sean.heelan.io/wp-content/uploads/2010/10/first_phase.pngFirst phaseCoarse analysis searching for candidate rangeshttps://sean.heelan.io/wp-content/uploads/2010/10/ins_sequence.pngTest Instruction SequenceOur tests will be for the range 0x767920c6:767921862016-05-26T17:11:02+00:00monthlyhttps://sean.heelan.io/2011/04/14/exploit-necromancy-in-tcmalloc-reviving-the-4-to-n-byte-overflow-primitive-with-insert-to-freelistx/https://sean.heelan.io/wp-content/uploads/2011/03/freelist_ovf3.pngFreeList_ovf3A memory region of our choosing is handed back to the application https://sean.heelan.io/wp-content/uploads/2011/03/freelist_ovf2.pngFreeList_ovf2Allocation from a corrupted FreeListhttps://sean.heelan.io/wp-content/uploads/2011/03/freelist_ovf1.pngFreeList_ovf1Overflow of Chunk A into Chunk Bhttps://sean.heelan.io/wp-content/uploads/2011/03/freelist_allocate2.pngFreeList_allocate2FreeList allocationhttps://sean.heelan.io/wp-content/uploads/2011/03/freelist.pngFreeListExampleFreeList example2016-05-26T17:10:21+00:00monthlyhttps://sean.heelan.io/2011/05/10/infiltrate-2011-slides/2016-05-26T17:09:48+00:00monthlyhttps://sean.heelan.io/2012/07/10/better-interpreter-fuzzing-with-clang/2016-05-26T17:07:31+00:00monthlyhttps://sean.heelan.io/2012/07/27/smt-solvers-for-software-security-usenix-woot12/2016-05-26T17:07:12+00:00monthlyhttps://sean.heelan.io/2012/12/05/moving-location/2016-05-26T17:06:41+00:00monthlyhttps://sean.heelan.io/2010/07/17/applying-taint-analysis-and-theorem-proving-to-exploit-development/2016-05-26T17:04:39+00:00monthlyhttps://sean.heelan.io/2009/09/06/game-over-thank-you-for-playing-academia/2016-05-26T17:00:48+00:00monthlyhttps://sean.heelan.io/2009/06/21/extending-to-new-vulnerability-classes/2016-05-26T16:59:50+00:00monthlyhttps://sean.heelan.io/2009/06/19/gathering-constraints-from-conditional-branches/2016-05-26T16:59:22+00:00monthlyhttps://sean.heelan.io/2009/06/02/model-checking-smt-solving-and-morphing-shellcode/2016-05-26T16:57:59+00:00monthlyhttps://sean.heelan.io/2009/06/01/fun-uses-for-an-smt-solver/2016-05-26T16:57:26+00:00monthlyhttps://sean.heelan.io/2009/05/20/pin-problem-solved/2016-05-26T16:53:36+00:00monthlyhttps://sean.heelan.io/2009/05/15/the-romance-is-over/2016-05-26T16:53:11+00:00monthlyhttps://sean.heelan.io/2009/05/13/not-all-shellcode-locations-are-made-equal/https://sean.heelan.io/wp-content/uploads/2009/05/constraint_lattice21.jpgConstraint complexity latticeConstraint complexity lattice2016-05-26T16:52:18+00:00monthlyhttps://sean.heelan.io/2009/05/11/difficulties-in-taint-data-propagation-without-an-ir/2016-05-26T16:51:23+00:00monthlyhttps://sean.heelan.io/2009/05/11/granular-instrumentation-with-pin/2016-05-26T16:50:48+00:00monthlyhttps://sean.heelan.io/2009/05/06/blackhat-usa-paper/2016-05-26T16:50:02+00:00monthlyhttps://sean.heelan.io/2016/03/29/nyc-london-training-dates-a-contest-for-students/2016-04-30T10:33:04+00:00monthlyhttps://sean.heelan.io/2016/02/25/public-edition-of-advanced-tool-development-with-smt-solvers-coming-soon/2016-02-25T17:55:10+00:00monthlyhttps://sean.heelan.io/2009/07/05/automatic-exploit-generation-lessons-learned-so-far/2010-07-23T22:21:30+00:00monthlyhttps://sean.heelan.io/2009/09/06/exploit-generation-a-specialisation-of-testing/2009-09-06T15:21:30+00:00monthlyhttps://sean.heelan.iodaily1.02026-01-19T22:57:12+00:00