Welcome to my little corner, I am Jonathan Salwan and I
have a strong interest in low-level computing and program analysis. I works on tools development for vulnerabilities
research and my researches are mostly focused on both static and dynamic program analysis. I also enjoy doing things
in various fields like: OSdev, Linux Kernel, bugs exploitation and other low-level stuff. You will find the results
of my different researches on this blog.
Short blog posts
- Covering a function using a Dynamic Symbolic Execution approach
Security Day, Lille, 2015. [slide]
Description: This talk is about binary analysis and instrumentation. We will see how it's possible to
target a specific function, snapshot the context memory/registers before the function, translate the instrumentation
into an intermediate representation,apply a taint analysis based on this IR, build/keep formulas for a Dynamic
Symbolic Execution (DSE), generate a concrete value to go through a specific path, restore the context memory/register and
generate another concrete value to go through another path then repeat this operation until the target function is covered.
- An introduction to the Return Oriented Programming and ROP-chain generation
Bordeaux University, 2014. [slide]
Description: This talk is about an introduction to the return oriented programming and its variants
like JOP, SOP... It also describes some techniques and active works about ROP-chain generation
based on backtracking or symbolic execution.
- An introduction to the Return Oriented Programming
MISC Magazine HS-09, 2014. [link]
Description: This article is about an introduction to the return oriented programming. In this article
we describe the Operating Systems' protections in detail and explains why the ROP exploitation is
useful. We also provides a detailled step-by-step example of the ROP exploitation on the
- Software testing and concolic execution
LSE Summer Week, Paris, 2013. [slide]
Description: This talk is about an introduction to the concolic execution using Valgrind
and Z3. Concolic execution is a technique that uses both symbolic and concrete execution.
In this talk we introduce a little tool which breaks a dumb crackme.
- Kaminou-Kernel - Another (unfinished) mini Kernel from scratch, 2012-11-11
Description: Just another (unfinished) kernel from scratch... At first I didn't plan on releasing this project,
but it's dying in a directory. This project was just for understanding how the kernel works and contains these following features:
Protected mode 32 bits, Multitasking, Paging, Memory Allocation, Interrupts, Exceptions, Syscalls.
- Useless emulator for fun (VMNDH-2k12), 2012-03-26
Description: This emulator is totally useless, but it was created for the CTF NDH 2012. Some challenges
was on the NDH architecture. The NDH architecture is a new architecture which look like a mix between ARM and x86. The project contains
a compiler, a debugger and a virtual machine.
- ROPgadget - Gadgets finder and auto-roper, 2011-03-12
Description: This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget
supports the ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures.
It also offers a dumb ROP-chain generation.
Vulnerabilities publicly disclosed
- CVE-2013-6392 - Kernel MSM < 3.10 - Kernel memory disclosure in the Genlock driver
- CVE-2013-6122 - Goodix gt915 Android touchscreen driver - Race condition
- CVE-2013-4740 - Goddix gt915 Android touchscreen driver - Multiple Kernel memory corruption
- CVE-2013-4739 - Android Kernel msm-3.4/jb_3* - Kernel memory disclosure in the Gemini JPEG/Jpeg1.0 engines
- CVE-2013-4738 - Android Kernel msm-3.4/jb_3* - Kernel Stack overflow in camera post processing driver (CPP)
- CVE-2013-2239 - OpenVZ kernel 2.6.32 (042stab080.1) - Multiple kernel memory disclosure
- CVE-2013-2164 - Linux Kernel 3.9.5 - Kernel memory disclosure in cdrom driver
- CVE-2009-4800 - Sysax FTP server 4.5 - DELE request handling Traversal arbitrary file deletion
- CVE-2009-1031 - Serv-U FTP server 7.4 - MKD request handling Traversal arbitrary directory creation