I find and exploit 0day, develop OSes, hypervisors and emulators, design massively parallel data structures and code, and do precision machining! Optimization❤️

Seattle, WA
We did it, we used our exploit to snapshot a running Android device, and then brought it into QEMU where we can single step it, apply full symbols (since we build a binary identical to the release build), and of course... fuzz it in the future :)
I'm dropping a 10.0 CVSS Linux vulnerability in all Linuxes next week. Make sure you turn off your internet facing telnet servers
Feeling down? iOS jailbreak you've been working on for a year got patched? Fuzzer not finding any bugs? Miss the 90s where everything crashed? Change your time format on Windows to 90 characters! Watch everything fall over as they get 90 character formats from Windows APIs!
You are invited to Fuzz Week 2020! The week where I demonstrate some of the basics of fuzzers, all the way to my thoughts about cutting edge fuzzing. We'll write some of our own basic fuzzers, learn how to use AFL, read some papers, rant a lot, and more! gamozolabs.github.io/2020/07…
Tell me fun hacking/RE/low-level beginner projects. Go! My suggestion: Write a Windows DLL injector (something that injects a DLL into a foreign process so that you can add your own sauce to it)
What's it like to be inside AFL? We wrote a tool to find out! Much much more to come, but it generates random programs which report real-time information over shared memory, then over websockets to a visualization! github.com/gamozolabs/cookie…
High-performance QEMU tracing of all PCs and memory accesses (read/write + addr + size + value read/written). Capable of doing about 2 x86 cycles/MIPS instruction with full tracing. Here's a cool demo video of watching all memory accesses in real-time! piped.video/watch?v=dYyjc2qq…
Wooo! My first paper!
Definitely in my⚡Top3 best papers! My fuzzing conjecture 2020 has just been accepted @FSEconf (2xAccept, 1xAward Quality). Turns out there is no sudden road block; more like a frontier that is exponentially harder to push. 📄: mboehme.github.io/paper/FSE2… Collab w/ @gamozolabs!
It finally came. Will be doing some reverse engineering and hacking streams in a few weeks! 🧙‍♂️
Fuzz week day 1 is up on YouTube. All the others have uploaded and are pending processing by YouTube (probably ~12 hours). piped.video/watch?v=2xXt_q3F…
I'm excited to start a new Software Metrology team at Microsoft. Our focus is to develop and open source multiple tools for fuzzing, debugging, and reproducing bugs. I'm lucky to start off the team with a great group of people, providing for a great internal group and community!
Introducing the fzero fuzzer! A target-architecture-agnostic grammar-based fuzzer (inspired by F1). With no input size constraints, multi-thread support, and all Rust code for no corruption bugs. 5x faster than the world's fastest grammar-based fuzzer ;D github.com/gamozolabs/fzero_…
Replying to @gf_256
Regardless of it not aging well or not, who the fuck simps for a big company like this. Do they think they're gonna get a raise? I mean, maybe they just really love it that much, in which case I envy their passion because it probably means they're happy, which is cute I guess.
Pro-tip to all security researchers. Never do this. This is exactly the shit that causes a big rift between developers and security researchers. It's simply insulting to developers time to drop such a useless list of bugs on them.
CITL just posted the ~7000 software defects/vulns they are making available to 3,243 Ubuntu-APT package maintainers. Blog post with full list of the target software, package, and faults is here: cyber-itl.org/2020/10/28/cit…
Today I am releasing one of my best Android fuzzers I've ever written. This single fuzzer successfully finds vulnerabilities on Android every time I have used it. Sadly it requires source, but here it is. Run it on your AOSP/kernel tree. `grep -rli Broadcom`
Pro-tip. Ever wonder what a structure _actually_ looks like in memory when it's full of unions, typedefs, etc? The `pahole` command (from the `dwarves` package) can take in an ELF with DWARF symbols and output the structures unrolled recursively. Example: gist.github.com/gamozolabs/0…
Replying to @h0mbre_
The function is marked hidden, you can’t see the code
Operation The Floor is Lava is finally complete. Not a single thing touching the floor except for my table legs. 100 GbE in, switches in, everything can be vacuumed. It’s beautiful.
64 full 2 GiB Windows 10 VMs fuzzing Word, 4.39 million unique coverage entries in seconds (full system coverage), 3.35 GiB memory use. No problem! Things are finally falling into place, and scaling is exactly as desired. So much memory/input sharing between cores :3
The results are in. About 5 billion fuzz cases, a few 10 hours streams, and we found 6 unique bugs in OpenBSD ctags. All with an absolutely garbage fuzzer. Some were pretty tricky (uninit stack use, global overflows), but vecemu was able to detect em! gist.github.com/gamozolabs/a…
If a few million dollars can buy you bugs to get into nearly every device in the world, maybe we should stop being so surprised it keeps happening.
Need binary code coverage on Windows without access to source or an ability to recompile code? Try out mesos! A simple, debugger-based code coverage and crash monitoring harness. This is what I use when not fuzzing things in emulators and hypervisors. github.com/gamozolabs/mesos
Miss you Sophia. We’re gonna do some amazing things for you and keep your dream alive. ❤️
I wrote a super simple ELF loader that converts ELFs (core, exec, shared, object, doesn't matter) into flat in-memory representations with things like BSS zero padded out. It's what I used to run MIPS Rust on NT 4.0 github.com/gamozolabs/elfloa… . Super useful for shellcode.
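Added example (editor's illustration, not the author's elfloader): what "flatten an ELF into memory with BSS zero padded" means in practice, as a small ELF64 program-header walker. It builds a constructed two-segment ELF inline (not a real binary from the page), then lays every PT_LOAD segment out at its virtual address relative to the lowest one and zero-fills both the gap between segments and the `p_memsz - p_filesz` tail.

```python
import struct

PT_LOAD = 1
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header after the 16-byte e_ident
PHDR_FMT = "IIQQQQQQ"        # ELF64 program header

def parse_phdrs(elf: bytes):
    """Return the program headers of an ELF64 image as dicts (ELF32 not handled)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"
    fields = struct.unpack_from(end + EHDR_FMT, elf, 16)
    phoff, phentsize, phnum = fields[4], fields[8], fields[9]
    if phentsize < struct.calcsize(PHDR_FMT) or phoff + phnum * phentsize > len(elf):
        raise ValueError("program header table out of bounds")
    out = []
    for i in range(phnum):
        t, flags, off, vaddr, paddr, filesz, memsz, align = struct.unpack_from(
            end + PHDR_FMT, elf, phoff + i * phentsize)
        out.append(dict(type=t, flags=flags, offset=off, vaddr=vaddr,
                        filesz=filesz, memsz=memsz, align=align))
    return out

def flatten(elf: bytes):
    """Return (base_vaddr, image): every PT_LOAD segment placed at
    vaddr - base_vaddr, with inter-segment gaps and the BSS tail zero filled."""
    loads = [p for p in parse_phdrs(elf) if p["type"] == PT_LOAD]
    if not loads:
        raise ValueError("no PT_LOAD segments")
    base = min(p["vaddr"] for p in loads)
    top = max(p["vaddr"] + p["memsz"] for p in loads)
    image = bytearray(top - base)            # zero by construction
    for p in loads:
        if p["filesz"] > p["memsz"] or p["offset"] + p["filesz"] > len(elf):
            raise ValueError("malformed PT_LOAD segment")
        start = p["vaddr"] - base
        image[start:start + p["filesz"]] = elf[p["offset"]:p["offset"] + p["filesz"]]
    return base, bytes(image)

def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 (x86_64, ET_EXEC) with two PT_LOAD segments;
    the second has p_memsz > p_filesz, i.e. a .bss-style tail."""
    ehdr_size, phdr_size = 64, 56
    seg1 = b"\x48\x31\xc0\xc3"               # text: xor eax,eax ; ret
    seg2 = b"ABCD"                           # initialised data
    off1 = ehdr_size + 2 * phdr_size         # file offset of seg1
    off2 = off1 + len(seg1)
    va = 0x400000
    ph = [  # (type, flags, offset, vaddr, paddr, filesz, memsz, align)
        (PT_LOAD, 5, off1, va + 0x1000, va + 0x1000, len(seg1), len(seg1), 0x1000),
        (PT_LOAD, 6, off2, va + 0x2000, va + 0x2000, len(seg2), len(seg2) + 12, 0x1000),
    ]
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 +
            struct.pack("<" + EHDR_FMT, 2, 62, 1, va + 0x1000, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, len(ph), 0, 0, 0))
    phdrs = b"".join(struct.pack("<" + PHDR_FMT, *p) for p in ph)
    return ehdr + phdrs + seg1 + seg2

if __name__ == "__main__":
    base, img = flatten(build_sample_elf())
    print(f"base=0x{base:x} size=0x{len(img):x} bss_tail={img[-12:]!r}")
```

The result is the shellcode-friendly form the tweet describes: one blob you can drop at `base` and jump into. Two things to watch before pointing it at untrusted files: segments that overlap will silently overwrite each other in this version, and a file whose PT_LOAD vaddrs are far apart allocates the whole gap, so cap `top - base` before trusting input from a fuzzer corpus.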
Had so much fun giving a talk on Vectorized Emulation at @reconmtl ! Here are the slides github.com/gamozolabs/vector… ! Of course always more info on my blog gamozolabs.github.io/fuzzing… and gamozolabs.github.io/fuzzing… . Thanks everyone for coming!
I added symbol support to my /proc/<pid>/mem IDA loader. Load up a running process into your system without having to attach a debugger, and get full symbols for all files in it (well, with DWARF symbols that is). Works great for WINE processes! github.com/gamozolabs/proc_m…
All of fuzz week is now on YouTube! piped.video/playlist?list=PL…
What percentage of collective CPU time worldwide is spent in strlen()?
We did it, we can now reset a VM 1 million times per second on a single core (E3-1240 v6 @ 4.1 GHz turbo). Assuming the VM has no dirty pages, but this is the "overhead" of a VM exit + register reset. Anything after this is just paying the memcpy cost to reset dirty mem...
Rust bootloader pushed up to GitHub! It's a small (20 KiB) PXE bootloader written in Rust, that can boot a relocated 64-bit PE for a kernel. Code is up github.com/gamozolabs/orange… . Next stream we will start work on the kernel. For those who missed the stream: piped.video/watch?v=okSUAlx_…
Here's a talk I gave a few years back at @EmpireHacking on 10 different binary code coverage mechanisms (specifically for use from hypervisor level) piped.video/watch?v=4nz-7ktd… . So many unique ways to gather coverage, all with their own tradeoffs!
Ever wondered what speculative execution looks like cycle-by-cycle? I just added cycle-level uarch introspection to my CPU research kernel. Here's a graph showing speculative loads occurring (that never retire as they are after a faulting instruction).
Replying to @MJHallenbeck
I thought these were pink but I'm color blind, but also the NSA hacked my eyes to not see colors, you can tell based on the way they are.
Giving my first conference talk ever at @reconmtl this year, so excited! What happens when you focus all your effort into making fuzzing faster? Can a bad fuzzer produce good results when running 1 trillion fuzz cases a week? Intro to the concept: gamozolabs.github.io/fuzzing…
Ever wanted to load an entire Linux process into IDA without having to attach/debug it? Well, fear no more, use my quality idapython script to load a file from `/proc/pid/mem` and `/proc/pid/maps` only! gist.github.com/gamozolabs/b…
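Added example (editor's illustration, not the author's idapython script or its symbol-support follow-up tweeted above): the front half of loading a live process from `/proc/<pid>/maps` and `/proc/<pid>/mem` without attaching a debugger. It parses a constructed maps listing (sample lines made up for this example), decides which regions are worth copying, groups the file-backed ones by path so symbols could later be matched per file, and reads a region out of `/proc/<pid>/mem`. The skip list and the helper names are the editor's choices.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int      # file offset the mapping starts at (file-backed maps)
    path: str        # backing file, a pseudo name like [stack], or "" if anonymous

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def readable(self) -> bool:
        return self.perms[0] == "r"

def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_RE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                            int(m["offset"], 16), m["path"].strip()))
    return maps

# Regions /proc/<pid>/mem will not hand back (EIO) or that carry nothing to analyse.
SKIP = {"[vvar]", "[vsyscall]"}

def loadable(maps: List[Mapping]) -> List[Mapping]:
    """Mappings worth copying into the database: readable and not kernel-only."""
    return [m for m in maps if m.readable and m.path not in SKIP]

def file_backed(maps: List[Mapping]) -> Dict[str, List[Mapping]]:
    """Group mappings by backing file so each file's DWARF can be applied to its ranges."""
    groups: Dict[str, List[Mapping]] = {}
    for m in maps:
        if m.path.startswith("/"):
            groups.setdefault(m.path, []).append(m)
    return groups

def read_region(pid: int, m: Mapping) -> bytes:
    """Copy one mapping out of /proc/<pid>/mem; requires ptrace access to the target."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(m.start)
        return mem.read(m.size)

# Constructed sample listing (not captured from a real process).
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234567                    /usr/bin/cat
00401000-00420000 r-xp 00001000 08:01 1234567                    /usr/bin/cat
7f3d2b400000-7f3d2b600000 rw-p 00000000 00:00 0
7ffd1c9f0000-7ffd1ca11000 rw-p 00000000 00:00 0                  [stack]
7ffd1ca80000-7ffd1ca84000 r--p 00000000 00:00 0                  [vvar]
7ffd1ca84000-7ffd1ca86000 r-xp 00000000 00:00 0                  [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0          [vsyscall]
"""

if __name__ == "__main__":
    pid = os.getpid()                       # self-inspection needs no extra privilege
    with open(f"/proc/{pid}/maps") as f:
        live = parse_maps(f.read())
    for m in loadable(live)[:3]:
        try:
            print(f"0x{m.start:x} {m.perms} {m.path or '<anon>'} -> {len(read_region(pid, m))} bytes")
        except OSError as e:
            print(f"0x{m.start:x} {m.path}: {e}")
```

Reading another process's `/proc/<pid>/mem` is gated by the same `ptrace_may_access` check as attaching, so on a box with `kernel.yama.ptrace_scope=1` you still need to be the target's parent or root even though nothing is ever `PTRACE_ATTACH`ed. The upside the tweet points at remains: no thread is stopped, no anti-debug check trips, and the snapshot is whatever the pages contained at read time.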
I've now open sourced my latest hypervisor written in C. github.com/gamozolabs/falker… . See it in action piped.video/watch?v=AqFMSI8e… ! This is what I demoed to @brucedang way back at Recon 2016 and he thought it was pretty cool, so it must be.
Just landed in Vegas to this tweet. This is unreal! Thanks so much, y'all are amazing, what an incredible community! ❤ Can't wait to share more research soon!
W00t @gamozolabs most innovative research pwnie!
Hmm, it seems people really want some low-level OS/kernel dev educational content. Got a few requests for it in the past few days. I definitely am not a traditional OS kind of person, but I think I still could make some cool content on the topic!~
Can any school offer me a PhD program so I can claim that my research is somehow more relevant even though I haven't finished my PhD yet?
Some Windows DHCP remotes coming out from the team I work on at Microsoft! Patch yer stuff. portal.msrc.microsoft.com/en…
Yer a wizard Harry! Watch as I travel through time on a whole system with WinDbg! Fully deterministic, time-travelling, and mutable environment (you can change state when travelling in time and observe the results). Might make triaging bugs a joke. piped.video/watch?v=mB9LIztj…
New blog! Some random thoughts on fuzzing and benchmarking of them. Technically, this was a comment to a GitHub thread but it definitely warranted a blog! gamozolabs.github.io/2020/08…
Bug bounties are a scam. They reward low effort spray and pray researchers and punish those who go deep.
This is what I mean when I say working with MSRC is degrading. They want everything: write up, stack traces, PoC, exploit source, analysis, life advice, approval on anything you will ever publish. In return they will patch your bug whenever they feel like it and not tell you
As someone who wants to stay fully technical and continue doing research forever, being heavily signaled that going into management is the only way to go up and be rewarded is a great way for me to stop caring.
Mood. Running a teammate's Windows kernel fuzzer in the new system fuzzing framework. Seems to work just fine!
Yesterday we found and exploited a bug on an old Android 2.3.5 phone. We used this bug to get arbitrary code running in the kernel, which trivially turns into root. We also dumped the kernel and built a bit-identical kernel to the official signed kernel. piped.video/watch?v=g62FXds2…
I wrote a really simple RISC-V (rv32i) JIT for x86_64 designed for gathering some stats for my upcoming Bluehat IL talk. It runs at about ~1 RISC-V instruction per 2 x86 cycles, and can create and run hello world ~8.6 million times per second on 96 cores! github.com/gamozolabs/rv32i_…
Check out my new blog and release on Cannoli. High performance tracing in QEMU!
There's always room for better performance. The fastest Qemu tracing tool by @gamozolabs. margin.re/blog/cannoli-the-f…
applepie: A hypervisor for Bochs. This will be a rapidly evolving project that currently is just a hypervisor but shortly will be an instrumentation and fuzzing framework. I've got like 8 Word 0-day from falkervisor I'll refind with this and blog about :D github.com/gamozolabs/applep…
What is the correct amount of times to hit ctrl+c to terminate a Python script?
0 to bootloader + multicore kernel in ~2 days. Hope y'all are enjoying the streams!
Had a new logo designed! Updated all my socials! They’re so awesome!!!
I really don't get why people complain so much about clang/LLVM build times.
Introducing Orange Slice. A new research kernel and hypervisor, with the end goal of getting a hardware-virtualization accelerated fully-deterministic emulator. I'll be starting development live on YouTube on Wednesday to kick things off. Read more github.com/gamozolabs/orange…
In about an hour I'm going to stream fuzzing calc.exe for bugs on Twitch. How do you fuzz calc.exe? No idea, let's listen to some music, ask me questions, and just have some fun! twitch.tv/gamozo
Are you scared of ptrace()? Come write a high-performance debugger for Linux which is designed for low-overhead debugging of many-threaded and multi-process applications twitch.tv/gamozo
Over the past 2 days we wrote a hypervisor capable of running a user-land application, took a snapshot of WinRAR while it was executing on Windows, and transplanted it into a VM. We then proceeded to fuzz it 40k times per second with coverage! Native speed binary coverage+fuzzing!
So. I've been thinking for a while to make a high-performance structure-aware memory analyzer. Think like, cheat engine, but it would be aware of common structures (eg, MSVC vectors, maps, glibc vectors, maps) and give you a structured view of memory rather than flat map.
Don't forget to catch my talk on MapleStory cheats at SSTIC on Friday! It's the first time I've edited and animated a video, it turned out amazing. It'll also be up on YouTube for archival shortly after. You're gonna love it. piped.video/watch?v=o9O3PjKg…
We dedicated ethernet now.
Replying to @MalwareTechBlog
Linux cannot get viruses because it’s open source
Tonight we do it big, we're gonna get an entire Windows instance running in Chocolate Milk so we can fuzz a full system, including apps, syscalls and drivers. Streamin in like ~60 min twitch.tv/gamozo
Chocolate Milk finds its first 0day. Now I gotta add crash reporting, ugh.
I made a lot of new playlists for my YouTube videos, hopefully it helps find the content you need! piped.video/user/gamozolabs/… Don't forget to lycan subscribe.
Windows DHCP Server RCE found by the team I'm on, got patched today! Such a great group of people to work with 😊 Smash that update button! portal.msrc.microsoft.com/en…
All current VoDs from the printer hacking are up piped.video/playlist?list=PL… ! All the fun from picking a printer, desoldering and dumping flash, reversing the decompression, implanting with a backdoor, and shipping up Rust shellcode which forms a GDB stub! All in 5 easy days!
Pretty happy that after only 3 days of dev my IL can already optimize this
What's something about security research that you wish you knew more about?
Replying to @spendergrsec @tehjh
I wrote exploits for effectively every CPU bug which has come out, and spent a lot of time focusing on improving data rates and introspection with them. I got data rates well above the academic ones. gamozolabs.github.io/metrolo…
Looking to learn how hypervisors are written with Intel VT-x? I'm going to stream adding a hypervisor to Orange Slice using VT-x... all from scratch, so you'll see all the nitty-gritty details! Tune in on Tuesday at 1700 PST, piped.video/watch?v=WabeOICA…
Let's talk a bit about fuzzer benchmarking. I'll start off with some data directly from fuzzbench, of `aflfast` fuzzing `libjpeg-turbo`. Here's what the 20 runs of `aflfast` look like. fuzzbench.com/reports/2020-0…
I love new server day. 24x 1.92TiB PCIe 4 NVMe drives! In theory, this should saturate 100gbit with random 4K access! (6000 MB/s read, 4000 MB/s write, 1000k read, 180k write, per drive). Hopefully software doesn’t let me down!
Gonna start a new series on my Twitch (twitch.tv/gamozo) called "Paper Review". Tonight (undetermined stream time) we're gonna look through the "Building Fast Fuzzers" paper, which is the "world's fastest grammar fuzzer" arxiv.org/pdf/1911.07707.pdf
People kinda always ask to just see my fuzzing process. Let's pick a target and write a fuzzer for it (probably some random project we find on GitHub). I'll show how I set up a debug environment, how I harness, how I start/make a fuzzer, etc. twitch.tv/gamozo
All IL development streams are now up on YouTube! Super fun stuff, mILkshake is turning out amazing! piped.video/playlist?list=PL…
Replying to @AmarSaar @rustlang
Heap disclosure in Windows libc for effectively forever. Reachable from some scripting languages too by using a similar code pattern: gist.github.com/gamozolabs/b…
S’mores! He’s my first ever puppy and I’m so excited to take him home in a few weeks!
My super high performance IL optimizer seems to be working great! I can't believe these results!!!!
I have a hard time describing my job and what I do on a day to day basis but I think “weird machine mechanic” puts it succinctly
Nice, ran 1.3 trillion fuzz cases against an x509 parser overnight. I love vectorized emulation. Really cool target actually! No coverage increases from about 5 seconds into fuzzing, but there were new bugs (human-verified unique) hours into the run!
In last night's stream we were root causing a type confusion bug in calc.exe. Somebody in chat asked what I meant when I said "pointer offset". I went on a short little rant about memory layout, type confusion bugs, and why they are exploitable! piped.video/watch?v=jmgGPbfV…
So I've been working on a pretty complex mutator in Rust which is designed for fast deserialization and serialization of structured data. And it's hot. Over 2 GiB/sec of deserializing a `Vec<Box<u8>>`! About 1.5 cycles per allocation while deserializing!
FuzzOS? Is it time?
I've started the "So you're writing a fuzzing paper" blog. What do you want answered? The focus of the blog will be primarily going through how I judge and benchmark fuzzers/harnesses.
If you missed it, we implemented a system-level VT-x hypervisor capable of fuzzing Windows minidumps at millions of fuzz cases per second on a quad core! Since then, it now supports anything that runs in QEMU! piped.video/watch?v=oQiktfC3…
Tonight we're going to look at an Android Bluetooth chipset (ARM) to test out Ghidra, with emphasis on exploring the options/features and menus of Ghidra. I want to shellcode in a debugger to the chipset so I can GDB it. Stream scheduled here: piped.video/watch?v=UXEfmTE-…
I also uploaded the first Paper Review, on "Building Fast Fuzzers"! piped.video/watch?v=ZfuRDwEU…