Adrian Herrera
adrianherrera.bsky.social
Security researcher with an interest in formal methods.

Building fuzzers @ Interrupt Labs |
Teaching @ Australian National University

https://adrian-herrera.com
Reposted by Adrian Herrera
Check out the latest from our Labs! Gilbert, in our Browsers team, talks us through how he used one-click memory corruption to exploit a patch-gap in the UC Browser.

www.interruptlabs.co.uk/articles/one...
October 16, 2025 at 2:00 PM
Excited to be here with the Interrupt crew!
Excited to have touched down in Paris for @hexacon.bsky.social.
Come and chat to us - we are recruiting across a number of roles in our VR teams!
October 9, 2025 at 11:13 AM
Reposted by Adrian Herrera
SURE is proud to announce that we have **9** epic works that have been accepted for presentation at SURE on October 13. Topics span decompilation, (de)obfuscation, debugging, fundamental benchmarks, and more!

sure-workshop.org/pa... (paper links out soon)
Accepted Papers | SURE 2025
Papers and posters accepted for SURE 2025
sure-workshop.org
September 17, 2025 at 10:56 PM
Reposted by Adrian Herrera
Created Go bindings for Apple's Hypervisor.framework.

Why? Because I wanted to test a Pure Go emulator I'm writing against and couldn't get unicorn2 to work on macOS 26. Plus what's going to be faster than Apple's OWN hypervisor 😎

Check it out! 🎉

github.com/blacktop/go-...
GitHub - blacktop/go-hypervisor: Apple Hypervisor.framework bindings for Golang
github.com
August 23, 2025 at 2:11 AM
Reposted by Adrian Herrera
Check out our latest blog post on modeling complex control flow with function-level basic block analysis in Binary Ninja 5.1. From DSPs to Brain***k, this update makes it easier to develop plugins for tricky architectures. binary.ninja/2025/08/12/f...
August 14, 2025 at 7:17 PM
Reposted by Adrian Herrera
🛬 I'm at USENIX Security in Seattle this week, where on Friday at 2pm my former postdoc Tristan Benoit will be presenting our paper "BLens: Contrastive Captioning of Binary Functions using Ensemble Embedding," joint work with Yunru Wang and Moritz Dannehl from my group. Here's the gist:
August 11, 2025 at 12:56 PM
Reposted by Adrian Herrera
WOOT 2025 schedule, all papers are now online open access:
usenix.org/conference/w...
Talks are recorded, and should be online in a few weeks.
WOOT '25 Technical Sessions
All sessions will be held in Room 611-612 unless otherwise noted.
usenix.org
August 11, 2025 at 8:56 PM
Reposted by Adrian Herrera
New blog post: Exploiting the Synology TC500 at Pwn2Own Ireland 2024
We built a format string exploit for the TC500 smart cam. It didn’t get used, but it made for a fun case study.
blog.infosectcbr.com.au/2025/08/01/e...
Exploiting the Synology TC500 at Pwn2Own Ireland 2024
Introduction In October 2024, InfoSect participated in Pwn2Own – a bug bounty competition against embedded devices such as cameras, NAS’, and smart speakers. In this blog, I’ll di…
blog.infosectcbr.com.au
August 1, 2025 at 5:18 AM
Reposted by Adrian Herrera
We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Add V8SandboxFuzzer · googleprojectzero/fuzzilli@675eccd
This is a basic fuzzer for the V8 Sandbox. It uses the memory corruption API to implement a random-but-deterministic (given a seed) traversal through the V8 heap object graph and corrupts some obje...
github.com
August 1, 2025 at 7:21 AM
Reposted by Adrian Herrera
Linux Kernel Hardening: Ten Years Deep

Talk by Kees Cook about the relevance of various Linux kernel vulnerability classes and the mitigations that address them.

Video: www.youtube.com/watch?v=c_Nx...
Slides: static.sched.com/hosted_files...
July 15, 2025 at 4:42 PM
CTADL - a Datalog-based interprocedural static taint analysis engine for Java/Android bytecode (via JADX) and Pcode (via Ghidra)

Code: github.com/sandialabs/c...

Talk (via @krismicinski.bsky.social): youtu.be/3ec9VfMUVa8?...
GitHub - sandialabs/ctadl: CTADL is a static taint analysis tool
github.com
July 9, 2025 at 10:10 AM
Reposted by Adrian Herrera
Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n
July 1, 2025 at 12:35 PM
Reposted by Adrian Herrera
Can we statistically estimate how likely an LLM-generated program is correct w/o knowing what is a correct program for that task?

Sounds impossible, but it's actually really simple. In fact, our measure of "correctness" called incoherence can be estimated (PAC guarantees).

arxiv.org/abs/2507.00057
Estimating Correctness Without Oracles in LLM-Based Code Generation
Generating code from natural language specifications is one of the most successful applications of Large Language Models (LLMs). Yet, they hallucinate: LLMs produce outputs that may be grammatically c...
arxiv.org
July 2, 2025 at 7:26 AM
Reposted by Adrian Herrera
Firmwire 🤝 LibAFL
June 17, 2025 at 9:28 AM
Reposted by Adrian Herrera
Just Accepted to ACM TOSEM!

The "Havoc Paradox" is about the relationship between byte-level fuzzer mutations and their effect on the inputs produced by generators for structured strings (e.g. XML/SQL). Can disruptive mutations be controlled? Should they be? Find out.

📄 dl.acm.org/doi/pdf/10.1...
June 6, 2025 at 7:02 PM
Reposted by Adrian Herrera
[Blog Post] New high-level API in LIEF that allows the creation of DWARF files. Additionally, I present two plugins designed to export program information from Ghidra and BinaryNinja into a DWARF file.

lief.re/blog/2025-05...

(Bonus: DWARF file detailing my reverse engineering work on DroidGuard)
DWARF as a Shared Reverse Engineering Format
This blog post introduces a new API in LIEF to create DWARF files
lief.re
May 27, 2025 at 1:51 PM
Reposted by Adrian Herrera
Our team member Man Yue Mo is back, showing a new way to bypass MTE protection on Android phones with CVE-2025-0072. github.blog/security/vul...
Bypassing MTE with CVE-2025-0072
See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
github.blog
May 23, 2025 at 2:52 PM
Reposted by Adrian Herrera
Happy to share my upcoming #ATC25 paper w/ @snagycs.bsky.social: "BIN2WRONG: a Unified Fuzzing Framework for Uncovering Semantic Errors in Binary-to-C Decompilers"!

Bin2Wrong creates binaries by mutating source, compiler, optimizations, and format—revealing 48 new bugs in 7 decompilers! 💪
May 22, 2025 at 8:02 PM
Reposted by Adrian Herrera
We're happy to announce a new release of our #Rust bindings for idalib.

What's new:
- New APIs for working with IDBs, segments, and more
- Rust 2024 support
- New homepage: idalib.rs

H/T to our contributors @yeggor.bsky.social & @raptor.infosec.exchange.ap.brid.gy

github.com/binarly-io/i...
GitHub - binarly-io/idalib: Idiomatic Rust bindings for the IDA SDK, enabling the development of standalone analysis tools using IDA v9.x’s idalib
github.com
May 21, 2025 at 10:28 PM
Reposted by Adrian Herrera
with offensivecon around the corner, i figured id write another post on linux kernel exploitation techniques - this time i cover the world of page table exploitation! enjoy 🤓

sam4k.com/page-table-k...
Kernel Exploitation Techniques: Turning The (Page) Tables
This post explores attacking page tables as a Linux kernel exploitation technique for gaining powerful read/write primitives.
sam4k.com
May 8, 2025 at 1:58 PM
Reposted by Adrian Herrera
Gave a talk on external fuzzing of Linux kernel USB drivers with syzkaller at SAFACon.

Includes a demonstration of how to rediscover CVE-2024-53104, an out-of-bounds bug in the USB Video Class driver.

Slides: docs.google.com/presentation...
May 6, 2025 at 8:17 PM
Reposted by Adrian Herrera
Wrote a lil' guide to help get people started with the 🆕 `ipsw` AI decompiler 📖

blacktop.github.io/ipsw/docs/gu...
Decompiler | ipsw
Using the AI decompiler.
blacktop.github.io
May 5, 2025 at 10:28 PM
Can confirm the hardware lab is pretty cool 😎
We’re hiring Vulnerability Researchers at @infosectcbr.bsky.social that specialise in Linux, OS kernels, Android, and embedded/IoT. With a world class hardware lab, come join our friendly and collaborative team, focusing on research against leading technologies. DM for details.
April 30, 2025 at 11:05 PM