Pawel Wieczorkiewicz
@wipawel
Low Level Security: CPUs, Kernels, Hypervisors and the like. I mostly break stuff. Offensive side of things.
I really enjoy reading about all the hidden little gems that Macs from the ‘90s had. Good times.
Finding a 27-year-old easter egg in the Power Mac G3 ROM downtowndougbrown.com/2025/06/findin…
Vulnerability introduced into the upstream 5.15 and 6.6 LTS (and maybe others), another instance of turning mitigations into no-ops :\
Another small demo, using the gadget from download.vusec.net/papers/halfspe… I revert the upstream 2023 fix and show Respectre handling the half Spectre gadget:
IEEE SecDev 2025 @ieeesecdev (Practitioner Session) CFP is open until May 30th. This is the ideal mix between academic and industry session, with very short paper length requirements (2 pages) and a very pragmatic committee. Work in progress projects and idea discussions are…
IEEE SecDev 2025 (Practitioner Session) CFP is open until May 30th. Submit papers up to 2 pages about perspectives/insights for secure systems: …cdev25-practitioner.ieee-security.org Questions: [email protected] More info: secdev.ieee.org/2025/practitio…
So, what is Intel CSME full hack (without any recovery possibility) - it is manual calculation of Chipset Key
Our critical analysis of Intel CSME security architecture
🔥 Last barrier destroyed: The compromise of Fuse Encryption Key in Intel CPUs! Full story by our researcher @_markel___ swarm.ptsecurity.com/last-barrier-d…
We are looking for a PhD student intern this summer to research optimal heuristics for a new feature of ours that provides finer-grained, context-aware control over fragmentation in the Linux buddy allocator. Fully remote, please email hiring@ if interested.
You can now jailbreak your AMD CPU! 🔥We've just released a full microcode toolchain, with source code and tutorials. bughunters.google.com/blog/542484235…
Proactively backporting bugs to be able to apply a fix. That’s Engineering with a capital E.
These 6.6 backports today are funny. Backporting commits that weren't marked for stable and don't belong in stable, but because some AI picked up a crash fix, they backport multiple patches to backport the bug ("stable deps"), and then the fix for it.
So reachable WARNs get auto-CVE'd by the Linux CNA purely from the possibility of panic_on_warn, a reachable BUG() reported by a researcher needs an essay on threat models before anyone does anything with it. 🤔
Blog post I wrote about an unexpected vulnerability we discovered in the TCP subsystem of the Linux kernel. This one is interesting because it can lead to a UAF even with the reference counter saturation mechanism present. I hope you enjoy it.
While working on a nday vulnerability research project, we stumbled upon a vulnerability in the core of the TCP subsystem of the Linux kernel. We reported it upstream, which was fixed in May of last year. This blog post shares how we came across it and our vulnerability analysis.
github.com/google/securit… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!
An excellent undocumented instruction chase story. Must have been a lot of fun.
The invalid 68030 instruction that accidentally allowed the Mac Classic II to successfully boot up downtowndougbrown.com/2025/01/the-in…
Analyzing and Exploiting Branch Mispredictions in Microcode arxiv.org/abs/2501.12890
welp, it looks like an OEM leaked the patch for "AMD Microcode Signature Verification Vulnerability" 🔥 The patch is not in linux-firmware, so this is the only patch available😡
As usual I had a blast at @h2hconference. Thank you for having me. Slides for my talk are available now👇
Slides for @wipawel's H2HC presentation this month on the TLB are now available on grsecurity.net/papers If you've never heard of "paging-structure caches" before, check it out!
Back in @h2hconference last week, @pwningsystems and I presented this tool we've been working on (with Artem) we now call "🐧 Kernel Explorer". It's still early on, I'll work on FF and a11y next! storage.googleapis.com/kernelctf-dash… storage.googleapis.com/kernelctf-dash… Code is github.com/google/securit…
… right
What I said would happen just happened in today's LTS updates for the Xen XSA-466 from this week, check arch/x86/xen/xen-asm.S #grsecurity not affected: x.com/spendergrsec/s…