Zero Day Engineering
On April 3rd, 2025, I presented my work on reverse-engineering the hardware internals of Qualcomm Hexagon ISDB JTAG at Black Hat Asia 2025, Singapore. Hexagon is a tightly restricted proprietary architecture which doesn't permit low-level debugging – a challenge which I was tasked to conquer under a private commercial R&D contract.
On November 15th, 2024, I gave a workshop on browser exploitation at the VXCON 2024 conference, Hong Kong. In this workshop I taught my full process of exploiting a non-trivial vulnerability in Google Chrome's v8 JavaScript engine, from zero-knowledge patch to novel exploit concept. The slide deck holds the skeleton of my methodology.
On November 16th, 2024, I gave a keynote at the VXCON 2024 conference, Hong Kong. I offered my insights on how AI is changing the art of vulnerability research.
On September 14, 2024, I participated in the Off By One Security Podcast by SANS. I presented my Probabilistic Theory of Fuzzing there for the first time – and explained how practical low-level fuzzing works through it. In this follow-up article I release the slides from my podcast, while tackling selected questions and comments from the livestream chat that didn't make it into the live Q&A.
In April 2021 I participated in the Pwn2Own Vancouver competition as an independent solo entrant – and a female first. I successfully demonstrated a zero-day virtual machine escape against the Parallels hypervisor. This post documents the event, releases the exploit source code, and provides a full technical walkthrough video. But more importantly, it seals the historical record.
Quick analysis and research insights for the recently reported RCE vulnerability in Chromium WebRTC code and embedders.
I reverse engineered a bunch of recent zero-day bugs targeting the Qualcomm Linux kernel & ARM Mali GPU. This technical deep-dive walks through the bugs after providing background information on the target systems.
I analyzed the security patches of a recently disclosed Chrome 0-day attack to derive additional information about the vulnerability, and to clarify the practical threat impact.
I wrote an exploit for a JavaScript JIT Type Confusion vulnerability in Jscript9.dll. This writeup covers my technique and releases the source code. The exploit technique that I show here is universal, and it continues to be popular in the browser exploitation field. My specific implementation includes a fully dynamic ASLR bypass, plus state-of-the-art process continuation to avoid a crash.
At Pwn2Own Vancouver 2021 I demonstrated a 0-day VM escape exploit for the Parallels Desktop hypervisor ($40,000 cash bounty). The exploit chain that I developed was based on logic issues. In this deep technical presentation I share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it.
I reverse engineered a complex binary patch for a bug in VMware ESXi. In this article I outline my methodology, which is universal and can be applied beyond hypervisors.
A story of a trivial *no-bug, by-design* guest-to-host VM escape on the latest Parallels Desktop for Mac with bonus persistence, as enabled by the software vendor's product design decisions and certain properties of Unix interactive shells.
I found a security bug in a Microsoft Hyper-V root partition kernel component ($15,000 cash bounty). This article analyzes the vulnerability.
I reverse engineered the core system internals of the Microsoft Hyper-V hypercall interface by using the Linux Integration Services (LIS) kernel drivers. This technical note documents my research output.