About
I'm specialized in secure software design and development, code review, and penetration testing. At times I give talks and trainings in security related topics to help people (mostly developers) improve their products.
Keywords to describe what I do and like are C, Java, Linux, OpenBSD, security, high scalability, privacy, free software.
CVE IDs
I performed various code reviews and the following CVE IDs have been assigned for me. I have written patches for these issues as well.
- CVE-2018-14600libX11
- CVE-2018-14599libX11
- CVE-2018-14598libX11
- CVE-2017-16612libXcursor
- CVE-2017-8073weechat
- CVE-2017-7875feh
- CVE-2017-2616shadow/util-linux
- CVE-2016-7953libXvMC
- CVE-2016-7952libXtst
- CVE-2016-7951libXtst
- CVE-2016-7950libXrender
- CVE-2016-7949libXrender
- CVE-2016-7948libXrandr
- CVE-2016-7947libXrandr
- CVE-2016-7946libXi
- CVE-2016-7945libXi
- CVE-2016-7944libXfixes
- CVE-2016-7943libX11
- CVE-2016-7942libX11
- CVE-2016-5434pacman
- CVE-2016-5407libXv
- CVE-2016-5384fontconfig
- CVE-2014-6060dhcpcd
- CVE-2007-6220typespeed
Bug Fixes
These patches were reported, but not approved yet. If you are a maintainer or want to push them to accept these fixes please move on.
- dwm: signal race
- e2fsprogs: NULL dereference
- ffmpeg: illegal unmap
- font-util: heap overflow
- gimp: heap overflow
- glibc: buffer overflow
- glibc: catopen issues
- kbd: overflow/division by zero
- kmod: OOB access
- libICE: OOB read
- libdrm: OOB read
- make: OOB read
- pacman: endless loop
- pacman: OOB read
- pacman: stack overflow
- tar: documentation typo
- sysklogd: heap overflow
- which: buffer overflow
- which: buffer overflow
- which: OOB access
- xcursorgen: NULL dereference
- xlsatoms: various fixes
Projects
Most of my open source code can be seen in the OpenBSD tree. It is scattered across various userland tools. Once I have added active PS/2 multiplexing to the pckbc device driver in the OpenBSD kernel. You can see the patch here. There is also xwallpaper which I wrote with a strong focus on minimalism and security after being disappointed with other available solutions.
My professional code has been developed closed source, so I cannot supply code samples. My first major project was the design and implementation of a modular, scalable multithreading CDI framework for Java SE. Improving a code base to better support multi-threading and the reduction of resource consumption was another cool project. I have also written a real-time RTAI/Linux module to operate industrial robots with my own scripting language while being a student.