Pietro Borrello

Microarchitecture Security Researcher

Apple SEAR

Biography

I am a Microarchitecture Security Researcher at Apple SEAR.

I received my PhD at the Sapienza University of Rome, working on Systems Security with a focus on applying Fuzzing and Program Analysis techniques to find and mitigate architectural and microarchitectural vulnerabilities.

In my PhD Thesis, I contributed to finding and mitigating over one hundred bugs in software, operating systems, and CPUs.

I am also a passionate CTF player focusing on exploitation and reverse-engineering with TRX and mhackeroni teams.

Co-founder of the DEFCON Group in Rome.

BlackHat & OffensiveCon speaker and Pwnie Award recipient:

  • Best Desktop Bug for “ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture”
  • Most Innovative Research for “Custom Processing Unit: Tracing and Patching Intel Atom Microcode”

Interests
  • Systems Security
  • Microarchitectural Attacks & Defenses
  • Side-Channels
  • Program Analysis
  • Fuzzing

Education
  • PhD in Engineering in Computer Science, 2023

    Sapienza University of Rome

  • MSc in Engineering in Computer Science, 2019

    Sapienza University of Rome

  • BSc in Engineering in Computer Science, 2017

    Sapienza University of Rome

Projects

Custom Processing Unit

The first dynamic analysis framework for CPU microcode. Pwnie Award for Most Innovative Research.

ÆPIC Leak

Architecturally Leaking Uninitialized Data from the Microarchitecture. Pwnie Award for Best Desktop Bug.

Constantine

A compiler-based system to automatically harden programs against microarchitectural side channels.

Intel Atom Microcode Decompiler

Ghidra Processor Module to disassemble and decompile x86 Intel Atom microcode.

raindrop

A binary translator to transform program functions into obfuscated ROP chains.

Publications

(2024). Predictive Context-sensitive Fuzzing. NDSS.

(2023). Uncontained: Uncovering Container Confusion in the Linux Kernel. USENIX Security.

(2023). CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode. WOOT.

(2023). Practical Timing Side-Channel Attacks on Memory Compression. Security & Privacy.

(2022). Robust and Scalable Process Isolation against Spectre in the Cloud. ESORICS.

(2022). ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture. USENIX Security.

(2019). The ROP needle: hiding trigger-based injection vectors via code reuse. ACM SAC.

(2018). Boosting Virtualization Obfuscation with Return Oriented Programming. Poster at ACM ACSAC.

(2018). Ropmate: Visually Assisting the Creation of ROP-Based Exploits. IEEE VizSec.

CVEs

CVE-2023-25012 use-after-free in HID:bigben in the Linux kernel
CVE-2023-1079 use-after-free in HID:asus in the Linux kernel
CVE-2023-1078 type confusion & heap OOB write in RDS in the Linux kernel
CVE-2023-1077 type confusion in Realtime Scheduler in the Linux kernel
CVE-2023-1076 type confusion in TUN/TAP in the Linux kernel
CVE-2023-1075 type confusion in TLS in the Linux kernel
CVE-2023-1074 type confusion in SCTP in the Linux kernel
CVE-2023-1073 type confusion & NULL ptr deref in HID in the Linux kernel
CVE-2022-21233 information disclosure in Intel CPUs (ÆPIC Leak)
CVE-2022-33070 undefined behavior in protobuf-c
CVE-2022-33069 DoS in solidity compiler
CVE-2022-33068 integer overflow vulnerability in Harfbuzz
CVE-2022-33067 undefined behavior in lrzip
CVE-2022-28049 DoS in njs
CVE-2022-28048 undefined behavior in stb
CVE-2022-28044 invalid free in lrzip
CVE-2022-28042 use-after-free in stb
CVE-2022-28041 integer overflow vulnerability in stb
CVE-2022-1515 DoS in matio
CVE-2022-1475 integer overflow vulnerability in FFmpeg
CVE-2020-11713 timing side-channel vulnerability in wolfSSL

[Linux kernel patches]