security research
Presentations:
- Hardware Virtualization Rootkits
  BlackHat Briefings USA, August 2006, Las Vegas, NV.
  Microsoft BlueHat, October 2006, Redmond, WA.
  [ slides ]
- All Your Layers Are Belong To Us
  PacSec.JP 2004, November 2004, Tokyo, Japan.
  Microsoft BlueHat 2005, Redmond, WA.
  CanSecWest/core05, May 2005, Vancouver, Canada.
  IEEE Information Assurance Workshop, June 2005, West Point, NY.
  [ slides ]
- SPARC Buffer Overflows
  DEFCON 8, July 28, 2000, Las Vegas, NV.
  [ slides ] [ source ] [ errata ] [ video ] [ audio ]
Vulnerabilities:
Most of my bug hunting has been under NDA but I try to shake out some bugs in other things every now and then. Here are some of them:
- Apple QuickTime QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability
  [ ZDI-07-023 ] [ Apple QuickTime 7.1.6 Security Update ]
- Mac OS X 10.4 Mach Exception Server Privilege Escalation
  [ Matasano Security Advisory ]
- Mac OS X 10.3, 10.4 AFP Server Integer Overflow
  [ Apple Mac OS X Security Update 2006-004 ]
- Mac OS X 10.3 QTJava Java Applet Privilege Escalation
  [ Apple Mac OS X Security Update 2005-008 ]
- Mac OS X 10.4 Java update_sharing Local Privilege Escalation
  [ Apple Mac OS X Java 1.3.1 and 1.4.2 Release 2 ]
- Metasploit Framework 2.4 Msfweb "Refang" Command Execution
  [ Metasploit Advisory ]
- Mac OS X 10.3 AirPort Automatic Network Association Vulnerability
  [ Apple Mac OS X AirPort 4.2 Update ]
- Mac OS X 10.3 Mach Kernel Syscall Emulation Memory Corruption
  [ Apple Mac OS X 10.3.9 Update ]
- Mac OS X 10.3 Java LiveConnect Applet Privilege Escalation
  [ Apple Mac OS X Security Update 2005-002 ]
- Mac OS X 10.{2,3} AppleFileServer Remote Command Execution
  [ @stake advisory ]
- SAP DB NiServer Remote Buffer Overflow
  [ @stake advisory ]
- Sun AnswerBook2 DynaWeb httpd Format String and Unauthenticated Script Execution
  [ advisory ]
- Acme thttpd 2.19 (and earlier) server-side-includes directory traversal
  [ advisory ]