Publications

Publication Nov 18, 2025

AI Accelerated Exploiting: Compromising MTE Enabled Pixel from DSP Coprocessor

Using AI to accelerate exploit development against MTE-hardened Pixel devices, attacking via the DSP coprocessor.

By Pan Zhenpeng, Billy Jheng Bing-Jhong VenueCODE BLUE 2025 Slides →

Publication Nov 18, 2025

Dancing with Exynos Coprocessor: Pwning Samsung for Fun and "Profit"

Attacking Samsung devices through the Exynos coprocessor — a deep dive into an underexplored attack surface.

By Muhammad Alifa Ramdhan, Pan Zhenpeng, Billy Jheng Bing-Jhong VenueCODE BLUE 2025 Slides →

Publication Aug 15, 2025

Cracking the Pixel 8: Exploiting the Undocumented DSP to Bypass MTE

How an undocumented DSP attack surface on the Pixel 8 becomes a path to bypassing Memory Tagging Extension.

By Pan Zhenpeng, Billy Jheng Bing-Jhong VenueHITCON 2025 Slides →

Publication Nov 07, 2024

GPUAF: Two Ways of Rooting All Qualcomm-based Android Phones

GPUAF — two independent exploitation paths to root any Qualcomm-based Android device via the GPU attack surface.

By Pan Zhenpeng, Billy Jheng Bing-Jhong VenuePOC 2024 Slides →

Publication Nov 07, 2024

VMware Workstation: Escaping via a New Route - Virtual Bluetooth

A novel VM escape path in VMware Workstation through the virtual Bluetooth device implementation.

By Nguyễn Hoàng Thạch VenuePOC 2024 Slides →

Publication Oct 13, 2023

A Year Fuzzing XNU Mach IPC

A year's worth of targeted fuzzing against XNU's Mach IPC subsystem — methodology, findings, and lessons learned.

By Peter Nguyễn Vũ Hoàng VenueHexacon 2023 Slides →

Publication Aug 18, 2023

Ghosts of the Past: Classic PHP RCE Bugs in Trend Micro Enterprise Offerings

Classic PHP vulnerability classes revisited in modern enterprise security products — because old bugs never really die.

By Poh Jia Hao VenueHITCON CMT 2023 Slides →

Publication Aug 18, 2023

What You See IS NOT What You Get: Pwning Electron-based Markdown Note-taking Apps

Markdown rendering in Electron apps opens a surprising attack surface — what looks like plain text can become code execution.

By Li Jiantao VenueHITCON CMT 2023 Slides →

Publication May 19, 2023

Unearthing Vulnerabilities in the Apple Ecosystem: The Art of KidFuzzerV2.0

KidFuzzerV2.0 — a second-generation fuzzing framework targeting Apple's ecosystem — and the vulnerabilities it surfaced.

By Pan Zhenpeng VenueOffensivecon 2023 Slides →

Publication Nov 10, 2022

How to Backup and Pwn using Time Machine

macOS Time Machine's backup mechanism as an unexpected attack surface for privilege escalation.

By Nguyễn Hoàng Thạch VenuePOC 2022 Slides →

Publication Nov 10, 2022

The Journey To Hybrid Apple Driver Fuzzing

Combining coverage-guided and generational fuzzing to tackle Apple kernel drivers — design, implementation, and results.

By Pan Zhenpeng VenuePOC 2022 Slides →

Publication Aug 11, 2022

All Roads Lead to GKE's Host: 4+ Ways to Escape

Four distinct escape paths from Google Kubernetes Engine pods to the underlying host — a study in how container isolation assumptions break down.

By Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan VenueDEF CON 30 Slides →