Research and writeups
Long-form notes on engagements, methodology, and the patterns I keep finding. Filter by topic; chronological below.
A kiosk is not a boundary: threat-modeling Cage, Wayland, and Chromium
The PHP concat operator interruption — a bug I sat on for thirteen years
A first-person account of an unreported bypass of CVE-2010-2191 that I found around 2010 and never disclosed, and which lived on in shipped PHP until 8.3.0 in November 2023. What I did, what I didn't, and what the project did and didn't.
Defeating PHP's internal boundaries — a hardening guide for PHP 8.5
Why every PHP-internal security control collapses in front of FFI or a single memory-corruption primitive — including a practical answer to whether FFI escapes Docker — and what your hardening posture actually needs to look like in 2026.
Two audiences, one report: the structure I use for every engagement
The board wants to know whether you're a bigger or smaller problem than the last firm. The engineers want to know which line of code to change. A report that addresses only one of them is not finished.
PHP strrchr() userspace interruption — reference mutation during error handling
In PHP 5.2, strrchr() kept using a referenced haystack zval after attacker-controlled error-handler code could retype it during needle conversion, leaking heap memory across PHP-side hardening boundaries.