Who Am I?
(Updated 2023-08-06)
I’m Seunghun Han (a.k.a kkamagui) and a senior security researcher at the Affiliated Institute of ETRI. I also was an eMMC firmware developer at Samsung Electronics. My research interests are the root of trust, firmware, hypervisor, and kernel security. So I have made my own hypervisor and contributed various patches to the Linux kernel and TPM-based security software.
I’m also a Review Board member of Black Hat Asia and KimchiCon. If you have any questions about those conferences, feel free to contact me via Twitter: @kkamagui1, Facebook: Seunghun Han, and LinkedIn: Seunghun Han.
Recently, I became a Debian Linux Maintainer. I have maintaining hardware and firmware-releated packages.
I published two books and presented several papers. They are listed below.
Books
I was an author of books below:
- 64-bit multi-core OS principles and structure, volume 1 (ISBN-13: 978-8979148367). Amazon Store Yes24 Store
- 64-bit multi-core OS principles and structure, volume 2 (ISBN-13: 978-8979148374). Amazon Store Yes24 Store
Papers, Presentations, and Patents
I was an author and a speaker at several conferences below:
- “Alcatraz: A Practical Hypervisor Sandbox to Prevent Escapes from the KVM/QEMU and KVM-Based MicroVMs”, Black Hat USA 2021
- Publication: Presentation
- Videos: Alcatraz Demo
- “(Invited Talk) BitLeaker: Subverting BitLocker with One Vulnerability”, Black Hat Asia 2020
- Publication: Presentation
- Videos: BitLeaker Demo
- “BitLeaker: Subverting BitLocker with One Vulnerability”, Black Hat Europe 2019
- Publication: Presentation, (Article) Version2
- Videos: BitLeaker Demo
- “Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with the Napper”, Black Hat Asia 2019
- Publication: Presentation
- Videos: Napper Demo
- “(Invited Talk) Betrayal of Reputation: Trusting the Untrustable Hardware and Software with Reputation”, Microsoft BlueHat Shanghai 2019
- Publication: Presentation
- “A Bad Dream: Subverting Trusted Platform Module while You Are Sleeping”, USENIX Security 2018
- Publications: Paper, Presentation, (Article) BleepingComputer
- Videos: USENIX Security Talk
- “I Don’t Want to Sleep Tonight: Subverting Intel TXT with S3 Sleep”, Black Hat Asia 2018
- Publications: Presentation, (Article) DarkReading, (Article) Security News
- Videos: Intel TXT Vulnerability Demo
- “Shadow-Box v2: The Practical and Omnipotent Sandbox for ARM”, Black Hat Asia 2018
- Publications: Presentation
- Videos: Shadow-Box v2 Demo
- Project Link: Shadow-Box for ARM
- “The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone”, beVX 2018
- Publications: Presentation
- Videos: Gatekeeper Demo
- Project Link: Gatekeeper with Shadow-box
- “(Invited Talk) A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping”, KIMCHICON 2018
- Publications: Presentation
- “Myth and Truth about Hypervisor-Based Kernel Protector: The Reason Why You Need Shadow-Box”, Black Hat Asia 2017
- Publications: Paper, Presentation, (Article) DailySecu
- Videos: Shadow-box Demo 1, Shadow-box Demo 2
- Project Link: Same as the upper link.
- “Shadow-Box: The Practical and Omnipotent Sandbox”, HITBSecConf 2017
- Publications: Paper, Presentation
- Videos: Shadow-box Demo 1, Shadow-box Demo 2
- Project Link: Shadow-Box for x86
- “IRON-HID: Create Your Own Bad USB”, HITBSecConf 2016
- Publications: Paper, Presentation, Patent, (Article) Forbes
- Project Link: IRON-HID
- Videos: IRON-HID Demo 1, IRON-HID Demo 2
Common Vulnerabilities and Exposures (CVEs)
I found security vulnerabilities in many kinds of software such as the Linux kernel, Trusted Boot (tBoot) and TPM2.0-TSS.
- CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
- CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.
- CVE-2017-13693: The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
- CVE-2017-13694: The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
- CVE-2017-13695: The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
- CVE-2017-16837: Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.
- CVE-2018-6622: An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.
- CVE-2018-7995: DISPUTED Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck\
directory. NOTE: a third party has indicated that this report is not security relevant.
- CVE-2020-0526: Improper input validation in firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege via local access. The list of affected products is provided in intel-sa-00343: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00343.html
Open-Source Contributions
I contributed patches to open-source projects such as Linux kernel, Trusted Boot (tBoot) and TPM2.0-TSS.
- TPM2.0-TSS: Added codes for flushing loaded handles before the resource manager is started: The patch is to flush loaded handles. It is applied to over 1.0 version.
- Linux Kernel: ACPICA: Namespace: fix operand cache leak: The patch is to fix operand cache leak bug. It is applied to 4.12 version. CVE-2017-11472.
- Linux Kernel: x86/acpi: Prevent out of bound access caused by broken ACPI tables: The patch is to fix out of bound access bug. It is applied to 3.18, 4.4, 4.9, 4.12, and over 4.16 version. CVE-2017-11473.
- Linux Kernel: acpi: acpica: fix acpi operand cache leak in dsutils.c: The patch is to fix operand cache leak bug. It is waiting to be merged. CVE-2017-13693.
- Linux Kernel: acpi: acpica: fix acpi parse and parseext cache leaks: The patch is to fix parse and parseext cache leak bug. It is waiting to be merged. CVE-2017-13694.
- Linux Kernel: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c: The patch is to fix operand cache leak bug. It is applied to over 4.16 version. CVE-2017-13695.
- Linux Kernel: x86/MCE: Serialize sysfs changes: The patch is to fix concurrency bug in MCE driver. It is applied to 3.18, 4.4, 4.9, 4.14, 4.15, and over 4.16 version. CVE-2018-7995.
- Linux Kernel: x86/ioapic: Pass the correct data to unmask_ioapic_irq(): The patch is to fix incorrect parameter passing bug. It is applied to 3.18, 4.4, 4.9, 4.12, and over 4.13 version.
- Linux Kernel: x86/pti: Fix a comment typo: The patch is to fix a comment typo in PTI. It is applied to over 4.16 version.
- Trusted Boot: Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable: The patch is to fix unmeasured function pointers. It is applied to next version of 1.9.6. CVE-2017-16837.
- Trusted Boot: Fix TPM 1.2 locality selection issue: The patch is to fix TPM 1.2 locality selection bug. It is applied to next version of 1.9.6.