Who Am I?

(Updated 2023-08-06)

I’m Seunghun Han (a.k.a. kkamagui), a senior security researcher at the Affiliated Institute of ETRI. I was also an eMMC firmware developer at Samsung Electronics. My research interests are the root of trust, firmware, hypervisor, and kernel security. I have written my own hypervisor and contributed various patches to the Linux kernel and to TPM-based security software.

I’m also a Review Board member of Black Hat Asia and KimchiCon. If you have any questions about those conferences, feel free to contact me via Twitter (@kkamagui1), Facebook (Seunghun Han), or LinkedIn (Seunghun Han).

Recently, I became a Debian Maintainer. I maintain hardware- and firmware-related packages.

I published two books and presented several papers. They are listed below.


Books

I am the author of the books below:


Papers, Presentations, and Patents

I authored the papers and patents, and gave the presentations, listed below:


Common Vulnerabilities and Exposures (CVEs)

I have found security vulnerabilities in many kinds of software, such as the Linux kernel, Trusted Boot (tboot) and TPM2.0-TSS.

  • CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
  • CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.
  • CVE-2017-13693: The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
  • CVE-2017-13694: The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
  • CVE-2017-13695: The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
  • CVE-2017-16837: Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.
  • CVE-2018-6622: An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware during S3 sleep and can clear the TPM 2.0. It allows local users to overwrite static PCRs of the TPM and neutralize its security features, such as seal/unseal and remote attestation.
  • CVE-2018-7995 (DISPUTED): Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory. NOTE: a third party has indicated that this report is not security relevant.
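
The practical symptom of CVE-2018-6622 above is that the static PCRs (0-7) come back all-zero after an S3 suspend/resume cycle, which is the state a freshly started TPM is in. The following is an added example (not code from this page's author or from any of the projects listed here) that compares a PCR dump taken before suspend with one taken after resume and reports whether the TPM was reset. It assumes the tpm2-tools `tpm2_pcrread` output format (`  <index> : 0x<hex>` lines under a bank header); the three dumps embedded in it are constructed samples, not values read from real hardware.

```shell
#!/bin/sh
# Added example (not from the original page): detect a TPM 2.0 that was reset
# across S3 sleep, the failure mode behind CVE-2018-6622. The output format of
# tpm2_pcrread ("  <index> : 0x<hex>" under a bank header) is an assumption,
# and every dump below is a constructed sample.

# Constructed dump taken "before suspend" (three PCRs shown for brevity).
BEFORE='sha256:
  0 : 0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
  1 : 0x0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0
  7 : 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF'

# Constructed dump from an affected platform after resume: every PCR is back
# at its start-up value, i.e. the TPM was reset during S3.
AFTER_RESET='sha256:
  0 : 0x0000000000000000000000000000000000000000000000000000000000000000
  1 : 0x0000000000000000000000000000000000000000000000000000000000000000
  7 : 0x0000000000000000000000000000000000000000000000000000000000000000'

# Constructed dump where only PCR 7 differs: something extended it, no reset.
AFTER_EXTENDED='sha256:
  0 : 0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
  1 : 0x0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0
  7 : 0xFFFF567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF'

# Print "index hexvalue" lines from a tpm2_pcrread dump; bank headers and
# anything else that does not look like a PCR line are dropped.
pcr_pairs() {
    printf '%s\n' "$1" | sed -n 's/^ *\([0-9][0-9]*\) *: *0x\([0-9A-Fa-f]*\).*/\1 \2/p'
}

# Succeed (0) when every PCR value in the dump is all-zero. Static PCRs 0-7
# are only all-zero right after TPM start-up, so seeing this after resume
# means the platform hit the CVE-2018-6622 condition.
all_zero_pcrs() {
    pcr_pairs "$1" | awk '$2 ~ /[1-9A-Fa-f]/ { nonzero = 1 } END { exit nonzero ? 1 : 0 }'
}

# Print the indexes whose value in the AFTER dump differs from BEFORE
# (an index missing from BEFORE counts as changed).
changed_pcrs() {
    before=$(pcr_pairs "$1")
    pcr_pairs "$2" | while read -r idx val; do
        old=$(printf '%s\n' "$before" | awk -v i="$idx" '$1 == i { print $2 }')
        [ "$old" = "$val" ] || printf '%s\n' "$idx"
    done
}

# Verdict for a before/after pair, as the exit status:
#   0  PCRs unchanged across suspend/resume
#   1  TPM was reset: PCRs changed and are now all-zero (CVE-2018-6622)
#   2  PCRs changed but are not zero (firmware or software extended them)
#   3  one of the dumps could not be parsed, so no conclusion is possible
check_s3_reset() {
    [ -n "$(pcr_pairs "$1")" ] && [ -n "$(pcr_pairs "$2")" ] || return 3
    [ -z "$(changed_pcrs "$1" "$2")" ] && return 0
    all_zero_pcrs "$2" && return 1
    return 2
}

# Live procedure (root and tpm2-tools required): dump, suspend, dump, compare.
#   tpm2_pcrread sha256:0,1,2,3,4,5,6,7 > /tmp/pcr.before
#   systemctl suspend                     # wake the machine, then:
#   tpm2_pcrread sha256:0,1,2,3,4,5,6,7 > /tmp/pcr.after
#   check_s3_reset "$(cat /tmp/pcr.before)" "$(cat /tmp/pcr.after)"; echo "verdict: $?"

# Offline demonstration on the constructed dumps: prints verdicts 0, 1 and 2.
for after in "$BEFORE" "$AFTER_RESET" "$AFTER_EXTENDED"; do
    rc=0
    check_s3_reset "$BEFORE" "$after" || rc=$?
    echo "verdict: $rc"
done
```

Verdict 2 is kept separate from verdict 1 on purpose: some firmware legitimately extends a PCR on resume, and treating any change as a reset would produce false alarms, while only the all-zero state is the signature of a TPM that was cleared. A single clean cycle (verdict 0) also only shows that this particular firmware path did not clear the TPM; it does not prove the firmware handles every abnormal S3 case.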

Open-Source Contributions

I have contributed patches to open-source projects such as the Linux kernel, Trusted Boot (tboot) and TPM2.0-TSS.