My Work Experience

Zscaler

Security Researcher I

While working as a Security Researcher at Zscaler, I delved into the convoluted mechanisms behind Microsoft Visio, specifically focusing on how it interprets DWG files (a common file format for engineering designs). This involved reverse engineering Visio’s code, analyzing its core components, and identifying potential security weaknesses in how it handles file validation.

To enhance this analysis, I developed a tool using DynamoRIO, a framework that allows for detailed analysis and manipulation of a program’s execution, to streamline the reverse engineering process, and to gain deeper insights into the program’s behavior.

This led to the development of a specialized testing environment for Visio by creating a fuzzing harness. This harness simulated real-world usage by feeding Visio with various file inputs, including intentionally flawed or unexpected ones. This process, known as fuzzing, allows one to trigger crashes and errors within Visio and isolate their root causes. My findings were then shared with Microsoft, contributing to their efforts in patching software flaws and improving overall security.

Beyond this, I began exploring a new method for uncovering software vulnerabilities called snapshot fuzzing. This technique involves closely tracking how a program uses memory while it’s running, which can reveal “hidden flaws”. I’ve started building the foundational tools for this, including a basic debugger and components to monitor memory usage, which will lay the groundwork for more automated vulnerability discovery in the future.

Associate Security Researcher

Working as an Associate Security Researcher, I focused on finding critical security bugs in the COTS (Commercial Off-The-Shelf) software. To streamline this process, I developed vaious IDAPython scripts. These scripts analyzed code coverage logs, which track the parts of a program’s code that are executed during testing. By automating this analysis, I could quickly identify the areas of the code that were more likely to contain vulnerabilities.

Additionally, I created a file-format fuzzing framework, a tool for systematically testing software by feeding it with malformed or unexpected data. I focused on undocumented raw-image formats, such as the Canon Raw (CR2) format, developing a custom parser (a program that reads and interprets the file structure) and mutator (a program that introduces variations into the file) specifically for this purpose. This allowed for more targeted testing, increasing the chances of discovering vulnerabilities.

To enhance the effectiveness of fuzzing, I also delved into the inner workings of proprietary software components, specifically those responsible for parsing image and document files. By reverse engineering these components, I gained a deeper understanding of how they processed files and used this understanding to develop specialized fuzzing harnesses, which tailored the fuzzing process to these specific components.

I further explored the use of Intel Pin, a Dynamic Binary Instrumentation (DBI) framework, a powerful tool that allows for the insertion of code into a running program. In this case, I used it to capture code coverage information, which provided insights into how thoroughly my fuzzing tests were exercising the software’s code.

Finally, I optimized a WinAFL fuzzing environment, a popular tool for fuzzing Windows software. By utilizing RAM disks (virtual disks stored in memory for faster access) and parallelizing the fuzzing process across multiple CPU cores, I significantly increased the efficiency of the fuzzing process. I also conducted extensive research on file-format fuzzing, studying published literature and experimenting with various open-source tools like FormatFuzzer, Jackalope, and Peach Fuzzer. This research deepened my understanding of file-format fuzzing techniques, enabling me to effectively apply them in identifying and mitigating vulnerabilities within complex software systems.

SEAL Lab, IIT Kharagpur

Undergraduate Researcher

Through extensive study of research journals and conference presentations, I developed a strong foundation in cache side-channel attacks, focusing on techniques like Prime+Probe, Flush+Reload, and Evict+Reload. These attacks exploit the microarchitectural design of modern processors to infer sensitive information from the timing of cache interactions.

Based on this understanding, I developed an automated framework for collecting detailed data on cache hit/miss timings across all x86 instruction sets on Intel CPUs using Hardware Performance Counters. This involved executing individual instructions repeatedly and precisely measuring the time it took for the processor to access data from the cache or main memory. By analyzing this data, I was able to profile the behavior of different instructions and identify patterns that could be exploited in side-channel attacks.

To further analyze the collected data, I applied machine learning algorithms such as Gaussian Mixture Models (GMM) and K-Nearest Neighbors (KNN) to cluster instructions based on their cache timing behavior. This helped to identify groups of instructions with similar characteristics that could be potentially exploited. Additionally, I employed Least Squares (LSQ) template analysis to create models of instruction set behavior, which could be used to predict cache access patterns and assess the feasibility of potential side-channel attacks. The results of this research are available in my public GitHub repository.

In addition to cache-based attacks, I also conducted an in-depth literature review of micro-op cache side-channel attacks, focusing on key research papers such as UC-Check, I See Dead µops, and Osiris. These attacks target the micro-op cache, a smaller and faster cache that stores decoded instructions.

Further, I implemented and validated the UC-Check paper on target systems. This involved reproducing the steps outlined in the research paper and verifying the effectiveness of the attack in extracting sensitive information from the micro-op cache. This hands-on experience demonstrates my expertise in microarchitectural analysis and my ability to apply theoretical research to real-world scenarios.

Digital Security Research Center, TII

Security Engineer (Part-time)

As a Security Engineer, I conducted extensive fuzz testing on a variety of open-source libraries, parsers, and programs using AFLPlusPlus, an advanced fuzzing tool that intelligently generates test inputs to uncover vulnerabilities. To ensure isolation and reproducibility, each library was fuzzed within its own dedicated Docker container environment, configured with different sanitizers to detect memory errors and undefined behaviors.

In parallel, I delved into the inner workings of QEMU, a versatile emulator capable of running code for different architectures on various platforms. I studied the various components of QEMU’s emulation framework to understand how it could be leveraged for fuzzing purposes. Specifically, I explored emulation-based fuzzing, a technique that uses emulation to execute the code in a controlled environment, making it easier to identify vulnerabilities that might be difficult to trigger in a real-world scenario.

To expand my skillset of vulnerability discovery, I experimented with various symbolic and taint analysis tools. Symbolic execution tools like Angr analyze program behavior by systematically exploring different execution paths, while taint analysis tools like Kirenenko and Triton track the flow of data through a program to identify potential vulnerabilities. By working with these tools, I gained valuable insights into the strengths and weaknesses of different approaches to binary analysis and vulnerability discovery.

Security Engineer (Internship)

During my internship, I developed and optimized an automated tool to assess software vulnerabilities by generating proof-of-concept (PoC) exploits. This tool streamlines the process of validating a vulnerability by crafting and executing tailored code that demonstrates the exploitability of the flaw, providing tangible evidence for remediation.

Conducted firmware analysis of embedded and IoT devices to uncover potential security weaknesses. This process involved leveraging a suite of tools, including Binwalk for extracting firmware images, Firmwalker for identifying file systems and file types within firmware, and Ghidra for disassembling and analyzing the binary code of firmware components.

Utilized various emulation frameworks such as ARM-X, Qiling, and QEMU to partially emulate the firmware of IoT devices in a controlled environment. This enabled dynamic analysis of the firmware’s behavior, facilitating the identification of vulnerabilities and potential attack vectors without the need for physical access to the device itself.