Markus Gaasedelen

I am a computer security researcher and co-founder of RET2 Systems. My work bridges systems-level research with HCI to create usable, interactive tooling in:

  • Software reverse engineering
  • Binary exploitation
  • Program analysis

I am currently researching new and innovative methods for developers to examine compiled software and the increasingly complex execution runtime.


Education

Rensselaer Polytechnic Institute – B.S. Computer Science (2011 - 2015)

I graduated cum laude from Rensselaer Polytechnic Institute (RPI) in 2015, majoring in Computer Science with a focus on Game and Simulation Arts and Sciences. My interest in computer security was built through independent and extra-curricular studies.


Work Experience

RET2 Systems – Co-founder, Senior Researcher (2017 - Present)

I co-founded the applied security research firm RET2 Systems in 2017 as a vessel for the curious self-directed nature of my interests. The RET2 blog has grown popular amongst industry researchers for its accessibility and transparency into a broad range of technical topics.

Microsoft – Security Software Engineer II (2015 - 2017)

As part of the Microsoft Security Response Center, I helped investigate and remedy hundreds of vulnerabilities in Microsoft software. I prototyped experimental debug automation and full-system execution tracing technology to reduce investigation costs for time-critical cases.

Trail of Bits – Security Research Intern (Winter 2014)

Over the course of a few weeks, I cleaned up and documented CodeReason (a semantic binary code analysis framework) for its public release to GitHub. CodeReason lifts binary code to Valgrind’s VEX IR and symbolically executes it using a custom execution engine.

Raytheon SI – Vulnerability Research Intern (Summer 2014)

I code reviewed and fuzzed the SSH protocol implementation of several open source projects for exploitable vulnerabilities. I later applied this knowledge to reverse engineer and evaluate the exploitability of custom SSH server implementations on commercial embedded devices.

MIT Lincoln Laboratory – Security Research Intern (Summer 2013)

I studied hundreds of PDF-based malware samples and developed a framework to excise malicious elements into a ‘patch’ file. These patches could be applied to any normal PDF file to create a new, malicious, sample for testing the detection robustness of anti-virus solutions.


Teaching Experience

RET2 WarGames – A Web Platform for Security Education (2017 - Present)

WarGames is a gamified educational platform I designed to teach the Fundamentals of Software Exploitation, a super-charged successor to Modern Binary Exploitation. I have used the platform to teach students in academic classrooms, industry trainings, and via virtual mentorship.

Modern Binary Exploitation – CSCI 4968 @ Rensselaer (2015)

At RPI I produced the curriculum for a semester-long college course to teach applied skills in binary exploitation and software reverse engineering. The class was officially sponsored by the computer science department for the spring 2015 semester, where I led many of the lectures.

The course materials were published to GitHub in 2015, amassing 4,600 stars and 30,000 downloads since its release. The curriculum was the first of its kind, directly inspiring new classes at several other universities including Georgia Tech, Brown, WCU, GMU and more.

RPISEC – The RPI Computer Security Club / CTF Team (2012 - 2015)

As the president of RPISEC, I conducted dozens of weekly hands-on seminars covering various topics of computer security. By regularly mentoring junior members over several years, I rallied a passionate student club into one of the most successful CTF teams in the USA.


Industry Presentations

The Layman’s Guide to Zero-Day Engineering – 35C3 (2018)

Exploits for consumer web browsers are among the most desirable capabilities in the digital arms-race. But where do they come from, and at what cost? This talk reflects on challenges and misconceptions, both human and technical, of the zero-day engineering lifecycle.

Building Cyber Armies at Scale – ANYCON (2018)

The swelling tempest of connected technology has left nations scrambling to control an evolving domain of risk and opportunity. We discuss the approach we’re taking at RET2 to create scalable education resources to meet the surging demand for proficient cybersecurity experts.

Sol[IDA]rity: Collaborative Reverse Engineering – REcon (2016)

Much like Google Docs, collaborative disassemblers can dramatically improve the productivity in reverse engineering tasks. Solidarity was an experimental integration I developed for IDA Pro to facilitate real-time synchronization of annotations and actions between reversers.


(Selected) Projects

Tenet – A Trace Explorer for Reverse Engineers (2021)

Tenet probes at how visualization can augment time-travel-debugging technologies to create more fluid controls for exploring the execution runtime. The basis of this work stems from the desire to research new methods of studying complex execution patterns in software.

Lucid – A Microcode Explorer for the Hex-Rays Decompiler (2020)

Lucid is a developer-oriented IDA Pro plugin for exploring the Hex-Rays microcode. It was designed to provide a seamless, interactive experience for studying microcode transformations while developing extensions (plugins) for the Hex-Rays Decompiler.

Lighthouse – A Code Coverage Explorer for Reverse Engineers (2017)

Lighthouse is a powerful coverage explorer used frequently in opaque binary-only fuzzing tasks, guiding countless researchers to discover hundreds of CVEs over several years. It has been cited in dozens of talks, papers, and blogposts across the applied security research industry.


(Selected) Research Writing

Fuzzing UDP Game Protocols With Snapshot-based Fuzzers (2021)

Leveraging a powerful new snapshot-based fuzzer, I walk through how it took only hours to discover several critical (and wormable) remote code execution vulnerabilities in one of 2021’s most popular online multiplayer games enjoyed by millions of active players.

7 Days to Lift: A Mission in Microcode (2020)

After encountering a binary making extensive use of Intel’s Advanced Vector Extensions (AVX) for physics based simulations, I showed how the industry-leading Hex-Rays Decompiler could be extended to lift new instructions, saving a team hundreds of hours spent reversing.

In Transactional Memory, No One Can Hear You Scream (2019)

During DEFCON CTF 2019 Quals, I identified a cache-coherency issue within Intel’s Transactional Synchronization Extensions (TSX). This blogpost discusses how I exploited the CPU-level asymmetry in competition as an unintended solution to a shellcoding challenge.

A Methodical Approach to Browser Exploitation (2018)

A six-part series of posts discussing the research behind an Apple Safari zero-day exploit chain I helped develop for Pwn2Own 2018. This series has become a staple for vulnerability researchers across the industry who are interested in entering the niche of browser exploitation.

Practical Decompilation of Ethereum Smart Contracts (2018)

I co-authored the first interactive decompiler for the EVM bytecode while researching the security of Ethereum smart contracts. At DEFCON CTF 2018, we demonstrated its versatility by beating out hundreds of other teams to reverse engineer and exploit a smart contract challenge.

Dangers of the Decompiler (2017)

Binary obfuscation is the most common approach to mask logic and harden software against reverse engineers. In this post, I proposed anti-decompilation as a new class of anti-reversing techniques intended to subtly deceive reverse engineers by abusing decompilation errors.

Solving FireEye’s FLARE On Six via Side Channels (2014)

As an undergrad, I demonstrated how instruction counting using dynamic binary instrumentation could be used as a side channel to automatically extract a ‘key’ from a heavily obfuscated binary. This same idea was later formalized as Differential Computation Analysis.
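The instruction-counting side channel described above, as an added, constructed example (not the author's FLARE On write-up or tooling): a toy byte-wise key check stands in for the obfuscated binary, and a returned "work" counter models the executed-instruction count a DBI tool such as Pin would report. Because the check bails out at the first mismatching byte, a correct prefix always executes more instructions than an incorrect one, so the key falls out one byte at a time. The secret, the per-byte cost constants and the function names are all assumptions of this example.

```python
# Added example: instruction-count side channel against an early-exit key check.
# `check_key` plays the role of the target binary's validation routine and
# returns a modelled instruction count alongside its verdict, standing in for
# what a DBI tool (Pin, DynamoRIO) would measure. Constructed, not the author's code.

SECRET = b"FL4R3-0n"           # constructed secret; the "attacker" never reads it


def check_key(candidate: bytes) -> tuple[bool, int]:
    """Byte-wise comparison that exits on the first mismatch.

    Returns (accepted, work) where `work` models the number of instructions a
    DBI tool would observe the program execute for this input.
    """
    work = 5                                  # prologue / length check cost
    if len(candidate) != len(SECRET):
        return False, work
    for got, want in zip(candidate, SECRET):
        work += 7                             # load, compare, branch per byte
        if got != want:
            return False, work                # early exit leaks the prefix length
    work += 3                                 # success path epilogue
    return True, work


def recover_length(oracle, max_len: int = 64) -> int:
    """Find the expected key length: only the right length reaches the loop body."""
    baseline = oracle(b"")[1]
    for n in range(1, max_len + 1):
        if oracle(b"\x00" * n)[1] > baseline:
            return n
    raise ValueError("no length change observed")


def recover_key(oracle, length: int, alphabet: bytes) -> bytes:
    """Recover the key byte by byte, keeping the guess that executed the most work."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_count = None, -1
        for c in alphabet:
            # Correct prefix + candidate byte + filler for the remaining positions.
            guess = bytes(known) + bytes([c]) + b"\x00" * (length - pos - 1)
            _, count = oracle(guess)
            if count > best_count:
                best_byte, best_count = c, count
        known.append(best_byte)
    return bytes(known)


def demo() -> bytes:
    """End-to-end run: length first, then the key, using only the count oracle."""
    printable = bytes(range(0x20, 0x7F))      # printable ASCII search space
    length = recover_length(check_key)
    key = recover_key(check_key, length, printable)
    assert check_key(key)[0], "recovered key was rejected"
    return key


if __name__ == "__main__":
    print(demo())
```

In a real run the oracle is a Pin tool's instruction counter over a fresh process per guess; the defence the technique defeats is an early-exit comparison, which is why constant-time, whole-buffer comparisons (or a hash of the input) remove the signal.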

Depackaging the Nintendo 3DS CPU (2014)

After taking a class in hardware reverse engineering at RPI, I wrote about depackaging the CPU from a Nintendo 3DS to possibly extract its silicon-level bootrom through optical inspection. While the project went unfinished, it’s a fun peek at the lowest levels of computer hardware.


Awards and Honors