Home

Markus Gaasedelen

Markus Gaasedelen

LinkedIn  |  X  |  GitHub

I am a computer security researcher and co-founder of RET2 Systems. My technical work blends:

  • Software Exploitation – reverse engineering, binary exploitation, special emulation & debug tooling
  • Hardware & Platform Security – secure boot, fault injection, firmware & key extraction, side channels
  • Frontier AI – in-context adaptation, automated ISA recovery, re-hosting, reversing, and exploitation

I am currently exploring next-generation workflows to inspect, validate, or exploit the most hardened software and devices on the planet.

Professional Experience

RET2 Systems – Co-founder, Principal Security Researcher (2017 - Present)

I co-founded the applied security research firm RET2 Systems in 2017, delivering specialized security consulting and training to the commercial and defense industries, including Google, Apple, Epic Games, F5 Networks, Raytheon, Lockheed Martin, DARPA, and more.

Since 2020, my research expanded to hardware and firmware security, assessing platform trust architectures, silicon roots of trust, and fault injection. I demonstrated a culmination of these skills in my total compromise of the Xbox One’s “unhackable” measured, cryptographic boot.

In late 2022, I began integrating LLMs directly into my day-to-day research. RET2 was solicited to develop cybersecurity evaluations for AI safety and government programs (2023 - 2025), where we continue to harness and advise on the accelerating impact of frontier AI as of 2026.

Microsoft – Security Software Engineer II (2015 - 2017)

As part of the Microsoft Security Response Center, I investigated, triaged, and remediated high-impact vulnerabilities across Windows, Office, and web browser stacks. I helped triage major crises, including Shadow Brokers and WannaCry, which had global impact. This demanded close coordination with product teams, turning complex vulnerability reports into fixes, fast.

I also investigated finder-disclosed vulnerabilities, reverse-engineered in-the-wild Windows kernel zero-days, Windows secure boot issues, and Qualcomm SBL-based bootloader flaws in Microsoft Lumia devices, while prototyping debug automation and record-replay tracing for the Windows kernel by integrating Microsoft Time Travel Debugging into Hyper-V.

Prior Experience

Trail of Bits – Security Research Intern (Winter 2014)

Over the course of a few weeks, I cleaned up and documented CodeReason (a semantic binary code analysis framework) for its public release to GitHub. CodeReason lifts binary code to Valgrind’s VEX IR and symbolically executes it using a custom execution engine.

Raytheon SI – Vulnerability Research Intern (Summer 2014)

I reviewed and fuzzed the SSH protocol implementation of several open source projects for exploitable vulnerabilities. I later applied this knowledge to reverse engineer and evaluate the exploitability of custom SSH server implementations on commercial embedded devices.

MIT Lincoln Laboratory – Security Research Intern (Summer 2013)

I studied hundreds of PDF-based malware samples and developed a framework to excise malicious elements into a ‘patch’ file. These patches could be applied to any normal PDF file to create a new, malicious sample for testing the detection robustness of antivirus solutions.

(Selected) Presentations

Hacking the Xbox One – RE//verse (2026)

In 2020, Microsoft called the Xbox One “the most secure product Microsoft has ever produced.”

In this talk, I show how layered side channels and multi-fault glitching were used to compromise the console’s uniquely hardened AMD Platform Security Processor, overcoming randomized stalls and silicon-level countermeasures to break a root of trust many considered unhackable.

The hack drew broad coverage beyond the security industry, from articles in Tom’s Hardware, Windows Central, Schneier on Security, Kotaku, and the front page of Hacker News to videos by major YouTubers like Modern Vintage Gamer and Linus Tech Tips’ TechLinked.

Full-stack Reverse Engineering of the Original Xbox – RE//verse (2025)

A hardware odyssey spanning roughly 4,000 hours of dissecting every layer, trace, and digital signal of the original Microsoft Xbox. From kernel hacking and bespoke CPU interposers to bondwire attacks and signals-only firmware reconstruction.

This archeological dig spanning three years leaves no stone unturned, as success, failure, and steadfast passion converge to forge a software researcher into a full-stack reverse engineer.

The Many Cores of the Original Xbox – Dartmouth LRC (2025)

This low-resource computing tour of the original Xbox ignores its x86 CPU and dives into the exotic constellation of MCUs quietly powering its peripherals: the DVD drive, HDD, System Management Controller, and more. Firmware images spanning PIC16, 8051, MN103, ST10, and ARM7TDMI are reverse engineered to discover manufacturing secrets and vendor backdoors.

The Layman’s Guide to Zero-Day Engineering – 35C3 (2018)

Exploits for consumer web browsers are among the most desirable capabilities in the digital arms race. But where do they come from, and at what cost? This talk reflects on challenges and misconceptions, both human and technical, of the zero-day engineering lifecycle.

Sol[IDA]rity: Collaborative Reverse Engineering – REcon (2016)

Much like Google Docs, collaborative disassemblers can dramatically improve productivity in reverse engineering tasks. Solidarity was an experimental integration I developed for IDA Pro to facilitate real-time synchronization of annotations and actions between reversers.

(Selected) Research Writing

Streaming Zero-Fi Shells to Your Smart Speaker (2025)

A writeup of our Pwn2Own Ireland 2024 exploit against the Sonos Era 300. I established a research foothold via hardware, breaking the secure bootchain and extracting TrustZone-sealed keys from the device’s eFuses. We used our access to inspect the system services and develop a network-based memory corruption exploit targeting a bug in the device’s HLS audio codec.

JTAG ‘Hacking’ the Original Xbox (2023)

What does it take to gain physical JTAG access to a BGA-based Intel x86 CPU? Revisiting a fun theory once deemed impractical, I created a custom CPU interposer to slip between an Intel CPU and its motherboard, breaking a secure chain of trust at RESET to dump its deepest secrets.

Fuzzing UDP Game Protocols With Snapshot-based Fuzzers (2021)

Leveraging a powerful new snapshot-based fuzzer, I walk through how it took only hours to discover several critical (and wormable) remote code execution vulnerabilities in one of 2021’s most popular online multiplayer games, Apex Legends, enjoyed by millions of active players.

7 Days to Lift: A Mission in Microcode (2020)

After encountering a binary making extensive use of Intel’s Advanced Vector Extensions (AVX) for physics-based simulations, I showed how the industry-leading Hex-Rays Decompiler could be extended to lift new instructions, saving a team hundreds of hours spent reversing.

In Transactional Memory, No One Can Hear You Scream (2019)

During DEFCON CTF 2019 Quals, I identified a cache-coherency issue within Intel’s Transactional Synchronization Extensions (TSX). This blog post discusses how I exploited the CPU-level asymmetry in competition as an unintended solution to a shellcoding challenge.

A Methodical Approach to Browser Exploitation (2018)

A six-part series of posts discussing the research behind an Apple Safari zero-day exploit chain I helped develop for Pwn2Own 2018. This series has become a staple for vulnerability researchers across the industry who are interested in entering the niche of browser exploitation.

Practical Decompilation of Ethereum Smart Contracts (2018)

I co-authored the first interactive decompiler for the EVM bytecode while researching the security of Ethereum smart contracts. At DEFCON CTF 2018, we demonstrated its versatility by beating out hundreds of other teams to reverse engineer and exploit a smart contract challenge.

Dangers of the Decompiler (2017)

Binary obfuscation is the most common approach to mask logic and harden software against reverse engineers. In this post, I proposed anti-decompilation as a new class of anti-reversing techniques intended to subtly deceive reverse engineers by abusing decompilation errors.

Solving FireEye’s FLARE On Six via Side Channels (2014)

As an undergrad, I demonstrated how instruction counting using dynamic binary instrumentation could be used as a side channel to automatically extract a ‘key’ from a heavily obfuscated binary. This same idea was later formalized as Differential Computation Analysis.

Depackaging the Nintendo 3DS CPU (2014)

After taking a class in hardware reverse engineering at RPI, I wrote about depackaging the CPU from a Nintendo 3DS to possibly extract its silicon-level bootrom through optical inspection. While the project went unfinished, it’s a fun peek at the lowest levels of computer hardware.

(Selected) Open Source Projects

ENDGAME – A Universal Dashboard Exploit for the Original Xbox (2024)

ENDGAME achieves kernel code execution on the original Microsoft Xbox through targeted PTE corruption triggered when the dashboard parses crafted image data. The exploit is universal across all dashboard versions, requiring no prior modifications to the console.

Patching – Interactive Binary Patching for IDA Pro (2022)

Patching streamlines the process of modifying compiled x86, x64, ARM, and ARM64 binaries into a quick-turn, interactive experience within IDA Pro. It was designed to reduce the friction of common patching tasks that arise during reverse engineering and vulnerability research.

Tenet – A Trace Explorer for Reverse Engineers (2021)

Tenet explores how visualization can augment time-travel debugging technologies to create more fluid controls for exploring the execution runtime. The basis of this work stems from the desire to research new methods of studying complex execution patterns in software.

Lucid – A Microcode Explorer for the Hex-Rays Decompiler (2020)

Lucid is a developer-oriented IDA Pro plugin for exploring the Hex-Rays microcode. It was designed to provide a seamless, interactive experience for studying microcode transformations while developing extensions (plugins) for the Hex-Rays Decompiler.

Lighthouse – A Code Coverage Explorer for Reverse Engineers (2017)

Lighthouse is a powerful coverage explorer used frequently in opaque binary-only fuzzing tasks, guiding countless researchers to discover hundreds of CVEs over several years. It has been cited in dozens of talks, papers, and blog posts across the applied security research industry.

Teaching Experience

RET2 WarGames – A Web Platform for Security Education (2017 - Present)

WarGames is a gamified educational platform I designed to teach the Fundamentals of Software Exploitation, a supercharged successor to Modern Binary Exploitation. I have used the platform to teach students in academic classrooms, industry training, and via virtual mentorship.

Modern Binary Exploitation – CSCI 4968 @ Rensselaer (2015)

At RPI I produced the curriculum for a semester-long college course to teach applied skills in binary exploitation and software reverse engineering. The class was officially sponsored by the computer science department for the spring 2015 semester, where I led many of the lectures.

The course materials were published to GitHub in 2015, amassing 4,600 stars and 30,000 downloads since its release. The curriculum was the first of its kind, directly inspiring new classes at several other universities including Georgia Tech, Brown, WCU, GMU and more.

RPISEC – The RPI Computer Security Club / CTF Team (2012 - 2015)

As the president of RPISEC, I conducted dozens of weekly hands-on seminars covering various topics in computer security. By regularly mentoring junior members over several years, I rallied a passionate student club into one of the most successful CTF teams in the USA.

Education

Rensselaer Polytechnic Institute – B.S. Computer Science (2011 - 2015)

I graduated cum laude from Rensselaer Polytechnic Institute (RPI) in 2015, majoring in Computer Science with a focus on Game and Simulation Arts and Sciences. My interest in computer security was built through independent and extracurricular studies.

Awards & Honors