Abstract: The Android security model assumes applications behave predictably once the framework loads. But what happens if malware injects itself into the Zygote process before the UI is even allocated? This research explores Bootstrap Hijacking, analyzing the precise timing races between OS initialization and dynamic analysis tools like Frida.
Focuses on advanced evasion techniques used by modern Android Banking Trojans and the abuse of attachBaseContext().
- Banking Trojans (Anatsa 2024): Mapped the Android boot chain to analyze early payload unpacking techniques exploiting the lifecycle blindspot before UI allocation.
- Dynamic Binary Instrumentation: Defeating root detection, ptrace anti-debugging, and strict SSL pinning using custom Frida scripts.
- Timing Races: Engineered advanced Zygote Hooks and Spawn techniques to win the runtime injection race against the OS Dynamic Linker.
Finding: Identified a session-state desynchronization flaw in ChatGPT's backend that allows established in-flight API streams to persist and consume GPU/CPU resources after an account has been officially quota-locked at the UI layer.
- Impact: Bypass persisted for 40+ continuous minutes post-lock. Fully automatable via scripted cURL or browser orchestration — multiplying unauthorized compute consumption by N× sessions at zero marginal cost.
- Status: Report submitted to OpenAI via Bugcrowd. Triage in progress.
Abstract: A deep dive into the underlying logic of compilation pipelines. Utilizing AI-augmented semantic fuzzing, this research exposed critical scope isolation anomalies and memory crash conditions within the SBCL compiler. Disclosed to CERT-IL and MITRE.
🔬 View Compiler Fuzzing ShowcaseBuilt experimental workflows and secure infrastructure designs emphasizing zero-trust and execution isolation.
- WASM DLP Firewall: Custom Rust filter inside Envoy Proxy intercepting 5xx responses and stripping stack traces (CWE-209).
- AWS Resource Exhaustion Triage: RCA on a cascading Podman failure triggering an OOM-Killer event and 20,000 KMS/STS API calls via an infinite restart loop.