Program analysis. Reverse engineering. Backdoor detection.

Joined December 2017
Sam Thomas retweeted
Spent the last 2 weeks working on a devirtualizer for VMProtect 3.5 and learning Remill. Idk yet if I will blog about it, but I at least wanted to publish the code: github.com/eversinc33/MogVMP The approach is different from my last blog, as it lifts the whole x86 code of the VM
Sam Thomas retweeted
Dyn Taintflow Analysis (DTA) - one of the main components of VUzzer (NDSS 2017) - finally got the re-engineering I'd been postponing for years. Several ideas had been stuck in my notebook ever since. 1/n
Sam Thomas retweeted
One was, for example, the interned-label tag-map design I discussed with @c_giuffrida (thanks) back then, inspired by DFSan of LLVM. This year, working with Claude, I finally (dared!) took the leap: a DynamoRIO-native LibDFT64 port, off Intel Pin entirely. v0.1 just shipped. 2/
Sam Thomas retweeted
Parser benchmarks (5 iters; methodology in repo): • tiffcp: 4.54× faster than Pin LibDFT64 • xmllint: 4.20× faster • pdfimages: 2.20× faster Public C API ships 3 sink patterns — opcode-class / PC-range / function-entry — with 4 reference clients. 3/
Sam Thomas retweeted
This means it allows implementing typical taintflow-related workflows. GitHub: github.com/tosanjay/libdft-d… For some technical details, DESIGN.md is the one you would like to read first. Thanks 🙏 4/4
Sam Thomas retweeted
My second PhD student, Yihao Sun, will be doing his dissertation defense tomorrow at noon Eastern time. Yihao's work has been a true sight to behold. He has papers at ASPLOS, AAAI, NeurIPS, VLDB, among others. This Fall, he starts as faculty at Utah State University! (Zoom link.)
Sam Thomas retweeted
Decompilers historically have poor support for language-specific constructs, beginning with C++ templates or classes, not even talking about Go or Rust. This work is astonishingly high-quality; from my first little tests, it indeed makes Rust decompilations way more approachable.
For years, Rust binaries made reversing a nightmare. Modern decompilers only support C, lacking meaningful types, constructs, and language-specific functions. Led by @34r7hm4n, we're releasing our S&P work Oxidizer, the first deep Rust decompiler, built on angr! Interested? 🧵👇
Sam Thomas retweeted
Fresh desk and a new chair. For a new start.
🚨 Postdoc opening (24 months) in software security & fuzzing! Join our @BinsecTool team @CEA_List to work on smarter fuzzing for supply‑chain security. 📍 Paris‑Saclay 🇫🇷 🔗 Apply: binsec.github.io/jobs/open/2… #Postdoc #Cybersecurity #Fuzzing #BinaryAnalysis #SupplyChainSecurity
We are looking for a postdoc! ⬇️
Sam Thomas retweeted
I wrote a thing. If you are interested in obfuscation/de-obfuscation and compilers, but perhaps don't have tangible experience with it, then I hope this story will be interesting to you and teach a few things along the way (-:
Obfuscation vs The Optimizer: A Battle in LLVM Middle End. @yates82 shows us how the continuous improvement of the LLVM optimizer defeats naive code obfuscation, and how the obfuscator can fight back. An eternal fight in which all victories are ephemeral. blog.quarkslab.com/obfuscati…
We're pleased to announce a new release of our #Rust bindings for @HexRaysSA IDA Pro! This release adds compatibility with the latest SDK and introduces a Rust-native interface for developing plugins. github.com/idalib-rs/idalib
Writing Rust-based IDA plugins is as simple as implementing IDAPlugin and using an attribute macro to define metadata. The crate handles the rest!
Sam Thomas retweeted
🤔Ever wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine. Many tools have been built around it, yet its internals remained undocumented. Until now 👇 blog.quarkslab.com/bsim-expl…
Sam Thomas retweeted
It's finally here: radare2 Warp (warrp) ⚡️ This makes r2 the first tool outside of the Binary Ninja ecosystem to adopt the format. Huge thanks to Mason (from @vector35) and @trufae (@radareorg) for their invaluable feedback during development. github.com/radareorg/warrp
Sam Thomas retweeted
What sets BRS apart is its flexibility and transparency. It is configured through product-, organization-, or ecosystem-specific risk profiles and is built to incorporate a wide range of existing metrics.
Sam Thomas retweeted
Relying on a single metric like CVSS or EPSS can miss critical product or organizational context. BRS brings consistency to comparing different risks, such as a known high-severity vulnerability with a PoC versus a potential zero-day.
Sam Thomas retweeted
Why create another metric? Traditional scoring systems are often rigid, opaque, and narrow in scope. They may not reflect product-specific requirements, differences across ecosystems such as firmware and cloud containers, or the realities of an evolving threat landscape.