About me

I am Björn Ruytenberg, a security researcher specializing in hardware, firmware, and OS security. My research interests mainly include various aspects of x86-64 platform security, such as OS internals, BIOS (UEFI), hypervisors, and PCI Express, as well as sandboxing technology in widely deployed enterprise products. Part of my work includes Thunderspy, a collection of critical security vulnerabilities affecting Intel Thunderbolt technology. Outside of work, I enjoy sharing my findings as a speaker at Black Hat USA, Chaos Communication Congress, and other venues.

Currently, I am a PhD candidate at VUSec, Vrije Universiteit Amsterdam. In addition, I hold an MSc in Computer Science and Engineering (cum laude) from TU/e. My master thesis, entitled "When Lightning Strikes Thrice: Breaking Thunderbolt Security", received the Best Cybersecurity Master Thesis Award in The Netherlands. Before that, I obtained a BSc in Electrical Engineering and a BSc in Computer Science (cum laude) from Fontys.

Please feel free to contact me by email at bjornbjornwebnl (PGP), Twitter (@0Xiphorus), Mastodon (@0Xiphorus@infosec.exchange), or LinkedIn.

Talks

• When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
  • Black Hat USA 2020, peer-reviewed conference talk (08/2020) • Abstract - Slides - Live Recording
  • Dutch Design Week 2020, invited talk (10/2020) • Abstract - Slides - Live Recording
  • Chaos Communication Congress rC3, peer-reviewed conference talk (12/2020) • Abstract - Slides - Live Recording
  • 9th Annual CSng Workshop, invited talk, as part of BCMT award ceremony (11/2023) • Slides
• Playing in the Sandbox: Adobe Flash Exploitation Tales (updated)
  • CONFidence Krakow, peer-reviewed conference talk (06/2019) • Abstract - Slides - Live Recording
• Playing in the Sandbox: Adobe Flash Exploitation Tales
  • AsiaSecWest Hong Kong, peer-reviewed conference talk (06/2018) • Abstract
  • OWASP Netherlands Chapter Meeting, Radboud University Nijmegen, invited talk (10/2017) • Abstract - Slides
• On the Spectre of Meltdown: Analysing the Attacks and Mitigations
  • TU/e Department of Mathematics and Computer Science, seminar talk (05/2018) • Slides
  • TU/e Embedded Systems graduate course "Parallelization, Compilers and Platforms", guest lecture (03/2018)
• Scribbles: Dissecting the Vault7 Office Tracker Implant
  • TU/e Information Security seminar (06/2017) - Slides

Security vulnerabilities

I report security vulnerabilities whenever I find them. Some selected vulnerabilities are listed below:

• CAPEC-665 - Thunderspy: Intel Thunderbolt 1, 2 and 3 multiple critical vulnerabilities
• CVE-2018-12402 - Mozilla Firefox WebBrowserPersist uses incorrect origin information
• CVE-2017-4939 - VMware Workstation DLL Hijacking Arbitrary Code Execution
• SSD-3463 - Microsoft Office Host Machine Information and Windows User Credentials Disclosure
• CVE-2017-3085 - Adobe Flash Remote Sandbox Windows User Credentials Disclosure
• CVE-2016-4271 - Adobe Flash Local Data Exfiltration and Windows User Credentials Disclosure
• ZDI-16-395 - Foxit Reader Arbitrary Code Execution and Information Disclosure

Blog

My blog is a collection of writeups on some security vulnerabilities I've found. Here are the most recent entries:

• Playing in the Remote Sandbox: Adobe Flash Windows User Credentials Disclosure Vulnerability (CVE-2017-3085)
• Adobe Flash: Bypassing the local sandbox to exfiltrate data, obtain Windows user credentials (CVE-2016-4271)
• Foxit Reader: Bypassing the Safe Mode sandbox to execute arbitrary code, exfiltrate data (ZDI-16-395)

Projects

My profile on GitHub is where I publish projects I've been working on. Some projects you might find interesting:

• Spycheck - Verify whether your Thunderbolt-enabled system is vulnerable to the Thunderspy attacks.
• Thunderbolt Controller Firmware Patcher - PoC demonstrating one of the several Thunderspy attack methods.
• SPIblock - Configure SPI flash write protection.
• kDMAp-patcher - Patches Kernel DMA Protection onto unsupported Thunderbolt-powered systems.

Teaching

Previously, I have been a teaching assistant for the following courses:

• 2DMI20 - Software Security - Master course, CSE-IST program

As a mandatory part of the CSE-IST program, this course introduces software security, covering common security problems and underlying root causes, as well as techniques to find and mitigate such problems. My primary responsibilities included developing all course material on x86 platform security and microarchitectural side channels, as well as giving the corresponding lectures. A copy of these lectures is available here:

• Introduction to Platform Security • Slides - Recording
• Microarchitectural Side Channels • Slides - Recording
• 3USU0 - Networks and Security - Bachelor course, CSE/APS elective

This USE course introduces communication in networks, network security and related topics. As a TA, I was responsible for developing new course material on security protocols analysis. Topics include a basic introduction to security goals, symmetric and asymmetric encryption, digital signatures, PKI, threat models, designing communication protocols, and verifying protocol security. Additionally, I have created and reviewed homework assignments, lecture slides and exam questions.

• 5LIM0 - Parallelization, Compilers and Platforms - Master course, ES program

For the Embedded Systems master program, this course introduces modern compiler design, with a special focus on code parallelization and support for heterogeneous multi-core platforms. My contributions included reviewing and updating course materials, including graded assignments.

Please refer to the Canvas course pages to access the full course material.