About me

I am Björn Ruytenberg, a security researcher specializing in hardware, firmware, and OS security. My research interests mainly include various aspects of x86-64 platform security, such as OS internals, BIOS (UEFI), hypervisors, and PCI Express, as well as sandboxing technology in widely deployed enterprise products. Part of my work includes Thunderspy, a collection of critical security vulnerabilities affecting Intel Thunderbolt technology. Outside of work, I enjoy sharing my findings as a speaker at Black Hat USA, Chaos Communication Congress, and other venues. I also serve as a PC co-chair for HARRIS 2027. For some of my FOSS work, I have been awarded an NLnet grant as part of the European Commission's Next Generation Internet program.

Currently, I am a PhD candidate at VUSec, Vrije Universiteit Amsterdam. In addition, I hold an MSc in Computer Science and Engineering (cum laude) from TU/e. My master thesis, entitled "When Lightning Strikes Thrice: Breaking Thunderbolt Security", received the Best Cybersecurity Master Thesis Award in The Netherlands. Before that, I obtained a BSc in Electrical Engineering and a BSc in Computer Science (cum laude) from Fontys.

Please feel free to contact me by email at [email protected] (PGP), Twitter (@0Xiphorus), Mastodon (@0Xiphorus@infosec.exchange), or LinkedIn.

Publications

Talks

• MBEC, SLAT, and HyperDbg: Hypervisor-Based Kernel- and User-Mode Debugging
  • FOSDEM, conference talk (03/2026) • Abstract - Slides - Live Recording
• Invisible Hypervisors: Stealthy Malware Analysis with HyperDbg
  • FOSDEM, conference talk (03/2026) • Abstract - Slides - Live Recording
• From BIOS to UEFI: Understanding the Modern Firmware Attack Surface
  • Vrije Universiteit Amsterdam, Hardware Security guest lecture (12/2025) • Slides
• When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
  • 9th Annual CSng Workshop, invited talk, as part of BCMT award ceremony (11/2023) • Slides
  • Chaos Communication Congress rC3, conference talk (12/2020) • Abstract - Slides - Live Recording
  • Dutch Design Week 2020, invited talk (10/2020) • Abstract - Slides - Live Recording
  • Black Hat USA 2020, conference talk (08/2020) • Abstract - Slides - Live Recording
• Playing in the Sandbox: Adobe Flash Exploitation Tales (updated)
  • CONFidence Krakow, conference talk (06/2019) • Abstract - Slides - Live Recording
• Playing in the Sandbox: Adobe Flash Exploitation Tales
  • AsiaSecWest Hong Kong, peer-reviewed conference talk (06/2018) • Abstract
  • OWASP Netherlands Chapter Meeting, Radboud University Nijmegen, invited talk (10/2017) • Abstract - Slides
• On the Spectre of Meltdown: Analysing the Attacks and Mitigations
  • TU/e Department of Mathematics and Computer Science, seminar talk (05/2018) • Slides
  • TU/e Embedded Systems graduate course "Parallelization, Compilers and Platforms", guest lecture (03/2018)
• Scribbles: Dissecting the Vault7 Office Tracker Implant
  • TU/e Information Security seminar (06/2017) - Slides

Conference papers and theses

• Digital Hole: Bypassing Commercial Audio DRM Solutions with DReaMcatcher
  • EuroSys (04/2026) • Abstract - Fulltext PDF
• When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security
  • MSc thesis; received Best Cybersecurity Master Thesis Award (02/2022) • Fulltext PDF - Slides - Live Recording

Blog articles

• Adobe Flash: Windows User Credentials Disclosure Vulnerability (CVE-2017-3085)
• Adobe Flash: Bypassing the local sandbox to exfiltrate data, obtain Windows user credentials (CVE-2016-4271)
• Foxit Reader: Bypassing the Safe Mode sandbox to execute arbitrary code, exfiltrate data (ZDI-16-395)

Security vulnerabilities

I report security vulnerabilities whenever I find them. Some selected vulnerabilities are listed below:

• CAPEC-665 - Thunderspy: Intel Thunderbolt 1, 2 and 3 multiple critical vulnerabilities
• CVE-2018-12402 - Mozilla Firefox WebBrowserPersist uses incorrect origin information
• CVE-2017-4939 - VMware Workstation DLL Hijacking Arbitrary Code Execution
• SSD-3463 - Microsoft Office Host Machine Information and Windows User Credentials Disclosure
• CVE-2017-3085 - Adobe Flash Remote Sandbox Windows User Credentials Disclosure
• CVE-2016-4271 - Adobe Flash Local Data Exfiltration and Windows User Credentials Disclosure
• ZDI-16-395 - Foxit Reader Arbitrary Code Execution and Information Disclosure

Projects

My profile on GitHub is where I publish projects I've been working on. Some projects you might find interesting:

• Spycheck - Verify whether your Thunderbolt-enabled system is vulnerable to the Thunderspy attacks.
• Thunderbolt Controller Firmware Patcher - PoC demonstrating one of the several Thunderspy attack methods.
• SPIblock - Configure SPI flash write protection.
• kDMAp-patcher - Patches Kernel DMA Protection onto unsupported Thunderbolt-powered systems.

Ancillary activities

I serve in the following roles:

• HARRIS - Hardware Reverse Engineering Workshop
  Program committee co-chair (2027)

• HyperDbg - a FOSS hypervisor-based debugger
  Lead maintainer (2025 - today)