Pietro Borrello

Pietro Borrello

Microarchitecture Security Researcher

Apple SEAR

Biography

I am a Microarchitecture Security Researcher at Apple SEAR.

I received my PhD at the Sapienza University of Rome, working on Systems Security with a focus on applying Fuzzing and Program Analysis techniques to find and mitigate architectural and microarchitectural vulnerabilities.

In my PhD Thesis, I contributed to find and mitigate over one hundred bugs in software, operating systems, and CPUs.

I am also a passionate CTF player focusing on exploitation and reverse-engineering with TRX and mhackeroni teams.

Co-founder of the DEFCON Group in Rome.

BlackHat & OffensiveCon speaker and Pwnie Award recipient:

  • Best Desktop Bug for “ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture”
  • Most Innovative Research for “Custom Processing Unit: Tracing and Patching Intel Atom Microcode”
Interests
  • Systems Security
  • Microarchitectural Attacks & Defenses
  • Side-Channels
  • Program Analysis
  • Fuzzing
Education

  • PhD in Engineering in Computer Science, 2023

    Sapienza University of Rome

  • MSc in Engineering in Computer Science, 2019

    Sapienza University of Rome

  • BSc in Engineering in Computer Science, 2017

    Sapienza University of Rome

Projects

Custom Processing Unit

Custom Processing Unit

The first dynamic analysis framework for CPU microcode. Pwnie Award for Most Innovative Research

Code Slides
ÆPIC Leak

ÆPIC Leak

Architecturally Leaking Uninitialized Data from the Microarchitecture. Pwnie Award for Best Desktop Bug

PDF Code Slides
Constantine

Constantine

A compiler-based system to automatically harden programs against microarchitectural side channels.

PDF Code
Intel Atom Microcode Decompiler

Intel Atom Microcode Decompiler

Ghidra Processor Module to disassemble and decompile x86 Intel Atom microcode.

Code
raindrop

raindrop

A binary translator to transform program functions into obfuscated ROP chains.

PDF Code

Talks

Custom Processing Unit - OffensiveCon
Reverse Engineering and Customization of Intel Microcode.
May 20, 2023 12:00 AM — 12:00 AM OffensiveCon 2023
PDF Project
Custom Processing Unit - OffensiveCon
Custom Processing Unit - BlackHat USA
Tracing and Patching Intel Atom Microcode.
Aug 10, 2022 12:00 AM — 12:00 AM Black Hat USA 2022
PDF Project Video
Custom Processing Unit - BlackHat USA
ÆPIC Leak
Architecturally Leaking Uninitialized Data from the Microarchitecture.
Aug 9, 2022 12:00 AM — 12:00 AM Black Hat USA 2022
PDF Project Video
ÆPIC Leak
The Lord of the Ring0
Exploiting the Linux Kernel for Privilege Escalation.
Dec 10, 2021 12:00 PM — 1:00 PM TU Graz Online Talk
PDF
The Lord of the Ring0
Breaking the walls
CPU introspection through micro-architectural data sampling.
Jan 31, 2020 5:00 PM — 6:00 PM DEFCON Group Meeting
PDF Meeting
Breaking the walls
See all events

Publications

Pietro Borrello, A. Fioraldi, D.C. D'Elia, D. Balzarotti, L. Querzoni, C. Giuffrida (2024). Predictive Context-sensitive Fuzzing. NDSS.

PDF Cite Code

J. Koschel, Pietro Borrello, D.C. D'Elia, H. Bos, C. Giuffrida (2023). Uncontained: Uncovering Container Confusion in the Linux Kernel. USENIX Security.

PDF Cite Code

Pietro Borrello, Catherine Easdon, Martin Schwarzl, Roland Czerny, Michael Schwarz (2023). CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode. WOOT.

PDF Cite Code

M. Schwarzl, Pietro Borrello, G. Saileshwar, H. Mueller, D. Gruss, M. Schwarz (2023). Practical Timing Side-Channel Attacks on Memory Compression. Security & Privacy.

Cite

M. Schwarzl, Pietro Borrello, A. Kogler, T. Schuster, K. Varda, D. Gruss, M. Schwarz (2022). Robust and Scalable Process Isolation against Spectre in the Cloud. ESORICS.

PDF Cite Project DOI

Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz (2022). ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture. USENIX Security.

PDF Cite Code

Pietro Borrello, D.C. D'Elia, L. Querzoni, C. Giuffrida (2021). Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization. ACM CCS.

PDF Cite Code Slides DOI

Pietro Borrello, E. Coppa, D.C. D'Elia (2021). Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation. ACM DSN.

PDF Cite Code DOI

Pietro Borrello, E. Coppa, D.C. D'Elia, C. Demetrescu (2019). The ROP needle: hiding trigger-based injection vectors via code reuse. ACM SAC.

PDF Cite DOI

Pietro Borrello, E. Coppa, D.C. D'Elia, C. Demetrescu (2018). Boosting Virtualization Obfuscation with Return Oriented Programming. Poster at ACM ACSAC.

M. Angelini, G. Blasilli, Pietro Borrello, E. Coppa, D.C. D'Elia, S. Ferracci, S. Lenti, G. Santucci (2018). Ropmate: Visually Assisting the Creation of ROP-Based Exploits. IEEE VizSec.

PDF Cite Code DOI

CVEs
CVE-2023-25012 use-after-free in HID:bigben in the Linux kernel
CVE-2023-1079 use-after-free in HID:asus in the Linux kernel
CVE-2023-1078 type confusion & heap OOB write in RDS in the Linux kernel
CVE-2023-1077 type confusion in Realtime Scheduler in the Linux kernel
CVE-2023-1076 type confusion in TUN/TAP in the Linux kernel
CVE-2023-1075 type confusion in TLS in the Linux kernel
CVE-2023-1074 type confusion in SCTP in the Linux kernel
CVE-2023-1073 type confusion & NULL ptr deref in HID in the Linux kernel
CVE-2022-21233 information disclosure in Intel CPUs (ÆPIC Leak)
CVE-2022-33070 undefined behavior in protobuf-c
CVE-2022-33069 DoS in solidity compiler
CVE-2022-33068 integer overflow vulnerability in Harfbuzz
CVE-2022-33067 undefined behavior in lzrip
CVE-2022-28049 DoS in njs
CVE-2022-28048 undefined behavior in stb
CVE-2022-28044 invalid free in lrzip
CVE-2022-28042 use-after-free in stb
CVE-2022-28041 integer overflow vulnerability in stb
CVE-2022-1515 DoS in matio
CVE-2022-1475 integer overflow vulnerability in FFmpeg
CVE-2020-11713 timing side-channel vulnerability in wolfSSL

[Linux kernel patches]