Profile
A security researcher in STARLABS Singapore who specializes in vulnerability research, N-days analysis, and exploit development. He is proficient across the entire lifecycle of exploit development that includes bug triaging, root cause analysis, reverse engineering, debugging, exploit writing and documentation. Besides his day job, he participates in Capture the Flag (gamified security competition) with his team, Rek4pig during the weekends to sharpen his skillsets and explore other domains of cybersecurity.
Work Experience
STARLabs Singapore
Security Researcher - ( Feb 2020 to Jul 2022 )
Discovered and exploited a 0-day heap buffer overflow vulnerability on Netgear Router (CVE-2021-27253) that led to remote code execution for a prestigious international competition, Pwn2Own 2020. Involved in end-to-end activities such as firmware dumping, reverse engineering, and exploit development
Analyzed and researched N-days vulnerabilities across different technologies and bug classes such as Chrome V8 Javascript Engine Bugs (Incorrect Optimizations, Type Confusion, Lack of Bounds Check), Windows Local Privilege Escalations and numerous routers (ASUS, DLINK, etc.)
Located differences between patched and vulnerable version of binaries via Binary Diffing with Diaphora and Bindiff6
Triaged vulnerabilities and performing root cause analysis via reverse engineering and/or code auditing (for open-sourced programs)
Developed exploits for various bug classes and vulnerabilities such as Buffer overflows, Command Injection, SSRF, Type Confusion and Integer Underflow
Wrote formal and informal(educational) reports for each vulnerability analysis
Developed a dumb fuzzer that led to the discover of command injection vulnerability, CVE-2021-22204
MWRInfoSecurity/FSecure
Consultant - ( Jul 2019 to Dec 2019 )
Automated deployment process of an internal tool in AWS via python boto3 API to reduce human errors
Documented the setup process and architecture of the internal tool for knowledge sharing and reduce duplicative work
Joined the team in tearing down hardware and dumping of decrypted firmware during the attempt to
Assisted in vulnerability research for Pwn2Own 2019 television category
Education
Nanyang Technological University Singapore
Attained a Bachelor’s Degree in Computer Science, specializing in Cyber Security
Security modules that were taken includes Malware Analysis, Cryptography and Software Security.
Skills
IDA Pro, Ghidra, DnSpy, x64DBG, WinDBG, GDB, experiences in Windows Kernel Debugging, python programming, javascript, C/C++, asm
Community Outreach
guest speaker for nus greyhats security wednesday – “a case study of an incorrect bitwise and (&) optimization in v8”, 2022 https://www.youtube.com/watch?v=Ihc9WbtruE8
ASUSWRT URL Processing Stack Buffer Overflow, 2020, https://starlabs.sg/blog/2020/08-asuswrt-url-processing-stack-buffer-overflow/
Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability, 2020, https://starlabs.sg/blog/2020/10-analysis-and-exploitation-of-a-recent-tp-link-archer-a7-vulnerability/
Certification and Training
Offensive Security Advanced Web Attacks and Exploitation (AWAE), 2021
Windows Binary Exploitation 32 bits by CORELAN Team, 2019
Achievements
Pwn2Own Tokyo 2020 – First Entry (Authentication Bypass + Heap Buffer Overflow) https://www.youtube.com/watch?v=gAPeEsJX1xE&t=108s