Home / Research

This page is dedicated to my research activity

Last findings and contributions

• Virtual Machine DoS [CVE-2024-39279]
• Core privilege escalation [CVE-2023-23583].
• Firmware corruption [CVE-2022-43505].
• Cication in digital bus Common Vulnerability Exposure definition

Technical insights

Some technical details related to my present and past activities

• Bypassing DMAR
• Using DCI to hook SMM
• Debugging firmwares legacy bios mode using real mode hooks
• Adventures in solving a reverse security challenge
• Crawling Twitter to look for shadow banned accounts

Security tools

• Abyme : a bare metal recursive hypervisor library
• Eric : a PCI Express endpoint for security

Last publications

Offensive security research

• Jonathan Certes, Benoît Morgan, Attaque et sécurisation d’un schéma d’attestation à distance vérifié formellement (French), Symposium sur la sécurité des technologies de l’information et des communications 2022
• Benoît Morgan, Eric Alata, Vincent Nicomette, Mohamed Kaâniche - IOMMU protection against I/O attacks: a vulnerability and a proof of concept, Journal of the Brazilian Computer Society 2018
• Benoît Morgan, Eric Alata, Vincent Nicomette, Mohamed Kaâniche - Bypassing IOMMU protection against I/O attacks, 7^th Latin-American Symposium on Dependable Computing 2016
• Benoît Morgan, Éric Alata, Vincent Nicomette - Bypassing DMA remapping using DMA (French), Symposium sur la sécurité des technologies de l’information et des communications 2016

Defensive security research

• Benoît Morgan, Éric Alata, Vincent Nicomette, Mohamed Kâaniche, Guillaume Averlant - Design and Implementation of a Hardware Assisted Security Architecture for Software Integrity Monitoring, IEEE 21^st Pacific Rim International Symposium on Dependable Computing 2015
• Guillaume Averlant, Benoît Morgan, Éric Alata, Vincent Nicomette, Mohamed Kaâniche - An Abstraction Model and a Comparative Analysis of Intel and ARM Hardware Isolation Mechanisms, IEEE 22^st Pacific Rim International Symposium on Dependable Computing 2017
• Benoît Morgan, Éric Alata, Vincent Nicomette - Abyme, a travel down the heart of recursive hypervisors (French), Symposium sur la sécurité des technologies de l’information et des communications 2015
• Benoît Morgan, Éric Alata, Vincent Nicomette - Hardware assisted remote hypervisor integrity checks (French), Symposium sur la sécurité des technologies de l’information et des communications 2014

Verification of security hardware architectures

• Jonathan Certes, Benoit Morgan - Remote attestation of bare-metal microprocessor software: a formally verified security monitor, IWCFS 2021
• Jonathan Certes, Benoit Morgan - Formally verified remote attestation on microprocessors, RESSI 2020

Online social networks remote investigations

Is Twitter shadow banning policy a bug or something ? How about… no ?

• Erwan Le Merrer, Benoit Morgan and Gilles Tredan - Setting the Record Straighter on Shadow Banning, INFOCOM 2021 Arxiv
• Erwan Le Merrer, Benoit Morgan and Gilles Tredan - Bug ou ban? Une Perspective Topologique sur le Shadow Banning, AlgoTel 2020
• A topological perspective of Shadow Banning

Open archive : hal

Some recorded presentations

Those are French speaking conferences

• SSTIC 2022 : Attaque et sécurisation d’un schéma d’attestation à distance vérifié formellement
• THCON 2021 : Setting the Record Straighter on Shadow Banning
• SSTIC 2014 : protection d’hyperviseurs assistée par le matériel
• SSTIC 2015 : hyperviseurs récursifs
• SSTIC 2016 : attaques DMA avec IOMMU

Miscellaneous tools

Here is a list of some tools I have developed and released

• Whosban.org Website illustrating the topological effect of shadowbanning (Auteurs: Erwan Le-Merrer, Benoît Morgan, Gilles Trédan)
• Authenticated Code Module error code decoder for Intel TXT Back at the beginning of this project, no public decoder existed.
• VGA text mode plus video controller Soft-core for Xilinx Digilent Nexys 3 FPGA Contains a VGA-text-mode video memory controller, addressing a 80 per 25 characters text memory, along with a 640 per 320 pixels 8-bit VGA display controller.
• Timing channels : eviction set computing Some ring-0 and ring-3 x86 programs to compute cache lines LLC eviction sets. It proposes an implementation of Liu, F. et al paper.
• System on chip along with a Patterson’s MIPS 16 bits dumb processor soft-core written in Verilog for FPGA
• Compiler, assembler and disassembler for dumb 16-bits MIPS

Personal hobbies

Some misc projects

• 3D rendering engine relying on OpenGL only I’ve lost a few nights to have fun with my roomates. Orthogonal projection Voxel engine. Physical engine based on axis aline bounding box trees.
• Serious game relating MegaUpload service shutdown by FBI (JNLP) : MegaGame