Albin Eldstål-Ahrens

Offensive Security Certified Professional (OSCP)
Ph.D. of Computer Science and Engineering, Chalmers University of Technology, Gothenburg, Sweden.

Links

[ GitHub ] | [ LuftensHjältar ] | [ CTFTime ] | [ Mastodon ]

Projects

Security

MacDongler

USB Skeleton Key

Some devices (tablet kiosks, buses, cars, airplanes, advertising displays, …) expose a USB interface, either for user device charging or for development access or both. One way to lock these devices down is to limit the accepted USB devices, based on model or type or vendor ID. MacDongler is a scanner based on Linux USB Gadgets, which emulates a large number of USB devices and automatically determines which ones are accepted by a host. It can emulate network interfaces, serial ports, HID devices, and more!

strinvader

Unicode denormalizer

Unicode is quite complex. Since there are many different ways to encode the same text, applications may use normalization to preprocess it into a predictable form. Strinvader is a tool to find multiple text inputs which normalize to the same (given) text. This is useful in security research, because sometimes security features such as block lists are applied to text before normalization. When attacking such an application, strinvader can generate a text encoding such as www.exⓐmple.com which will pass the block list and be normalized to www.example.com before being used. Interestingly, normalization rules vary slightly between implementations. Unicode normalization differs from Python’s str.lower(), which differs from the URL parsing in Node.js. For this reason, strinvader contains support for a number of different such normalization forms.

spike

Power glitch generator

Hardware devices with opaque or protected firmware may still be vulnerable to hardware faults. One such hardware fault is a power glitch, a transient drop in the power feed. This can have a variety of effects, ranging from device restarts to failure of individual executed instructions. Spike is a Zephyr project for the Nordic Semiconductor nRF52840 DK development board, which is able to control a target device and perform power glitch attacks against it.

DESYNK

Clock glitch generator

Another hardware fault is caused by an unstable clock signal. Shortening individual clock cycles can have interesting effects on the instruction decoder/execution stages of a microprocessor, or adversely affect I/O. DESYNK is a work-in-progress project to explore this. It is based on the ICEbreaker development board, powered by the Lattice iCE40UP5k FPGA. DESYNK controls the clock signal driving the target device, and probes for the proper time and duration of clock inconsistency, in order to cause interesting software failures.

elnino

Scripts for binary ninja

A collection of utilities for the binja reverse engineering tool.

mediafuzz

Fuzzer for the media metadata display of your car

A small web application which fuzzes the artist/title/album information of your “currently playing” notification. Run it on your phone and stream the audio by Bluetooth to your target device. Hosted here for your convenience.

CTF Notes

It won’t be a surprise, the second time I see this.

Running notes on CTF techniques, methodology, little tricks we’ve learned along the way.

Other

Cardcinogen

Deck generator for Tabletop Simulator

Cardcinogen is a templating system which allows you to create styles for playing cards and populate those cards with content from your own data. This is useful to make expansions for card-based games such as Concept or Fluxx.

Panel of Doom

DIY USB joystick HID device

POD uses low-cost commodity components (an AVR ATMEGA-328 microcontroller with no USB hardware support) to implement a standard joystick. This lets you, for example, build the custom control panel of your tractor simulation dreams. By using the standard USB HID interface, no extra drivers or bindings are required to use it in typical PC games. The software USB stack used in POD is kindly provided by the V-USB library.

CTF Terminal Frontend

Capture-The-Flag scoreboard visualization

This program queries a live CTF scoreboard and presents the data in your terminal. Some fun animations are implemented, for example when a team grabs the first blood of one of the challenges. Several popular server-side systems are supported, and the design is modular to allow for easy addition of new backends (i.e. support for new online CTF scoreboard systems such as CTFd).

Teksh

Command shell implemented in LaTeX

The LaTeX typesetting engine wasn’t intended for this.

Security

I am the holder of an Offensive Security Certified Professional (OSCP) certification.

I’ve found and reported the following vulnerabilities in software projects:

| Reference | Report | CVSS3 | Description |
|---|---|---|---|
| CVE-2023-30261 | 1 2 | 10.0 | Multiple unauthenticated root RCEs in OpenWB |
| | 1 2 | 9.4 | Unauthenticated RCE in ModBros mobro-raspberrypi |
| CVE-2023-30260 | 1 2 | 8.1 | Multiple authenticated RCEs in RaspAP |
| CVE-2023-30258 | 1 | 9.4 | Unauthenticated RCE in magnusbilling6 and magnusbilling7 |
| CVE-2022-1215 | 1 | 7.1 | Format string vulnerability in freedesktop's libinput |
| CVE-2022-0546 | 1 | 5.4 | Multiple Out-of-bounds reads/writes in Blender (HDR loader) |
| CVE-2022-0545 | 1 | 7.1 | Controlled out-of-bounds read/write in Blender (IMB_flipy) |
| CVE-2022-0544 | 1 | 4.6 | Out-of-bounds read in Blender (DDS loader) |
| CVE-2022-0497 | 1 | 4.6 | Out-of-bounds read in OpenSCAD (Comment parser) |
| CVE-2022-0496 | 1 | 4.6 | Out-of-bounds read in OpenSCAD (DXF path) |
| CVE-2022-0699 | 1 | | Double-Free in shapelib (contrib/shpsort) |
| CVE-2023-30259 | 1 | 4.6 | Out-of-bounds read in LibreCAD (importshp DBF parser) |
| CVE-2021-45847 | 1 2 3 | 5.3 | Multiple NULL-pointer dereferences in Slic3r (3MF XML) |
| CVE-2021-45846 | 1 | 5.3 | NULL-pointer dereference in Slic3r (AMF XML) |
| CVE-2021-45845 | 1 | 7.5 | RCE in FreeCAD (Path Sanity Check script) |
| CVE-2021-45844 | 1 | 7.5 | RCE in FreeCAD (ODA DWG import) |
| CVE-2021-45343 | 1 | 5.3 | NULL-pointer dereference in LibreCAD (DXF HATCH 93) |
| CVE-2021-45342 | 1 | 7.8 | RCE in LibreCAD (JWW CDataList) |
| CVE-2021-45341 | 1 | 7.8 | RCE in LibreCAD (JWW CDataMoji) |
| CVE-2021-45340 | 1 2 | 5.7 | NULL-pointer dereference in libSIXEL |

Bugs for Charity

Via bug bounty programs, I’ve generated $500 for charity. By matching funds, Google VRP has generously provided an additional $500 of donations.

These donations have been made to the National Network of Abortion Funds.

Research and Education

Publications

The following is a list of my academic publications, to date:

[ PDF ] [ DOI ] FlatPack: Flexible Compaction of Compressed Memory
Albin Eldstål-Ahrens, Angelos Arelakis, Ioannis Sourdis
International Conference on Parallel Architectures and Compilation Techniques (PACT), 2022

[ PDF ] [ URL ] Lossy and Lossless Compression Techniques to Improve the Utilization of Memory Bandwidth and Capacity
Albin Eldstål-Ahrens
Doctoral Thesis, Chalmers University of Technology, 2022

[ PDF ] [ DOI ] L2C: Combining Lossy and Lossless Compression on Memory and I/O
Albin Eldstål-Ahrens, Angelos Arelakis, Ioannis Sourdis
ACM Transactions on Embedded Computing Systems (TECS), 2022

[ PDF ] [ URL ] Reducing Memory Traffic with Approximate Compression
Albin Eldstål-Ahrens
Licentiate Thesis, Chalmers University of Technology, 2020

[ PDF ] [ DOI ] MemSZ: Squeezing Memory Traffic with Lossy Compression
Albin Eldstål-Ahrens, Ioannis Sourdis
ACM Transactions on Architecture and Code Optimization (TACO), 2020

[ PDF ] [ DOI ] AVR: Reducing Memory Traffic with Approximate Value Reconstruction
Albin Eldstål-Damlin, Pedro Trancoso, Ioannis Sourdis
International Conference on Parallel Processing (ICPP), 2019

[ DOI ] [ IEEE ] An Improved Model of LTE Random Access Channel
Evgeny Osipov, Laurynas Riliskis, Albin Eldstål-Damlin, Michael Burakov, Mats Nordberg, Min Wang
IEEE 77th Vehicular Technology Conference, 2013

[ PDF ] An LTE Random Access Channel Model for Wireless Sensor Network Applications
Mikael Burakov, Albin Eldstål-Damlin
Master’s Thesis, Luleå University of Technology, 2012

[ PDF ] A comparison of two modes for AEAD services in wireless sensor networks
Albin Eldstål-Damlin, Laurynas Riliskis
Technical Report, Luleå University of Technology, 2011

Supervision

I’ve had the pleasure of being the advisor for the following Bachelor’s thesis work:

[ PDF ] [ URL ] Augmented Reality
Johan Yngvesson, Johannes Magnusson
Bachelor’s Thesis, Chalmers University of Technology, 2019

Peer Review

I’ve served as a reviewer for paper(s) for the following publications and conferences:

Computing Frontiers (CF) 2021

Design, Automation and Test in Europe (DATE) 2021

International Conference on Embedded Computer Systems: Architectures, Modeling and Simulation (SAMOS) 2021

Design, Automation and Test in Europe (DATE) 2020

Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFTS) 2020

Latin American Symposium on Circuits and Systems (LASCAS) 2020

Design, Automation and Test in Europe (DATE) 2019

Transactions on Architecture and Code Optimization (TACO) 2018

Field-Programmable Logic and Applications (FPL) 2017

International Symposium on Computer Architecture (ISCA) 2016

Highly Efficient Accelerators and Reconfigurable Technologies (HEART) 2016

Design, Automation and Test in Europe (DATE) 2016