External publications

A list of publications external to this site (hence, excluding articles original to this blog). Most entries link to a meta-post containing the external link(s) with some context.

Conference talks

• Escaping a misleading “sandbox”: breaking the WebAssembly-JavaScript barrier (WHY2025)
• Payment terminals as general purpose (game-)computers (MCH2022)

Articles and papers

(in addition to original content on this blog itself)

• Article in Phrack 72
  • Popping an alert from a sandboxed WebAssembly module (Phrack 72, 2025)
• Write-ups for Codean Labs research
  • CVE-2025-47934 – Spoofing OpenPGP.js signature verification
  • Exploiting LibreOffice (CVE-2024-12425 and CVE-2024-12426)
  • CVE-2024-4367 – Arbitrary JS execution in PDF.js
  • CVE-2024-29510 – Exploiting Ghostscript using format strings
  • CVE-2024-29511 – Abusing Ghostscript’s OCR device
  • Ghostscript wrap-up: overflowing buffers
  • Vulnerability write-up: Dangerous Assumptions
• Academic writing
  • Automatic Library Version Identification, an Exploration of Techniques (research paper, 2017, arXiv)
  • Seeing through obfuscation: interactive detection and removal of opaque predicates (Master’s thesis, 2017, pdf)
  • University Card security (Bachelor’s thesis, 2015, pdf)