- System Security
- Binary Analysis
- Computer Architecture
- Vulnerability Research & Exploitation
- Ph.D. Student @ Carnegie Mellon University, Computer Science Department
- B.S. @ KAIST (2018.02. ~ 2024.02.), CS&EE double major
- Member of Plaid Parliament of Pwning (2024.08. ~)
- Member of KAIST GoN (2018.03. ~)
- Former leader of KAIST GoN (2020.03. ~ 2021.02.)
- Member of zer0pts (2022.03. ~)
- KAIST CERT Student Senior Member (2018.08. ~ 2021.02.)
🧑💻
- CVE-2024-12692: Type confusion in V8 in Google Chrome
- CVE-2024-54479: Type confusion in WebKit in Apple Safari
- CVE-2024-12381: Type confusion in V8 in Google Chrome
- CVE-2024-10231: Type confusion in V8 in Google Chrome, exploited on v8CTF
- CVE-2024-10230: Type confusion in V8 in Google Chrome, exploited on v8CTF
- CVE-2024-9602: Type confusion in V8 in Google Chrome, exploited on v8CTF
- CVE-2024-9122: Type confusion in V8 in Google Chrome, exploited on v8CTF
- CVE-2024-8194: Type confusion in V8 in Google Chrome, exploited on v8CTF
- CVE-2024-8385: Type confusion in Mozilla Firefox
- CVE-2024-6779: Out of bounds memory access in V8 in Google Chrome
- CVE-2024-9859 (1-day): Google Chrome v8CTF exploit
- CVE-2024-6100: Type confusion in V8 in Google Chrome (TyphoonPWN 2024)
- CVE-2024-40789: Out of bounds memory access in WebKit in Apple Safari
- CVE-2024-3914: Use after free in V8 in Google Chrome (Pwn2Own Vancouver 2024)
- CVE-2024-2886: Use after free in WebCodecs in Google Chrome (Pwn2Own Vancouver 2024)
- CVE-2023-3390 (1-day): Google kernelCTF exploit in all LTS/COS/Mitigation instances, with Dongok Kim
- CVE-2024-27934: Use after free in Deno to ACE
- CVE-2024-27933: Permission prompt bypass in Deno to ACE
- CVE-2023-29199, 30547, 37466, 37903: Sandbox escape in vm2
- CVE-2023-35926, GHSA-22rr-f3p8-5gf8: Directus, Backstage affected by vm2 sandbox escape
- CVE-2022-35951: Heap overflow in Redis
XAUTOCLAIM
to RCE - CVE-2022-35977: OOM DoS in Redis via single-parameter-controlled
SETRANGE
/SORT(_RO)
🏅
- Acknowledgements
- Security Competition / CTFs
- 2024
- 1st Place,
DEFCON 32 CTF
as MMM- Awarded Black Badge
- Winner of
TyphoonPWN 2024
- Winner of
Pwn2Own Vancouver 2024
- 1st Place,
- 2023
- Challenge author of
zer0pts CTF 2023
- 1st Place,
CODEGATE CTF 2023
University Div. as KAIST GoN - 1st Place,
Cyber Conflict Exercise 2023
(Overall Championship) as The Goose - 1st Place,
DEFCON 31 CTF
as MMM
- Challenge author of
- 2022
- Organized
2022 Spring / Fall GoN Open Qual CTF
- 2nd Place,
Cyber Conflict Exercise 2022
General Div. as The Goose - 1st Place,
WACON 2022
as The Goose - 2nd Place,
zer0pts CTF 2022
as Super HexaGoN
- Organized
- 2021
- 1st Place,
Whitehat Contest Korea 2021
Military Div. as ㅡㅡㅡ본선진출커트라인ㅡㅡㅡ - 2nd Place,
LINE CTF 2021
as KimchiSushi - 2nd Place,
zer0pts CTF 2021
as K-Students
- 1st Place,
- 2020
- Challenge author of
CODEGATE CTF 2020
- 1st Place,
Cyber Operations Challenge 2020
General Div. as KAIST GoN - 1st Place,
SECCON 2020 OnlineCTF
as HangulSarang - 1st Place,
TokyoWesterns CTF 6th 2020
as D0G$
- Challenge author of
- 2019
- Finalist,
DEFCON 27 CTF
as KaisHack GoN - 2nd Place,
Cyber Operations Challenge 2019
as GoN - 3rd Place,
CODEGATE CTF 2019
University Div. as KAIST GoN
- Finalist,
- 2018
- Participation Award,
2018 National Cryptography Contest
II-A Div.
- Participation Award,
- 2024
- Academic Awards / Scholarship
- Doctoral Research Fellowship, KFAS (Fall 2024 -)
- KAIST Presidential Fellowship, KAIST (Spring 2020 - Fall 2023)
- Presidential Science Scholarship, KOSAF (Spring 2020 - Fall 2023)
- Department Honors Scholarship, School of Computing, KAIST (Spring 2020)
- Honor Student Program, KAIST (Spring 2020)
- National Scholarship for Science and Engineering, KOSAF (Spring 2018 - Fall 2019)
- Dean's List
- Spring 2023, Fall 2020, Spring 2020, Fall 2019, College of Engineering, KAIST
- Fall 2018, Spring 2018, School of Freshman, KAIST
🗣️
- WebAssembly Is All You Need: Exploiting Chrome and the V8 Sandbox 10+ times with WASM (POC2024, CODE BLUE 2024)
- One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability (POC2023)
- Dongok Kim, Seunghyun Lee, Insu Yun
- How (Not) to Sandbox Node.js: A vm2 Postmortem (OpenTRS 2023)