Me
I am a Security Engineer. My expertise lies in many parts of binary and program analysis. In the past, I have done works on many technical aspect. I believe that most complex parts of Computer Science can be broken down into bytes and bits.
I also enjoy deep research. I have done a few research deeply on memory forensics and binary formats. I write papers about my research, but as an unexperienced researcher, I am still struggling to get them published.
I currently work at VerichainsA security company with renowned reputation., before that, I was working under BShieldA mobile protection platform.. BShield is now under Verichains, serving as the product of Verichains. My work including research for both Verichains and BShield, blockchain and mobile security.
I was an active member of EfiensCTF team of Ho Chi Minh University of Technology, Vietnam. Our team has won prizes in national and international competitions. Founded 2016, inactive since 2021, superceeded by BKISC.. While a member, I actively play CTF under the category Reverse Engineering. I became a leader in the later days of the team, guiding young members into CTF and Computer Security.
I also have strong interest in Programming Language Theory, and its related fields. I currently working my way through many resources to gain knowledge around these research areas. The field is absurbly big, which is why I keep my own resource here.
Projects
I have worked on multiple technologies in Computer Science, including compliers, memory forensics, Windows internal, Linux system, NFC card, cryptography, binary formats. Across the years, I have also read many big codebases of big projects. The following list shows my past projects over the yearsLLVM, Volatility, dyld3, objc4, QEMU.
TSSHOCK
I was a part of the team that helped unveiling the vulnerabilities in many implementations of ECDSA Threshold Signature Scheme protocol by Gennaro and GoldfederIn public key cryptosystem, signing messages usually involves one party with one private key. Threshold Signature Scheme allows more than one party to participate to the signing process while keeping only one private key used. Missing a signing party would be impossible to sign messages. Across the whole process, the private key is kept unknown to all parties. Gennaro and Goldfeder (GG18/GG20) proposed a protocol, which is now superceeded by MPC-CMP.. Our findings was publicly announced and published at two major security conventions, Black Hat USA 2023 and Hack In The Box Phuket 2023Duy Hieu Nguyen, Anh Khoa Nguyen, Huu Giap Nguyen, Thanh Nguyen and Anh Quynh Nguyen. TSSHOCK: Breaking MPC Wallets and Digital Custodians for $BILLION$ Profit. 2023.
Vietnam Citizen Card Audits
I was working on an application using our country citizen card when I realized that many (in production) NFC eKYC applications might not working properly because they lack the understanding of cryptographic protocols required for securely communication with the NFC card. My team and I built a simulation device for the ICAO 9303Doc 9303: Machine Readable Travel Documents. ICAO. and conducting security analysis of government applications. This work is the preliminary research for our BShield Secure-ID product, which helps secure the NFC scanning of citizen card, assuring genuine information.
Research Mach-O binary format
Mach-O is the binary format used exclusively in Apple devices. I started researching about this format when I first joined BShield. I had an idea back then about how we can simulate the loader to control imports. Years later, I build a Proof of Concept around the idea. Using loader simulation, we can build an obfuscator or a hooking tool. Details are disclosed in the paper.
LLVM based Obfuscation
I fork and built an obfuscator based on LLVM, first mentioned in Obfuscator-LLVMPascal Junod and Julien Rinaldini and Johan Wehrli and Julie Michielin. Obfuscator-LLVM -- Software Protection for the Masses. 2015.. With my team, we ported Mixed Boolean-ArithmeticYongxin Zhou, Alec Main, Yuan X. Gu, and Harold Johnson. Information Hiding in Software with Mixed Boolean-Arithmetic Transforms. In Proceedings of the 8th International Conference on Information Security Applications (WISA’07), 2007. to be used in the obfuscator, which has not been previously discussed in the original implementation of Obfuscator-LLVM. Other ideas were also implemented. We also update to use LLVM 14, with the support for new pass manager alongside the legacy pass manager. A CTF challenge was released obfuscated using this obfuscator in TetCTF 2022.
Windows Live Memory Forensics
My first research project started as a bachelor thesis. I built a memory forensics tool working on virtual memory. For the success of this project, I have learned Windows kernel driver, memory forensics techniques, and studied the Volatility source code. The prototype was capable of inspecting the kernel memory, viewing kernel global variables, and perform Pool Tag Quick ScanningJoe T. Sylve, Vico Marziale, Golden G. Richard. Pool tag quick scanning for windows memory analysis. 2016.. The work is later improved to search for code injection by my junior in Efiens.
Publications
Most of my publications are drafts and not reviewed paper. Because I am not in an academic environment so I do not know how to publish.
New Key Extraction Attackson Threshold ECDSA Implementations. Duy Hieu Nguyen, Anh Khoa Nguyen, Huu Giap Nguyen, Thanh Nguyen, Anh Quynh Nguyen. August 2023.
[website] [whitepaper] [Black Hat Recordings] [HITB Recordings]
Simulating Loader for Mach-O Binary Obfuscation and Hooking. Anh Khoa Nguyen, Thien Nhan Nguyen. Expecting 2024.
[preprint]
Live Memory Forensics on Virtual Memory. Anh Khoa Nguyen, Dung Vo Van Tien, Khuong Nguyen-An. Expecting 2024.
[preprint]
Dissertations
After I graduated, I often advise undergraduate students on their dissertations. The list below contains my dissertation and dissertations I advised.
Windows Memory Forensics: Finding hidden processes in a running machine.
Author: Anh Khoa Nguyen.
Advisors: An Khuong Nguyen, Le Thanh Nguyen, Quoc Bao Nguyen.
Year: 2020
[pdf]
Windows Memory Forensics: Detecting hidden injected code in a process.
Author: Vo Van Tien Dung.
Advisors: An Khuong Nguyen, Anh Khoa Nguyen.
Year: 2023
[pdf]
Sandboxing Powershell scripts for ransomware detection
Author: Do Dinh Phu Quy.
Advisors: An Khuong Nguyen, Anh Khoa Nguyen, Vo Van Tien Dung.
Year: 2024
[pdf]
Extras
This webpage is written in Elm, using the design inspired by Tufte. Elm is a frontend framework with the syntax of Haskell, inspired (probably) by Yew. Though, I do not write the whole webpage, the logic for parsing the Markdown and building a static site is provided by Elm Pages. Tufte presentation design is very easy to read and follow. I usually read papers and (PhD) thesis written traditionally and found out that the reading is hard to follow when references are introduced. When reading Ralf Jung's PhD thesisJung, Ralf. Understanding and evolving the Rust programming language. 2020., I amazed how clean the text was due to all the references are introduced at the right side. Later that I found out the format was based on Tufte design and began using it for this website.
I use Neovim, can't live without those Vim motions. Neovim GUI that I use is Neovide, which I also contributed to add the prompts on Windows right-click menu and copy pasting while on remote connection.
Linux distribution that I prefer is Artix Linux. I enjoy when everything is barebone and at the edge, most setup are mine and I can figure out things faster when I am the one doing the setup. I choose Artix over the vanila Arch Linux because does there is no systemd.
You might not see me active on Github, because I have my own Git server storing my projects (personal and job). I also run my own VPN server through Wireguard. I just like doing many things by myself.