Simon Gerst

Germany

Simon is a Computer Science student that loves tearing apart software to find security bugs. He wants to share his knowledge and also his CodeQL queries, to perform bug hunting at scale. He mostly finds bugs in OSS and contributes to the GitHub Security Lab Bug Bounty Program. In his free time he enjoys playing piano.

Community Contributions

Latest Blog posts Open source Speaking Event organization Forum Other

RealworldCTF 2024 – Protected-by-Java-SE – Writeup

I show how I solved a CTF challenge centered around GitHub's CodeQL software. Participants had to find an external entity injection (XXE) in CodeQL, but a friend and I found an unintended solution. Because it's fun, I then use CodeQL itself to find the bug in CodeQL.

Blogpost / 11-24-2024

ESBMC maintainer

ESBMC is a bounded model checker that can be used to find (security) bugs in single- and multithreaded C/C++, CUDA, CHERI, Kotlin, Python, and Solidity programs. Bugs be bounds checks, overflow, use-after-free, but also user-defined assertions. I contributed 42 PRs/issues fixing some longstanding bugs and hunted down tricky issues by extensively using `creduce` to reduce test cases. I mostly improved the C++ support by adding/improving lambda support, pseudo destructors, multiple inheritance, overloading in inheritance, variable templates, delegating & anonymous constructors and other minor things.

Open source project / 11-11-2024

Fix: Segfault on OpenBSD

I fixed an obscure segmentation fault that would only occur on the OpenBSD operating system and where the project maintainers had trouble reproducing it. The project devs initially suspected a miscompilation, but it turned out to be a self-induced alignment error. Fun bug (I don't work on Z3 nor do I use OpenBSD myself)^^

Open source project / 09-03-2024

[floats] missing sign of minus zero in listings view, truncated precision in decompiler view

I helped improve the correctness of the floating point support in the decompiler Ghidra by providing the Ghidra developers a detailed and actionable issue after encountering those issues in a security competition.

Open source project / 06-27-2024

CodeQL: Add query for insecure certificate validation

I added a CodeQL query that looks for insecure certificate validation issues in C#.

Open source project / 06-25-2024

GPN CTF 22

I co-organized the GPN CTF 22 event, wrote three challenges, worked on infrastructure stuff and was responsible for sponsoring and overall coordination.

Event organization / 05-31-2024

Introduction to binary exploitation

I gave an introduction about binary exploitation ("pwn") to university students together with a friend. Afterwards, students could test their newly gained knowledge against various challenges we provided them.

Speaking (conference/usergroups) / 05-16-2024

Using CodeQL To Find Security Vulnerabilities in C/C++

I spoke about finding vulnerabilities at scale by doing static analysis with CodeQL. Participants learned the basic structure of a CodeQL query and CodeQL libraries for Java. After that, we used use data flow analysis and taint tracking to find a real-world vulnerability in a C++ project!

Speaking (conference/usergroups) / 03-15-2024

Related Stars