Purple Team

KDE KWin and GNOME Mutter trust a claimable Orca D-Bus name for raw Wayland accessibility keyboard events, including password input.

Ubuntu's userns restriction patch checks a pointer, not a property. After one profile hop, the label is still functionally unconfined but it's not the sentinel the patch is looking for. Two aa-exec calls, chained into host root via dirtyfrag. Exploring SiCk's two-hop AppArmor bypass.

Porting CVE-2026-43284 exploit to aarch64. The rxrpc path kernel oopses on arm64. Ubuntu 24.04's AppArmor blocked exploitation over SSH, transitioning into existing complain-mode profile leads to success. Analysis of chmod o-r as a mitigation for SUID targets, FIM limitations, and page-cache persistence.

Creating Tetragon policies to catch malware - AF_INET raw sockets, AF_PACKET with manual Ethernet construction, and the combination-detection patterns that emerge. Working Tetragon policy additions, a custom event parser, and purple-team test binaries to verify detection coverage.

Building a C2 channel indistinguishable from package manager traffic, encoding tasking in Apache ETag microseconds, and surveying the surprising state of repository security on Fedora.

Building an offensive tool and the detection rules to catch it. The architecture behind Glimmer's dual-layer encryption, binary hardening from 1.4MB to 388K, and real-time YARA detection through Wazuh.