BMT Oct 2026 / 1D7X1 TrackBack to indexWindows Internals / Vulnerability Research / Secure Software
Research into Windows process architecture, runtime behavior, trust-boundary analysis, AI system integrity, and structured security documentation with clear assumptions and limits.
Filter by domain
Selected research notes
bxenc / Anonymous chat, encrypted vaults, and hybrid post-quantum private messaging
Darkroom layers an I2P-routed Rust chat relay with bxenc vault protection and private-message envelopes derived from a PQXDH-style handshake using X25519 plus ML-KEM-768.
Spark / Privacy control gap - static address disclosure
A static deposit address query can disclose wallet address data despite privacy settings being enabled.
Arc / Liveness failure - sync height mismatch causes infinite wait
The sync layer validates declared batch bounds and count but not whether embedded certificate heights match the declared contiguous range.
Arc / Signing oracle - conflicting votes, no double-sign guard
The signer service exposes raw signing without typed consensus validation, network domain binding, validator-address checks, or double-sign protection.
Arc / Certificate trust mismatch - consensus panic via liveness handler
Certificate verification can accept a valid quorum while skipping invalid known-validator signatures, then the liveness handler replays every entry into the driver.
Arc / Unauthenticated signing endpoint - arbitrary byte forwarding
The signer service accepts arbitrary non-empty bytes and forwards them to enclave signing without application-layer authentication or typed consensus validation.
Arc / Missing signing domain - cross-network replay potential
Vote and proposal sign bytes do not include network ID, chain ID, genesis hash, or fork version.
Arc / Codec malleability - unknown enum defaults to Prevote
Unknown protobuf enum integers default to the enum default, mapping unrecognized VoteType values to Prevote.
Arc / State guard mismatch - unstarted driver can receive round certificates
Votes and proposals are guarded while the driver is in an unstarted state, but round certificates pass this guard and can be processed before NewRound.
Arc / Audit notes - handler trust boundaries and negative results
Supporting notes mapping handler trust boundaries, signer boundaries, codec malleability, and sync and recovery paths across the Arc consensus implementation.
Lightspark / SDK policy hook - metadata authorized, payload signed
The JS SDK exposes reduced webhook metadata to the caller validator while the lower signing layer still processes the full remote-signing payload.
Lightspark / Replayable signed webhook - signer output re-disclosure
A valid signed remote-signing webhook can be replayed against the direct-response example because freshness and event-id deduplication are not enforced.
Netflix OSS / OSS API authenticity - forged subscriber-stream injection
The Atlas LWC evaluate endpoint may accept discoverable expression IDs in a way that enables forged subscriber-stream injection.
Portfolio signal
Distribution by ecosystem and proof maturity.
Research approach
Start where one component grants trust and another component performs the sensitive action. That gap is where meaningful security issues usually hide.
In the Go SDK validator, the destination check passed while the primary output remained unvalidated.
Reduce the issue to a deterministic test that captures the exact authorization decision, state transition, or parser behavior.
A single Go test proves HashValidator and DestinationValidator both accept the crafted transaction.
Show what the code proves, what deployment reachability would change, and where the claim should stop.
The report distinguishes source-level proof from deployment-dependent impact.
Align the asset, weakness, test output, and limitation notes into one argument. Every attachment should move the case forward.
Clean bundle: description, impact, PoC patch, test results, and limitation notes.
When the boundary is unclear, go beneath the abstraction: C internals, assembly output, memory layout, or hardware behavior.
High-level assumptions break at the ABI.
Availability