blog

Spass mit der Deutschen Bahn

03 June 2025 – updated on 18 June 2025 – in blog and random

Ich fahre regelmässig mit der Deutschen Bahn zwischen Schaffhausen und Saarbrücken, über Singen, Karlsruhe und Neustadt (Weinstr.). Diese Verbindungen sind so abenteuerlich und häufig verspätet, dass ich hier Statistiken führen und Geschichten aufschreiben möchte.

FTZ: A State-Inferring Fuzzer for the TCP/IP Stack of Zephyr

30 April 2025 – in blog and cybersecurity

For my master’s thesis, I wrote a state-inferring structure-aware coverage and state guided fuzzer for the TCP/IP stack of the open-source real-time operating system Zephyr based on LibAFL.

Using Transcripts

18 April 2025 – in blog and random

I much prefer listening to reading in general. It’s just easier for me to follow and learn that way. However, if you are working with dense material, such as nonfiction books, audio is not always the easiest to work with. I find myself seeking back a couple of seconds or manually transcribing a sentence or paragraph for my notes fairly often. This is annoying. However, there is a better way, using modern transcription engines and players. So here is my workflow:

Hack the Box University CTF 2024

18 December 2024 – in blog and ctf

I really enjoyed playing the Hack the Box University CTF 2024 with Team Frack at ZHAW. It was nice taking a break from working on my master’s thesis, open a decompiler, and have some fun.

Differential Fuzzing on coreutils Using LibAFL

25 June 2024 – in LibAFL, blog, coreutils,, cybersecurity, and fuzzing,

After reading about fuzzing and testing a fuzzer, I wanted to delve deeper into the inner workings. In discussions with my advisor, we found that there is a lot of work on some parts of fuzzers, such as advanced scheduling algorithms, but the oracle of what constitutes an illegal state has received comparably little attention.

Live Albums

13 May 2024 – in blog and random

I’m a big fan of well-done live recordings and over the past years, my mind has accumulated a list of great live albums, from all over the genre spectrum, in no particular order:

Running KLEE on GNU coreutils

13 February 2024 – in KLEE, blog, coreutils, cybersecurity, fuzzing, and symbex

While I read a lot about symbolic execution in fuzzing for a seminar, I wanted to actually do it. Since KLEE appeared to be one of the most influential fuzzing tool, I decided to attempt to reproduce the findings in their original paper. Additionally, I chose to compare different versions of GNU’s coreutils to investigate the quality of software over time.

Challenges and Mitigation Strategies in Symbolic Execution Based Fuzzing Through the Lens of Survey Papers

15 December 2023 – in blog, cybersecurity, fuzzing, review, and symbex

In a security seminar at MSE I surveyed existing review papers on symbolic execution-based fuzzing and wrote my own survey paper. I focused on fundamental challenges that symbex introduces in fuzzing and classified the approaches I found to mitigate them into several categories. The work is available here.

Undistractionate Instagram

12 December 2023 – in blog and random

Instagram is great at sucking as much time out of you as possible. While I enjoy seeing what people I know get up to, I find myself spending hours looking at random reels that add little value to my life. So I wrote a quick adblock list to block the app parts I don’t actually want to see. Specifically, it blocks:

The “Explore” tab
The “Reels” tab
Any suggested posts after you’ve seen all posts from accounts you follow

HTB 2023 – WindowsOfOpportunity

08 December 2023 – in blog, ctf, decompile, ghidra, and rev

Challenge

HTB 2023 – BioBundle

08 December 2023 – in blog, ctf, cyberchef, decompile, ghidra, and rev

Challenge

TCP1P 2023 – Lock the Lock

13 October 2023 – in blog, ctf, decompile, pyc, python, rev, and tree

Challenge

Three Step Plan to Security

02 October 2023 – in blog and cybersecurity

tl;dr: Properly use a password manager on an up-to-date, backed-up device.

Ghidrion

07 July 2023 – in Ghidra, blog, cybersecurity, rev, and symbex

For my bachelor’s thesis, Silvan Flum and I developed Ghidrion, a plugin for Ghidra that allows the use of Morion, a suite of tools to use symbolic execution.

picoCTF 2023 – who is it

28 March 2023 – in blog, ctf, email, forensics, and whois

Challenge

picoCTF 2023 – useless

28 March 2023 – in blog, ctf, grep, and man

Challenge

picoCTF 2023 – rotation

28 March 2023 – in blog, crypto, ctf, cyberchef, and rot13

Challenge

picoCTF 2023 – repetitions

28 March 2023 – in base64, blog, ctf, and python

Challenge

picoCTF 2023 – hideme

28 March 2023 – in binwalk, blog, ctf, forensics, and steg

Challenge

picoCTF 2023 – findme

28 March 2023 – in base64, blog, ctf, curl, cyberchef, and web

Challenge

picoCTF 2023 – Safe Opener 2

28 March 2023 – in blog, ctf, decompile, java, and rev

Challenge

picoCTF 2023 – SOAP

28 March 2023 – in blog, ctf, injection, web, and xxe

Challenge

picoCTF 2023 – Reverse

28 March 2023 – in blog, ctf, grep, rev, and strings

Challenge

picoCTF 2023 – ReadMyCert

28 March 2023 – in blog, cert, crypto, csr, ctf, and openssl

Challenge

picoCTF 2023 – PcapPoisoning

28 March 2023 – in blog, ctf, forensics, grep, pcap, and strings

Challenge

picoCTF 2023 – More SQLi

28 March 2023 – in blog, ctf, injection, sql, sqlmap, and web

Challenge

picoCTF 2023 – MSB

28 March 2023 – in blog, ctf, forensics, grep, steg, and stegonline

Challenge

picoCTF 2023 – HideToSee

28 March 2023 – in blog, crypto, ctf, forensics, python, steg, and steghide

Challenge

picoCTF 2023 – FindAndOpen

28 March 2023 – in base64, blog, ctf, cyberchef, forensics, pcap, and zip

Challenge

bsides2022 – Ninja 2

17 October 2022 – in blog, ctf, flask, injection, python, and web

Challenge

bsides2022 – Ninja 1

17 October 2022 – in blog, ctf, flask, injection, python, and web

Challenge

bsides2022 – Hinokuni

17 October 2022 – in blog, ctf, injection, sql, and web

Challenge

bsides2022 – Extreme

17 October 2022 – in blog, ctf, injection, web, and xxe

Challenge

bsides2022 – Crypto 3

17 October 2022 – in ascii, blog, crypto, and ctf

Challenge

bsides2022 – Confused

17 October 2022 – in audio, blog, ctf, forensics, mp3, and steg

Challenge

bsides2022 – Apples

17 October 2022 – in blog, ctf, php, and web

Challenge

Undistractionate YouTube

25 February 2022 – in blog and random

One thing I’ve done in the past is use a combination of hacks to hide certain distractions in YouTube to prevent me from falling down rabbit holes. Requirements (this is personal and might be different for you!):

13 minutes to the moon

30 January 2022 – in blog and random

“13 minutes to the moon” might just be the best podcast ever made. Produced by the BBC, with a soundtrack by Hans Zimmer, it explores two of NASAs Apollo missions to the moon.