Gwendal Patat

Office F401

IRISA

Rennes, France

I am an Enseignant-Chercheur at the University of Rennes and IRISA in the SPICY team, where I work on vulnerability research through reverse engineering. My work focuses on analyzing and understanding complex software systems to identify and address security flaws.

Previously, I was a Postdoc at Fraunhofer SIT in the SSE department directed by Steven Arzt, where I worked on binary lifting and native code analysis for security applications, and contributed my expertise to industry projects as a security researcher.

From October 2020 to December 2023, I completed my PhD in the SPICY team at IRISA in Rennes, France. My research focused on the security of cryptographic implementations in mobile devices. I employed various reverse engineering techniques to uncover cryptographic vulnerabilities, providing Proof-of-Concept exploits to ensure these issues are addressed in future implementations, with a specific focus on Digital Rights Management (DRM) systems with the Widevine DRM.

Beyond my professional interests, I enjoy training my bookbinding and lockpicking skills by creating custom tools and attempting to open various locks and padlocks (that I purchase first, of course). Additionally, I enjoy hacking retro games for fun.

news

Jun 14, 2024	I’ve received the 2nd prize PhD Thesis award from the University of Rennes Foundation.
Dec 15, 2023	I have defended my PhD! You can found my manuscript here.
Mar 01, 2023	Rewarded by Mozilla Bug Bounty program.
Apr 02, 2021	Rewarded by Netflix Bug Bounty program and Google BugHunter program. Related CVE and Android Security Bulletin have been published.

latest posts

Sep 17, 2024	Writing a keygen for a 20+ year old game
Apr 06, 2022	Breaking Widevine L3 in Android

selected publications

Formal Security Analysis of Widevine through the W3C EME Standard

Stéphanie Delaune, Joseph Lallemand, Gwendal Patat, Florian Roudot, and Mohamed Sabt

In 33rd USENIX Security Symposium (USENIX Security 24), Aug 2024

Bib PDF Slides

@inproceedings{299820,
  author = {Delaune, St{\'e}phanie and Lallemand, Joseph and Patat, Gwendal and Roudot, Florian and Sabt, Mohamed},
  title = {Formal Security Analysis of Widevine through the {W3C} {EME} Standard},
  booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
  year = {2024},
  isbn = {978-1-939133-44-1},
  address = {Philadelphia, PA},
  pages = {6399--6415},
  url = {https://www.usenix.org/conference/usenixsecurity24/presentation/delaune},
  publisher = {USENIX Association},
  month = aug,
}

Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME

Gwendal Patat, Mohamed Sabt, and Pierre-Alain Fouque

In 23rd Proceedings on Privacy Enhancing Technologies, PETS 2023, Lausanne, Switzerland, July 10-15, Aug 2023

Mozilla Hall of Fame DOI Bib PDF Slides

We entered the Mozilla Security Bug Bounty Program Hall of Fame.

@inproceedings{conf/pets/PatatSF23,
  author = {Patat, Gwendal and Sabt, Mohamed and Fouque, Pierre{-}Alain},
  title = {Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME},
  doi = {10.56553/popets-2023-0112},
  url = {https://doi.org/10.56553%2Fpopets-2023-0112},
  year = {2023},
  booktitle = {23rd Proceedings on Privacy Enhancing Technologies, {PETS} 2023, Lausanne, Switzerland, July 10-15},
  volume = {2023},
  number = {4},
  pages = {306--321},
}

Workshop

Exploring Widevine for Fun and Profit

Gwendal Patat, Mohamed Sabt, and Pierre-Alain Fouque

In 43rd IEEE Security and Privacy, SP Workshops 2022, San Francisco, CA, USA, May 22-26, Aug 2022

CVE & Google Hall of Fame DOI Bib PDF Slides

We received CVE-2021-0639 and entered the Google Vulnerability Reward Program (VRP) Hall of Fame.

@inproceedings{DBLP:conf/sp/PatatSF22,
  author = {Patat, Gwendal and Sabt, Mohamed and Fouque, Pierre{-}Alain},
  title = {Exploring Widevine for Fun and Profit},
  booktitle = {43rd {IEEE} Security and Privacy, {SP} Workshops 2022, San Francisco,
                 CA, USA, May 22-26},
  pages = {277--288},
  publisher = {{IEEE}},
  year = {2022},
  url = {https://doi.org/10.1109/SPW54247.2022.9833867},
  doi = {10.1109/SPW54247.2022.9833867},
  timestamp = {Fri, 29 Jul 2022 10:34:36 +0200},
  biburl = {https://dblp.org/rec/conf/sp/PatatSF22.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org},
}