Gwendal Patat

Office B5.10

Fraunhofer SIT

Darmstadt, Germany

I am a Research Associate at Fraunhofer SIT in the SSE department directed by Steven Arzt, where I specialize in binary lifting, and native code analysis. I also contribute my expertise to industry projects as a security researcher. My work is primarily centered on analyzing and securing binary programs, ensuring robust and secure software systems.

Previously, I was a PhD student from October 2020 to December 2023 under the supervision of Pierre-Alain FOUQUE and Mohamed SABT in the SPICY team (former EMSEC) at IRISA in Rennes, France. My research focused on the security of cryptographic implementations in mobile devices. I employed various reverse engineering techniques to uncover cryptographic vulnerabilities, providing Proof-of-Concept exploits to ensure these issues are addressed in future implementations, with a specific focus on Digital Rights Management (DRM) systems.

Before my PhD, I graduated from the University of Rennes 1’s Cybersecurity Master program in 2019-2020.

Beyond my professional interests, I enjoy training my bookbinding and lockpicking skills by creating custom tools and attempting to open various locks and padlocks (that I purchase fisrt, of course).

news

Jun 14, 2024	I’ve received the 2nd prize PhD Thesis award from the University of Rennes Foundation.
Dec 15, 2023	I have defended my PhD! You can found my manuscript here.
Mar 01, 2023	Rewarded by Mozilla Bug Bounty program.
Apr 02, 2021	Rewarded by Netflix Bug Bounty program and Google BugHunter program. Related CVE and Android Security Bulletin have been published.

latest posts

Sep 17, 2024	Writing a keygen for a 20+ year old game
Apr 06, 2022	Breaking Widevine L3 in Android

selected publications

Formal Security Analysis of Widevine through the W3C EME Standard

Stéphanie Delaune, Joseph Lallemand, Gwendal Patat, Florian Roudot, and Mohamed Sabt

In 33rd USENIX Security Symposium (USENIX Security 24), Aug 2024

Bib PDF Slides

@inproceedings{299820,
  author = {Delaune, St{\'e}phanie and Lallemand, Joseph and Patat, Gwendal and Roudot, Florian and Sabt, Mohamed},
  title = {Formal Security Analysis of Widevine through the {W3C} {EME} Standard},
  booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
  year = {2024},
  isbn = {978-1-939133-44-1},
  address = {Philadelphia, PA},
  pages = {6399--6415},
  url = {https://www.usenix.org/conference/usenixsecurity24/presentation/delaune},
  publisher = {USENIX Association},
  month = aug,
}

Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME

Gwendal Patat, Mohamed Sabt, and Pierre-Alain Fouque

In 23rd Proceedings on Privacy Enhancing Technologies, PETS 2023, Lausanne, Switzerland, July 10-15, Aug 2023

Mozilla Hall of Fame Bib PDF Slides

We entered the Mozilla Security Bug Bounty Program Hall of Fame.

@inproceedings{conf/pets/PatatSF23,
  author = {Patat, Gwendal and Sabt, Mohamed and Fouque, Pierre{-}Alain},
  title = {Your DRM Can Watch You Too: Exploring the Privacy Implications of Browsers (mis)Implementations of Widevine EME},
  doi = {10.56553/popets-2023-0112},
  url = {https://doi.org/10.56553%2Fpopets-2023-0112},
  year = {2023},
  booktitle = {23rd Proceedings on Privacy Enhancing Technologies, {PETS} 2023, Lausanne, Switzerland, July 10-15},
  volume = {2023},
  number = {4},
  pages = {306--321},
}

Workshop

Exploring Widevine for Fun and Profit

Gwendal Patat, Mohamed Sabt, and Pierre-Alain Fouque

In 43rd IEEE Security and Privacy, SP Workshops 2022, San Francisco, CA, USA, May 22-26, Aug 2022

CVE & Google Hall of Fame Bib PDF Slides

We received CVE-2021-0639 and entered the Google Vulnerability Reward Program (VRP) Hall of Fame.

@inproceedings{DBLP:conf/sp/PatatSF22,
  author = {Patat, Gwendal and Sabt, Mohamed and Fouque, Pierre{-}Alain},
  title = {Exploring Widevine for Fun and Profit},
  booktitle = {43rd {IEEE} Security and Privacy, {SP} Workshops 2022, San Francisco,
                 CA, USA, May 22-26},
  pages = {277--288},
  publisher = {{IEEE}},
  year = {2022},
  url = {https://doi.org/10.1109/SPW54247.2022.9833867},
  doi = {10.1109/SPW54247.2022.9833867},
  timestamp = {Fri, 29 Jul 2022 10:34:36 +0200},
  biburl = {https://dblp.org/rec/conf/sp/PatatSF22.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org},
}