Behind the Binary by Google Cloud Security
Welcome to Behind the Binary, the podcast that introduces you to the fascinating people, technology, and tools driving the world of reverse engineering. Join your host, Josh Stroschein, a reverse engineer with the FLARE team at Google, and someone passionate about sharing knowledge and shedding light on the art of reverse engineering, as he sits down with intriguing guests to explore the human side of this profession.
Behind the Binary goes beyond the code, sharing the stories, motivations, and unique perspectives of the individuals who dedicate their lives to unraveling the complexities of technology. We'll hear about their journeys into the field, the challenges they face, and the impact their work has on securing our digital world.
Whether you're a seasoned malware analyst, a software developer, a security researcher, or just someone curious about the world of reverse engineering, Behind the Binary offers insightful and engaging conversations for everyone interested in this fascinating field.
EP26 When AI Features Create Zero-Click Exploits: The Pixel 9 Chain with Seth Jenkins
Mobile security boundaries rely on isolating remote, untrusted inputs from highly privileged system components. However, when new automated features are introduced, the available attack surface can shift—sometimes exposing unexpected code paths to remote attackers.
In the latest episode of Behind the Binary, we sit down with Seth Jenkins from Google Project Zero to dissect a full two-bug, zero-click exploitation chain targeting the Pixel 9. By chaining a user-space decoder flaw with a kernel driver race condition and a kernel ASLR bypass, researchers achieved remote code execution and a device-wide SELinux sandbox escape.
Key takeaways from our technical breakdown:
- The AI Attack Surface Shift: How implementing automatic voice message transcription inadvertently exposed the Dolby audio decoder (EAC3) to remote inputs.
- Defeating Userland ASLR: The mechanics of an integer overflow in user space (CVE-2025-54957) and how a partial pointer overwrite bypassed ASLR.
- Rigging the Race Condition: A look inside the "Big Wave" kernel driver use-after-free (CVE-2025-36934), a single bug that allows an attacker to jump from the mediacodec sandbox to the kernel.
- The Predictable KASLR Reality: How standard ARM64 linear mapping combined with static bootloader placements negated kernel randomization—allowing two arbitrary writes to escalate privileges to root with SELinux disabled.
Join the Community
- Research Hub: Threat research, training events and news: https://cloud.google.com/security/flare
- The FLARE Insider: Get community updates and announcements. To subscribe, email flare-external@google.com
FOLLOW THE SHOW:
- Subscribe: Apple Podcasts | Spotify | YouTube