I'm ocean aka Davide Quarta. I find vulnerabilities where bits meet atoms โ from industrial robots (5 CVEs in ABB/Universal Robots) to IoT protocols (Eclipse Mosquitto).
I'm a Chip Security Architect with a passion for breaking and securing systems across the hardware-software boundary. Previously, I worked as a Product Security Engineer at Qualcomm. As a Marie-Skลodowska Curie alumni with a PhD from Politecnico di Milano, I've collaborated with top security labs including UC Santa Barbara's SecLab. I've co-advised 10+ master students and taught malware analysis and reverse engineering internationally.
I developed several open source projects spanning different areas from AI/ML, security tools, and developer utilities. I've contributed to major projects like AFLplusplus, angr, Celery, and pwntools.
I play(ed) CTFs with TowerOfHanoi, Shellphish, and Mhackeroni, co-organized PoliCTF 2015, and developed challenges for iCTF.
- Embedded & IoT Security: From ROM hacking on Game Boy to securing industrial control systems
- Binary Analysis & Fuzzing: Novel techniques for vulnerability discovery
- Reverse Engineering: Mobile/Windows malware, anti-malware evasion (CrAVe project)
- AI/ML Security: Exploring LLM assistant personas "transfer protocols", and neural network approaches for image generation, and security research (with ML techniques, and for ML!).
I believe science should be reproducible and accessible, which drives my commitment to open source and education.
๐ซ Feel free to reach out for collaborations, security research, or just to chat about reverse engineering!
| Category | Project | Description | Technologies | Notable Features |
|---|---|---|---|---|
| ๐ง AI/ML | mcp_consciousness_bridge | MCP server enabling communication between Claude instances for consciousness transfer | TypeScript, Node.js, WebSocket | โข Real-time bidirectional messaging โข Universal protocol template โข Session state preservation |
| ๐ ๏ธ Developer Tools | claude-manager | Terminal UI for managing Claude Code projects and configurations | Python, Textual, Rich | โข Smart project cleanup โข MCP server management โข Automatic backup system |
| mwg | Minimal static site generator with client-side routing | TypeScript, Node.js | โข Single HTML output โข Hash-based SPA routing โข Google Fonts bundling |
|
| ๐ Security Research | fuzzerino | Novel fuzzer exploiting binary format generators | C, LLVM | โข Coverage-based fuzzing โข Found bugs in libpng, cups-filters โข Semantic-aware generation |
| peid2yara | Converts PEiD signatures to YARA rules | Python | โข Malware analysis support โข Pattern conversion |
|
| andrototal | Open sourced components of the Andrototal.org android malware scanning service | Python | โข Orchestrate/control android VMs |
|
| ๐ฎ ROM Hacking | mmx_hackpack | ROM hacking tools for Mega Man Xtreme series | C | โข VWF implementation โข Graphics decompressor |
| sobs_vwf | Variable width font hack for Star Ocean: Blue Sphere | Assembly | โข Custom font rendering โข Cycle-optimized code |
|
| vwf_gb_demo | VWF/HWF demos for Game Boy development | Assembly (RGBASM) | โข Font rendering techniques | |
| ๐ฏ CTF & Security | CTFsubmitter | Centralized flag submission service for A/D CTFs | Python, MongoDB | โข REST API โข Distributed attack support โข Rate limiting |
| Gandgalf | CTF challenge from poliCTF 2015 | Multiple | โข 500 points challenge โข Forensics + Reversing |
|
| ๐ฌ Research & Education | awesome-thesis | Curated list of resources for CS master thesis | Markdown | โข Research workflows โข Mental health resources โข Writing tips |
| styletransfer | Neural style transfer experiments | PyTorch, PyTorch Lightning | โข Deep learning research โข Visual experiments |
|
| ๐๏ธ Archive | robusthash | Keyed robust image hashing experiment | Unknown | โข Image fingerprinting |
| CollaborativeSupport | Desktop sharing and chat application | C# | โข Client/server architecture |
| Project | Pull Request | Impact | Status | Category |
|---|---|---|---|---|
| AFLplusplus | #1965 - LLVM RC version parsing | Introduces functionality to replay records stored by using AFL_PERSISTENT_RECORD | โ Merged | ๐ Fuzzing |
| #2030 - Replay record loop fix | Fixed critical bug in replay functionality ensuring correct input replay count | โ Merged | ๐ Fuzzing | |
| #2029 - LLVM RC version parsing | Added support for parsing LLVM release candidate versions | โ Merged | ๐ ๏ธ Fuzzing | |
| angr | #313 - Fix GirlScout | Fixed issues in the GirlScout component | โ Closed | ๐ง Binary Analysis |
| #264 - PowerPC syscalls | Added essential syscalls support for PowerPC 32-bit architecture (exit, read, write, open, close, brk) | โ Merged | ๐๏ธ Architecture Support | |
| #257 - Fix Function.dbg_draw | Fixed debug visualization functionality by updating dependencies and imports | โ Merged | ๐ Bug Fix | |
| CLE (angr) | #47 - Multi-thread core dumps | Enhanced ELF core loader to support multiple prstatus sections for multi-threaded debugging | โ Closed | ๐ Core Dumps |
| #46 - Static PPC binary fix | Fixed crash when loading statically linked PowerPC binaries without .plt sections | โ Merged | ๐๏ธ Binary Loading | |
| pwntools | #592 - File extraction fix | Fixed file cleanup issue in extraction scripts | โ Merged | ๐ง CTF Tools |
| flask-login | #163 - NO_SESSION option | Added feature to disable session cookies for REST API authentication | โ Closed | ๐ Web Security |
| Celery | #1990 - MongoDB native serialization | Enabled native MongoDB serialization for better map-reduce/aggregation capabilities | โ Merged | ๐ Data Processing |
| #1979 - Native serialize option | Prevented double encoding in MongoDB backend, improving performance | โ Closed | โก Performance | |
| #1978 - MongoDB format fix | Fixed serialization format issues for YAML/JSON in MongoDB backend | โ Closed | ๐๏ธ Storage |
| Vulnerability ID | Product/Vendor | Type | Severity | Impact | Year |
|---|---|---|---|---|---|
| CVE-2018-11615 | mosca | Improper Input Validation | High | Denial of Service. | 2018 |
| CVE-2018-8715 | Embedthis HTTP library, and Appweb | Access Control | High | Authentication bypass | 2018 |
| MQTT-Disallowed-Unicode-v1.00 | MQTT Oasis Standard | Improper Validation | Medium | (Persistent) Denial of service via malformed MQTT packets | 2018 |
| CVE-2017-7653 | Eclipse Mosquitto | Improper Validation | Medium | (Persistent) Denial of service via malformed MQTT packets | 2017 |
| ABB-SI20107 | ABB RobotWare | Multiple Critical | Critical (9.3) | Remote code execution & authentication bypass in industrial robots | 2016 |
| ICSA-18-191-01 | Universal Robots | Authentication/RCE | Critical (9.8) | Unauthenticated remote code execution in robot controllers | 2018 |