I'm ocean aka Davide Quarta. I find vulnerabilities where bits meet atoms — from industrial robots (5 CVEs in ABB/Universal Robots) to IoT protocols (Eclipse Mosquitto).
I'm a Chip Security Architect at Fortaegis with a passion for breaking and securing systems across the hardware-software boundary. Previously, I worked as a Product Security Engineer at Qualcomm. As a Marie-Skłodowska Curie alumni with a PhD from Politecnico di Milano, I've collaborated with top security labs including UC Santa Barbara's SecLab. I've co-advised 10+ master students and taught malware analysis and reverse engineering internationally.
I developed several open source projects spanning different areas from AI/ML, security tools, and developer utilities. I've contributed to major projects like AFLplusplus, angr, Celery, and pwntools.
I play(ed) CTFs with TowerOfHanoi, Shellphish, and Mhackeroni, co-organized PoliCTF 2015, and developed challenges for iCTF.
- Embedded & IoT Security: From ROM hacking on Game Boy to securing industrial control systems
- Binary Analysis & Fuzzing: Novel techniques for vulnerability discovery
- Reverse Engineering: Mobile/Windows malware, anti-malware evasion (CrAVe project)
- AI/ML Security: Exploring LLM assistant personas "transfer protocols", and neural network approaches for image generation, and security research (with ML techniques, and for ML!).
I believe science should be reproducible and accessible, which drives my commitment to open source and education.
📫 Feel free to reach out for collaborations, security research, or just to chat about reverse engineering!
| Category | Project | Description | Technologies | Notable Features |
|---|---|---|---|---|
| 🧠 AI/ML | mcp_consciousness_bridge | MCP server enabling communication between Claude instances for consciousness transfer | TypeScript, Node.js, WebSocket | • Real-time bidirectional messaging • Universal protocol template • Session state preservation |
| 🛠️ Developer Tools | claude-manager | Terminal UI for managing Claude Code projects and configurations | Python, Textual, Rich | • Smart project cleanup • MCP server management • Automatic backup system |
| mwg | Minimal static site generator with client-side routing | TypeScript, Node.js | • Single HTML output • Hash-based SPA routing • Google Fonts bundling |
|
| 🔒 Security Research | fuzzerino | Novel fuzzer exploiting binary format generators | C, LLVM | • Coverage-based fuzzing • Found bugs in libpng, cups-filters • Semantic-aware generation |
| peid2yara | Converts PEiD signatures to YARA rules | Python | • Malware analysis support • Pattern conversion |
|
| andrototal | Open sourced components of the Andrototal.org android malware scanning service | Python | • Orchestrate/control android VMs |
|
| 🎮 ROM Hacking | mmx_hackpack | ROM hacking tools for Mega Man Xtreme series | C | • VWF implementation • Graphics decompressor |
| sobs_vwf | Variable width font hack for Star Ocean: Blue Sphere | Assembly | • Custom font rendering • Cycle-optimized code |
|
| vwf_gb_demo | VWF/HWF demos for Game Boy development | Assembly (RGBASM) | • Font rendering techniques | |
| 🎯 CTF & Security | CTFsubmitter | Centralized flag submission service for A/D CTFs | Python, MongoDB | • REST API • Distributed attack support • Rate limiting |
| Gandgalf | CTF challenge from poliCTF 2015 | Multiple | • 500 points challenge • Forensics + Reversing |
|
| 🔬 Research & Education | awesome-thesis | Curated list of resources for CS master thesis | Markdown | • Research workflows • Mental health resources • Writing tips |
| styletransfer | Neural style transfer experiments | PyTorch, PyTorch Lightning | • Deep learning research • Visual experiments |
|
| 🗄️ Archive | robusthash | Keyed robust image hashing experiment | Unknown | • Image fingerprinting |
| CollaborativeSupport | Desktop sharing and chat application | C# | • Client/server architecture |
| Project | Pull Request | Impact | Status | Category |
|---|---|---|---|---|
| AFLplusplus | #1965 - LLVM RC version parsing | Introduces functionality to replay records stored by using AFL_PERSISTENT_RECORD | ✅ Merged | 🔍 Fuzzing |
| #2030 - Replay record loop fix | Fixed critical bug in replay functionality ensuring correct input replay count | ✅ Merged | 🔍 Fuzzing | |
| #2029 - LLVM RC version parsing | Added support for parsing LLVM release candidate versions | ✅ Merged | 🛠️ Fuzzing | |
| angr | #313 - Fix GirlScout | Fixed issues in the GirlScout component | ❌ Closed | 🔧 Binary Analysis |
| #264 - PowerPC syscalls | Added essential syscalls support for PowerPC 32-bit architecture (exit, read, write, open, close, brk) | ✅ Merged | 🏗️ Architecture Support | |
| #257 - Fix Function.dbg_draw | Fixed debug visualization functionality by updating dependencies and imports | ✅ Merged | 🐛 Bug Fix | |
| CLE (angr) | #47 - Multi-thread core dumps | Enhanced ELF core loader to support multiple prstatus sections for multi-threaded debugging | ❌ Closed | 🔄 Core Dumps |
| #46 - Static PPC binary fix | Fixed crash when loading statically linked PowerPC binaries without .plt sections | ✅ Merged | 🏗️ Binary Loading | |
| pwntools | #592 - File extraction fix | Fixed file cleanup issue in extraction scripts | ✅ Merged | 🔧 CTF Tools |
| flask-login | #163 - NO_SESSION option | Added feature to disable session cookies for REST API authentication | ❌ Closed | 🌐 Web Security |
| Celery | #1990 - MongoDB native serialization | Enabled native MongoDB serialization for better map-reduce/aggregation capabilities | ✅ Merged | 📊 Data Processing |
| #1979 - Native serialize option | Prevented double encoding in MongoDB backend, improving performance | ❌ Closed | ⚡ Performance | |
| #1978 - MongoDB format fix | Fixed serialization format issues for YAML/JSON in MongoDB backend | ❌ Closed | 🗄️ Storage |
| Vulnerability ID | Product/Vendor | Type | Severity | Impact | Year |
|---|---|---|---|---|---|
| CVE-2018-11615 | mosca | Improper Input Validation | High | Denial of Service. | 2018 |
| CVE-2018-8715 | Embedthis HTTP library, and Appweb | Access Control | High | Authentication bypass | 2018 |
| CVE-2017-7653 | Eclipse Mosquitto | Improper Validation | Medium | (Persistent) Denial of service via malformed MQTT packets | 2017 |
| ABB-SI20107 | ABB RobotWare | Multiple Critical | Critical (9.3) | Remote code execution & authentication bypass in industrial robots | 2016 |
| ICSA-18-191-01 | Universal Robots | Authentication/RCE | Critical (9.8) | Unauthenticated remote code execution in robot controllers | 2018 |