An Ode to Rabbit Holes: Writing a New Decompiler Just for a Security Audit

August 24, 2023

Track 1

When looking for vulnerabilities in products, we sometimes come across software running on seldom-used technology without much documentation. We are then left with two choices: moving on, because going down this road will not offer a good return on the investment of our time, or… ignoring all common sense and diving down the rabbit hole to shed some light on that mysterious piece of tech.

Choosing the latter is how I crossed paths with JRuby. Unlike Scala, this Java Virtual Machine language isn’t very popular, but it is used by Elastic, RedHat, and eazyBI among others. It has even been labelled as a “high performance” alternative to the standard Ruby implementation. JRuby and its Intermediate Representation (IR) format provide ahead-of-time compilation that turns standard Ruby files into Java ones that contain a serialized IR of the original code.

In this talk, we will dive right down the rabbit hole of navigating through poorly documented software to turn black-box research into grey-box research. We will look at vulnerabilities found, thanks to this research, during the audit of products that use JRuby, and introduce YBurj, a new free and open-source JRuby IR decompiler released during the conference that allows the automated recovery of compiled source code.

Security Engineer
Dominic is a staff security engineer at GitLab, a weekend bug bounty hunter, and someone who generally loves exploring rabbit holes. While on the job he attempts to prevent vulnerabilities from making it to production and to make it easier for developers to write secure code. On the other hand, some of his play time is dedicated to identifying holes where that same process wasn’t so successful in other companies. To contrast with all this screen time, Dominic can often be found in the forest or on top of a mountain in a place with no phone reception.