Alexander Sotirov
Security researcher

Nationality: United States

Alexander Sotirov is a computer security researcher. He has been employed by Determina and VMware. In 2012, Sotirov co-founded New York-based Trail of Bits with Dino Dai Zovi and Dan Guido, where he currently serves as co-CEO.

Career

Alexander Sotirov is a computer security researcher whose professional career has included positions at Determina and VMware. In 2012, he co-founded Trail of Bits, a New York-based security research and consulting firm, alongside Dino Dai Zovi and Dan Guido. He currently serves as co-CEO of the organization.

Notable Work

Sotirov is widely recognized for his discovery of the ANI browser vulnerability, a flaw that drew significant attention from the security community. He also developed the technique known as Heap Feng Shui, a method for exploiting heap buffer overflows in web browsers by carefully manipulating the layout of heap memory to enable reliable exploitation.

In 2008, Sotirov presented research at the Black Hat conference demonstrating methods to bypass memory protection safeguards built into Windows Vista, a presentation that contributed meaningfully to the understanding of operating system-level exploit mitigations.

In December 2008, Sotirov collaborated with a team of industry security researchers and academic cryptographers to publish research on the creation of a rogue certificate authority. The work exploited collision vulnerabilities in the MD5 cryptographic hash function, illustrating practical weaknesses in the public key infrastructure of the time and accelerating the deprecation of MD5 in certificate signing.

Community Involvement

Beyond his research output, Sotirov has been an active contributor to the security community in an organizational capacity. He is a founder and organizer of the Pwnie Awards, an annual recognition program within the information security industry. He served on the program committee of the 2008 Workshop on Offensive Technologies (WOOT '08) and has been a member of the Black Hat Review Board since 2011.

Recognition

Sotirov was ranked sixth on Violet Blue's list of The Top 10 Sexy Geeks of 2009.
