NullRabbit
Research · June 23, 2026

What we build when we're not looking at validators

Simon Morley·3 min read

Most of what we publish is about validators: how close an attacker can get to your node, how a transport layer falls over under load, how we decide a finding is real before we tell you about it. That is the product. But the way we find those things is not validator-specific. It is a method, and a method travels.

The method, stated plainly: send the exact bytes you mean to send, measure before you claim anything, and look for the one implementation in a family that disagrees with its siblings. We built it auditing blockchain transports, the QUIC stacks and gossip protocols and framing layers where two nodes can disagree about where a message begins and ends. Lately we have been pointing it somewhere new, and that is what the recent posts about a tool called Keith have been circling. This post is the context underneath them.

There are two new targets, and neither has anything to do with crypto.

The first is the open-source HTTP ecosystem: the proxies, load balancers, and edges that sit in front of nearly every web service on earth. HAProxy, nginx, Envoy, Apache Traffic Server, Caddy, Pingora, and the QUIC libraries underneath HTTP/3. These are the plumbing. When two of them disagree about where one HTTP request ends and the next begins, you get request smuggling. The move to HTTP/3 has opened a whole new seam, because the rules for "the request is over" now live in two different layers, the QUIC transport and the HTTP/3 framing above it, and those two layers can be made to disagree.
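To make the "two framers disagree" point concrete, here is an added illustration in HTTP/1.1 terms (it is not NullRabbit's tooling and says nothing about HTTP/3 specifically). Two deliberately minimal framers parse the same raw bytes; one gives Transfer-Encoding precedence when both length headers are present, as RFC 9112 requires, the other gives Content-Length precedence, as some legacy front ends do. The sample stream is constructed for this example, and the `prefer` parameter and helper names are this example's own.

```python
"""Two minimal HTTP/1.1 framers that disagree about where a request ends.

Added illustration. Both framers are simplistic on purpose: the only thing
that differs between them is which length header wins when a request carries
both Content-Length and Transfer-Encoding: chunked. That precedence rule is
the seam classic request smuggling lives in.
"""
from __future__ import annotations

CRLF = b"\r\n"


def _split_head(buf: bytes) -> tuple[dict[str, str], bytes, bytes] | None:
    """Split one request head off the front of buf.

    Returns (headers, request_line, bytes_after_head), or None if the head is
    incomplete. Header names are lower-cased; a repeated header is joined with
    commas, as RFC 9110 permits for list-valued fields.
    """
    end = buf.find(CRLF + CRLF)
    if end < 0:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii")
        val = value.strip().decode("ascii")
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return headers, lines[0], rest


def _read_chunked(body: bytes) -> tuple[bytes, bytes] | None:
    """Consume a chunked body; return (decoded, remainder) or None if incomplete.

    Simplification: trailer fields after the zero-size chunk are not handled;
    the terminating CRLF is expected right after the last-chunk line.
    """
    out = bytearray()
    while True:
        nl = body.find(CRLF)
        if nl < 0:
            return None
        size_field = body[:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        body = body[nl + 2:]
        if size == 0:
            tend = body.find(CRLF)
            if tend < 0:
                return None
            return bytes(out), body[tend + 2:]
        if len(body) < size + 2:
            return None
        out += body[:size]
        body = body[size + 2:]  # skip chunk data and its trailing CRLF


def frame_requests(stream: bytes, prefer: str) -> list[bytes]:
    """Return the request line of every complete request found in stream.

    prefer="te": Transfer-Encoding wins when both headers are present (RFC 9112).
    prefer="cl": Content-Length wins (the lenient legacy behaviour).
    """
    found: list[bytes] = []
    buf = stream
    while buf:
        head = _split_head(buf)
        if head is None:
            break
        headers, request_line, rest = head
        te = headers.get("transfer-encoding", "").lower()
        cl = headers.get("content-length")
        chunked = te.split(",")[-1].strip() == "chunked"
        if chunked and (prefer == "te" or cl is None):
            res = _read_chunked(rest)
            if res is None:
                break
            _, buf = res
        elif cl is not None:
            n = int(cl)
            if len(rest) < n:
                break
            buf = rest[n:]
        else:
            buf = rest  # no body
        found.append(request_line)
    return found


def disagree(stream: bytes) -> bool:
    """True when the two precedence rules split the stream differently."""
    return frame_requests(stream, "cl") != frame_requests(stream, "te")


# Constructed sample (CL.TE shape). Content-Length: 49 covers the empty chunked
# body *and* the trailing GET; the chunked framing ends at the zero-size chunk.
SMUGGLE_STREAM = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 49\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /hidden HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

# Constructed sample with a single, unambiguous length: both framers agree.
PLAIN_STREAM = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for name, s in (("smuggle", SMUGGLE_STREAM), ("plain", PLAIN_STREAM)):
        print(name, "cl:", frame_requests(s, "cl"), "te:", frame_requests(s, "te"))
```

On the smuggle stream the Content-Length framer sees one request and the Transfer-Encoding framer sees two, so a front end of the first kind forwards bytes that a back end of the second kind will parse as a second request. RFC 9112 tells a server that receives both headers to either reject the message or honour Transfer-Encoding and then close the connection; a pair of implementations that instead keep the connection open and pick different winners is exactly the disagreement being hunted, and this kind of byte-exact, offline re-framing is how a timing hunch gets turned into proof without touching a third party.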

The second is the Linux kernel's packet receive path, the code that reassembles network packets before any application ever sees them. It is a parser family too: a dozen-odd handlers that all coalesce and re-segment traffic, all meant to honour the same length contract. The interesting question is the same one we ask about validator transports and HTTP proxies. Which handler omits the check the others enforce? We pursue this through Google's sanctioned kernel bug-bounty programs, where every finding is coordinated with maintainers and the output hardens upstream Linux.

Both of these are the same shape as the validator work. A parser family with a contract. A normalising tool that hides the bug by being too well-behaved. A verdict that is worthless unless it carries its evidence. And a hard rule that the only acceptable output is a fix landing upstream, not an exploit landing somewhere.

So over the next few posts I want to show the work in human terms, rather than the byte-level dispatches we have been posting:

  • Keith, the tool we built because a conformant HTTP client is, paradoxically, the wrong instrument for finding HTTP bugs.
  • How we hunt request smuggling without ever harming a third party: the recon, the lab, and the discipline that turns a timing hunch into byte-exact proof.
  • The kernel track: why the packet path, what the parser-family lens finds there, and the honest answer we got when we measured our own opportunity.

The through-line is the same one that runs through everything we publish. The interesting bugs live where two implementations were supposed to agree and quietly do not. The hard part is not finding a hint. It is proving the disagreement is real before you say so out loud.

Simon Morley researches infrastructure security and is the founder of NullRabbit.

Tags: security-research, methodology, http, linux-kernel, disclosure
