Hi, my name is Alexis.

Security Engineer

Security Engineer and Doctor in Cybersecurity. Interested in supply chain security, vulnerability detection, and static analysis.


About Me

After completing a PhD in Computer Science at École Polytechnique focused on vulnerability detection using semantic patch signatures in closed-source binaries, I joined Trail of Bits to focus on security engineering for ecosystems. I have been part of the larger initiative to add package attestations to the Python Package Index, and authored core components of the sigstore timestamping infrastructure. I am also interested in using static analysis methods (e.g. CodeQL) to find security problems in the software supply chain and remediate them.

Based in Paris, France.

Areas of expertise:
  • Supply Chain Security
  • Binary Analysis
  • Reverse Engineering
  • Static Analysis
  • Vulnerability Detection

Work Experience

Security Engineer

Trail of Bits
Sep 2023 - Present
  • Designed and built the RFC3161 timestamping client that powers package attestations across the Python packaging ecosystem (PyPI, sigstore-python, pyca/cryptography).
  • Contributed to PEP 740 adoption in PyPI: attestation storage, trusted publishing hardening, and publisher verification for GitHub and GitLab.
  • Discovered 7 CVEs in widely used projects (Elasticsearch, Google Protobuf, XStream, Wire) through systematic analysis of recursion-based DoS patterns. Presented findings at DistrictCon 2025.
  • Built CodeQL queries and Semgrep rules to enhance static analysis of codebases for security vulnerabilities.

Security Engineer

Quarkslab
Oct 2018 - Dec 2022

Part of the Automated Analysis team.

  • Conducted a PhD on the detection of 1-day vulnerabilities in Android phones
  • Reverse-engineered Android applications for security audits
  • Developed Quokka, an IDA Pro plugin for fast binary exports
  • Created tools around the Android Open Source Project for security research

Master Internship

ANSSI
Mar 2018 - Aug 2018
Developed an IDA plugin to detect usage of cryptography in binary code using symbolic execution.

Apprentice in Cybersecurity

AXA CS
Sep 2015 - Aug 2016
Worked in the Cybersecurity Team on the implementation of the ISO 2700X standards.

Education

PhD in Binary Analysis

École Polytechnique
2019 - 2022

Master in Digital Security

Eurecom
2016 - 2018

BSc in Computer Science

University Pierre & Marie Curie
2012 - 2015

Projects

rfc3161-client
Python, Rust, Supply Chain
An opinionated RFC3161 timestamping client used in the sigstore ecosystem to power package attestations in PyPI.

Quokka
Reverse Engineering, IDA Plugin
A Fast and Accurate Binary Exporter. IDA Pro plugin for generating exports from arbitrary binaries.

BGraph
Binary Analysis, Graph Theory, Android
A tool to generate dependency graphs from Android.bp soong files for security research.

Disclosures

CVE-2026-23896
Privilege Escalation in Immich (2026)
CVE-2025-4565
Denial of Service in Google Protobuf (2025)
CVE-2024-52981 / CVE-2024-52980
Denial of Service in Elastic (2024)
CVE-2024-7254
Denial of Service in Google Protobuf (2024)
CVE-2024-47072
Denial of Service in XStream (2024)
RUSTSEC-2024-0437
Denial of Service in rust-protobuf (2024)
CVE-2024-58103
Vulnerability in Wire (2024)

Get in Touch

Feel free to reach out if you have questions or just want to say hi.