Aaron James

Aaron James

The ramblings of a software engineer, with an emphasis on security.

© All rights reserved.


Chariot Complete

Chariot is a 3D, real-time networked game built from scratch in Rust. It was made as part of UC San Diego’s CSE 125 over the course of 10 weeks. Chariot is a “chair racing game” where the audience can vote with their phones during the game to change the rules of the game while the race is happening.

My primary contributions were to the overall project structure, realtime networking, and adding a string renderer for our custom engine.

You can watch a live demo here.

ctfbot Complete

Discord bot that facilitates an entire Capture the Flag hacking competition: managing teams, presenting challenges, handling flag submissions, tracking points, generating leaderboards, and doing so all within the confines of a Discord server with no external software.

Official CTF platform of San Diego CTF. If you want to see what this looked like in 2022, check out the server.

feather Complete

A minimalist LWJGL helper library mostly for 2D interfaces that makes render code extremely terse. Notable features are:

  • a string rendering engine
  • basic animation library
  • color format conversion
  • efficient tesselation with Vertex Buffer Objects

I wrote this one back when I was 16 so don’t go too hard on me.

gb.rs Work in Progress

Gameboy emulator in Rust. I don’t have a lot of time to work on this so there isn’t much. Current notable features are:

  • no heap allocation, trivial to run in embedded or kernel-level environments
  • game ROMs can be decoded at compile time and shipped with the binary (!!)

knox.codes Released

The site you’re currently reading is written from scratch using SvelteKit, TypeScript, TailwindCSS, and other popular web technologies.

This version is rewrite #4 in the grand history of the knox.codes blog.

lazy-scripts Released

I like writing self-contained scripts that do things for me. What I don’t like is manually handling adding the script to my path, adding a crafted desktop entry, remembering to give sudo privs if applicable, creating a shortcut for it, and managing scripting language specific quirks per script.

This small project allows you to just throw the script in a folder, run lazy-scripts, and it handles all that for you.

OWASP Zap's Blind Injection Detection Complete

I wrote the current algorithm used for OWASP Zap’s time-based blind command injection detection.

OWASP Zap is the world’s most widely used open source attack proxy for penetration testing. After identifying issues during a scan with the previous naive approach, I discussed the shortcomings with the Zap developer team, and we agreed on a proposal that I then implemented.

It uses a custom simple linear regression algorithm to statistically determine if an increment in payload delay correlates to an increment in actual delay. It has been optimized to ensure the fewest possible number of requests are sent, and is highly resistant to both false positives and negatives.

PAYME.yaml Work in Progress

An open source, standardized file format for open source projects to declare how to financially support their contributors.

I am passionate about the problem space of open source sustainability, but I find it hard to have the necessary time to spare. If you are interested in seeing this idea fleshed out, please get a hold of me.

pc-setup.sh Released

This is the set of scripts I use for post-installation setup of Debian 11 for personal computer use. By publishing this on GitHub, I can clone the repo from a new computer and just run it to get about 70% of the way set up.

This inadvertently has the effect of documenting the software I use. Feel free to poke around.

rank.py Released

This is a no-dependency python script that allows humans to interactively sort small-to-medium sized lists at maximum theoretical efficiency. I then used this to win an argument.

Normalize creating and publishing tiny dumb scripts that do one thing.

San Diego CTF Complete

In 2021, I founded and created San Diego CTF, the global-scale, 48-hour hacking competition hosted by UC San Diego.

Across SDCTF 2021 and 2022, I authored over 40 different hacking challenges across eight different categories such as Crypto, Web, and Forensics. I was also responsible for the deployment and management of said challenges and the organisation of the team that helped create them.

scoop-backup Complete

A PowerShell script that backs up all of your installed Scoop packages for easy reinstallation later.

This functionality has since been added into the main Scoop repository, so I don’t maintain this anymore.

Terraform CTF Challenge Module Released

A Terraform module that allows for a cloud-agnostic deployment of a dockerized CTF challenge to a Kubernetes cluster. Sounds made-up, but it’s easily the best way to deploy a CTF challenge to a k8s cluster with features that aren’t available in any other solution:

  • process and player isolation (via nsjail)
  • sandbox filesystems (via ssh tunnelling)
  • hardware resource restrictions
  • autoscaling to meet fluctuating demand
  • healthchecks (catch pod degradation)

This allows CTF challenge authors to adhere to build challenges that just work, then deploy to the cloud and get security for free.

wsl Complete

A scoop bucket for single-command installation of Window Subsystem for Linux distros, without Windows Store.

Since Microsoft has sort of added this to base Windows, I don’t maintain this anymore.