Joined February 2010
lkml.org/lkml/2021/5/5/1244 not only exposes a funny Tenet moment ("mostly 2020-11 through 2020-02") but also how many security fixes were covered up over the years. good job there, however unintended :).
PaX Team retweeted
On April 15th, we directly reported a vulnerability in the Nitro Enclaves kernel driver: seclists.org/oss-sec/2021/q2… While the report correctly notes it doesn't affect the security of the enclaves, it is a kernel privesc vuln reachable by users who can create enclaves.
It's going to be fascinating seeing how many random out of tree binary modules get broken by git.kernel.org/pub/scm/linux…
If you're in a position where you can load arbitrary code into the kernel then, from a security perspective, you've already lost. This is supposed to discourage poor practices, not make it impossible to do bad things.
if that's the goal then it's a design fail. the only thing this will encourage (instead of discouraging anything) is to go around the technical 'hurdles'. seriously, is someone short on achievements for the quarterly review or what?
Replying to @mjg59
Oh well, what’s the point of this exercise when it’s so easy to bypass? 🤔
@paxteam in GCC plugin, do you know how to identify in the code if the condition in the gimple pass is coming from a loop statement (for/while) or from a real condition ("if") statement? couldn't find examples of how to work with PLUGIN_START_PARSE_FUNCTION pass ...
never used START_PARSE_FUNCTION so no idea about that, but gcc produces lots of loop related metadata, start with loop_optimizer_init to explore what you can do with them. loop->header/latch may be useful for your case?
congrats guys, some fine job by the look of it! extra lulz at marcan being butthurt about it, his copyright 'knowledge' has apparently not improved much since we crossed paths.
We had some spare time today so we ported Linux to the M1. Releasing tomorrow #fridayfun
20y ago: seclists.org/bugtraq/2000/Oc… . didn't expect it to last this long, much less its influence. we'll see what the next 20y bring :).
i mentioned a terrible idea the other day. what do you know, a few days later kernel devs doubled down on it and managed to not fix the actual problem at all.... /o\
@paxteam say, do you know how to build a tmp variable in gcc plugin of "**" ? ptr_type only create "*" but i never found how to create "**" tmp var...
wanted the ref addresses for this to be made as a GCC plugin experiment and not LLVM as the paper suggested: lifeasageek.github.io/papers…
uhm, dangnull doesn't deal with stack variables...?
today's quiz: why's 931b94145981e411bd2c934657649347ba8a9083 such an utterly broken idea?
Probably not what you're referring to, but it's a bit funny that the stated goal is to move code out of assembly, yet the new code is also written in assembly.
the presence of asm is not a problem per se (i've fixed this mess already by still having the asm parts). hint: look at the types and think 'security'...
Replying to @paxteam
Yea I was afraid of that... I'm going to hack another pass in RTL to inject a PUSH of LEA to scratch register of the pointer (x86) instead of the existing push of just a pointer (just lhs without converting)...
why do you even need the address of such ptrs? what if they never hit memory and are kept in registers? what if they spill to/reload from the stack at arbitrary points in the function?
Replying to @paxteam
since it's a complex question on what i'm trying to do i have pasted the entire background and code and work i have done here: justpaste.it/5kxo5 would appreciate the help since there are no resources / places where ppl help in regards to GCC plugins...
i'm afraid you can't do this as is. SSA_NAMEs are 'abstract' variables, you can't take their address, etc. what you need is a VAR_DECL and that implies a whole lot more transformations. also look into the pointer alias analysis parts of gcc.
if memory serves, the "PaX Team" was born about 20y ago. in other news, we've just said goodbye to kmalloc and friends. AUTOSLABs FTW, all 130k of them :).
What is AUTOSLAB? Per-struct slab cache?
that'd get you about 6k or so IIRC, so aim higher :).
I did some RDSEED benchmarks on my CPU, according to software.intel.com/security-… supposed to be unaffected by SRBDS... . . . In short, I hate all these performance killing mitigations -- especially when the software stack messes up and makes it worse for unaffected users, too! 🤬
A reminder regarding CET news making the rounds today: the forward edge of its CFI is the most coarse-grained possible, already well-studied in academic literature and deemed ineffective. We covered CET 4 years ago: grsecurity.net/effectiveness…
Fact is: There is no deployed in-browser JIT that implements anything like RAP, so my above statement holds :-). Do I believe that you could possibly implement it? Yes. Do I think you will? No. So I think my sweeping statement will hold true for the next couple years at least.
another fact is that 'technically feasible' != '(company) politics has yet to say yes' ;)
Are you saying the kernel already follows this logic of marking readonly and dirty (even after the page was CoWed and made anonymous), or are you saying that an error on the kernel's part would allow such inadvertent effects?
there's no 'error', it's what happens after a specific sequence of syscalls/memory access.