Joined February 2010
A Systematic Evaluation of Transient Execution Attacks and Defenses: arxiv.org/abs/1811.05441
Reminded during the 4.19 port of the repeating theme of kernel devs still not understanding what they upstream from us: compare git.kernel.org/pub/scm/linux… to git.kernel.org/pub/scm/linux… . it cost the totally unnecessary realignment of a hundred lines of code in a core VM structure /o\.
Replying to @DanielMicay
Which always existed just by omitting MAP_FIXED, except on broken grsec nonsense that refused to honor the requested address when available.
'man 2 mmap' at your service if you don't understand writing portable code. and if you're into non-portable code, when are you going to add qsort_r? that'd be a whole lot more useful.
After yesterday's discussion about the use of Turing-Complete in exploitation papers, and realizing how commonly the other important term close to my heart, "weird machine", is misunderstood, I wrote a (rather unpolished) blog post about it. addxorrol.blogspot.com/2018/…
I don't disagree (I did remark that people just replace "Bcc & arb mem rw" with TC). However, this is about a slightly different point: tape. A physical TM can escape its own *intended* definition: eg. machine+sw (as a whole) gets "weirded" yet it's still dealing with same tape.
there's no such thing as a 'physical TM'. a physical machine is *not* a TM. we can model some aspects of a physical machine with the abstraction we call TM but then said abstraction leaks and that's exactly where security and other problems arise.
so on the heels of nitter.vloup.ch/halvarflake/stat… we've just got another academic paper (sajjadium.github.io/files/ac…, on no less than RAP itself) that thinks that calling execve = arbitrary code exec. off to a bad start...
um, no. how does a TM work with no other part except the tape? bonus q: altering the TM transition function gives a new machine or not? can that be considered a security boundary breach?
you were talking about 'breaking out of its own definition' and a TM cannot do that, all it can read/write is the tape, that's all. now that's the maths, physical implementations don't quite follow this abstraction but then that's the whole point made by Halvar ;).
define tape. security boundaries are breached when one finite TM breaks out of its own definition (not merely tape -- tape is just one part of the machine) into another (picture: bigger) finite TM. this differentiation is possible precisely because finite TMs are not at all equal
tape is what the TM defines as the tape ;). in practice that's *all* storage the given TM has access to. and no, there's no other part of the machine, it's just the tape, everything else lives in some abstract space.
Same tape vs subset is a slightly different argument (someone would argue that that subset can define a different TM and claim TC on it [infiniteness aside, because the larger tape isn't infinite either]). Ppl just replace "cond branching + ability to change arb memory" with TC
but if that same python script gains memory access to process memory that doesn't belong to scripts but the rest of the python process then we get a security problem (the practical term is 'sandbox escape' and the like).
I wonder who has already been doing per-cpu page tables for the past 8 years: openwall.com/lists/kernel-ha… raw.githubusercontent.com/li…
@paxteam Do you guys have an opinion on this?
uhm, wrong medium, i think oracle doesn't discuss charity or business work over twitter either. that said, if you think we can help recover some of the loss due to all the Intel nospec mitigations, you know our business contact (yes, the charity days are over).
Me: OpenSSH is one of the most secure apps ever written, even in C. C Haters: no it’s not! Several RCE bugs! Me: prove it. Show me a working exploit. *crickets* FUD and Security pedanticism is unbecoming of our industry, Pals.
no, it's not, the two are very different. one results in a defined program, the other does not. now whether you like the resulting defined behaviour is another question, which is why programmers have the task of, well, doing their job and writing programs with desirable behaviour :)
careful with the last two 'stable' 4.14/4.16 kernels: bugzilla.kernel.org/show_bug… . workaround: enable CONFIG_HMM_MIRROR for now.
this will be fun to watch as it plays out, the blind leading the blind.... openwall.com/lists/kernel-ha…
ever seen a ROP chain against RAP? oh wait, i see it now, april's fool day, sorry for the noise ;)
opal_error_to_human shows how subtle and deep Spectre v1 can go. this one is probably not useful but it shows the evolving power of our Spectre v1 static analysis tool. only 2600+ instances to go through ;).
That's code I maintain. Would you suggest hardening that function in any way?
you can always use array_index_nospec yourself but honestly, doing all these changes by hand will never scale and it should be done by the compiler instead (which is where we're going).
looks like Linus went crazy one too many times: openwall.com/lists/kernel-ha…