GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production
https://arxiv.org/abs/2311.09394v2 [arxiv.org]
2024-04-19 20:11
tags:
c
development
fuzzing
malloc
paper
pdf
programming
systems
Despite the recent advances in pre-production bug detection, heap-use-after-free and heap-buffer-overflow bugs remain the primary problem for security, reliability, and developer productivity for applications written in C or C++, across all major software ecosystems. Memory-safe languages solve this problem when they are used, but the existing code bases consisting of billions of lines of C and C++ continue to grow, and we need additional bug detection mechanisms.
This paper describes a family of tools that detect these two classes of memory-safety bugs, while running in production, at near-zero overhead. These tools combine page-granular guarded allocation and low-rate sampling. In other words, we added an “if” statement to a 36-year-old idea and made it work at scale.
Randar: A Minecraft exploit that uses LLL lattice reduction to crack server RNG
https://github.com/spawnmason/randar-explanation/blob/master/README.md [github.com]
2024-04-19 01:22
tags:
gaming
java
math
opsec
programming
random
Every time a block is broken in Minecraft versions Beta 1.8 through 1.12.2, the precise coordinates of the dropped item can reveal another player’s location. “Randar” is an exploit for Minecraft which uses LLL lattice reduction to crack the internal state of an incorrectly reused java.util.Random in the Minecraft server, then works backwards from that to locate other players currently loaded into the world.
source: HN
A Curious Phenomenon Called ‘Etak’
https://maphappenings.com/2024/04/11/story-of-etak/ [maphappenings.com]
2024-04-16 19:52
tags:
article
best
cars
hardware
maps
retro
tech
valley
Today, I’d like to tell you about the Etak Navigator, a truly revolutionary product and the world’s first practical vehicle navigation system.
Back in 1985 you used paper maps to navigate, like this one from a Thomas Brother’s map of Los Angeles. As you can see, the maps weren’t always pretty. By today’s standards it was also supremely difficult and tedious to find locations and even more difficult to work out how to get there. So, when the Etak Navigator launched, it was like something from the future.
source: HN
PuTTY vulnerability vuln-p521-bias
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html [www.chiark.greenend.org.uk]
2024-04-15 20:42
tags:
crypto
hash
networking
security
In all of those cases except P521, the bias introduced by reducing a 512-bit number mod q is negligible. But in the case of P521, where q has 521 bits (i.e. more than 512), reducing a 512-bit number mod q has no effect at all – you get a value of k whose top 9 bits are always zero.
CVE-2024-31497
https://marc.info/?l=oss-security&m=171321011524021&w=2
Law
https://www.smbc-comics.com/comic/law-4 [www.smbc-comics.com]
2024-04-13 00:40
tags:
comic
hoipolloi
policy
If aliens come, [laws] are the first thing we should hide.
OpenBSD 7.5 released
https://marc.info/?l=openbsd-announce&m=171228270018970&w=2 [marc.info]
2024-04-12 22:42
tags:
openbsd
release
The history of computing, as told by the hallways of Microsoft Building 41
https://devblogs.microsoft.com/oldnewthing/20240402-00/?p=109604 [devblogs.microsoft.com]
2024-04-09 23:52
tags:
architecture
design
tech
valley
Each of the six floors of Building 41 is themed after a stage in the development of computing.
The V8 Sandbox
https://v8.dev/blog/sandbox [v8.dev]
2024-04-04 23:37
tags:
browser
javascript
jit
programming
security
After almost three years since the initial design document and hundreds of CLs in the meantime, the V8 Sandbox — a lightweight, in-process sandbox for V8 — has now progressed to the point where it is no longer considered an experimental security feature. Starting today, the V8 Sandbox is included in Chrome’s Vulnerability Reward Program (VRP). While there are still a number of issues to resolve before it becomes a strong security boundary, the VRP inclusion is an important step in that direction. Chrome 123 could therefore be considered to be a sort of “beta” release for the sandbox. This blog post uses this opportunity to discuss the motivation behind the sandbox, show how it prevents memory corruption in V8 from spreading within the host process, and ultimately explain why it is a necessary step towards memory safety.
source: HN
HTTP/2 CONTINUATION Flood: Technical Details
https://nowotarski.info/http2-continuation-flood-technical-details/ [nowotarski.info]
2024-04-04 23:35
tags:
networking
security
standard
web
Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
source: HN
Anatomy of a credit card rewards program
https://www.bitsaboutmoney.com/archive/anatomy-of-credit-card-rewards-programs/ [www.bitsaboutmoney.com]
2024-04-04 23:34
tags:
business
finance
hoipolloi
life
Different regions have ended up with different equilibria in the rewards game. In the United States, card acceptance is expensive and the rewards economy is robust. In Japan, card acceptance is expensive and the rewards economy is fairly muted due to—ahem—effective collusion by issuers. In Europe, card acceptance is cheap by regulatory fiat and so rewards are far less common (or commonly lucrative) than in the U.S.
source: HN
Lights, Camera, Action Figures!
https://www.inquirer.com/sports/inq2/wrestlemania-40-wwe-rock-roman-reigns-becky-lynch-cody-rhodes-20240404.html [www.inquirer.com]
2024-04-04 16:23
tags:
art
sports
video
From The People’s Elbow to The Manhandle Slam, here are five finishing moves you might see at WrestleMania 40 — performed in stop motion.
Introducing Jpegli: A New JPEG Coding Library
https://opensource.googleblog.com/2024/04/introducing-jpegli-new-jpeg-coding-library.html [opensource.googleblog.com]
2024-04-03 19:55
tags:
compression
graphics
library
release
To improve on this, we are introducing Jpegli, an advanced JPEG coding library that maintains high backward compatibility while offering enhanced capabilities and a 35% compression ratio improvement at high quality compression settings. Jpegli is a new JPEG coding library that is designed to be faster, more efficient, and more visually pleasing than traditional JPEG.
source: HN
New York Takes Crucial Step Toward Making Congestion Pricing a Reality
https://www.nytimes.com/2024/03/27/nyregion/nyc-congestion-pricing-tolls-mta.html [www.nytimes.com]
2024-03-27 21:14
tags:
cars
policy
urban
The board of the Metropolitan Transportation Authority voted to approve a new $15 toll to drive into Manhattan. The plan still faces challenges from six lawsuits before it can begin in June.
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
https://pwning.tech/nftables/ [pwning.tech]
2024-03-26 23:33
tags:
best
cpu
exploit
linux
malloc
paper
programming
security
systems
In this blogpost I present several novel techniques I used to exploit a 0-day double-free bug in hardened Linux kernels (i.e. KernelCTF mitigation instances) with a 93%-99% success rate. The underlying bug is an input sanitization failure of netfilter verdicts. Hence, the requirements for the exploit are that nf_tables is enabled and unprivileged user namespaces are enabled. The exploit is data-only and performs a kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just reads/writes to userland addresses.
Also: https://github.com/Notselwyn/CVE-2024-1086
source: HN
On Tech Debt: My Rust Library is now a CDO
https://lucumr.pocoo.org/2024/3/26/rust-cdo/ [lucumr.pocoo.org]
2024-03-26 20:59
tags:
development
library
rust
There is a joke that if there is tech debt, surely there must be derivatives to work with that debt? I’m happy to say that the Rust ecosystem has created an environment where it looks like one solution for tech debt is collateralization.
source: HN
Preventing Cross-Service UDP Loops in QUIC
https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic [bughunters.google.com]
2024-03-26 19:09
tags:
networking
security
standard
turtles
Infinite loops between servers are something that must be carefully avoided to prevent performance degradation or network overload.
In light of the heightened awareness of this attack vector, now is a good time to discuss looping behavior which impacted our implementation of QUIC and review the postmortem action items that followed each event. Our experience diagnosing and mitigating attacks, as well as deploying fixes, may assist others attempting to address similar threats.
Antithesis of a One-in-a-Million Bug: Taming Demonic Nondeterminism
https://www.cockroachlabs.com/blog/demonic-nondeterminism/ [www.cockroachlabs.com]
2024-03-22 19:46
tags:
database
development
fuzzing
testing
Bugs are compounded by the number of distinct nodes operating in a distributed system, each providing their own sources of nondeterminism with thread timings, network conditions, hardware, and more. Finding and fixing these bugs requires new approaches to testing and debugging.
Like any emerging technology, the Antithesis platform is not without rough edges. Deterministic replay doesn’t immediately get you a reproduction, particularly across distinct code changes as you might see with a unit or integration test. In our experience, a significant amount of effort was invested in instrumenting the logs, as well as reasoning about injected failure states in order to recover the state machine which reproduces the bug. The rinse-and-repeat cycle means that a modified binary (with new instrumentation) may not always hit the same terminal state. In practice, though, determinism between runs is very high, assuming the code changes are localized.
source: HN
Gaining kernel code execution on an MTE-enabled Pixel 8
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/ [github.blog]
2024-03-20 07:36
tags:
android
exploit
malloc
security
systems
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported to Arm on November 15, 2023 and that was fixed in the Arm Mali driver version r47p0, which was released publicly on December 14, 2023. It was fixed in Android in the March security update. When exploited, this vulnerability allows a malicious Android app to gain arbitrary kernel code execution and root on the device. The vulnerability affects devices with newer Arm Mali GPUs that use the Command Stream Frontend (CSF) feature, such as Google’s Pixel 7 and Pixel 8 phones. What is interesting about this vulnerability is that it is a logic bug in the memory management unit of the Arm Mali GPU and it is capable of bypassing Memory Tagging Extension (MTE), a new and powerful mitigation against memory corruption that was first supported in Pixel 8. In this post, I’ll show how to use this bug to gain arbitrary kernel code execution in the Pixel 8 from an untrusted user application. I have confirmed that the exploit works successfully even with kernel MTE enabled by following these instructions.
source: HN
Bending pause times to your will with Generational ZGC
https://netflixtechblog.com/bending-pause-times-to-your-will-with-generational-zgc-256629c9386b [netflixtechblog.com]
2024-03-16 00:20
tags:
garbage-collection
java
perf
The latest long term support release of the JDK delivers generational support for the Z Garbage Collector. Netflix has switched by default from G1 to Generational ZGC on JDK 21 and later, because of the significant benefits of concurrent garbage collection.
source: HN
UML: My Part in its Downfall
https://tratt.net/laurie/blog/2022/uml_my_part_in_its_downfall.html [tratt.net]
2024-03-15 23:15
tags:
development
standard
swtools
With the benefit of hindsight, I think UML had quite possibly reached not only its actual, but also its potential, peak in 2000: as a medium for software sketching, people only ever needed the basics from it. However, the standardisation community developed an ambitious vision for UML that far exceeded sketching. Whether or not that vision could ever be realised can be seen as a matter of genuine debate: what seems unarguable to me is that such a vision was deeply unsuited to any standardisation process.