Randar: A Minecraft exploit that uses LLL lattice reduction to crack server RNG
https://github.com/spawnmason/randar-explanation/blob/master/README.md [github.com]
2024-04-19 01:22
tags:
gaming
java
math
opsec
random
Every time a block is broken in Minecraft versions Beta 1.8 through 1.12.2, the precise coordinates of the dropped item can reveal another player’s location. “Randar” is an exploit for Minecraft which uses LLL lattice reduction to crack the internal state of an incorrectly reused java.util.Random in the Minecraft server, then works backwards from that to locate other players currently loaded into the world.
source: HN
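An added example of the lattice step such an attack relies on (this is not the Randar code and not Minecraft's): it models java.util.Random exactly, then recovers the full 48-bit state from the 24-bit values that three consecutive nextFloat() calls expose, using a textbook LLL reduction and Babai's nearest-plane algorithm in pure Python. How Randar obtains those values from item-drop coordinates, and what it does with the recovered seed, is not modelled; the seed and the observed floats here are constructed.

```python
"""Recover java.util.Random's 48-bit state from three truncated outputs with LLL.
Added example, not the Randar code.  java.util.Random is a 48-bit LCG,
s' = (A*s + C) mod 2^48, and nextFloat() returns only the top 24 bits of s'.
Three calls leak 72 bits about 48 bits of state; the low 24 bits of each
state are small unknowns, which is what the lattice (CVP) attack exploits."""
from fractions import Fraction

A, C, M = 0x5DEECE66D, 0xB, 1 << 48
TRUNC = 24  # bits of state exposed per nextFloat()

class JavaRandom:
    """Minimal java.util.Random clone: setSeed scrambling, next(bits), nextFloat()."""
    def __init__(self, seed):
        self.state = (seed ^ A) % M

    def next_bits(self, bits):
        self.state = (A * self.state + C) % M
        return self.state >> (48 - bits)

    def next_float(self):
        return self.next_bits(TRUNC) / float(1 << TRUNC)

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(b):
    """Exact Gram-Schmidt (b*, mu) of an integer row basis."""
    bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, row in enumerate(b):
        v = [Fraction(x) for x in row]
        for j in range(i):
            mu[i][j] = dot(row, bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * uj for vi, uj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL; fine for the 3-dimensional lattice used here."""
    b = [list(row) for row in basis]
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < len(b):
        for j in range(k - 1, -1, -1):  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def babai(b, target):
    """Babai nearest-plane: the lattice vector closest to target (exact here)."""
    bstar, _ = gram_schmidt(b)
    t, v = [Fraction(x) for x in target], [0] * len(target)
    for i in range(len(b) - 1, -1, -1):
        q = round(dot(t, bstar[i]) / dot(bstar[i], bstar[i]))
        t = [ti - q * bi for ti, bi in zip(t, b[i])]
        v = [vi + q * bi for vi, bi in zip(v, b[i])]
    return v

def recover_state(hi):
    """From the top-24-bit outputs (h1, h2, h3) of three consecutive next(24)
    calls, return the full 48-bit state after the third call."""
    # Triples obeying the homogeneous recurrence x2 = A*x1, x3 = A*x2 (mod M) form
    # a lattice; the real states are that lattice shifted by a particular
    # solution p of the affine recurrence (the one with s1 = 0).
    lattice = [[1, A, A * A % M], [0, M, 0], [0, 0, M]]
    p = [0, C, (A * C + C) % M]
    half = 1 << (TRUNC - 1)  # centre the unknown low 24 bits around zero
    target = [(h << TRUNC) + half - pi for h, pi in zip(hi, p)]
    s = [(vi + pi) % M for vi, pi in zip(babai(lll(lattice), target), p)]
    # The recovered triple must follow the LCG and reproduce the leaked bits.
    assert all(s[i + 1] == (A * s[i] + C) % M for i in range(2))
    assert [x >> TRUNC for x in s] == list(hi)
    return s[2]

def recover_seed(hi):
    """Step the LCG backwards from the recovered state to the setSeed() argument
    (its low 48 bits; A is odd, so it is invertible mod 2^48)."""
    s, a_inv = recover_state(hi), pow(A, -1, M)
    for _ in range(3):
        s = (s - C) * a_inv % M
    return s ^ A

def demo(seed=0xC0FFEE):
    """Constructed scenario: observe three nextFloat() values, predict the fourth."""
    victim = JavaRandom(seed)
    hi = [int(victim.next_float() * (1 << TRUNC)) for _ in range(3)]  # exact here
    clone = JavaRandom(0)
    clone.state = recover_state(hi)
    return recover_seed(hi) == seed and clone.next_float() == victim.next_float()
```

The lattice has determinant 2^96 in three dimensions, so its shortest vectors are around 2^32 long, while the unknown part of the target is below 2^25; that gap is why a single Babai step on the LLL-reduced basis lands on the true state, and why 24 bits per call is enough when 3 calls are visible.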
A Curious Phenomenon Called ‘Etak’
https://maphappenings.com/2024/04/11/story-of-etak/ [maphappenings.com]
2024-04-16 19:52
tags:
article
best
cars
hardware
maps
retro
tech
valley
Today, I’d like to tell you about the Etak Navigator, a truly revolutionary product and the world’s first practical vehicle navigation system.
Back in 1985 you used paper maps to navigate, like this one from a Thomas Brothers map of Los Angeles. As you can see, the maps weren’t always pretty. By today’s standards it was also supremely difficult and tedious to find locations and even more difficult to work out how to get there. So, when the Etak Navigator launched, it was like something from the future.
source: HN
The V8 Sandbox
https://v8.dev/blog/sandbox [v8.dev]
2024-04-04 23:37
tags:
browser
javascript
jit
programming
security
After almost three years since the initial design document and hundreds of CLs in the meantime, the V8 Sandbox — a lightweight, in-process sandbox for V8 — has now progressed to the point where it is no longer considered an experimental security feature. Starting today, the V8 Sandbox is included in Chrome’s Vulnerability Reward Program (VRP). While there are still a number of issues to resolve before it becomes a strong security boundary, the VRP inclusion is an important step in that direction. Chrome 123 could therefore be considered to be a sort of “beta” release for the sandbox. This blog post uses this opportunity to discuss the motivation behind the sandbox, show how it prevents memory corruption in V8 from spreading within the host process, and ultimately explain why it is a necessary step towards memory safety.
source: HN
HTTP/2 CONTINUATION Flood: Technical Details
https://nowotarski.info/http2-continuation-flood-technical-details/ [nowotarski.info]
2024-04-04 23:35
tags:
networking
security
standard
web
Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
source: HN
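An added example (not code from the linked analysis) of the framing the attack abuses and of the server-side check that defeats it: a HEADERS frame sent without END_HEADERS, followed by CONTINUATION frames that never set it, fed to a reassembler that caps the header block while it is still incomplete. Frames are built and parsed in pure Python with no network; the flood payload is filler bytes rather than HPACK, and the 64 KiB cap and frame count are chosen for the example.

```python
"""HTTP/2 CONTINUATION flood: the frames involved and the check that stops it.
Added example, not code from the linked analysis.  A HEADERS frame without the
END_HEADERS flag announces that CONTINUATION frames follow; the wire format puts
no bound on how many, and a request normally reaches the access log only once
its header block is complete, so an endless header block is never logged."""
import struct

FRAME_HEADERS, FRAME_CONTINUATION = 0x1, 0x9
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4

def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    assert len(payload) < 1 << 24 and stream_id < 1 << 31
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id) + payload

def normal_request(stream_id=1, block=b"\x82\x86\x84"):
    # Whole header block in one frame (HPACK indexed :method GET, :scheme http,
    # :path /), END_HEADERS set: nothing left to wait for.
    return frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, stream_id, block)

def continuation_flood(stream_id=1, frames=100, chunk=b"A" * 16384):
    # HEADERS without END_HEADERS, then CONTINUATION frames that never finish the
    # block.  The chunk is constructed filler, not HPACK; the server never gets
    # as far as decoding it.
    out = [frame(FRAME_HEADERS, 0, stream_id, chunk)]
    out += [frame(FRAME_CONTINUATION, 0, stream_id, chunk) for _ in range(frames)]
    return b"".join(out)

class HeaderBlockTooLarge(Exception):
    pass

def read_frames(data):
    """Yield (type, flags, stream_id, payload) from a byte string of frames."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        yield ftype, flags, stream_id, payload

def reassemble_header_blocks(data, max_header_block=64 * 1024):
    """Header-block reassembly with the check a vulnerable server lacks: the raw
    fragment bytes are capped *before* END_HEADERS arrives, and hitting the cap
    is treated as a connection error instead of buffering on."""
    pending = {}    # stream_id -> bytearray of fragments collected so far
    completed = []  # (stream_id, block): requests that would reach the log
    for ftype, flags, sid, payload in read_frames(data):
        if ftype == FRAME_HEADERS:
            pending[sid] = bytearray()
        elif ftype != FRAME_CONTINUATION or sid not in pending:
            continue  # other frame types are outside this example
        pending[sid] += payload
        if len(pending[sid]) > max_header_block:
            raise HeaderBlockTooLarge(
                f"stream {sid}: {len(pending[sid])} header bytes without END_HEADERS")
        if flags & FLAG_END_HEADERS:
            completed.append((sid, bytes(pending.pop(sid))))
    return completed

def demo():
    """Returns (requests logged from a normal stream, whether the flood was cut off)."""
    logged = reassemble_header_blocks(normal_request())
    try:
        reassemble_header_blocks(continuation_flood())
        rejected = False
    except HeaderBlockTooLarge:
        rejected = True
    return len(logged), rejected
```

The cap has to apply to the raw fragments as they are collected; a limit that is only checked once END_HEADERS has arrived, or that counts decoded header fields rather than bytes, never fires on this input, which is also why such requests leave no trace in an access log.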
Anatomy of a credit card rewards program
https://www.bitsaboutmoney.com/archive/anatomy-of-credit-card-rewards-programs/ [www.bitsaboutmoney.com]
2024-04-04 23:34
tags:
business
finance
hoipolloi
life
Different regions have ended up with different equilibria in the rewards game. In the United States, card acceptance is expensive and the rewards economy is robust. In Japan, card acceptance is expensive and the rewards economy is fairly muted due to—ahem—effective collusion by issuers. In Europe, card acceptance is cheap by regulatory fiat and so rewards are far less common (or commonly lucrative) than in the U.S.
source: HN
Introducing Jpegli: A New JPEG Coding Library
https://opensource.googleblog.com/2024/04/introducing-jpegli-new-jpeg-coding-library.html [opensource.googleblog.com]
2024-04-03 19:55
tags:
compression
graphics
library
release
To improve on this, we are introducing Jpegli, an advanced JPEG coding library that maintains high backward compatibility while offering enhanced capabilities and a 35% compression ratio improvement at high quality compression settings. Jpegli is a new JPEG coding library that is designed to be faster, more efficient, and more visually pleasing than traditional JPEG.
source: HN
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
https://pwning.tech/nftables/ [pwning.tech]
2024-03-26 23:33
tags:
best
cpu
exploit
linux
malloc
paper
programming
security
systems
In this blogpost I present several novel techniques I used to exploit a 0-day double-free bug in hardened Linux kernels (i.e. KernelCTF mitigation instances) with 93%-99% success rate. The underlying bug is input sanitization failure of netfilter verdicts. Hence, the requirements for the exploit are that nf_tables is enabled and unprivileged user namespaces are enabled. The exploit is data-only and performs a kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just read/writes to userland addresses.
Also: https://github.com/Notselwyn/CVE-2024-1086
source: HN
On Tech Debt: My Rust Library is now a CDO
https://lucumr.pocoo.org/2024/3/26/rust-cdo/ [lucumr.pocoo.org]
2024-03-26 20:59
tags:
development
library
rust
There is a joke that if there is tech debt, surely there must be derivatives to work with that debt? I’m happy to say that the Rust ecosystem has created an environment where it looks like one solution for tech debt is collateralization.
source: HN
Antithesis of a One-in-a-Million Bug: Taming Demonic Nondeterminism
https://www.cockroachlabs.com/blog/demonic-nondeterminism/ [www.cockroachlabs.com]
2024-03-22 19:46
tags:
database
development
fuzzing
testing
Bugs are compounded by the number of distinct nodes operating in a distributed system, each providing their own sources of nondeterminism with thread timings, network conditions, hardware, and more. Finding and fixing these bugs requires new approaches to testing and debugging.
Like any emerging technology, the Antithesis platform is not without rough edges. Deterministic replay doesn’t immediately get you a reproduction, particularly across distinct code changes as you might see with a unit or integration test. In our experience, a significant amount of effort was invested in instrumenting the logs, as well as reasoning about injected failure states in order to recover the state machine which reproduces the bug. The rinse-and-repeat cycle means that a modified binary (with new instrumentation) may not always hit the same terminal state. Although, in practice determinism between runs is very high assuming the code changes are localized.
source: HN
Gaining kernel code execution on an MTE-enabled Pixel 8
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/ [github.blog]
2024-03-20 07:36
tags:
android
exploit
malloc
security
systems
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported to Arm on November 15, 2023 and was fixed in the Arm Mali driver version r47p0, which was released publicly on December 14, 2023. It was fixed in Android in the March security update. When exploited, this vulnerability allows a malicious Android app to gain arbitrary kernel code execution and root on the device. The vulnerability affects devices with newer Arm Mali GPUs that use the Command Stream Frontend (CSF) feature, such as Google’s Pixel 7 and Pixel 8 phones. What is interesting about this vulnerability is that it is a logic bug in the memory management unit of the Arm Mali GPU and it is capable of bypassing Memory Tagging Extension (MTE), a new and powerful mitigation against memory corruption that was first supported in Pixel 8. In this post, I’ll show how to use this bug to gain arbitrary kernel code execution in the Pixel 8 from an untrusted user application. I have confirmed that the exploit works successfully even with kernel MTE enabled by following these instructions.
source: HN
Bending pause times to your will with Generational ZGC
https://netflixtechblog.com/bending-pause-times-to-your-will-with-generational-zgc-256629c9386b [netflixtechblog.com]
2024-03-16 00:20
tags:
garbage-collection
java
perf
The latest long term support release of the JDK delivers generational support for the Z Garbage Collector. Netflix has switched by default from G1 to Generational ZGC on JDK 21 and later, because of the significant benefits of concurrent garbage collection.
source: HN
Fonts are still a Helvetica of a Problem
https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/ [www.canva.dev]
2024-03-06 19:45
tags:
security
text
turtles
CVEs in three strange places and the unique problem of safely processing and handling fonts.
Although the previous research focused primarily on memory corruption bugs in font processing, we wondered what other kinds of security issues might occur when handling fonts.
source: HN
Supercharge compression efficiency with shared dictionaries
https://developer.chrome.com/blog/shared-dictionary-compression [developer.chrome.com]
2024-03-06 18:50
tags:
browser
compression
development
web
Shared dictionaries can supplement Brotli and ZStandard compression to deliver substantially higher compression ratios for websites that frequently ship updated code, and can—in some cases—deliver 90% or better compression ratios. This post goes into more detail on how shared dictionaries work, and how you can register for the origin trials to use them for Brotli and ZStandard on your website.
source: HN
Bugs I’ve filed on browsers
https://nolanlawson.com/2024/03/03/bugs-ive-filed-on-browsers/ [nolanlawson.com]
2024-03-04 05:28
tags:
browser
bugfix
development
web
As such, I’ve filed a lot of bugs on browsers over the years. For whatever reason – stubbornness, frustration, some highfalutin sense of serving the web at large – I’ve made a habit of nagging browser vendors about whatever roadblock I’m hitting that day. And they often fix it! So I thought it might be interesting to do an analysis of the bugs I’ve filed on the major browser engines – Chromium, Firefox, and WebKit – over my roughly 10-year web development career.
source: HN
How French Artists in 1899 Envisioned What Life Would Look Like in the Year 2000
https://www.openculture.com/2024/02/how-french-artists-in-1899-envisioned-what-life-would-look-like-in-the-year-2000.html [www.openculture.com]
2024-03-04 05:20
tags:
art
future
photos
retro
And yet it’s Asimov who apparently owned the only set of postcards of En L’An 2000, a set of 87 (or so) collectible artist cards that first appeared as inserts in cigar boxes in 1899, right in time for the 1900 World Exhibition in Paris. Translated as “France in the 21st Century,” the cards feature Jean-Marc Côté and other illustrators’ interpretations of the way we’d be living... well, 23 years ago.
https://publicdomainreview.org/collection/a-19th-century-vision-of-the-year-2000/
source: HN
In Nome, Where the Muskoxen Roam … Controversially
https://hakaimagazine.com/features/in-nome-where-the-muskoxen-roam-controversially/ [hakaimagazine.com]
2024-03-04 05:12
tags:
article
biology
history
hoipolloi
policy
In Alaska, residents are negotiating a contentious relationship with muskoxen, which were introduced to the area decades ago without local consent.
One Iñupiaq word for muskox is umiŋmak, a term that refers to the animal’s beard-like coat. The word’s existence speaks to the Iñupiat’s long relationship with muskoxen, which once roamed the Arctic. The decline of muskoxen is often attributed to climatic changes after the last ice age, along with predation and hunting. Around Nome, few, if any, Indigenous stories about the animals survive.
The average visitor to Nome today would never guess that muskoxen were ever ghosts on the landscape. The animals adorn guidebooks and artwork at gift shops and draw wildlife viewers and photographers. With their bulky coats, sloping shoulders, short legs, and upturned horns, it’s not hard to picture them roaming alongside saber-toothed cats, wooly mammoths, and other big-bodied beasts of the Pleistocene. But all the muskoxen around Nome today have ancestors that saw the inside of a train station in New Jersey. Their reintroduction to Alaska was the result of a decades-long campaign by early 20th-century settlers and promoters, one that followed a template used many times over before and since: it was a plan for developing the Arctic, drawn up without the consent of Indigenous people.
source: HN
Identifying Rust's collect::<Vec<_>>() memory leak footgun
https://blog.polybdenum.com/2024/01/17/identifying-the-collect-vec-memory-leak-footgun.html [blog.polybdenum.com]
2024-01-18 17:32
tags:
malloc
programming
rust
turtles
This is the story of how I identified the bug. (TLDR: collect::<Vec<_>>() will sometimes reuse allocations, resulting in Vecs with large excess capacity, even when the length is exactly known in advance, so you need to call shrink_to_fit if you want to free the extra memory.)
Ordinarily, that wouldn’t have been a problem, since the into_iter().map().collect() line used to pack them into (u32, u32)s would allocate a new vector with only the exact amount of space required. However, thanks to the allocation reuse optimization added in Rust 1.76, the new vec shared the backing store of the input vec, and hence had a capacity of 16560, meaning it was using 132480 bytes of memory to store only 16 bytes of data.
source: HN
When Random Isn't
https://orlp.net/blog/when-random-isnt/ [orlp.net]
2024-01-16 05:43
tags:
gaming
programming
random
security
So there were two environments: an insecure one where you can get all information but can’t act on it, and a secure one where you can act but can’t get the information needed for automation.
An evil idea came in my head: random number generators (RNGs) used in computers are almost always pseudorandom number generators with (hidden) internal state. If I can manipulate this state, perhaps I can use that to pass information into the secure environment.
source: HN
Operation Triangulation: What You Get When Attack iPhones of Researchers
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ [securelist.com]
2023-12-27 19:52
tags:
best
cpu
exploit
investigation
iphone
security
This presentation was also the first time we had publicly disclosed the details of all exploits and vulnerabilities that were used in the attack. We discover and analyze new exploits and attacks using these on a daily basis, and we have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is definitely the most sophisticated attack chain we have ever seen.
source: HN
The hidden beauty of Berlin's indoor pools
https://www.bbc.com/travel/article/20231116-the-hidden-beauty-of-berlins-indoor-pools [www.bbc.com]
2023-11-19 05:53
tags:
photos
travel
The German capital is dotted with more than 60 public indoor swimming pools, and many of them are so stunning and tranquil they feel like you’re swimming in an ornate library.
source: HN