WindowsTechs.com

Author Archives: forest

What are the major security differences between jemalloc and mozjemalloc?

Posted on September 2, 2019 by forest

In a rather heated mailing list thread, I read some information provided by one of the developers of mozjemalloc, the memory allocator in Firefox that was forked from jemalloc, that stated that the fork has significant security improvement…

Posted in Firefox, memory

What are the new MDS attacks, and how can they be mitigated?

Posted on May 15, 2019 by forest

Several new hardware side-channels were discovered called MDS attacks, which allow reading arbitrary memory, like Meltdown. Many existing mitigations are useless against them. The relevant CVEs are:

CVE-2018-12126 – Microarchitectural Sto…

Posted in Hardware, Intel, side-channel, threat-mitigation

Identifying kernel pointer infoleaks via static analysis

Posted on November 17, 2018 by forest

Leaking pointers from the kernel can be useful to an attacker. Normally, pointers are printed using a special identifier, %pK, which will sanitize them. However, there are times when a kernel pointer is unintentionally revealed, for exampl…

Posted in infoleak, kernel, linux, static analysis

Can maliciously modified ACPI AML be executed without a reboot?

Posted on October 17, 2018 by forest

ACPI tables contain ACPI Machine Language, or AML, which is executed by an interpreter in the kernel at boot. Certain ACPI tables, such as the DSDT, are necessary to support hardware ACPI events such as resuming a suspended system. To acce…

Posted in bios, Firmware, Hardware, linux

Mitigating the new attack on WPA2 involving PMKID

Posted on August 5, 2018 by forest

A new attack was discovered which allows cracking a WPA2 passphrase without needing to capture the 4-way handshake. While this doesn’t weaken the password itself, it does mean that an attacker can begin their cracking attempts without need…

Posted in hashcat, password cracking, threat-mitigation, wifi, WPA2

Minimum set of ACS features to secure remote PCIe devices

Posted on July 21, 2018 by forest

According to a Google blog post from 2017, Google has been experimenting with providing raw access to PCIe devices in a remote environment. They set out to discover what Access Control Service features (ACS, see section 4.3 of the Intel pa…

Posted in access control, Google, Hardware, Intel

Is the Linux kernel vulnerable to LazyFP (CVE-2018-3665)?

Posted on June 15, 2018 by forest

Recently, a side-channel attack was discovered that exploits lazy FPU state switching to leak the contents of MMX, SSE, and AVX registers. The vulnerability can only be exploited when lazy FPU saves are used, as opposed to ea…

Posted in Hardware, kernel, linux, side-channel, Vulnerability

Threat model for the OpenWrt client isolation feature

Posted on June 10, 2018 by forest

Apparently, the open source router firmware OpenWrt has the option to isolate client traffic. I imagine this is simply a firewall rule which prevents individual IPs on the LAN from communicating with each other. On the face o…

Posted in firewalls, Isolation, router, WPA2, wpa2-psk

What use does a TPM have for accurate timekeeping?

Posted on May 25, 2018 by forest

I stumbled across this image and something immediately stood out to me. This is a photograph of a discrete TPM card. That silver cylinder on the left is a crystal oscillator, used to tell time with very high precision. At fir…

Posted in Hardware, tamper-resistance, time, TPM

Non-invasively forcing reauthentication in Bluetooth 2.1

Posted on May 22, 2018 by forest

Is it possible for an unauthenticated bystander to force reassociation/reauthentication of a pair of Bluetooth 2.1 devices in a manner similar to IEEE 802.11i deauths? Bluetooth 2.1 (BR/EDR) uses Simple Secure Pairing (SSP) w…

Posted in Cryptography, deauth-attack, protocols | Tagged Bluetooth
