The curious tale of a fake Carrier.app
https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html [googleprojectzero.blogspot.com]
2022-06-23 22:55
tags:
cxx
exploit
investigation
iphone
security
turtles
Six privilege escalation exploits are bundled with this app. Five are well-known, publicly available N-day exploits for older iOS versions. The sixth is not like those others at all. This blog post is the story of the last exploit and the month-long journey to understand it.
How to Make Rust Leak Memory (Also: How to Make It Stop)
https://fly.io/blog/rust-memory-leak/ [fly.io]
2022-06-16 18:40
tags:
bugfix
investigation
malloc
programming
rust
Of course you can leak memory, even in Rust. For even medium-sized long-running applications, lots of graphs from a good memory profiler can make life better. And they’ll probably help you find the memory leak too.
CVE-2022-23088: Exploiting A Heap Overflow In The Freebsd Wi-Fi Stack
https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack [www.zerodayinitiative.com]
2022-06-16 18:38
tags:
exploit
freebsd
programming
security
wifi
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in April 2022 as FreeBSD-SA-22:07.wifi_meshid. The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
source: L
Hertzbleed Attack
https://www.hertzbleed.com/ [www.hertzbleed.com]
2022-06-16 18:36
tags:
cpu
crypto
exploit
paper
security
sidechannel
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
source: HN
How fast are Linux pipes anyway?
https://mazzo.li/posts/fast-pipes.html [mazzo.li]
2022-06-02 22:56
tags:
concurrency
linux
malloc
perf
programming
systems
In this post, we will explore how Unix pipes are implemented in Linux by iteratively optimizing a test program that writes and reads data through a pipe.
We will proceed as follows:
A first slow version of our pipe test bench;
How pipes are implemented internally, and why writing and reading from them is slow;
How the vmsplice and splice syscalls let us get around some (but not all!) of the slowness;
A description of Linux paging, leading up to a faster version using huge pages;
The final optimization, replacing polling with busy looping;
Some closing thoughts.
source: L
All About Libpas, Phil's Super Fast Malloc
https://github.com/WebKit/WebKit/blob/main/Source/bmalloc/libpas/Documentation.md [github.com]
2022-06-01 21:43
tags:
c
malloc
perf
programming
Libpas is a fast and memory-efficient memory allocation toolkit capable of supporting many heaps at once, engineered with the hopes that someday it’ll be used for comprehensive isoheaping of all malloc/new callsites in C/C++ programs.
source: HN
TVA Multifunctional Computer
https://www.behance.net/gallery/124646129/TVA-Multifunctional-Computer [www.behance.net]
2022-05-22 20:04
tags:
design
fiction
hardware
retro
Faster CRC32 on the Apple M1
https://dougallj.wordpress.com/2022/05/22/faster-crc32-on-the-apple-m1/ [dougallj.wordpress.com]
2022-05-22 19:25
tags:
cpu
hash
perf
programming
CRC32 is a checksum first proposed in 1961, and now used in a wide variety of performance sensitive contexts, from file formats (zip, png, gzip) to filesystems (ext4, btrfs) and protocols (like ethernet and SATA). So, naturally, a lot of effort has gone into optimising it over the years. However, I discovered a simple update to a widely used technique that makes it possible to run twice as fast as existing solutions on the Apple M1.
source: HN
Florida Woman Bites Camel
https://www.newyorker.com/magazine/2021/12/27/florida-woman-bites-camel [www.newyorker.com]
2022-05-22 17:41
tags:
essay
hoipolloi
language
media
Some thoughts on the art of the newspaper lede.
Lotus 1-2-3 For Linux
https://lock.cmpxchg8b.com/linux123.html [lock.cmpxchg8b.com]
2022-05-21 21:51
tags:
development
investigation
linux
programming
retro
unix
I’ll cut to the chase; through a combination of unlikely discoveries, crazy hacks and the 90s BBS warez scene I’ve been able to port Lotus 1-2-3 natively to Linux – an operating system that literally didn’t exist when 1-2-3 was released!
source: L
Speeding up sort performance in Postgres 15
https://www.citusdata.com/blog/2022/05/19/speeding-up-sort-performance-in-postgres-15/ [www.citusdata.com]
2022-05-20 23:02
tags:
database
perf
sorting
sql
update
Let’s explore each of the 4 improvements in PostgreSQL 15 that make sort performance go faster:
Change 1: Improvements sorting a single column
Change 2: Reduce memory consumption by using generation memory context
Change 3: Add specialized sort routines for common datatypes
Change 4: Replace polyphase merge algorithm with k-way merge
source: HN
Logging C Functions
https://justine.lol/ftrace/ [justine.lol]
2022-05-20 17:01
tags:
c
investigation
programming
systems
The Cosmopolitan Libc _start() function starts by intercepting the --ftrace flag. If it exists, then it opens and sorts of the symbol table from the elf binary. Then it changes the protection of memory so it’s able to iterate over the program’s memory to look for nop instructions it can mutate. Those NOPs were inserted by GCC. It’s easy to self-modify them in memory, since they have the same byte length as the CALL instruction. Think of it like a mini linker. It just relinks the profiling nops. Once they’ve been rewritten, functions will start calling ftrace_hook() which is an assembly function that saves the CPU state to the stack. That means ftrace kind of acts like an operating system kernel. Once the assembly saved the CPU it can call the ftracer() C code that acquires a reentrant mutex and unwinds the RBP backtrace pointer (via __builtin_frame_address(0)) to determine the address of the function that called it. Once it has the address of the function, it passes it along to kprintf() which has a special %t syntax for turning numbers into symbols.
source: HN
Porting Zelda Classic to the Web
https://hoten.cc/blog/porting-zelda-classic-to-the-web/ [hoten.cc]
2022-05-16 00:17
tags:
bugfix
development
gaming
retro
turtles
web
I spent the last two months (roughly ~150 hours) porting Zelda Classic to run in a web browser.
I hope my efforts result in Zelda Classic reaching a larger audience. It’s been challenging work, far outside my comfort zone of web development, and I’ve learned a lot about WebAssembly, CMake and multithreading. Along the way, I discovered bugs across multiple projects and did due diligence in fixing (or just reporting) them when I could, and even proposed a change to the HTML spec.
Weird how there’s bugs everywhere one looks.
A Tale Of A Trailing Dot
https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/ [daniel.haxx.se]
2022-05-14 00:41
tags:
networking
security
standard
text
turtles
web
Trailing dots on host names in URLs is the gift that keeps on giving. Let me take you through a dwindling story of how the dot is handled differently in different places through the stack of an Internet client. The evil trailing dot.
source: L
Safer Enums in Go
https://npf.io/2022/05/safer-enums/ [npf.io]
2022-05-14 00:14
tags:
go
programming
There’s no size difference between a string and a struct{ string } and it’s just as easy to read as a straight string. Because of the String() method, you can pass these values to %s etc in format strings and they’ll print out the name with no extra code or work.
source: L
The Apple GPU and the Impossible Bug
https://rosenzweig.io/blog/asahi-gpu-part-5.html [rosenzweig.io]
2022-05-13 23:56
tags:
gl
graphics
hardware
investigation
mac
programming
In late 2020, Apple debuted the M1 with Apple’s GPU architecture, AGX, rumoured to be derived from Imagination’s PowerVR series. Since then, we’ve been reverse-engineering AGX and building open source graphics drivers. Last January, I rendered a triangle with my own code, but there has since been a heinous bug lurking: The driver fails to render large amounts of geometry.
source: HN
The Unreasonable Effectiveness of JPEG: A Signal Processing Approach
https://www.youtube.com/watch?v=0me3guauqOU [www.youtube.com]
2022-05-08 03:26
tags:
compression
compsci
graphics
math
video
The JPEG algorithm is rather complex and in this video, we break down the core parts of the algorithm, specifically color spaces, YCbCr, chroma subsampling, the discrete cosine transform, quantization, and lossless encoding. The majority of the focus is on the mathematical and signal processing insights that lead to advancements in image compression and the big themes in compression as a whole that we can take away from it.
Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
https://www.usenix.org/system/files/sec22summer_genkin.pdf [www.usenix.org]
2022-05-06 00:55
tags:
crypto
exploit
opsec
paper
pdf
security
sidechannel
systems
We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression.
We analyze the computation-dependent leakage captured by internal microphones, and empirically demonstrate its efficacy for attacks. In one scenario, an attacker steals the secret ECDSA signing keys of the counterparty in a voice call. In another, the attacker detects what web page their counterparty is loading. In the third scenario, a player in the Counter-Strike online multiplayer game can detect a hidden opponent waiting in ambush, by analyzing how the 3D rendering done by the opponent’s computer induces faint but detectable signals into the opponent’s audio feed.
The case of the failed exchange of the vtable slot
https://devblogs.microsoft.com/oldnewthing/20220429-00/?p=106543 [devblogs.microsoft.com]
2022-05-04 20:24
tags:
bugfix
cxx
malloc
programming
windows
This shell extension is trying to detour the operating system, and it failed. (Note that Windows does not support apps detouring the operating system. This shell extension has exited into unsupported territory.)
NaN Gates and Flip FLOPS
https://www.youtube.com/watch?v=5TFDG-y-EHs [www.youtube.com]
2022-05-01 22:19
tags:
compsci
hardware
math
programming
solder
video
A new kind of computer architecture that’s more elegant than 1s and 0s, being based directly on Mathematics.