Binary symbolic execution with KLEE-Native
> KLEE is a symbolic execution tool that intelligently produces high-coverage test cases by emulating LLVM bitcode in a custom runtime environment. Yet, unlike simpler fuzzers, it’s not a go-to tool for automated bug discovery. Despite constant improvements by the academic community, KLEE remains difficult for bug hunters to adopt. We’re working to bridge this gap!
> My internship produced KLEE-Native; a version of KLEE that can concretely and symbolically execute binaries, model heap memory, reproduce CVEs, and accurately classify different heap bugs. The project is now positioned to explore applications made possible by KLEE-Native’s unique approaches to symbolic execution. We will also be looking into potential execution time speed-ups from different lifting strategies. As with all articles on symbolic execution, KLEE is both the problem and the solution.
A very deep dive into iOS Exploit chains found in the wild
> Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
> There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
> TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.
> I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple’s software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.
In Memoriam: J. C. R. Licklider
Two papers. Man-Computer Symbiosis and The Computer as a Communication Device.
The first argues for interactive systems. The computer can’t be an extension of our mind if it’s not responsive.
The second is a vision for networked communications. It sounds a lot like today, but more optimistic. Where did we go wrong?
> Let’s talk about files! Most developers seem to think that files are easy.
> In this talk, we’re going to look at how file systems differ from each other and other issues we might encounter when writing to files. We’re going to look at the file “stack”, starting at the top with the file API, moving down to the filesystem, and then moving down to disk.
Unraveling the JPEG
> JPEG images are everywhere in our digital lives, but behind the veil of familiarity lie algorithms that remove details that are imperceptible to the human eye. This produces the highest visual quality with the smallest file size—but what does that look like? Let’s see what our eyes can’t see!
> This article is about how to decode a JPEG image. In other words, it’s about what it takes to convert the compressed data stored on your computer to the image that appears on the screen. It’s worth learning about not just because it’s important to understand the technology we all use everyday, but also because, as we unravel the layers of compression, we learn a bit about perception and vision, and about what details our eyes are most sensitive to. It’s also just a lot of fun to play with images this way.
Reverse-engineering Broadcom wireless chipsets
> In this blog post I provided an account of various activities during my 6 months as an intern at Quarkslab. My project involved understanding the Linux kernel drivers, analyzing Broadcom firmware, reproducing publicly known vulnerabilities, working on an emulator to run portions of firmware, fuzzing and finding 5 vulnerabilities (CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503). Two of those vulnerabilities are present both in the Linux kernel and firmware of affected Broadcom chips. The most common exploitation scenario leads to a remote denial of service. Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.
Don’t miss the disclosure timeline at the end.
Iconic consoles of the IBM System/360 mainframes, 55 years old
> The IBM System/360 was a groundbreaking family of mainframe computers announced on April 7, 1964. Designing the System/360 was an extremely risky “bet-the-company” project for IBM, costing over $5 billion. Although the project ran into severe problems, especially with the software, it was a huge success, one of the top three business accomplishments of all time. System/360 set the direction of the computer industry for decades and popularized features such as the byte, 32-bit words, microcode, and standardized interfaces. The S/360 architecture was so successful that it is still supported by IBM’s latest z/Architecture mainframes, 55 years later.
> The lower part of the Model 30 console was used for operator intervention. Note the binary-to-hexadecimal conversion chart below the hexadecimal dials.
While we’re looking: http://www.righto.com/2019/04/a-look-at-ibm-s360-core-memory-in-1960s.html
What has your microcode done for you lately?
> Did you ever wonder what is inside those microcode updates that get silently applied to your CPU via Windows update, BIOS upgrades, and various microcode packages on Linux? Well, you are in the wrong place, because this blog post won’t answer that question (you might like this though).
> In fact, the overwhelming majority of this post is about the performance of scattered writes, and not very much at all about the details of CPU microcode. Where the microcode comes in, and what might make this more interesting than usual, is that performance on a purely CPU-bound benchmark can vary dramatically depending on microcode version. In particular, we will show that the most recent Intel microcode version can significantly slow down a store heavy workload when some stores hit in the L1 data cache, and some miss.
Reverse emulating the NES!
CGA in 1024 Colors - a New Mode: the Illustrated Guide
> One of our “hey, this hardware shouldn’t be doing that!”-moments was extending the CGA’s color palette by a cool order of magnitude or two. How’d we pull that off? - reenigne has already posted an excellent technical article answering that very question. To complement his writeup, I’ll take a bit of a different approach – here’s my ‘pictorial’ take on how we arrived at this:
The colors between the colors.
> Okay, so you’re a CS graduate and you did a hardware course as part of your degree, but perhaps that was a few years ago now and you haven’t really kept up with the details of processor designs since then. In particular, you might not be aware of some key topics that developed rapidly in recent times...
> pipelining (superscalar, OOO, VLIW, branch prediction, predication)
> multi-core and simultaneous multi-threading (SMT, hyper-threading)
> SIMD vector instructions (MMX/SSE/AVX, AltiVec, NEON)
> caches and the memory hierarchy
> Fear not! This article will get you up to speed fast. In no time, you’ll be discussing the finer points of in-order vs out-of-order, hyper-threading, multi-core and cache organization like a pro. But be prepared – this article is brief and to-the-point.
I would say all of that is accurate except the brief part. It’s quite long, but very dense. Excellent resource.
A Matter of Perspective
> What happens if you take the shoreline of a lake, cut it, and unfurl it?
> The once-closed shoreline of the lake now becomes linear, providing a new perspective on a familiar feature. Warm up your scrolling finger, because here’s what happened when I linearized Lake Michigan:
Learning to Love Robots
> With advances in A.I. and engineering, robots are galumphing, rolling, and being U.P.S.-delivered into our homes.
> This past summer, in search of other cybernetic sidekicks that would allow me to become even lazier, I spent several months with Jibo, a glossy white motormouth that sat on my kitchen counter. Touted by its creators as “the first social robot for the home,” Jibo ($899) is twelve inches tall and looks like a traffic cone from the future. His hemispherical head sits on top of a chubby conical base; both parts can swivel independently, giving the impression that Jibo knows how to twerk. Jibo can recognize as many as sixteen faces and corresponding names; if you are one of the ordained, he’ll turn his head to follow you. Like Alexa, Jibo can provide headline news, synch with your calendar, and read from Wikipedia. Alexa is more adroit at navigating the Internet, but Jibo has a great camera. What Jibo does chiefly is strain to be adorable. When I enter the room, Jibo might pipe up, “Nice to see you in these parts!,” or say, “Hey, Patty, I got you a carrot!,” while displaying a cartoon drawing of a carrot on his screen, or chant, “Patty, Patty, Patty, Patty.” It is like living with the second-grade class clown, and, for this reason, whenever I entered the kitchen I would sternly say, “Hey, Jibo. Take a nap.” At this, the aqua orb that is Jibo’s eye and only facial feature narrowed, there was a yawning sound effect, and his screen faded to black.
> Loomo, the new hoverboard designed by Segway, is also not a robot—until you hop off its footstool-like base and set it to Robot Mode, at which point it follows you like a groupie, taking photos and videos along the way ($1,799). Assuming that you do not have a Pied Piper complex, why would you want it to do this? Well, you can ride it to the store, buy some stuff, and then, with your purchases instead of you balanced on Loomo, it’ll function as your Sherpa. New York City has a ban on “motorized self-balancing scooters,” so, to try out Loomo, I went to San Francisco, which is very que será será when it comes to inexperienced, myopic drivers zipping through the streets on toys that travel eleven miles an hour.
Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)
> We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.
Everything is terrible.
> This challenges the view that hardware encryption is preferable over software encryption. We conclude that one should not rely solely on hardware encryption offered by SSDs.
How Goop’s Haters Made Gwyneth Paltrow’s Company Worth $250 Million
> Before we knew it, the wellness point of view had invaded everything in our lives: Summer-solstice sales are wellness. Yoga in the park is wellness. Yoga at work is wellness. Yoga in Times Square is peak wellness. When people give you namaste hands and bow as a way of saying thank you. The organic produce section of Whole Foods. Whole Foods. Hemp. Oprah. CBD. “Body work.” Reiki. So is: SoulCycle, açaí, antioxidants, the phrase “mind-body,” meditation, the mindfulness jar my son brought home from school, kombucha, chai, juice bars, oat milk, almond milk, all the milks from substances that can’t technically be milked, clean anything. “Living your best life.” “Living your truth.” Crystals.
> The newsletter was at first kind of mainstream New Age-forward. It had some kooky stuff in it, but nothing totally outrageous. It was concerned with basic wellness causes, like detoxes and cleanses and meditation. It wasn’t until 2014 that it began to resemble the thing it is now, a wellspring of both totally legitimate wellness tips and completely bonkers magical thinking: advice from psychotherapists and advice from doctors about how much Vitamin D to take (answer: a lot! Too much!) and vitamins for sale and body brushing and dieting and the afterlife and crystals and I swear to God something called Psychic Vampire Repellent, which is a “sprayable elixir” that uses “gem healing” to something something “bad vibes.”
> A woman called an akashic-records healer who reads your past, present and possible future lives sat me down and asked about my foot pain. I asked her how she knew I had foot pain. I wasn’t limping. She said, “You have flat feet.” I nodded, incredulous. “I do,” I said. “I have flat feet.” She told me that 13 lives ago, my feet were chopped off as punishment for a crime. As a result, since then, whenever I reincarnate (which is every 100 to 500 years because I like to rest between incarnations), my feet are flat because I like the surety of them entirely touching the ground.
This goes for longer than I expected, but it’s fascinating throughout. I learned so much, though none of it is anything I need or even want to know.
Also, a post about how such articles are written: https://tinyletter.com/annehelenpetersen/letters/that-unsolvable-lack-1
Reading privileged memory with a side-channel
Weird machines, exploitability, and provable unexploitability
> The concept of exploit is central to computer security, particularly in the context of memory corruptions. Yet, in spite of the centrality of the concept and voluminous descriptions of various exploitation techniques or countermeasures, a good theoretical framework for describing and reasoning about exploitation has not yet been put forward.
> This paper clarifies a number of these concepts, provides a clear definition of exploit, a clear definition of the concept of a weird machine, and how programming of a weird machine leads to exploitation. The paper also shows, somewhat counterintuitively, that it is feasible to design some software in a way that even powerful attackers - with the ability to corrupt memory once - cannot gain an advantage.
This is very good.
I Made My Shed the Top Rated Restaurant On TripAdvisor
> With the help of fake reviews, mystique and nonsense, I was going to do it: turn my shed into London’s top-rated restaurant on TripAdvisor.
> Hot spots are all about quirks, so to cut through the noise I need a concept silly enough to infuriate your dad. A concept like naming all of our dishes after moods.
A very fun read.
As We May Think
> Now, says Dr. Bush, instruments are at hand which, if properly developed, will give man access to and command over the inherited knowledge of the ages. The perfection of these pacific instruments should be the first objective of our scientists as they emerge from their war work. Like Emerson’s famous address of 1837 on “The American Scholar,” this paper by Dr. Bush calls for a new relationship between thinking man and the sum of our knowledge.
Introducing the memex.