Blog

The Infoleak that (Mostly) Wasn't

A 13 year old information leak without a CVE allocated appears important at first, but an analysis uncovers limited impact.

Read More

Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks

Intel's recent announcement of their hardware support for a form of Control Flow Integrity (CFI) has raised a lot of interest among the expert as well as the popular press. As an interested party we've decided to look at some of the details and analyze the strengths and weaknesses of Intel's Control-flow Enforcement Technology (CET).

Read More

KASLR: An Exercise in Cargo Cult Security

This post provides an in-depth analysis of the flawed KASLR mitigation, through a history lesson of the origins of ASLR, security fundamentals, and threat modeling.

Read More

The Truth about Linux 4.6

This post is a teardown of a factually incorrect presentation by Linux kernel maintainer, Greg KH. It cuts through the hype and discusses the minimal security improvements to Linux 4.6 by the KSPP.

Read More

False Boundaries and Arbitrary Code Execution

This often-cited post provides a detailed reference to the Linux capability system, subjecting it to critical analysis through the lens of ambient authority, with the revelation that most capabilities are equivalent to full root access if an attacker has arbitrary ability to exercise the capability. It finishes with a discussion on how this plays into PaX's design and grsecurity's RBAC system.

Read More

Recent ARM Security Improvements

This post contains a detailed blueprint for the novel design and implementation of PaX KERNEXEC and UDEREF on ARM, preventing ambient direct userland access from the kernel as well as preventing arbitrary code execution in the kernel.

Read More

Assorted Notes on Defense and Exploitation

This post presents a defense of so-called "ad-hoc" memory corruption defenses, comparing their practicality and effectiveness to calls to rewrite all software in safe languages, as proposed by a cited presentation. It also drives home the message of seeking details instead of believing security buzzwords like "sandbox".

Read More

For more blog entries, please see our old blog forum.