"The Page-Fault Weird Machine: Lessons in Instruction-less Computation" Bangert, Bratus, Shapiro, Smith - https://www.usenix.org/system/files/conference/woot13/woot13-bangert.pdf
".. We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture’s interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults, without ever successfully dispatching any instructions .."
... found via a pretty decent blog post on the topic at http://www.pl-enthusiast.net/2017/10/23/what-is-soundness-in-static-analysis/
"DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" Machiry, Spensky, et al. https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pd
.. we present DR. CHECKER, a soundy (i.e., mostly sound) bug-finding tool for Linux kernel drivers that is based on well-known program analysis techniques. We are able to overcome many of the inherent limitations .. we analyzed the drivers of nine production Linux kernels (3.1 million LOC), where it correctly identified 158 critical zero-day bugs with an overall precision of 78%."
Recently encouraged to apply for a job, involved a 5-day/40hr take-home test (negotiated more time; was travelling soon after telling me about the task). Turned out to be amazingly fun, but now realizing how lucky I am to be able to consider doing this at short notice; a lot of great people don't have the support/lack of responsibility to spend this kind of time at home. OTOH, point of it was helping them consider more diverse applicant pool (wrt ppl who hadn't done this exact work). Hmmm.
oh and literally all of Android and Fuchsia... lol
a lot of ppl think Android is good because it's got a license and you can read a bunch of code, but viewed as an open-source project it's a complete failure to treat its userbase with respect, enfranchise them in the development process, and protect them from exploitation
it has a fucking *app store*!
"Breaking the x86 ISA" - Christopher Domas
"..we demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in a chipset. The approach has revealed critical x86 hardware glitches, previously unknown machine instructions, ... and flaws in enterprise hypervisors"
Breaking the links: Exploiting the linker
".. insecure library loading on the [Windows] provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks.. general consensus .. appeared to be that this was just another example of Microsoft doing things wrong, I .. responded with a blog post that sought to highlight an example of where POSIX style linkers get things wrong.."
Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks.
Malware Guard Extension: Using SGX to Conceal Cache Attacks
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
Flush+Flush: A Fast and Stealthy Cache Attack
Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches.
ARMageddon: Cache Attacks on Mobile Devices
Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
KASLR is Dead: Long Live KASLR
"Software-based Microarchitectural Attacks" - Daniel Gruss https://gruss.cc/files/phd_thesis.pdf
In this thesis, we investigate software-based microarchitectural attacks. Software-based microarchitectural side-channel attacks exploit timing and behavior differences that are (partially) caused through microarchitectural optimizations, i.e., differences that are not architecturally documented. Software-based microarchitectural fault attacks induce faults through microarchitectural optimizations
"LETHE: Strengthening Fine Grained Address Space Layout Randomization with Computationally Inexpensive Memory Disclosure Tripwires" (Selifonov 2015) http://thyth.com/p/lethe/lethe-wp.pdf
"...Fine-grained ASLR pushes the exploit payload creation process into runtime, but it is not enough to prevent just-in-time discovery of return oriented programming gadgets. By incorporating new memory permission capabilities exposed through virtualization on the Intel platform..."
"Looking back at Grsecurity" - (Bijnen, Berkelaar 2014) https://www.edworks.info/papers/Looking_back_at_Grsecurity.pdf
".. We have gathered an array of potentially system compromising exploits that have been discovered in a five year time frame. Each of these exploits are tested on a vulnerable system that has yet to receive a fix for the exploit, simulating a zero-day attack. We found that Grsecurity offers considerable enhancements in the field of kernel security and that from a historical.."
"Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying" (Lu, Walter, Pfaff, Nürnberger, Lee, Backes 2017) https://www.internetsociety.org/sites/default/files/ndss2017_09-2_Lu_paper.pdf
..automated targeted stack-spraying .. reliably facilitates the exploitation of uninitialized uses..
(1) .. combines tailored symbolic execution and guided fuzzing .. (2) .. exhaustive memory spraying .. reliably control more than 91% of the Linux kernel stack..
A Study of Overflow Vulnerabilities on GPUs by Di, Sun, Chen
... In this paper, we explore security vulnerabilities of CUDA from multiple dimensions. In particular, we first present a study on GPU stack, and reveal that stack overflow of CUDA can affect the execution of other threads by manipulating different memory spaces. Then, we show that the heap of CUDA is organized in a way that allows threads from the same warp or..
PoC || GTFO 0x03:6, pp18: Prototyping an RDRAND Backdoor in Bochs [Taylor Hornby] - I just love it.
So it's decided: I'm gonna leave my current job. I just can't take any more of this toxic politicised environment with mob practices.
Anybody knows of any interesting openings for a system/embedded software engineer? I'm in the Silicon Valley and appreciate flexibility.
A boost would be very welcome! Thanks!
Towards an Architecture-Centric Approach to Security Analysis
..a DRSpace-based analysis approach to identify architectural design flaws and we show, via an empirical study of 10 open source projects, that areas of a software architecture that suffer from greater numbers of design flaws are highly correlated with security bugs, and high levels of churn associated with those security bugs
Natural Language Processing to Quantify Security Effort in the Software Development Lifecycle
.. we propose a technique for performing topic detection on data commonly available in most software development projects: text artifacts from issue tracking and version control systems. We apply machine learning and natural language processing techniques to create classifiers capable of accurately ...