
Paul Harvey @csirac2@mastodon.social

Paul Harvey boosted

Would you believe that I've been writing L0phtCrack for the last twenty years? www.l0phtcrack.com
It's had a number of contributors, starting with Mudge, and Weld Pond, and a few other folks who may or may not want their names shared, but I've been the major architect of the project since 1998.

People keep buying it, and Microsoft keeps using the same dumb crypto, so why not keep writing the damn thing. :)

"Instructions and tools to boot Xen in UEFI mode with TPM measurements of Xen and dom0" Tamas K Lengyel - github.com/tklengyel/xen-uefi

> This repository contains tools and instructions for installing Xen and dom0 with UEFI/SecureBoot + Intel TXT such that all critical components of Xen and the dom0 kernel get SecureBoot verified and measured into the TPM. The setup described here combines a full SRTM chain with DRTM measurements at the end.

My BSidesCBR 2018 talk slides + notes: github.com/csirac2/presentatio

Bibliography: github.com/csirac2/presentatio

Due to a series of unfortunate events - each my own fault, amplifying the next due to escalating sleep deprivation - the actual talk I delivered wasn't what I had envisaged (even the slides I'm sharing here aren't what I had prepared).

I'll try to salvage it into an extended blog post of some kind.

On the bright side, the Hardware Hacking Village was a decent success - so not all was lost :)

Story of my life: the harder I try, the less I get done. Something something balance. Except for me that seems more like: "things I should be doing" vs "things I spontaneously explore". Cutting back on the latter doesn't help the former.

I'll probably struggle for too long fighting GCC to get a PoC to run on this thing, I'm a python/perl/ruby/js/bash hacker by day damnit, I haven't done in-line assembly since I was a teenager

Playing w/friend's 1997 Thinkpad 380D (150MHz Pentium MMX 80MB/2GB). OPENSTEP installation proclaims "WARNING: preposterous time in Real Time Clock - CHECK AND RESET THE DATE!"

Technically it boots from CD but I wasted a lot of CD-Rs figuring out I had to burn RAW mode, doesn't like TAO discs. Also had to go back to Debian Etch (4.9) to get working PCMCIA+3Com drivers, though Jessie (8.10) did boot.

I'm researching meltdown on older CPUs... this one is probably too old

Now I'm in an s390 rabbit hole learning about program status word, storage (memory?) protection keys, z/os interrupt prefixes... and intel reincarnated this as MPX?

"Proceedings of the Seminar on the DoD Computer Security Initiative Program" [1979] csrc.nist.gov/CSRC/media/Publi

This is a really amazing document to me, summarizing a lot of what I'd hoped to get from folks in conversation.

Now that I've had a few conversations with mainframe users, I realize the odds of finding folks who actively worked in security-conscious environments are probably few and far between. Anyway, this spawned a whole bunch of new source material searches for my BSidesCBR talk :)

It seems CTOS was a message-based microkernel thing, had P2P networking and could boot from the network. It "ran on Intel x86 computers, and could run concurrently with Windows NT on Unisys PC" - I sometimes wonder what it would've been like to be involved during this Cambrian explosion of computing: en.wikipedia.org/wiki/Converge

I'm trying to talk to users/developers of older mainframe/minicomputer systems (to 1980s) to get a feel for what kinds of security threats folks were trying to deal with back then, particularly running untrusted code prior to PC revolution. Burroughs seems to have significant mentions in literature, so through friends I've found two (maybe 3) ex-users. Their stories are interesting, but light on security stuff. I did get solid recommendation to investigate CTOS though, which looks fun.

Microarchitectural attacks: reflecting on 45 years of research since "A note on the confinement problem" - my talk was accepted at BSidesCBR :-) Now, to achieve clarity on what "confinement" has meant, what was attempted, and what was achieved (or not achieved) over the decades...

"The Page-Fault Weird Machine: Lessons in Instruction-less Computation" Bangert, Bratus, Shapiro, Smith - usenix.org/system/files/confer

".. We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture’s interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults, without ever successfully dispatching any instructions .."

"DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" Machiry, Spensky, et al. usenix.org/system/files/confer

".. we present DR. CHECKER, a soundy (i.e., mostly sound) bug-finding tool for Linux kernel drivers that is based on well-known program analysis techniques. We are able to overcome many of the inherent limitations .. we analyzed the drivers of nine production Linux kernels (3.1 million LOC), where it correctly identified 158 critical zero-day bugs with an overall precision of 78%."

Recently encouraged to apply for a job, involved a 5-day/40hr take-home test (negotiated more time; was travelling soon after telling me about the task). Turned out to be amazingly fun, but now realizing how lucky I am to be able to consider doing this at short notice; a lot of great people don't have the support/lack of responsibility to spend this kind of time at home. OTOH, point of it was helping them consider more diverse applicant pool (wrt ppl who hadn't done this exact work). Hmmm.

Paul Harvey boosted

oh and literally all of Android and Fuchsia... lol

a lot of ppl think Android is good because it's got a license and you can read a bunch of code, but viewed as an open-source project it's a complete failure to treat its userbase with respect, enfranchise them in the development process, and protect them from exploitation

it has a fucking *app store*!

"Breaking the x86 ISA" - Christopher Domas

github.com/xoreaxeaxeax/sandsi

"..we demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in a chipset. The approach has revealed critical x86 hardware glitches, previously unknown machine instructions, ... and flaws in enterprise hypervisors"

Breaking the links: Exploiting the linker [2011]

Brown, Tim
nth-dimension.org.uk/pub/BTL.p

.. insecure library loading on the [Windows] provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks.. general consensus .. appeared to be that this was just another example of Microsoft doing things wrong, I .. responded with a blog post[1] that sought to highlight an example of where POSIX style linkers get things wrong..

Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks.
Malware Guard Extension: Using SGX to Conceal Cache Attacks
Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Practical Memory Deduplication Attacks in Sandboxed JavaScript
Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
Flush+Flush: A Fast and Stealthy Cache Attack
Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches.
ARMageddon: Cache Attacks on Mobile Devices
Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
KASLR is Dead: Long Live KASLR