donb @donb@mastodon.social

Cyber.

I wrote a TCP/IPv4 network stack sniffing/mangling library in Python3. It overloads python dicts to work, which makes parsing and editing packets very elegant. Check it out here, it's GPL'd:
https://github.com/securitymouse/moops-public

Introducing http://careful.is the 1st Open Source Healthcare think-tank intending to build ideas toward free & open insurance program.

Introducing http://careful.is the 1st Open Source Healthcare think-tank intending to build ideas toward a free & open insurance program.

On Princeton's discovery of security-impacting flaws in #RISC-V MCM: Don't rely on Linus' Law to secure CPU architectures!

http://blog.securitymouse.com/2017/04/the-risc-v-files-princeton-mcm-and.html

For anyone playing along at home, the SiFive E300 uC image running on an Arty FPGA can be interfaced with a JLink Segger JTAG device, rather than an Olimex ARM JTAG adapter.

The only adjustment is don't connect pin #2 as it's N/C on the JLink.

Then, in openocd, you can just comment out all the FTDI interface details and replace it with a single line:
interface jlink

Easy breezy. #RISC-V

A full technical explanation of, and sample code for, the RISC-V CPU-level privilege escalation flaw. This is exploitable in QEMU, and is vulnerable in the current stable implementation spec, though it is in the process of being solved by the RISC-V team:

http://blog.securitymouse.com/2017/04/the-risc-v-files-supervisor-machine.html

#HITB2017AMS

Wrote a more elegant for the RISC-V in-silicon System->Machine mode CPU privilege escalation bug.

The exploit allows a System-level kernel to inject an arbitrary payload of executable code into the Machine-level executive.

Full details in a blog tonight, along with sample code! #HITB2017AMS

Can anyone recommend some decent but cheap sandals? I'm sick of buying Birkenstocks. My dog has already eaten two pair. I need something cost effective but durable for biking that I won't feel bad about if Arthur attacks.

"But... but... but... the poncho!" - Homer

Is mastodon dead already?

Really enjoyed HITB this year but I'm very glad to be going home.

‪"There was to be a meeting at a house in Glendale, the Americans for America Party. Fenster was the campus representative. He walked off. Baldy leaned over and whispered into my ear, “They’re Nazis!”‬"
- Bukowski/Ham on Rye

Welcome to Buildroot
buildroot login: donb
Password:
$ /donb/hitb 8
trying fake rt_sigreturnx...
[ 228.530000] DONB(8): overwriting machine mode with illegal insn + ret
r = 0
$ /donb/hitb 6
trying fake rt_sigreturnx...
[ 256.520000] DONB mapping req to va = ffffffff78014e08
$ /donb/fakesyscall 9
trying fake rt_sigreturnx...
[ 321.710000] DONB(8): ok, now try the m-hook
/riscv/freedom-u-sdk/freedom-u-sdk/riscv-pk/machine/mtrap.c:18: machine mode: unhandlable trap 2 @ 0x0000000080000e08

Boom! Here's proof the current privilege model in #RISC-V is insecure. My malicious kernel breaks out of the Supervisor privilege, infecting highest level privilege (Machine Mode) with illegal instructions, causing panic.

Full details to be released tomorrow at #HITB2017AMS!

Here we go... last test... #HITB2017AMS

Adjust test harness.
Buildworld.
Test.
Repeat.

Hacking RISC-V kernels in my final prep run for tomorrow's #HITB2017AMS talk. Got Raekwon's new The Wild on blast in the background, keeping that motivation lit.