I wrote a TCP/IPv4 network stack sniffing/mangling library in Python3. It overloads python dicts to work, which makes parsing and editing packets very elegant. Check it out here, it's GPL'd:

Introducing careful.is, the 1st Open Source Healthcare think-tank, intending to build ideas toward a free & open insurance program.


On Princeton's discovery of security-impacting flaws in RISC-V MCM: Don't rely on Linus' Law to secure CPU architectures!



For anyone playing along at home, the SiFive E300 uC image running on an Arty FPGA can be interfaced with a JLink Segger JTAG device, rather than an Olimex ARM JTAG adapter.

The only adjustment is to not connect pin #2, as it's N/C on the JLink.

Then, in openocd, you can just comment out all the FTDI interface details and replace it with a single line:
interface jlink

Easy breezy. -V


A full technical explanation of, and sample code for, the RISC-V CPU-level privilege escalation flaw. This is exploitable in QEMU, and is vulnerable in the current stable implementation spec, though it is in the process of being solved by the RISC-V team:



Wrote a more elegant exploit for the RISC-V in-silicon System->Machine mode CPU privilege escalation bug.

The exploit allows a System-level kernel to inject an arbitrary payload of executable code into the Machine-level executive.

Full details in a blog tonight, along with sample code!

recommendations wanted

Can anyone recommend some decent but cheap sandals? I'm sick of buying Birkenstocks. My dog has already eaten two pairs. I need something cost effective but durable for biking that I won't feel bad about if Arthur attacks.

"But... but... but... the poncho!" - Homer

Really enjoyed HITB this year but I'm very glad to be going home.

‪"There was to be a meeting at a house in Glendale, the Americans for America Party. Fenster was the campus representative. He walked off. Baldy leaned over and whispered into my ear, “They’re Nazis!”‬"
- Bukowski/Ham on Rye

donb boosted

Not sure how many people have noticed, but the code that accompanies my Phrack paper on Firefox/jemalloc exploitation (phrack.com/issues/69/14.html#a) contains a way to trigger a full GC (DOM + minor) on demand.

And it still works.


Welcome to Buildroot
buildroot login: donb
$ /donb/hitb 8
trying fake rt_sigreturnx...
[ 228.530000] DONB(8): overwriting machine mode with illegal insn + ret
r = 0
$ /donb/hitb 6
trying fake rt_sigreturnx...
[ 256.520000] DONB mapping req to va = ffffffff78014e08
$ /donb/fakesyscall 9
trying fake rt_sigreturnx...
[ 321.710000] DONB(8): ok, now try the m-hook
/riscv/freedom-u-sdk/freedom-u-sdk/riscv-pk/machine/mtrap.c:18: machine mode: unhandlable trap 2 @ 0x0000000080000e08



Boom! Here's proof the current privilege model in RISC-V is insecure. My malicious kernel breaks out of the Supervisor privilege, infecting the highest-level privilege (Machine Mode) with illegal instructions, causing a panic.

Full details to be released tomorrow at HITB!

donb boosted
"A Unix system administrator of my acquaintance once got curious about what people were putting into /dev/null. I think he also may have had some notion that it would contain secrets or other interesting material that people wanted thrown away. Both of these ideas are stupid, but what he did next was even more stupid: he decided to replace /dev/null with a plain file so that he could examine its contents.

The root filesystem quickly filled up and the admin had to be called back from dinner to fix it. But he found that he couldn't fix it: to create a Unix device file you use the mknod command, and its arguments are the major and minor device numbers of the device to create. Our friend didn't remember the correct minor device number. The ls -l command will tell you the numbers of a device file but he had removed /dev/null so he couldn't use that.

Having no other system of the same type with an intact device file to check, he was forced to restore /dev/null from the tape backups."
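The recovery problem in that story, as an added shell example that is not part of the quoted post: a check that /dev/null is still a character device, a helper that reads the major/minor numbers from ls -l the way the story describes, and a constructed plain file to show the check rejecting it. The repair hint assumes Linux, where the null device is character major 1, minor 3.

```shell
# Added example (not part of the quoted story). Checks that /dev/null is the
# character device it should be, rather than the plain file that filled the
# admin's root filesystem. Repair hint assumes Linux (null device = c 1 3).

check_devnull() {
    dev=${1:-/dev/null}

    if [ ! -e "$dev" ]; then
        echo "$dev: missing. Repair as root (Linux): mknod $dev c 1 3 && chmod 666 $dev" >&2
        return 1
    fi

    if [ ! -c "$dev" ]; then
        # A regular file here keeps every write that was meant to be discarded
        # and grows until the filesystem is full.
        echo "$dev: not a character device. Repair as root (Linux): rm -f $dev && mknod $dev c 1 3 && chmod 666 $dev" >&2
        return 1
    fi

    return 0
}

# Print "major,minor" for a device file by parsing ls -l, which shows the two
# numbers where a regular file would show its size. Works on GNU and BSD ls.
devnull_numbers() {
    dev=${1:-/dev/null}
    [ -c "$dev" ] || return 1
    ls -l "$dev" | awk '{ sub(",", "", $5); print $5 "," $6 }'
}

# Constructed negative case: a temporary plain file standing in for /dev/null.
# Returns 1 because the check must reject it.
demo_plain_file_as_null() {
    tmp=$(mktemp)
    echo "output that should have been discarded" > "$tmp"
    if check_devnull "$tmp" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```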


Adjust test harness.


Hacking RISC-V kernels in my final prep run for tomorrow's talk. Got Raekwon's new The Wild on blast in the background, keeping that motivation lit.
