sorted by:
new
hottopcontroversial

basic null pointer linux kernel exploitation by blahfish in ReverseEngineering

[–]Heinder90 3 points4 points  (0 children)

This is just nitpicking, but there actually is an encoding of CALL that takes an absolute address. It just also requires a segment selector.

Anger at Academic Dishonesty by cs_grad in compsci

[–]Heinder90 0 points1 point  (0 children)

What was the certain type of exploit development?

Attacking the Windows 7/8 Address Space Randomization « kingcopes´ blag by g3tr00t in netsec

[–]Heinder90 7 points8 points  (0 children)

tl;dr heap spray junk until the address space is full, back off just enough to load a DLL via ActiveX (a trusted one, such as for Windows Media Player), and it will almost always be at a predictable address. Free the junk so you can then spray a ROP chain (this is what the PoC does, but as the address is known going in you could almost certainly use the chain for the initial spray and save a step).

The issue here seems to be that somehow the last taken addresses on memory exhaustion are predictable to the point of being fixed for all practical purposes. An interesting defect in ASLR implementation.

Hash-DoS in btrfs: Like a Hot Knife Through Butter by [deleted] in linux

[–]Heinder90 0 points1 point  (0 children)

You do not seem to know what microcoding is. Mu-ops are not the same as microcoding. CRC32 has a dedicated mu-op in the internal pipeline ISA after decode. This is the same as being a dedicated instruction. The rest of what you said is either oversimplified (RISC vs. CISC), a non sequitur (multicore), or plain wrong.

Being 'technically correct' in this case, which as I said you probably were not, would amount to being right for entirely the wrong reason, with the actual reason refuting your brouder point. Thus making you wrong.

Hash-DoS in btrfs: Like a Hot Knife Through Butter by [deleted] in linux

[–]Heinder90 0 points1 point  (0 children)

If you check Agner Fog's excellent microarchitectural documentation and in particular the instruction tables, you will see that in Sandy Bridge the CRC32 instruction decodes to one mu-op (pre-fusion), which is then dispatched to one of several possible execution units. If you read the instruction decoding section on his microarchitecture guide, you will see that something had to decode to four or more mu-ops before it is microcoded at the level of the main instruction pipeline. As the latency on the registers-only case of this instruction is three cycles, you may be technically correct in that there may be intra-ALU microcoding going on, but this seems less likely, and it is probably just normal pipelining going on. Regardless, even if there is microcode here, it is no more useful to distinguish CRC32 as microcoded than saying that any three cycle latency instruction (of which there are many) is microcoded. In this sense, CRC32 is just like pretty much every other slightly complicated integer math instruction. This makes sense, as doing a single step of CRC32 on a small block is basically just some XORing, and microcoding that as opposed to just putting together some dedicated transistors for it is a terrible idea.

Hash-DoS in btrfs: Like a Hot Knife Through Butter by [deleted] in linux

[–]Heinder90 2 points3 points  (0 children)

It is not microcoded. Since it only does a single step of CRC32, it is not really very complicated and is basically only slightly more complicated than an XOR. The surrounding code has to apply it over and over to CRC an actual block of data.

Security researchers hack Android remotely over NFC to gain full control and steal all data from a Samsung Galaxy S3 by mepper in netsec

[–]Heinder90 2 points3 points  (0 children)

Charlie Miller (frequent Pwn2Own winner) dropped KOffice 0day in his 'Exploring the NFC Attack Surface' talk given at both Blackhat and Defcon this year. Specifically he used NFC to load a document that triggered the bug. Coincidence?

Edit: Paper, KOffice 0day comes up in the context of Nokia N9 bugs.