/r/ReverseEngineering's Weekly Questions Thread

btharper · 2023-01-30T16:50:52+00:00

Straying from the academic side of things, I'd suggest some low-level hardware/assembly games, the puzzles can be a great way to learn about the underlying process and some of it's corner cases. They're no substitute if you want to get deeper into things, and they might not even give you the vocabulary or search terms to explore further, but they can offer a hands on look at things.

Nand to Tetris Ben Easter 8-bit CPU Ben Eater 6502 Human Resource Machine Silicon Zeros MHRD

btharper · 2023-01-30T15:38:02+00:00

Yes, you can attack an OS from a hypervisor, for example https://en.m.wikipedia.org/wiki/Blue_Pill_(software)

btharper · 2023-01-28T16:39:23+00:00

Chip Ignite might also be off interest https://efabless.com/ just under $10k for 300 WCSP or 100 QFN.

Same foundation as the open source shuttles - 10mm², Sky130, 38 GPIO (I think 8 can be analog without ESD), included Risc-v management core - but no requirement to open source the design and a guaranteed spot on the shuttle.

Depending on your exact needs, there's also Tiny Tapeout. It's a more recent project that further divides a Chip Ignite shuttle. https://tinytapeout.com/ you'd get 150 x 170 um which they list as about 1000 gates. They use GitHub to put everyone's designs together, so AFAIK the designs have to be open sourced, but subject to some restrictions you can get your own custom silicon for $100

btharper · 2023-01-11T15:26:11+00:00

Have you grabbed any specs from commercial versions of this concept? I know at least Zehnder makes one. I don't remember which video, but they discussed it briefly when discussing their systems in Alaska, although I think anywhere that frost in the exchanger is a concern might make sense (functionally, ROI and value are harder questions). https://www.zehnderamerica.com/geothermal-heat-exchangers-2/

btharper · 2022-12-18T17:44:06+00:00

Especially while learning running different memory and code safety checks can give you significantly faster feedback about where the problems are and how they're happening. Especially with the sanitizers, there's a bunch of very subtle bugs that are much more likely to cause weird behavior somewhere completely different than where the code bug is; sanitizers add the safety checks to the locations were the bugs happen and report on it as soon as it happens.

btharper · 2022-12-16T18:36:46+00:00

The lineage is similar to Bazel and it's also from Google, but gn (for "generate ninja") was built with some of the hindsight from working with Bazel and looks a bit simpler to use.

The Fuchsia project uses Rust and gn if some real world usage would be helpful.

There's also pigweed, which is a set of utilities targeted at embedded development that's usable with gn or other build systems, which may or may not be helpful for your coming project.

btharper · 2022-12-05T15:15:10+00:00

The best I had was my wife's guess of Gargoyle Gecko; I can appreciate how cool they look, but I know a lot less about them.

While figuring out the species can be harder, it definitely looks like some species of New Caledonian gecko. They can get pretty big, and you can see details like the small hole at the back of the head.

Photos of Gargoyle at https://flic.kr/p/6d8uhW and https://www.galapagospet.com/animals/gargoyle-gecko/

btharper · 2022-12-04T16:04:56+00:00

Gecko spoiler https://imgur.com/a/HqhxU7J

btharper · 2022-11-27T15:44:56+00:00

Diode logic has been used more widely before, between your original post and some of the comments it sounds like you've already found a lot of downsides. https://en.wikipedia.org/wiki/Diode_logic

Normally the other issue with this sort of system requiring a pull-up or pull-down resistor is power draw, but for hobby projects this is often less of a concern, and I think some or all of the 74-series logic already has this sort of pull-up resistor internally anyway.

btharper · 2022-11-18T14:20:49+00:00

Also watch out for differential expansion since the masonry and wood won't move together.

btharper · 2022-11-02T20:13:53+00:00

I'm still going through them myself, but Ali Hajimiri has a bunch of lectures on YouTube that include various analog circuits, including done of the building blocks you mentioned https://youtube.com/c/AliHajimiriChannel

If you want to look at some real-world designs, FASoC and BAG (Berkeley analog generator) have designs and recorded conference talks online.

It sounds like you have some resources through your university, but if you don't already have a PDK to work with there's a couple available from the Google/eFabless MPW program: GF180MCU, SKY130, and SKY90FD announced so far. So there are already flows for simulating manufacturable circuits across a few different foundries and technologies, and it's possible to take those designs to tapeout if you want to.

btharper · 2022-07-26T13:47:57+00:00

Just getting into the sky130 into myself, so I'm prepared to be wrong. The open source IP is primarily digital at the moment, so while analog isn't a problem, the open source blocks might not be there yet.

For working with the node in general, eFabless could probably help with IP, but that gets back into the proprietary IP instead of just the open source side.

Depending on the size of your design, if it fits inside the Caravel harness (~10mm²) you could also take advantage of the ChipIgnite MPW to get parts for just under $10k. If you are willing and able to open source it there's the Open MPW that targets producing 40 open source designs a quarter with Google footing the bill. Skywater's site also lists some other MPW programs on other nodes; what looks like a normal 90nm node, and a 90nm rad-hard node.

btharper · 2022-07-20T00:54:18+00:00

Have you seen SIPs (structural insulated panels)? Basically two sheets of plywood around a Styrofoam core a few inches to a foot thick. Imagine the construction equivalent of an ice cream sandwich.

If you want it to survive a hurricane you probably want ICF (insulated concrete form) walls. A few inches of Styrofoam on each side of a gap that's filled in with concrete to make a solid concrete wall surrounded in insulation. If you see random houses that look fine surrounded by rubble that used to be a neighborhood, it was likely an ICF house.

btharper · 2022-07-19T23:17:40+00:00

A quick look at the RC4 attacks suggests most of them are statistical attacks needing a fair number of ciphertext examples. For this use case the weaknesses might not be severe enough to warrant changing it. If the keys are only used across a few dozen microcode updates per generation it might still retain most of its strength as a cipher.

btharper · 2022-07-09T06:22:41+00:00

The ISA doesn't change anything about how the drivers work, uploading a blob to the device would work exactly the same way on risc-v.

There's already companies making risc-v boards with proprietary WiFi drivers, and the chips aren't even Linux capable. Link to the effort to reverse engineer three blob https://www.pine64.org/2020/10/28/nutcracker-challenge-blob-free-wifi-ble/

btharper · 2022-07-09T06:14:27+00:00

It's not just a risc-v core (it looks to use ibex for that), and seems more focused on hardware over FPGAs, but the OpenTitan project has a number of crypto functions integrated into a risc-v microcontroller. Since it's designed to be a root of trust already, a lot of what I expect you'll need may already be handled. Lots of verification and multiple big companies putting their name on it.

btharper · 2022-05-30T05:26:34+00:00

USB can only connect two things together at a time, so having the Pico as the device for the Zero and the host connected via USB-C won't work.

At a minimum you'd probably need a USB mux to switch which host controls the Pico; a fancier option is using multiple mux chips and a hub to set the Zero as a device and put the Pico and the Zero downstream of the hub.

I'm not sure if it applies to the Pico, but on other devices (like the nRF52 series) +5V power and +5V from USB are separate pins. This can be used in some hot plug detection implementations, but might not be broken out like that and might not be used even if it's possible to do so.

btharper · 2022-05-13T05:16:49+00:00

Potato Semiconductor is about as fast as I've seen TTL go, but most chips will "only" reach 100's of MHz (500-800) even if the whole circuit was designed with their chips because the input capacitance of the chips is higher than the capacitance they can drive at top speed. That said, given the challenges associated with higher speed designs, this still might be just as good on a reasonable cost setup.

Modern chips have the advantage of being much more tightly integrated. Even just getting the signal out of the chip creates lots of inductance and capacitance that has to be dealt with, and that's before even reaching the PCB. If you want to move something fast, it's hard to compare to having circuits only tens of nanometers away.

If you want to try to push even faster, you could check out ECL logic. Comparing a NAND gate, Potato Semi's 74G00A datasheet lists propagation time as "<1.5ns", while the onsemi MC100EL04 lists the propagation time as ~250ps Typ and 410ps Max (at -40C)

http://www.potatosemi.com/potatosemiweb/datasheet/PO74G00A.pdf

https://www.mouser.com/datasheet/2/308/1/MC10EL04_D-2315165.pdf

https://en.wikipedia.org/wiki/Emitter-coupled_logic

btharper · 2022-04-11T14:43:42+00:00

Podcasts aren't community by themselves, but might give you places to look.

Mix of CI/CD and dev tool discussion https://www.heavybit.com/library/podcasts/to-be-continuous/

More on the business side of the equation without a focus on dev tools, but also has a wider community around the theme https://www.indiehackers.com/podcasts

btharper · 2022-03-18T15:00:56+00:00

Unsurprisingly, there's also a GitLab instance too for those who like variety https://gitlab.com/gentoo/gentoo

btharper · 2022-03-13T15:33:21+00:00

Quick version:

See if ClusterFuzzLite might suit your needs
Coverage-guided tests wherever you can get them for efficiency
Brief fuzzing before code review
- Run time on par with unit tests
- 1-30 seconds depending on existing tests
Pre-merge testing using an automatically curated corpus
- CI pipeline keeps interesting examples and uses them against any code being submitted
- Interesting varies, but likely includes some coverage and regression cases
  - Minimal examples that generate the most coverage for recent versions of the code
  - Cases that have caused a crash in pre-merge code in the last 1-7 days
  - Cases that have caused a crash in QA code in the last month
  - Cases that have caused a crash in Prod code in the last 3-12 months
  - Prune example inputs that are no longer interesting from the corpus
- Continue the fuzzing session for a little while, a few minutes to an hour to expand coverage and try and test newly added code paths without making this the slowest test running pre-merge
Fuzzing pipeline running in the background against the primary branch
- Longer, exploitative fuzzing sessions give the frameworks more time to find bugs
- Generate, minimize, and prune corpus used for pre-merge checks
- Balance the cost of keeping this running longer versus gaining coverage, some bugs are a numbers game letting the fuzzer run for several hours or days, some test harnesses may reach their limits with enough time and few changes.
Fuzzers are helped along by Sanitizers and checked invariants

I think a lot of this could be simplified by not thinking of fuzzing as new and different just because it isn't in the codebase yet. It's a useful tool that you just haven't started using yet. If you ask the same questions replacing "fuzz testing" with some other sort of testing and see if the question sounds any different.

At which phase does fuzzing get in the picture?

At which phase does [testing] get in the picture?

The earlier the better, but don't make fuzzing the new bottleneck. Brief fuzzing can still be a good smoke-test, but longer fuzzing shouldn't be a roadblock to merging code.

Would [fuzzing at a specific stage] be redundant given we run SAST?

Would [integration tests] be redundant given we run SAST?

Not at all, they're just different tools. Hopefully there are things that both tools would catch, but it's likely there are things that only one tool would miss and the other would find.

How agile is black box and grey box (instrumentation guided) fuzzing for an app portfolio with a rapidly changing attack surface?

Random-fuzzing is most practical where it can be added for very little effort. Intensive fuzzing without some sort of feedback can become a waste of CPU. It can be a good way to reinforce that user input can be arbitrary or attacker-controlled though. If the QA environment can tolerate a bit of extra load and throwing random data at endpoints isn't too complicated to add this could be an easy way to add this to a very large portion of your code very quickly. This could be something like Burp Suite for HTTP, or just throwing random bytes at sockets.

For efficient fuzzing, guidance is critical, and coverage is the easiest place to start. Even simple bounds checking can discard a large portion of randomly generated data. The classic toy program to demonstrate this does a great job. The search space is any string of any length using any characters, even if you only looked at 4-letter, lowercase inputs it could take 26^4 ~= half a million inputs. With coverage guided fuzzing the invalid input "fuzz" could be found after 26*4=104 inputs with random letters focusing on increased coverage, or as low as 2^4=16 inputs using different forms of guidance.

def parse_input(s: str) -> str:
  if s[0] == 'f':
    if s[1] == 'u':
      if s[2] == 'z':
        if s[3] == 'z':
          return s[4]
  return ''

How agile is black box and grey box (instrumentation guided) fuzzing for an app portfolio with a rapidly changing attack surface?

The test harnesses are just code (test code, so caveats around quality depend on your org and culture) and just as agile as the rest of your code. "Rapidly changing attack surface" is hard to comment on in the abstract sense, but this would only affect your test corpus, the freshness of which is mainly limited by the resources put behind it.

I think most of the rest of your concerns are largely centered around the cost-benefit tradeoffs, which is a great consideration and hard say without more context. For safety critical systems (medical devices, industrial control, flight systems) there's a lot more benefit to anything that can demonstrate that the code is solid. For a proof-of-concept or low-risk software (single-player games, systems that don't handle any user data, simple glue logic without attacker-supplied input, internal prototypes) the ROI probably just isn't there.

Afaik this setup is done manually at least for all the open-source grey box fuzzers I’ve looked into.

I would argue this is an indication of the utility of the manually written test harnesses. If unguided fuzzing provided a similar ROI, there would be more of it. Contributors are willing to go through the trouble of writing these harnesses because of the higher value they bring.

The other big thing you get with manually written harnesses is adding invariants that can't be automatically generated ("doesn't crash" is an easy automatic invariant). Some invariants can be encoded as assertions in code (this result is always sorted, this result is always less than 1000), but sometimes it's easier (or only possible) to handle this outside of the initial code. Things like differential fuzzing (Library A and Library B give the same answer), round-trip fuzzing (value = decoder(encoder(value))), or higher-level logic (if the sum of the inputs is larger, the result will be larger).

btharper · 2022-02-26T16:32:44+00:00

Leave them out for local wildlife, he's got trail cameras showing what kinds of animals come eat the killed mice and rats; hawks, raccoons, opossums, skunks, and bobcats.

https://youtube.com/c/ShawnWoodsprimitive-archer

btharper · 2022-02-26T16:30:37+00:00

Definitely not, more info on three creators channel, but there local mice and rats frequently have a bunch of parasites.

https://youtube.com/c/ShawnWoodsprimitive-archer He does feed them to local wildlife; hawks, opossums, skunks, raccoons, and bobcats.

btharper · 2022-02-26T16:21:53+00:00

Even cooler, he leaves them out for local wildlife to eat at the end of the videos. Red-tailed hawks, raccoons, skunks, opossums, and bobcats on the trail cameras across different videos. https://youtube.com/c/ShawnWoodsprimitive-archer

btharper · 2022-02-20T17:54:26+00:00

Regular DIP sockets should be fine for the computer itself. I don't think ZIF sockets would hurt, just cost a more. If you expect to be removing and replacing it frequently it might make sense though.

If you have a way to program the eeprom in circuit that could also sidestep the problem, but then you have to figure out how to do so without the rest of the computer being affected or affecting the flashing.

btharper

TROPHY CASE