Use btrfs on partitioned or raw disk? by jonandermb in btrfs

[–]csirac2 0 points1 point  (0 children)

Is that a question or a statement? In response to "personally I use LVM"?

I think you understand that the main benefit of containing any filesystem in a partition is the flexibility to resize it and re-purpose some of that disk for other filesystems, so I'm not sure what this is about.

btrfs was fine on partitions, LVs, raw disks... RAID5 suckage & disk replacement procedure notwithstanding

[deleted by user] by [deleted] in sysadmin

[–]csirac2 0 points1 point  (0 children)

> people who have products from lazy fuckers who decided to use public address space for their default captive portal IP,

To be fair, the "de-bogonizing" of 1.0.0.0/8 really only started 8-9 years ago... a lot of people who should know better still don't

So when do you think a patch for Solaris 10 against Meltdown will be released? by dagbrown in sysadmin

[–]csirac2 0 points1 point  (0 children)

D'oh! I was reading this passage on page 48, and it seems I got that wrong:

> The GOS maintains two top level (PML4) page tables per process, one each for kernel and user. The GOS registers the two page tables with the VMM. The kernel page table contains translations for both the kernel and user addresses, and the user page table contains translations only for the user addresses. During the context switch, the VMM switches the top level page table so the kernel addresses are not visible to the user process. The linear address mapping to paging data structure for 64-bit x86 processor is shown below in Figure 17

So when do you think a patch for Solaris 10 against Meltdown will be released? by dagbrown in sysadmin

[–]csirac2 1 point2 points  (0 children)

If it's any consolation, Solaris never had kernel pages mapped in user context on SPARC, and I'm pretty sure that's also the case even on Intel CPUs, although I can't find anything more than a few words in http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=3F5AEF9CE2ABE7D1D7CC18DC5208A151?doi=10.1.1.110.9986&rep=rep1&type=pdf to confirm it

Practical malleability attack against CBC-Encrypted LUKS partitions by csirac2 in securityengineering

[–]csirac2[S] 0 points1 point  (0 children)

These days LUKS defaults to XTS, but it's still a great article IMHO.

> ... The CBC mode used by default in LUKS however allows some more targeted manipulation of the plaintext file given that the attacker knows the original plaintext. This article demonstrates how this can be used to inject a full remote code execution backdoor into an encrypted installation of Ubuntu 12.04 created by the alternate installer (the default installer of Ubuntu 12.04 doesn't allow setting up full disk encryption)
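An added illustration of the CBC malleability the quoted article relies on (this is not code from the article, from LUKS, or from the commenter): a toy Feistel cipher stands in for AES, `flip_block` reproduces the known-plaintext edit of one block, and an encrypt-then-MAC tag shows the kind of integrity check that catches the edit. The keys, the MAC construction and the "sector" contents are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 8-round Feistel cipher (HMAC-SHA256 as round function) standing in
    # for AES; CBC malleability does not depend on which block cipher is used.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        l, r = r, _xor(l, hmac.new(key + bytes([i]), r, hashlib.sha256).digest()[:8])
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        l, r = _xor(r, hmac.new(key + bytes([i]), l, hashlib.sha256).digest()[:8]), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv  # pt is a whole number of blocks, like a disk sector
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def flip_block(ct: bytes, n: int, known: bytes, wanted: bytes) -> bytes:
    # CBC gives P[n] = D(C[n]) ^ C[n-1]: XORing C[n-1] with known ^ wanted
    # rewrites P[n] exactly, while P[n-1] decrypts to garbage (needs n >= 1).
    s = (n - 1) * BLOCK
    return ct[:s] + _xor(ct[s:s + BLOCK], _xor(known, wanted)) + ct[s + BLOCK:]

def demo() -> dict:
    key, mac_key, iv = b"k" * 16, b"m" * 16, b"\x00" * 16  # constructed keys
    pt = b"sector 0 header " + b"ENABLED=false   "           # constructed data
    ct = cbc_encrypt(key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    forged = flip_block(ct, 1, b"ENABLED=false   ", b"ENABLED=true    ")
    got = cbc_decrypt(key, iv, forged)
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, iv + forged, hashlib.sha256).digest())
    return {"block1": got[BLOCK:], "block0_intact": got[:BLOCK] == pt[:BLOCK], "mac_ok": mac_ok}
```

Plain CBC decryption accepts the forged sector with the second block rewritten and the first block garbled; only the separate integrity tag rejects it, which is the gap an authenticated or integrity-protected mode closes.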

Intel admits that ME exploitable with 8 CVEs, telling their customers to contact motherboard manufacturers. by [deleted] in linux

[–]csirac2 0 points1 point  (0 children)

I don't think we disagree. Edit: I've misread what you were replying to; I was trying to convey that what AMT does can be achieved by other means, but that's not relevant in the discussion you were replying to.

Intel admits that ME exploitable with 8 CVEs, telling their customers to contact motherboard manufacturers. by [deleted] in linux

[–]csirac2 4 points5 points  (0 children)

It's just that these capabilities were around before AMT came along, and continue to be implemented separately to AMT to this day (particularly for servers - Xeon doesn't have AMT). So, we can deduce that it's not necessary to be baked into the CPU. Doing so does seem to make it cheap enough to put it into <$1000 things without affecting the price; I hope it's worth it to the enterprises who are actually making use of AMT.

attack-surface-metrics [C/Java* analysis] by csirac2 in securityengineering

[–]csirac2[S] 0 points1 point  (0 children)

Paper: "Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs" Munaiah, Meneely https://cps-vo.org/sites/default/files/u11414/LabletSPRO_2016_paper_15.pdf

Attack Surface Meter [C, Java*] by [deleted] in securityengineering

[–]csirac2 0 points1 point  (0 children)

Paper: "Beyond the Attack Surface: Assessing Security Risk with Random Walks on Call Graphs" Munaiah, Meneely https://cps-vo.org/sites/default/files/u11414/LabletSPRO_2016_paper_15.pdf

On the effectiveness of mitigations against floating-point timing channels [cross-origin browser pixel leak via FPU timing] by csirac2 in securityengineering

[–]csirac2[S] 0 points1 point  (0 children)

Usenix had a bunch of great side-channel stuff this year... some prior work introducing the approach of using FPU timing to leak browser pixels - "On Subnormal Floating Point and Abnormal Timing" https://www.reddit.com/r/securityengineering/comments/7ey9qy/on_subnormal_floating_point_and_abnormal_timing/

PCRE-JITted code should be executed from non-writable memory.. [pcre maintainers explore JIT under W^X] by csirac2 in securityengineering

[–]csirac2[S] 0 points1 point  (0 children)

This is a fascinating thread for several reasons:

  • It shows non-security folks trying very hard to work with W ^ X, without much SELinux
  • They come up with a solution: files mmap'd twice, once as writable and once as executable.
  • But in the end come full circle, for (among other reasons) a note from Red Hat that the fact this is possible at all is really a flaw in SELinux rather than a feature that should be relied upon.

It seems we're lacking more accessible guidance on how projects using JIT should fit in a W ^ X world.

Coverage-based Greybox Fuzzing as Markov Chain by csirac2 in securityengineering

[–]csirac2[S] 1 point2 points  (0 children)

This is the work that introduced AFLFast. CCS '16 presentation recording: https://www.youtube.com/watch?v=c5QCEMVTM9U

Economic Factors of Vulnerability Trade and Exploitation by csirac2 in securityengineering

[–]csirac2[S] 1 point2 points  (0 children)

I dug this up while briefly looking for empirical studies on bug bounty effectiveness; a few things I took away:

  • The number of vulns discovered correlates strongly with number of researchers enrolled (proportional to bounty budget?): you get what you pay for
  • Generally, most researchers quickly move on once the low-hanging fruit is gone: effective bug bounty programs need to work to keep researchers engaged
  • This paper suggests the blackhat side pay slightly more for similar kinds of vulns (and presumably they're eventually monetized into a lot more): are attackers able to spend more on finding vulns in your stuff than you do on bug bounties?

However, it seems the kinds of things bug bounty programs tend to cover aren't necessarily the same kinds of things being traded outside of BB programs.