Security engineer, CTF player for @0rganizers. Mastodon: @nspace@infosec.exchange

Joined January 2018
EntrySign won 2 pwnies 🤯🤯
Our new blog post is out! Check it out, I think we got some really cool results in this one.
Our latest post details how we exploited Retbleed (a CPU vulnerability) to compromise a machine from a sandboxed process and VM! Curious? 👇 bughunters.google.com/blog/6…
Very cool! Yeah let's get in touch.
EntrySign was nominated for two Pwnies (best crypto bug and best desktop bug)! 🥳 piped.video/live/TuKPA-CeDFA… @__spq__ @sirdarckcat @taviso
The recording of our OffensiveCon presentation about EntrySign is live! piped.video/sUFDKTaCQEk Slides at entrysign.top @sirdarckcat @__spq__
As promised, more details! TL;DR: AMD used CMAC with an example key from the standard as a hash function for the microcode update signatures. This let us create signatures that look valid to the CPU.
Here are the details about the AMD signature verification vulnerability we worked on. Enjoy! bughunters.google.com/blog/5…
Replying to @yo_yo_yo_jbo
No, it's a kernel mode virtual address, so it's 0xffffXXXXYYYYZZZZ but on 64-bit Linux unsigned long should be 64-bit wide. That code won't work as-is on other OSes or on 32-bit so it should be fine. It's hacky research code :D
Replying to @yo_yo_yo_jbo
This is all for now but there will be more details in March :)
Replying to @yo_yo_yo_jbo
That's where I got the idea yeah 😆
github.com/google/security-r… Our newest research project is finally public! We can load malicious microcode on Zen1-Zen4 CPUs!
A bit late but here is a recording of the mix I did for the LakeCTF 2024 finals (lakectf.epfl.ch). 6 hours of my favorite peak time and minimal techno, enjoy! soundcloud.com/nspace-877713…
🇪🇺🗳️:✅ 🥳
Replying to @0xbbjubjub
Did Deutsche Bahn have other plans for you?
Replying to @spendergrsec
Do you have any suggestions on what benchmarks to run? 🙂 I asked in the lkml thread but no one replied
Replying to @antoniofrighez
Yeah. I don't want to call it type isolation because you can still have objects of two different types in the same cache and confuse between them.
Replying to @antoniofrighez
This is not type isolation, it prevents attackers from confusing between objects allocated in two different caches. It's a prerequisite for type isolation and similar mitigations