Niklas B
0x10 engineer
2,803 Tweets · 619 Following · 12,339 Followers
Tweets
Niklas B Feb 7
Replying to @domenuk @bkth_
I mean, probably not?
Niklas B Feb 6
Replying to @bkth_
(except on MIPS, where no such mitigations are used) The full bug report is at
Niklas B Feb 6
just found that this writeup for CVE-2019-9793, a range analysis bug in SpiderMonkey found by and analyzed by me, is now unrestricted: I thought it was a cool bug, although unfortunately Spectre mitigations prevented exploitation as far as I know
Niklas B Feb 5
Replying to @s1guza
Imagine PR department telling eng to run it through a linter before release to avoid the public embarrassment
Niklas B Feb 4
Replying to @domenuk
.gov really needs to work on their exploit stability holy cow
Niklas B Jan 31
Replying to @matalaz @pati_gallardo
but they have the most modern ROP protections
Niklas B Jan 29
Replying to @bkth_ @farazsth98 and 2 others
It is a little known fact that this technique was already used to bypass CFI in ancient Rome cc/
Niklas B Jan 29
as I said, it would "only" be an engineering problem to implement reliably and universally
Niklas B Jan 29
I mean, it might be an engineering effort, but that shouldn't be taken into account when designing a mitigation IMO. Also, it has already been done
Niklas B Jan 29
To avoid the need for stack pivoting, a trivial method in the absence of back edge CFI would be to just write to the stack
Niklas B Jan 29
Plus, constructing arbitrary call gadgets in JIT seems very doable regardless of constant blinding, and that's all you really need
Niklas B Jan 29
The intended purpose of JIT constant blinding is that you cannot straight up inject shellcode into +X regions. With it present, you have to go the code reuse route, and let's be honest, there is plenty of code to reuse
Niklas B Jan 28
Replying to @s1guza
they don't usually assign CVEs for internally discovered bugs AFAIK
Niklas B Jan 28
Replying to @dveditz
That's really good to know, thanks!
Niklas B Jan 28
Replying to @dveditz
Ah, good point. In this case the concern was a compromise of the host serving , DNS is maintained externally
Niklas B Jan 28
Replying to @kiqueNissim
Yeah exactly, that's what I meant, in most practical cases all of the origins can "set" cookies for any of the other origins
Niklas B Jan 28
Replying to @kiqueNissim
But can it not shadow over a cookie in the sub origin?
Niklas B Jan 28
Replying to @kiqueNissim
Oh ok, that is good to know!
Niklas B Jan 28
Replying to @kiqueNissim
my understanding was that it works both ways
Niklas B Jan 28
Replying to @terjanq
Assume that the sub-origin is not cooperating in that fashion