URB Excalibur: The New VMware All-Platform VM Escapes [pdf]

https://static1.squarespace.com/static/5f3c7479f4b3c702571a047d/t/66254fd51f55767c1f60612a/1713721307086/CSW24--URB-Excalibur-The-New-VMware-All-Platform-VM-Escapes.pdf?s=09

Hexacon agenda is up!

https://www.hexacon.fr/conference/agenda/?s=09

Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051)

https://www.coresecurity.com/core-labs/articles/windows-dwm-core-library-elevation-privilege-vulnerability-cve-2024-30051?s=09

Deploying Rust in Existing Firmware Codebases by @dmnk et al.

https://security.googleblog.com/2024/09/deploying-rust-in-existing-firmware.html

‘Everything happens for a reason’ sounds less comforting when the reason is very fucking poor planning

We want your old GPUs that were destined to become e-waste.
We're repurposing outdated GPUs to tackle challenging computer security and program analysis problems. https://buff.ly/3XsbdgJ

In light of the Internet Archive losing its appeal to hachette, I just wanted to point out some websites you should avoid:

* https://annas-archive.li/
* https://downmagaz.net/
* https://ebook-hunter.org/
* https://forcoder.net/
* https://freemagazines.top/
* https://liber3.eth.limo/

If you were to download books from these websites, you might cut into hachette's more than three billion dollars of annual revenue. So make sure to avoid those websites and the following:

* https://libgen.is/
* https://oceanofpdf.com/
* https://pdfroom.com/
* https://pdfstop.com/
* https://pdfdrive.to/
* https://pdfmagazines.club/
* https://sci-hub.se/
* https://singlelogin.re/
* ... or any of the other sites listed at https://rentry.co/megathread-books

#internetarchive

Fucking @buherator trying to kill me with this home made Palinka

#JeSuisLampshade #AlligatorCon

Security mitigation for the Common Log Filesystem (CLFS)

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/security-mitigation-for-the-common-log-filesystem-clfs/ba-p/4224041?s=09

#windows

"Today, the White House Office of the National Cyber Director (ONCD) released a Roadmap to Enhancing Internet Routing Security, which aims to address a key security vulnerability associated with the Border Gateway Protocol (#BGP) "

https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/press-release-white-house-office-of-the-national-cyber-director-releases-roadmap-to-enhance-internet-routing-security/?s=09

⚡ Operator Fabric is an open source platform built by the LF Energy Foundation (https://lfenergy.org/) for use in electricity, water and other utility operations.

Last May we did a security audit sponsored by the Open Source Technology Improvement Fund (https://ostif.org) 🙏

Read a summary of our findings and find the full report here:

https://blog.quarkslab.com/audit-of-operator-fabric.html

Ongoing slab hardening efforts

Recently, there have been multiple efforts to make the exploitation of slab memory corruptions harder.

🧵[1/5]

I started a couple of forest fires to heat my burrito and I'm surprised by the results! It was still frozen in the middle by the end of the experiment, so it's far from perfect, but I think forest fires have a lot of potential and will revolutionize the burrito heating industry!

If you plan to meet some hackers in Krakow this week check your e-mail, esp. your spam folder!

#AlligatorCon

[RSS] Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)

https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42?source=rss-4b564abdafa3------2

#linux

I’ll reiterate what many others have said about the yubikey story - unless you’re the target of super sophisticated actors who do not want you to know they’ve stolen your yubikey*, this is a bit of a non-event and highlights the importance of keeping track of your yubikeys. Please don’t toss them, but do keep an eye out for further developments. Once an issue like this is identified, it attracts a lot of attention from many smart people and there may will be other findings in the future, but for now, yubikeys are good enough for most of us.

* I know there are a bunch of people convinced you’re being pursued by these advanced adversaries. I worry about you. For many reasons.

Tired of using debuggers and manually exploring the program's state space? Too annoying to find the inputs you need to trigger the bug? Ever wanted to interactively see what your static analysis tool was really thinking?

With my collaborators from the University of Tartu (Karoliine Holter, Juhan-Oskar Hennoste, Simmo Saan, Vesal Vojdani), we have an Onward! paper about abstract debugging, where you can "step through" the abstract state of the program, as computed by a static analysis tool.

To appear at Onward! 2024: "Abstract Debuggers: Exploring Program Behaviors Using Static Analysis Results".

https://patricklam.ca/papers/24.onward.abs-debug.pdf

And a special thanks to the SIGPLAN-M mentoring program for matching me with these collaborators!

Hello, Fediverse! We're Kagi, and we're on a mission to create a friendlier, more human-centric internet that has the users' best interest in mind.

Our core product is a search engine that is ad-free, tracking-free, and fully supported by our users. We've worked hard to deliver a high-quality, fast, and reliable search experience without compromising user privacy: https://kagi.com/

Excited to engage with the community here.

#Search #Privacy #AdFree

s/middleware/dark matter/