"OpenSSH Backdoors" -- a few thoughts on supply-chain attacks against OpenSSH, and what we can learn from both historical and modern events. https://blog.isosceles.com/openssh-backdoors/
OpenSSH Backdoors

Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss

Isosceles Blog
Robots Dream of Root Shells -- can AI be used to automatically discover security vulnerabilities? https://blog.isosceles.com/robots-dream-of-root-shells/
Robots Dream of Root Shells

It's been an incredible year for AI. Back in the early 2000s, there were AI posters up all over my local computer science department, and it was all genetic algorithms, genetic programming, and particle swarm optimization as far as you could see. They could figure out if a circle was


"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).

https://blog.isosceles.com/the-webp-0day/

We suspect that this is the same bug that Citizen Lab reported to Apple after detecting an NSO Group exploit chain called "BLASTPASS" that was used to attack a Washington DC-based civil society organization.

Many thanks to mistymntncop who made several key technical contributions to this analysis.

The WebP 0day

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google

Phineas Fisher, Hacktivism, and Magic Tricks -- a brief look back at the hacking techniques and lasting impact of Phineas Fisher. https://blog.isosceles.com/phineas-fisher-hacktivism-and-magic-tricks/
Phineas Fisher, Hacktivism, and Magic Tricks

It's said that a good magician never reveals their secrets. Computer hacking is a particularly good type of magic trick, and for the most part, hackers don't reveal their secrets either. It's sometimes hard to reconcile this, because we read about hacking all the time -- in newspapers, at conferences,


What is a "good" Linux Kernel bug?

"In the world of vulnerability research, we like to call bugs 'good' if they're bad, and 'bad' if they're either boring or completely catastrophic."

https://blog.isosceles.com/what-is-a-good-linux-kernel-bug/

What is a "good" Linux Kernel bug?

I found my first Linux kernel vulnerability in 2006, but it wasn't a particularly good one. At the time I was just copying everything that my colleague Ilja van Sprundel was doing, and that was good enough to find something. If you watch Ilja's video from CCC, Unusual Bugs (2006)


How can you show that a bug is exploitable without actually writing an exploit? Exploit equivalence classes. https://blog.isosceles.com/exploit-equivalence-classes/

This post shares a model based on the set theory concept of "equivalence classes" that can help security researchers and vulnerability triage teams assess and communicate the exploitability of bugs in a consistent way.

Exploit Equivalence Classes

A long time ago I went to a small university in New Zealand to get a math degree. It was one of those things that happened mostly through inertia -- like most kids I knew, I wasn't super interested in studying. I signed up for a bunch of classes, but


"How to Build a Fuzzing Corpus" introduces some of the basic theory behind using a seed corpus for fuzzing, and answers three key questions: what is a seed corpus, why are they useful, and how can we build one from scratch?

https://blog.isosceles.com/how-to-build-a-corpus-for-fuzzing/

How to Build a Fuzzing Corpus

Fuzzing for security vulnerabilities is a strange thing. Throwing randomly generated or mutated data at an application until it crashes sounds like an extremely primitive way to find vulnerabilities, and yet the last decade is full of fuzzing success stories. In many respects, it's still poorly understood why fuzzing works

@hawkes Great post! One of the goals of the V8 Sandbox (https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit?usp=sharing) is to eventually force attackers to exploit a second, less reliable memory corruption bug to get out of the V8 sandbox after the initial, usually extremely reliable V8 exploit.
V8 Sandbox - High-Level Design Doc

V8 Sandbox Aka. “Ubercage” Author: saelo@ First Published: July 2021 Last Updated: July 2022 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and covers the high-level design of the sandbox. Summary Objective: build a low-overhead, in-process sandbox for V8. ...

Google Docs

New Isosceles blog: https://blog.isosceles.com/an-introduction-to-exploit-reliability/

"An Introduction to Exploit Reliability" is a short, high-level overview of exploit reliability from a defensive point-of-view. What is exploit reliability? What can defenders do to make writing a reliable exploit harder?

An Introduction to Exploit Reliability

Earlier this year I was invited to give a talk at University of California San Diego (UCSD) for Nadia Heninger's CSE 127 ("Intro to Computer Security"). I chose to talk about modern exploit development, stepping through the process of finding and exploiting some of the memory corruption bugs that the

@hawkes Good read! Stagefright is one of my favourite bugs, and I also loved Mark Brand's followup research in "Return to libstagefright".