"OpenSSH Backdoors" -- a few thoughts on supply-chain attacks against OpenSSH, and what we can learn from both historical and modern events. https://blog.isosceles.com/openssh-backdoors/
OpenSSH Backdoors

Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss

Isosceles Blog
@howelloneill Baseball has the "wins above replacement" stat to capture this idea (or fWAR seems to be most popular), but I wasn't sure if the same thing existed in the NBA. It looks like they have something called "value over replacement player" (VORP) which is kind of similar. LeBron's VORP in 2003/2004 was 2.9. Wemby's VORP so far? Also 2.9.
Robots Dream of Root Shells -- can AI be used to automatically discover security vulnerabilities? https://blog.isosceles.com/robots-dream-of-root-shells/
Robots Dream of Root Shells

It's been an incredible year for AI. Back in the early 2000s, there were AI posters up all over my local computer science department, and it was all genetic algorithms, genetic programming, and particle swarm optimization as far as you could see. They could figure out if a circle was

Isosceles Blog
@gbrls It's been very good overall! I'm not an expert, but for what I'm doing it seems to work well. The only thing I miss is a built-in counter for post visits, like it'd be good to know how many people viewed the post without having to use Google Analytics.

"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).

https://blog.isosceles.com/the-webp-0day/

We suspect that this is the same bug that Citizen Lab reported to Apple after detecting an NSO Group exploit chain called "BLASTPASS" that was used to attack a Washington DC-based civil society organization.

Many thanks to mistymntncop who made several key technical contributions to this analysis.

The WebP 0day

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google

Isosceles Blog
Phineas Fisher, Hacktivism, and Magic Tricks -- a brief look back at the hacking techniques and lasting impact of Phineas Fisher. https://blog.isosceles.com/phineas-fisher-hacktivism-and-magic-tricks/
Phineas Fisher, Hacktivism, and Magic Tricks

It's said that a good magician never reveals their secrets. Computer hacking is a particularly good type of magic trick, and for the most part, hackers don't reveal their secrets either. It's sometimes hard to reconcile this, because we read about hacking all the time -- in newspapers, at conferences,

Isosceles Blog

What is a "good" Linux Kernel bug?

"In the world of vulnerability research, we like to call bugs 'good' if they're bad, and 'bad' if they're either boring or completely catastrophic."

https://blog.isosceles.com/what-is-a-good-linux-kernel-bug/

What is a "good" Linux Kernel bug?

I found my first Linux kernel vulnerability in 2006, but it wasn't a particularly good one. At the time I was just copying everything that my colleague Ilja van Sprundel was doing, and that was good enough to find something. If you watch Ilja's video from CCC, Unusual Bugs (2006)

Isosceles Blog
@Lee_Holmes Yeah, I think the key is that different bugs in the same bug class can have quite different exploitation properties. Like you can have a UAF where all you get for the "use" is a super-benign read of a bit-field or something, but then others can be directly used to hijack control flow through a vtable or something. They're definitely not "equivalent" in terms of exploitability, despite being in the same bug class. I probably should have made that point clearer in the post now that I think about it...

How can you show that a bug is exploitable without actually writing an exploit? Exploit equivalence classes. https://blog.isosceles.com/exploit-equivalence-classes/

This post shares a model based on the set theory concept of "equivalence classes" that can help security researchers and vulnerability triage teams assess and communicate the exploitability of bugs in a consistent way.

Exploit Equivalence Classes

A long time ago I went to a small university in New Zealand to get a math degree. It was one of those things that happened mostly through inertia -- like most kids I knew, I wasn't super interested in studying. I signed up for a bunch of classes, but

Isosceles Blog
@againsthimself Yeah, and my hypothesis is that if I crank all these dials up to 11 then some cool bugs will fall out. Science! Just waiting for my fuzzer to accidentally find the room-temperature superconductor...