
human borrow checker (but logic bugs are best bugs).
works at Google Project Zero.

The density of logic bugs (compared to memory corruption bugs) goes down as the privilege differential between attacker context and target context goes up.

homepage: https://thejh.net
that's right, it goes in the ~/Downloads folder
oh, this sounds like an exciting Xen >=4.17 bug affecting HVM/PVH modes:
"Use after free of paging structures in EPT"
https://xenbits.xen.org/xsa/advisory-480.html

from the Security Cryptography Whatever podcast, talking about openssl API design choices: https://youtu.be/jhdLja5mWbU
Obviously you have to do a string compare to do AES GCM in OpenSSL 3

A few years ago I designed a way to detect bit-flips in Firefox crash reports and last year we deployed an actual memory tester that runs on user machines after the browser crashes. Today I was looking at the data that comes out of these tests and now I'm 100% positive that the heuristic is sound and a lot of the crashes we see are from users with bad memory or similarly flaky hardware. Here's a few numbers to give you an idea of how large the problem is. 🧵 1/5

I find stack overflow security bugs fascinating; and on Linux, compilers still don't protect against stack overflows by default when stack frames are bigger than stack guard pages.

So I went looking around in Android, and thanks to how Android's RPC mechanism allows recursive synchronous callbacks in some cases, I managed to find a way to jump a thread guard page in system_server from shell context and (with very low success rate) get instruction pointer control:
https://project-zero.issues.chromium.org/issues/465827985


🫸 Lifeguard at the lake
👉 WeiherGuard

randomly wondering: Are there file systems that support auto-freeing cache files on demand when disk space runs low? Like how, in memory management, there are ways to mark memory as "please discard these pages/mappings if the OS wants more RAM"?

In memory management, people say "free space is wasted space", and while I know SSDs and free space are a complicated topic, it kinda seems like the idea should also work for disks to some extent?

A tale in 3 pictures. In which our hero wonders if he can and doesn't stop to ask if he should.

#c #programming

ooh, I didn't realize that the playback speed adjustment that browsers have built-in allows you to disable pitch correction!
https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement/preservesPitch
I wonder if the primary motivation for adding that flag was nightcore

The HTMLMediaElement.preservesPitch property determines whether or not the browser should adjust the pitch of the audio to compensate for changes to the playback rate made by setting HTMLMediaElement.playbackRate.

in Rust it is apparently normal that you can create a vector, call functions on it that resize it and whatnot, and then later insert elements, and the element insertion implicitly provides the type and element size needed to compile preceding method calls