
human borrow checker (but logic bugs are best bugs).
works at Google Project Zero.

The density of logic bugs (compared to memory corruption bugs) goes down as the privilege differential between attacker context and target context goes up.

homepage: https://thejh.net
that's right, it goes in the ~/Downloads folder
@ljs very annoying that some CPUs have magic hardware fairies that just make it all coherent
@ljs cache coherency issues are one of my favorite security bug types, it's like memory time travel, you can see past states of memory or make memory contents change out of nowhere
oh, this sounds like an exciting Xen >=4.17 bug affecting HVM/PVH modes:
"Use after free of paging structures in EPT"
https://xenbits.xen.org/xsa/advisory-480.html

from the Security Cryptography Whatever podcast, talking about openssl API design choices: https://youtu.be/jhdLja5mWbU
Obviously you have to do a string compare to do AES GCM in OpenSSL 3

@chandlerc @DanielaKEngert @anteru posteo does have a thing where incoming email is cryptographically protected when being stored to disk, in a way that ties back to the user's password; https://posteo.de/en/site/encryption#cryptomailstorage documents this and Posteo's interpretation of what they can be compelled to do under German law.
Of course, something more comprehensive that also protects mail in transport would require protocol changes...

@jannic that MSPLIM thing you linked to seems to be specific to Cortex-M chips, probably for when you don't have an MMU?
When you have an MMU, I imagine explicit stack pointer limit checks probably cause unnecessary hardware overhead compared to relying on implicit bounding by guard pages?
A few years ago I designed a way to detect bit-flips in Firefox crash reports and last year we deployed an actual memory tester that runs on user machines after the browser crashes. Today I was looking at the data that comes out of these tests and now I'm 100% positive that the heuristic is sound and a lot of the crashes we see are from users with bad memory or similarly flaky hardware. Here are a few numbers to give you an idea of how large the problem is. 🧵 1/5
@ljrk Yeah, stack overflows in particular feel to me like the programmer isn't really making a particular mistake that can be called a security bug, it just randomly happens in legitimate code... and the only thing that can reliably stop it is the compiler. So it kinda feels wrong to me to call it a hardening flag, it feels more like a... correctness flag?

I find stack overflow security bugs fascinating; and on Linux, compilers still don't protect against stack overflows by default when stack frames are bigger than stack guard pages.

So I went looking around in Android, and thanks to how Android's RPC mechanism allows recursive synchronous callbacks in some cases, I managed to find a way to jump a thread guard page in system_server from shell context and (with very low success rate) get instruction pointer control:
https://project-zero.issues.chromium.org/issues/465827985
