In 2022 I spent a reasonable amount of time researching #linux kernel exploitation. As we come towards the end of the year I thought I would look back at some of the resources which were super useful to me coming from a Windows/macOS background, and why.
1. Understanding and Improving Linux Kernel Exploit Reliability https://usenix.org/system/files/sec22fall_zeng.pdf by ky1ebot. Developing memory corruption exploits is an art, and the more complex an exploit gets, the more its reliability tends to drop. This paper evaluates past methods and proposes a novel technique, context conservation.
My team actually used this within https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ to help increase the reliability of exploiting multiple UAFs.
2. The userfaultfd technique is dead on most Linux distros due to vm.unprivileged_userfaultfd. FUSE has come through as a good replacement for it. @jann mentioned this in 2016 and it is still applicable today, e.g. https://graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel by @chompie1337 and https://willsroot.io/2022/01/cve-2022-0185.html
3. Syzkaller is a game changer for kernel bug finding. A few things to say: 1) even existing public grammars can find bugs when targeted at specific areas; 2) extending coverage is a quick way to find bugs; 3) N-days often sit around in https://syzkaller.appspot.com/upstream
4. So with N-days often just sitting around, kCTF encourages researchers to triage existing bugs and develop new techniques to bypass existing mitigations, for both 0-day and N-day: https://security.googleblog.com/2021/11/trick-treat-paying-leets-and-sweets-for.html. As a researcher you can learn a lot from past bugs: https://docs.google.com/spreadsheets/d/e/2PACX-1vS1REdTA29OJftst8xN5B5x8iIUcxuK6bXdzF8G1UXCmRtoNsoQ9MbebdRdFnj6qZ0Yd7LwQfvYC2oF/pubhtml. There's also another great write-up by ky1ebot for his win here: https://blog.kylebot.net/2022/10/16/CVE-2022-1786/. Awarau and pql also described a vuln they found in io_uring and exploited here: https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/
5. Keeping on top of mitigations in your head is hard, especially if you are working on multiple platforms. My colleagues @saidelike and @fidgetingbits created https://github.com/nccgroup/exploit_mitigations to try to help track these. It's really early days, but any contributions are appreciated!
6. Finding structures of the right size with elements you want to control at certain offsets within them is tedious and time-consuming. CodeQL massively speeds up this process.
mmolgtm's article https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/ shows a query which can be used for this. Again, we used this within https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ to identify new exploit primitives.
7. The msg_msg technique, a favourite of exploit writers, used in https://willsroot.io/2022/01/cve-2022-0185.html / https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html / https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/, becomes less useful from 5.14, when GFP_KERNEL_ACCOUNT allocations end up in kmalloc-cg-* caches and your vulnerable object does not.
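As an added example, not code from this thread or from any of the linked projects, here is a small Python audit of the two host conditions items 2 and 7 turn on: whether vm.unprivileged_userfaultfd still permits the userfaultfd technique, and whether the kernel is 5.14 or later so GFP_KERNEL_ACCOUNT objects such as msg_msg sit in kmalloc-cg-* caches. It reads the standard Linux paths /proc/sys/vm/unprivileged_userfaultfd, /proc/sys/kernel/osrelease and /proc/slabinfo; the slabinfo excerpt embedded below is constructed so the parsing can be exercised offline.

```python
"""Added example (not from the thread or the projects it cites): audit a Linux
host for the userfaultfd sysctl and the 5.14 kmalloc-cg-* split the thread mentions."""
import re
from pathlib import Path

# Constructed /proc/slabinfo excerpt for offline use (not captured from a real host).
SAMPLE_SLABINFO = """slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ...
kmalloc-cg-4k 12 16 4096 8 8 : tunables 0 0 0 : slabdata 2 2 0
kmalloc-cg-96 40 42 96 42 1 : tunables 0 0 0 : slabdata 1 1 0
kmalloc-96 100 126 96 42 1 : tunables 0 0 0 : slabdata 3 3 0
"""

def userfaultfd_unprivileged(sysctl_value: str) -> bool:
    """vm.unprivileged_userfaultfd == 1 lets unprivileged users create userfaultfd handles; 0 kills the technique."""
    return sysctl_value.strip() == "1"

def kernel_version(release: str) -> tuple:
    """Parse an osrelease string such as '5.15.0-56-generic' into (5, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) if x else 0 for x in m.groups())

def has_cg_cache_split(release: str) -> bool:
    """From 5.14, GFP_KERNEL_ACCOUNT objects (msg_msg among them) come from kmalloc-cg-* caches."""
    return kernel_version(release) >= (5, 14, 0)

def cg_caches(slabinfo: str) -> dict:
    """Map kmalloc-cg-* caches to objsize (slabinfo columns: name active num objsize ...)."""
    caches = {}
    for line in slabinfo.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[0].startswith("kmalloc-cg-"):
            caches[fields[0]] = int(fields[3])
    return caches

def audit_host() -> dict:
    """Run the checks on the live host (/proc/slabinfo is readable by root only)."""
    def read(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    return {
        "unprivileged_userfaultfd": userfaultfd_unprivileged(read("/proc/sys/vm/unprivileged_userfaultfd")),
        "kmalloc_cg_split": has_cg_cache_split(read("/proc/sys/kernel/osrelease") or "0.0.0"),
        "kmalloc_cg_caches": cg_caches(read("/proc/slabinfo")),
    }
```

Call audit_host() on a real machine to see which of the two conditions apply; the individual functions take the file contents as strings so they can be unit-tested without root.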
8. Talking of kmalloc caches, cross-cache attacks are a thing and can be used when it's not possible to find an interesting object within your initial target cache. Markak describes this and other factors to consider when evaluating AUTOSLAB: https://grsecurity.net/how_autoslab_changes_the_memory_unsafety_game
9. Finally, a recent article by Awarau, https://interruptlabs.co.uk/labs/pipe_buffer/, describes a technique which provides an intuitive way to gain arbitrary read/write by targeting the page pointer of a pipe buffer.
10. This list wouldn't be complete without andreyknvl and a13xp0p0v with linkersec, and https://github.com/xairy/linux-kernel-exploitation, which goes into way more things going back over the years.
Apologies if I didn’t have some of your handles on here, I’m still getting to grips with who’s here now and who’s not :)