Exploit use-after-free bugs in dedicated cache This is just a demonstration. HOWTO free the target object spray and eat all available memory, take high memory usage, hope to have the freed object poisoned trigger the use-after-free NOTICE For each cache, the Slab allocator keeps three doubly-linked lists of slabs: full slabs: all objects of a slab are used (i.e. allocated) free slabs: all objects of a slab are free (i.e. the slab is empty) partial slabs: some objects of the slab are used and other are free We may need to make the target object in free slabs

by Shawn C[ a.k.a “citypw”] Meltdown/Spectre Google project zero’s write-up explains how the vulnerablities( meltdown, spectre v1/v2) work. More info about v3a and v4, check Google project zero’s bug tracker and INTEL-SA-00115. Vulnerablity Affect Kernel mitigation Compiler support v3 Meltdown( rogue data cache load (CVE-2017-5754)) < IceLake( 2018/2019) KPTI/ PAX_UDEREF N/A Spectre v1( bounds check bypass (CVE-2017-5753)) < IceLake( 2018/2019) Code hardening N/A Spectre v1.1 ( Bounds check bypass on stores( CVE-2018-3693)) < IceLake( 2018/2019) ?

For we wrestle not against flesh and blood, but against principalities, against powers, against the rulers of the darkness of this world, against spiritual wickedness in high places. — Ephesians 6:12 Original art design - The Fellowship of Libre firmware: Hunting the Shadow 最初の章：預言者の到来 Since the birth of the technology deity, the free software/firmware/hardware community has faced numerous adversaries, and Intel ME (Management Engine) stands as one of the most clandestine enemies.

Principle of OTR protocol Diffie–Hellman (DH) key exchange Diffie–Hellman key exchange is performed between integers and a finite cyclic group. Started here, integers are represented with lowercase letters, while elements of the cyclic group are represented with uppercase letters, and “==” is used to represent mathematical identity. Character of finite cyclic groups The number of the elements of a finite cyclic group is finite (as its name), and is called the order of the group.

=== Abstract perf is a complex system in linux kernel, and exists other vulnerabilities like CVE-2013-2094. Di Shen, a member of Keen Team, presetated a parper (Defeating Samsung KNOX with zero privilege)[1] that mentioned CVE-2016-6787[2]. Analysis of CVE-2016-6787 This is a double-free vulnerability. The vulnerable object is struct perf_event_context. Review below code firstly, the mainly bug is in the if(move_group) statement; thus set move_group to 1 is necessary. We will talk about how to set the variable move_group up in later section.

Install the prerequisite packages: Or if you are using PaX/Grsecurity 4.9.x: Install the CHIPSEC Firmware security checklist based on CHIPSEC According to the firmware security training from McAfee Advanced Threat Research. CHIPSEC modules perform a couple checks for the auditing purposes: Issue CHIPSEC Module References SMRAM Locking common.smm CanSecWest 2006 BIOS Keyboard Buffer Sanitization common.bios_kbrd_buffer DEFCON 16 SMRR Configuration common.smrr ITL 2009, CanSecWest 2009 BIOS Protection common.bios_wp BlackHat USA 2009, CanSecWest 2013, Black Hat 2013, NoSuchCon 2013 SPI Controller Locking common.