Earlier this week, security research firm FireEye published a finding about what is now known as the SolarWinds Orion supply chain attack. The threat actor group (dubbed UNC2452 for now) was observed to have carried out said supply chain attack to serve malicious updates with a backdoor via the SolarWinds Orion Platform software. The details […]
Author: Rayden Chia
(This article was written for the MIT 6.858 Computer Systems Security class to supplement lecture content, but is not intended to be a replacement for attending lectures. The 2020 lecture video can be found here.) What comes to mind when you hear the buzzword “containerization”? Perhaps you have heard of software packages such as Virtuozzo, […]
Zero Knowledge: SNARKs vs. STARKs
Introduction With the rise of cryptocurrencies like Ethereum, zero-knowledge proof technology is increasing in popularity due to the variety of its applicable use cases, such as verifiable computation and privacy-preservation. In this article, we aim to review the class of zero-knowledge proof constructions by Ben-Sasson, Bentov, Horesh and Riabzev (BBHR18) in 2018 that overcomes the abovementioned […]
Introduction Mathematical programming (MP) is a very useful tool for solving complex problems that can be modeled as an objective function with a set of mathematical constraints. A wide variety of research disciplines currently use MP techniques to aid in complicated decision-making, from management science to engineering to the military. Since MP is concerned with […]
This month I was at Black Hat and there was a new buzzword being tossed around by security vendors in the business hall: Zero Trust. I always like to see what exciting new concepts the security industry tries to productize and incorporate into their product demos to convince budget decision makers to buy them, so […]
Although I didn’t have much time to do CTFs as of late, I sat down for part of the DEFCON 2018 Qualifiers with HATS_SG. Among the challenges solved, Mario was a rather peculiar (and somewhat amusing) one that involved multiple heap exploitation techniques along with some tricks to get an exploit working successfully. Overview We […]
tcache dup makes use of a double free (like fastbin dup). The fastbin dup makes use of the fastbin freelists, while tcache dup makes use of the tcache freelists. When we allocate a chunk and free it twice, the subsequent allocations will be duplicates and we can trick the allocator into returning a desired memory […]
(Update 05/2019: Made a note that this method is now patched in glibc>=2.29) The “House of Force” is a glibc heap overflow exploitation technique first named in the archived email “Malloc Maleficarum” by Phantasmal Phantasmagoria, and subsequently a PoC surfaced online in the Phrack magazine. Vector The House of Force technique overwrites the top chunk […]
Consider what happens if we allocate a fastbin-sized chunk and free it multiple times. We know that free() pushes the freed chunk to the fastbin, but if freed multiple times, the same freed chunk would end up multiple times in the same fastbin, which makes reallocation of the same chunk to different allocation requests possible. This is […]
Update 06/2018: Added thread-local caching (tcache) Introduction to glibc malloc What is the heap? If you’ve taken an operating systems class before, you might recall that it is a free-floating region of memory that is managed by a memory allocator. When using a memory allocator to allocate memory, we call it dynamic memory allocation. In […]