Reviews and Comments

This paper predictably finds a lack of authentication and cryptographic protections in a legacy RF protocol that is designed to work around the world for life-saving signals. While they determine is it possible to spoof a signal in a lab environment, and call for improved authentication, etc. they fail to include the international legal framework surrounding these signals, and the fact that in a safety-critical environment, a signal discarded due to lack of nonce freshness is more risky than allowing bad actors with drones to send illegal signals.

This paper explored the weaknesses and risks associated with modern exception handlers (across all major OS and architectures) in unwinding attacker-controlled state. The most powerful example is a bypass of stack canaries where a function throws an exception after the overflow but before the function return; the exception handler would eventually execute attacker-controlled memory.

There is an attempt to quantify the overall impact of this mitigation bypass by looking at the Debian repos for code that uses exception handlers, but it is quite context sensitive. The paper concludes with three CVEs that would be exploitable with current mitigations (stack canaries, etc.) using the new technique.

Nice applied research on automatically searching for privesc weaknesses in signed Windows driver binaries. While they found a lot of initial drivers to test, the corpus was slimmed down by the sources and sinks they used to search for. Still managed to find a few dozen new vulnerabilities.

This book got me interested in what expressive types can do for software development, maintenance, etc. While I never built anything real with Idris, I did love the programming approach versus that of Coq; I was able to express some type declarations that not only enforced a semantic correctness property, but also a worst-case runtime for the implementation.

I hope to see languages like Idris become more real-world useful, and more popular languages improve the expressiveness of their type systems.

This talk covers such an important concept of market forces and complexity and the resulting security externalities. It does so in a clean manner that can be widely understood. It reminds me of a [paraphrased] quote of Mike Walker, "that software tells the CPU what it cannot do".

It is both an explanation for the current state of affairs, and a call to arms to improve and look for simplicity and concise definitions of the needed functionality. As a proponent of LangSec, I heartily agree!

This is required reading for every new Thinkst employee, and it was a treat to be exposed to it. It helps contextualize the process of getting stuff done, and how easy it is to build processes and offramps to not focusing on what is important.

Coming back to it periodically when I've had a bit of a lull in my own research helps to revive my interest in exploring and learning new things through research.

[Included in ThinkstScapes]

This paper explored using ML techniques to identify LTE devices streaming specific content via their bandwidth fingerprint. The authors identify that video streaming encodes a specific duration of video into a data-chunk, so each video has a unique sequence of transmitted chunk sizes, allowing for fingerprinting a media sample, and then classifying an encrypted network stream to determine if it is that video.

The experiment ran both open and closed world, and showed high accuracy, even with other device processes using data, and with other channel usage to increase channel capacity. In short, they were able to [with high confidence] determine what video every LTE device was watching in a cell (assuming it was seen prior).