Congratulations to my @census_labs colleague Zisis Sialveras (@_zisis) for being accepted to present his amazing work on VMware vulnerability research and exploit development at Black Hat USA 2024: https://t.co/74q3KL0CaI
@dwizzzleMSFT @parityzero Thanks for sharing. Looking forward to adding stronger access control on top (AppContainer SID based?). Eliminating key lifting is a great first step, but protecting against unauthorised key usage from admin/system-level actor is also essential. Identity keys desperately need it.
I’m hiring to grow our confidential computing security eng. team (edge devices & cloud platforms). If hypervisors, virt, attestation, (v)TPM, KVM, crosvm, SGX/TDX/SEV-SNP/VMPL, dynamic passthrough & VirtIO tickle your brain, drop me a message to discuss potential opportunities.
CENSUS is a sponsor of the 6th Cybersecurity in Financial Services Summit 2023 taking place on November 21st in London.
Our presentation titled “AI-Are we doomed?” will shed light to the fascinating yet scary world of AI and how it affects #Financial Institutions & Cybersecurity.
If you enjoy working on software security assessments, please note that our "Application Security Engineer" position is now also open for remote working https://t.co/vOgQDVMfRJ #infosec
Do you enjoy working on Trusted Boot, Trusted Execution Environments, Secure Elements, HSMs, CPU virtualization, hardware attestation, embedded architecture sec. reviews, hardening kernels, system components or bare metal firmware? This job is for you: https://t.co/FOrDRGHn71
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027); epic logical exploitation writeup by huku: https://t.co/ZAc64X1SUj
Rust in the Android platform!
We’re excited to announce that the Android Open Source Project (AOSP) now supports the Rust programming language for OS development!
https://t.co/pY9R4rXIvr
This was never meant to be released. https://t.co/lWZvdV9K6t
I once reported the xpu2/xpu3 0-day to qc, and they seem to have fixed it on the latest sdm platform, thus it's time to release this now. Enjoy getting full control. It's easiest using it on an unfused device :D
We're growing our hardware lab team at @census_labs. Now looking for a dedicated electronics engineer. For more information see: https://t.co/aZpD6cddo8
@shawnwillden@phhusson@MishaalRahman@topjohnwu@DanielMicay My point is, DICE design assumes UDS access only from BootROM (pbl), but in QC stack qfprom is accessible from EL3 (xbl_sec), which is part of first stage bootloader. How is the original design not violated in the QC case?
@shawnwillden@phhusson@MishaalRahman@topjohnwu@DanielMicay Thanks for sharing. Curious how QC will impl. the UDS latch. Assume similar to SHK don’t want ODM to fuse so will be OEM burned at SecBoot enable stage. QFPROM r/w perm table in shadow mem is the main acl for fuses afaik, which with EL3 exec is modifyable. Any info you can share?
@phhusson@MishaalRahman@topjohnwu@DanielMicay If you're not familiar with the DICE concept, here it is: Start with a device-unique secret fused into the SoC. The ROM uses this secret and a hash of the first bootloader stage to derive an EC key pair, then flips a switch that disables access to the fuses until next reboot.
[BLOG] A Deep Dive Into Samsung's TrustZone (Part 3)
In which code execution at Exception Level 3 (EL3), the highest privileged, is achieved.
Work by @patateQbool@NeatMonster_@lyte__ presented at BlackHat Las Vegas 2019
* includes a new bug, now fixed.
https://t.co/gdvESyubiS
I repurposed @maddiestone's #BadBinder PoC for the S8/S8 Active Snapdragon. I bypass DAC + SELinux + Knox/RKP using a couple techniques I developed that I haven't seen used before. PoC here: https://t.co/bskvpBUlry
VdexExtractor 0.6.0 released with Android 10 support. Seems that new 021 version has minor changes to support Vdex files generated from InMemoryDexClassLoader. To worry about perf there, G seems to invest a lot on it. | https://t.co/MDsPFePWE6
@viperbjk@Qualcomm I see. Btw isn't Xiaomi the case that they release this mi flasher utility (wraps around sahara) that embeds fh loaders & has some sort of auth to use the tool? Since this was not backed from HW, SW-side was cracked easily (AFAIR). So from what you say seems they filled the gap.
@viperbjk@Qualcomm So my translation is that QC empowered OEMs to be more open with fh loader sharing, as edl actions are gated from VIP signed table bin. If they actually do it is a different story.
@viperbjk@Qualcomm Impact to research on the other hand is greatly affected. Last time I checked rx payloads were checked for valid sigs at the usb receive callbacks, so cannot speak at all with fh cmd handler without access to signing key.