Matasano Chargen: Dowd’s Flash Report: What Have We Learned?

  • nirva · 1 year ago
    too late...

    PARIS, April 9 /PRNewswire-FirstCall/ -- During the Go Tournament in
    Paris, staged between 22 and 24 March 2008 by the French Go Federation
    (FFG), the MoGo artificial intelligence (IA) engine developed by INRIA -
    the French National Institute for Research in Computer Science and Control
    - running on a Bull NovaScale supercomputer, won a 9x9 game of Go against
    professional 5th DAN Catalin Taranu. This was the first ever officially
    sanctioned 'non blitz' victory of a 'machine' over a Go Master.
  • Chris · 1 year ago
    Only got about halfway through the paper. Nice summary posts, Thomas. I think everyone is waiting for the next 'bug class' but in reality it's probably not going to happen. It's most likely going to be application-specific 'attack classes' from now on. I don't think I'm gonna break out the water colors just yet...
  • Thomas Ptacek · 1 year ago
    Danny, come on. That's a 9x9 game, and the problem with Go is the combinatorics. Real Go games are 19x19.
  • Ryan Russell · 1 year ago
    I don't see how W^X and ASLR and ilk are supposed to help significantly when the target is a language interpreter...
  • Thomas Ptacek · 1 year ago
    I think that's my point; they're assuming that the target of memory corruption is a function pointer for the native architecture.
  • Christian · 1 year ago
    Glad to see that the Terminator comes from Australia :)
  • pepe · 1 year ago
    So...people are going towards complex language interpreters and discover new unforeseen consequences. But everybody knows that Flash is crap, as is Java. Isn't "complexity is evil" one of the main lessons here?

    Wish W3C would have included videos in HTML..

    Anyway, what about c++ exception handling? Without a handler for expected errors that can be handled, it should safely abort my program, right?
    Or is it, in a way, the same problem: A lot of generated code that could be buggy and thus could be exploited during stack unwinding?
  • sigsegv · 1 year ago
    That line about all of us being human beings and Mark Dowd being a remorseless killing machine made me grin.

    Props to Mark for finding the vuln.
  • cyber globetrotter · 1 year ago
    I agree that interpreters are likely an easier target for application-specific attacks due to the degree of control an attacker has on the target environment. However, I disagree with the claim that mitigations may offer little help for flaws found in an interpreted runtime. One will still need to have knowledge of the address space in most cases and there should never be a reason for interpreted bytecode to be stored in an executable memory region.

    For example, if Adobe had compiled with dynamicbase and had marked the memory region containing the SWF file as NX (with appropriate hardware support), it would have been quite a bit more difficult to exploit this vulnerability. It would not have been possible to assume the address of the AS3_argmask array and it would not have been possible to execute native code embedded within the SWF file. Both of these things were pivotal requirements for Dowd's exploit.

    Regardless, many props to Mark for his awesome work :)
  • mark · 1 year ago
    @cyber globetrotter:
    Another mitigation that would make this exploit hard (impossible?) would be to make the AS3_argmask table read-only. I presume the data in this table is static and could be put in a read-only section of the binary?
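    A worked illustration of the two mitigations raised in cyber globetrotter's and mark's comments above (storage for untrusted bytecode that carries no execute permission, and an opcode table placed in a read-only section), added here as example code: it is not from the original thread, from Adobe's player, or from Dowd's paper. The ARGMASK table and its contents are a constructed stand-in for the AS3_argmask table, the bytecode byte is constructed, and the permission checks read /proc/self/maps, so the example assumes Linux.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/mman.h>

/* Constructed stand-in for an interpreter's per-opcode argument-count table
 * (the role the AS3_argmask table plays in the comments above). Declared
 * const so the compiler places it in a read-only section: a stray write
 * through a corrupted pointer faults instead of silently retargeting the
 * interpreter. */
static const uint8_t ARGMASK[8] = {0, 1, 1, 2, 0, 1, 2, 3};

/* Bounds-checked lookup: returns the argument count, or -1 for an opcode
 * outside the table. */
int argcount(unsigned op) {
    return op < sizeof ARGMASK ? (int)ARGMASK[op] : -1;
}

/* Fill perms (e.g. "r--p") with the permission field of the /proc/self/maps
 * entry that contains addr. Linux-specific. Returns 1 if found, 0 otherwise. */
static int mapping_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    unsigned long long lo, hi;
    uintptr_t a = (uintptr_t)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%llx-%llx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* 1 if the opcode table lives in a mapping without write permission. */
int table_is_readonly(void) {
    char perms[5] = {0};
    return mapping_perms(ARGMASK, perms) && perms[1] != 'w';
}

/* Allocate storage for untrusted bytecode (e.g. a parsed SWF) with read and
 * write but no execute permission, so bytes supplied by the file can never be
 * run as native code even if the interpreter is later tricked into jumping
 * there. Returns NULL on failure. */
uint8_t *alloc_bytecode_buffer(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
}

/* 1 if the mapping holding buf is executable, 0 if not, -1 if not found. */
int buffer_is_executable(const void *buf) {
    char perms[5] = {0};
    if (!mapping_perms(buf, perms)) return -1;
    return perms[2] == 'x';
}

int main(void) {
    uint8_t *code = alloc_bytecode_buffer(4096);
    if (!code) return 1;
    code[0] = 3;                 /* constructed bytecode: one opcode byte */
    printf("opcode table read-only: %s\n", table_is_readonly() ? "yes" : "no");
    printf("bytecode buffer executable: %s\n",
           buffer_is_executable(code) ? "yes" : "no");
    printf("argcount(%u) = %d, argcount(200) = %d\n",
           code[0], argcount(code[0]), argcount(200));
    munmap(code, 4096);
    return 0;
}
```

Build with a normal gcc invocation and run it; on a Linux toolchain the const table lands in a mapping without the `w` bit and the mmap'd buffer has no `x` bit, which is exactly the state the two comments argue the player should have been in.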
  • ivan · 1 year ago
    @Tom: another item for your laundry list of security considerations for modern high-level languages is that their powerful executives and feature-rich components don't even make it necessary to escape to run low-level instructions on the CPU. If I've subverted the VM and I have complete control of all this, I may not need to go further down.
  • Rosyna · 1 year ago
    Stuff like this makes me hope I am never forced to go back in time and use a computer to browse the internets.

    (Where stuff like this==any reproducible exploit found in the last 10 years)
  • press controls · 3 months ago
    This is awesome, I have to try this on my own.