Breakpoints in gdb using int3
Here is a useful trick I discovered recently while debugging some changes to the seccomp sandbox. To trigger a breakpoint on x86, just do: __asm__("int3"); Then it is possible to inspect registers,...
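The following is an added example, not code from the original post: it shows what `int3` does when no debugger is attached. The CPU raises a #BP trap, Linux delivers SIGTRAP, and the saved program counter already points past the one-byte `0xCC` instruction, so a handler that simply returns resumes execution on the next instruction; with the default disposition the process is killed instead. `debug_break` and `breakpoint_roundtrip` are names chosen for this example, and the non-x86 branch falls back to `raise(SIGTRAP)` so the code still builds elsewhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Number of SIGTRAPs observed by the handler. */
static volatile sig_atomic_t traps_seen = 0;

static void on_sigtrap(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info; (void)ctx;
    traps_seen++;
    /* For int3 the kernel reports the faulting PC as the instruction
       *after* the 0xCC byte, so returning from the handler resumes there.
       (This is also why gdb rewinds PC by one when its breakpoint hits.) */
}

/* Example helper (not from the post): emit a software breakpoint. */
static inline void debug_break(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("int3");
#else
    raise(SIGTRAP);  /* fallback so the example runs on non-x86 hosts */
#endif
}

/* Install a SIGTRAP handler, hit the breakpoint, restore the old handler,
   and return how many traps were delivered (expected: 1).  Under gdb the
   debugger sees the SIGTRAP first and stops at the int3, which is the
   trick described in the post; without gdb and without a handler, the
   default action for SIGTRAP terminates the process with a core dump. */
int breakpoint_roundtrip(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    traps_seen = 0;
    debug_break();
    int seen = traps_seen;

    sigaction(SIGTRAP, &old, NULL);
    return seen;
}

int main(void)
{
    printf("int3 delivered %d SIGTRAP(s)\n", breakpoint_roundtrip());
    return 0;
}
```

Run it once normally to see the handler absorb the trap, then under `gdb ./a.out` to see the debugger stop on the `int3` with registers and stack available.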
The trouble with Buildbot
The trouble with Buildbot is that it encourages you to put rules into a Buildbot-specific build configuration that is separate from the normal configuration files that you might use to build a project...
CVS's problems resurface in Git
Although modern version control systems have improved a lot on CVS, I get the feeling that there is a fundamental version control problem that the modern VCSes (Git, Mercurial, Bazaar, and I'll include...
My workflow with git-cl + Rietveld
Git's model of changes (which is shared by Mercurial, Bazaar and Monotone) makes it awkward to revise earlier patches. This can make things difficult when you are sending out multiple, dependent...
Process descriptors in FreeBSD-Capsicum
Capsicum is a set of new features for FreeBSD that adds better support for sandboxing, adding a capability mode in which the capabilities are Unix file descriptors (FDs). The features Capsicum adds are...
An introduction to FreeBSD-Capsicum
In my last blog post, I described one of the features in FreeBSD-Capsicum: process descriptors. Now it's time for an overview of Capsicum. Capsicum is a set of new features for FreeBSD that adds better...
When printf debugging is a luxury
Inserting printf() calls is often considered to be a primitive fallback when other debugging tools are not available, such as stack backtraces with source line numbers. But there are some situations in...
A common misconception about the Chrome sandbox
A common misconception about the Chrome web browser is that its sandbox protects one web site from another. For example, suppose you are logged into your e-mail account on mail.com in one tab, and have...
Cookies versus the Chrome sandbox
Although Chrome's sandbox does not protect one web site from another in general, it can provide such protection in some cases. Those cases are ones in which HTTP cookies are either reduced in scope or...
Fixing the trouble with Buildbot
Last year I wrote a blog post, "The trouble with Buildbot", about how Buildbot creates a dilemma for complex projects because it forces you to choose between two ways of describing a project's build...
ARM cache flushing & doubly-mapped pages
If you're familiar with the ARM architecture you'll probably know that self-modifying code has to be careful to flush the instruction cache on ARM. (Back in the 1990s, the introduction of the...
Stack unwinding risks on 64-bit Windows
Recently, I've been looking at how x86-64 Windows does stack unwinding in 64-bit processes, and I've found some odd behaviour. If the stack unwinder finds a return address on the stack that does not...
Native Client's NTDLL patch on x86-64 Windows
Last year, I found a security hole in Native Client on 64-bit Windows that could be used to escape from the Native Client sandbox. Fortunately I found the hole before Native Client was enabled by...
Simplifying LLVM IR for PNaCl
Lately I've been working on Portable Native Client ("PNaCl" for short). Native Client (NaCl) is a sandboxing system that allows safe execution of native code in a web browser -- typically C/C++ code...
Handling crashes on Mac OS X: ordering of Mach exceptions versus POSIX signals
Mac OS X is a curious operating system because its kernel is derived from two kernel codebases -- the Mach kernel and a BSD kernel -- that have been glued together. From these two ancestors, OS X...
How to do history-sensitive merges in Git
Merging in Git is usually not history-sensitive. By this I mean: if you're merging branches A and B together, Git looks at the content at the tips of branches A and B, and the content of the common...
Implementing fork() on the Mill CPU
The Mill is a new CPU architecture that claims to provide high performance but at a much better performance-per-watt than conventional CPUs that use out-of-order execution. The Mill achieves this by...
Conditionalising C/C++ code: "#ifdef FOO" vs. "#if FOO"
Is it better to use #ifdef PLATFORM or #if PLATFORM when writing code that needs to be conditionalised according to OS, CPU architecture, etc.? Chromium's codebase uses the former. For example, it...
The DRAM rowhammer bug is exploitable
I've been researching the DRAM rowhammer issue and its security implications for a while. We've finally published our findings on the Project Zero blog: Exploiting the DRAM rowhammer bug to gain kernel...
L3 cache mapping on Sandy Bridge CPUs
In 2013, some researchers reverse-engineered how Intel Sandy Bridge CPUs map physical addresses to cache sets in the L3 cache (the last-level cache). They were interested in the cache mapping because...
How physical addresses map to rows and banks in DRAM
In my previous blog post, I discussed how Intel Sandy Bridge CPUs map physical addresses to locations in the L3 cache. Now I'll discuss how these CPUs' memory controllers map physical addresses to...
Can cached memory accesses do double-sided row hammering?
There are indications that it is possible to cause bit flips in memory by row hammering without using CLFLUSH, using normal cached memory accesses. This makes me wonder: Is it possible to do...
Passing FDs/handles between processes on Unix and Windows -- a comparison
Handles on Windows are analogous to file descriptors (FDs) on Unix, and both can be passed between processes. However, the way in which handles/FDs can be passed between processes is quite different...
PassMark received offer to not release rowhammer test
Here's an interesting report of skulduggery related to the rowhammer bug. PassMark say they received an offer to not release a rowhammer test in their MemTest86 tool, in return for payment: "We had...
Observing interrupts from userland on x86
In 2016, I noticed a quirk of the x86 architecture that leads to an interesting side channel. On x86, it is possible for a userland process to detect when it has been interrupted by an interrupt...