A “WormHole” vulnerability on PC

The WormHole vulnerability that recently has raised security concerns actually comes from a series of inappropriate developing habits. Similar problems are very common on PC, but most of them are mitigated by Microsoft’s default firewall. I wish this post with a lot of discussion on WormHole could more or less enhance the security awareness of some developers.

Continue reading “A “WormHole” vulnerability on PC”

Poking a Hole in the Patch–Escaping from IE Sandbox with a Poorly Patched Vulnerability

James Forshaw reported a vulnerability to Microsoft regarding Windows Audio Service in November 2014. In our analysis, we discovered that the patch Microsoft release later did not completely solve the problem. With a combination of techniques, we successfully bypassed the patch and can exploit the vulnerability on patched system.
Continue reading “Poking a Hole in the Patch–Escaping from IE Sandbox with a Poorly Patched Vulnerability”

Research report on using JIT to trigger RowHammer

RowHammer is a problem with some DDR3 in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. However it need to run the customized asm code on target machine to trigger RowHammer, so RowHammer is not easy to be used to attack. We have an idea that try to use script language to trigger RowHammer. If it works, RowHammer will be more dangerous. In order to verify our idea, we analyzed the Java Hotspot, Chrome V8, .NET CoreCLR and Firefox SpiderMonfey.
Continue reading “Research report on using JIT to trigger RowHammer”