TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

57% Positive

Analyzed from 1288 words in the discussion.

Trending Topics

#more#security#overflow#rust#checks#still#android#check#bugs#things

Discussion (38 Comments)Read Original on HackerNews

revolvingthrowabout 1 hour ago
Semi-related: has the rate of published exploits picked up as if late, or is it simply the fact that there’s hype around ai as security tool (offense or defense) so it’s simply in the news more often?

Feels like there’s something new every other day - linux, windows, mobile, various commonplace tools used by everybody, the list goes on

rcxdudeabout 1 hour ago
There are reports from people who manage security bugs in OSS that there has been a big uptick in reports: initially low quality ones that were mostly bogus, but now many more legitimate ones as well.
Aachen34 minutes ago
A bit of both (it finds new things and news is hyped/blown up), and a third factor is that more people are trying to find things. The authors might have been able to do this already, like you still need to have a decent understanding to get useful work out of it and verify the results, but the shiny new toy factor makes people spend more hours on it that they'd have spent doing something else otherwise
imenaniabout 1 hour ago
https://lwn.net/Articles/1065620/
bbaylesabout 1 hour ago
I've reported a few very serious issues to vendors of widely used tools in recent weeks, and it's been even more difficult than usual to get them to be acknowledged - the teams that respond are reportedly swamped.
deatonabout 1 hour ago
This is pure guesswork, I am not a security researcher, but my guess would be that AI is increasing the amount of low quality exploitable attack surface available, while simultaneously providing security researchers with an accelerant for their work. Which is to say, its great if you use it well and really bad if you use it poorly.
seanieb39 minutes ago
Not low quality if it works!
worldsaviorabout 1 hour ago
I think AI helped researchers navigate better in the codebase, not necessarily the AI is succeeding in exploiting.
greesilabout 1 hour ago
"This is notably fast given that this is the first time that an Android driver bug I reported was patched within 90 days of the vendor first learning about the vulnerability."

This makes me feel better about Google, but also makes me kind of frightened of the rest of Android. I wonder what Apple's response time is?

yogorenapanabout 1 hour ago
I've reported security bugs to Apple before. Was a couple years back but I remember it taking around 6 months to patch (there was a couple back and forth for me to get a more reliable POC). Maybe 2 months from when I submitted a POC with 100% reproducibility
take9130 minutes ago
At least in the past there has been instances where Apple sat on security bugs for years until they were fixed, one example: https://jonbottarini.com/2021/12/09/dont-reply-a-clever-phis...

I've heard they cleaned up their program recently to respond much quicker nowadays

phuffabout 2 hours ago
This is a great bug report! I am not a kernel expert by any means even though I have read some about it... 10+ years ago. And I was able to follow along and see what was going on.

It does make me scared for what other dangers lurk since this was a really bad one and it was so little work to find.

Also of note: so many security issues lately have been done using AI. This report makes me think two things:

1. Expertise is still immensely valuable, the more niche, the more valuable.

2. There are lots of niches still where AI doesn't dominate...

a-dub13 minutes ago
hm. surprised there aren't idioms like copy_(to|from)_user for these kinds of kernel to userspace mappings for custom device nodes that ensure bounds are supplied...
rjsw37 minutes ago
There have been some V4L2 enhancements to support hardware video decoding pending a merge for a long time, they do seem to be in the mainline kernel now, I guess people didn't want to wait that long.
shay_kerabout 1 hour ago
Hmmm... I'd like someone to double check my thinking here. I posted this exact prompt for gpt 5.5 xhigh:

```

does this look right to you? don't do any searches or check memory, just think through first principles

static int vpu_mmap(struct file fp, struct vm_area_struct vm) { unsigned long pfn; struct vpu_core core = container_of(fp->f_inode->i_cdev, struct vpu_core, cdev); vm_flags_set(vm, VM_IO | VM_DONTEXPAND | VM_DONTDUMP); / This is a CSRs mapping, use pgprot_device */ vm->vm_page_prot = pgprot_device(vm->vm_page_prot); pfn = core->paddr >> PAGE_SHIFT; return remap_pfn_range(vm, vm->vm_start, pfn, vm->vm_end-vm->vm_start, vm->vm_page_prot) ? -EAGAIN : 0; }

```

And it correctly identified the issue at hand, without web searches. I'd love to try something more comprehensive, e.g. shoving whole chunks of the codebase into the prompt instead of just the specific function, but it seems the latent ability to catch security exploits is there.

So then.... I wonder how this got out in the first place. I know I'm using a toy example but would love to learn more!

akdev1l26 minutes ago
As an anecdote, I provided fragnesia.c and the subsequent proposed patch to fix the issue and while it was not able to discover an entirely new vulnerability, I think it was able to find 2 new ways of exploiting the same underlying bug.

This is quite impressive considering I’m just a dumbass with a Claude subscription.

thejokeisonme19 minutes ago
How do you know it didn't search the web?
lifisabout 1 hour ago
It's the usual problem of having no consequences for the person who wrote catastrophic code like this and the company who released it. If the person who wrote this were to be imprisoned for the rest of their life, for instance, or if the company were to be fined $1 million per user put at risk (which would probably mean a $1-10 trillion fine for Google -enough to trigger bankruptcy), then things would be very different
StilesCrisisabout 1 hour ago
If this rule were implemented, would you be walking free right now? Think it over.
ux26647839 minutes ago
I most definitely don't agree with him, and I find the idea absolutely repugnant. Devils advocate though, I would be much more careful with the code that I write if regulators passed some dogshit law like that.
akerstenabout 1 hour ago
> If the person who wrote this were to be imprisoned for the rest of their life [...] then things would be very different

Yes, they certainly would. You wouldn't have smartphones, for instance.

I can't tell if this is satirical or not. But there are so many takes like this recently (hold the website liable for user content, hold the corporate developer liable for zero days in a project they happened to touch) that would all result in the same outcome (no more product at all) that I can't help but wonder if there's some luddite psy-op trying desperately to bring us back to a pre-Internet era in any way they can...

XorNotabout 1 hour ago
Yes...no one would write any code.
codedokodeabout 1 hour ago
I read about Pixel 9 Dolby Decoder bug, and it is based on integer overflow. It was a mistake to allow "+" operator to overflow, and this must be fixed in new languages like Rust, but it is not.
tialaramex34 minutes ago
In Rust the decision about whether to pay for overflow checks or just wrap (because all modern hardware will just wrap if you don't check and that's cheaper) is a choice you can make when compiling software, by default you get checks except in release builds but you can choose checks everywhere, even in release builds or no checks even in debug.

By definition in Rust it's incorrect to overflow the non-overflowing integer types, and so if you intend say wrapping you should use the explicit wrapping operations such as wrapping_add or the Wrapping<T> types in which the default operators do wrap - but if you turn off checks then it's still safe to be wrong, just as if you'd call the wrapping operations by hand instead of using the non-wrapping operations.

That Dolby overflow code looks awkward enough that I can't imagine writing it in Rust even if the checking was off - but I wasn't there. However the reason it's on Project Zero is that it resulted in a bounds miss, and that Rust would have prevented anyway.

Asmod4n8 minutes ago
__builtin_add_overflow Exists and it’s basically free on most CPUs out there.
jerfabout 1 hour ago
I've been using this as a touchstone for whether or not we are actually going to take security seriously for a long time.

We've moved slightly closer to this, but in a world where we're still arguing over memory safety being necessary we've probably still got a ways to go before we notice that addition silently overflowing is a top-10 security issue. It's the silent top-10 security issue, I guess.

fyrn_34 minutes ago
Isn't it often combined with poor bounds checks to be exploitable? It's not as if rust or VM based languages don't help a lot with this
IshKebab34 minutes ago
It isn't because no ISA implements add like that, so there's always performance on the table if you check every time, and people would probably endlessly moan about how Rust is 20% slower than C on this add-heavy microbenchmark.

That said you can enable overflow checks in Rust's release mode. It's literally two lines:

  [profile.release]
  overflow-checks = true
I wonder if it would make sense for ISAs to have trapping versions of add and subtract. RISC-V's justification for not doing that is that it's only a couple more instructions to check afterwards. It would be interesting to see the performance difference of `overflow-check = true` on high performance RISC-V chips once they are available.
tialaramex19 minutes ago
It does seem like "What if we offer checked integer arithmetic operations?" is a cheaper experiment than CHERI's "What if we mechanically reify extent based provenance"?"
NooneAtAll3about 1 hour ago
fascinating how GrapheneOS achieves high security level on the same hardware where Google failed to even randomize android's kernel location
jnwatsonabout 1 hour ago
Randomizing the kernel location is of marginal utility at best. There are so many info leaks that KASLR ends up being only a small speed bump on the way to exploitation.

Here's a cool project that inventories all your KASLR info leaks: https://github.com/bcoles/kasld

StilesCrisisabout 1 hour ago
It's easy to be secure if you just remove features. There's obvious tension here.
jeffbee20 minutes ago
KASLR isn't an effective mitigation against anything, and to me this is part of GrapheneOS's catalog of superficial but meaningless claims.
icf80about 1 hour ago
google has lost its focus with pixel phones
jeffbee30 minutes ago
Project Zero has to report bugs to Android through the front door, and deal with Android VRP severity classification? I always assumed they could just walk over to the Android office and advocate for their bugs, face to face.