RoundofThree

Exploitation of AIxCC Nginx bugs: Part I

This blog post will analyse the exploitability of the temporal safety vulnerabilities in the AIxCC Nginx challenge. AIxCC is a DARPA competition to find vulnerabilities in codebases using AI. The competitors are not looking for 0-days but rather for vulnerabilities intentionally added to existing codebases. One of those codebases, in the semifinals (which have already taken place), was Nginx. In this blog post, I will take a different focus: whether these added vulnerabilities can be exploited to achieve more than just crashes. ...

February 5, 2025 · 27 min · RoundofThree

GEF for CheriBSD Morello

Why the need for this? Because having some handy commands that immediately generate a CLI visualization is very helpful to exploit developers (or software developers) when debugging a binary. For example, we can quickly get an idea of the state of the heap, which speeds up the process of debugging heap-based exploits. gef-cheri enables this for the CheriBSD platform on the Morello architecture (CHERI-enabled ARM64). You can still apply the same gef-cheri script to analyse non-CHERI binaries, in which case the behavior should be the same as the original gef. ...

March 15, 2024 · 8 min · RoundofThree

Exploring snmalloc internals

Note: this post is incomplete and still being updated. Introduction: snmalloc is a memory allocator by Microsoft Research that uses a “message passing” scheme. You can find its source code here. It is designed to be performant in highly parallel workloads where memory allocated in one thread is typically deallocated in another thread. A nice feature is that snmalloc is highly customizable and, more to my interest, its security mitigations can be customized. It also provides abstraction layers for different architectures (AAL) and platforms (PAL). ...

March 14, 2024 · 19 min · RoundofThree