Posts

All work stated in this blogpost, including the porting of AIxCC Nginx to CHERI and the analysis of CPVs were done solely by me, but I based my port on the existing Nginx CHERI port. I’d like to thank Prof Robert Watson for providing extensive reviews of the contents of this blogpost. I wrote this post a long time ago but I never had the chance to publish it. Someone pinged me and I decided to finally make this publicly available. This is a bit different to my other blogposts: it has a more academic tone and has a focus on CHERI. The analysis of temporal safety bugs is repeated in my other blogpost, the difference being that the focus of this blogpost is CHERI (a hardware memory safety mitigation, see more details at https://cheri-alliance.org/). ...

This blog post will analyse the exploitability of the temporal safety vulnerabilities in Nginx AIxCC. AIxCC is a DARPA competition to find vulnerabilities in codebases using AI. The competitors are not looking for 0-days but rather intentionally added vulnerabilities in existing codebases. One of them was Nginx in the semifinals, which already took place. In this blog post, I will have a different focus on whether these added vulnerabilities can be exploited to achieve more than just crashes. ...

Why the need for this? Because having some handy commands to immediately generate a CLI visualization is very helpful when debugging a binary for exploit developers (or software development). For example, we can quickly get an idea of the state of the heap, which speeds up the process of debugging heap-based exploits. gef-cheri enables this for the CheriBSD platform in the Morello architecture (CHERI-enabled ARM64). You can still apply the same gef-cheri script to analyse non-CHERI binaries, in which case the behavior should be the same as the original gef. ...

Note: this is an incomplete updating post. Introduction snmalloc is a memory allocator by Microsoft Research that uses a “message passing” scheme. You can find its source code here. It is designed to be performant in highly parallel workloads where memory allocated in one thread is typically deallocated in another thread. A nice catch is that snmalloc is highly customizable, and more to my interest, security mitigations can be customized. It also provides abstraction layers for different architectures (AAL) and platforms (PAL). ...