Hacker News
I hacked macOS (asahilina.net)
228 points by robin_reala on Sept 17, 2023 | 117 comments



All: please don't post comments about the formatting of the presentation. It makes for tedious and off-topic discussion, and the HN guidelines specifically ask you not to:

https://news.ycombinator.com/newsguidelines.html


From code comments, what I understood (most likely in an incorrect way) is:

- Use Metal shader code to make process page table accessible to shaders via page protection layer bug exploited using return oriented programming (ROP)

- Use Metal shader code to acquire read/write access to physical memory

- Use Metal shaders to access the kernel page table

- Deals with ASLR to find the kernel base address

- Obtains process user credentials data structure via the process data structure (from the kernel memory)

- Sets uid and gid to 0 (root) to the user credentials data structure, giving root privileges to the user


You’re pretty much correct.

GPUs are a very interesting attack vector. Especially as more computation is being pushed to GPUs, and they’re not always well isolated.


I'm genuinely concerned about the WebGPU attack vector. The possibilities are exciting, but we (everyone) have virtually no experience with securing them (compared to decades of securing x86 - which we still can't pull off). My biggest concern is fingerprinting.


Somehow I can’t resign myself to this brave new world of web apps with low level hardware access. I do not want web apps doing GPGPU work on my machine. If the browser engine implements high level functionality that way, fine, but I don’t want arbitrary websites using low level hardware directly.

They were so preoccupied with whether they could, they never stopped to consider whether they should.


I feel like fingerprinting is inevitable with any hardware access, including WebGL or WebGPU. It’s one of my big concerns about Chrome exposing more and more of the hardware it runs on in the goal of being a Web based OS.

That said, fingerprinting is not as big a risk as what I was thinking of, which is one process being able to peer into another’s on the GPU. There are various takes on isolation on the GPU but they tend to have strong caveats attached.


Fingerprinting is probably inevitable if it is enabled by default, given that game code itself relies on the exact device model to work around GPU implementation bugs. GPU compatibility has always been a shit show that relies on all sorts of device-specific workarounds. You may spoof it. But don't assume it would work perfectly for any moderate to big sized programs.


Is this substantially different than say, containers with GPU access, right?

Lots of computation is moving to GPUs.


Do you know what's the original vulnerability that allowed ROP?


https://asahilina.net/agx-exploit/#/s_uppl

Press down to see the slides


Thank you very much for the brief summary versus whatever the thing linked was.


Any suggestions for how I can get to anywhere close to Lina's skills? It's just mad skills.. I don't believe simply putting in huge amount of time in front of the machine is adequate. Neither is simply being smart. Is it just a combination of being smart, sinking in a lot of time, interests etc?


Read computer architecture and computer systems books.


Any suggestions? I'll start with something that might be a good beginner friendly way to get familiar with some of the concepts: 'The Soul of a New Machine' by Tracy Kidder.


You'd be wasting your time with that. Go read the bible (Computer Organization and Design by Patterson) instead.


Do you recommend any specific one? I guess there are multiple for ARM, RISC-V, etc. Thanks


The CVE description for some context (I re-ordered the sentences)

"An app may be able to execute arbitrary code with kernel privileges. The issue was addressed with improved memory handling. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13, watchOS 9.1."


Just a note this isn't new: fixed in macOS last year (October 2022), and the Japanese stream with the same slides is half a year old. (The English content is new, so I guess this is still worth the front page as long as people are interested)


Once again, my respect for the work of the Asahi team and especially Lina's GPU related efforts grows further. Great to see that she was officially recognized[0] and received a bounty for her efforts.

[0] https://support.apple.com/en-md/HT213488


Lina is not a random emerging VTuber who randomly stumbled upon the bug and found an exploit technique that can be applied to exploit the bug; she is actually highly skilled at exploit things...


Cool, but this is a technology discussion website, not a personality discussion website.


I don’t think that’s entirely true. When reading technical articles who the author is matters.

For example, this is the same person who’s working on Asahi Linux for ARM Macs. This means that they probably know what they're talking about and this is gonna be a good article.


Quality content, highly recommended.


Hugged to death?


https://youtu.be/hDek2cp0dmI?t=499 the presentation with narration of the author.


How can she do all this using kate and not vim? /s


Kate does have a pretty good vi mode!


Is this page archived yet? I cannot access the page..


This wasn't obvious to me from the appearance of the page (I guess my screen is large enough that I didn't see the arrows in the bottom-right corner), but this site is actually a presentation. So, a heads-up in case anyone else has the same experience: the page is interactive, and you can navigate with arrow keys.


it's reveal.js for those unfamiliar

https://revealjs.com/


Oh, I didn't see it.


The HN rules say

> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

Given that many are praising the formatting, I don't see how the rule applies.

I'd like to point out that the slides have source available and use the reveal js slides framework, but I'm not sure if this would be considered as breaking the rules?

Source for slides: https://github.com/asahilina/agx-exploit/tree/main/slides


Lina received a $150k bounty for this exploit.


Sounds extremely low for this kind of vulnerability of a $2.7T company that prides itself for its privacy accomplishments.


I mean, this is the company where the only security certification advertised on their website for macOS [1][2] only achieved the lowest possible level of security, EAL1.

A level only fit for products where [3]: "some confidence in correct operation is required, but the threats to security are not viewed as serious" which is one level lower than "demonstrating resistance to penetration attackers with a basic attack potential" [4]. Which is four full levels below "demonstrating resistance to penetration attackers with a moderate attack potential" [5].

Apple has never once, over multiple decades of failed attempts, demonstrated "resistance to penetration attackers with a moderate attack potential" for any product. It should be no surprise that the systems, processes, and people who lack the knowledge, ability, technology, and experience to make a system resistant to moderate attackers, despite nearly unlimited resources, have the security of their systems completely defeated by moderate attacks like small groups of skilled researchers. Apple positively, absolutely, 100%, certifies they can not. Though, it would be nice if their marketing were restricted to what their engineering can prove.

[1] https://support.apple.com/guide/certifications/macos-securit...

[2] https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...

[3] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 14

[4] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 16

[5] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 20


EAL is not a measure of security but a measure of the depth of analysis. Looking at the complexity of monolithic-kernel-based operating systems, I don't think much can be derived from certifications with an EAL < 5.


Evaluated assurance levels (EAL) are a bundle of security assurance requirements (SAR) that reasonably trace to varying levels of assurance that the target of evaluation (TOE) enforces the Security Functional Requirements (SFR) of the product. One of the core SARs being AVA (vulnerability assessment) which evaluates resistance to penetration attackers and the presence of vulnerabilities. It is only at EAL5 that you are required to demonstrate AVA_VAN.4 which is resistance to penetration attackers with a moderate attack potential.

What we derive from companies only able to achieve EAL < 5 is that their systems are not designed, nor capable of protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.

We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.

So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.


How do you define "penetration attackers with a moderate attack potential"?

No EAL>4 certification does not imply that something is insecure.

Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that security is not only depending on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.

Besides that a CC certification does not necessarily certify the product as a whole which finally means you cannot even derive a state of security statement for the end user.

Example: Integrity OS has been certified on EAL6, yet they have provided a vulnerable telnet server: https://nvd.nist.gov/vuln/detail/CVE-2019-7715

Another example was the genugate firewall which has been certified on EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attack with a high attack potential. Yet, the product was vulnerable to a simple authentication bypass of the management interface resulting in a CVSS score of 9.8: https://nvd.nist.gov/vuln/detail/CVE-2021-27215


“Moderate potential” is defined in the standard [1]. As we are generally discussing blackbox attacks on publicly accessible remote endpoints, basically the only relevant factors are “Elapsed Time”, “Expertise”. So, a “moderate attack potential” is: expert proficiency attacking team over four months. A “high attack potential” is expert proficiency attacking team over six months.

I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple can not achieve them.

No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.

Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”

Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.

Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.

I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.

You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.

An AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.

The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.

I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over certified.

Looking at the PoC, it seems to indicate an administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I can not speculate any further. Certainly could be over-certified. But again, certification does not mean confidently secure, it is non-certification which means confidently insecure.

[1] https://www.commoncriteriaportal.org/files/ccfiles/CEM2022R1...

[2] http://www.commoncriteriaportal.org/files/epfiles/0300b.pdf


On the other hand, that's a year's salary for many people. Seems like a quite fair payment, and a payout to envy.

Lower, easier to get payouts are arguably better than rare jackpot payouts you have to fight over...


> On the other hand, that's a year's salary for many people.

It's several years' salary for many people.


But not for people with this level of applied skills.

How many people do you think could pull this off? I certainly couldn't. Could you?


> But not for people with this level of applied skills.

Perhaps not for people with this level of applied skills who live in the US. But salaries vary drastically around the world, and remote jobs are not feasible for everyone.


How would you value this exploit, or any exploit?


I understand this is arbitrary code execution with root access. I'm imagining the potential of infecting a high status individual and I think a bad actor would pay millions for such an exploit.


Sure, so how would you arrive at a dollar amount? What would it be?


Apple pays up to $2M for such zero click exploits.


>Sounds extremely low for this kind of vulnerability

How do you know that?


I’m not sure I follow. You’re asking them how they know their own impression of something?


That would be a fair question, we generally don't come to our impressions by random choice alone. My guess is the value of the vulnerability on the black market would be significantly higher and Apple could afford to compete with that better if they wanted. Only the GP could tell us the reasoning for their impression though.


Which part? I feel that arbitrary code execution with root access is a pretty extreme thing to accomplish. But I might be mistaken!


What? That's an insane amount of money


I'm comparing it with Apple's market cap of $10^12. Such a vulnerability seems pretty serious. But maybe I'm mistaken and it's not that bad.


Less than the salary of their software engineers.


Well deserved. By reading the code you can tell there is a lot of analysis and knowledge required to make that exploit happen.

OS development, security, shader programming, computer architecture, etc.

The code is clean and has plenty of comments explaining what is happening at each step.

And for the ones who do not know, Asahi Lina is the same person who made it possible to run GPU-enabled Linux on Apple Silicon, along with other contributors.


How does this work anyway? I reported a password bug that went unfixed for months and didn't hear back from Apple. Do you need to be the first/only person to have reported something, or what?


Most bug bounty payouts go to the first person or group that report it, and only if the bug in question is novel to the company in question.

I.e., if you report after someone else or report after it’s already been identified internally, you’re not likely to get a payout unless you have novel details.


Hell yeah, good for her!


[flagged]


> Lina is a pseudonym for Marcan

Is there any evidence for this? I've seen a bunch of people say it on HN.


He hasn’t admitted it directly, but there is a large amount of circumstantial evidence. Asahi exclusively uses Marcan’s private infrastructure. They both name their systems after little girls from the anime “PreCure”. They are NEVER talking/streaming at the same moment, even when they appear together. In fact Marcan used to stream quite a bit on his personal channel, but once Asahi appeared he stopped almost entirely. They even have similar typing styles once you start comparing their long-form writings. Not to mention the fact that Asahi’s specialities just so happen to align with Hector’s to the point where they can interchangeably work on reverse engineering Apple Silicon. How many people in the world exist that can do that? And how many would share the exact same interests and peculiarities as Hector?

Finally, and my personal favorite: Asahi’s VTuber reveal was by “hacking” and hijacking one of Marcan’s streams. The introduction was literally replacing Hector.


The fact that the comment you replied to is buried shows that it's probably too close to be true and makes people uncomfortable. Are we supposed to believe the character is literally an animated humanoid with animal ears? Is it not ok to question who the human entity behind it is? In any case, it's super easy to spot when it's a man pretending to be a woman, in case that's the source of the controversy.


The other guy makes some good points, but this is crazy:

> The fact that the comment you replied to is buried shows that it's probably too close to be true and makes people uncomfortable

"People think I'm an asshole, that means I must be right"


How was that person in any way being an asshole?

If you say something nonsensical or incorrect, people ignore you. But if they laugh or get irate, then you're probably on to something.


Apple pays out a range of $5k to $150k for this type of attack.

See: https://security.apple.com/bounty/categories/


Honestly I loved the slide deck. I have little background in this, and I feel the author did a great job of breaking everything down. It clearly took a lot of work. Bravo.


I genuinely don't understand when I should be pressing down or right. Is there a linear way to view this?


It’s why I hate reveal.js

It’s the most unintuitive mechanism unless you’ve already internalized what deck structures should be.

It seems like it’s optimized for the presenter but it’s often used for after the fact sharing with everyone else who won’t know the order.

It really needs a linear mode, with the option to see presenter notes.


I clicked various times to the right, didn't make much sense. I came back, started clicking it down, now it made sense, until couldn't, so I clicked right. Then it clicked, took me something like ten seconds to figure it out, and I am not known to be quickest knife in the shed.


right for sections, down for subsections within a section, but 2d nav isn't great without a map :)


Press space.


RIP mobile users :'(


Yeah, I dislike comments on format but on mobile the site was just unusable for me. I couldn't figure out which slide was the "correct one" to move forward, and even the zooming gesture would move me to another slide. I think the video presentation would be a better link than the slides.


>Is there a linear way to view this?

Space key


The reveal.js slide itself probably isn't the best way for readers. The reveal.js project actually provides a PDF export feature which can be more helpful.

Anyway, it's an asahilina.net page, not a cve.mitre.org page. That domain is for the Virtual YouTuber Lina-chan, so I would not expect it to be the most friendly for developers.

As a VTuber follower, I do really like the style :D


I would classify Lina as excellent hacker and engineer first, VTuber second (but it is really just marcan's alter ego, innit?)


[flagged]


Apple doesn't have "way fewer CVEs for macOS/iOS". Apple ranks 5th overall, and 4th so far in 2023, by vendor. In 2015 they were #1. CVEs track closely with the number of users a platform has, and the incentives to compromise that platform.

https://www.cvedetails.com/top-50-vendors.php


No. Number of CVEs has approximately no correlation with quality.


Yea, internet is dumb sometimes. Here is some context on the often dumb world of CVE https://www.youtube.com/watch?v=2Mfgjp_aK3I


You got downvoted because you didn't consider for even a second the game theoretic result of judging products based on the number of CVEs they've had.


[flagged]


And what about the YouTube video?


[flagged]


"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting."

"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."

https://news.ycombinator.com/newsguidelines.html


It's just a guideline.


True, but we usually end up banning accounts that break the guidelines and don't adapt when asked to stop.


That is more authoritarian than what is suggested by the guidelines.


It's a matter of whether someone is using HN as intended or not (as far as we can tell). For accounts that repeatedly go against the intended use of the site, we don't have much choice but to ban them, or else the site won't survive for its purpose. We do warn them first, often quite a few times and over a long period before banning—it depends on how much history the account has here. For accounts without much history, we sometimes ban straightaway, if the violation is egregious.

That doesn't seem excessively authoritarian to me and I don't see how we could do it differently without giving up on the site's mandate, which is not an option.


I disagree.


You're certainly welcome to disagree. I'd never claim we get all of this right; but we still have to moderate the site, decide which accounts to ban and when, which comments to mod-reply to, and so on. It's better to have some principles for this than not, and it's better to explain what they are than not. Then (at least some) people (hopefully) won't be (as) surprised if they get moderated or banned.


This form of slide deck has become a staple in the security research community for some reason. I don't like it either but they're just following form.


Oh wow, it's a slide deck! In Firefox, I was only seeing a deconstructed giant canvas, scrollable in two dimensions but without slide boundaries.

In Safari and Chrome, it makes a lot more sense now. The interactive demo slide is impressive!

Update: Weirdly enough, after another refresh I now also see slides on Firefox.


> after another refresh I now also see slides on Firefox

It probably failed to load some piece of JS or CSS the first time around.


I have seen a lot of strange writeups, but this one takes the cake.

Is there a sanitized version anywhere?


It's clearly a slide deck for a conference presentation or something. So yea, it's terrible for a web page.


I don’t think it’s a presentation. It’s multi dimensional. No one’s navigating multiple dimensions while presenting.


When presenting the reveal.js interaction model is to hit space or some other navigation key.

I’m not defending it, because I legitimately think their multidimensional view is horrible for post facto sharing, especially on mobile. But it does mean that you can quickly navigate between chunks of the deck if you need to backtrack as a presenter.


That's actually not a terrible idea... depending on if people ask questions or if you have extra time while presenting, the ability to take a small detour would be pretty cool


I wish you were right heh


the post title has a cve number you can search for

here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3294...


If you’re not willing to go through the slides that’s really your loss isn’t it?


You can also wait, someone will probably go through the pain of reading this website and write about it in normal English.


It's a loss for both parties, no?


I can't even tell it's crappy. Just a blank screen with Javascript disabled. Sites aren't worth visiting if they don't care about usability and accessibility, and promptly get added to my shit-list of domains.


Disable CSS too and it works. It’s all progressive enhancement.


[flagged]


the whole vtuber thing is not really for me, but i appreciate the effort that went into this presentation—did you make it all the way to <https://asahilina.net/agx-exploit/#/demoslide>?


"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting."

https://news.ycombinator.com/newsguidelines.html


Respectfully: do you genuinely believe that guideline had this kind of presentation in mind, or the very common tedium of poorly built websites that occurs frequently on amateur tech posts. Even the examples provided by the rule you quoted lend to the latter.

The format is indeed relevant.


The guideline is to prevent threads turning discussions of interesting things into discussions of boring things, like most of the other guidelines. Plus you can ask the person who came up with it, I'm sure they'll tell you something similar.


Ah, a question I can answer unambiguously! - since I wrote that guideline, I can tell you what was/is in my mind.

Internet threads have a tendency to get stuck on annoyances that aren't pertinent to the actual topic. It's a bit like a branch getting snagged at the edge of a creek: all sorts of detritus accumulates around the branch, clogging the flow. This isn't just about comments—arguably a bigger problem is that upvotes, since such subthreads invariably attract a lot of those.

On HN, we don't have any rule against going off topic per se, because offtopic tangents can sometimes be fun and interesting—usually when they're unpredictable, i.e. when they're about something specific that doesn't get talked about much, or maybe has never been talked about.

But threads about presentation errors, usability errors, and so on, are highly predictable because they happen a lot, and also because they're annoying and people tend to express annoyance in the same ways over and over. This becomes repetitive and repetition is the enemy of curiosity [1], so it follows from HN's primary principle [2] that we should try to avoid them.

One thing to understand about that guideline is that it's not denying the correctness of the annoyance! Of course you're right that formatting, presentation, usability, design, etc., are important. The issue is that discussions tend to get clogged by comments about these things, precisely because they are annoying. I'm as annoyed by them as anyone and I think most of us are.

Our challenge as a community is to experience those annoyances and process them however we process them but not to complain about them in the comments—rather to stay on topic (or at least on something unpredictable), not because crappy websites etc. deserve better, but because we want to prioritize interesting conversations about interesting things to read.

(I should add that when I say "crappy websites" I'm not talking about the OP - I only spent a couple seconds looking at it and didn't personally experience annoyance. I just mean we all have our triggers and they work more or less the same way in everyone.)

[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


Thank you for expanding on the point, I appreciate it.


starting your posts with "respectfully" does nothing if the first thing after that is questioning the parent's genuine response to your original post.

respectfully, get lost with that kind of bs


Aw, please don't respond like this. It just makes things worse and breaks the site guidelines in its own right; this one, for example:

"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."

https://news.ycombinator.com/newsguidelines.html


There are times when website styling and design really go beyond the pale, and this is one of those cases.

The content may be excellent. The packaging utterly frustrates accessing that, and flouts all standard conventions of design. The author took a risk. The author lost.


[flagged]


It is indeed poor communication - why? Because:

1. The message is secondary to the medium.

2. The communication requires numerous unnecessary click throughs to obtain the relevant information.

3. The division of the information into various panels and mediums does not enhance the communication, rather the messages are divided in a way that doesn't match a hierarchal introduction of detail. It often serves no purpose whatsoever.

Also this is not some personal attack on identity "who she wants to be", it's a commentary on poor communication - don't attempt to equate the two, it's incredibly poor taste, and flame baiting.


[flagged]


The entire scope of my comment is about the message - the only one talking about the person is you.

I find that disgusting.


I don't mean to pile on, but you guys can't do this here, and we ban accounts that do, so please don't do it again.

https://news.ycombinator.com/newsguidelines.html


> I find that disgusting.

i am unfazed


I don't mean to pile on, but you guys can't do this here, and we ban accounts that do, so please don't do it again.

https://news.ycombinator.com/newsguidelines.html


I mean, I disagree. It is gimmicky and poor communication, whether by choice or accident.



