Readit News logoReadit News
jprx commented on MIT 6.5950 Secure Hardware Design – An open-source course on hardware attacks   shd.mit.edu/home/... · Posted by u/imakwana
stavros · a year ago
I have the same question, I'd love to watch the presentations in my own time, but I don't want to sign up for something that will have strict deadlines, as my schedule doesn't allow that.

Does anyone know which kind of the two above this course is? I couldn't find that info.

jprx · a year ago
You can find PDFs of the lectures as well as the reading list here:

https://shd.mit.edu/2025/calendar.html

https://shd.mit.edu/2025/lectureReadings.html

jprx commented on MIT 6.5950 Secure Hardware Design – An open-source course on hardware attacks   shd.mit.edu/home/... · Posted by u/imakwana
oytis · a year ago
Somewhat unrelated, but - is it just me or do other people notice too, that whenever a major university publishes course materials online, the instructors there are normally very young? It wasn't like that a while ago, e.g. when Coursera started, or it is not like that if you look at older MIT videos.

Does it reflect university teachers getting younger? Or younger teachers tend to give more effort to putting everything online? Or did my perception change with age?

jprx · a year ago
Personally, I learned programming when I was a kid by watching YouTube tutorials + reading random Internet sources. When helping build SHD, it was important to me that we "paid it forward" & made all our lab materials open for everyone to learn from.

Hopefully someone out there finds it useful!

jprx commented on MIT 6.5950 Secure Hardware Design – An open-source course on hardware attacks   shd.mit.edu/home/... · Posted by u/imakwana
brcmthrowaway · a year ago
Do you support arm64e?
jprx · a year ago
We teach using Intel X86_64 CPUs for a variety of reasons

- Most academic research has been done on Intel systems, so it's easier for students reading papers to relate to their experiences in the labs

- X86_64 provides convenient cache flush and cycle measurement instructions in userspace

- Intel's strongly ordered memory model and cache inclusion policy makes cross-core side channels simpler to reason about

- Practically, it's easier to scale up server infrastructure on Intel (you can do most of the labs on inexpensive Intel-based Linux systems)

- For Rowhammer, our students attack one particular kind of DRAM that we have profiled and know works well with our machines

- Note that AMD's cache inclusion policy differs from Intel's- we only support Intel chips for now

Down the road I could see us moving to ARM for a few labs (perhaps a future PACMAN attack lab...?)

jprx commented on MIT 6.5950 Secure Hardware Design – An open-source course on hardware attacks   shd.mit.edu/home/... · Posted by u/imakwana
brcmthrowaway · a year ago
Does this include Spectre?
jprx · a year ago
Yes!

Our labs include building your own real spectre attack against the kernel, bypassing ASLR and building ROP chains with various side channels, finding and exploiting backdoors in a RISC-V CPU by building a hardware fuzzer, and more.

(source: I designed the Spectre lab plus a few others)

All our labs are fully open source for anyone to try: https://github.com/MATCHA-MIT/SHD-StarterCode

If you give them a try, please do let us know what you think! We genuinely want these activities to be fun and approachable (we designed them like a big CTF) and welcome feedback from the community.

Posted by u/jprx a year ago
A wild race condition in the macOS kernel (CVE-2025-24118)jprx.io/cve-2025-24118/...
Posted by u/jprx a year ago
Susctl CVE-2024-54507: A particularly 'sus' sysctl in the XNU kerneljprx.io/cve-2024-54507/...
jprx commented on A buffer overflow in the XNU kernel   jprx.io/cve-2024-27815/... · Posted by u/jprx
lgdskhglsa · 2 years ago
In case people missed it, the name of the exploit is a blink 182 song released around the time it was discovered.
jprx · 2 years ago
You get it!!
Posted by u/jprx 2 years ago
A buffer overflow in the XNU kerneljprx.io/cve-2024-27815/...
jprx commented on MIT researchers uncover ‘unpatchable’ flaw in Apple M1 chips   techcrunch.com/2022/06/10... · Posted by u/markus_zhang
aaron_m04 · 4 years ago
Would it be possible instead to mitigate this by removing the side-channel: either don't leave any trace in the TLB of the speculative execution, or deny access to the TLB for user mode software?
jprx · 4 years ago
Unwinding changes to the TLB on every mispredict would have a significant overhead and hurt overall performance. Removing valid data you just cached (speculatively or otherwise) is generally a bad idea.

User mode software requires a TLB (unless you want to do a page walk for every single instruction!)

Even if you could remove the TLB entirely from the CPU somehow, the attacker could just use the cache or some other microarchitectural structure.

jprx commented on MIT researchers uncover ‘unpatchable’ flaw in Apple M1 chips   techcrunch.com/2022/06/10... · Posted by u/markus_zhang
bhj · 4 years ago
Enabling 3rd-party extensions is much more involved on AS Macs: https://support.apple.com/guide/mac-help/change-security-set...

Then the extension needs to be allowed in System Preferences > Security (this step has been required on Intel Macs too)

jprx · 4 years ago
Additionally, if can find a way to trick a user into installing a malicious kext, why even bother with PACMAN? You already have arbitrary kernel code execution!
j

u/jprx

KarmaCake day612June 10, 2022View Original