Rubiks Cube!

Sagi Kedmi

CVE-2016-2437: Untrusted App to Kernel Heap Overflow

05.05.2016, in { android, kernel, vuln }

The nvhost GPU driver for the Tegra kernel contains a heap overflow in the NVHOST_IOCTL_CTRL_MODULE_REGRDWR ioctl command. The bug results from an integer overflow that makes the kernel allocate a small heap buffer, which is then overrun with an attacker-controllable payload. The current SELinux sepolicy allows any untrusted_app to trigger it.

Android Dissection

Crypto Classics: Wiener's RSA Attack

18.04.2016, in { crypto, algo }

While reading up on RSA I stumbled upon Dan Boneh's 1999 paper, Twenty Years of Attacks on the RSA Cryptosystem. In there, I found a trove of applied attacks against RSA; one of which, Wiener's, employs continued fraction approximation to break RSA efficiently (under certain conditions).

The attack was interesting enough to make me want to learn about it and spread the word.

So, today we’re going to use simple math and Python to distill Wiener’s Attack :).

Professor P

Blackhat Europe: Attacking /dev/urandom on Android

20.10.2014, in { android, kernel, vuln }

Our paper was accepted to both Usenix WOOT and Blackhat Europe! So Nadja and I got to go to Amsterdam :) !

Dead Canary

We wanted to exploit CVE-2014-3100, a stack-based buffer overflow in Android's Keystore. We needed to bypass the stack canary. Long story short, we devised probabilistic attacks that enable an attacker to predict random bytes that are extracted from the underlying entropy pool of /dev/urandom during device boot, such as Keystore's canary value.

Capabilities Playground

16.02.2013, in { test }

LaTeX with KaTeX

Given two sets $A$ and $B$, the Jaccard similarity coefficient is a commonly used indicator of the similarity of the two.

$$\Pr[h_{\min}(A) = h_{\min}(B)] = J(A,B) = \frac{|A \cap B|}{|A \cup B|}$$

Blockquotes are written like so

The individual has always had to struggle to keep from being overwhelmed by the tribe. If you try it, you will be lonely often, and sometimes frightened. But no price is too high to pay for the privilege of owning yourself.

They can span multiple paragraphs, if you like.