Niklas B

We at @dfsec_com are currently looking for a senior Linux kernel researcher, feel free to DM if you’re curious :)

Our newest @dfsec_com blog post is live, thanks to @tomitokics from @df_forensics for putting this together :-) blog.dfsec.com/ios/2025/10/14…

Our new blog post is live: blog.dfsec.com/ios/2025/05/30…

DMs were apparently disabled, but fixed now

@ETenal7 @dfsec_com yes, and DMs are open now, not sure why it was misconfigured

@_niklasb @dfsec_com Heyyy any chance this position is also available for US based person? BTW , your account can't be DM maybe due to privacy settings.

We at @dfsec_com are currently looking for a senior Linux kernel researcher, feel free to DM if you’re curious :)

AKA natural language CodeQL - it feels like the Code Browser approach from the blog post may be applicable here as a general concept

This is very cool work. Since I’m not super familiar with the domain, is there any published work around code understanding/querying? Is context size a limiting factor here for non trivial code bases?

@SinSinology @watchtowrcyber Congrats!

I'm super pumped 🥳 to announce I've joined @watchtowrcyber, where we continue casting spells with my fellow wizards 🔥🩸

@mistymntncop @maxpl0it surely they got rid of that after e10s

@maxpl0it I wonder how to deal with the "spectremaskindex" instruction tho...

@_manfp’s Firefox renderer bug is a beauty that takes advantage of an optimisation implemented just 3 months ago. Let’s break it down!

Pwn2Own lineup looks very impressive this year, good luck to everyone!

Software transactional memory is probably the one thing I miss the most from my Haskell developer times. IMO it is the most intuitive way to write concurrent code by far. It‘s wild to see it implemented in such a complex context as C++, amazing effort

@m40282845 @adhsec yeah that’s for sure, WPA and unencrypted networks are rejected, question is what else

Are there any details known about what makes a WiFi “unsafe to join” according to iOS Lockdown Mode and thus causes disconnects on each sleep/wake cycle of the phone? Seems like WPA support and TKIM are two such properties, but there are likely more.

@adhsec do you know what DoH servers iOS uses? I would assume it just uses normal DNS as provided by DHCP

@adhsec encrypted DNS? as in DoH/DoT?

I really wish Lockdown Mode had more granular settings

@jduck @5aelo @farazsth98 @adhsec @silviocesare @mboehme_ again, there is no bug here and the compiler produces correct output. FATAL is surely noreturn. UB is introduced in some unrelated place

@_niklasb @5aelo @farazsth98 @adhsec @silviocesare @mboehme_ Yeah I see. My guess is it's a compiler bug then. Perhaps it doesn't understand and is inventing UB. Or perhaps whatever happens in V8_Fatal is UB. What does UBSAN say?

How to write an open-source compiler that injects vulnerabilities: Stage 1: Write a compiler that compiles itself. Stage 2: Add code to inject a vuln. into the compiled binary. Recompile. Stage 3: Remove code. Recompile. Distribute. cs.cmu.edu/~rdriley/487/p…

@jduck @5aelo @farazsth98 @adhsec @silviocesare @mboehme_ There was/is no actual issue/bug in the code (the switch is exhaustive), what is being considered here are just ideas to nudge the compiler to reliably produce a compilation output that has the intended security properties (which are a superset of those provided by C++ itself)

@5aelo @_niklasb @farazsth98 @adhsec @silviocesare @mboehme_ I think the issue is the lack of a return statement in every switch block, right? If you have a return value but don't have a return statement, that's UB. Switch does not return anything. I would expect the actual behavior to "return" what's in the first GP register at the end

@5aelo @jduck @farazsth98 @adhsec @silviocesare @mboehme_ But of course you are likely heavily relying on this specific compiler behavior in countless other places in a similar fashion anyway

@5aelo @jduck @farazsth98 @adhsec @silviocesare @mboehme_ I see, so I assume the “sound” combination is where you tell the compiler that the value can be out of range (via `: int`), AND you make the switch exhaustive even in that case via an UNREACHABLE default case …