Zheng Yu retweeted
Zheng Yu
25 posts


🎉 Thrilled to announce our USENIX Security 25 paper: "PatchAgent: A Practical Program Repair Agent Mimicking Human Expertise"!
🔥 Real impact: Already fixed 10+ CVEs in projects like assimp (11.4k⭐), libssh2, Pcap++, and more!
🛠️ Fully open source: github.com/cla7aye15I4nd/…
Zheng Yu retweeted

I'm shocked to see racism happening in academia again, at the best AI conference @NeurIPSConf. Targeting specific ethnic groups to describe misconduct is inappropriate and unacceptable. @NeurIPSConf must take a stand. We call on Rosalind Picard @MIT @medialab to retract and apologize for her statement.

Zheng Yu retweeted

Outrageous technique: barely legal use of x86 CPU instruction enables you to catch and 𝗰𝗮𝗻𝗰𝗲𝗹 impending pagefault before it actually happens.
③: catch PAGE_GUARD or invalid access
⓪: do previously illegal reads at high IRQL, safely
#vpgatherqq #vpscatterqq scatter/gather

Zheng Yu retweeted

Effective Fuzzing: A Dav1d Case Study googleprojectzero.blogspot.com/2024/10/effect…
Zheng Yu retweeted

Hypervisors are way more useful than you think.
A great example is the AVF (Android Virtualization Framework). This recently-added feature allows code to execute inside its own VM, with isolated memory space from the host.
Imagine a banking app written with AVF in mind. Even a kernel-level rootkit would not be able to read the banking credentials stored in memory.
Unlike traditional KVM, even if the host is compromised, it can't access guest memory; guest memory is completely unmapped from the host's physical address space.

Zheng Yu retweeted

How does Google optimize its research and systems? We’ve revealed the secrets behind the Vizier Gaussian Process Bandit algorithm, the black-box optimizer that’s been run millions of times!
Paper: arxiv.org/abs/2408.11527
Code: github.com/google/vizier
Compared to other industry baselines (Ax/BoTorch, HEBO, Optuna, HyperOpt, SkOpt), Vizier is much more robust in many user scenarios (e.g. high dimensions, categorical parameters, batched queries, multi-objective problems).
Authors: Xingyou Song, @QiuyiRichardZ, Chansoo Lee, Emily Fertig, Tzu-Kuo Huang, @belenkil, @gpk320, Setareh Ariafar, @SagiPerel, Daniel Golovin
#BayesianOptimization #Optimization #GoogleResearch #GoogleDeepMind #Vizier
Deep dive below 👇

Zheng Yu retweeted

We were able to fully emulate a Cortex-M7 MCU ROM code after dumping it… we used @qiling_io to do it.
It’s interesting when you have almost full control without any hardware, allowing you to reverse and fuzz the binary!
0x01team.com/sw_security/sa…

Zheng Yu retweeted

Very interesting reading on reverse engineering rail tickets
eta.st/2023/01/31/rai…
#reverseengineering #infosec

Zheng Yu retweeted

A simple puzzle GPTs will NEVER solve:
As a good programmer, I like isolating issues in the simplest form. So, whenever you find yourself trying to explain why GPTs will never reach AGI - just show them this prompt. It is a braindead question that most children should be able to read, learn and solve in a minute; yet, all existing AIs fail miserably. Try it!
It is also a great proof that GPTs have 0 reasoning capabilities outside of their training set, and that they'll never develop new science. After all, if the average 15yo destroys you in any given intellectual task, I won't put much faith in you solving cancer.
Before burning 7 trillions to train a GPT, remember: it will still not be able to solve this task. Maybe it is time to look for new algorithms.

Zheng Yu retweeted

2024 is the year of the decompiler! Start your year off right by reading a post on the last 30 years of decompilation and one of its hardest problems: structuring! mahaloz.re/dec-history-pt1
Part 2 to be released next week.
Zheng Yu retweeted

Analysis of CVE-2023-25136: double-free vulnerability in OpenSSH server 9.1
jfrog.com/blog/openssh-p…
seclists.org/oss-sec/2023/q…
#openssh

Zheng Yu retweeted

Awesome @MoMath1 presentation on the discovery of the Hat! A summary 🧵:
This is Dave Smith, a mathematical artist. He spends *a lot* of time just messing around, seeing what shapes he can tile in usual ways.
Nov 20, 2022, he emails @cs_kaplan to say: he can't figure out...