David Kohlbrenner

56 posts

@dkohlbre

Software/Hardware Security Person. Assistant Professor at @uwcse. Making whole systems just a bit more secure. PPP Alum. He/Him. @[email protected]

Joined April 2010
63 Following, 443 Followers
David Kohlbrenner @dkohlbre
@stuntpants Any idea why hugepage support is in the M1 but not in macOS? Was surprised I couldn't even force it on from userspace...
David Kohlbrenner retweeted
Ariana Mirian (@amirian@infosec.exchange)
I was relying on this app to publicize that I am defending in April! And looking for 2023 jobs! Guess I'll use...LinkedIn...now? TL;DR If you want to understand/improve security processes using data and research science methods, shoot me a note. I'll post more later if I can
David Kohlbrenner @dkohlbre
Retpolines leaking is unfortunate, but it's good that we have concrete examples of how. While there, read the addendum (and the timeline on the addendum, oof). Looking forward to _that_ paper quite a bit!
johannes @wiknerj

Today @kavehrazavi and I are finally allowed to talk about #Retbleed. In 2018, #SpectreV2 was fixed by replacing indirect jumps with returns. But, returns can be poisoned like indirect jumps, throwing us back to 2018 again. Paper, demo, addendum, code @ comsec.ethz.ch/retbleed

David Kohlbrenner retweeted
Marco Guarnieri @MarcoGuarnier1
Excited to share that our proposal for a @dagstuhl seminar on "Microarchitectural attacks and defenses" has been accepted! Organizers: yours truly, @BloodyTangerine, @dkohlbre, and Chris Fletcher
David Kohlbrenner retweeted
Pardis Emami-Naeini @PNaeini
Please help distribute: I am hiring a postdoc to join my lab at @dukecompsci. Email me (with your CV) if you are interested in human-centered security and privacy, especially when it relates to data from medical/robotic application domains, and/or marginalized populations. 🙂
David Kohlbrenner retweeted
Joseph Ravichandran @0xjprx
We found a way to defeat pointer authentication (and forge kernel pointers from userspace) on the Apple M1 via a new hardware attack. Here's how it works: pacmanattack.com
David Kohlbrenner @dkohlbre
And now it is May 24th! At (or remotely at) IEEE S&P? Check out @jose_vicarte's talk on "Augury: Using Data Memory-Dependent Prefetchers to Leak Data at Rest" coming up shortly in Session 7A.
David Kohlbrenner @dkohlbre
We found a way to leak data on Apple Silicon processors that is "at rest": that is, data the core never reads speculatively or non-speculatively. This will be an odd one, so stick around for the 🧵 and see prefetchers.info
David Kohlbrenner retweeted
James Forshaw @tiraniddo
Today, GPZ and Google Cloud are releasing a technical report on a security research project in collaboration with AMD on their Secure Processor and the Secure Encrypted Virtualization feature. It includes some interesting bugs we found. Read the blog at googleprojectzero.blogspot.com/2022/05/releas…
David Kohlbrenner @dkohlbre
@kangadac For now it appears to be unique to Apple. AWS Graviton 2 (neoverse N1 iirc) didn't seem to have the AoP DMP or similar in our testing.
Dave Cuthbert @kangadac
@dkohlbre Any idea if this is unique to Apple, or also present in the Neoverse ARM cores?
David Kohlbrenner @dkohlbre
@cutesmilee__ @matteyeux Probably :) The challenge comes in finding an efficient way to recover the leaked pointer value via P+P or something. We didn't get it working but I wouldn't be surprised if someone can.
Tommaso @cutesmilee__
@dkohlbre @matteyeux it should be possible to leak kernel pointers by abusing code which accesses an array of pointers (kernel code or an IOKit driver) right?
David Kohlbrenner @dkohlbre
@joseph_h_garvin Completely agree on prefetching being speculative. We see the difference here because the DMP lives in the L2, not in the core. So, the core never speculatively reads the data, and never actually sees the line until it actually asks for it!
Joseph Garvin @joseph_h_garvin
@dkohlbre Technically prefetchers are a form of speculation, they speculate on what the CPU will access next, but I'm guessing by speculatively here you mean specifically reads done due to branch prediction?