Daniel Moghimi

Dropping #Downfall, exploiting speculative forwarding of 'Gather' instruction to steal data from hardware registers. #MeltdownSequel - Practical to exploit (POC/Demo) - Defeat all isolation boundaries (OS, VM, SGX) - Bypass all Meltdown/MDS mitigations. downfall.page

Proud to be part of this impactful effort.

Trust matters, especially for technology like Intel TDX. See how Intel worked with our friends at @Google to improve platform security. ms.spr.ly/6014QPLHM

The new Rowhammer attack paper against SK Hynix DDR5 modules is very impressive! LPE to root in over 100 seconds, or disclosing RSA keys for SSH from adjacent VM, among other vectors. If the SK Hynix brand doesn't ring a bell, some models of ADATA, G.SKILL, Corsair, Dell, Lenovo and even some Cisco OEM modules are based on Hynix chips. Finding exact list of affected OEM vendors and module modules is a bit tricky. As part of the research effort Google has also partnered with Antmicro to build dedicated Rowhammer testing rig, which is also open-source! github.com/antmicro/rowha… Paper: comsec.ethz.ch/research/dram/… Google blog: security.googleblog.com/2025/09/suppor… PoC: github.com/comsec-group/p…

A new attack on DDR5 further demonstrates that current countermeasures against Rowhammer-style assaults aren't enough. tomshardware.com/tech-industry/…

🔥 New hardware hack ALERT: ETH Zürich + Google just broke SK Hynix DDR5 memory wide open. ➡️ “Phoenix” (CVE-2025-6202) gets ROOT in 109s on SK Hynix chips ➡️ ECC & TRR defenses? ❌ Bypassed ➡️ RSA keys + sudo at risk Full story → thehackernews.com/2025/09/phoeni… 💡 Only fix: crank DRAM refresh rate 3×.

@FFmpeg What does slow systems mean?

@flowyroll This is not correct. The patch in question disables the gather on slow systems.

FFmpeg folks are talking about performance degradation due to Downfall (downfall.page) vulnerability, and if they can disable it. Short blog post on the issue: moghimi.org/downfall_perfo…

Deploying mitigations at scale is hard. It has been a couple of years since I discovered downfall.page / GDS attack. The performance degradation due to mitigation is bad, which may cause folks to disable them :(

@socrates1024 Stealing young souls to push TEEism?

What would you call a labor organization mode like grad students in university research... "up AND out", where retention is explicitly not even an option? It's prosocial in an interesting way, where workers are trained with the goal of empowering them to leave firm and entirely

Follow me on flowyroll.bsky.social

@EarlenceF @socrates1024 And your APP1 can easily speculate and leak stuff from APP2 because they share the memory without you knowing about it. And because you have put it in the TEE, it means they hypervisor is malicious so the attack is even easier :-)

@flowyroll @socrates1024 not necessarily. WASM is just good to memory isolate stuff. Maybe your TEE is running multiple apps inside and you want something more lightweight than full-blown process isolation within the userspace of the TZ env.

worst thing ever put in a tee?

@EarlenceF @socrates1024 Because if you are putting wasm in a tee, it means the code is untrusted, and that's against the threat model for what TEEs are designed for. I know well why people want to do that, but it's also very hard to provide real privacy guarantees in that model.

@flowyroll @socrates1024 why is wasm a candidate for the worst thing put in a tee? i could see it being useful to get in-process sandboxing within an ARM tz env

@matthew_d_green @octal Well, commercials pay the bills for musicians to sustain themselves. Not everyone gets big but even the oneswho make it big start from playing bar gigs and commercials. I think music will be dead the way we know it, which is unfortunate.

@octal What is going to get eaten is: commercials. That whole industry is going to turn into automated AI video and audio all day long and probably effectiveness will go down but maybe only in relative terms.

It’s amazing to me that a couple of months ago someone showed me an AI site that can write any song you want in 20 seconds and after playing with it, I never thought about it again until now.

I wrote a piece on @sigarch blog about the state of hardware and architecture security. "Secure Computer Architecture in the Post-Meltdown World: A Long Road Ahead" sigarch.org/secure-compute…

@mccurley I have seen this happening in security and I'm not even that old.

Does cryptology suffer from this as well? arxiv.org/pdf/2401.03545

[Weekend read] Generalized Power Attacks against Crypto Hardware using Long-Range Deep Learning - elie.net/publication/ge… Thrilled to finally publish our GPAM model and high-quality ECC datasets after years of intense R&D. Compared to existing approaches, the GPAM model represents a generational leap because it is able to attack multiple algorithms (AES, ECC) and countermeasures without the need for human intervention and without the need to pre-process the input traces. Full disclosure each attack requires about automated hyper-tuning: ~700 GPU/h of automated hyper-tuning. @jmichel_p @invernizzi @flowyroll #AI #CyberSecurity #cryptography #crypto #ResearchPapers

@ChShersh A library is flexible, you can pick any book you want and read it however you want. A framework tells you what books to read and in which order. The line can be blurry depending on how limiting the library is and how flexible the framework is.

I’m a Senior SWE and I still don’t understand the difference between a library and a framework

@kaepora I am even more surprised that we are okay with the theory that a supposedly democratic government can arrest someone to send a message to the people.

@VarunChandrase3 Haha right. I know the game well :)

@flowyroll Not worth anything in the real world *today* :p

I didn't attend Usenix Security this year, but looking at the hardware security papers, only a small number solve real problems. This is unfortunate because I know that students put a lot of efforts into these papers. It looks like the gap between academia-industry is quite big.