Hacker News new | ask | show | jobs
by ahartmetz 157 days ago
Maybe we can remove mitigations. Every exploit you see is: First, find a vulnerability (the difficult part). Then, drill through five layers of ultimately ineffective "mitigations" (the tedious but almost always doable part).

Probabilistic mitigations work against probabilistic attacks, I guess - but exploit writers aren't random, they are directed, and they find the weaknesses.
2 comments
GaggiX 157 days ago
The vulnerability was found by Opus:

"This is true by definition as the QuickJS vulnerability was previously unknown until I found it (or, more correctly: my Opus 4.5 vulnerability discovery agent found it)."

link
atomic128 157 days ago
Number 6, explained 3 years ago:

https://github.com/nobodyisnobody/docs/blob/main/code.execut...

Original publication in 2017:

https://m101.github.io/binholic/2017/05/20/notes-on-abusing-...

link
ahartmetz 157 days ago
Makes little difference, whoever or whatever finds the initial exploit will also do the busywork of working around mitigations. (Techniques to work around mitigations are initially not busywork, but as soon as somehow has found a working principle, it seems to me that it becomes busywork)
link
staticassertion 156 days ago
Most mitigations just flat out do not attempt to help against "arbitrary read/write". The LLM didn't just find "a vuln" and then work through the mitigations, it found the most powerful possible vulnerability.

Lots of vulnerabilites get stopped dead by these mitigations. You almost always need multiple vulnerabilities tied together, which relies on a level of vulnerability density that's tractable. This is not just busywork.

link
ahartmetz 156 days ago
Maybe I've been fooled by survivorship bias? You don't read much about the the vulnerabilities that ultimately weren't exploitable.

Reports about the ones that are exploitable usually read to me like after finding an entry, the attacker reaches into the well-stocked toolbox of post-entry techniques (return-oriented programming, nop slides, return to libc...) to do the rest of the work.

link
staticassertion 154 days ago
Most people don't publish dead ends. Here's one that my company published: https://web.archive.org/web/20221001182026/http://graplsecur...
link