It's late March, thus time for TROOPERS; this year is the 10th anniversary edition of the fantastic conference in Heidelberg, Germany, so an extra special week to be a part of. As I spoke at a pre-conference workshop, the stress was off so I could reflect and re-cap on the content without worrying about an incomplete slide deck. Below . . .
Coding in a post-Rowhammer world
Earlier this year at TROOPERS I presented on how many tenets of the LangSec theories could be integrated into a modern SDLC through providing a framework for "verification-oriented programming". This idea revolved around the notion that "to err is human, to be caught at compile-time (or as close to it as possible) divine", and that developers . . .
Recently the buzzword-du-jour has shifted in some circles from "Threat Intelligence" to "Information Sharing", with policy being proposed or enacted to drive companies to share breach and breach attempts with other entities to hopefully assist in their network defenses. One challenge I see to free information sharing between willing and . . .
Accepting LangSec into your heart (or SDLC)
To err is human; to be caught at compile-time, divine— Jacob Torrey (@JacobTorrey) March 2, 2016
Next week at TROOPERS I am acting as a TA for Tamas on our VM Introspection training as well as giving a talk aimed at developers and their managers to augment their software development life-cycle (SDLC) with LangSec principles. . . .
Why we need to focus on capacity building
Watching the InfoSec industry change over the last few years leaves little doubt in my mind that the majority of players jump onto what is hot, either through a re-branding campaign, acquisition, or legitimate shift. At RSA this spring, the buzzword du jour was threat intelligence; of late however, the hype-machine has been focusing on bug . . .
Virtual memory break-out with PCIe
TL;DR After noticing a trend of conference talks with posted slides or videos being overlooked and hard to search through, I've decided to write an overview blog post for most of my conference talks in order to create a searchable and easy-to-skim jumping-off point. I will link to slides, video and paper if there is one at the end of each . . .
TL;DR Domas' "Memory Sinkhole" is a clever attack, but in today's OS landscape, can be mitigated via a small software update.
Yesterday at Black Hat USA, I watched as Christopher Domas shed some light on a very exciting/terrifying vulnerability. He discovered that SMRAM accesses can be duped to read/write from the LAPIC . . .
Posted in: x86