Joined June 2011
Jun 7
Looking forward to presenting our latest AI security research at @BlueHatIL on June 24th. We'll walk through the vulnerabilities we found in Chainlit and show how exploiting simple bugs can lead to significant security impact in AI applications. @ido__shani
Also joining BlueHatIL: @0xgalz & @ido__shani with ChainLeak: From AI Framework to Cloud Secrets - a fascinating behind-the-scenes look at the vulnerabilities they uncovered in Chainlit, and what we can learn from them. Don't miss. Register now: microsoftrnd.co.il/bluehatil…
Following my previous post, I wrote another blog on a futex bug that was patched not long ago. It allowed any attacker with an untrusted selinux context to elevate privileges given the right instruments.
The bug itself is esoteric: it's a UAF, but there is no alloc or free at all. How is this possible? Simply put, the variable is allocated on the stack and freed by the OS itself whenever an esoteric condition happens by the OS. I hope you'd enjoy this one guysrd.github.io/futex-read-…
We live in interesting times. Last month Linux patched a core UAF in the epoll subsystem; we rarely see these kinds of bugs. As I like these kinds of bugs, I wrote a few words about it here: guysrd.github.io
The race itself is pretty tight, but with the right IPI interrupts and some magic it is possible to take control of ep->refs or a mutex_unlock slowpath (providing u an arbitrary kfree primitive), there are other paths available for exploitation.
I tried working on this bug only without an infoleak and tried to turn it into a one-shot universal root primitive, but I did not succeed; I never managed to leak data. You can read the blog and see my attempts at exploiting this. I encourage anyone to try too.
I broke Kindle's DRM protection tonight through a mix of static and dynamic analysis. AES key is derived from accountSecrets, kindle device ID, and voucher path. Book is decrypted in parts using OpenSSL from Ion blobs and then decompressed with LZMA.
In the last couple months, I have replaced so many scripts with prompts like "use idac to perform class recovery, rename variables and functions, set prototypes, make and apply types to make the decompilation output look like the original source" github.com/trailofbits/idac
Replying to @matrosov
One of the long-standing challenges in C RE has always been vtable REconstruction. AI now solves this, and you actually get richer context than you'd ever get from manual recovery. Previously, HexRaysCodeXplorer plugin was born to ease that pain back in the day, but now I need to rethink how to make it truly effective in this new reality.
150 researchers showing up to Pwn2Own Berlin 2026; 3 AC (After Claude);
May 5
CFP is open!! Submit your cool talks about AI hacking/defense/core tech. Gonna be awesome!! ☺️
The Unprompted.au CFP is officially OPEN! If you are doing cool stuff with AI in offense, defense, or working on core AI tech (from frontier models to open source LLMs), we'd love to hear from you! Submit here: unprompted.au/
aiight it's not done yet but i really need to focus on my Actual Job so today i am publishing the web frontend of bin't: a new binary analysis framework (it's literally just worse ghidra). it's hopefully useful for some light reversing of x86, ARM, MIPS, PPC bint-disasm.github.io/?examp…
Had a lot of fun reversing Coruna over the last couple of weeks and decided it would be worth writing it all up before I forget - so enjoy :) littlelailo.github.io/writeu…