The levels of "being comfortable with low level programming" are over 9000 on this one. Very impressive, from even noticing from the start to later implementation, you basically imagined and implemented a way to have your own computer inside the Macbook to manage any host memory, while still keeping it stable and getting all the information you want from it.... in a week ( ok, yes, you are already working for years on Apple silicon, but still, this needs a lot of work no matter how much you know about a system ). If anyone else got hands on this information, I can only imagine the extremely broad use cases it could have against people's privacy and security. Really speaks a lot about how important it is to improve one's reverse engineering skills, and to how you can trust the right people to report things instead of using for their own benefit when there is a bug bounty program in place. You are the best ! Ethically, and Technically, please keep showing the way ( and making history while at it ) !
Bug bounty programs don't pay as well as shady actors. But I'd like to think I'd still report it upstream instead of selling the bug for exploitation if I ever found myself in a similar situation. It takes a special kind of person to be able to live with the conscience that they probably aided oppressive nation states commit human rights violations.
@@bantix9902 Do you mean using slave and child labor in China? That's not Apple's fault: the factories committed these, and Apple puts more effort than any other company to check and prevent these abuses at its manufacturing facilities. The slave labor part is probably with close cooperation with the CCP: the government detains the Uyghurs, and uses them as slave labor in various factories.
Thanks for the stream! The explanations were super clear, and while I'd read about it before, seeing the ROP chain in action in the demo really helped me understand how it works in practice. I'll definitely be keeping an eye out for any similar explanation videos you put out - it's great stuff!
1:53:02 The "pointer to a pointer to a pointer to the function" sounds like a virtual function call on a parameter object: You pass an object by passing it's address, so the first level points to the object itself. Inside, there is a vtable pointer (3rd level), which contains a pointer to the function. So 1st level: reg->object, 2nd level: object->vtbl, 3rd level: vtable->code, 4th level: code. 2:04:30 I wish Khronos took Apple's Metal API for Vulkan, instead of going with their own. It would be nice to be able to write a full game in almost all C++, and to have the same basic shader language available on all platforms.
This is like a summary of an advanced CS course about operating system design. No professor ever managed to keep my attention for longer than 10 minutes, but Lina kept me glued to my screen for an hour.
Not all super heros wear capes. Lina you're a true 🌟. You're an inspiration. First gpu driver written in rust ☑ First macOS gpu exploit ☑ Super happy to be a team lina member keep up the good work 👍
I know, I know... but there's no guarantee it would've worked and I had to get the my driver running in time for XDC!!! There's people who do this for a living but it's not for me, I don't know anything about hacking browsers... I just got lucky I found a fun bug and spent a week working on it as a special exception ^^
"I'm Asahi Lina, a Linux developer vtuber" - is the wildest vtuber lore I've witnessed in my 3 years in a rabbit hole) Jokes aside - it was an amazing presentation!
I'm not even halfway through but I must say watching with the chat replay was the best decision I made. Ridley Combs keeps dropping these banger jokes, I don't know where they pull them from.
3:16:00 She got US$150,000. I hope she opened a non-profit company or a foundation or for her GPU driver development project to avoid getting taken, at least, 50% of her prize money from the Japanese government. Source: Blog - Apple Security Bounty. Upgraded and news ycombinator
Question (at 2:20:41): you map 16GiB minus 32MiB, so the top huge-page on a 16GiB system, by directly writing the address to the fake PTE you're creating. What happens if you try to read from that entry if it's not backed by physical memory? (Rewriting this into x86 terms) Of course, the CPU must trust that the kernel will not do something that stupid. On the high level ("user mode"), you would get a page fault/segfault. Here we're running "kernel code" and trying to make it do stupid things. On a microcontroller if you read from a junk address, not backed by any component, you get junk data. What happens on a modern CPU in "real" mode?
My ears bleed heavy from the pseudo voices, but your vid gave me some interesting directions. Thanks so much for your work and views on hacking. Best regards.
Question (at 2:25:33): what is a stamp and what is a stamp index? Googling doesn't help, I can't find the proper keywords. It seems to be something related to the shader's internal state from the context, but i can't figure it out.
It’s an Apple thing! It’s basically a counter that increments every time a command is processed. It’s how the firmware keeps track of how many commands have completed and notifies the CPU.
Or, wait, a "command" is one execution of the shader, then it means that the "stamp" is the number of executions of the shader? So as you have to pretend to have executed the shader, you have to increment it by one?
It’s one whole job, which could be any number of shaders or draw calls. For a render, it would usually be a whole frame. We don’t increment it, the firmware does as part of command completion, but we have to set it up right for it not to crash since we’re replacing the micro sequence!
"Apple really cares about security" ... sure... but it costs them a lot less to release buggy products and pay bounties than it does to wait until products are secure before they release them. this is corporate behavior across the board coming out of Silicon Valley (and etc.). So I would agree, that they care about security - but they care about profit WAY WAY more....
The levels of "being comfortable with low level programming" are over 9000 on this one. Very impressive, from even noticing from the start to later implementation, you basically imagined and implemented a way to have your own computer inside the Macbook to manage any host memory, while still keeping it stable and getting all the information you want from it.... in a week ( ok, yes, you are already working for years on Apple silicon, but still, this needs a lot of work no matter how much you know about a system ).
If anyone else got hands on this information, I can only imagine the extremely broad use cases it could have against people's privacy and security. Really speaks a lot about how important it is to improve one's reverse engineering skills, and to how you can trust the right people to report things instead of using for their own benefit when there is a bug bounty program in place.
You are the best ! Ethically, and Technically, please keep showing the way ( and making history while at it ) !
Bug bounty programs don't pay as well as shady actors. But I'd like to think I'd still report it upstream instead of selling the bug for exploitation if I ever found myself in a similar situation. It takes a special kind of person to be able to live with the conscience that they probably aided oppressive nation states commit human rights violations.
... selling to shady actors ... pays 3 hots and a cot... for 3 years or more! lol... DOH!@@szaszm_
@@szaszm_ unlike apple inc. who never commited a human rights violation :)
@@bantix9902 Do you mean using slave and child labor in China? That's not Apple's fault: the factories committed these, and Apple puts more effort than any other company to check and prevent these abuses at its manufacturing facilities. The slave labor part is probably with close cooperation with the CCP: the government detains the Uyghurs, and uses them as slave labor in various factories.
dang.. I didn't expect the world's first RUST Linux driver developer is a vtuber. very refreshing and special lol. great to know!
Then you're not up the RUST and Linux memes
Ofcourse the guy writing rust is pretending to be a woman they're either trannies or this or both
The stream starts at 5:24
I love how Cyan Nyan was just existing hopelessly trying to understand what's going on
to be fair that's how i feel watching sailor moon talk about assembly language
she's just like me frfr
Thanks for the stream! The explanations were super clear, and while I'd read about it before, seeing the ROP chain in action in the demo really helped me understand how it works in practice. I'll definitely be keeping an eye out for any similar explanation videos you put out - it's great stuff!
1:53:02 The "pointer to a pointer to a pointer to the function" sounds like a virtual function call on a parameter object: You pass an object by passing it's address, so the first level points to the object itself. Inside, there is a vtable pointer (3rd level), which contains a pointer to the function. So 1st level: reg->object, 2nd level: object->vtbl, 3rd level: vtable->code, 4th level: code.
2:04:30 I wish Khronos took Apple's Metal API for Vulkan, instead of going with their own. It would be nice to be able to write a full game in almost all C++, and to have the same basic shader language available on all platforms.
Tech VTubers? What realm am I living in now? Holy crap 😳
cyan is just me after 3 hours long math class 😂
This is like a summary of an advanced CS course about operating system design. No professor ever managed to keep my attention for longer than 10 minutes, but Lina kept me glued to my screen for an hour.
Not all super heros wear capes.
Lina you're a true 🌟.
You're an inspiration.
First gpu driver written in rust ☑
First macOS gpu exploit ☑
Super happy to be a team lina member keep up the good work 👍
Thank you for tonight's stream Lina and Cyan :3
You should have invested the extra month Lina, 250k is very good for a month of work! :D
I know, I know... but there's no guarantee it would've worked and I had to get the my driver running in time for XDC!!!
There's people who do this for a living but it's not for me, I don't know anything about hacking browsers... I just got lucky I found a fun bug and spent a week working on it as a special exception ^^
@@AsahiLina Also imagine someone else finds and submits it before you got the webgl stuff working
@@AsahiLina Wait, you got 150k?! wow, amazing! nice payout for developing this driver :D I missed this and thought you got only 1k!
I don't know what is happening, 😂😂🎉🎉
@@AsahiLina🎉🎉🎉uwooow
This is such a cute! Congratulations on the zero day :D
I am so happy that apple indirectly finances this project. Or at least contributet to it.
"I'm Asahi Lina, a Linux developer vtuber" - is the wildest vtuber lore I've witnessed in my 3 years in a rabbit hole)
Jokes aside - it was an amazing presentation!
Thanks for this amazing and educational stream girls. Lina was very excited while Cyan was very lost. It was so funny.
But Cyan is still keeping saying “let’s go!!”🔥 which is funny😂
I'm not even halfway through but I must say watching with the chat replay was the best decision I made. Ridley Combs keeps dropping these banger jokes, I don't know where they pull them from.
Apple secretly likes Asahi Linux
3:16:00 She got US$150,000. I hope she opened a non-profit company or a foundation or for her GPU driver development project to avoid getting taken, at least, 50% of her prize money from the Japanese government. Source: Blog - Apple Security Bounty. Upgraded and news ycombinator
i can't believe were living in the year of 2023 and I'm watching a vtuber to learn about this exploit
Super interesting stuff! Although I'm not nearly enough into low level stuff like this to fully understand everything
This was an amazing presentation. Good work.
Amazing presentation!
i wanna see more like lina and cyan its adorable to watch
Amazing work
Nyaashell!
Got a Mac myself, gotta try this myself eventually
cute vtuber hacking content is my favourite hacking content
Question (at 2:20:41): you map 16GiB minus 32MiB, so the top huge-page on a 16GiB system, by directly writing the address to the fake PTE you're creating. What happens if you try to read from that entry if it's not backed by physical memory? (Rewriting this into x86 terms) Of course, the CPU must trust that the kernel will not do something that stupid. On the high level ("user mode"), you would get a page fault/segfault. Here we're running "kernel code" and trying to make it do stupid things. On a microcontroller if you read from a junk address, not backed by any component, you get junk data. What happens on a modern CPU in "real" mode?
Well, nevermind, thanks chat, just had to wait a minute more for my question to get answered 😅
We live in a world... an amazing one
My ears bleed heavy from the pseudo voices, but your vid gave me some interesting directions. Thanks so much for your work and views on hacking. Best regards.
Question (at 2:25:33): what is a stamp and what is a stamp index? Googling doesn't help, I can't find the proper keywords. It seems to be something related to the shader's internal state from the context, but i can't figure it out.
It’s an Apple thing! It’s basically a counter that increments every time a command is processed. It’s how the firmware keeps track of how many commands have completed and notifies the CPU.
So it is like a program counter, but for the microsequence?
Or, wait, a "command" is one execution of the shader, then it means that the "stamp" is the number of executions of the shader? So as you have to pretend to have executed the shader, you have to increment it by one?
It’s one whole job, which could be any number of shaders or draw calls. For a render, it would usually be a whole frame. We don’t increment it, the firmware does as part of command completion, but we have to set it up right for it not to crash since we’re replacing the micro sequence!
Ok! Thanks for the detailed answers! That helps.
This is inspiring, do you think even a novice coder can find exploits? A bounty reward could really assist me in life right now
really cool
This is my cybersecurity vtuber HALLO i am new fan,, but maybe big fan,,
Bordel tu es une malade mentale bravo c'est un delire, je ne vais pas mentir je suis pas mauvais pourtant mais j'ai pas compris la moitié!😍
It's the legit hack
This video is a "way to go" for nerds. Loved it
2024 be like
The video starts at 3:10:00
"Apple really cares about security" ... sure... but it costs them a lot less to release buggy products and pay bounties than it does to wait until products are secure before they release them. this is corporate behavior across the board coming out of Silicon Valley (and etc.). So I would agree, that they care about security - but they care about profit WAY WAY more....
I would disagree as a big vulnerability going mainstream would make for a lot of reputational damage which *is* likely to affect their bottom line