blog of bosh mainly cybersec

Escaping the Hypervisor: CloudInspect

To get a better grasp of how QEMU (an open-source hypervisor) internals work for a research project, I decided to upsolve cloudinspect from Hack.lu 2021.

The challenge is simple in concept: an out-of-bounds write and read on the hypervisor heap, caused by a custom PCI device.

Read More

HackTM Quals 2023

Happy new year! Recently DiceGang placed second in HackTM qualifiers, meaning we are invited to the finals in Romania in May. I worked on and solved two challenges, cs2100 (RISC emulator pwn) and dragon-slayer (blockchain). I wrote these up with clubby and AdnanSlef for required verification anyway, so here they are.

Read More

Closure of Upper Triangular Matrix Multiplication

Given two \(n \times n\) upper triangular matrices \(A\) and \(B\), I show that \(A * B\) is also upper triangular without using induction.

Proof

For matrix \(A\) to be upper triangular, \(A_{ij} = 0\) for \(i > j\) by definition. Similarly, this is also required of \(B\). We want to show that \(A * B\) also has this property.

First, let's rewrite this property as \(A_{ij} = 0\) for \(i \geq j + 1\), as both \(i\) and \(j\) are integers (it does not make sense to have a non-integer index into a matrix, at least as far as I know).

Rearranging \(i \geq j+1\), we get:

\[i - 1 - j \geq 0\]
\[i - 1 - j + n \geq n\]
\[(i - 1) + (n - j) \geq n\]

This holds for any entry \((AB)_{ij}\) whenever \(i \geq j+1\), which are precisely the entries we want to show are zero!

Read More

What do you do when there's no chmod?

In this post, I note a method to run any binary on a device without needing to use chmod or any other program to make the binary executable.

Read More

Ancient MIPS Cross Compilation

For my IoT security research project at UMD's Breakerspace, I recently needed to compile a custom binary to run on smart devices for experimentation. Previous experimental setups (not designed by me) used a series of Bash scripts, but I discovered they were barely reaching the devices' maximum capacities.

Many IoT devices run embedded architectures like ARM or MIPS(EL), not x86. So I needed to cross-compile my C code to run on the right architectures. I thought I was clever for managing to install gcc-<arch>-linux-gnu on Ubuntu.

Until I tested my code on one particular MIPS device, which gave me "FATAL: kernel too old". What?

uname -r returned the kernel version as 2.6.36+. This kernel version was released in 2010 - talk about an ancient kernel! For reference, the current one is like 5.19. So, I set about trying to compile for MIPS while targeting this kernel version.

Four days and 8+ builds of binutils / GCC / glibc later, I decided nobody else should ever go through the same headaches I went through to compile just a hundred lines of C.

Read More