Brief items
Security
ClusterFuzzLite: Continuous fuzzing for all (Google Security blog)
Over on the Google Security blog, Jonathan Metzman announced the release of ClusterFuzzLite, which is "a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before". ClusterFuzzLite is a descendant of OSS-Fuzz, which we looked at in 2017.
Large projects including systemd and curl are already using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, “When the human reviewers nod and have approved the code and your static code analyzers and linters can't detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.”
[...]
To learn more, check out the ClusterFuzzLite documentation. ClusterFuzzLite currently supports GitHub Actions, Google Cloud Build and Prow. We built this with CI system extensibility in mind, and adding support for other CI systems is straightforward. Please contact us if you’re interested in contributing support, or have any questions, feedback or feature requests.
Security quotes of the week
We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network.
Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). Our previous work showed that the new n-sided patterns can still trigger bit flips on 31% of today’s PC-DDR4 devices. We propose a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. We implement these patterns in our Rowhammer fuzzer named Blacksmith and show that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in our test pool. Further, our work provides new insights on the deployed mitigations.
— COMSEC introduces Blacksmith
The capture of the regulatory state by capitalism is why companies spy on you: spying only makes money if all costs (breaches, loss of agency, etc) can be externalized onto society, and if companies can manufacture consent by cramming an "I agree" button down your throat. In other words, they spy on you because they can get away with it, because the state permits them. We don't have a federal privacy law with a private right of action, we don't have statutory limits on terms of service. Even where you do have some rights, we let companies take them away with "binding arbitration" waivers that confiscate your right to sue them and join class actions.
Which brings me to Vizio. Vizio is a surveillance company that incidentally manufactures TVs. A Vizio TV nonconsensually spies on you and shows you ads, and it does so despite the fact that you're paying for it. Vizio's latest financials show that the company makes more money from spying on you than it does from selling TVs.
— Cory Doctorow
Kernel development
Kernel release status
The current development kernel is 5.16-rc1, released on November 14. Linus said:
Anyway, it's not a huge release, although it's also not a remarkably small one like 5.15 was (ok, "remarkably small" is relative, when even such small releases have 10k+ commits).. There's a bit of everything in here, and you can look to the appended mergelog for some kind of flavor, but I guess the folio work is worth mentioning, since it's an unusually core thing that we don't tend to see most releases.
Stable updates: 5.15.2, 5.14.18, 5.10.79, 5.4.159, 4.19.217, 4.14.255, 4.9.290, and 4.4.292 were released on November 12. The massive 5.14.19 and 5.4.160 updates came out on November 17, while the equally large 5.15.3 and 5.10.80 updates remain in the review process; they are due at any time.
Quote of the week
No one is appointed as a maintainer, you just have to start handing [out] reviewed-by tags until people start to respect your judgement and then you're a maintainer.
— Dan Carpenter
Development
Git 2.34.0 released
Version 2.34.0 of the Git source-code management system is out. "It is comprised of 834 non-merge commits since v2.33.0, contributed by 109 people, 29 of which are new faces". See this GitHub blog post for a look at some of the more significant changes in this release:
ort does just that: it’s a full-blown rewrite of the merge strategy that aims to emulate the same concepts behind recursive while avoiding many of its long-standing performance and correctness problems. In a merge containing many renames, ort outperforms recursive by 500x. For a series of similar merges (like in a rebase operation), the speedup is over 9000x, in part due to ort's ability to cache and reuse results from previous merges.
Twelve Years of Go (The Go blog)
On November 10, the Go programming language community celebrated the 12th anniversary of its release as open-source software. The post covers a number of different topics, including the consolidation of web sites at go.dev, releases and their features over the last year, as well as a look to the future:
In February, the Go 1.18 release will expand the new register-based calling convention to non-x86 architectures, bringing dramatic performance improvements with it. It will include the new Go fuzzing support. And it will be the first release to include support for generics.
Generics will be one of our focuses for 2022. The initial release in Go 1.18 is only the beginning. We need to spend time using generics and learning what works and what doesn’t, so that we can write best practices and decide what should be added to the standard library and other libraries. We expect that Go 1.19 (expected in August 2022) and later releases will further refine the design and implementation of generics as well as integrating them further into the overall Go experience.
Development quotes of the week
This, fundamentally, is why I believe KDE can and will take over the world. We share the market leaders’ winning strategy and culture of flexibility, and we can supplant them by leveraging our advantages of being free and eternal, our resistance to turning evil because of our diverse stakeholders and decentralized leadership model, and our philosophy of keeping the user in control rather than exploiting them for ad or upgrade revenue.
So I think ultimately we will become the Windows or Android of the Free Open-Source Software world, with projects like GNOME and ElementaryOS competing to be the Apple of FOSS. I think there will absolutely be room for projects like theirs; in fact I think it’s highly likely that they’ll offer a better user experience than we do for people who fit within the usage paradigms they focus on–just like Apple does.
— Nate Graham
Every time we dismiss performance, consider CPython good enough, or claim that Python users aren't demanding multithreading or fast execution and are happy with the plethora of heavyweight workarounds… we're collectively guilty of survivorship bias thinking. Users aren't demanding it because they've long since given up Python and rearchitected code in other languages or spent years engineering workarounds.
— Gregory P. Smith (Thanks to Victor Stinner)
Page editor: Jake Edge