exploits.club Weekly Newsletter 63 - Apple Exclaves, Samsung Hypervisor RE, ESP32 "Backdoors", and More

A pretttyyyy slow week this week. Your friendly editor was finally given a few minutes to catch his breath from the crazy start to this year....annnnnnnyways 👇

In Case You Missed It...

  • DistrictCON Live Stream - We mentioned it last week, but didn't realize that the DistrictCON livestreams are on YouTube. Check them out!
  • March 2025 Security Update - Another month, another security update from ZDI. This one includes 6 ITW Microsoft bugs though, so that's fun.
  • Trail Of Bits LibAFL Update - Trail Of Bits added a new section to their Testing Handbook, this one focused on LibAFL. If you have been looking to learn the fuzzing framework a little better, this is a great place to start!

Resources And Write-Ups From This Week:

  • On Apple Exclaves - Interested in XNU internals? Well this new post is sure to scratch that Apple itch. Specifically, it takes a look at Apple Exclaves - resources isolated from XNU. The post starts with a broad overview of previous isolation measures Apple has implemented into XNU over the years - Secure Enclaves (sensitive data store), Page Protected Layer and the Secure Page Table Monitor. It then presents a speculative review of the Exclaves and what they mean for the future of security in XNU. The Exclaves indicate a move towards a secure kernel, potentially supported by ARM TrustZone (although further speculation seems to indicate otherwise). The post then specifically looks at some code additions supporting this hypothesis, and digs deeper into the functionality.
  • Reversing Samsung's H-Arx Hypervisor Framework - DayZeroSec podcast (one of our personal favorites, btw) published some of their own original research on the H-Arx Hypervisor Framework, "Samsung's exynos-implementation of their mobile hypervisor security platform". The post starts with a broad overview of the security model for most Android devices, outlining the execution levels and the separation between the secure and non-secure world. It then looks at the last decade of hypervisor development by Samsung, noting major changes such as the transition from a monolithic design to a modular architecture and the adoption of Rust for certain components. Finally, we get into reversing, which is the perfect mixture of methodology and info sharing. The blog walks through various functionalities of the hypervisor, including startup, plugin loading, and hypercall handling. It alsoooo alludes to a future part two detailing emulation, which we are quite excited to read.
  • The ESP32 "backdoor" that wasn't - A quick response to the recent ESP32 "backdoor" research from Tarlogic. If you missed the original article, essentially Tarlogic noted a "backdoor" in the ESP32. The research community was quick to point out that perhaps the conclusion was a bit misguided - rather just undocumented HCI commands intended to be sent from the host to the controller's firmware to read and write memory. The rebuttal post does call out the fact that the researchers themselves depict this misconfiguration accurately, and the improper terminology seems to have been introduced only in the press release. It goes on to point out past research, other vendor examples, and some conclusions. Drama concluded.
  • Vulnerability Reward Program: 2024 in Review - Another year, another year in review from Google VRP. The new post out of Google takes a look at 2024, highlighting some of the major events for the VRP program, such as the introduction of InternetCTF, the new reward structure, and the Bugcrowd payout option. It then takes a look at the Device, Chrome, Cloud, and AI programs, talking through the program changes and yearly metrics.
  • Node is a loader - A short and sweet little post from Atredis Partners, discussing how require() in Node.js can be used to load addons as normal Node.js modules. The post shows how loading and registration can be done with napi_register_module_v1, using Zig as an example because...well because Zig is fun. From there, it takes a look at hijacking Electron apps by replacing existing .node files with a malicious addon.
  • Representing type lattices compactly - @tekknolagi put together quite a fun post reviewing how the Cinder JIT compiler represents types. The post highlights increasingly better representations of variable types - starting with enums and working all the way to semilattices and bitsets. The write-up explains how organizing types as bitsets within semilattices enables efficient type checks, reducing runtime overhead by precisely tracking type relationships. And best of all, it's well written and extremely approachable...even if you don't come from a theory or language design background.
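If you want to see the bitset trick before reading the post, here is a toy version your editor put together. It is an added example, not code from @tekknolagi's write-up or from the Cinder project (whose JIT is C++, not Python), and the leaf types, the names like `Long` and `Optional[Long]`, and the `refine_on_isinstance` helper are all constructed for this illustration. The point it shows: once every irreducible type owns one bit and every other type is the OR of its leaves, subtyping is `a & b == a`, join is `|`, meet is `&`, and refining a type at an `isinstance` branch is one mask each way - no subtype table, no enum case analysis.

```python
# Added example (not from the newsletter or the Cinder project): a toy type
# lattice where every irreducible "leaf" type owns one bit and every other
# type is the bitwise OR of its leaves. Subtyping, join and meet then become
# single integer operations instead of table lookups or enum case analysis.

# Leaf types, constructed for this example. Bool is kept separate from
# LongExact because Python's bool subclasses int, so "Long" must cover both.
LEAVES = ["NoneType", "Bool", "LongExact", "FloatExact", "Str", "ListExact", "Other"]
BIT = {name: 1 << i for i, name in enumerate(LEAVES)}

TOP = (1 << len(LEAVES)) - 1  # every bit set: an arbitrary Python object
BOTTOM = 0                    # no bits set: unreachable / no possible value

# Named composite types are just unions of leaves (constructed names).
TYPES = {
    "Bottom": BOTTOM,
    **BIT,
    "Long": BIT["Bool"] | BIT["LongExact"],
    "Number": BIT["Bool"] | BIT["LongExact"] | BIT["FloatExact"],
    "Optional[Long]": BIT["NoneType"] | BIT["Bool"] | BIT["LongExact"],
    "Object": TOP,
}


def is_subtype(a: int, b: int) -> bool:
    """a <: b iff every leaf of a is also a leaf of b."""
    return a & b == a


def join(a: int, b: int) -> int:
    """Least upper bound: the type of a value that may come from either branch."""
    return a | b


def meet(a: int, b: int) -> int:
    """Greatest lower bound: values that belong to both types."""
    return a & b


def could_be(a: int, b: int) -> bool:
    """True if some value of type a is also of type b (the meet is not empty)."""
    return meet(a, b) != BOTTOM


def refine_on_isinstance(ty: int, checked: int) -> tuple:
    """Types flowing down the true and false edges of `if isinstance(x, checked):`.

    True edge: values of ty that are also checked (meet).
    False edge: values of ty with every leaf of checked masked out.
    """
    return meet(ty, checked), ty & ~checked & TOP


def name_of(ty: int) -> str:
    """Pretty-print: a named type if one matches exactly, else its leaves."""
    for name, bits in TYPES.items():
        if bits == ty:
            return name
    return "|".join(name for name in LEAVES if ty & BIT[name])


if __name__ == "__main__":
    T = TYPES
    print(is_subtype(T["Bool"], T["Long"]))            # True
    print(name_of(join(T["Long"], T["FloatExact"])))   # Number
    yes, no = refine_on_isinstance(T["Optional[Long]"], T["Long"])
    print(name_of(yes), "/", name_of(no))              # Long / NoneType
```

The reason the bit encoding is sound is that the leaves are pairwise disjoint and the set of named types is closed under union, so the lattice order is exactly bitwise inclusion; a bit that would model a type overlapping two leaves without containing either (no such type exists here) is the case the real post has to handle with more care.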

Interesting Job Postings:

Wrapping Up...

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Don't forget to check out https://bug.directory!

Your second brain - strictly for bugs

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️