Notices by Pierre H. (madcoder@infosec.exchange)

Aaaaaahhh I had missed the smell of the Californian infrastructure straight from 1983.

Except this time I have a battery.

@rpaulo I come from a country where all power lines were buried between 1990 and 2000. I had not experienced any power outage of more than a few minutes (and maybe 3 times total) in my 15 years as an adult there.

(And I’ve stayed in the middle of storms in places quite more remote and more sparsely inhabited than the South Bay).

I was excited about Embedded Swift, knowing @rauhul was working on swift-MMIO making writing firmwares and drivers in Swift a reality. I’m psyched.

https://forums.swift.org/t/introducing-swift-mmio/68525

Via https://mastodon.social/@tkremenek/111428255698391290

https://x.com/kayseesee/status/1725587747279380831

For people not wanting to click Twitter links:

> I am proud to present you the pre-print of our paper on GWP-ASan. 5+ years of work by four companies, spanning Server, Desktop, and Mobile, running on billions of devices. Finding and fixing thousands of bugs and potential vulnerabilities.

https://arxiv.org/pdf/2311.09394.pdf

Quotes from the article around Apple platforms:

Apple’s variant of GWP-ASan, named Probabilistic Guard Malloc (PGM), is implemented in the standard user space allocator. It was first deployed to customer populations with iOS 14.5 and macOS 11.3 (April 2021) and deployment gradually expanded to additional platforms, including watchOS and tvOS. PGM is enabled for all Apple-owned user space processes (including apps) and integrates with the existing crash reporting pipeline. Crash reports are augmented with additional information about the guarded allocation, most notably the allocation and deallocation stack traces.

[…]

As of September 2023, a total of 3,748 PGM bugs have been filed of which 1,438 are marked fixed with an associated code change.

[…]

In summary, PGM has been an effective tool for finding and diagnosing memory errors at Apple. On average, 2.1 new bugs have been found every day since it was first deployed at scale in April 2021. The additional information in PGM crash reports (most notably, allocation and deallocation stack traces) makes them actionable even without a reproducer, resulting in a high 99% fix rate. In a handful of cases, a single PGM crash report made the difference for diagnosing a known high-impact bug. PGM even found bugs (now fixed) in code that had remained unchanged for over 20 years.

I get a Twitter notification. I’m curious. And it’s that, and I don’t follow the guy. Just wow.