
Sushi Roll: A CPU research kernel with minimal noise for microarch introspection - matt_d
https://gamozolabs.github.io/metrology/2019/08/19/sushi_roll.html
======
pentestercrab
Interesting comment from the author over on reddit[1] discussing using the
research kernel to "find 0-day in software and hardware for about 2 years".

[1]
[https://old.reddit.com/r/programming/comments/csfj53/sushi_r...](https://old.reddit.com/r/programming/comments/csfj53/sushi_roll_a_cpu_research_kernel_with_minimal/exftu2a/)

~~~
gamozolabs
This kernel is just kind of a playground for projects I have. Specifically
there were a few from this past year or so.

I used this kernel originally for my vectorized emulator, which is designed as
a high-performance fuzzer/harness to find bugs (more info
[https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_e...](https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html)).
I used vectorized emulation on Windows DHCP to find multiple RCEs (which were
disclosed earlier this year), as well as one of the Intel MDS vulnerabilities
(such as RIDL and Fallout) disclosed earlier this year (specifically I found
"MLPDS",
[https://nvd.nist.gov/vuln/detail/CVE-2018-12127](https://nvd.nist.gov/vuln/detail/CVE-2018-12127)).

I do most of my work in a personal kernel as it really gives me an edge with
optimization. I'm able to use page tables directly (super fast fork()-like
behavior), and write hypervisors that don't have to go through crazy call
stacks to vmexit, use bleeding-edge CPU features, etc. Ultimately I just do it
because it's fun, but I've found ways to justify it from time to time.

~~~
bionsystem
Is it a pure hobby project on the side, or do you work for a company /
research lab? That is really interesting btw.

~~~
gamozolabs
I currently work at Microsoft, however my work and my hobby are pretty much
the same at this point so I put a lot of time into it!

------
Fnoord
The exact URL/title was posted one hour earlier.
[https://news.ycombinator.com/item?id=20743260](https://news.ycombinator.com/item?id=20743260)

~~~
dang
No, matt_d's was earlier. The IDs tell all: 20736713 < 20743260.

The reason this was confusing is that we put the earlier post in the
second-chance queue (described at
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)),
which temporarily modifies the timestamps as explained here:
[https://news.ycombinator.com/item?id=19774614](https://news.ycombinator.com/item?id=19774614).
This confusion comes up periodically but I don't know a globally better
solution than how we currently do it.

~~~
saagarjha
Would marking second chance submissions as such help?

~~~
dang
Maybe, but how would we do that in a minimal way that would still be
self-explanatory?

~~~
messe
The alt-text/hover text of the timestamp would be the perfect place for it.
That way it wouldn't bias anyone who doesn't go looking for it explicitly.

~~~
dang
But then the vast majority of users will never know about it, which is not
self-explanatory.

Also, out of curiosity, how does that work on mobile? I know it's a naive
question but I've never figured that out.

~~~
saagarjha
If you stick a title attribute on an image, it will show up when you long
press on it in Mobile Safari. This doesn't work with links, though, because
it'll show the destination instead. Might I suggest just putting the
submission time in parentheses, like "1 day ago (resubmitted 3 hours ago)"?

