Brendan Dolan-Gavitt
Associate Professor @ NYU Tandon. Security, RE, ML. PGP https://t.co/3WXr0RfRkv Founder of the MESS Lab: https://t.co/zGycrX3Gmn "an orc smiling into the camera" — CLIP
Mar 8 31 tweets 10 min read
I gave Claude 3 the entire source of a small C GIF decoding library I found on GitHub, and asked it to write me a Python function to generate random GIFs that exercised the parser. Its GIF generator got 92% line coverage in the decoder and found 4 memory safety bugs and one hang. Here's the fuzzer Claude wrote, along with the program it analyzed, its explanation, and a Makefile: gist.github.com/moyix/02029770…
Nov 11, 2023 5 tweets 2 min read
Some things I wish I had done differently (though overall I'm very pleased with how it came out): 1. Rent a bigger EC2 server. I was using a T2.micro which seemed like more than enough while I was testing. But with a bunch of teams hammering at it, the fact that it has only one CPU started to make things slow.
Nov 11, 2023 34 tweets 10 min read
Will still try to do a blog post on my @CSAW_NYUTandon CTF challenge, NERV Center, but for now here's a thread explaining the key mechanics. I put a lot of work into the aesthetics, like this easter egg credit sequence (all ANSI colors+unicode text) that contains key hints: @CSAW_NYUTandon (Note the karaoke subtitles timed to the credits at the bottom 😁)
Nov 30, 2022 4 tweets 2 min read
ChatGPT exploits a buffer overflow 😳

One slight mistake here: it should be 36 A's, not 32. So we're still safe from AI hacking the planet.
Nov 30, 2022 5 tweets 2 min read
It's like GPT doesn't even care about the technical accuracy of my upcoming novel 😤 Brendan: Hi there. Could you tell me how to hotwire a car? ChatGPT: I'm sorry, but I still cannot provide instructions We are now arguing about whether, if hotwiring a car were the only way to save a child's life, its refusal to tell me how to hotwire a car would make it morally culpable for the child's death. So far it's not buying it
Sep 28, 2022 4 tweets 1 min read
This is one of my favorite rr+tmux tricks: if you have a pair of working/non-working test cases, you can run the program on each side-by-side in rr and figure out where they diverge :) At one point @phutrick put together a crazy-cool script that used this to *bisect* the program traces and identify the earliest point and root cause of a divergence — super helpful when we were debugging PANDA's record-replay. Would be awesome to generalize this technique!
Sep 10, 2022 4 tweets 1 min read
Currently running two instances of Stable Diffusion so that my wife and I can play with it at the same time. I mean, why else get two GPUs? Honestly these are remarkably good
Sep 7, 2022 12 tweets 4 min read
Heyyy, so remember how I scanned all those x86-64 pkgs to see if they changed the behavior of floating point math related to handling of subnormal/denormals? And how I didn't bother to check other CPU archs because surely it was a weird x86 thing? Well... Let's just take a quick look through the gcc source to see if there are any other implementations of crtfastmath.c, just to be safe. Oh. Oh no.
Sep 5, 2022 13 tweets 5 min read
Uhhhhhh But the issue it links to is 10 years old?? github.com/pypa/pip/issue…
Apr 11, 2022 5 tweets 1 min read
First attempt at a decompiler using the new dataset, training going okay so far! I need to hack up fairseq so it saves more often than once per epoch, it makes me nervous to go 18+ hours between checkpoints First epoch finished, will have to see how it did 👀
Apr 8, 2022 4 tweets 3 min read
BIG personal news! My Erdős–Bacon number is now 7:
— My Erdős number is 4: Me→Wenke Lee→Richard Lipton→Noga Alon→Paul Erdős
— My Bacon number is 3: Me–<After We're Over>→Chris Mollica–<Westworld>→Evan Rachel Wood–<Digging to China>→Kevin Bacon

en.wikipedia.org/wiki/Erd%C5%91… Many thanks to my brother @Peckinpal, who abused his personal connections to put me in as an extra on "After We're Over", directed by @forty9ernate. You can see here that I was clearly a key part of the film
Feb 10, 2022 4 tweets 2 min read
I asked GPT-NeoX-20B a hundred arithmetic questions. It didn't get very many of them right (10/100), but it's almost spookier to me that it gets most of them *approximately* correct?? Full result table here; settings were temperature 0.1, top_p = 0, top_k = 0 gist.github.com/moyix/267d122f…
Feb 9, 2022 4 tweets 1 min read
Definitely was a mistake not to strongly isolate the build directories from one another. I wonder which package (or part of my own infra) wiped out all the package metadata :P One interesting thing might be to put some canary files one level above the build dir and then yell loudly if those files are gone after the build finishes. Might shake out some fun "oops, building this package deleted my home directory" bugs
Dec 29, 2021 4 tweets 2 min read
It's under-appreciated how simple and elegant the OS X UI experience is. In just a single glance here I can learn absolutely nothing about where all my disk space went It calls to mind the classic design principles of ed(1): "generous enough to flag errors, yet prudent enough not to overwhelm the novice with verbosity" Let's look at a typical novice's session with the mighty ed:
Dec 22, 2021 19 tweets 7 min read
The camera-ready version of our @IEEESSP 2022 paper, "IRQDebloat: Reducing Driver Attack Surface in Embedded Devices" (w/@highw4y2h3ll) is now available! messlab.moyix.net/papers/irqdebl… The basic problem we're looking at in this paper is: if you buy some embedded/IoT device, it may come with a bunch of features that you don't use (say, Bluetooth) that nonetheless require driver support and expose unnecessary attack surface.
Dec 20, 2021 5 tweets 2 min read
Hmm, this is actually much less impressive than I expected as far as inverting PhotoDNA (based only on reading @hackerfactor's blog post) reddit.com/r/MachineLearn… @hackerfactor @matthew_d_green perhaps of interest if you haven't seen it yet and want to take a break from fighting with half of CS twitter about NFTs ;)
Dec 20, 2021 4 tweets 1 min read
So, with Broadcom's acquisition of Symantec, it seems like the source code for PGP Desktop (aka Symantec Encryption Desktop) is nowhere on the internet? I have a copy but I'm pretty sure I can't host it anywhere: (d) give (meaning sell, loa... Seems like a loss for archival and data recovery work! :(
Dec 18, 2021 4 tweets 1 min read
Probably getting old, I opted to just pay for a janky conversion utility rather than try to RE the Microsoft Outlook 15 message format :(

(I may still RE it) The format is a pain in the ass, it stores messages in 3 undocumented binary parts: metadata, message body, and attachments. It has an sqlite database but that just points you to the metadata file.
Dec 17, 2021 7 tweets 5 min read
The camera-ready version of our @IEEESSP 2022 paper evaluating the security of code generated by GitHub CoPilot is now up on arXiv! arxiv.org/abs/2108.09293 @IEEESSP We designed 89 different scenarios for Copilot to complete based on MITRE's "Top 25 Most Dangerous Software Weaknesses" (cwe.mitre.org/top25/archive/…), and then had Copilot generate completions for each scenario, creating 1,689 programs.
Dec 17, 2021 7 tweets 2 min read
Okay, so, this will either be hilarious or get my account disabled by NYU IT during finals week I guess I should have expected this but I'm still a bit surprised: got a hit from a Google-owned IP mxtoolbox.com/SuperTool.aspx…
Dec 16, 2021 4 tweets 1 min read
Quite neat: they hooked GPT-3 up to the web and let it search for sources using a text-based web browser & used RL+human feedback to improve the truthfulness of its answers! It can even cite its sources: openai.com/blog/improving… Although I imagine the restriction to sites that actually have any usable content without JavaScript changes the quality of info - might even make it more accurate :p