
>Very nice write-up on how unfinished and insecure Fuchsia is as a result of it being so unfinished.

Did you even read the write up? The only bug found was the ability to read the kernel log. Everything else was manufactured.




You’re kidding, right? Did you miss the parts about KASLR being broken and syscalls with TODOs for missing validations? And the CVEs created in relation to these?


I saw one CVE (CVE-2022-0882) for the innocuous kernel log bug. How many CVEs did you see? As for the KASLR, this was a known issue to the Fuchsia devs.

>This is a known-issue. KASLR support on the zircon kernel is just there so that it doesn't bit-rot. We are always picking up a static address instead of a dynamic one.

>Once physboot rollout is complete, that should make it easier to support kaslr.


KASLR is a pretty meh mitigation. But yeah, "todo" around capability checking probably should have been a higher priority fix.



