undefined | Better HN

0 pointsrevelation8y ago0 comments

There aren't really any special Android ARM CPUs, maybe they are confident it doesn't really work on Android because it's very difficult to get the timing precision and low-level assembly sequences in Java/ART compiled code. Though I wonder how that squares up with JNI.

I think the key to the statement is in any case that you need to differentiate between what is possible on the processor architecture level when you have full software control, and what is possible on an operating system level, where 3rd party applications are further restricted in various arbitrary ways such as only allowed to use Java, limited access to high resolution timing primitives, etc. that can make practical exploitation impossible, even if the flaw is present.

It's difficult to reason about because it's hard to tell if you can manipulate a JIT runtime into generating the code you need for the exploit to work - and as the JavaScript implementations show, the answer is often "yes".

0 comments

mtanski8y ago

JIT engines (and compilers) often generate a familiar instruction patterns. Many JIT engines Target specific languages (like JS) and as result have "simpler" optimizers (less time to do this) and possibly more stable instruction patterns. So my money is on somebody fuzzing the required JS code.

bitmapbrother8y ago

You can develop Android applications in C/C++ using the NDK, thus, giving you full software control if needed.

j / k navigate · click thread line to collapse

0 pointsrevelation8y ago0 comments

0 comments

mtanski8y ago

bitmapbrother8y ago

You can develop Android applications in C/C++ using the NDK, thus, giving you full software control if needed.

j / k navigate · click thread line to collapse