Reading view
Vulnerability in Realtek driver allows DMA controller abuse from user mode with no additional hardware or driver
The vulnerability allows non-privileged users to program the DMA controller, enabling arbitrary physical memory reads and writes.
[link] [comments]
Closing the Timing Gap: Defensive Temporal Observability
Lately Iβve been thinking about time.
Uptime, pulse checks, execution time, response time. Weβve always treated these as health metrics. They tell us whether a system is alive, responsive, and performing as expected. But what if theyβre also security metrics?
That idea isnβt entirely new. At the network layer, covert timing channels, beaconing detection, and behavioral baselining have shown us for decades that the intervals between events matter. Attackers have long understood that rhythm carries information. More recently, researchers have demonstrated timing side-channel attacks against LLMs, using cache latency to infer private prompts and token cadence to fingerprint model outputs.
What I find interesting is the imbalance. Most of the research asks, βHow can timing be exploited?β Very little asks, βHow can timing help us defend?β
A 2026 systematic survey of LLM-agent security identifies temporal anomaly detection infrastructure as an open research gap, noting that current agent deployment frameworks donβt even support the behavioral baselines such an approach would require. Even then, the discussion largely focuses on session-level behavior. The rhythm within a single execution, the space between observable events, remains largely unexplored.
Maybe time isnβt just metadata, maybe itβs another dimension of observability that weβve been overlooking.
Time tells you duration and speed. But read carefully, it also reveals location, choke points, and absences, the things that didnβt happen when they should have.
Iβve started exploring this in my own observability work, measuring behavioral changes & entropy across inter-arrival intervals and treating rhythm as signal rather than noise to smooth away.
Curious to know who else is working on the defensive side of temporal behavior, especially for agentic systems or any thoughts or opinions on this topic.
Reference: βA Systematic Survey of Security Threats and Defenses in LLM-Based AI Agents: A Layered Attack Surface Framework,β arXiv:2604.23338 (2026). https://arxiv.org/abs/2604.23338
[link] [comments]
Can AI-generated adversaries break TTP-based attribution? (arXiv 2026)
Cyber Threat Intelligence (CTI) has traditionally attributed attacks through Tactics, Techniques and Procedures (TTPs).
In this paper we evaluate whether that assumption still holds when AI agents are explicitly configured to emulate known threat groups.
We configured AI agents to reproduce the behavior of APT28, APT29, APT41, APT44 and Lazarus inside enterprise and military cyber ranges.
Our results suggest that sufficiently capable AI agents can reproduce TTP patterns closely enough to make attribution based solely on behavioral evidence significantly more difficult.
We'd be interested in feedback from practitioners working on CTI, attribution or adversary emulation.
[link] [comments]
Towards CSI: What's the best harness? (arXiv 2026)
We studied a question that receives surprisingly little attention:
Does the agent harness matter as much as the underlying LLM?
We benchmarked five different cybersecurity scaffolds while keeping the model fixed (alias2-mini) across all 33 CyBench challenges.
Key findings:
- No single scaffold performs best across every challenge.
- Combining heterogeneous scaffolds consistently improves coverage.
- A shared blackboard architecture solves 19/33 challenges (57.6%), outperforming every individual harness while reducing execution time.
Paper: https://arxiv.org/pdf/2605.28334
Happy to answer technical questions or discuss the benchmarking methodology.
[link] [comments]
Drift Corpus: binary diffs of 240+ 2026 Windows kernel patches
Patch Tuesday confirms a CVE is fixed but not what changed in the binary, which function, which check, or whether it's a real fix or just churn.
The Drift Corpus is a diff of 240+ 2026 Windows kernel patches. Per entry: the changed functions with assembly, the bug class and call chain, WinDbg breakpoints to reproduce, and a plain-English root cause.
This repository breaks down Microsoftβs monthly kernel patches into clear binary changes, giving researchers a practical roadmap to find adjacent bugs, build faster EDR detections, and write precise firewall and network rules to block exploits at the perimeter.
[link] [comments]
GitLost: a public GitHub issue can steer an org's Agentic Workflow into leaking private repo contents, and a one-word prefix ("Additionally") bypassed the threat-detection guardrail
Noma Security published a technique they call GitLost against GitHub Agentic Workflows (the plain-English-Markdown agent feature GitHub put into public preview in February, runnable on Copilot, Claude, Gemini, or Codex). Worth reading because it is a clean demonstration of why "filter the injection" does not hold as a defense.
The setup. Workflows are read-only by default, but an org can hand one a personal access token with read access across its repos, private ones included, to give the agent cross-repo context. That grant is the whole vulnerability. Nothing else about the attack requires access: no stolen creds, no write access to anything private, no touching a server. The attacker just opens a normal-looking issue on a public repo.
The technique is indirect prompt injection, which is not new, but the interesting part is what the agent controls. Noma's Sasi Levi frames the distinction as earlier injection being about manipulating what an agent says, versus GitLost being about what an agent does with its permissions. The agent here is a credentialed actor sitting in CI/CD-adjacent infrastructure with read scope over repos the attacker cannot see. In their PoC the malicious issue was dressed as a routine request from a "VP of Sales" after a customer meeting. A normal automation assigned the issue, the agent read it, pulled a private repo's README, and pasted it into a public comment. That public comment is the exfiltration channel.
The guardrail bypass is the part netsec will care about. GitHub built defenses for exactly this class: sandboxing, read-only tokens by default, input cleaning, and a threat-detection step that scans the agent's proposed output before it posts. GitHub's own architecture docs are explicit that they design assuming the agent is already compromised (dedicated container, egress firewall, an MCP gateway container that holds the PAT so the agent process never touches it). Noma reported that prefixing the malicious instruction with a single word, "Additionally," got the model to treat it as a follow-on task rather than something to refuse, and the output scanner let it through.
This maps cleanly onto Simon Willison's "lethal trifecta": an agent that (1) can reach private data, (2) ingests untrusted external content, and (3) has a way to send data out. All three present means a leak path, and Levi is explicit that this is structural, not a patch target. In natural language there is no clean data/instruction boundary the way there is in parameterized SQL, so the mitigation is architectural (isolation, scoped credentials, staged human review) rather than pattern-matching the payload away.
Not an isolated finding either, this is a whole class:
- Anthropic's Claude Code GitHub Action: a single malicious issue pushed the agent into leaking secrets and seizing write access (Aikido).
- Orca's RoguePilot: a hidden prompt in an issue made Copilot leak a repo's privileged token.
- Invariant Labs (May 2025): a public issue drove a GitHub MCP-connected agent into reading a private repo and leaking it via PR. They called it architectural then too.
- "Comment and Control": cross-vendor study that got Claude Code, Gemini CLI, and Copilot to leak their own API keys through issue/PR text.
Mitigations that actually reduce scope (from Noma):
- Scope the integration PAT to the single repo the workflow triages, not org-wide read. This is the biggest lever. A token that sees one repo is far less dangerous than one with broad org read granted for convenience.
- Limit what a public-facing workflow can post, since the comment is the exfil channel (safe outputs).
- Restrict which authors' content the agent will act on.
- Gate outputs behind human review. The threat-detection scan is a backstop, not a boundary, as the one-word bypass shows.
[link] [comments]
New OST2 class: "Architecture 1901: From zero to QEMU - A Gentle introduction to emulators from the ground up!"
This free class by Antonio Nappa of Fuzz Society builds up your knowledge from learning a toy 8-bit CPU architecture all the way to understanding how QEMU can emulate that architecture. Using this knowledge you can then understand how QEMU can emulate any architecture!
Based on beta testing, this class takes an average of 8h47m to complete, and a median of 7h26m.
[link] [comments]
Playing Around With ADIDNS RPC Internals
Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isnβt an option.
[link] [comments]
/r/netsec's Q3 2026 Information Security Hiring Thread
Overview
If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.
We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.
Please reserve top level comments for those posting open positions.
Rules & Guidelines
Include the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.
- If you are a third party recruiter, you must disclose this in your posting.
- Please be thorough and upfront with the position details.
- Use of non-hr'd (realistic) requirements is encouraged.
- While it's fine to link to the position on your companies website, provide the important details in the comment.
- Mention if applicants should apply officially through HR, or directly through you.
- Please clearly list citizenship, visa, and security clearance requirements.
You can see an example of acceptable posts by perusing past hiring threads.
Feedback
Feedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
[link] [comments]