Matthew Norman

CR
h-index: 11
3 papers
13 citations
Novelty: 52%
AI Score: 28

3 Papers

LG · Dec 29, 2024
MATEY: multiscale adaptive foundation models for spatiotemporal physical systems

Pei Zhang, M. Paul Laiu, Matthew Norman et al.

Accurate representation of the multiscale features in spatiotemporal physical systems using vision transformer (ViT) architectures requires extremely long, computationally prohibitive token sequences. To address this issue, we propose two adaptive tokenization schemes that dynamically adjust patch sizes based on local features: one ensures convergent behavior to uniform patch refinement, while the other offers better computational efficiency. Moreover, we present a set of spatiotemporal attention schemes, where the temporal or axial spatial dimensions are decoupled, and evaluate their computational and data efficiencies. We assess the performance of the proposed multiscale adaptive model, MATEY, in a sequence of experiments. The results show that adaptive tokenization schemes achieve improved accuracy without significantly increasing the length of the token sequence. Compared to a full spatiotemporal attention scheme or a scheme that decouples only the temporal dimension, we find that fully decoupled axial attention is less efficient and expressive, requiring more training time and model weights to achieve the same accuracy. Finally, we demonstrate in two fine-tuning tasks featuring different physics that models pretrained on PDEBench data outperform the ones trained from scratch, especially in the low data regime with frozen attention.

CR · Feb 1, 2018
Attacking the Nintendo 3DS Boot ROMs

Michael Scire, Melissa Mears, Devon Maloney et al.

We demonstrate attacks on the boot ROMs of the Nintendo 3DS in order to exfiltrate secret information from normally protected areas of memory and gain persistent early code execution on devices which have not previously been compromised. The attack utilizes flaws in the RSA signature verification implementation of one of the boot ROMs in order to overflow ASN.1 length fields and cause invalid firmware images to appear valid to the signature parser. This is then used to load a custom firmware image which overwrites the data-abort vector with a custom data abort handler, then induces a data-abort exception in order to reliably redirect boot ROM code flow at boot time. This executes a payload which, due to its reliable early execution by a privileged processor, is able to function as a persistent exploit of the system in order to exfiltrate secret information (such as encryption keys) from normally protected areas of memory.

CR · Jan 31, 2018
Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain

Matthew McClintic, Devon Maloney, Michael Scires et al.

We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistent exploit of the system.