Wednesday, January 13, 2010
Myths of Security
I recently got myself a copy of Myths of Security, written by John Viega, and am honestly impressed; so much so that I decided to blog about it. Not that I expected unimpressive work from John; I am just usually unhappy with books unless they break out the assembly and topsy krett 0dayz. Although this book isn't super technical, it is definitely awesome. With short, entertaining chapters, John takes a head-on approach to addressing the bullshit in the security industry (win!!!), discussing it in language that is technical enough to be enjoyable for geeks but non-technical enough to be understood by the masses. This is really the shining point of the book: by speaking to both audiences, he bridges and explains the frustrations of both sides in understandable terms. You can seriously recommend this book to your parents to help them understand why you have screaming fits whenever the local news mentions anything about hacking. He pulls no punches calling out every part of the security industry, and the end users it sells to: he calls out AV, HIPS, HTTPS, and even Apple fanboys (win+1!). After exposing all the snake oil, he follows through with some sincere, candid suggestions that truly aim to secure users. Overall an awesome book.
Monday, August 10, 2009
I WON TEH PWNIE!
I WON THE PWNIE FOR BEST SONG @ BLACKHAT 2009!! WOOT!
I am very grateful! Thanks to my supporters, my friends, my fans and the Pwnie judges! I received a lot of positive feedback for the track throughout Blackhat and Defcon. I will be trying my very best to get some sort of recording setup out here to make more music.
Wednesday, July 22, 2009
Nice Report
I am nominated for the Pwnie Awards again this year for my song Nice Report. I'm really excited and hope I win, although not having a video to submit seems pretty detrimental after last year's winner :(
Friday, July 10, 2009
time(), GCC, and the linker
While debugging some of my own crappy code I discovered a bug that I thought was interesting. If Kenshoto had hosted the game again this year, I think this would have been a fun bug to stage in a vulnerable CTF service. (Actually, I vaguely remember talking to someone who did this year's quals who said there were some "cute bugs that involved clever timing"; it is very possible it was of the same nature.)
Long story short: if a function is called without a declaration because its header wasn't included, GCC warns about the implicit declaration but compiles the call anyway (it kept doing so even in C99 and later modes until GCC 14, which makes it an error by default). Without a prototype the compiler has nothing to check against: it assumes the function returns int and passes exactly the arguments written at the call site, however many that is. The symbol is then resolved by the linker against whatever library exports it, here libc's time(). Nothing at any stage verifies that the call site and the real definition agree on arguments, which is why -Werror=implicit-function-declaration belongs in every build.
Consider this contrived and barely functional code sample:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
/* <time.h> is deliberately absent: that is the bug being shown.
 * (time_t still compiles because glibc's <stdlib.h> pulls in <sys/types.h>.) */

void (*fp)(void);

void handle_error(void)
{
    printf("you're doing it wrong\n");
}

void handle200(void)
{
    printf("you're still not doing it right\n");
}

/* Picks the handler. Its argument x is the value time() ends up seeing. */
void setvalue(int x)
{
    if (x == 200)
    {
        fp = handle200;
    }
    else
    {
        fp = handle_error;
    }
}

int main(int argc, char *argv[])
{
    time_t mytime;
    int x;
    size_t bufsize = 65 * 1024;
    char *buf;

    buf = malloc(bufsize);
    if (buf == NULL)
        return 1;
    memset(buf, 0, bufsize);   /* was sizeof(buf), which only cleared pointer-sized bytes */
    fgets(buf, bufsize - 1, stdin);
    x = atoi(buf);
    setvalue(x);
    /* No prototype and no argument: time() reads a stale argument slot and,
     * if the value there is non-NULL, writes the current time through it. */
    mytime = time();
    printf("my time is %ld\n", (long)mytime);
    fp();
    free(buf);
    return 0;
}
There is no #include <time.h>, the header that declares time(), yet the code compiles and executes. With warnings enabled (-Wall, or just -Wimplicit-function-declaration) the compiler says: timebug.c:44: warning: implicit declaration of function ‘time’.
I was an idiot for not having warnings enabled while compiling the code I was working on; it would have saved me tons of time (u see wat i did there?)
The prototype for time() is:
time_t time(time_t *t);
And the action taken by time() is as follows:
Get the time from the system.
If the time_t pointer supplied as the only argument is not NULL,
dereference it and store the time there.
Return the time.
In the code sample the call time() passes no argument, but the callee reads its argument slot regardless and finds whatever was left there. On 32-bit x86, where arguments are pushed on the stack, that is the value just pushed for setvalue(x), which still sits in that slot when time() is called, so it is taken as the time_t * argument. (On x86-64 the first argument lives in %rdi; setvalue(x) happens not to clobber it, so the outcome is the same.) If the atoi() call on the buffer returns anything other than 0 (i.e. NULL), time() treats it as a valid pointer, dereferences it and writes the current time there. This wreaked havoc on my code: in my case the last value on the stack was a structure pointer full of linked lists and things, and the bug didn't trigger until free() ran on those lists. Serious pain.
Clever uses of this could be done to stage a fun CTF service. The write target is attacker-chosen (it comes straight from atoi() on the input); the value written is the clock. An attacker who also controls the program's notion of time (say, by MITMing the Network Time Protocol) therefore has an instant write-4-anywhere, 4 bytes being sizeof(time_t) on a 32-bit target. Even without that, the value is predictable: the low 8 bits of the epoch time cycle every 256 seconds (about 4.3 minutes) and the low 16 bits every 65536 seconds (about 18.2 hours), so waiting for a wanted byte pattern is practical. By offsetting the write so only part of the 4-byte value lands on a function pointer or saved EIP (say, only its high 16 bits), in conjunction with heap massaging or other application-specific traits, this bug could be fun ;]
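The following is an added example, not code from the original post. It shows the corrected form of the post's time() call (prototype included, argument passed explicitly) next to the arithmetic behind the "bits rotate" observation: how long an attacker must wait for the low bits of the clock to take a wanted value, and which bytes of a 4-byte function pointer a misaligned 4-byte clock write actually clobbers. The addresses used in main() are made-up 32-bit values for illustration.

```c
/* Added example, not from the original post. Assumes a little-endian target
 * with a 4-byte time_t for the overlap model; addresses in main() are made up. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>   /* the header the buggy program left out: supplies the prototype */

/* Fixed call: with the prototype visible the compiler passes exactly one
 * argument, so time() can never read a stale stack slot or register. */
long fixed_get_time(time_t *out)
{
    time_t now = time(NULL);
    if (out != NULL)
        *out = now;
    return (long)now;
}

/* Seconds to wait until the low `bits` bits of the epoch clock equal
 * `target`. The low bits cycle with period 2^bits seconds: 256 s for 8 bits,
 * 65536 s (about 18.2 h) for 16 bits, the rotation the post describes. */
uint64_t seconds_until_low_bits(uint64_t now, unsigned bits, uint64_t target)
{
    uint64_t period = (uint64_t)1 << bits;
    uint64_t cur = now & (period - 1);
    target &= period - 1;
    return (target + period - cur) % period;   /* 0 when the pattern is already there */
}

/* Model of the misaligned write: a 4-byte little-endian time_t is stored at
 * `waddr`; a 4-byte function pointer holding `fp_old` lives at `fp_addr`.
 * Returns the pointer's value after the write. Only overlapping bytes change,
 * which is how an attacker clobbers just half of the pointer. */
uint32_t overlapped_write(uint32_t fp_addr, uint32_t fp_old,
                          uint32_t waddr, uint32_t value)
{
    uint8_t fp[4], val[4];
    for (int i = 0; i < 4; i++) {
        fp[i]  = (uint8_t)(fp_old >> (8 * i));
        val[i] = (uint8_t)(value  >> (8 * i));
    }
    for (int i = 0; i < 4; i++) {
        uint32_t a = waddr + i;
        if (a >= fp_addr && a < fp_addr + 4)
            fp[a - fp_addr] = val[i];
    }
    uint32_t out = 0;
    for (int i = 0; i < 4; i++)
        out |= (uint32_t)fp[i] << (8 * i);
    return out;
}

int main(void)
{
    time_t now;
    long t = fixed_get_time(&now);
    printf("now = %ld\n", t);

    /* How long until the low byte of the clock reads 0x00? */
    printf("wait %llu s for low byte 0x00\n",
           (unsigned long long)seconds_until_low_bits((uint64_t)t, 8, 0x00));

    /* Hypothetical 32-bit layout: fp at 0x0804a000 holds 0x08048400.
     * Writing the clock at fp+2 replaces the pointer's high 16 bits with
     * the clock's low 16 bits (the part that changes every second). */
    uint32_t fp_new = overlapped_write(0x0804a000u, 0x08048400u,
                                       0x0804a002u, (uint32_t)t);
    printf("fp after write: 0x%08x\n", fp_new);
    return 0;
}
```

Build with -Wall -Werror=implicit-function-declaration; that flag alone would have turned the original bug into a compile error instead of a heap corruption.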
Sunday, July 5, 2009
MOAR POSTS
So I caved in and joined Twitter with all the other techno-hipsters. Apparently the security industry has a hard-on for a broken-down, oversimplified version of web-text IRC. Still, it is a fun and efficient way to keep in immediate touch with friends and other interesting people. With my time being occupied by getting prepared to move, and tweeting, I haven't spent any time posting blog updates. I promise something interesting soon.
For now, I'll just leave this here:
Wednesday, April 1, 2009
This is what we needed.
My buddy Jeff said it best - this is what we needed: I TOLD YOU SO.
Why does the media hype things like Conficker with terms such as "an unthinkable disaster"? How is it unthinkable? Is Conficker going to leverage the technology of its compromised machines to transcend reality and do something beyond the scope of human comprehension? Is it going to build Skynet and go back in time looking for Sarah Connor? Is it going to use PC speakers to generate vibrations that manifest doom spores in the air that infect us and turn us into zombies?
Sure, it could fuck things up. It could delete everything on the infected machines. It could steal information. It could probably wreak DoS havoc on the internet. What's so special about this beyond any other worm of mass propagation? Nothing. It has some semi-clever components, it isn't as absolutely stupid as other worms, and it has an obsession with Rivest's algorithms. OoOOoOo It must be the end of the world.
So to everyone out there: I told you so. We're still alive. Congratulations on reliving y2k over a worm. Again don't get me wrong: it could cause a bunch of stress and rain on some parades. In fact it might still do something after April 1st. Is it worthy of the hype? Is it an unthinkable disaster? Certainly not.
Thursday, March 26, 2009
No Moar Free Hugz
This last week at information security conference CraqPipeWest, security researchers Dr. Raid, Postmodern, CD and Pierce have all decided to make and live by the following mantra:
"NO MOAR FREE HUGZ"
This statement follows the annual conference's competition called Struggle2Snuggle, wherein hackers compete to try and get as physically close as possible to girls who also attend the conference. The contest works in 30 minute rounds, and at the end of each round the hacker who achieves the highest public display of physical interaction with a consenting female wins $50 cash for the round in addition to a free stick of AXE deodorant. The researchers were later quoted in interviews, after being asked about their views regarding the monetary value of hugs:
"No moar free hugz to me really means that these girls can't just expect to get a hug from me for free. I mean I spend time weaponizing my hugs - and I don't even really know what that means when I say it - but it sounds cool. This isn't something I do to make other people money, so they shouldn't be making money off of me. If we're going to be spending time hugging these beautiful women, they should be paying us" - Dr. Raid, Chief of Substance Abuse at Portland based SophSec Research Labs
"It's time that we recognize the effort that hackers have to put into being social like this. I don't smell good, and I bet you don't either. Do you think it's easy for us to hug women?" - Pierce, Manager of Useless Languages, SophSec Research Labs
"Women just don't like getting a beard rubbed in their face." - PostModern, another SophSec member stated before being escorted out of the conference by security for throwing a beer bottle at another attendee wearing a 'Got Root?' shirt.
"I'm actually not legally allowed to have contact with women who are not family, by court orders. This makes hugs really tough for me. Money is really the only thing that makes it worth the risk" - CD, Chief of Epic Lulz, SophSec Research Labs
These views were clearly not held solely by SophSec members, as demonstrated by the crowd who started to cheer as the contest progressed. It would appear as though the information security industry as a whole has been making a collaborative move towards selling hugs to vendors. As time progresses this may open up entire new marketplaces for vendors to exist in, and may even spark hope for revitalizing a broken economy. Until next issue, this is Fail Nobra, reporting for Fired Magazine.