Greg's blog


IT security / Privacy


Saturday, February 23 2008

Some news: systems and security, functional programming, blog engine

Some news for the few readers of this blog who must be wondering whether I lost the keys to the cellar I locked myself in. First piece of news: no, I am neither in a cellar nor locked in, but I hadn't found the time to write a post before today. I have gone back to exploit development on Linux, with the goal of handling most userland protections (heap hardening, -fstack-protector-all, ...) and kernel protections (ASLR, NX and others, starting with the basic features of the 2.6 kernel, then moving on to ExecShield and PaX). At the same time, recent news has pushed me to take a closer look at kernel vulns.

In parallel, I still keep an eye on functional programming, notably Haskell. I am taking advantage of my work on userland and kernel vuln exploitation to write concrete and, I hope, useful code in Haskell. For now it's Python or a bit of Ruby (Metasploit), languages much appreciated by the security community alongside those dear dinosaurs, C and Perl. Nevertheless, I think this security work lends itself well to functional programming and to writing DSLs. An interesting project was mosvm, presented by Wes Brown at DefCon and HITB in 2006. It consisted of remotely executing processes in a Lisp VM. This is in the same vein:

Plenty of interesting things to do in prospect :). I'll first continue what I started and seize the opportunities to write Haskell when they come up.

Finally, I had mentioned the redesign of this blog. I figured it was the occasion to migrate to a blog engine written in Python and, why not, just by chance, based on Django. I looked at what was available, tried to build on the django-blog from basic apps, and in the end realized that I needed to really understand each component and to be able to modify them easily. I really became aware of it when I started writing a class and tools to import this blog from dotclear2. So I decided to rewrite a blog engine for my needs. In a sense it's a pity, because it spreads effort instead of concentrating it on a few projects, but I take it as a personal project with no ambition other than meeting my needs, and without wanting to make yet another blog engine like dotclear or wordpress.

Thursday, November 22 2007

nvidia CUDA

Thanks to the Dr. Dobb's Report newsletter, I've learned about nvidia CUDA. It's an SDK that aims to use nvidia GPUs for computing. It includes a C compiler, a hardware debugger (based on the gdb interface), and a profiler. It also includes standard FFT and BLAS libraries. For even more fun, it provides a low-level assembly language layer and driver interface. CUDA is supported on Linux and Windows XP. As one may guess, nvidia only provides binary files.

A comprehensive FAQ is available.

Elcomsoft has already found a usage for CUDA; it recently made some buzz in the news (press release in pdf) by adding support for GPUs in their password recovery products. For an overview of password cracking, check this excerpt from the book Endpoint Security. Password cracking with FPGAs was presented at conferences (like Cracking Wifi... Faster! at layerone), mainly for WEP and WPA cracking. But now there is a growing interest in commodity hardware (like the Sony PS3 with ps3-wepcrack). In fact, why spend money and time on FPGAs if you can use commodity - almost cheap - hardware? I hope we'll soon see john the ripper using CUDA :).

Thursday, November 8 2007

Hushmail and the feds

This morning I read the Wired article, Encrypted E-Mail Company Hushmail Spills to Feds. In short, Hushmail - which is a Canadian company - helped the feds to decrypt the mails of steroid dealers who were using the non-Java webmail service (see the comparison of the Java/non-Java configurations for details). Read also the mail thread between Kevin Poulsen and Hushmail CTO, Brian Smith. He stressed that "The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server-side. This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet.".

Continue reading...

Thursday, November 1 2007

Bunny the fuzzer

When Michal Zalewski does something, it's often worth seeing it. His last project, announced on Bugtraq, is Bunny the fuzzer. It is described as "a closed loop, high-performance, general purpose protocol-blind fuzzer for C programs.". There is still a lot of buzz about fuzzers. They help to spot vulnerabilities in code with or without source code available. Combining tracing with a debugger and fuzzing can be a quick way to find the most superficial vulnerabilities. I need to find a target to give Bunny a try.

Wednesday, October 31 2007

Facebook and privacy

I've just read Replace Facebook Using Open Social Tools, a Wired article I found thanks to Breaking Open Facebook With FOSS on Slashdot. See also Breaking Open Facebook with Open Source Software and Breaking Open Facebook with Open Source Software (Part 2). To sum up quickly, NewsCloud thinks Facebook owns too much information about every user and needs an opensource alternative. Yes, that's true: Facebook knows people's interests, discussions and connections with other people. That's a concern and it needs attention. But how can breaking a single application into a distributed one using different services help to avoid the privacy problem? In fact, you need to know how each service manages your personal information. The problem would also be distributed.

The W3C started an initiative on privacy: P3P. But what could you do if the service doesn't provide the privacy you want? Would you not use the service? I have many doubts when I see what's happening with instant messaging. Most non-technical people I know use MSN. So do I! I actually use kopete, and in addition to my jabber accounts, I have an MSN account. I believe the problem is not about having all your information centralized in one service's databases, it's more about how to control what a provider does with your data. Nowadays, I must trust my service providers. How can I check what they do with my information? Even my ISP. Is it only a promise? Industry has brought compliance standards in quality and security (think SOX, ISO 27001). And in privacy? Are there any privacy compliance standards?

Friday, October 26 2007

Scroogled

I am reading Scroogled, a short novel by Cory Doctorow. French readers may like the translation. It tells the not-so-far story of a former Google employee who is tracked through the data Google had stored about him.

I think it stresses the ubiquitous surveillance that is taking place nowadays, the difficulty of reliably processing this kind of data and how our privacy can be exposed. Sometimes privacy seems to be kept when we provide data to one application. But when all the data from all the web applications we are using are correlated, it starkly exposes our whole public life. Ok, everybody already knows that. It's like contactless transportation cards, credit cards, etc... You can be tracked by so many means. But there, in countries like France, you have the choice to manage the data that is stored about you. It is stated in the Loi Informatique et Libertés, whose application is monitored by the CNIL. It means you need to manage the data about yourself. In a way, Google is now already a well-known case; the current target is Facebook.

Talking about surveillance, check AT&T Invents Programming Language for Mass Surveillance, which quotes http://www.freedom-to-tinker.com/?p... from Andrew Appel (yes, you actually read the man who wrote Modern Compiler Implementation).

To be continued...

Wednesday, October 17 2007

The OpenSSL SSL_Get_Shared_Ciphers() case

This bugtraq post needs further investigation. Ok, it's not a fresh vulnerability (first publicly disclosed on 9/26/2006), but I wonder if it's actually exploitable. First thing to check: is it worth investigating?

Continue reading...

Monday, October 8 2007

Exploit candidates: OpenSSL, libvorbis and QEmu

Today, after a quick review of recent vulnerabilities, I decided to focus on OpenSSL, libvorbis and QEmu. OpenSSL SSL_Get_Shared_Ciphers() is an update of a year-old buffer overflow vulnerability that was fixed, but not fully :). It results in an off-by-one overflow. I didn't find any exploit for this vuln.

On the libvorbis side, DoS and Memory Corruption Vulnerabilities were discovered. No exploit either. As for QEmu, the advisory says "Multiple local vulnerabilities".
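The off-by-one class mentioned for SSL_Get_Shared_Ciphers() is easy to misjudge by eye, so here is an added, generic illustration of that bug class (example code written for this page, not OpenSSL's source or the actual vulnerable function). Both joiners copy a list of names into a fixed-size buffer with ':' separators; the buggy one bounds every character copy but writes the terminating NUL unchecked, and a canary byte placed just past the logical buffer shows the difference. The function names, the 8-byte buffer and the input strings are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the off-by-one bug class, not OpenSSL's code.
   Both functions join `n` strings into `buf` separated by ':'. */

/* Buggy variant: every character copy is guarded by `len < size`, but the
   terminating NUL is not, so when the joined text is exactly `size` bytes
   long the NUL lands at buf[size], one byte past the end of the buffer. */
size_t join_buggy(char *buf, size_t size, const char **names, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && len < size)
            buf[len++] = ':';
        for (const char *p = names[i]; *p && len < size; p++)
            buf[len++] = *p;
    }
    buf[len] = '\0';   /* off by one when len == size */
    return len;
}

/* Fixed variant: reserve one byte for the NUL up front, stop copying at
   size - 1, and refuse a zero-sized buffer. Output may be truncated but
   the write never leaves `buf`. */
size_t join_fixed(char *buf, size_t size, const char **names, size_t n)
{
    if (size == 0)
        return 0;
    size_t limit = size - 1, len = 0;
    for (size_t i = 0; i < n && len < limit; i++) {
        if (i > 0)
            buf[len++] = ':';
        for (const char *p = names[i]; *p && len < limit; p++)
            buf[len++] = *p;
    }
    buf[len] = '\0';
    return len;
}

/* Harness: run a joiner into an 8-byte logical buffer that sits inside a
   larger backing array with a canary byte right after it. Returns 1 if
   the canary survived, 0 if the joiner wrote past the logical buffer.
   The input "ab", "cd", "ef" is constructed so that the joined text
   "ab:cd:ef" is exactly 8 bytes: the edge case that triggers the bug. */
int canary_survives(size_t (*join)(char *, size_t, const char **, size_t))
{
    enum { LOGICAL = 8 };
    char backing[LOGICAL + 1];
    memset(backing, 0, sizeof backing);
    backing[LOGICAL] = 0x7f;            /* canary just past the end */
    const char *names[] = { "ab", "cd", "ef" };
    join(backing, LOGICAL, names, 3);
    return backing[LOGICAL] == 0x7f;
}
```

The canary trick is the same idea a heap or stack protector uses: the interesting input is not a huge string but the one that fills the buffer exactly, which is why unit tests for string-building code should always include the boundary length.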

I'll begin by working on the OpenSSL vuln. This is work-in-progress and I'll update the blog regularly.

I have also seen an interesting lighttpd fastcgi module vulnerability. Not enough time to do everything; I'll look at it later.

Thursday, April 12 2007

Exploiting with Javascript

These last days I've been reading some interesting docs about exploiting hosts with Javascript. As the common workstation is getting harder [1] to pwn with Vista protections (DEP + ASLR + SafeSEH + /GS + Character Filtering [2]), it seems like alternative, easier ways of exploiting clients are more and more interesting. Even more so when a lot of applications and services are converging to the web with the Web 2.0 hype.

Continue reading...

Friday, April 6 2007

Ajax's hype, Cross-Site's fun!

Hey, last week Black Hat Europe 2007 was taking place in Amsterdam. Conference materials are now online and there is some interesting stuff. You will probably like to read Kicking Down the Cross Domain Door (One XSS at a Time), which was covered by Darkreading.

If you like Ajax you may like JavaScript Hijacking ;).