Older blog entries for argp (starting at number 23)

exploiting the FreeBSD kernel memory allocator

The new Phrack issue is out at last ;)

My contribution to Phrack issue #66 is an article on exploiting FreeBSD's kernel memory allocator, or UMA - the universal memory allocator. The initial inspiration to work on this subject came to me from signedness.org challenge #3 by karl, therefore I felt it was the right thing to do to add karl as a co-author.

Issue #66 contains in total three articles by Greek authors: Exploiting DLmalloc frees in 2009 by huku and Exploiting TCP Persist Timer Infiniteness by ithilgore, in addition to mine. And that's just amazing!

5 May 2009 (updated 5 May 2009 at 06:49 UTC) »

goodbye

+Fravia

Goodbye.

31 Dec 2008 (updated 1 Jan 2009 at 10:52 UTC) »

lastfm.pl

I have updated my last.fm irssi script:

lastfm.pl v0.3

19 Nov 2008 (updated 12 Dec 2008 at 09:53 UTC) »

kernel stack-smashing protection in freebsd-8.0-current-200811

Stack-smashing detection and protection for the kernel has been enabled by default in the latest snapshot of FreeBSD 8.0-CURRENT (200811). This was made possible by the incorporation of SSP (also known as ProPolice) into gcc version 4.1 and later (the 200811 snapshot uses gcc 4.2.1).

Specifically, src/sys/kern/stack_protector.c, which is compiled with gcc's -fstack-protector option, registers an event handler that generates a random canary value (the "guard" variable in SSP terminology). During a function's prologue this canary is placed between the local variables and the saved frame pointer on the kernel stack of the process. When the function exits, the canary is checked against its original value. If it has been altered, the kernel calls panic(9), bringing down the whole system but also stopping any execution-flow redirection caused by manipulation of the function's saved frame pointer or saved return address.

In contrast to StackGuard and StackShield (or even Microsoft's /GS), SSP has been effective against attacks aiming to directly bypass it. This relates to research I have done recently on the subject of kernel stack-smashing attacks. However, SSP can be indirectly bypassed by several methods, for example heap overflows, integer and/or signedness vulnerabilities, and stack overflows of buffers smaller than 8 bytes, among others.
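To make the prologue/epilogue mechanism described above concrete, here is an added software model of an SSP-protected frame. It is example code written for this page, not FreeBSD's stack_protector.c or gcc's instrumentation: the frame layout is a plain struct, the guard constant is a constructed placeholder for the kernel's random value, and the "function body" is an unchecked copy whose length the caller controls. The point it shows is that any overrun of the local buffer must cross the guard before it can touch the saved frame pointer or return address, so the epilogue comparison catches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's random guard value; in FreeBSD the
 * handler registered by stack_protector.c fills the real one with random bytes. */
static const uint64_t guard_model = 0x5f3759dfcafef00dULL;

/* Frame layout the SSP prologue produces for a function with one local
 * buffer: the guard sits between the locals and the saved control data. */
struct frame {
    char buf[8];          /* local buffer (SSP instruments buffers of 8+ bytes by default) */
    uint64_t guard;       /* canary copied from the global guard */
    uint64_t saved_fp;    /* saved frame pointer */
    uint64_t saved_ret;   /* saved return address */
};

/* Prologue: initialise the frame and drop the guard in place. */
static void prologue(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->guard = guard_model;
    f->saved_fp = 0xc0deb00cULL;   /* constructed placeholder values */
    f->saved_ret = 0xc0dec0deULL;
}

/* Function body: an unchecked copy of len bytes into buf. The copy is kept
 * inside the struct so the model stays well-defined C even when it overruns buf. */
static int body_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        return -1;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, len);
    return 0;
}

/* Epilogue: compare the guard with the global. In the kernel a mismatch
 * ends in panic(9); here it is reported as a return value. */
static int epilogue_ok(const struct frame *f)
{
    return f->guard == guard_model;
}

/* Runs one call through the model. Returns 1 for a clean return, 0 when the
 * guard check would have fired, -1 if len does not even fit in the frame. */
int ssp_model_call(const char *src, size_t len)
{
    struct frame f;
    prologue(&f);
    if (body_copy(&f, src, len) != 0)
        return -1;
    return epilogue_ok(&f) ? 1 : 0;
}

/* Whether a copy of len bytes starting at buf reaches the saved return
 * address at all; any such copy has already overwritten the guard. */
int overrun_reaches_ret(size_t len)
{
    return len > offsetof(struct frame, saved_ret);
}

int main(void)
{
    char in[32];                       /* constructed input: a run of 'A' bytes */
    size_t lens[] = { 8, 12, 32 };
    memset(in, 'A', sizeof in);
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %2zu bytes: result=%d reaches_saved_ret=%d\n",
               lens[i], ssp_model_call(in, lens[i]), overrun_reaches_ret(lens[i]));
    return 0;
}
```

Only the 8-byte copy returns cleanly; the 12-byte copy already trips the guard without reaching the saved return address, which is the whole point of the guard's position. The model also shows why the text's caveats hold: a corruption that arrives through the heap, or through a local buffer too small to be instrumented, never passes through this comparison at all.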

privilege vs. permission

The majority of published papers and articles on the area of information security use the terms privilege and permission interchangeably. Even Wikipedia's entry on privilege seems to follow this practice. However, one of the foundations of dynamic trust management is the clear distinction between an entity's privileges and its permissions.

A privilege is an authority given to an entity that approves a specific operation on a specific resource. For example, an entry in an Access Control List (ACL) specifies a privilege, not a permission. A permission, on the other hand, is a value reached when an entity's privileges, together with other attributes of the entity, are evaluated. Therefore, the fact that an entity has been granted a privilege does not necessarily mean that it is able, at a given time, to perform the specified operation on the specified resource.

The dynamic trust management system æther I have designed and implemented as part of my Ph.D. provides an example of using this distinction between privilege and permission in practice.
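As an added illustration of the distinction (example code written for this page, not æther's implementation or its policy), the following C model keeps the two notions in separate functions: has_privilege() is a pure lookup of ACL grants, while has_permission() is the value reached only after those grants are evaluated together with the entity's current attributes. The ACL entries, the trust thresholds, the maintenance window and the entity names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Operations on a resource, as an ACL would encode them. */
enum op { OP_READ = 1u, OP_WRITE = 2u, OP_EXEC = 4u };

/* A privilege: an ACL entry granting ops on resource to entity. */
struct privilege {
    const char *entity;
    const char *resource;
    unsigned ops;          /* bitmask of enum op */
};

/* The entity's attributes at evaluation time (constructed for the example). */
struct entity_state {
    const char *name;
    int trust;             /* current trust score, 0..100 */
    int hour_utc;          /* current hour of day */
    bool authenticated;    /* a live, authenticated session exists */
};

/* Constructed policy: trust required before an operation is permitted. */
static int min_trust_for(unsigned op)
{
    switch (op) {
    case OP_READ:  return 20;
    case OP_WRITE: return 60;
    case OP_EXEC:  return 80;
    default:       return 101;  /* unknown op: never enough trust */
    }
}

/* Privilege check: a pure lookup in the ACL, no attributes involved. */
bool has_privilege(const struct privilege *acl, size_t n,
                   const char *entity, const char *resource, unsigned op)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(acl[i].entity, entity) == 0 &&
            strcmp(acl[i].resource, resource) == 0 &&
            (acl[i].ops & op) == op)
            return true;
    }
    return false;
}

/* Permission: the value reached by evaluating the privilege together with
 * the entity's attributes. Holding the grant is necessary but not sufficient. */
bool has_permission(const struct privilege *acl, size_t n,
                    const struct entity_state *e, const char *resource, unsigned op)
{
    if (!has_privilege(acl, n, e->name, resource, op))
        return false;                       /* nothing granted, nothing to evaluate */
    if (!e->authenticated)
        return false;                       /* grant held, but no live session */
    if (e->trust < min_trust_for(op))
        return false;                       /* grant held, trust currently too low */
    if (op == OP_WRITE && e->hour_utc >= 2 && e->hour_utc < 4)
        return false;                       /* constructed maintenance window for writes */
    return true;
}

/* Constructed ACL: alice may read and write, bob may only read. */
const struct privilege sample_acl[] = {
    { "alice", "/srv/db", OP_READ | OP_WRITE },
    { "bob",   "/srv/db", OP_READ },
};
const size_t sample_acl_len = sizeof sample_acl / sizeof sample_acl[0];

/* Evaluates alice's write permission on /srv/db under the given attributes;
 * the grant never changes, only the attributes do. */
bool alice_can_write(int trust, int hour_utc, bool authenticated)
{
    struct entity_state alice = { "alice", trust, hour_utc, authenticated };
    return has_permission(sample_acl, sample_acl_len, &alice, "/srv/db", OP_WRITE);
}

int main(void)
{
    printf("alice holds write privilege: %d\n",
           has_privilege(sample_acl, sample_acl_len, "alice", "/srv/db", OP_WRITE));
    printf("alice write permission at trust 70, 12:00 UTC: %d\n", alice_can_write(70, 12, true));
    printf("alice write permission at trust 30, 12:00 UTC: %d\n", alice_can_write(30, 12, true));
    printf("alice write permission at trust 70, 03:00 UTC: %d\n", alice_can_write(70, 3, true));
    return 0;
}
```

The same ACL entry yields permission in one evaluation and no permission in the next, which is exactly why an ACL can only ever record privileges; the answer to "may this entity do this now" has to come from an evaluation step that also consults the entity's other attributes.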

20 Oct 2008 (updated 7 Nov 2008 at 10:23 UTC) »

linksys wrt54gl resurrection

Last week I was experimenting with various changes to OpenWrt Kamikaze version 7.09 on my Linksys WRT54GL wireless router. The objective was to modify the Kamikaze firmware for WRT54GL in order to implement a rogue access point for use in various penetration testing contracts. I decided to start the whole endeavor since the Airsnarf Rogue Squadron firmware only supports the WRT54G model. After a lot of successful firmware flashings during testing, I eventually (and perhaps unavoidably) flashed my router with a corrupted firmware. The result was a dead WRT54GL that was not replying to pings, not even after a hard reset.

To resurrect it I followed void main's WRT54G revival guide. Although the guide was written for the WRT54G model, it is mostly applicable to WRT54GL as well. One of the main differences is that I had to short pins 16 and 17, not 15 and 16 (see the photograph):

[photograph: wrt54gl-1-small]

A rather important tip is that right after a successful flashing you should always enable the boot_wait NVRAM option in order to be able to use the TFTP bootloader. This will save you a lot of time if you are in the edit-compile-upload firmware-debug cycle.

Final note: I was triumphant and there was much rejoicing indeed.

11 Sep 2008 (updated 25 Mar 2009 at 18:48 UTC) »

greek web of trust (update)

26 Aug 2008 (updated 25 Mar 2009 at 18:49 UTC) »

diagram of the greek web of trust (update)

11 May 2008 (updated 25 Mar 2009 at 18:50 UTC) »

diagram of the greek web of trust

After the meeting of 23 April in Thessaloniki I decided to create (and maintain) a diagram of the Greek web of trust. Obviously this undertaking requires a large volume of initial data and automation of the graph-generation process. I satisfied the second requirement with a simple Perl program of a few dozen lines that uses the sig2dot.pl program as a library.

To help satisfy the first requirement, you can contribute by sending me, at the address argp at domain cs.tcd.ie, the output of the command gpg --list-sigs > $USER.txt.

Some first results are shown below. The recent meeting in Thessaloniki is visible in the upper right part of the graph.

meeting for collecting/exchanging signatures on pgp/gpg keys

On Wednesday 23 April 2008 a meeting for collecting/exchanging signatures on pgp/gpg keys will take place in Thessaloniki. To participate you will need an official document certifying the identity that corresponds to your key, and several copies of your key's fingerprint and your name written on paper.

More information about the procedure to be followed is available here.

The exact place and time will be announced in the coming days.
