Thomas Ptacek | September 23rd, 2005 | Filed Under: Uncategorized
I’m saving this post, and keeping it handy to send to vendors who claim that heap overflows aren’t exploitable. It’s funnier if, about 2/3rds of the way in, you start imagining Wallace Shawn from the Princess Bride reciting it.
(A classy followup too, I have to say).
Thomas Ptacek | September 19th, 2005 | Filed Under: Uncategorized
Too busy to post. EOM.
Thomas Ptacek | September 8th, 2005 | Filed Under: Uncategorized
If you’re on a Mac (and if you aren’t, what the hell is wrong with you?):
alias cbuf '(echo "u_char buf[] = {" && hexdump -ve \'/1 "0x%.2x,"\' !* && echo && echo "};" )' cbuf binary.dump | pbcopy <switch to Emacs> <paste>
pbcopy and pbpaste are two tools that have changed my life over the past few months. I have a sad, sad little life.
Thomas Ptacek | September 8th, 2005 | Filed Under: Uncategorized
A little known (to me) trick with hexdump(1):
( echo ‘u_char buf[] = {’ && hexdump -ve ‘/1 “0x%.2x,”’ binary.dump && echo && echo ‘};’ ) > foo.c
Makes hexdump print a valid C-language representation of a binary file, suitable for inclusion into a program that, say, replays the the dump with minor (or major) modifications.
I learned something else new today using this trick, but it’ll have to wait for the advisory publication.
Thomas Ptacek | September 2nd, 2005 | Filed Under: Uncategorized
Nate points me to this interview with Stefan Savage. Savage is a personal hero (though so’s Nate, I guess). Some quick highlights:
Sting sends out-of-order overlapping TCP segments, generating a lock-step sequence of TCP data and ACKs, and uses it to distinguish TCP performance in both directions.
TCP Daytona individually ACK’s each byte of a whole TCP segment, predictively acknowledges TCP segments that have yet to be received, and spoofs duplicate ACKs to accelerate porn downloads and defeat TCP congestion control. This paper is required reading.
Stochastic Edge-Sampled Traceback (he didn’t give this one a cool name) probabilistically encodes router/nexthop records into the 16 bit fragment ID field in the IP header to trace spoofed packets back to their origin.
The SWAT 802.11 DDoS tool that introduced deauth, spoofed associations and power-sleep messages and exploited them using an undocumented debug port in 802.11 NICs to intercept and modify frames in the NIC’s SRAM buffer. (Metric for excellent security paper: the exploit methodology is at least as clever as the vulnerabilities discovered).
Earlybird, which introduces “scaled bitmap” hashing and applies flow-based top-talker detection techniques to content hashes to create a worm fingerprint generator. Cisco bought this technology in a startup transaction that seems to have set the land-speed record for startup to acquisition.
From the interview:
As I understand it, Stephanie Forrest of the University of New Mexico published the seminal paper on computer immunology. Why did this concept take root and how has the field changed?
Stephanie pointed out that the homogeneity of our software base is a key vulnerability —- that a single bug in a popular application can allow an attacker to compromise millions of computers. She proposed the idea of creating a kind of Internet immunity via “artificial heterogeneity” with each piece of software being subtly changed from the others so an attacker could find no common point of entry. Ten years ago people thought she was crazy, but the threat has become real and her proposed solution is now considered a very sexy research area.
This is a dumb idea, though not one in which I’ve noticed Savage’s team doing much work. Computers aren’t animals (you know I mean it when I cite Ranum). The “diversity” most people propose injecting into software addresses only one exploit of one vulnerability. The “diversity problem” in general (IE, the MSFT “monoculture”) could only be reduced at a drastic and unjustifiable cost to productivity.
Nate retorts by saying that he’s recommended “surgically” increasing diversity, by moving clients from general-purpose libraries to custom-built implementations of just the subset of the protocols they use. I buy that this helps Nate’s clients, but not that it’s an approach that will work for society in general.
The problem as I see it: everyone can’t custom-build everything. That defeats computer engineering and probably amplifies vulnerability. So the challenge is to identify the 1% of all code that must be secure, the same way we identify the 1% of code that benefits from hand-scheduled assembly code. But security concerns infect code in ways that performance bottlenecks don’t; vulnerabilities we find in software are rarely in the places we first look, and security can’t be profiled for.
And if the idea of bloatware is a myth, “simplifying” protocol implementations (or “diversifying them”) really doesn’t accomplish anything in the long run; eventually every aspect of the implementation has to be replicated, and if it isn’t coded securely, we’re just pushed the problem around.
Matasano is a team of internationally respected security experts who have led security efforts at @stake, Microsoft, ISS, Secure Computing, Arbor Networks, Secure Networks, Bloomberg, Sandia Labs, and others. Read more about our team and how we can help you today.
©2008 Matasano. All Rights Reserved.
