Showing posts with label security. Show all posts

2020-12-31

what Intel calls Control-flow Enforcement Technology

20.10.8: addx/what Intel calls Control-flow Enforcement Technology:

10.8, 10.9, 10.14: addx/protecting the call stack:

[@] was addx/soa/getting more efficiency along with safety/protecting the call stack

2020-11-03

total formal verification is not possible in 2020

'20.11.3: co.quora/adds/cyb/sec/total formal verification is not possible in 2020:

current efforts at formal verification
cannot yet find all unknown vulnerabilities in software:
. as pointed out by the seL4 team
(who used formal verification to debug a microkernel)
in "What is Proved and What is Assumed",
they are still vulnerable to inaccuracies of the hardware model;
ie, assuming the hardware acts a particular way
when under special conditions it actually does something else.
. some CPU chip instructions are reprogrammable by the manufacturer
with on-chip microcode; eg Intel Microcode
(https://en.wikipedia.org/wiki/Intel_Microcode);
this could either make the CPU more correct
or make it vulnerable to malicious modification?
. also, there was some of the seL4 software
that was not practically verifiable yet:
"there may still be faults remaining in
specific low-level parts of the kernel
(TLB, cache handling, handwritten assembly, boot code)."


2017-08-08

Dr. Daniel Julius Bernstein

7.25: web.cs/sec/Dr. Daniel Julius Bernstein:
. Dr. Daniel Julius Bernstein
is an authority on computer security;
he's a big fan of extreme sandboxing
(where the app is cooperative)
and safe programming languages.
djb's main page, his papers
(and who they are cited by).

2017-03-01

git uses SHA-1 deprecated by NIST in 2011

2.25: news.cyb/dev/sec/git uses SHA-1 deprecated by NIST in 2011:
3.1: summary:
. git allows teams to concurrently work on software;
it uses SHA-1 hashing of versions,
to tell when files of a version have been modified
to help it merge versions of the software.
. SHA-1 has been cracked so you can modify a file
and yet have it result in the same SHA-1 hash,
thereby hiding the fact that it has been modified.
. the leader of git would like to replace SHA-1
with a more secure hash using more bits,
but would like to use a truncated version of that hash
so that git would only have to store and compare
the same number of bits as SHA-1.
. git is assumed by the leader of git, Linus Torvalds,
to be less vulnerable to the SHA-1 attack
because it includes not just the hash of a file
but also its size;
he gives no proof other than appeal to intuition:
can you imagine a way to add working malware to a file
while also keeping both the hash and the size the same?

2016-03-26

reputation-based trust management

2.12: news.cyb/sec/reputation-based trust management:
2.14: summary:
. even if the NSA keeps vulnerabilities in place
so that they may continue accessing their backdoors;
they do not want you pwned by other nation states.
. they recommended "reputation management",
which I believe refers to
reputation-based trust management.

NSA`Tailored Access Operations`Rob Joyce:
. admins need to lock things down as far as possible;
whitelisting apps, locking down permissions,
patching as soon as possible,
and using reputation management.
. when up against a new piece of malware
it will be missed by signature-based antivirus
but could still be caught by reputation.

2016-01-11

#robotics #AI heaven-or-hell-its-your-choice.com

1.10..11: news.cs/robotics/heaven-or-hell-its-your-choice.com:
summary:
. Alan Keeling` Heaven or Hell It's Your Choice;
is a book warning us about the coming robotics age.
. his idea of machine learning dangers is delusional
but he's onto something when he warns that
the current political systems will create killer robotics.
. robotics is a weaponizable technology
and it needs to be tightly controlled by a global government
in order to keep various military powers
from programming the robots to kill each other.
. the reason for capitalism is a sort of fascism
where good people take resources from the others
and good is defined by who's most profitable.
. let the free market decide who makes the money
and thus who can support unlimited breeding rates.
. it's civil war as each culture fights to expand;
and, free markets are the battleground;
but, robotics can be used to cheat capitalism
by sabotaging or killing competitors.
. we need to insist that all robotics are open sourced;
and prove that any robot unleashed in the real world
is following a constitution that hurts no humans.

2014-12-20

securing the virtual machine #addm

addm/sec/securing the virtual machine:
4.20: 12.20: summary:
. a virtual machine can provide security
along with some user freedom to develop code
by using a microkernel architecture
and learning from the Chrome browser team:
you can't build a secure app unless you
secure the underlying OS and firmware too .

2013-12-28

safer C coding

9: news.cyb/dev.c/avoiding remote code execution:
leafsr:
. some C library functions are often used incorrectly,
and consequently result in
remote code execution vulnerabilities:
strcpy, sprintf, memcpy, CopyMemory,
RtlCopyMemory, strcat, alloca
and much more Win32-specific stuff.
. much of the legacy software that is
still critical to many enterprises
contains code that calls these vulnerable library functions.
Despite modern memory protections
like ASLR and DEP
the vulnerabilities these functions introduce
are still exploitable under the right conditions .
 . here's the safe C library
– that implements strcpy_s and friends
as an open source library (MIT license).
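
An added example (not from the original post, and not the safe C library's own code) contrasting the unchecked strcpy pattern described above with a length-checked copy that fails closed instead of writing past the buffer. The names bounded_copy, store_name_unchecked and NAME_MAX_LEN are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16  /* constructed buffer size for the example */

/* Unchecked pattern: strcpy trusts that src fits in dst. Any src of
 * NAME_MAX_LEN bytes or more writes past the end of dst. */
void store_name_unchecked(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hypothetical helper (not the safe C library's API): copy src into dst
 * only if it fits including the terminator. On failure dst is left as the
 * empty string, so nothing is silently truncated or overflowed.
 * Returns 0 on success, -1 on bad arguments or if src does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Scan at most dst_size bytes so an unterminated src is not over-read. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)       /* no room left for the terminator */
        return -1;

    memcpy(dst, src, len + 1); /* len + 1 <= dst_size, includes '\0' */
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* Constructed inputs: one that fits, one that is too long. */
    const char *ok = "alice";
    const char *too_long = "this-input-is-longer-than-sixteen-bytes";
    int rc;

    rc = bounded_copy(name, sizeof name, ok);
    printf("fits:     rc=%d name=\"%s\"\n", rc, name);
    rc = bounded_copy(name, sizeof name, too_long);
    printf("too long: rc=%d name=\"%s\"\n", rc, name);
    return 0;
}
```
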

19: news.cyb/dev.c/SAFECode updates secure dev guide:
.  pubs from safecode.org .
scmagazine:
The Software Assurance Forum for
Excellence in Code (SAFECode),
a nonprofit seeking to advance software assurance,
released an updated guidance document .
The free report includes verification methods and tools
that can be used to confirm whether
development teams have followed prescribed practices.

2013-12-25

Parython is a #ParaSail version based on #python

11.22: news.adda/co/Parython is a ParaSail version based on python:
. a recent ParaSail article mentions Parython, (sources)
more on that earlier? yes but just a mention:
Achieving parallelism and safety at the same time
by eliminating rather than adding features
has worked out better than we originally expected.
One of the lessons of the process has been that
just a small number of key ideas are sufficient to
achieve safe and easy parallelism.
Probably the biggest is the elimination of pointers,
with the substitution of expandable objects.
The other big one is the elimination of
direct access to global variables,
instead requiring that a variable be
passed as a (var or in out) parameter
if a function is going to update it.
Other important ones include
the elimination of parameter aliasing,
and the replacement of exception handling
with a combination of more
pre-condition checking at compile time
and a more task-friendly
event handling mechanism at run time.
So the question now is whether
some of these same key ideas
can be applied to existing languages,
to produce something with much the same look and feel
of the original, while moving toward a much more
parallel-, multicore-, human-friendly semantics.
news.adda/co/ParaSail at oopsla:
. parasail is featured at recent oopsla:
# bringing value semantics to parallel oop,
# parallel tutorial with 
decomposition and work-stealing  .

2013-07-31

reviewing the costs of SOA

31: addm/reviewing the costs of soa:
. when looking at SOA architecture,
how does that affect the
cross-module communications costs ?
there could be a devil in the details;
but, the bird's eye view is that
it could actually be quite minimal .

2013-04-29

security through instruction restrictions:

3.19: adda/exceptions/security through instruction restrictions:
. my style of exceptions has been
having the raiser call the caller's handler;
but, if the caller's code can be corrupted,
then the exception raiser could be exploited .
. it's fun to think about a perfect language,
one that's not corruptible;
but it's safer to have layers of security,
and not depend on a perfect language system .
. say the exception raiser is in ROM
(as it is a library routine)
but the exception handler has a jump instruction
that bypasses a safety guard;
what could save us is a VM that knows when it is
inside an exception handler,
and never executes a jump in such situations .

2013-03-31

combined hardware-virtual isolation

addm/security/combined hardware-virtual isolation:
2.9: 3.31: intro:

. certain attributes of data are essential to security;
eg, by retagging arbitrary data so that it is
usable as a pointer to code,
we can treat malware data as instructions to follow .
. generally all data can be tagged
just as it is done by xml .

. there are 2 possible ways to enforce
process isolation and ROM attributes:
# HW (hardware) mem'mgt,
# VM (virtual machine) mem'mgt .
. hardware mem'mgt can enforce VM mem'mgt:
the VM's run-time exec never needs to change;
so, HW mem'mgt can see that code as const;
also, any file that the VM is trying to interpret
can be treated by the HW mem'mgt as
something that only the VM process can modify .
. finally, the VM has its own process space
and this should keep other processes
from corrupting its work space .

2013-03-09

platforms and requirements to target

1.23: addx/targets are {python, c, obj'c, parasail}:
. if parasail is not on all the needed platforms
the base lang should be obj'c not c;
because, obj'c has better programming-in-the-large features;
well, does it support concurrency?

2013-01-31

globalizing #SOA with web services

 1.30: web: cs/soa/globalizing SOA with web services
Filtering to Inspect XML: an Operational Framework for
Service Oriented Architecture Network Security

www.tacoma.uw.edu ... rbunge.pdf
Robert Bunge1, Sam Chung1, Barbara Endicott-Popovsky2, Don McLane1
1 Computing & Software Systems; Institute of Technology
University of Washington, Tacoma
{rbunge, chungsa, dmclane}@u.washington.edu
2 Center for Information Assurance and Cybersecurity
University of Washington, Seattle
endicott@u.washington.edu

1.30: summary of this paper:

#SOA -- where is #security today?

1.29: web.cs/soa/where is security today?:
. I was looking for updates on
how SOA is preventing malware;
instead, I find this claim about SOA's vulnerabilities:
"( Modern buffer overflows are more difficult to exploit
than Aleph One's
smashing the stack for fun and profit.
You should look into modern bypasses to ASLR
such as heap spraying or heap feng shui.
Attacks like jmp2reg (jmp2esp jump2ebx etc...)
are also interesting for bypasses for ASLR.
Attacking ActiveX components is fun.
I used H.D. Moore's AxMan with great success.
Here is the remote code execution exploit I found
using AxMan .
. Here are more exploits that I have written .
. The best fuzzer is by far PeachFuzz,
and writing some pit files for it
can be very fruitful research.
Buffer overflows and sql injection
are the most talked about,
but there are a couple hundred categories for vulnerabilities
and they are identified by CWE numbers.
It's worth exploring, I think it will surprise you
what NIST thinks a vulnerability is. )"
. that had nothing to do with SOA;
it should have been subtitled
"exploits you can avoid by using SOA" .

2012-08-31

parasail is big win for reliable concurrency

12.7.2: news.adda/co/ParaSail
(Parallel Spec and Impl Lang) is by Ada's Tucker Taft:

first sighting of parasail:
11/09/11 Language Lessons: Where New
Parallel Developments Fit Into Your Toolkit

By John Moore for Intelligence In Software
The rise of multicore processors and programmable GPUs
has sparked a wave of developments in
parallel programming languages.
Developers seeking to exploit multicore and manycore systems
-- potentially thousands of processors --
now have more options at their disposal.
Parallel languages making moves of late
include the SEJITS of University of California, Berkeley;
The Khronos Group’s OpenCL;
the recently open-sourced Cilk Plus;
and the newly created ParaSail language.
Developers may encounter these languages directly,
though the wider community will most likely find them
embedded within higher-level languages.

. ParaSail incorporates formal methods such as
preconditions and post-conditions,
which are enforced by the compiler.
In another nod to secure, safety-critical systems,

2012-08-26

obj' messaging to clarify what's functional

7.28: adda/function/
oop's obj' messaging as a syntax for inout params:

[8.8: 8.16: intro:
. the usual way to manage objects is to
define their interface with a datatype declaration;
eg, t.type: ( ... ) -- that interface can include
both subprograms ( f( x.t ) )
and obj'messages  ( x'f ).
. up to now, that interface declaration
was the only place where we could
define obj'messages;
whereas, subprogram could be defined anywhere:
. there are various declare blocks
( package, record, subprogram, etc).
that can instantiate objects of type t;
eg, (.int:  ... )
-- that's a block that returns an integer;
and, anywhere an object can be declared,
we can also declare subprograms that are
local to the current declare block .]

declare blocks can declare obj'messaging:
. obj'messaging can be seen as
a special style of parameter,
where f(inout x) is instead written as ( x`f ).
. in the context of a type declaration,
( x`f ) is declared simply as ( `f );
because, x is assumed to be
any of the datatype's instantiations;
so, we know what x's type is,
but in a subprogram's declaration of ( x`f )
x's type would not be known;
so, the sub's declaration
would look like this: ( (x.type)`f );
and, a generalization of this would be
(x.type1, y.type2, etc)`f
which is useful for making it obvious that
x,y,etc are all inout parameters;
then we can reserve the syntax ( f(x) )
for functional uses of x,
ie, where ( f ) is not modifying x
nor modifying anything x can access;
ie, if you want to pass a pointer, p,
for the purposes of modifying p's target,
then the needed syntax is p`f, not f(p).

2012-08-18

dynamic linking to video driver

7.11: bk.addm/Gordon Letwin`Inside OS#2:
[8.13: intro:
os/2 was microsoft's next big thing for 1998,
but it never happened despite being
a leap forward in security .
. in this reading session,
I was wondering how it dealt with the issue of
unstable drivers . intro's dynamic linking .]
p89: the familiar static linking:
. the linker handles static links by
noting which symbols are marked external
and hooking those up with similar symbols
to be found in accompanying .obj files .
p29: the new dynamic linking:
. dynamic linking is how operating systems can be
extended or patched by the user or the apps;
just like hardware can accept new circuit boards .
p13:
. because drivers needed protected mode
there would need to be a mode transition
with every write to the display
but we avoid this by having apps
not access device drivers directly;
rather they do so through dynamic linking .
[. how does that explain it?
is dyna'linking facilitating our ability to
run device drivers in user mode?]
p109:
. dyna'linking to the video display driver
is possible because it doesn't require
hardware interrupts;
drivers are generally located in the kernel
only because some are needing access to
hardware interrupts .

2012-07-25

Mac gets some optional Sandboxing

6.2: news.cyb/dev.mac/sandboxes
Apple brings sandboxing to the desktop:
. most PCs have not been into sandboxing
[because backward compatibility was an issue;
smartphone platforms are more recent inventions,
so sandboxing is an obvious good .]
. to access resources within a sandbox,
apps must request “entitlements” [aka, capabilities.]
Android apps must ask the user for permissions
and then the OS constrains the app
to the allowed permissions .
[ but Android apps may be all-or-nothing:
either the user accepts all the requests,
or else the app fails to be usable at all .]
Apple’s iOS sandboxing doesn’t involve the user,
as all permissions are handled by
Apple's App Store evaluators .
[7.25:. in order to be accepted into the app store,
developers must divide their app into modules
so as to more easily explain why each part
needs a particular set of entitlements .][7.20:
Apple decides for the user,
what entitlements are appropriate,
not only for the whole app,
but more smartly, for each of its modules .]
. iOS users can still control certain entitlements:
(eg, opening a list of recent files
or saving documents elsewhere in the file system).

Concerns from Developers:

# no more AppleScript:
[7.20:
AppleScript is a programming language
meant to allow the user to reuse apps
by having scripts make calls to apps .
. if an app wants to reuse other apps,
then it too can use AppleScript
to make calls to other apps;
however, in sandboxing this can't be done,
because,
when an app is entitled to AppleScript
it's entitled to anything AppleScript can do
-- which is basically anything!
. if apps are instead designed to be
reused directly by other apps
then sandboxed apps can still be
entitled to use particular other apps
without having to give them access to
the wide world of AppleScript .]
# no more file system management: [7.20:
. Apple sandboxing asks the user
for each and every file access;
so, apps that need access to many files
or that need to work in the background
are not considered sandboxable;
nevertheless, sandboxing of the file system
could work like vmware's shared folders:
. vmware lets you run an OS in a sandbox
as a virtual machine (vm);
and then gives the vm {read, write} access
to just the folders the user requests
(Virtualbox has a similar feature).
. you can divide your file system by sensitivity levels;
eg, if the sandboxed app has access to the web,
then its entitlements should be
read-only access to non-sensitives,
and write access to a downloads folder .
. letting sandboxes share folders
is important to generativity .]
. see Jonathan Zittrain's Chapter 7 of
The Future of the Internet and How to Stop It .

2012-07-17

android vs iOS

6.13: news.cyb/dev.android/compared to iphone:
7.17: summary:
. surprised to learn that Android dev's
tend to rely on ad' trackers for revenue;
whereas, iphone dev's expect users to pay .
. both platforms have problems with
backward compatibility of apps,
but Android also has problems with
make- and model-specific apps .