Panopticon 看起來頗不錯,可以直接解機械碼轉成 assembly,再把 flow 畫出來讓人理解:
不過還不知道遇到 dynamic self-decoding 的程式會怎麼處理,另外我記得好像有些商用的 solution 已經有提供了,不知道相比起來如何。
解譯機械碼的 Panopticon
Tag: code
美國政府應該已經取得大量原始程式碼,而且 CEO 不知情
從 Bruce Schneier 這邊看到的:「Companies Handing Source Code Over to Governments」。
直接對員工下法院命令,並且不得告知任何其他人有這個命令 (包括 CEO):
These orders are so highly classified that simply acknowledging an order's existence is illegal, even a company's chief executive or members of the board may not be told. Only those who are necessary to execute the order would know, and would be subject to the same secrecy provisions.
跟中國企業的情況類似。
GitHub 支援 HTTP Code 451 了...
GitHub 宣佈支援 HTTP Code 451 了:「The 451 status code is now supported」。也就是 RFC 7725 的「An HTTP Status Code to Report Legal Obstacles」。
目前會把因為 DMCA takedown notice 下架的內容以 HTTP Code 451 標出:
The GitHub API will now respond with a 451 status code for resources it has been asked to take down due to a DMCA notice.
HTTP Code 451 的點子出自「華氏 451 度」這本書,表示紙的燃點。
Git 的安全性問題
在「Remote Code Execution in all git versions (client + server) < 2.7.1: CVE-2016-2324, CVE-2016‑2315」這邊看到歡樂的 CVE-2016-2315 與 CVE-2016-2324,屬於 RCE 類漏洞。
Git 2.7.1 之前的所有版本都有問題,看起來由於問題過於大條,在 2016/02/06 發表的「Git v2.7.1 Release Notes」沒有標出這兩個 CVE,讓所有 vendor 有時間升級。
不過看起來 GitLab 不在被通知的 vendor 裡面,很無奈的在 CVE 公開後馬上推出新版,需要升級到最新版本:「GitLab 8.5.7 Released」。
四位數密碼的分佈
分析信用卡四位數密碼的分佈:「PIN number analysis」。
透過已經外洩的資料分析:
Obviously, I don’t have access to a credit card PIN number database. Instead I’m going to use a proxy. I’m going to use data condensed from released/exposed/discovered password tables and security breaches.
19xx 那邊特別高,拉出來看可以看到分佈:(很像是出生年 XDDD)
相同的 abab (前兩碼與後兩碼相同) 也可以看出特別高,而 aaaa (四碼都一樣) 的特別亮:
當不只四碼時,也有一些數據:
另外是特別高的 1004 的原因:
Many people also asked the significance of 1004 in the four character PIN table. This comes from Korean speakers. When spoken, "1004" is cheonsa (cheon = 1000, sa=4).
"Cheonsa" also happens to be the Korean word for Angel.
GitHub 提供更輕量的 Commit Reference SHA-1 API
GitHub 提供了新的 API 讓 client 可以更省網路資源,同時 GitHub 本身也可以省下 query。雖然是 Preview 期間,但已經有專案開始用了:「Commit Reference SHA-1 Preview Period」。
本來是這樣抓:
curl "https://api.github.com/repos/Homebrew/homebrew/commits/master" \ -H "Accept: application/vnd.github.chitauri-preview+sha"
現在則可以加上 If-None-Match:
curl "https://api.github.com/repos/Homebrew/homebrew/commits/master" \ -H "Accept: application/vnd.github.chitauri-preview+sha" \ -H "If-None-Match: \"814412cfbd631109df337e16c807207e78c0d24e\""
當本地與遠端的 SHA-1 值一樣時會收到 304,而且不會吃 rate limit quota:
If the remote and your local branch point to the same SHA-1 then this call will return a 304 Unmodified status code (and not use your rate limit).
尤其是當 commit reference 指到的 commit 特別大包時,可以省下很多資源...
CVE-2015-7547:getaddrinfo() 的 RCE (Remote Code Execution) 慘案
Google 寫了一篇關於 CVE-2015-7547 的安全性問題:「CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow」。
Google 的工程師在找 OpenSSH 連到某台特定主機就會 segfault 的通靈過程中,發現問題不在 OpenSSH,而是在更底層的 glibc 導致 segfault:
Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.
由於等級到了 glibc 這種每台 Linux 都有裝的情況,在不經意的情況下發生 segfault,表示在刻意攻擊的情況下可能會很糟糕,所以 Google 投入了人力研究,想知道這個漏洞到底可以做到什麼程度:
Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!
在研究過程中 Google 發現 Red Hat 的人也在研究同樣的問題:「(CVE-2015-7547) - In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)」:
In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn't immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”
攻擊本身需要繞過反制機制 (像是 ASLR),但仍然是可行的,Google 的人已經成功寫出 exploit code:
Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code, but a non-weaponized Proof of Concept has been made available simultaneously with this blog post.
技術細節在 Google 的文章裡也有提到,buffer 大小固定為 2048 bytes,但取得時有可能超過 2048 bytes,於是造成 buffer overflow:
glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
另外 glibc 官方的 mailing list 上也有說明:「[PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow」。
Android NDK 宣佈向 Clang 靠攏...
在 Hacker News Daily 上看到 Android NDK 宣佈向 Clang 靠過去的消息:「Changelog for NDK Build 2490520」。
Android NDK 做為效能的加速手段而使用到 C 或是 C++,所以會使用對應的 compiler suite:
The NDK is a toolset that allows you to implement parts of your app using native-code languages such as C and C++. Typically, good use cases for the NDK are CPU-intensive applications such as game engines, signal processing, and physics simulation.
而粗體的兩段則說明了遷移:
PSA: Everyone should be switching to Clang.
以及:
GCC in the NDK is now deprecated.
HTTP Status Code 451
前陣子送出的 HTTP Status Code 451 要通過成為標準了:「Why 451?」。
Today, the IESG approved publication of "An HTTP Status Code to Report Legal Obstacles". It'll be an RFC after some work by the RFC Editor and a few more process bits, but effectively you can start using it now.
取自「華氏451度」這部講出版物言論自由的作品 (紙的燃點是華氏 451 度),在 Internet 時代,451 剛好在 HTTP Status Code 4xx 的範圍,被拿來用做「因法令限制而服法提供內容的 Status Code」。
在文件開頭說明了這個代碼的用途:
This document specifies a Hypertext Transfer Protocol (HTTP) status code for use when resource access is denied as a consequence of legal demands.
微軟的 CodePush
看到微軟推出的 CodePush,針對 Cordova 或 React Native 類透過 WebView 跑的程式提出的方案。原因是 Apple 的 App Store 審核都要很久,透過 CodePush 可以直接更新程式:
CodePush is a cloud service that enables Cordova and React Native developers to deploy mobile app updates directly to their users’ devices. It works by acting as a central repository that developers can publish certain updates to (e.g. JS, HTML, CSS and image changes), and that apps can query for updates from (using our provided client SDKs). This allows you to have a more deterministic and direct engagement model with your end-users, while addressing bugs and/or adding small features that don’t require you to re-build a binary and/or re-distribute it through any public app stores.
FAQ 文件裡提到了這點:(Frequently Asked Questions · CodePush)
Does the Apple App Store allow developers to perform these types of updates?
According to section 3.3.2 of Apple’s developer agreement, as long as you are using the CodePush service to release bug fixes and improvements/features that maintain the app’s original/presented purpose (i.e. don’t CodePush a calculator into a first-person shooter), then you will be fine, and your users will be happy. In order to provide a tangible example, our team published a (pretty cheesy!) CodePush-ified game to the Google Play Store and Apple App Store, and had no problems getting it through the review process.
Because Cordova apps are executed within a WebView, and React Native apps are executed within JavaScriptCore, from a technology perspective, these runtimes are unique in their ability to leverage dynamic code downloads according to the aforementioned Apple developer agreement.
同樣的想法如果真的可行,應該會有其他更開放的 open source 方案可以用 (而非綁定性的服務,而是可以掛到自己的 CDN 上下載更新),先觀察一陣子...