security

在圖片裡面放入圖片本身的 MD5 值

在 Hacker News Daily 上看到「The image in this post displays its own MD5 hash (retr0.id)」這篇，作者想要產生一張 PNG 圖，這張圖的 MD5 值就在圖片上呈現。然後作者本人有出現在 Hacker News 討論串上面，提到流量撐不住，所以丟到 Twitter 上面 (而很幸運的，Twitter 沒有壓這張圖，是保留原圖，所以可以驗證 MD5)：

The image in this tweet displays its own MD5 hash.

You can download and hash it yourself, and it should still match - 1337e2ef42b9bee8de06a4d223a51337

I think this is the first PNG/MD5 hashquine. https://t.co/khj8tnEYuF pic.twitter.com/3Aw8F823MZ

— David Buchanan (@David3141593) September 23, 2022

另外一個有趣的主題是同時撞出一樣的 MD5 與 CRC32 的方式，其中 CRC32 的部份還可以直接指定值，在「MD5 Collision with CRC32 Preimage (gist.github.com)」這邊。

算是很趣味的玩法啦，畢竟 MD5 已經被大家知道是個 broken cryptographic hash function...

iOS 12.5.6

早上發現 iPhone 6 Plus 被自動更新到 iOS 12.5.6，查了一下發現是八月底的時候 Apple 推了一版 WebKit 的 ACE，CVE-2022-32893：「About the security content of iOS 12.5.6」。

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

上個更新的版本 12.5.5 是 2021/09/23 出的，本來大家都以為已經沒有任何更新了，沒想到居然回過頭來發了一包，照蘋果的敘述看起來是因為這個洞被廣泛使用的關係？

iPhone 5S (目前 iOS 12 支援列表裡最早出的手機) 是 2013 下半年出的，到現在也九年了...

cURL 的 TLS fingerprint

看到「curl's TLS fingerprint」這篇，cURL 的作者 Daniel Stenberg 提到 TLS fingerprint。

先前在「修正 Curl 的 TLS handshake，避開 bot 偵測機制」與「curl 的 TLS fingerprint 偽裝專案 curl-impersonate 支援 Chrome 了」這邊有提到 curl-impersonate 這個專案，試著在 cURL 裡模擬市面上常見的瀏覽器的 TLS fingerprint。

在 Daniel Stenberg 的文章裡面也有提到這件事情，另外也提到了對 curl-impersonate 的態度：

I cannot say right now if any of the changes done for curl-impersonate will get merged into the upstream curl project, but it will also depend on what users want and how the use of TLS fingerprinting spread or changes going forward.

看起來短期內他是沒打算整，跟當初 curl-impersonate 的預期差不多...

滲透測試的工具，各種搜尋引擎

在 Twitter 上看到的東西：

Good Search Engines for Pentesters#Pentesting #CyberSec #cyberawarness #cybersecuritytips #informationsecurity #infosec #ethicalhacking #bugbounty #bugbountytips #aws pic.twitter.com/NyN2ei76Dc

— Mr.programmer (@freeprogrammers) August 7, 2022

裡面是一張圖，整理一下這 24 個站台：

一堆 .io 網域...

裡面有蠻多服務是偶而會用到的，改拿來當作 pen test 的基礎工作也是蠻好用的，各種預先掃好的結果拿來搜...

Post-Quantum 的 KEM，SIDH/SIKE 確認死亡

似乎是這幾天 cryptography 領域裡面頗熱鬧的消息，SIDH 以及 SIKE 確認有嚴重的問題：「SIKE Broken」，論文在「An efficient key recovery attack on SIDH (preliminary version)」這邊可以取得。

這次的成果是 Key recovery attack，算是最暴力的幹法，直接把 key 解出來。

另外 SIKE 剛好也是先前 Cloudflare 在解釋 Hertzbleed 時被拿來打的目標：「Cloudflare 上的 Hertzbleed 解釋」，這樣看起來連 patch 也都不用繼續研究了...

論文裡面的攻擊對象中，第一個是 Microsoft 在 $IKE challenges 內所定義的 $IKEp182 與 $IKEp217，在只用 single core 的情況下，分別在四分鐘與六分鐘就解出來：

Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges $IKEp182 and $IKEp217 in about 4 minutes and 6 minutes, respectively.

接著是四個參與 NIST 標準選拔的參數，分別是 SIKEp434、SIKEp503、SIKEp610 以及 SIKEp751，也都被極短的時間解出來：

A run on the SIKEp434 parameters, previously believed to meet NIST’s quantum security level 1, took about 62 minutes, again on a single core.

We also ran the code on random instances of SIKEp503 (level 2), SIKEp610 (level 3) and SIKEp751 (level 5), which took about 2h19m, 8h15m and 20h37m, respectively.

在 Ars Technica 的採訪「Post-quantum encryption contender is taken out by single-core PC and 1 hour」裡面，有問到 SIKE 的共同發明人 David Jao 的看法，他主要是認為密碼學界的人對於數學界的「武器」了解程度不夠而導致這次的情況：

It's true that the attack uses mathematics which was published in the 1990s and 2000s. In a sense, the attack doesn't require new mathematics; it could have been noticed at any time. One unexpected facet of the attack is that it uses genus 2 curves to attack elliptic curves (which are genus 1 curves). A connection between the two types of curves is quite unexpected. To give an example illustrating what I mean, for decades people have been trying to attack regular elliptic curve cryptography, including some who have tried using approaches based on genus 2 curves. None of these attempts has succeeded. So for this attempt to succeed in the realm of isogenies is an unexpected development.

In general there is a lot of deep mathematics which has been published in the mathematical literature but which is not well understood by cryptographers. I lump myself into the category of those many researchers who work in cryptography but do not understand as much mathematics as we really should. So sometimes all it takes is someone who recognizes the applicability of existing theoretical math to these new cryptosystems. That is what happened here.

這樣第四輪的選拔只剩下三個了...

Let's Encrypt 更新了 ToS

在「Let's Encrypt’s subscriber agreement changes on Sept 21 (letsencrypt.org)」這邊看到的，Let's Encrypt 有提供 diff 的內容，在「LE-SA-v1.2-v1.3-diff.docx」這邊，你也可以用 Google Docs Viewer 看：「LE-SA-v1.2-v1.3-diff.docx」。

看起來主要是用語上的改變 (可能是律師的建議？)，除了 revoke 的章節外看起來沒什麼大變化。而 revoke 的章節部份增加了這兩段文字：

You warrant to ISRG and the public-at-large, and You agree, that before providing a reason for revoking Your Certificate, you will have reviewed the revocation guidelines found in the “Revoking Certificates” section of the Let’s Encrypt documentation available at https://letsencrypt.org/docs/ , and that you will provide Your corresponding revocation reason code with awareness of such guidelines.

You acknowledge and accept that ISRG may modify any revocation reason code provided by You if ISRG determines, in its sole discretion, that a different reason code for revocation is more appropriate or is required by industry standards.

不確定自動化的 client 需不需要重新再 accept 一次？

原來有專有名詞：TOCTOU (Time-of-check to time-of-use)

看「The trouble with symbolic links」這篇的時候看到的專有名詞：「TOCTOU (Time-of-check to time-of-use)」，直翻是「先檢查再使用」，算是一個常見的 security (hole) pattern，因為檢查完後有可能被其他人改變，接著使用的時候就有可能產生安全漏洞。

在資料庫這類環境下，有 isolation (ACID 裡的 I) 可以確保不會發生這類問題 (需要 REPEATABLE-READ 或是更高的 isolation level)。

但在檔案系統裡面看起來不太順利，2004 年的時候研究出來沒有 portable 的方式可以確保避免 TOCTOU 的問題發生：

In the context of file system TOCTOU race conditions, the fundamental challenge is ensuring that the file system cannot be changed between two system calls. In 2004, an impossibility result was published, showing that there was no portable, deterministic technique for avoiding TOCTOU race conditions.

其中一種 mitigation 是針對 fd 監控：

Since this impossibility result, libraries for tracking file descriptors and ensuring correctness have been proposed by researchers.

然後另外一種方式 (比較治本) 是檔案系統的 API 支援 transaction，但看起來不被主流接受？

An alternative solution proposed in the research community is for UNIX systems to adopt transactions in the file system or the OS kernel. Transactions provide a concurrency control abstraction for the OS, and can be used to prevent TOCTOU races. While no production UNIX kernel has yet adopted transactions, proof-of-concept research prototypes have been developed for Linux, including the Valor file system and the TxOS kernel. Microsoft Windows has added transactions to its NTFS file system, but Microsoft discourages their use, and has indicated that they may be removed in a future version of Windows.

目前看起來的問題是沒有一個讓 Linux community 能接受的 API 設計？

用 SATA 界面產生的電磁訊號突破 Air Gap 限制傳輸資料

在 Hacker News 首頁上看到「SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables」這個，透過 SATA 界面產生的電磁訊號突破 Air Gap 限制傳輸資料，對應的討論在「SATAn: Air-Gap Exfiltration Attack via Radio Signals from SATA Cables (arxiv.org)」。

Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band.

翻了一下論文裡面提到的距離，在 PC-1 上測試到 120cm，對應的 SNR 有 9db：

Table IV presents the signal-to-noise ratio (SNR) received with the three transmitting computers. The signal transmitted from PC-1 has a strength of 20 dB at 30 cm to 9 dB at 120 cm apart. The signal generated from PC-1 and PC-2 were significantly weaker, with 15 dB at 60 cm (PC-2) and 7 dB at 30 cm (PC-3).

另外大概是 PoC 的關係，只有簡單測一下是可行的 (對於真的有利用 air gap 的環境當作一種保護機制的威脅就夠大了)，看起來沒有測極限可以跑多快：

We transmitted the data with a bit rate of 1 bit/sec, which is shown to be the minimal time to generate a signal which is strong enough for modulation.

關於反制的部份，這類的技術 (透過電磁訊號) 之前在其他的裝置上都有發生過，目前的 air gap 標準應該都有電磁訊號洩漏的防範了，這篇主要還是在展示 SATA 也可以這樣搞 XD

Cloudflare 上的 Hertzbleed 解釋

除了 Hertzbleed 當初公佈時的論文與網頁外，Cloudflare 上也有一篇 Hertzbleed 的解釋：「Hertzbleed explained」。

會特別拿出來提是因為這篇是 Yingchen Wang 寫的，也就是 Hertzbleed 論文裡兩位第一作者之一 (另外一位是 Riccardo Paccagnella)，而從她的網站上也可以看到 Cloudflare intern 的資訊：

Graduate Research Intern at Cloudflare, 2022 Summer

Hertzbleed 也是一種 side-channel attack，利用 CPU 會依照電量與溫度，而動態調整頻率的特性來達到遠端攻擊，而不需要在機器旁邊有功率錶之類儀器。

傳統上針對這類執行時間的程式會用 constant-time programming 來保護，但 Hertzbleed 則是利用了 CPU 會動態調整頻率的特性鑽出一個洞。現在學界對這個攻擊方式還不熟悉，等熟悉了以後應該是會把洞鑽大...

依照原理來說，定頻應該會是一個解法... 像是大家現在都很喜歡搞「降壓超頻」，算是某種定頻的方式，而一般大家會設定在全速跑也不會過熱降頻的情況。

目前 Intel 跟 AMD 都決定不 patch，依照洞一向都是愈挖愈大，來期待洞大到 RSA 或是 ECC 被打的那天...

Apple 在 iOS 16、iPadOS 16 與 macOS Ventura 上推出 Lockdown Mode

Apple 在 iOS 16、iPadOS 16 與 macOS Ventura 上推出了 Lockdown Mode：「Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware」。

Lockdown Mode 主要是透過降低被攻擊的面積以提昇安全性，依照 Apple 的預想，主要是針對被政府單位盯上的族群：

Apple is previewing a groundbreaking security capability that offers specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware.

在 Lockdown Mode 下目前列出來的限制：

Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
Wired connections with a computer or accessory are blocked when iPhone is locked.
Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

列出來的這些的確都是之前 0-day 常被拿來打的東西，把攻擊面積縮小的確會有不少幫助。

這應該是業界第一個大咖跳進來做這個 (也就兩個大咖？)，第一次搞未必會完美，但算是個開始，後面應該會有更多的面積被考慮進去...