Title: Distributed Computing without Surprises
1Distributed Computing without Surprises
- Denis A Nicole
- 30th November 2005
2The Sony Rootkit
- It's too easy to develop broken software
- From hacker to everybody's PC in six years.
4Just call a hack $sys$foo and nobody can find it
- World of Warcraft hackers using Sony BMG rootkit
- Published 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Posted by Robert Lemos
5Writing to Sony
Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)
From: contentprotectionhelp@info.sel.sony.com
To: D.A.Nicole1@soton.ac.uk
Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)

Thank you for contacting Sony BMG Online.

Sony BMG and First 4 Internet have just released an update that will completely remove the rootkit based DRM content protection software and replace it with a non-rootkit DRM technology that is compatible with all current security protocols.

To ensure the security of your system, please visit their software update website to obtain and install Service Pack 2 at

http://updates.xcp-aurora.com
6It just gets worse
Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)
From: contentprotectionhelp@info.sel.sony.com
To: D.A.Nicole1@soton.ac.uk
Subject: Notification of potential security issue (KMM15645015I21924L0KM)

Thank you for contacting Sony BMG Online.

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files:
7And people laugh at you
Analysis

Sony BMG has made a prudent decision after more than ten days of intense criticism from industry observers and consumer advocates to end the use of its highly controversial DRM technology. This will help the company recover from what has become a serious public-relations problem, but Sony BMG still faces lawsuits filed by PC users who allege that their PCs have been damaged by the technology.

What makes the Sony BMG incident even more unfortunate is that the DRM technology can be defeated easily. Gartner has identified one simple technique: the user simply applies a fingernail-sized piece of opaque tape to the outer edge of the disc, rendering session 2 (which contains the self-loading DRM software) unreadable. The PC then treats the CD as an ordinary single-session music CD, and the commonly used CD "rip" programs continue to work as usual. (Note: Gartner does not recommend or endorse this technique.) Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety.
8Subject: Winsock 2 LSP Problems.
From: "Ceri Coburn"
Date: Thu, 15 Aug 2002 12:19:23 +0100

Hi, I am having problems with creating a winsock LSP. I am going off the LSP example that's in the Platform SDK. I can get the ws2_32.dll to call WSPStartup but when debugging an application that uses winsock they fall over with the following error:

(558.55c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000202 edx=00dfd740 esi=0013eb08 edi=00000202
eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
kernel32!InterlockedIncrement+9:
77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????

Anybody got any ideas on why it's doing this?

http://www.osronline.com/lists_archive/ntfsd/thread2716.html
10I think I have the right man
Note: If this seems rather personal, it's here because the seminar was combined with one by Hugh Glaser on using the Semantic Web to track personal identity.
11XCP is not Sony BMG's only broken content protection software
http://www.eff.org/IP/DRM/Sony-BMG/MediaMaxVulnerabilityReport.pdf
12And of course the patch is insecure
http://www.freedom-to-tinker.com/?p=942
13Moral
- Where was driver signing in all this?
- Why do users need to install drivers?
- Why do you need to be an Administrator (Power User) to do stuff?
- Does anybody understand ACLs? Privileges?
  http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx
  How to Shoot Yourself in the Foot with Security, Part 2
14Some stuff is just language design mistakes

```java
class Crash {
    public static String wallop() {
        return "Crash";
    }
}

class Bang extends Crash {
    public static String wallop() {
        return "Bang";
    }
}

public class prog {
    public static void main(String[] arg) {
        Crash b = new Bang();
        // wallop() is static, so the call is bound at compile time to the
        // declared type Crash, not the runtime type Bang: static methods
        // are hidden, not overridden.
        System.out.println("I'm a " + b.wallop());
    }
}
```

    E:\D1\Temp>javac prog.java
    E:\D1\Temp>java prog
    I'm a Crash
15Good bedtime reading
16Some is just lazy interfaces

```csharp
using System;
using System.Data.SqlClient;
using System.Web.Services;

// Deliberately flawed example, reproduced as the slide (and the book it quotes)
// shows it; the bugs are listed on the next slide.
[WebMethod(Description="Shipping Status")]
public string GetShippingStatus(string Id) {
    string Status = "No";
    string sqlstring = "";
    try {
        SqlConnection sql = new SqlConnection(@"data source=localhost;" +
            "user id=sa;password=password;" + "initial catalog=Shipping");
        sql.Open();
        sqlstring = "SELECT HasShipped" + " FROM detail" +
            " WHERE ID='" + Id + "'";
        SqlCommand cmd = new SqlCommand(sqlstring, sql);
        if ((int)cmd.ExecuteScalar() != 0)
            Status = "Yes";
    } catch (SqlException se) {
        Status = sqlstring + " failed\n\r";
        foreach (SqlError e in se.Errors) {
            Status += e.Message + "\n\r";
        }
    } catch (Exception e) {
        Status = e.ToString();
    }
    return Status;
}
```
17Bugs
- Connecting to the SQL database as sa, the sysadmin account.
- The sysadmin account has an easy-to-guess password.
- The code is susceptible to SQL injection.
- If the SQL communication fails, the Web service will send a great deal of data back to the attacker, including the text that makes up the SQL statement.
- DoS: an invalid SQL statement will cause the SQL classes to throw an exception. However, the connection to SQL Server will not be closed. Eventually, it will be garbage-collected.
- This is an example from a how-to book.
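The injection, the error-message leak and the unclosed-connection bug from the list above, replayed against an in-memory SQLite database. This is an added example in Python, not the C# code from the slide or from the book it quotes; the `detail` table, its rows and the two attacker inputs are constructed for the demo, and `get_shipping_status_fixed` is the author's suggested repair (bound parameter, generic error, deterministic close), not anything the slides show.

```python
import contextlib
import sqlite3


def shipping_db():
    """Constructed stand-in for the 'Shipping' catalog: three orders, two shipped."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE detail (ID TEXT PRIMARY KEY, HasShipped INTEGER)")
    db.executemany("INSERT INTO detail VALUES (?, ?)",
                   [("ORD-1001", 1), ("ORD-1002", 0), ("ORD-1003", 1)])
    return db


def get_shipping_status_vulnerable(db, order_id):
    """Same shape as the C# method: the Id is pasted into the SQL text, and on
    failure the SQL text plus the driver's message go back to the caller."""
    sqlstring = "SELECT HasShipped FROM detail WHERE ID='" + order_id + "'"
    try:
        row = db.execute(sqlstring).fetchone()
        return "Yes" if row is not None and row[0] != 0 else "No"
    except sqlite3.Error as e:
        return sqlstring + " failed\n\r" + str(e)


def get_shipping_status_fixed(db, order_id):
    """Bound parameter: the Id can never change the statement's structure, and
    the caller learns nothing about the query or the database when it fails."""
    try:
        row = db.execute("SELECT HasShipped FROM detail WHERE ID = ?",
                         (order_id,)).fetchone()
        return "Yes" if row is not None and row[0] != 0 else "No"
    except sqlite3.Error:
        # Log the exception server-side; never echo SQL text or driver errors.
        return "Error"


# Constructed attacker-controlled Ids.
TAUTOLOGY = "x' OR HasShipped=1 --"   # closes the literal, adds a true clause, comments out the rest
MALFORMED = "x'"                       # unterminated literal: forces the error path


def demo():
    """Runs both versions on honest and hostile Ids. contextlib.closing releases
    the connection even when a query raises, which the C# try/catch never does."""
    with contextlib.closing(shipping_db()) as db:
        return {
            "shipped_vuln": get_shipping_status_vulnerable(db, "ORD-1001"),
            "shipped_fixed": get_shipping_status_fixed(db, "ORD-1001"),
            "unshipped_vuln": get_shipping_status_vulnerable(db, "ORD-1002"),
            "unshipped_fixed": get_shipping_status_fixed(db, "ORD-1002"),
            "tautology_vuln": get_shipping_status_vulnerable(db, TAUTOLOGY),
            "tautology_fixed": get_shipping_status_fixed(db, TAUTOLOGY),
            "malformed_vuln": get_shipping_status_vulnerable(db, MALFORMED),
            "malformed_fixed": get_shipping_status_fixed(db, MALFORMED),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, repr(result))
```

With the tautology the vulnerable query answers "Yes" for an order that does not exist, and with the malformed Id it hands the whole SELECT and the driver's error text to the client; the parameterised version answers "No" to both because the hostile strings are compared literally against `ID`.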
18A lot is bad lexical structure
- Messages to the TSI are delimited by ENDOFMESSAGE\n. These messages are untainted simply by removing the trailing ENDOFMESSAGE, without attempting to parse their contents. This is accompanied by the comment "I trust the source! and the setuid/setgid is downgrading!"
- A particular case, when talking to a real NJS, which frightened us was the possibility of a malicious client generating an AJO that contains file imports, where the filename has embedded within it something like
  ENDOFMESSAGE\nTSI_IDENTITY victim NONE\nENDOFMESSAGE\nTSI_EXECUTESCRIPT\n...hostile script...\nENDOFMESSAGE\n
  (all on one line)
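The framing failure above, modelled in Python. This is an added example, not the Unicore TSI or NJS code: a receiver that splits the stream on the delimiter, the crafted filename from the slide embedded in a file-import command, and a length-prefixed framing in which the delimiter string is ordinary payload. The command spelling `TSI_FILEIMPORT` and the frame syntax `<len>:<bytes>,` are assumptions made for the demo, not the real TSI wire format.

```python
END = "ENDOFMESSAGE\n"


def encode_naive(command):
    """Sender as described on the slide: append the delimiter, escape nothing."""
    return command + END


def parse_naive(stream):
    """Receiver as described on the slide: a message ends wherever the delimiter
    appears, and its contents are trusted without being parsed."""
    return [m for m in stream.split(END) if m]


def encode_framed(command):
    """Length-prefixed framing (hypothetical): '<len>:<payload>,'. The receiver
    reads exactly len bytes, so ENDOFMESSAGE inside the payload is just data."""
    data = command.encode("utf-8")
    return str(len(data)).encode("ascii") + b":" + data + b","


def parse_framed(stream):
    """Receiver for the framed format; raises on a malformed frame instead of
    guessing where a message ends."""
    messages = []
    i = 0
    while i < len(stream):
        colon = stream.index(b":", i)
        n = int(stream[i:colon])
        payload = stream[colon + 1:colon + 1 + n]
        if len(payload) != n or stream[colon + 1 + n:colon + 2 + n] != b",":
            raise ValueError("bad frame at offset %d" % i)
        messages.append(payload.decode("utf-8"))
        i = colon + 2 + n
    return messages


def import_command(filename):
    """Hypothetical file-import command carrying a client-chosen filename."""
    return "TSI_FILEIMPORT " + filename + "\n"


# Constructed attacker-chosen filename with the slide's injection embedded in it:
# it closes the import, switches identity to the victim, then runs a script.
HOSTILE_NAME = ("data.txt" + END
                + "TSI_IDENTITY victim NONE\n" + END
                + "TSI_EXECUTESCRIPT\n...hostile script...\n")


def demo():
    """Returns (messages seen by the naive receiver, messages seen by the framed one)."""
    naive = parse_naive(encode_naive(import_command(HOSTILE_NAME)))
    framed = parse_framed(encode_framed(import_command(HOSTILE_NAME)))
    return naive, framed


if __name__ == "__main__":
    naive, framed = demo()
    print("naive receiver saw %d messages:" % len(naive), naive)
    print("framed receiver saw %d message:" % len(framed), framed)
```

The naive receiver turns one file import into three commands, the last of them a TSI_EXECUTESCRIPT running under the injected identity; the framed receiver delivers one message whose payload still contains the ENDOFMESSAGE text, which the command parser can then reject as an illegal filename.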
19Modern OO Language security is far too complex

It is well known that passing objects back to trusted code from untrusted routines can be a general source of difficulty. The key point is that, if trusted code allows untrusted code to handle one of its objects, then it is usually essential that the object be final so that the untrusted code cannot subclass it to introduce misbehaving methods.

It turns out that the Bouncy Castle package (used by Globus and Unicore) has just the above vulnerability. This turns out to be useful. The Interactive Job facility has to authenticate an SSH, not SSL, channel. The protocols differ and it does not seem to be possible to authenticate an SSH channel without direct access to the private key. This is achieved in InteractiveJob using the following snippet of code:

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.X509V3CertificateGenerator;

/* Class which impersonates a X.509 certificate generator in order to
   retrieve a private key from a X.509 certificate. */
class PrivateKeyExtractor extends X509V3CertificateGenerator {
    private X509Certificate cert;
    private PrivateKey privateKey;

    // Overrides the signing entry point: keeps the key, signs nothing.
    public X509Certificate generateX509Certificate(PrivateKey privateKey) {
        this.privateKey = privateKey;
        return null;
    }

    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }
}
```

The code exploits the fact that X509V3CertificateGenerator is not a final class and simply subclasses it to introduce a key-stealing method which, in this case, is used only for SSH authentication.

This is a rather trivial (published) example, based on a real operational code and a popular open source library.
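The same trick and its two counter-measures, modelled in Python as an added example (not Bouncy Castle, Globus, Unicore or InteractiveJob code). The generator class, the "certificate" it returns and the key string are constructed stand-ins. Python has no `final`, so the example shows the two runtime checks that play its role: the trusted caller refusing any object whose exact type is not the expected class, and a class that raises as soon as anyone tries to subclass it.

```python
class X509V3CertificateGenerator:
    """Stand-in for the library class: the trusted caller hands it a private key
    so that it can sign a certificate."""

    def generate_x509_certificate(self, private_key):
        # A real generator would sign here; the demo just returns a pretend cert.
        return "cert-signed-with-" + private_key[-4:]


class PrivateKeyExtractor(X509V3CertificateGenerator):
    """The subclass trick from the slide: override the signing entry point and
    keep the key instead of using it."""

    def __init__(self):
        self.private_key = None

    def generate_x509_certificate(self, private_key):
        self.private_key = private_key
        return None


def issue_certificate(generator, private_key):
    """Trusted code as written: calls a method on whatever object it was given."""
    return generator.generate_x509_certificate(private_key)


def issue_certificate_checked(generator, private_key):
    """Trusted code that refuses subclasses. An exact type check is the runtime
    analogue of declaring the generator final; isinstance() would still accept
    the extractor, because it *is* a generator."""
    if type(generator) is not X509V3CertificateGenerator:
        raise TypeError("refusing to hand a private key to a subclass of the generator")
    return generator.generate_x509_certificate(private_key)


class FinalCertificateGenerator(X509V3CertificateGenerator):
    """Library-side fix: make subclassing fail at class-definition time."""

    def __init_subclass__(cls, **kwargs):
        raise TypeError(cls.__name__ + " may not subclass a final generator")


def demo():
    """Returns (key leaked to the extractor, exact-type check refused it,
    subclassing the final class failed)."""
    key = "PRIVATE-KEY-d00d"          # constructed, not a real key
    extractor = PrivateKeyExtractor()
    issue_certificate(extractor, key)  # trusted code signs; the subclass keeps the key
    leaked = extractor.private_key

    try:
        issue_certificate_checked(extractor, key)
        refused = False
    except TypeError:
        refused = True

    try:
        class Sneaky(FinalCertificateGenerator):
            pass
        final_blocked = False
    except TypeError:
        final_blocked = True

    return leaked, refused, final_blocked


if __name__ == "__main__":
    print(demo())
```

The exact-type check protects only the call sites that use it; the `__init_subclass__` guard protects every caller of the class, which is why the slide's advice is to fix it in the library by making the class final rather than in each consumer.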
20OO Language security
- Some sources of complexity
- Class loaders.
- Managing class search order, especially for callbacks. Thread.getContextClassLoader()?
- Debugging
- Security configuration loading
- Backdoor constructors, e.g. deserialisers, clone
21Never mind distributed, concurrency still doesn't work
- Java
- Infinite starvation: Wot, No Chickens? http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html
- Efficient locks: Specific Notification http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html
- The memory model: http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html
- And the Inheritance Anomaly
22You can try to fix it with patterns
- java.util.concurrent
- Executors
- Queues
- Timing
- Synchronizers
23Or with Aspect Oriented Programming
- Does this just split out the bits that don't inherit?
- Microsoft XAML splits classes between declarative (GUI, workflow) and code (business logic). Is this usefully related to Aspects?
- How does XAML relate to classic MVC?
- Can we deliver Aspects using (custom) attributes?
- What about Jeeg?
24Web Service Semantics are out of control
25Web Service Execution Environment(WSMX)
Michal Zaremba
26System Architecture
27System Architecture
Request to discover Web services. May be sent to adapter, or adapter may extract from backend app.
28System Architecture
Goal expressed in WSML sent to WSMX System Interface
29System Architecture
Comm Manager component implements the interface
to receive WSML goals
30System Architecture
Comm Manager tells core that Goal has been received
31System Architecture
Choreography wrapper Picks up event for
Choreography component
32System Architecture
A new choreography Instance is created
33System Architecture
Core is notified that choreography instance has
been created.
34System Architecture
Parser wrapper picks up event for Parser
component
35System Architecture
WSML goal is parsed to internal format
38System Architecture
Discovery is invoked for parsed goal
41System Architecture
Discovery component requires data mediation.
44System Architecture
After data mediation, discovery component
completes its task.
47System Architecture
After discovery, the choreography instance for goal requester is checked for next step in interaction.
50System Architecture
Next step in choreography is to return set of discovered Web services to goal requester
51System Architecture
Set of Web Service descriptions expressed in WSML sent to appropriate adapter
52System Architecture
Set of Web Service descriptions expressed in requester's own format returned to goal requester
53A semantic grid needs
- Ontologies: What side effects will happen? Telescope or Missile?
- Protocols: WSDL gives only signatures
- Provenance: Is it really a bank?
- Do we need reasoning/search?
- XPath?
- Relational query?
- Description logics?
- Frame logics?
- Monotonic?
Religious wars
54Security is in for a shake-up
- Globus: GSI, Proxies
- Unicore: signed AJOs
- OMII: PBAC
- Public Key Infrastructure
- Triumph of the Librarians
- Shibboleth, SAML http://shibboleth.internet2.edu/
55Computer Engineering
- Is about building artefacts
- Artefacts for people to use
Brian Reid, Scribe
56What do we remember?
Donald Knuth
Leslie Lamport
57Can we contribute to emergent systems?

The most important unanswered question in evolutionary biology, and more generally in the social sciences, is how co-operative behaviour evolved and can be maintained in human or other animal groups and societies [1].

At first sight, the answer may seem obvious: if you are a marmot, the small risk attendant on giving an alarm call is outweighed by the larger benefit you derive from alarm calls from other group members. The problem is the vulnerability of any such system to cheating: enjoying the defensive group benefit, but yourself never incurring the risk of uttering an alarm call.

Such cheats prosper in evolutionary terms, enjoying the group benefits without the costs and, by so prospering, making it difficult for the cooperative benefits to be maintained.

An example closer to home in recent years is the decline in voluntary up-take of the MMR vaccine in the UK (seeking to avoid any putative risk to your children, whilst implicitly relying on others to keep herd immunity high by vaccinating their children), resulting in rising incidence of measles [2].

- Lord May
- THREATS TO TOMORROW'S WORLD
- http://www.royalsoc.ac.uk/downloaddoc.asp?id=2414
- Podcast: http://www.royalsoc.ac.uk/page.asp?id=3966
58So what do we do?
- No new languages: no community.
- Don't expose theory to users.
- In the US, it's bad taste to admit you are numerate.
- Simple tools for safe programming in the real world (i.e. Visual Studio), e.g.
- security configuration analysis
- concurrency validation
- Aspects
- Make it easy to do the right thing.