Distributed Computing without Surprises

1
Distributed Computing without Surprises
  • Denis A Nicole
  • 30th November 2005

2
The Sony Rootkit
  • It's too easy to develop broken software
  • From hacker to everybody's PC in six years.

4
Just call a hack sysfoo and nobody can find it
  • World of Warcraft hackers using Sony BMG rootkit
  • Published 2005-11-03
  • Want to cheat in your online game and not get
    caught? Just buy a Sony BMG copy protected CD.
  • World of Warcraft hackers have confirmed that the
    hiding capabilities of Sony BMG's content
    protection software can make tools made for
    cheating in the online world impossible to
    detect. The software--deemed a "rootkit" by many
    security experts--is shipped with tens of
    thousands of the record company's music titles.
  • Blizzard Entertainment, the maker of World of
    Warcraft, has created a controversial program
    that detects cheaters by scanning the processes
    that are running at the time the game is played.
    Called the Warden, the anti-cheating program
    cannot detect any files that are hidden with Sony
    BMG's content protection, which only requires
    that the hacker add the prefix "sys" to file
    names.
  • Despite making a patch available on Wednesday to
    consumers to amend its copy protection software's
    behavior, Sony BMG and First 4 Internet, the
    maker of the content protection technology, have
    both disputed claims that their system could harm
    the security of a Windows system. Yet, other
    software makers that rely on the integrity of the
    operating system are finding that hidden code
    makes security impossible.
  • Posted by Robert Lemos

5
Writing to Sony
  • Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)
  • From: contentprotectionhelp _at_info.sel.sony.com
  • To: D.A.Nicole1_at_soton.ac.uk
  • Subject: Re: ContentProtectionHelp Email Form
    (KMM15554001I21924L0KM)
  • The following text is in the "utf-8"
    character set. Your display is set for the
    "ISO-8859-1" character set. Some characters may
    be displayed incorrectly.
  • Thank you for contacting Sony BMG Online.
  • Sony BMG and First 4 Internet have just released
    an update that will completely remove the
    rootkit based DRM content protection software
    and replace it with a non-rootkit DRM technology
    that is compatible with all current security
    protocols.
  • To ensure the security of your system, please
    visit their software update website to obtain
    and install Service Pack 2 at
    http://updates.xcp-aurora.com

6
It just gets worse
  • Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)
  • From: contentprotectionhelp _at_info.sel.sony.com
  • To: D.A.Nicole1_at_soton.ac.uk
  • Subject: Notification of potential security issue
    (KMM15645015I21924L0KM)
  • Thank you for contacting Sony BMG Online.
  • Our records indicate that you recently sent us an
    email in connection with the purchase of a
    content protected CD, requesting a program to
    uninstall the XCP content protection software. We
    are sending you this email because we have been
    notified of a potential security issue that may
    arise in connection with the uninstaller program
    previously provided.
  • To be clear, the security issue is not raised by
    the presence of XCP content protection technology
    on the music CD you purchased. The security issue
    may arise when a user downloads the program to
    uninstall the XCP software files from a computer.
  • The likelihood that you have been exposed to any
    security risk by using the program to uninstall
    the XCP technology is minimal. Nevertheless, for
    your protection, we are sending this notice to
    provide you with instructions as to how you may
    remove the XCP uninstaller files from your
    computer, curing any associated security risk.
  • Follow these instructions to remove the original
    uninstaller files

7
And people laugh at you
  • Analysis
  • Sony BMG has made a prudent decision after more
    than ten days of intense criticism from industry
    observers and consumer advocates to end the use
    of its highly controversial DRM technology. This
    will help the company recover from what has
    become a serious public-relations problem, but
    Sony BMG still faces lawsuits filed by PC users
    who allege that their PCs have been damaged by
    the technology.
  • What makes the Sony BMG incident even more
    unfortunate is that the DRM technology can be
    defeated easily. Gartner has identified one
    simple technique: The user simply applies a
    fingernail-sized piece of opaque tape to the
    outer edge of the disc, rendering session 2,
    which contains the self-loading DRM software,
    unreadable. The PC then treats the CD as an
    ordinary single session music CD, and the
    commonly used CD "rip" programs continue to work
    as usual. (Note: Gartner does not recommend or
    endorse this technique.) Moreover, even without
    the tape, common CD-copying programs readily
    duplicate the copy-protected disc in its
    entirety.

8
  • Subject: Winsock 2 LSP Problems.
  • From: "Ceri Coburn"
  • Date: Thu, 15 Aug 2002 12:19:23 +0100
  • Hi, I am having problems with creating a winsock
    LSP. I am going off the LSP example that's in the
    Platform SDK. I can get the ws2_32.dll to call
    WSPStartup but when debugging an application that
    uses winsock they fall over with the following
    error:
    (558.55c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000001 ebx=00000000 ecx=00000202 edx=00dfd740 esi=0013eb08 edi=00000202
    eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
    kernel32!InterlockedIncrement+9:
    77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????
  • Anybody got any ideas on why it's doing this?
  • http://www.osronline.com/lists_archive/ntfsd/thread2716.html

10
I think I have the right man
Note: If this seems rather personal, it's here
because the seminar was combined with one by Hugh
Glaser on using the Semantic Web to track
personal identity.
11
XCP is not Sony BMG's only broken content
protection software
http://www.eff.org/IP/DRM/Sony-BMG/MediaMaxVulnerabilityReport.pdf
12
And of course the patch is insecure
http://www.freedom-to-tinker.com/?p=942
13
Moral
  • Where was driver signing in all this?
  • Why do users need to install drivers?
  • Why do you need to be an Administrator (Power
    User) to do stuff?
  • Does anybody understand ACLs? Privileges?
    http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx
    How to Shoot Yourself in the Foot with Security, Part 2

14
Some stuff is just language design mistakes
    class Crash {
        public static String wallop() {
            return "Crash";
        }
    }

    class Bang extends Crash {
        public static String wallop() {
            return "Bang";
        }
    }

    public class prog {
        public static void main(String[] arg) {
            Crash b = new Bang();
            // wallop() is static, so b.wallop() binds to the declared
            // type Crash, not to the runtime type Bang
            System.out.println("I'm a " + b.wallop());
        }
    }

    E:\D1\Temp>javac prog.java
    E:\D1\Temp>java prog
    I'm a Crash

15
Good bedtime reading
16
Some is just lazy interfaces
    // Deliberately flawed example; the next slide lists its bugs.
    [WebMethod(Description="Shipping Status")]
    public string GetShippingStatus(string Id) {
        string Status = "No";
        string sqlstring = "";
        try {
            SqlConnection sql = new SqlConnection(
                @"data source=localhost;" +
                "user id=sa;password=password;" +
                "initial catalog=Shipping");
            sql.Open();
            sqlstring = "SELECT HasShipped" +
                " FROM detail " +
                " WHERE ID='" + Id + "'";
            SqlCommand cmd = new SqlCommand(sqlstring, sql);
            if ((int)cmd.ExecuteScalar() != 0)
                Status = "Yes";
        } catch (SqlException se) {
            Status = sqlstring + " failed\n\r";
            foreach (SqlError e in se.Errors)
                Status += e.Message + "\n\r";
        } catch (Exception e) {
            Status = e.ToString();
        }
        return Status;
    }

17
Bugs
  • Connecting to the SQL database as sa, the
    sysadmin account.
  • The sysadmin account has an easy-to-guess
    password.
  • The code is susceptible to SQL injection.
  • If the SQL communication fails, the Web service
    will send a great deal of data back to the
    attacker, including the text that makes up the
    SQL statement.
  • DoS: An invalid SQL statement will cause the SQL
    classes to throw an exception. However, the
    connection to SQL Server will not be closed.
    Eventually, it will be garbage-collected.
  • This is an example from a how-to book.
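
Added example, not from the slides or the how-to book: the same lookup written twice in Python against a constructed in-memory SQLite table that stands in for the Shipping database. The first function keeps the slide's concatenation and error echo; the second binds the parameter, always closes the connection and returns a generic error. The sa account and its password are deployment settings and are not modelled here.

```python
import sqlite3
from contextlib import closing


def open_db():
    """Constructed stand-in for the Shipping database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE detail (ID TEXT PRIMARY KEY, HasShipped INTEGER)")
    conn.executemany("INSERT INTO detail VALUES (?, ?)",
                     [("1001", 1), ("1002", 0)])
    return conn


def status_concatenated(order_id):
    """Same shape as the slide: SQL built by concatenation, errors echoed."""
    conn = open_db()                      # left open if execute() raises
    sql = "SELECT HasShipped FROM detail WHERE ID='" + order_id + "'"
    try:
        row = conn.execute(sql).fetchone()
        return "Yes" if row and row[0] != 0 else "No"
    except sqlite3.Error as exc:
        # The statement text and the driver message go back to the caller.
        return sql + " failed\n" + str(exc)


def status_parameterised(order_id):
    """Bound parameter, connection always closed, generic error text."""
    with closing(open_db()) as conn:
        try:
            row = conn.execute(
                "SELECT HasShipped FROM detail WHERE ID = ?", (order_id,)
            ).fetchone()
        except sqlite3.Error:
            return "Error"                # details belong in a server-side log
        return "Yes" if row and row[0] != 0 else "No"


if __name__ == "__main__":
    for value in ("1001", "1002", "1002'"):   # last value has a stray quote
        print(repr(value), "->", repr(status_concatenated(value)),
              "|", repr(status_parameterised(value)))
```

A single stray quote is enough to make the concatenated version return its own SQL text, while the parameterised version treats the same input as an unknown ID.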

18
A lot is bad lexical structure
  • Messages to the TSI are delimited by
    ENDOFMESSAGE\n. These messages are untainted
    simply by removing the trailing ENDOFMESSAGE,
    without attempting to parse their contents. This
    is accompanied by the comment:
  • I trust the source! and the setuid/setguid is
    downgrading!
  • A particular case, when talking to a real NJS,
    which frightened us was the possibility of a
    malicious client generating an AJO that contains
    file imports, where the filename has embedded
    within it something like:
  • ENDOFMESSAGE\nTSI_IDENTITY victim NONE\nENDOFMESSAGE\nTSI_EXECUTESCRIPT\n...hostile script...\nENDOFMESSAGE\n
  • (all on one line)
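
Added example, not part of the original slides and not UNICORE code: a receiver that splits at the in-band ENDOFMESSAGE\n delimiter, fed one message whose file name has the shape quoted above, beside a length-prefixed framing that keeps the same bytes as one message. IMPORT_FILE is a hypothetical command name, the script body is an inert placeholder, and length prefixing is an alternative chosen here for illustration, not the project's fix.

```python
DELIM = "ENDOFMESSAGE\n"

# Constructed input: a file name carrying the delimiter, in the shape quoted
# on the slide. IMPORT_FILE is a hypothetical command name and the script
# body is an inert placeholder.
FILENAME = ("x\nENDOFMESSAGE\nTSI_IDENTITY victim NONE\nENDOFMESSAGE\n"
            "TSI_EXECUTESCRIPT\n# placeholder script body")


def frame_delimited(body):
    """In-band framing: the body is followed by the delimiter, unchecked."""
    return body + "\n" + DELIM


def split_delimited(stream):
    """Receiver: cut at every delimiter without parsing the contents."""
    return stream.split(DELIM)[:-1]   # drop the empty tail after the last one


def frame_length_prefixed(body):
    """Out-of-band framing: a decimal byte count, a newline, then the body."""
    data = body.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\n" + data


def split_length_prefixed(stream):
    """Receiver: read each count, then exactly that many bytes."""
    messages, pos = [], 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        size = int(stream[pos:nl].decode("ascii"))
        start, end = nl + 1, nl + 1 + size
        if size < 0 or end > len(stream):
            raise ValueError("truncated or malformed frame")
        messages.append(stream[start:end].decode("utf-8"))
        pos = end
    return messages


def demo():
    """Frame one logical message both ways and return what each receiver sees."""
    body = "IMPORT_FILE " + FILENAME
    return (split_delimited(frame_delimited(body)),
            split_length_prefixed(frame_length_prefixed(body)))


if __name__ == "__main__":
    injected, intact = demo()
    print(len(injected), "messages with in-band delimiter:", injected)
    print(len(intact), "message with length prefix:", intact)
```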

19
Modern OO Language security is far too complex
  • It is well known that passing objects back to
    trusted code from untrusted routines can be a
    general source of difficulty. The key point is
    that, if trusted code allows untrusted code to
    handle one of its objects, then it is usually
    essential that the object be final so that the
    untrusted code cannot subclass it to introduce
    misbehaving methods.
  • It turns out that the Bouncy Castle package (used
    by Globus and Unicore) has just the above
    vulnerability. This turns out to be useful. The
    Interactive Job facility has to authenticate an
    SSH, not SSL, channel. The protocols differ and
    it does not seem to be possible to authenticate
    an SSH channel without direct access to the
    private key. This is achieved in InteractiveJob
    using the following snippet of code:

    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.jce.X509V3CertificateGenerator;

    /** Class which impersonates a X.509 certificate
        generator in order to retrieve a private key
        from a X.509 certificate. */
    class PrivateKeyExtractor extends X509V3CertificateGenerator {
        private X509Certificate cert;
        private PrivateKey privateKey;

        // Overrides the generator method so that the key handed
        // in by the trusted caller is stored instead of used.
        public X509Certificate generateX509Certificate(PrivateKey privateKey) {
            this.privateKey = privateKey;
            return null;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }
    }

  • The code exploits the fact that
    X509V3CertificateGenerator is not a final class
    and simply subclasses it to introduce a
    key-stealing method which, in this case, is used
    only for SSH authentication.

This is a rather trivial (published) example,
based on real operational code and a popular
open source library.
20
OO Language security
  • Some sources of complexity
  • Class loaders.
  • Managing class search order, especially for
    callbacks. Thread.getContextClassLoader()?
  • Debugging
  • Security configuration loading
  • Backdoor constructors, eg deserialisers, clone

21
Never mind distributed, concurrency still doesn't
work
  • Java
  • Infinite starvation: Wot no Chickens
    http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html
  • Efficient locks: Specific Notification
    http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html
  • The memory model
    http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html
  • And the Inheritance Anomaly

22
You can try to fix it with patterns
  • java.util.concurrent
  • Executors
  • Queues
  • Timing
  • Synchronizers

23
Or with Aspect Oriented Programming
  • Does this just split out the bits that don't
    inherit?
  • Microsoft XAML splits classes between
    declarative (GUI, workflow) and code (business
    logic). Is this usefully related to Aspects?
  • How does XAML relate to classic MVC?
  • Can we deliver Aspects using (custom) attributes?
  • What about Jeeg?

24
Web Service Semantics are out of control
25
Web Service Execution Environment (WSMX)
Michal Zaremba
26
System Architecture
27
System Architecture
Request to discover Web services. May be sent to
adapter or adapter may extract from backend app.
28
System Architecture
Goal expressed in WSML sent to WSMX System
Interface
29
System Architecture
Comm Manager component implements the interface
to receive WSML goals
30
System Architecture
Comm Manager tells core Goal has been received
31
System Architecture
Choreography wrapper Picks up event for
Choreography component
32
System Architecture
A new choreography Instance is created
33
System Architecture
Core is notified that choreography instance has
been created.
34
System Architecture
Parser wrapper picks up event for Parser
component
35
System Architecture
WSML goal is parsed to internal format
36
System Architecture
37
System Architecture
38
System Architecture
Discovery is invoked for parsed goal
39
System Architecture
40
System Architecture
41
System Architecture
Discovery component requires data mediation.
42
System Architecture
43
System Architecture
44
System Architecture
After data mediation, discovery component
completes its task.
45
System Architecture
46
System Architecture
47
System Architecture
After discovery, the choreography instance for
goal requester is checked for next step in
interaction.
48
System Architecture
49
System Architecture
50
System Architecture
Next step in choreography is to return set of
discovered Web services to goal requester
51
System Architecture
Set of Web Service descriptions expressed in WSML
sent to appropriate adapter
52
System Architecture
Set of Web Service descriptions expressed in
requester's own format returned to goal requester
53
A semantic grid needs
  • Ontologies: What side effects will happen?
    Telescope or Missile?
  • Protocols: WSDL gives only signatures
  • Provenance: Is it really a bank?
  • Do we need reasoning/search?
  • XPath?
  • Relational query?
  • Description logics?
  • Frame logics?
  • Monotonic?

Religious wars
54
Security is in for a shake-up
  • Globus GSI, Proxies
  • Unicore signed AJOs
  • OMII PBAC
  • Public Key Infrastructure
  • Triumph of the Librarians
  • Shibboleth, SAML
    http://shibboleth.internet2.edu/

55
Computer Engineering
  • Is about building artefacts
  • Artefacts for people to use

Brian Reid, Scribe
56
What do we remember?
Donald Knuth
Leslie Lamport
57
Can we contribute to emergent systems?
  • The most important unanswered question in
    evolutionary biology, and more generally in the
    social sciences, is how co-operative behaviour
    evolved and can be maintained in human or other
    animal groups and societies [1].
  • At first sight, the answer may seem obvious: if
    you are a marmot, the small risk attendant on
    giving an alarm call is outweighed by the larger
    benefit you derive from alarm calls from other
    group members. The problem is the vulnerability
    of any such system to cheating: enjoying the
    defensive group benefit, but yourself never
    incurring the risk of uttering an alarm call.
  • Such cheats prosper in evolutionary terms,
    enjoying the group benefits without the costs
    and, by so prospering, making it difficult for
    the cooperative benefits to be maintained.
  • An example closer to home in recent years is the
    decline in voluntary up-take of the MMR vaccine
    in the UK (seeking to avoid any putative risk to
    your children, whilst implicitly relying on
    others to keep herd immunity high by
    vaccinating their children), resulting in rising
    incidence of measles [2].
  • Lord May
  • THREATS TO TOMORROW'S WORLD
  • http://www.royalsoc.ac.uk/downloaddoc.asp?id=2414
  • Podcast: http://www.royalsoc.ac.uk/page.asp?id=3966

58
So what do we do?
  • No new languages, no community.
  • Don't expose theory to users.
  • In the US, it's bad taste to admit you are
    numerate.
  • Simple tools for safe programming in the real
    world (i.e. Visual Studio), e.g.
  • security configuration analysis
  • concurrency validation
  • Aspects
  • Make it easy to do the right thing.