
Distributed Computing without Surprises


Presentation Transcript


  1. Distributed Computing without Surprises Denis A Nicole 30th November 2005

  2. The Sony Rootkit
  • It’s too easy to develop broken software
  • From hacker to everybody’s PC in six years.

  3. Just call a hack $sys$foo and nobody can find it…
  World of Warcraft hackers using Sony BMG rootkit
  Published: 2005-11-03
  Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD. World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles. Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names. Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.
  Posted by: Robert Lemos

  4. Writing to Sony…
  Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)
  From: contentprotectionhelp <ContentProtectionHelp@info.sel.sony.com>
  To: D.A.Nicole1@soton.ac.uk
  Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)
  Thank you for contacting Sony BMG Online. Sony BMG and First 4 Internet have just released an update that will completely remove the rootkit based DRM content protection software and replace it with a non-rootkit DRM technology that is compatible with all current security protocols. To ensure the security of your system, please visit their software update website to obtain and install Service Pack 2 at: http://updates.xcp-aurora.com
  If after this update, you still wish to uninstall our software, please visit the form below using the computer where the software is currently installed and you will be emailed an uninstall link within 1 business day (M-F). http://cp.sonybmg.com/xcp/english/form9.html
  Your "Case ID" is: 3372250.
  TIP: Our uninstall request form will require a small ActiveX plug-in (from First 4 Internet). Be sure to also temporarily turn off any pop-up blocker software. Although a non-ActiveX process is in development, currently, our online process is the only option. Should you prefer to wait for the next uninstallation version, one is due to be released later this month at: http://cp.sonybmg.com/xcp/english/updates.html
  Thank you for the opportunity to be of assistance.
  The Sony BMG Online Support Team CC2X John

  5. It just gets worse
  Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)
  From: contentprotectionhelp <ContentProtectionHelp@info.sel.sony.com>
  To: D.A.Nicole1@soton.ac.uk
  Subject: Notification of potential security issue (KMM15645015I21924L0KM)
  Thank you for contacting Sony BMG Online. Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided. To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer. The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.
  Follow these instructions to remove the original uninstaller files:…

  6. And people laugh at you
  Analysis
  Sony BMG has made a prudent decision — after more than ten days of intense criticism from industry observers and consumer advocates — to end the use of its highly controversial DRM technology. This will help the company recover from what has become a serious public-relations problem, but Sony BMG still faces lawsuits filed by PC users who allege that their PCs have been damaged by the technology. What makes the Sony BMG incident even more unfortunate is that the DRM technology can be defeated easily. Gartner has identified one simple technique: The user simply applies a fingernail-sized piece of opaque tape to the outer edge of the disc, rendering session 2 — which contains the self-loading DRM software — unreadable. The PC then treats the CD as an ordinary single session music CD, and the commonly used CD "rip" programs continue to work as usual. (Note: Gartner does not recommend or endorse this technique.) Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety.

  7. Subject: Winsock 2 LSP Problems.
  From: "Ceri Coburn" <xxx@first4internet.co.uk>
  Date: Thu, 15 Aug 2002 12:19:23 +0100
  Hi, I am having problems with creating a winsock LSP. I am going off the LSP example that's in the Platform SDK. I can get the ws2_32.dll to call WSPStartup but when debugging an application that uses winsock they fall over with the following error:-
  (558.55c): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000001 ebx=00000000 ecx=00000202 edx=00dfd740 esi=0013eb08 edi=00000202
  eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
  cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
  kernel32!InterlockedIncrement+9:
  77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????
  Anybody got any ideas on why it's doing this?
  [http://www.osronline.com/lists_archive/ntfsd/thread2716.html]

  8. I think I have the right man Note: If this seems rather personal, it’s here because the seminar was combined with one by Hugh Glaser on using the Semantic web to track personal identity.

  9. XCP is not Sony BMG’s only broken content protection software [http://www.eff.org/IP/DRM/Sony-BMG/MediaMaxVulnerabilityReport.pdf]

  10. And of course the patch is insecure [http://www.freedom-to-tinker.com/?p=942]

  11. Moral
  • Where was driver signing in all this?
  • Why do users need to install drivers?
  • Why do you need to be an Administrator (Power User) to do stuff?
  • Does anybody understand ACLs? Privileges?
  “How to Shoot Yourself in the Foot with Security, Part 2:” [http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx]

  12. Some stuff is just language design mistakes
  public class prog {
      public static void main (String[] arg) {
          // b has static type Crash, so the static call binds to Crash.wallop():
          // static methods are hidden, not overridden, and are not dispatched on the object.
          Crash b = new Bang();
          System.out.println("I'm a " + b.wallop());
      }
  }
  class Crash {
      public static String wallop() { return "Crash"; }
  }
  class Bang extends Crash {
      public static String wallop() { return "Bang"; }
  }

  E:\D1\Temp>javac prog.java
  E:\D1\Temp>java prog
  I'm a Crash

  13. Good bedtime reading

  14. Some is just lazy interfaces
  using System;
  using System.Data.SqlClient;
  using System.Web.Services;

  [WebMethod(Description="Shipping Status")]
  public string GetShippingStatus(string Id) {
      string Status = "No";
      string sqlstring = "";
      try {
          SqlConnection sql = new SqlConnection(
              @"data source=localhost;" +
              "user id=sa;password=password;" +
              "initial catalog=Shipping");
          sql.Open();
          // Id is spliced straight into the query text.
          sqlstring = "SELECT HasShipped" +
                      " FROM detail " +
                      " WHERE ID='" + Id + "'";
          SqlCommand cmd = new SqlCommand(sqlstring, sql);
          if ((int)cmd.ExecuteScalar() != 0)
              Status = "Yes";
      } catch (SqlException se) {
          // The failing statement and the server's messages go back to the caller.
          Status = sqlstring + " failed\n\r";
          foreach (SqlError e in se.Errors) {
              Status += e.Message + "\n\r";
          }
      } catch (Exception e) {
          Status = e.ToString();
      }
      return Status;
  }

  15. Bugs
  • Connecting to the SQL database as sa, the sysadmin account.
  • The sysadmin account has an easy-to-guess password.
  • The code is susceptible to SQL injection.
  • If the SQL communication fails, the Web service will send a great deal of data back to the attacker, including the text that makes up the SQL statement.
  • DoS: an invalid SQL statement will cause the SQL classes to throw an exception. However, the connection to SQL Server will not be closed; eventually it will be garbage-collected.
  This is an example from a how-to book…
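The same Web method with each of the five listed bugs closed, as an added example written for this page rather than taken from the book or the original slides; the connection-string name "Shipping", the ShippingService class and the 20-character ID limit are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

public class ShippingService : WebService
{
    // Least privilege: a read-only login defined in configuration, not sa
    // with a hard-coded password (assumed connection-string name "Shipping").
    private static readonly string ConnString =
        ConfigurationManager.ConnectionStrings["Shipping"].ConnectionString;

    [WebMethod(Description = "Shipping Status")]
    public string GetShippingStatus(string id)
    {
        // Reject anything that is not a plausible identifier before touching the database.
        if (string.IsNullOrEmpty(id) || id.Length > 20)
            return "No";

        try
        {
            // using blocks close the connection even when the query throws,
            // so a failed request no longer leaks a connection until GC.
            using (SqlConnection sql = new SqlConnection(ConnString))
            using (SqlCommand cmd = new SqlCommand(
                       "SELECT HasShipped FROM detail WHERE ID = @id", sql))
            {
                // Parameterised: the value is bound, never spliced into SQL text,
                // so quotes in id cannot change the statement.
                cmd.Parameters.Add("@id", SqlDbType.NVarChar, 20).Value = id;
                sql.Open();
                object result = cmd.ExecuteScalar();
                return (result != null && Convert.ToInt32(result) != 0) ? "Yes" : "No";
            }
        }
        catch (SqlException)
        {
            // Log server-side (omitted); tell the caller nothing about the SQL
            // text, the schema or the server's error messages.
            return "Unavailable";
        }
    }
}
```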

  16. A lot is bad lexical structure
  Messages to the TSI are delimited by ENDOFMESSAGE\n. These messages are untainted simply by removing the trailing ENDOFMESSAGE, without attempting to parse their contents. This is accompanied by the comment:
  # I trust the source! and the setuid/setgid is downgrading!
  A particular case, when talking to a real NJS, which frightened us was the possibility of a malicious client generating an AJO that contains file imports, where the filename has embedded within it something like:
  ENDOFMESSAGE\n#TSI_IDENTITY victim NONE\nENDOFMESSAGE\n#TSI_EXECUTESCRIPT\n...hostile script...\nENDOFMESSAGE\n
  (all on one line)
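Why delimiter stripping is not parsing, as an added example (not UNICORE's own code): the same constructed filename is fed once to a splitter that trusts the ENDOFMESSAGE delimiter and once to length-prefixed framing that does not care what the content contains. The "#TSI_IMPORT" command word and the sample payload are constructed for the illustration.

```python
# Constructed example, not UNICORE's TSI or NJS code.
DELIM = b"ENDOFMESSAGE\n"


def naive_split(stream: bytes) -> list[bytes]:
    """The slide's scheme: everything up to the next delimiter is one message.
    A delimiter that merely appears inside a field is indistinguishable from
    a real message boundary, so one message becomes several."""
    return stream.split(DELIM)[:-1]


def frame(msg: bytes) -> bytes:
    """Length-prefixed framing: '<length>\\n<body>ENDOFMESSAGE\\n'.
    The receiver reads exactly len(body) bytes, so the body may contain
    ENDOFMESSAGE, newlines or anything else without being re-interpreted."""
    return b"%d\n%s" % (len(msg), msg) + DELIM


def parse_framed(stream: bytes) -> list[bytes]:
    """Inverse of frame(); rejects truncated or inconsistent frames."""
    msgs, pos = [], 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        length = int(stream[pos:nl])          # ValueError on a non-numeric prefix
        start = nl + 1
        body = stream[start:start + length]
        trailer = stream[start + length:start + length + len(DELIM)]
        if len(body) != length or trailer != DELIM:
            raise ValueError("truncated or malformed frame")
        msgs.append(body)
        pos = start + length + len(DELIM)
    return msgs


# Constructed filename with an embedded delimiter, shaped as the slide describes.
HOSTILE_NAME = (b"report.txt" + DELIM
                + b"#TSI_IDENTITY victim NONE\n" + DELIM
                + b"#TSI_EXECUTESCRIPT\necho constructed\n")
IMPORT_MSG = b"#TSI_IMPORT " + HOSTILE_NAME + b"\n"   # hypothetical command word


def demo() -> tuple[int, int]:
    """Number of messages each scheme recovers from the single import message."""
    naive = naive_split(IMPORT_MSG + DELIM)        # 3: the filename became two commands
    framed = parse_framed(frame(IMPORT_MSG))       # 1: the filename stays inside its message
    return len(naive), len(framed)
```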

  17. Modern OO Language security is far too complex
  It is well known that passing objects back to trusted code from untrusted routines can be a general source of difficulty. The key point is that, if trusted code allows untrusted code to “handle” one of its objects, then it is usually essential that the object be “final” so that the untrusted code cannot subclass it to introduce misbehaving methods. It turns out that the Bouncy Castle package (used by Globus and Unicore) has just the above vulnerability. This turns out to be useful. The Interactive Job facility has to authenticate an SSH, not SSL, channel. The protocols differ and it does not seem to be possible to authenticate an SSH channel without direct access to the private key. This is achieved in InteractiveJob using the following snippet of code:
  import java.security.PrivateKey;
  import java.security.cert.X509Certificate;
  import org.bouncycastle.jce.X509V3CertificateGenerator;

  /** Class which impersonates a X.509 certificate generator in
   * order to retrieve a private key from a X.509 certificate. */
  class PrivateKeyExtractor extends X509V3CertificateGenerator {
      private X509Certificate cert;
      private PrivateKey privateKey;

      // Overrides the library method so the key handed in by trusted code is kept.
      public X509Certificate generateX509Certificate(PrivateKey privateKey) {
          this.privateKey = privateKey;
          return null;
      }

      public PrivateKey getPrivateKey() {
          return this.privateKey;
      }
  }
  The code exploits the fact that X509V3CertificateGenerator is not a final class and simply subclasses it to introduce a key-stealing method which, in this case, is used only for SSH authentication. This is a rather trivial (published) example, based on a real operational code and a popular open source library.
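What the trusted side can do about it, as an added example that is not Bouncy Castle's or Unicore's code: a hypothetical CertificateGenerator stands in for the non-final library class, and TrustedSigner shows the two defences the slide implies, checking the exact runtime type before handing over a key and, better, never accepting the object from outside at all.

```java
import java.security.PrivateKey;

// Hypothetical stand-in for X509V3CertificateGenerator: deliberately not final,
// so a caller can subclass it and override the method that receives the key.
class CertificateGenerator {
    public byte[] generateCertificate(PrivateKey signingKey) {
        return new byte[0]; // signing omitted; only the control flow matters here
    }
}

// Trusted code that must pass a private key into an object must not assume the
// object is the library's own class: an overriding subclass sees the key too.
final class TrustedSigner {

    // Defence 1: refuse any runtime type other than the exact expected class.
    // (instanceof would not do; a subclass passes that test.)
    static byte[] sign(CertificateGenerator gen, PrivateKey key) {
        if (gen.getClass() != CertificateGenerator.class) {
            throw new SecurityException(
                "refusing to pass a private key to " + gen.getClass().getName());
        }
        return gen.generateCertificate(key);
    }

    // Defence 2: do not take the generator as a parameter at all; construct the
    // only instance here, so no untrusted code ever holds a reference to it.
    static byte[] signWithOwnGenerator(PrivateKey key) {
        return new CertificateGenerator().generateCertificate(key);
    }

    public static void main(String[] args) {
        // An anonymous subclass playing the role of PrivateKeyExtractor; the
        // key argument is null because no real key is needed to show the check.
        CertificateGenerator extractor = new CertificateGenerator() {
            @Override
            public byte[] generateCertificate(PrivateKey signingKey) {
                return null; // a real extractor would store signingKey here
            }
        };
        try {
            sign(extractor, null);
            System.out.println("key handed to a subclass (should not happen)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Making the library class itself `final`, as the slide recommends, removes the need for the runtime check; the check is the fallback when the class is not under your control.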

  18. OO Language security
  Some sources of complexity:
  • Class loaders.
  • Managing class search order, especially for callbacks. Thread.getContextClassLoader()?
  • Debugging
  • Security configuration loading
  • Backdoor constructors, e.g. deserialisers, clone

  19. Never mind distributed, concurrency still doesn’t work
  Java:
  • Infinite starvation: Wot no Chickens [http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html]
  • Efficient locks: Specific Notification [http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html]
  • The memory model [http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html]
  • And the Inheritance Anomaly:

  20. You can try to fix it with patterns
  java.util.concurrent:
  • Executors
  • Queues
  • Timing
  • Synchronizers

  21. Or with Aspect Oriented Programming
  • Does this just split out the bits that don’t inherit?
  • Microsoft XAML splits classes between “declarative” (GUI, workflow) and code (business logic). Is this usefully related to Aspects?
  • How does XAML relate to classic MVC?
  • Can we deliver Aspects using (custom) attributes?
  • What about Jeeg?

  22. Web Service Semantics are out of control

  23. Web Service Execution Environment (WSMX) Michal Zaremba

  24. System Architecture (2005 OASIS Symposium)

  25. System Architecture: Request to discover Web services. May be sent to adapter or adapter may extract from backend app.

  26. System Architecture: Goal expressed in WSML sent to WSMX System Interface.

  27. System Architecture: Comm Manager component implements the interface to receive WSML goals.

  28. System Architecture: Comm Manager tells core Goal has been received.

  29. System Architecture: Choreography wrapper picks up event for Choreography component.

  30. System Architecture: A new choreography instance is created.

  31. System Architecture: Core is notified that choreography instance has been created.

  32. System Architecture: Parser wrapper picks up event for Parser component.

  33. System Architecture: WSML goal is parsed to internal format.

  34–35. System Architecture (diagram only)

  36. System Architecture: Discovery is invoked for parsed goal.

  37–38. System Architecture (diagram only)

  39. System Architecture: Discovery component requires data mediation.

  40–41. System Architecture (diagram only)

  42. System Architecture: After data mediation, discovery component completes its task.

  43–44. System Architecture (diagram only)

  45. System Architecture: After discovery, the choreography instance for goal requester is checked for next step in interaction.

  46–47. System Architecture (diagram only)

  48. System Architecture: Next step in choreography is to return set of discovered Web services to goal requester.
