Skip to content

Category: Hackerterrorcybercyber

Spectre #2 Mitigation – Retpolines

Intel finally published a whitepaper about Spectre #2 Mitigation. The PDF is also featured on Hacker News. It’s a technical whitepaper, but you can see the footprints of lawyers all over the language.

For me, it basically says that, yes, Retpolines are indeed incompatible with Controlflow Enforcement Technology (CET) that Intel was planning for later CPUs (PDF, El Reg article).

CET introduces a shadow stack for return addresses only, and will fail your code into an exception if the normal stack return address and the shadow stack address disagree. Trying to touch and manipulate the shadow stack will also fail into an exception. That is, CET makes touching a return address on the stack toxic by having in effect separate argument and return address stacks, and your code explodes every time you try to do something funny with return addresses.

Which is what Retpolines depend on.

Leave a Comment

Plex and TLS vs. beA and failure

Filippo Valsorda wrote an article “How Plex is doing https for all its users” two years ago. In the article, Filippo explains how the self-hosted media server Plex can offer TLS to secure all connections, including those to the user’s servers.

Plex is a server software running on your machine, and a discovery service somewhere out on the internet. Using your login, you connect to the discovery service, and then connects directly to your server, using XHR.

The XHR part means you are on a page, and because that is a https page, the XHRs also need to be encrypted and trusted. That means your server needs to be able to do https, and that means your server needs to have a valid certificate to do this.

How does your server get this cert?



#define MH_PIE 0x200000                 /* When this bit is set, the OS will
                                           load the main executable at a
                                           random address.  Only used in
                                           MH_EXECUTE filetypes. */

If that flag is on, MacOS will enable ASLR and the binary will have different load addresses for code, data, heap and stack every time it is running.

$ sudo otool -h '/Library/Application Support/TrendMicro/TmccMac/iCoreService_tmsm'
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    20       2656 0x00018085

Check the ‘flags’ for this. No 0x200000, no ASLR. Not here, and not on any other binary with “TrendMicro” in the pathname. And that is why you can’t have nice things.


So how badly is WPA2 broken?

It’s all over the news since yesterday: »WPA2 Wifi-Encryption is broken.« German news stations are asking people to not do online-banking via Wifi (that’s nonsense, but more about that later).

So what is WPA2? Wifi connections are connections over the air, radio signals in the 2.4 GHZ and 5 GHZ band. Because radio waves propagate everywhere around the antenna, they can be listened in by everybody. In order to give the over-the-air piece of the Internet connection some privacy, a simple encryption protocol had been cooked up, WEP. The WE in WEP stood for “Wire equivalent”, so the encryption wasn’t supposed to be milspec, it was supposed to give privacy comparable to a wire.

WEP was broken a long time ago, and it did not provide much of anything for a decade now. The successor protocols were WPA and later, WPA2. WPA2 was actually proven to be correct and secure, and that proof remarkably still stands.

So how is that possible?

1 Comment

The inherent Asymmetry of online attacks

Katie Moussouris explains teh Cyber and how it is asymmetric:

»”#Cassandra moment: Explaining that determining “cyber norms” in today’s world order misses emerging capabilities & motivations of new actors.

Forget “attribution”. Not what I mean. Deterrence, state responsibility, etc in existing state context assumes most want to keep stability.

Plenty of non-terrorist smaller states & non-state-non-criminal actors have or can acquire capabilities & would not be sanctionable, for example when we think through deterrence strategies, consider not just world order we have that prefers stability, but those who prefer destability.

We’re erroneously trying to defend against a magnetic power reversal of the N & S poles, but the cyberwar powers are everywhere & unaligned.

We miss the point if we think the answer is to contain those weapons/tools. We hurt defense when we limit their distribution for analysis.”«

1 Comment

A (sad) security user story

Here is a user story for implementors of security systems and platform hardening initiatives:

As any user,

I never want to get a “denied” message, but a “in order to do what you want you are missing the X permission” message in order to be able to track down the root cause and request the appropriate permissions more easily.

It’s not that hard, really.

GitLab: You are not allowed to push code to this project.

Well, it’s harder for some, apparently. That’s one hour of my life I am not getting back.

1 Comment

The Great DOM Fuzz-off of 2017

I generally recommend people use a current stable Chrome. It’s the most secure browser. Please also install uBO and use 1Password.

Turns out, that recommendation can also be backed up by data. Check the “Results” headline.

Note also how they did not test Safari on Apple, because that hurts too much:

Instead of fuzzing Safari directly, which would require Apple hardware, we instead used WebKitGTK+ which we could run on internal (Linux-based) infrastructure. We created an ASAN build of the release version of WebKitGTK+. Additionally, each crash was verified against a nightly ASAN WebKit build running on a Mac.

Yup, Apple development and testing happening on Linux.

Leave a Comment