Distributed Computing without Surprises

Denis A Nicole

30th November 2005


The Sony Rootkit

  • It’s too easy to develop broken software

  • From hacker to everybody’s PC in six years.


Just call a hack $sys$foo and nobody can find it…

World of Warcraft hackers using Sony BMG rootkit

Published: 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Posted by: Robert Lemos


Writing to Sony…

Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)

From: contentprotectionhelp <[email protected]>

To: [email protected]

Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)

[ The following text is in the "utf-8" character set. ]

[ Your display is set for the "ISO-8859-1" character set. ]

[ Some characters may be displayed incorrectly. ]

Thank you for contacting Sony BMG Online.

Sony BMG and First 4 Internet have just released an update that will completely remove the rootkit based DRM content protection software and replace it with a non-rootkit DRM technology that is compatible with all current security protocols.

To ensure the security of your system, please visit their software update website to obtain and install Service Pack 2 at:

http://updates.xcp-aurora.com

If after this update, you still wish to uninstall our software, please visit the form below using the computer where the software is currently installed and you will be emailed an uninstall link within 1 business day (M-F).

http://cp.sonybmg.com/xcp/english/form9.html

Your "Case ID" is: 3372250.

TIP: Our uninstall request form will require a small ActiveX plug-in (from First 4 Internet). Be sure to also temporarily turn off any pop-up blocker software. Although a non-ActiveX process is in development, currently, our online process is the only option.

Should you prefer to wait for the next uninstallation version, one is due to be released later this month at:

http://cp.sonybmg.com/xcp/english/updates.html

Thank you for the opportunity to be of assistance.

The Sony BMG Online Support Team

CC2X

John


It just gets worse

Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)

From: contentprotectionhelp <[email protected]>

To: [email protected]

Subject: Notification of potential security issue (KMM15645015I21924L0KM)

Thank you for contacting Sony BMG Online.

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files:…


And people laugh at you

Analysis

Sony BMG has made a prudent decision — after more than ten days of intense criticism from industry observers and consumer advocates — to end the use of its highly controversial DRM technology. This will help the company recover from what has become a serious public-relations problem, but Sony BMG still faces lawsuits filed by PC users who allege that their PCs have been damaged by the technology.

What makes the Sony BMG incident even more unfortunate is that the DRM technology can be defeated easily. Gartner has identified one simple technique: The user simply applies a fingernail sized piece of opaque tape to the outer edge of the disc, rendering session 2 — which contains the self-loading DRM software — unreadable. The PC then treats the CD as an ordinary single session music CD, and the commonly used CD "rip" programs continue to work as usual. (Note: Gartner does not recommend or endorse this technique.) Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety.


Subject: Winsock 2 LSP Problems.

From: "Ceri Coburn" <[email protected]>

Date: Thu, 15 Aug 2002 12:19:23 +0100

Hi, I am having problems with creating a winsock LSP. I am going off the LSP example that's in the Platform SDK. I can get the ws2_32.dll to call WSPStartup but when debugging an application that uses winsock they fall over with the following error:-

(558.55c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 bx=00000000 ecx=00000202 dx=00dfd740 esi=0013eb08 edi=00000202
eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
kernel32!InterlockedIncrement+9:
77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????

Anybody got any ideas on why it's doing this?

[http://www.osronline.com/lists_archive/ntfsd/thread2716.html]


I think I have the right man

Note: If this seems rather personal, it’s here because the seminar was combined with one by Hugh Glaser on using the Semantic web to track personal identity.


XCP is not Sony BMG’s only broken content protection software

[http://www.eff.org/IP/DRM/Sony-BMG/MediaMaxVulnerabilityReport.pdf]


And of course the patch is insecure

[http://www.freedom-to-tinker.com/?p=942]


Moral

  • Where was driver signing in all this?

  • Why do users need to install drivers?

  • Why do you need to be an Administrator (Power User) to do stuff?

  • Does anybody understand ACLs? Privileges? [http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx] “How to Shoot Yourself in the Foot with Security, Part 2:”


Some stuff is just language design mistakes

    public class prog {
        public static void main (String[] arg) {
            Crash b = new Bang();
            // wallop() is static, so the call binds to the declared type Crash,
            // not to the run-time type Bang.
            System.out.println("I'm a " + b.wallop());
        }
    }

    class Crash {
        public static String wallop() {
            return "Crash";
        }
    }

    class Bang extends Crash {
        public static String wallop() {
            return "Bang";
        }
    }

    E:\D1\Temp>javac prog.java

    E:\D1\Temp>java prog
    I'm a Crash


Good bedtime reading


Some is just lazy interfaces

    [WebMethod(Description="Shipping Status")]
    public string GetShippingStatus(string Id) {
        string Status = "No";
        string sqlstring ="";
        try {
            SqlConnection sql= new SqlConnection(
                @"data source=localhost;" +
                "user id=sa;password=password;" +
                "initial catalog=Shipping");
            sql.Open();
            sqlstring="SELECT HasShipped" +
                " FROM detail " +
                " WHERE ID='" + Id + "'";
            SqlCommand cmd = new SqlCommand(sqlstring,sql);
            if ((int)cmd.ExecuteScalar() != 0)
                Status = "Yes";
        }
        catch (SqlException se) {
            Status = sqlstring + " failed\n\r";
            foreach (SqlError e in se.Errors) {
                Status += e.Message + "\n\r";
            }
        }
        catch (Exception e) {
            Status = e.ToString();
        }
        return Status;
    }


Bugs

  • Connecting to the SQL database as sa, the sysadmin account.

  • The sysadmin account has an easy-to-guess password.

  • The code is susceptible to SQL injection.

  • If the SQL communication fails, the Web service will send a great deal of data back to the attacker, including the text that makes up the SQL statement.

  • DoS: An invalid SQL statement will cause the SQL classes to throw an exception. However, the connection to SQL Server will not be closed. Eventually, it will be garbage-collected.

    This is an example from a how-to book…


A lot is bad lexical structure

Messages to the TSI are delimited by ENDOFMESSAGE\n. These messages are untainted simply by removing the trailing ENDOFMESSAGE, without attempting to parse their contents. This is accompanied by the comment:

# I trust the source! and the setuid/setguid is downgrading!

A particular case, when talking to a real NJS, which frightened us was the possibility of a malicious client generating an AJO that contains file imports, where the filename has embedded within it something like:

ENDOFMESSAGE\n#TSI_IDENTITY victim NONE\nENDOFMESSAGE\n#TSI_EXECUTESCRIPT\n...hostile script...\nENDOFMESSAGE\n

(all on one line)
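The splitting problem described above, as an added Java example that is not part of the original slides or of the UNICORE code. The directive `#EXAMPLE_IMPORT`, the class and the method names are assumptions made for the demo, and the filename is constructed from the one on the slide; it shows a delimiter-framed receiver seeing three messages where the sender meant one, and a sender-side check that refuses such a field.

```java
import java.util.ArrayList;
import java.util.List;

public class TsiFramingDemo {
    static final String DELIM = "ENDOFMESSAGE\n";

    // Sender as described above: untrusted text is pasted into the message unchanged.
    // "#EXAMPLE_IMPORT" is a hypothetical directive name used only for this demo.
    static String frameNaive(String filename) {
        return "#EXAMPLE_IMPORT\n" + filename + "\n" + DELIM;
    }

    // Hardened sender: refuse any field that could end a line or a message.
    static String frameChecked(String filename) {
        if (filename.isEmpty() || filename.contains("ENDOFMESSAGE")
                || filename.chars().anyMatch(Character::isISOControl)) {
            throw new IllegalArgumentException("illegal characters in filename");
        }
        return "#EXAMPLE_IMPORT\n" + filename + "\n" + DELIM;
    }

    // Receiver: cut the incoming stream into messages at each delimiter.
    static List<String> receive(String stream) {
        List<String> messages = new ArrayList<>();
        int start = 0;
        int end;
        while ((end = stream.indexOf(DELIM, start)) >= 0) {
            messages.add(stream.substring(start, end));
            start = end + DELIM.length();
        }
        return messages;
    }

    public static void main(String[] args) {
        // Constructed input modelled on the filename shown on the slide.
        String hostile = "data.txt\nENDOFMESSAGE\n#TSI_IDENTITY victim NONE\n"
                + "ENDOFMESSAGE\n#TSI_EXECUTESCRIPT\n...hostile script...";

        List<String> got = receive(frameNaive(hostile));
        System.out.println("naive framing delivered " + got.size() + " messages");
        for (String m : got) {
            System.out.println("  [" + m.replace("\n", "\\n") + "]");
        }

        try {
            frameChecked(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("checked framing rejected the filename: " + e.getMessage());
        }
        System.out.println("checked framing delivered "
                + receive(frameChecked("data.txt")).size() + " message");
    }
}
```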


Modern OO Language security is far too complex

It is well known that passing objects back to trusted code from untrusted routines can be a general source of difficulty. The key point is that, if trusted code allows untrusted code to “handle” one of its objects, then it is usually essential that the object be “final” so that the untrusted code cannot subclass it to introduce misbehaving methods.

It turns out that the Bouncy Castle package (used by Globus and Unicore) has just the above vulnerability. This turns out to be useful. The Interactive Job facility has to authenticate an SSH, not SSL, channel. The protocols differ and it does not seem to be possible to authenticate an SSH channel without direct access to the private key. This is achieved in InteractiveJob using the following snippet of code:

    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import org.bouncycastle.jce.X509V3CertificateGenerator;

    /**
     * Class which impersonates a X.509 certificate generator in
     * order to retrieve a private key from a X.509 certificate.
     */
    class PrivateKeyExtractor extends X509V3CertificateGenerator {
        private X509Certificate cert;
        private PrivateKey privateKey;

        public X509Certificate generateX509Certificate (PrivateKey privateKey) {
            this.privateKey = privateKey;
            return null;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }
    }

The code exploits the fact that X509V3CertificateGenerator is not a final class and simply subclasses it to introduce a key-stealing method which, in this case, is used only for SSH authentication.

This is a rather trivial (published) example, based on real operational code and a popular open source library.
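The defensive side of the point above, as an added Java example that is not from the slides, Bouncy Castle or InteractiveJob. `CertGenerator`, `KeyCapturingGenerator` and `KeyStoreLike` are hypothetical stand-ins and the key is a constructed demo value; the code contrasts trusted code that hands its key to any subclass with a version that accepts only the exact library class.

```java
public class FinalClassDemo {
    // Hypothetical stand-in for a non-final library class that is handed a key.
    static class CertGenerator {
        public String generate(char[] privateKey) {
            return "cert(" + privateKey.length + " key chars used)";
        }
    }

    // Same move as the snippet above: override the method that receives the key.
    static class KeyCapturingGenerator extends CertGenerator {
        char[] captured;

        @Override
        public String generate(char[] privateKey) {
            captured = privateKey.clone();
            return null;
        }
    }

    // Trusted holder of the key (constructed demo value, not a real key).
    static class KeyStoreLike {
        private final char[] key = "demo-private-key".toCharArray();

        // Weak: accepts any subclass and passes the key to its overridable method.
        String signWith(CertGenerator g) {
            return g.generate(key);
        }

        // Hardened: only the exact library class may receive the key.
        // Declaring CertGenerator final would let the compiler enforce this instead.
        String signWithChecked(CertGenerator g) {
            if (g.getClass() != CertGenerator.class) {
                throw new SecurityException("untrusted subclass " + g.getClass().getName());
            }
            return g.generate(key);
        }
    }

    public static void main(String[] args) {
        KeyStoreLike store = new KeyStoreLike();
        KeyCapturingGenerator capturing = new KeyCapturingGenerator();

        store.signWith(capturing);
        System.out.println("weak path leaked key: " + (capturing.captured != null));

        try {
            store.signWithChecked(new KeyCapturingGenerator());
        } catch (SecurityException e) {
            System.out.println("checked path refused: " + e.getMessage());
        }
        System.out.println("checked path, library class: "
                + store.signWithChecked(new CertGenerator()));
    }
}
```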


OO Language security

  • Some sources of complexity:

    • Class loaders.

    • Managing class search order, especially for callbacks. Thread.getContextClassLoader()?

    • Debugging

    • Security configuration loading

    • Backdoor constructors, eg deserialisers, clone


Never mind distributed, concurrency still doesn’t work

  • Java:

    • Infinite starvation: Wot no Chickens [http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html]

    • Efficient locks: Specific Notification [http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html]

    • The memory model [http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html]

    • And the Inheritance Anomaly:


You can try to fix it with patterns

  • java.util.concurrent

    • Executors

    • Queues

    • Timing

    • Synchronizers


Or with Aspect Oriented Programming

  • Does this just split out the bits that don’t inherit?

  • Microsoft XAML splits classes between “declarative” (GUI, workflow) and code (business logic). Is this usefully related to Aspects?

  • How does XAML relate to classic MVC?

  • Can we deliver Aspects using (custom) attributes?

  • What about Jeeg?


Web Service Semantics are out of control


Web Service Execution Environment (WSMX)

Michal Zaremba


System Architecture

2005 OASIS Symposium

  • Request to discover Web services. May be sent to adapter or adapter may extract from backend app.

  • Goal expressed in WSML sent to WSMX System Interface

  • Comm Manager component implements the interface to receive WSML goals

  • Comm Manager tells core Goal has been received

  • Choreography wrapper picks up event for Choreography component

  • A new choreography instance is created

  • Core is notified that choreography instance has been created.

  • Parser wrapper picks up event for Parser component

  • WSML goal is parsed to internal format

  • Discovery is invoked for parsed goal

  • Discovery component requires data mediation.

  • After data mediation, discovery component completes its task.

  • After discovery, the choreography instance for goal requester is checked for next step in interaction.

  • Next step in choreography is to return set of discovered Web services to goal requester

  • Set of Web Service descriptions expressed in WSML sent to appropriate adapter

  • Set of Web Service descriptions expressed in requester’s own format returned to goal requester

A semantic grid needs

  • Ontologies: What side effects will happen? Telescope or Missile?

  • Protocols: WSDL gives only signatures

  • Provenance: Is it really a bank?

  • Do we need reasoning/search?

    • XPath?

    • Relational query?

    • Description logics?

    • Frame logics?

    • Monotonic?

Religious wars


Security is in for a shake-up

  • Globus GSI, Proxies

  • Unicore signed AJOs

  • OMII PBAC

  • Public Key Infrastructure

  • Triumph of the Librarians

  • Shibboleth, SAML [http://shibboleth.internet2.edu/]


Computer Engineering

  • Is about building artefacts

  • Artefacts for people to use

Brian Reid, Scribe


What do we remember?

Donald Knuth

Leslie Lamport


Can we contribute to emergent systems?

The most important unanswered question in evolutionary biology, and more generally in the social sciences, is how co-operative behaviour evolved and can be maintained in human or other animal groups and societies.

At first sight, the answer may seem obvious: if you are a marmot, the small risk attendant on giving an alarm call is outweighed by the larger benefit you derive from alarm calls from other group members. The problem is the vulnerability of any such system to “cheating”: enjoying the defensive group benefit, but yourself never incurring the risk of uttering an alarm call.

Such “cheats” prosper in evolutionary terms, enjoying the group benefits without the costs and, by so prospering, making it difficult for the cooperative benefits to be maintained.

An example closer to home in recent years is the decline in voluntary up-take of the MMR vaccine in the UK (seeking to avoid any putative risk to your children, whilst implicitly relying on others to keep “herd immunity” high by vaccinating their children), resulting in rising incidence of measles.

Lord May

THREATS TO TOMORROW’S WORLD

[http://www.royalsoc.ac.uk/downloaddoc.asp?id=2414]

[Podcast: http://www.royalsoc.ac.uk/page.asp?id=3966]


So what do we do?

  • No new languages: no community.

  • Don’t expose theory to users.

  • In the US, it’s bad taste to admit you are numerate.

  • Simple tools for safe programming in the real world (ie Visual Studio). eg,

    • security configuration analysis

    • concurrency validation

    • Aspects

  • Make it easy to do the right thing.

