
Distributed Computing without Surprises

Denis A Nicole

30th November 2005

The Sony Rootkit

  • It’s too easy to develop broken software

  • From hacker to everybody’s PC in six years.

Just call a hack $sys$foo and nobody can find it

World of Warcraft hackers using Sony BMG rootkit

Published: 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Posted by: Robert Lemos

Writing to Sony

Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)

From: contentprotectionhelp <[email protected]>

To: [email protected]

Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)

[ The following text is in the "utf-8" character set. ]

[ Your display is set for the "ISO-8859-1" character set. ]

[ Some characters may be displayed incorrectly. ]

Thank you for contacting Sony BMG Online.

Sony BMG and First 4 Internet have just released an update that will completely remove

the rootkit based DRM content protection software and replace it with a non-rootkit

DRM technology that is compatible with all current security protocols.

To ensure the security of your system, please visit their software update website to

obtain and install Service Pack 2 at:


If after this update, you still wish to uninstall our software, please visit the

form below using the computer where the software is currently installed and you will

be emailed an uninstall link within 1 business day (M-F).


Your "Case ID" is: 3372250.

TIP: Our uninstall request form will require a small ActiveX plug-in

(from First 4 Internet). Be sure to also temporarily turn off any

pop-up blocker software. Although a non-ActiveX process is in

development, currently, our online process is the only option.

Should you prefer to wait for the next uninstallation version,

one is due to be released later this month at:


Thank you for the opportunity to be of assistance.

The Sony BMG Online Support Team



It just gets worse

Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)

From: contentprotectionhelp <[email protected]>

To: [email protected]

Subject: Notification of potential security issue (KMM15645015I21924L0KM)

Thank you for contacting Sony BMG Online.

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files:…

And people laugh at you


Sony BMG has made a prudent decision — after more than ten days of intense criticism from industry observers and consumer advocates — to end the use of its highly controversial DRM technology. This will help the company recover from what has become a serious public-relations problem, but Sony BMG still faces lawsuits filed by PC users who allege that their PCs have been damaged by the technology.

What makes the Sony BMG incident even more unfortunate is that the DRM technology can be defeated easily. Gartner has identified one simple technique: The user simply applies a fingernail sized piece of opaque tape to the outer edge of the disc, rendering session 2 — which contains the self-loading DRM software — unreadable. The PC then treats the CD as an ordinary single session music CD, and the commonly used CD "rip" programs continue to work as usual. (Note: Gartner does not recommend or endorse this technique.) Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety.

Subject: Winsock 2 LSP Problems.

From: "Ceri Coburn" <[email protected]>

Date: Thu, 15 Aug 2002 12:19:23 +0100

Hi, I am having problems with creating a winsock LSP. I am going off the LSP example that's in the Platform SDK. I can get the ws2_32.dll to call WSPStartup but when debugging an application that uses winsock they fall over with the following error:-

(558.55c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 bx=00000000 ecx=00000202 dx=00dfd740 esi=0013eb08 edi=00000202
eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
kernel32!InterlockedIncrement+9:
77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????

Anybody got any ideas on why it's doing this?


I think I have the right man

Note: If this seems rather personal, it’s here because the seminar was combined with one by Hugh Glaser on using the Semantic web to track personal identity.

XCP is not Sony BMG’s only broken content protection software


And of course the patch is insecure


Moral

  • Where was driver signing in all this?

  • Why do users need to install drivers?

  • Why do you need to be an Administrator (Power User) to do stuff?

  • Does anybody understand ACLs? Privileges? “How to Shoot Yourself in the Foot with Security, Part 2” [http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx]

Some stuff is just language design mistakes

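public class prog {
    public static void main (String[] arg) {
        // Declared type is Crash, runtime type is Bang.
        Crash b = new Bang();
        // A static call is bound to the declared type at compile time.
        System.out.println("I'm a " + b.wallop());
    }
}

class Crash {
    public static String wallop() {
        return "Crash";
    }
}

class Bang extends Crash {
    // Hides Crash.wallop(); a static method cannot override.
    public static String wallop() {
        return "Bang";
    }
}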

E:\D1\Temp>javac prog.java

E:\D1\Temp>java prog

I'm a Crash

Some is just lazy interfaces

// Needs: using System; using System.Data.SqlClient; using System.Web.Services;
[WebMethod(Description="Shipping Status")]
public string GetShippingStatus(string Id) {
    string Status = "No";
    string sqlstring = "";
    try {
        // Connects as sa with a hard-coded password.
        SqlConnection sql = new SqlConnection(
            @"data source=localhost;" +
            "user id=sa;password=password;" +
            "initial catalog=Shipping");
        sql.Open();
        // The caller-supplied Id is concatenated straight into the statement.
        sqlstring = "SELECT HasShipped" + " FROM detail " +
            " WHERE ID='" + Id + "'";
        SqlCommand cmd = new SqlCommand(sqlstring, sql);
        if ((int)cmd.ExecuteScalar() != 0)
            Status = "Yes";
    }
    catch (SqlException se) {
        // The failed statement and every server error go back to the caller.
        Status = sqlstring + " failed\n\r";
        foreach (SqlError e in se.Errors) {
            Status += e.Message + "\n\r";
        }
    }
    catch (Exception e) {
        Status = e.ToString();
    }
    return Status;
}

Bugs

  • Connecting to the SQL database as sa, the sysadmin account.

  • The sysadmin account has an easy-to-guess password.

  • The code is susceptible to SQL injection

  • If the SQL communication fails, the Web service will send a great deal of data back to the attacker, including the text that makes up the SQL statement.

  • DoS: An invalid SQL statement will cause the SQL classes to throw an exception. However, the connection to SQL Server will not be closed. Eventually, it will be garbage-collected.

    This is an example from a how-to book…
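The same lookup with each of the listed bugs addressed, as an added example (not from the slides or the how-to book), written in Java with JDBC rather than the C# of the slide. The class name, the id format, the returned status strings and a DataSource configured for a low-privilege account are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.sql.DataSource;

/** Added example: shipping-status lookup hardened against the bugs listed above. */
public final class ShippingStatus {
    private static final Logger LOG = Logger.getLogger(ShippingStatus.class.getName());
    // Assumption: order ids are 1-32 letters, digits or hyphens.
    private static final Pattern ID_FORMAT = Pattern.compile("[A-Za-z0-9-]{1,32}");
    private static final String QUERY = "SELECT HasShipped FROM detail WHERE ID = ?";

    private final DataSource shippingDb;

    /**
     * @param shippingDb assumed to be configured outside the source for an account
     *        that holds only SELECT on detail (not sa), with no password in code.
     */
    public ShippingStatus(DataSource shippingDb) {
        this.shippingDb = shippingDb;
    }

    public String getShippingStatus(String id) {
        if (id == null || !ID_FORMAT.matcher(id).matches()) {
            return "Unknown"; // rejected before anything reaches the database
        }
        // try-with-resources closes connection, statement and result set on every
        // path, so failing queries cannot pile up open connections.
        try (Connection conn = shippingDb.getConnection();
             PreparedStatement stmt = conn.prepareStatement(QUERY)) {
            stmt.setString(1, id); // bound as data, never spliced into the SQL text
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    return "Unknown"; // no such order is a normal result, not an error
                }
                return rs.getInt(1) != 0 ? "Yes" : "No";
            }
        } catch (SQLException e) {
            // Detail stays in the server log; the caller learns nothing about the
            // statement, the schema or the driver.
            LOG.log(Level.WARNING, "shipping status lookup failed", e);
            return "Unavailable";
        }
    }
}
```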

A lot is bad lexical structure

Messages to the TSI are delimited by ENDOFMESSAGE\n. These messages are untainted simply by removing the trailing ENDOFMESSAGE, without attempting to parse their contents. This is accompanied by the comment:

# I trust the source! and the setuid/setguid is downgrading!

A particular case, when talking to a real NJS, which frightened us was the possibility of a malicious client generating an AJO that contains file imports, where the filename has embedded within it something like:




(all on one line)

Modern OO Language security is far too complex

It is well known that passing objects back to trusted code from untrusted routines can be a general source of difficulty. The key point is that, if trusted code allows untrusted code to “handle” one of its objects, then it is usually essential that the object be “final” so that the untrusted code cannot subclass it to introduce misbehaving methods.

It turns out that the Bouncy Castle package (used by Globus and Unicore) has just the above vulnerability. This turns out to be useful. The Interactive Job facility has to authenticate an SSH, not SSL, channel. The protocols differ and it does not seem to be possible to authenticate an SSH channel without direct access to the private key. This is achieved in InteractiveJob using the following snippet of code:

import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.bouncycastle.jce.X509V3CertificateGenerator;

/**
 * Class which impersonates a X.509 certificate generator in
 * order to retrieve a private key from a X.509 certificate.
 */
class PrivateKeyExtractor extends X509V3CertificateGenerator {
    private X509Certificate cert;
    private PrivateKey privateKey;

    public X509Certificate generateX509Certificate (PrivateKey privateKey) {
        this.privateKey = privateKey;
        return null;
    }

    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }
}

The code exploits the fact that X509V3CertificateGenerator is not a final class and simply subclasses it to introduce a key-stealing method which, in this case, is used only for SSH authentication.

This is a rather trivial (published) example, based on real operational code and a popular open source library.
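The pattern and a caller-side defence, as an added example that is not part of the original slides and uses only the JDK, not Bouncy Castle. Signer, CapturingSigner and Credential are hypothetical stand-ins for the library class, the subclass and the trusted key holder.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SubclassLeakDemo {
    /** Hypothetical stand-in for a non-final library class that is handed the key. */
    static class Signer {
        byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(key);
            s.update(data);
            return s.sign();
        }
    }

    /** The slide's pattern in miniature: the override keeps the key it is passed. */
    static class CapturingSigner extends Signer {
        PrivateKey captured;
        @Override byte[] sign(PrivateKey key, byte[] data) {
            captured = key;
            return new byte[0];
        }
    }

    /** Trusted holder of the key; it has no getter for it. */
    static final class Credential {
        private final PrivateKey key;
        Credential(PrivateKey key) { this.key = key; }
        /** Open form: whatever Signer subclass the caller supplies receives the key. */
        byte[] signWith(Signer signer, byte[] data) throws GeneralSecurityException {
            return signer.sign(key, data);
        }
        /** Defence when Signer cannot be declared final: accept the exact class only. */
        byte[] signWithChecked(Signer signer, byte[] data) throws GeneralSecurityException {
            if (signer.getClass() != Signer.class) {
                throw new SecurityException("refusing subclass " + signer.getClass().getName());
            }
            return signer.sign(key, data);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // throwaway key, constructed for this demo
        Credential cred = new Credential(pair.getPrivate());
        byte[] msg = "demo".getBytes(StandardCharsets.UTF_8);
        CapturingSigner first = new CapturingSigner();
        cred.signWith(first, msg);
        System.out.println("open call leaked key: " + (first.captured != null));
        CapturingSigner second = new CapturingSigner();
        try {
            cred.signWithChecked(second, msg);
        } catch (SecurityException e) {
            System.out.println("checked call refused: " + e.getMessage());
        }
        System.out.println("checked call leaked key: " + (second.captured != null));
    }
}
```

Where the trusted code owns the class, declaring it final (as the text recommends) makes the run-time check unnecessary.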

OO Language security

  • Some sources of complexity:

    • Class loaders.

    • Managing class search order, especially for callbacks. Thread.getContextClassLoader()?

    • Debugging

    • Security configuration loading

    • Backdoor constructors, eg deserialisers, clone

Never mind distributed, concurrency still doesn’t work

  • Java:

    • Infinite starvation: Wot no Chickens [http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html]

    • Efficient locks: Specific Notification [http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html]

    • The memory model [http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html]

    • And the Inheritance Anomaly:

You can try to fix it with patterns

  • java.util.concurrent

    • Executors

    • Queues

    • Timing

    • Synchronizers

Or with Aspect Oriented Programming

  • Does this just split out the bits that don’t inherit?

  • Microsoft XAML splits classes between “declarative” (GUI, workflow) and code (business logic). Is this usefully related to Aspects?

  • How does XAML relate to classic MVC?

  • Can we deliver Aspects using (custom) attributes?

  • What about Jeeg?

Web Service Execution Environment (WSMX)

Michal Zaremba

System Architecture

2005 OASIS Symposium

  • Request to discover Web services. May be sent to adapter or adapter may extract from backend app.

  • Goal expressed in WSML sent to WSMX System Interface

  • Comm Manager component implements the interface to receive WSML goals

  • Comm Manager tells core Goal has been received

  • Choreography wrapper picks up event for Choreography component

  • A new choreography instance is created

  • Core is notified that choreography instance has been created.

  • Parser wrapper picks up event for Parser component

  • WSML goal is parsed to internal format

  • Discovery is invoked for parsed goal

  • Discovery component requires data mediation.

  • After data mediation, discovery component completes its task.

  • After discovery, the choreography instance for goal requester is checked for next step in interaction.

  • Next step in choreography is to return set of discovered Web services to goal requester

  • Set of Web Service descriptions expressed in WSML sent to appropriate adapter

  • Set of Web Service descriptions expressed in requester’s own format returned to goal requester

A semantic grid needs

  • Ontologies: What side effects will happen? Telescope or Missile?

  • Protocols: WSDL gives only signatures

  • Provenance: Is it really a bank?

  • Do we need reasoning/search?

    • XPath?

    • Relational query?

    • Description logics?

    • Frame logics?

    • Monotonic?

Religious wars

Security is in for a shake-up

  • Globus GSI, Proxies

  • Unicore signed AJOs


  • Public Key Infrastructure

  • Triumph of the Librarians

  • Shibboleth, SAML [http://shibboleth.internet2.edu/]

Computer Engineering

  • Is about building artefacts

  • Artefacts for people to use

Brian Reid, Scribe

What do we remember?

Donald Knuth

Leslie Lamport

Can we contribute to emergent systems?

The most important unanswered question in evolutionary biology, and more generally in the social sciences, is how co-operative behaviour evolved and can be maintained in human or other animal groups and societies¹.

At first sight, the answer may seem obvious: if you are a marmot, the small risk attendant on giving an alarm call is outweighed by the larger benefit you derive from alarm calls from other group members. The problem is the vulnerability of any such system to “cheating” — enjoying the defensive group benefit, but yourself never incurring the risk of uttering an alarm call.

Such “cheats” prosper in evolutionary terms, enjoying the group benefits without the costs and, by so prospering, making it difficult for the cooperative benefits to be maintained.

An example closer to home in recent years is the decline in voluntary up-take of the MMR vaccine in the UK (seeking to avoid any putative risk to your children, whilst implicitly relying on others to keep “herd immunity” high by vaccinating their children), resulting in rising incidence of measles².

Lord May



[Podcast: http://www.royalsoc.ac.uk/page.asp?id=3966]

So what do we do?

  • No new languages: no community.

  • Don’t expose theory to users.

  • In the US, it’s bad taste to admit you are numerate.

  • Simple tools for safe programming in the real world (ie Visual Studio). eg,

    • security configuration analysis

    • concurrency validation

    • Aspects

  • Make it easy to do the right thing.