GUADEC 2010 – The Hague

I’ve been to GUADEC *yay*! I am going to summarize some of the talks I’ve attended and some of the many seriously interesting conversations I’ve had during this week. But in short: this was one of the best GUADECs, progress-wise. I met many people, brought my teams (bugsquad and membership-committee) forward, had new inspirations and fixed some bugs 🙂

But the week started with some work. Apparently, the network was not fully set up yet and we had to use a lot of duct tape to set everything up. After people saw me being “in charge” of the network, they started to complain that the network was not running properly 😉 The problem was that the uplink was kind of broken. Basically a big firewall blocked that many connections because it thought it was under attack. The solution then was to claim some of the university’s IP addresses and do a big SNAT for the users.

Having said that, the network was up and running perfectly on Wednesday, making it a perfectly networked GUADEC 🙂 Previous GUADECs usually had some trouble with the connection even after the event started (remember the broken uplink on Gran Canaria or the rather bad wireless situation in Birmingham?).

The Hotel’s wireless was ridiculously expensive. They wanted 10 quid for 24 hours. But I realized, that the default gateway is announced as being at 192.168.1.1 and if you visited that with a web browser, you’d find out that it was a Zyxel VSG-1200. Turns out, documentation is very verbose, including a default username and password… The rest is left as an exercise for the reader. If you didn’t want to go that route, you could easily claim an active MAC-Address and IP and reuse the authentication…

The talks were streamed and I hope recordings will be made available soon. Good summaries were already given in the official GUADEC blog and various others so I won’t go into too much detail, because .

I haven’t seen covered that Xan and Fernando mocked the newly promulgated Speaker Guidelines, which they didn’t respect either. It’s an interesting discussion though. It is obviously a shield against attacks from the outside so that we (as GNOME) can point to these guidelines if one of our speakers might have offended anyone. But do we, as GNOME, need such a thing in the first place? And what happens if we refer to those guidelines over and over again but nobody complies with them? Probably nothing. But do we need to lie to ourselves then? Can’t we expect people to have enough common sense? Do we want to be a community where we can’t assume enough common sense?

An issue that I didn’t really understand was that the usual picking on Canonical took place. Apparently, people expected Canonical to have contributed more since 1999 than they actually did. But they were founded in 2004… That comment summarizes that fact well. Also, I don’t really get why people expect a distributor to engineer stuff in, say, GNOME. I don’t hear anybody complaining about, say, Mandriva or Gentoo.

Bradley Kuhn told us to save human lives by rolling out more crypto within GNOME. I couldn’t agree more. But sadly, we have a long way to go. For now, you can’t even handle your OpenPGP key in a sane way, e.g. rolling over to a new key. It strikes me that we still don’t have a concept for end-to-end encrypted communication, e.g. with Telepathy (well, email is too broken to be tackled). Apparently XTLS should be used. But no PKI will be used, thus discouraging the enhancement of the OpenPGP Web of Trust. It would be absolutely brilliant if Telepathy used OpenPGP keys (maybe even created one if none existed). When talking to another entity via Telepathy, it could then ask the user to verify the other person’s identity via, say, a video chat. That chat would use the public key material for encryption. The assumption is that the two parties know each other and that a man-in-the-middle cannot spoof valid data quickly enough. The other person’s key would then more or less automatically be signed. I talked a lot to Stef Walter and other people around GNOME-Keyring and Seahorse and we had good ideas. Let’s see how much we can get done.
But we’ll have a long way to go, since GNOME doesn’t even provide fundamental encryption for its web services, e.g. live.gnome.org or even the RequestTracker 🙁

As for the teams I feel responsible for, I met with a few Bugsquad folks and we’ve discussed a few things. I am still in Post-GUADEC mode to get everything off my Todo-List that accumulated over GUADEC. The most immediate action is to close bugs of deprecated modules and get rid of the products in Bugzilla. Other lower priority issues are to (finally!) organise a bugday and test a JetPack which helps dealing with Bugzilla.

I also had a few discussions related to the GNOME Foundation membership process. We somehow have to think about the people that feel intimidated to join the GNOME Foundation. Also, we will discuss our strategy and policy for evaluating non-trivial contributions to GNOME.

Having said all that, I want to thank the GNOME Foundation for paying my accommodation and making such a productive week possible.

Practicum Status Update Week 8

  • Over the weekend, I’ve talked at the ChaosBBQ in Dortmund, Germany. A nice and small conferency gathering.
  • This week I had only a few bugs (that I reported):
  • The filter stuff is actually more complex than I initially thought: I do indeed have to handle async USB URBs which makes the code look more ugly and taste more like spaghetti. Anyway, the filter stuff should fully work now *yay*.

    I hope the video works. If it doesn’t, please download first. So we can replace packets on the fly, in and out. And of course, you could design a more complex scenario: Let the first read pass by unmodified but after that modify the packets.

  • Read a bit in “Essential Linux Device Drivers” which is an interesting book to read. I like the relaxed writing style. I haven’t gotten to the nitty-gritty USB details yet though.
  • Wireshark can sniff USB communication, too. And it can save as a pcap file. And it dissects bits of the protocols. At least it shows the SCSI request for a USB Mass Storage device. I have to test whether it knows, say, webcams. First investigations show that it only supports USB Mass Storage though. And it’d be interesting whether it can sniff the communication I’m filtering with QEmu.
  • Apparently, USB network magic for pcap is 0xdc:
    typedef struct pcap_hdr_s {
            guint32 magic_number;   /* magic number */
            guint16 version_major;  /* major version number */
            guint16 version_minor;  /* minor version number */
            gint32  thiszone;       /* GMT to local correction */
            guint32 sigfigs;        /* accuracy of timestamps */
            guint32 snaplen;        /* max length of captured packets, in octets */
            guint32 network;        /* data link type */
    } pcap_hdr_t;

    Wireshark dumps the following:

    0000000: d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00  ................
    0000010: ff ff 00 00 dc 00 00 00 43 8e 44 4c d7 96 05 00  ........C.DL....

    So I might be able to implement saving to PCap at some stage.

  • Next week will be GUADEC! *yay* But that will also mean that I can’t work that much.
  • So my emulation seems to work now, too. I now need to speak the right protocol. So if you know a good resource that describes how a, say, USB Webcam behaves on the bus, drop me a line. Or anything that can dissect USB packets would be fine.
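The pcap header struct and the Wireshark hexdump in the list above are enough to write and read the file format. The following is an added example (not the author’s QEMU code) that packs a global header with the USB link type 0xdc and parses the bytes shown above back out; it goes a little beyond the dump by also detecting a big-endian writer and the nanosecond-timestamp magic. The sample bytes are constructed from the two hexdump lines on the page; the name LINKTYPE_USB_LINUX_MMAPPED is libpcap’s name for 220.

```python
import struct

# Value Wireshark wrote into the "network" (link-type) field above:
# 0xdc = 220, which libpcap names LINKTYPE_USB_LINUX_MMAPPED.
LINKTYPE_USB_LINUX_MMAPPED = 0xDC

# Global header: magic, version_major, version_minor, thiszone, sigfigs,
# snaplen, network (24 bytes).  The magic is written in the writer's own
# byte order, so a reader infers endianness from its raw bytes.
GLOBAL_HDR = "IHHiIII"
GLOBAL_HDR_LEN = struct.calcsize("<" + GLOBAL_HDR)
RECORD_HDR = "IIII"      # per packet: ts_sec, ts_usec (or ts_nsec), incl_len, orig_len

MAGIC_USEC = 0xA1B2C3D4  # microsecond timestamps (file bytes d4 c3 b2 a1 when little-endian)
MAGIC_NSEC = 0xA1B23C4D  # nanosecond timestamps

# Constructed from the two hexdump lines shown above: the 24-byte global
# header followed by the first 8 bytes (ts_sec, ts_usec) of the first record.
SAMPLE = bytes.fromhex(
    "d4c3b2a1 0200 0400 00000000 00000000 ffff0000 dc000000"
    "438e444c d7960500"
)


def pack_global_header(network, snaplen=65535, nanosecond=False, endian="<"):
    """Build a global header like the one Wireshark wrote (version 2.4)."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    return struct.pack(endian + GLOBAL_HDR, magic, 2, 4, 0, 0, snaplen, network)


def pack_record_header(ts_sec, ts_frac, incl_len, orig_len=None, endian="<"):
    """Header that precedes each captured packet's bytes."""
    if orig_len is None:
        orig_len = incl_len
    return struct.pack(endian + RECORD_HDR, ts_sec, ts_frac, incl_len, orig_len)


def parse_global_header(data):
    """Return the header fields plus the byte order detected from the magic."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    raw_magic = data[:4]
    if raw_magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif raw_magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a pcap file, bad magic %s" % raw_magic.hex())
    magic, major, minor, thiszone, sigfigs, snaplen, network = struct.unpack(
        endian + GLOBAL_HDR, data[:GLOBAL_HDR_LEN])
    return {
        "endian": endian,
        "nanosecond": magic == MAGIC_NSEC,
        "version": (major, minor),
        "thiszone": thiszone,
        "sigfigs": sigfigs,
        "snaplen": snaplen,
        "network": network,
        "is_usb": network == LINKTYPE_USB_LINUX_MMAPPED,
    }


def first_timestamp(data):
    """(ts_sec, ts_frac) of the first record following the global header."""
    hdr = parse_global_header(data)
    off = GLOBAL_HDR_LEN
    if len(data) < off + 8:
        raise ValueError("no packet record after the global header")
    return struct.unpack(hdr["endian"] + "II", data[off:off + 8])


if __name__ == "__main__":
    print(parse_global_header(SAMPLE))
    print("first record at %d s + %d us" % first_timestamp(SAMPLE))
```

Run stand-alone it decodes the dump above: snaplen 65535, link type 0xdc, and a first packet stamped 0x4c448e43 seconds after the epoch. A writer for the filter only needs pack_global_header once and pack_record_header before every packet's raw bytes.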

Chaos BBQ 2010

Over the weekend, I had the opportunity to attend ChaosBBQ in Dortmund, Germany. It’s a small yet interesting gathering of hackers and it is a very relaxed conferency happening. With a BBQ 😉

This year’s motto was “construct, destruct!” and I was more on the destructing side: I presented two topics: Security in Mobile Devices and a Magnetic Stripe Card workshop.

The Security in Mobile Devices talk went quite well and I think I encouraged people to start hacking their devices 🙂 It’s funny though: I almost see blood coming out of people’s ears when I go through the very technical part about buffer overflows. 2/3 seem to be bored or overwhelmed. The other 1/3 seem to be very interested and crave more details. But I get everybody back when I have more pictures and videos about funny exploits and when I’m able to slander Apple 😉 Again, I talked about a mixture of hardware and platform security and gave examples of previous hacks and how to actually start breaking your gadget.

The magnet card workshop was interesting, too. I presented how magnetic stripe technology actually works. And because we were curious hackers, we explored how it’s been used and how we can hack stuff. I told a few war stories that I will hopefully be able to expand on in the future (although I don’t know whether DCU will like it 😉 ). Since it was more of a workshop, people contributed technical details (thx to the guys from das Labor 🙂 ) or other interesting facts.

I had a nice weekend in Dortmund and I can recommend attending the ChaosBBQ if you’re looking for a tiny yet open gathering of interested geeks and hackers.

Practicum Status Update Week 7

  • Read about Radare. Apparently, they have “USB support” but I could only see a USB communication sniffer. So Radare doesn’t dissect USB packets 🙁
  • Installed GDB from git, because the GDB in Fedora 13 crashes way too often. I didn’t file as many new bugs this week though 😉 I seem to have worked around all my crashers…
  • Fought a lot with git 🙁 It’s incredibly hostile. I tried to rebase stuff and it keeps bugging me with old commits still being visible although I’ve changed them 🙁 I probably haven’t understood what it does yet. Tried to fix as much as possible using git reflog. Of course, the man page references options (–verbose in my case) that are non-existent. Brilliant. I don’t know why I actually expected git to help me.
    This is hilarious, too:

    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    First, rewinding head to replay your work on top of it...
    Applying: Temporary migration to usb_packet_filter_setup_fds
    Using index info to reconstruct a base tree...
    Falling back to patching base and 3-way merge...
    Auto-merging usb-linux.c
    CONFLICT (content): Merge conflict in usb-linux.c
    Failed to merge in the changes.
    Patch failed at 0001 Temporary migration to usb_packet_filter_setup_fds
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    
    muelli@bigbox ~/git/qemu $ nano usb-linux.c # hack hack hack
    muelli@bigbox ~/git/qemu $ git add usb-linux.c
    muelli@bigbox ~/git/qemu $ git rebase --continue
    Applying: Temporary migration to usb_packet_filter_setup_fds
    No changes - did you forget to use 'git add'?
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    muelli@bigbox ~/git/qemu $ 
    

    WTF?!

    That one is brilliant, too:

    muelli@bigbox ~/git/qemu $ git rebase -i setup_fds
    # Stupid me: I selected "f" for the very first entry in that edit window
    Cannot 'fixup' without a previous commit
    # Fair enough, let me restart then:
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    Interactive rebase already started
    # O_o WTF? What else, besides aborting, could I possibly do anyway?!
    muelli@bigbox ~/git/qemu $ git rebase --abort
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    # Now it works...
    
  • Reimplemented host side USB filters to obtain valid USB communication. I have various simple filters: PassThrough, Logging and Replacing. The first one does nothing but return the data w/o any modification. The second one writes the bytes it reads and writes to files. The third one replaces 512 “A”s with 512 “B”s. Still need to separate packets from the device in question to the host from packets from the host to the device to obtain valid device behaviour without reading all of the documentation. That will give me a good starting point to actually do the fuzzing.

    That replace filter produced interesting results. I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.

    Of course, Istanbul crashed while trying to make that screencast.
    Note that the filter code actually changed by now, not only because I enhanced the protocol (in the version you’re seeing, only USB payload is exchanged. In the new version, also the PID, device address and device endpoint are filtered) but also because I refactored the communication bits into a USBPacket class.
    I forgot to show the pen drive from the host point of view after having copied the file in the guest, but the “bbbb” file is full of “B”s.

  • I’m on my way to emulating a USB device, i.e. make the guest think it has a USB device attached but the device is a program running on the guest. I basically copied the USB serial driver and the HID driver and modified them to get packets from a pipe and send them to a pipe. I had serious problems with QEmu: QEmu didn’t register my new “device”. Now I called the right function to initialize the USB device and voila, it attaches it like it should.
    Now I need to obtain valid USB communication using the filter so that I can respond to incoming packets properly.
  • Dear lazyweb, I’m wondering whether I could make my OS load an application but then break on main() so that I can attach a debugger. I cannot run the application *with* GDB. Instead, I want to attach a GDB after the program is fully loaded. Maybe LD_PRELOADing on main() will work?
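The filters item above names three filters (PassThrough, Logging, Replacing) and the missing piece, telling device-to-host packets apart from host-to-device ones. The block below is an added example, not the QEMU patch described on the page: a small filter chain over packets that carry the fields the newer protocol version exchanges (PID, device address, endpoint, payload), with the replace filter restricted to one direction. The USB token PID values are the standard ones; the class names, the logging-to-a-list shortcut and the constructed traffic are assumptions.

```python
from dataclasses import dataclass

# USB token PIDs as seen on the bus; the PID tells the direction of the data stage.
USB_TOKEN_SETUP = 0x2D   # host -> device (control setup)
USB_TOKEN_IN = 0x69      # device -> host
USB_TOKEN_OUT = 0xE1     # host -> device


@dataclass(frozen=True)
class USBPacket:
    pid: int
    devaddr: int
    ep: int
    payload: bytes

    @property
    def direction(self):
        return "IN" if self.pid == USB_TOKEN_IN else "OUT"


class PassThrough:
    """Returns every packet unchanged."""
    def apply(self, pkt):
        return pkt


class Logging:
    """Records (direction, device address, endpoint, length) per packet.
    The page's filter writes bytes to files; a list keeps this example self-contained."""
    def __init__(self):
        self.entries = []

    def apply(self, pkt):
        self.entries.append((pkt.direction, pkt.devaddr, pkt.ep, len(pkt.payload)))
        return pkt


class Replace:
    """Substitutes `old` with `new` in the payload, but only for packets whose
    PID equals `only_pid` (None applies the replacement in both directions)."""
    def __init__(self, old, new, only_pid=None):
        self.old, self.new, self.only_pid = old, new, only_pid

    def apply(self, pkt):
        if self.only_pid is not None and pkt.pid != self.only_pid:
            return pkt
        if self.old not in pkt.payload:
            return pkt
        return USBPacket(pkt.pid, pkt.devaddr, pkt.ep, pkt.payload.replace(self.old, self.new))


def run_chain(filters, packets):
    """Pass each packet through the filters in order; returns the filtered packets."""
    out = []
    for pkt in packets:
        for flt in filters:
            pkt = flt.apply(pkt)
        out.append(pkt)
    return out


def demo():
    # Constructed traffic for device address 6: one 512-byte bulk IN transfer
    # (endpoint 0x81, device -> host) and one bulk OUT transfer (endpoint 0x02,
    # host -> device), both consisting of "A"s like the test file on the page.
    block = b"A" * 512
    traffic = [
        USBPacket(USB_TOKEN_IN, 6, 0x81, block),
        USBPacket(USB_TOKEN_OUT, 6, 0x02, block),
    ]
    log = Logging()
    # Replace only what the device sends, so what the host writes stays intact.
    chain = [log, Replace(b"A" * 512, b"B" * 512, only_pid=USB_TOKEN_IN), PassThrough()]
    return run_chain(chain, traffic), log.entries


if __name__ == "__main__":
    packets, entries = demo()
    for pkt, entry in zip(packets, entries):
        print(entry, pkt.payload[:8])
```

Keying the replacement on the PID is what separates the two directions without device documentation: an IN token always precedes data the device returns, an OUT token data the host sends.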

Practicum Status Update Week 5

  • Implemented adding and removal of a filter. It works via the monitor or command line. And it does indeed seem to work:


    Sorry for that video being so poorly embedded in this wordpress instance. You might want to try to download the video directly.

    So yeah, we can potentially filter USB packets by now, which allows us in-place fuzzing. But that’s cumbersome because we need to have a device attached to the host. So the goal must be to be able to do USB communication without a device being attached to the host but with a program that emulates the USB device in question.

  • Of course I had problems to build Istanbul, the software I created the screencast with. Other stuff, including my IDE 🙁 just crashes, too…
  • I used qemu to pass a USB device through to the guest. Hence the Linux on the host detached the device. I desperately tried to make Linux reattach the device. I tried to use ioctl() with USBDEVFS_CLAIMINTERFACE but it didn’t really work. After spending many hours, I just unplugged and replugged the pendrive…
    My code is pretty much

        /* headers needed: fcntl.h, sys/ioctl.h, linux/usbdevice_fs.h, stdio.h, stdlib.h, errno.h, string.h */
        int fd, result;
        int interface = atoi(argv[1]);                 /* interface number from the command line */
        fd = open("/dev/bus/usb/002/006", O_RDWR);     /* usbfs node of the pen drive */
        result = ioctl(fd, USBDEVFS_RELEASEINTERFACE, &interface);
        //result = ioctl(fd, USBDEVFS_CLAIMINTERFACE, &interface);
        printf("Result: %d, errno: %d %s\n", result, errno, strerror(errno));
    

    and fails with Invalid Argument for RELEASE or for CLAIM with -EINVAL (Invalid Argument) or -ENOENT (No such file or directory). I have no idea what I am doing wrong. So if you do, please tell me 😛
    Oh, and these ioctls are not exported to Python I think. At least I couldn’t find the correct ioctl number for USBDEVFS_CLAIMINTERFACE without programming a tiny C program to print it out for me.

  • Trying to test anything with QEmu is a pain though: It takes ages to boot anything with QEmu without KVM 🙁 It takes literally a whole night to boot into an Ubuntu installation CD.
  • Trying to work with a minimal operating system created by the following command on my Ubuntu box:
    sudo ubuntu-vm-builder kvm lucid --addpkg openssh-server --addpkg screen --addpkg acpid --addpkg htop --addpkg cheese --flavour generic
  • For the record: I build my QEmu with the following command ./configure --prefix=/opt/muelli/qemu/ --disable-strip --extra-cflags="-O0 -DDEBUG" --disable-docs --enable-io-thread --enable-attr --enable-kvm --disable-xen --target-list="i386-softmmu x86_64-softmmu" --enable-curses && make && make install
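The usbdevfs item above ends with two practical problems: the ioctl numbers are not exported to Python, and the kernel driver needs to be bound to the interface again after the pass-through. The block below is an added example, not the author’s C snippet: it recomputes the request numbers from the kernel’s generic _IOC layout (nr, type, size, direction; this layout holds on x86 and ARM, not on every architecture) and wraps claim, release and the USBDEVFS_IOCTL/USBDEVFS_CONNECT call that asks the kernel to re-attach its driver, which is how libusb implements attach_kernel_driver. The device path and interface number in main are placeholders.

```python
import errno
import fcntl
import os
import struct

# Generic Linux ioctl number layout (asm-generic/ioctl.h):
# bits 0-7 nr, 8-15 type, 16-29 argument size, 30-31 direction.
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2


def _IOC(direction, typ, nr, size):
    return ((direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT)
            | (ord(typ) << _IOC_TYPESHIFT) | (nr << _IOC_NRSHIFT))


def _IO(typ, nr):
    return _IOC(_IOC_NONE, typ, nr, 0)


def _IOR(typ, nr, size):
    return _IOC(_IOC_READ, typ, nr, size)


def _IOWR(typ, nr, size):
    return _IOC(_IOC_READ | _IOC_WRITE, typ, nr, size)


UINT = "I"                      # the ioctls below take a pointer to an unsigned int
USBDEVFS_IOCTL_STRUCT = "iiP"   # struct usbdevfs_ioctl { int ifno; int ioctl_code; void *data; }

# Same definitions as linux/usbdevice_fs.h ('U' is the usbdevfs type byte).
USBDEVFS_CLAIMINTERFACE = _IOR("U", 15, struct.calcsize(UINT))
USBDEVFS_RELEASEINTERFACE = _IOR("U", 16, struct.calcsize(UINT))
USBDEVFS_IOCTL = _IOWR("U", 18, struct.calcsize(USBDEVFS_IOCTL_STRUCT))
USBDEVFS_DISCONNECT = _IO("U", 22)   # detach the kernel driver, sent via USBDEVFS_IOCTL
USBDEVFS_CONNECT = _IO("U", 23)      # re-attach the kernel driver, sent via USBDEVFS_IOCTL


def try_ioctl(fd, request, arg):
    """Same shape as the C snippet's "Result: %d, errno" line: (0, None) on success,
    (-1, errno name) on failure, instead of raising."""
    try:
        fcntl.ioctl(fd, request, arg)
        return 0, None
    except OSError as exc:
        return -1, errno.errorcode.get(exc.errno, str(exc.errno))


def claim_interface(fd, ifno):
    return try_ioctl(fd, USBDEVFS_CLAIMINTERFACE, struct.pack(UINT, ifno))


def release_interface(fd, ifno):
    return try_ioctl(fd, USBDEVFS_RELEASEINTERFACE, struct.pack(UINT, ifno))


def reattach_kernel_driver(fd, ifno):
    """Ask the kernel to bind its driver to interface `ifno` again."""
    arg = struct.pack(USBDEVFS_IOCTL_STRUCT, ifno, USBDEVFS_CONNECT, 0)
    return try_ioctl(fd, USBDEVFS_IOCTL, arg)


def claim_on_path(path, ifno):
    """Open a usbfs node, try to claim `ifno`, and report the result tuple."""
    fd = os.open(path, os.O_RDWR)
    try:
        return claim_interface(fd, ifno)
    finally:
        os.close(fd)


if __name__ == "__main__":
    import sys
    # Placeholders: the page used /dev/bus/usb/002/006 for its pen drive.
    path = sys.argv[1] if len(sys.argv) > 1 else "/dev/bus/usb/BBB/DDD"
    ifno = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    print("USBDEVFS_CLAIMINTERFACE = 0x%08x" % USBDEVFS_CLAIMINTERFACE)
    fd = os.open(path, os.O_RDWR)
    print("release:", release_interface(fd, ifno))
    print("reattach:", reattach_kernel_driver(fd, ifno))
    os.close(fd)
```

On x86-64 the computed USBDEVFS_CLAIMINTERFACE is 0x8004550f; the size field of USBDEVFS_IOCTL follows the pointer width, so that number differs between 32- and 64-bit builds, which is exactly why a hard-coded constant copied from one machine fails on another.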

Key Rollover

I have deprecated my OpenPGP Key 0xAA208D9E in favour of a new key 0x059B598E. So please use this new key which you can find, i.e. here.

muelli@bigbox ~ $ gpg --fingerprint --list-key 0x059B598E
pub   1024D/059B598E 2010-06-23 [expires: 2015-06-22]
      Key fingerprint = 610C B252 37B3 70E9 EB21  08E8 9CEE 1B6B 059B 598E
uid                  Tobias Mueller
sub   4096g/C71F0BE4 2010-06-23 [expires: 2015-06-22]

muelli@bigbox ~ $

If you’ve signed my old key, you might as well sign my new one (verifying that it’s correctly signed with the old key), assuming that my identity hasn’t changed. I recommend using caff to do so.
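Before re-signing a rolled-over key, the check suggested above is that the new key carries a certification made with the old one. The following is an added example (not caff and not the author’s code) that parses gpg’s machine-readable --with-colons listing and answers that question for a pair of key ids. The listing is constructed to match the key shown above: fingerprint, dates and algorithms (17 = DSA, 16 = Elgamal) come from the page, while the user-id hash, the upper half of the old key’s long id (zeros, since only 0xAA208D9E appears on the page), the subkey’s long id and the extra unknown signer are placeholders.

```python
# Constructed `gpg --with-colons --check-sigs 0x059B598E` output (see lead-in).
SAMPLE_LISTING = """\
pub:-:1024:17:9CEE1B6B059B598E:2010-06-23:2015-06-22::-:::scSC:
fpr:::::::::610CB25237B370E9EB2108E89CEE1B6B059B598E:
uid:-::::2010-06-23::0000000000000000000000000000000000000000::Tobias Mueller:
sig:!::17:9CEE1B6B059B598E:2010-06-23::::Tobias Mueller:13x:
sig:!::17:00000000AA208D9E:2010-06-23::::Tobias Mueller (old key):10x:
sig:?::1:1111111111111111:2010-06-23::::[User ID not found]:10x:
sub:-:4096:16:00000000C71F0BE4:2010-06-23:2015-06-22:::::e:
"""

# Signature classes 0x10-0x13 certify a user id; 0x1F/0x18 etc. do not.
CERT_CLASSES = {"10", "11", "12", "13"}


def parse_colons(text):
    """Split a --with-colons listing into (record type, fields) pairs.
    gpg escapes a literal ':' inside a field as \\x3a; undo that here."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\x3a", ":") for f in line.split(":")]
        records.append((fields[0], fields))
    return records


def primary_fingerprint(records):
    """Fingerprint from the fpr record that directly follows the pub record."""
    seen_pub = False
    for rtype, fields in records:
        if rtype == "pub":
            seen_pub = True
        elif rtype == "fpr" and seen_pub:
            return fields[9]
        elif rtype in ("uid", "sub"):
            seen_pub = False
    return None


def certifications(records):
    """Yield (signer key id, class, validity, signer uid) for signatures on the
    primary key's user ids; signatures under sub records are binding
    signatures, not certifications, and are skipped."""
    in_uid = False
    for rtype, f in records:
        if rtype == "uid":
            in_uid = True
        elif rtype in ("pub", "sub"):
            in_uid = False
        elif rtype == "sig" and in_uid and len(f) > 10:
            yield f[4], f[10][:2], f[1], f[9]


def _norm(keyid):
    keyid = keyid.upper()
    return keyid[2:] if keyid.startswith("0X") else keyid


def is_certified_by(listing, new_keyid, old_keyid):
    """True if the listing is for `new_keyid` and contains a certification from a
    key whose id ends with `old_keyid` that gpg marked good ('!').  A self-signature
    never counts, and neither does a signature gpg could not verify ('?', '-', '%')."""
    records = parse_colons(listing)
    pub = next((f for t, f in records if t == "pub"), None)
    if pub is None or not pub[4].endswith(_norm(new_keyid)):
        return False
    old = _norm(old_keyid)
    for signer, sig_class, validity, _uid in certifications(records):
        if signer == pub[4] or not signer.endswith(old):
            continue
        if sig_class in CERT_CLASSES and validity == "!":
            return True
    return False


if __name__ == "__main__":
    print(primary_fingerprint(parse_colons(SAMPLE_LISTING)))
    print(is_certified_by(SAMPLE_LISTING, "0x059B598E", "0xAA208D9E"))
```

The validity column is only filled in when gpg has actually verified the signatures, so feed the function the output of --check-sigs rather than --list-sigs; with --list-sigs the column is empty and the check correctly stays negative. The result only tells you that the old key vouches for the new one; compare the old key’s fingerprint against your own record of it, as the certification chain starts there.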

Practicum Status Update Week 4

Again, a small summary of my last week.

  • Filed a couple of bugs that annoyed me. My favourite: My main monitor dies randomly. Let’s hope it’s not a hardware issue. That’d seriously put me back. In fact, it’s quite cumbersome to reanimate my monitor in the middle of a working session… Oh. And qemu crashes 🙁 That’s really unfortunate for me atm.
  • Subscribed and quickly unsubscribed qemu-devel mailinglist. Way too noisy. Those low-level people don’t seem to like using bug trackers or something like ReviewPad to submit patches. Very stressful.
  • Enjoyed a long weekend in Hamburg including watching some Worldcup games
  • Read through Qemu code and tried to grasp how things play together.
  • Started to implement simple USB packet filter. Spent ages resolving a logical error: I checked for retval != -23 whereas I should have checked for retval == -23 🙁
    We can haz new commands

    So I have exported a new command to the QEmu monitor. And we can even attach some logic to that new command:

    Logic attached, nothing works yet though

    Everything returns -1 at this stage though. So the actual implementation still needs to be done.

  • It literally takes a whole night for me to boot anything with qemu though 🙁 That’s a real pain and I cannot work that way. My CPU is one of the few modern Intel CPUs that does not support hardware virtualisation 🙁 I need to think of a solution.
  • I still don’t really have a timeline.
  • Our deadline is on 2010-08-20 and we are supposed to hand in 3 hard copies and one soft copy. I’m wondering whether I have to go back to Dublin to hand my hard copies in.

GNOME Foundation Board of Directors Elections 2010

I am happy to announce the results of this year’s Board of Directors Elections.

At first, we had too few candidates to actually fill the 7 seats in the board. But then the deadline for announcing a candidacy was pushed back and more people considered becoming a member of the Board. So we went into the voting phase with 11 candidates.

The voting itself worked well. I knew the system from last year’s elections but hadn’t written the necessary steps down because I was mostly exploring and not knowing whether my attempts would result in anything next to useful. But this year I have taken notes along the way and I hope to be able to provide good documentation.

The question period was a bit weird. Nobody really came up with questions for the candidates, as if nobody cared. I encouraged the people to either send the questions directly, or better, send them to the Membership and Elections Committee so that we can sort and sift through them. But nothing happened. I decided to not give any questions right away, because I sure wanted the Foundation members to participate. But if nobody asked a question, I’d have sooner or later released those questions:

  1. Why are you running for Board of Directors? What will you do more or better than previous years’ Boards have done?
  2. What do you think is the most important item on the Board’s agenda right now?
  3. How do you manage your time and that of others? Are you good at working with others including those who might have a differing opinion than yours and try to reach consensus and agree on actions?
  4. How are you going to manage your current contributions to GNOME once you become a Board Member?
  5. What are your plans to encourage and mentor contributions to GNOME from Latin America, Africa and Asia? How would you increase community participation?
  6. Which parts of the GNOME project do you think work well and would like to encourage further?
  7. What would you do to increase community participation in the GNOME community and GNOME elections?
  8. Do you have any thoughts on how to expand the developer base?
  9. How familiar are you with the day-to-day happenings of GNOME? How much do you follow and participate in the main GNOME mailing lists?
  10. Please rank your interests:
    1. GNOME evangelizing to government, enterprise, small business, and individuals
    2. GNOME marketing and merchandising of branded items nationally and internationally
    3. GNOME legal issues like copyright and patents
    4. GNOME finances and fund raising
    5. Alliance with other organizations.

To count the votes, we used OpenSTV (r771). But to use it comfortably, I had to patch it. As we use Scottish STV this year, counting votes is as easy as opening OpenSTV, opening the Ballot file and pressing OK.

The people that are elected into the Board of Directors are:

Congrats and thanks for running.

Sadly, we had a few people showing up, who did not renew their membership in time and could thus not take part in the voting process. I wonder why that is. Is the renewal process not effective enough? If you have any suggestions, please leave them either in the comments or via mail.

Running the elections was challenging, because I was really busy with exams and other obligations. Fortunately, the Membership and Elections Committee was helpful and we managed to have a smooth election process, i.e. not like last year 😉 Anyway, I hope to see most of the Board members at GUADEC 🙂

Practicum Status Update Week 2 and 3

So I figured that we are supposed to write a blog during our practicum phase. Here I am.

  • I missed the first official week, which was right after the exams anyway. I doubt anybody was able to do anything after the Biometrics exam.
  • In the second week, I moved back to Germany. Slowly though: I attended LinuxTag and visited a friend…
  • The third week began with some administrative stuff (i.e. taxes and care about a grant). I also almost finished running GNOME Foundation Board of Directors elections: Preliminary Result.
  • More work related: I tried to update from Fedora 12 to Fedora 13 (to get the latest QEmu and tools). Didn’t work (as expected) out of the box. Encountered (and reported) a couple of annoying bugs. My favourite: The update tool tries to mount /boot and swap. But /boot is left unclean because the preupgrade tool apparently does a hard reboot (i.e. w/o unmounting the filesystems properly). And swap can’t be found by the upgrade tool (for whatever reason). In both cases the installer just stops working and reboots the machine (sic!), as opposed to just fsck /boot or continue w/o swap.
  • Began to set up working environment: LaTeX Template, cloned qemu repository, looked a bit at QEmu code.
  • Tried to install some Operating Systems to break. Microsoft didn’t let me.
  • Read some stuff
  • Filed two bugs against Zotero (my bibliography tool): One problem in fullscreen mode and one with proxied URLs.
  • Went to a regulars’ table (for the first time after 9 months) and found out that one of them runs a company and they do USB security assessment atm. They are trying to make QEmu emulate a mass storage that returns a good file on the first read and a bad file (i.e. virus) on the second read. Sounded interesting, we’ll keep in touch and exchange details.
  • Right now I’m missing kind of a plan for my work. I haven’t really structured my work or broken it up. So I’m trying to see how many weeks I actually have (I know that I’ll go at least to GUADEC, the annual GNOME conference, for one week. I might even be invited to GNOME.Asia in Taiwan…) and what I could possibly do in that time.
  • I do have a high level idea of what needs to be done, i.e.
    • Patch QEmu to pipe USB communication in and out,
    • write some backend that uses these pipes to communicate with the guest,
    • find a smart algorithm to create/modify fishy USB packets (i.e. try to understand how a webcam communicates and set funny values for resolution on purpose),
    • try to exploit an Operating System (probably best to start off with a self-broken USB driver or application)
  • I’ll try to have a roadmap by the beginning of the next week.

LinuxTag and Cream Desktop

I’ve been to LinuxTag in Berlin and meeting old and new people was quite nice. In fact, I had the opportunity to play Skat after a very long time 🙂

Unfortunately, there was no GNOME booth! (Well and no Fedora booth either) That’s a pity and I wonder what it takes to successfully run a booth next year. The Debian guys, however, rocked. They were well equipped and had enough people that care.

from last year’s LinuxTag though

Again, I took part in the Hacking Contest. I couldn’t last year but made up my mind how to tackle that contest best. Sadly, it was a bit different this year. I didn’t really have a team and we were not prepared for a German keyboard layout or not having “netcat” installed. This got us quite confused and although we had a (bad) set of notes, we didn’t really follow them… So we got beaten up quite heavily 😉 Maybe I’ll invest more time for preparation next year.

I was amazed by Cream Desktop though! Sadly, their screenshots don’t work atm, but they basically want to revamp GNOME and make it better 😉 Sounds ambitious and it probably is. For now, they have “Melange”, a widget system for the desktop (think desklets). It’s visually very appealing and I think it’d enhance the GNOME desktop (I could finally get rid of my gkrellm…).

Sadly, I didn’t meet the Cream guys on the LinuxNacht which kinda sucked. The location was awesome: A beach club facing the Spree. But the food was very disappointing. It was way better two years ago…

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.