Practicum Status Update Week 5

  • Implemented adding and removal of a filter. It works via the monitor or command line. And it does indeed seem to work:


    Sorry for that video being so poorly embedded in this wordpress instance. You might want to try to download the video directly.

    So yeah, we can potentially filter USB packets by now, which allows us in-place fuzzing. But that’s cumbersome because we need to have a device attached to the host. So the goal must be to be able to do USB communication without a device being attached to the host but with a program that emulates the USB device in question.

  • Of course I had problems to build Istanbul, the software I created the screencast with. Other stuff, including my IDE 🙁 just crashes, too…
  • I used qemu to pass a usb device through to the guest. Hence the Linux on the host detached the device. I desperately tried make Linux reattach the device. I tried to use ioctl() with USBDEVFS_CLAIMINTERFACE but it didn’t really work. After spending many hours, I just unplugged and replugged the pendrive…
    My code is pretty much

        int interface = atoi(argv[1]);
    fd = open("/dev/bus/usb/002/006", O_RDWR);
    result = ioctl(fd, USBDEVFS_RELEASEINTERFACE, &interface);
    //result = ioctl(fd, USBDEVFS_CLAIMINTERFACE, &interface);
    printf("Result: %d, errno: %d %s\n", result, errno, strerror(errno));

    and fails with Invalid Argument for RELEASE or for CLAIM with -EINVAL (Invalid Argument) or -ENOENT (No such file or directory). I have no idea what I am doing wrong. So if you do, please tell me 😛
    Oh, and these ioctls are not exported to Python I think. At least I couldn’t find the correct ioctl number for USBDEVFS_CLAIMINTERFACE without progamming a tiny C program to print it out for me.

  • Trying to test anything with QEmu is a pain though: It takes ages to boot anything with QEmu without KVM 🙁 It takes literally a whole night to boot into an Ubuntu installation CD.
  • trying to work with a minimal operating system created by the following command on my Ubuntu box:
    sudo ubuntu-vm-builder kvm lucid --addpkg openssh-server --addpkg screen --addpkg acpid --addpkg htop --addpkg cheese --flavour generic
  • For the record: I build my QEmu with the following command ./configure --prefix=/opt/muelli/qemu/ --disable-strip --extra-cflags="-O0 -DDEBUG" --disable-docs --enable-io-thread --enable-attr --enable-kvm --disable-xen --target-list="i386-softmmu x86_64-softmmu" --enable-curses && make && make install

Key Rollover

I have deprecated my OpenPGP Key 0xAA208D9E in favour of a new key 0x059B598E. So please use this new key which you can find, i.e. here.

muelli@bigbox ~ $ gpg --fingerprint --list-key 0x059B598E
pub   1024D/059B598E 2010-06-23 [expires: 2015-06-22]
      Key fingerprint = 610C B252 37B3 70E9 EB21  08E8 9CEE 1B6B 059B 598E
uid                  Tobias Mueller
sub   4096g/C71F0BE4 2010-06-23 [expires: 2015-06-22]

muelli@bigbox ~ $

If you’ve signed my old key, you might as well sign my new one (verifying that it’s correctly signed with the old key), assuming that my identity hasn’t changed. I recommend using caff to do so.

Practicum Status Update Week 4

Again, a small summary of my last week.

  • Filed a couple of bugs that annoyed me. My favourite: My main monitor dies randomly. Let’s hope it’s not a hardware issue. That’d seriously put me back. In fact, it’s quite cumbersome to reanimate my monitor in the middle of a working session… Oh. And qemu crashes 🙁 That’s really unfortunate for me atm.
  • Subscribed and quickly unsubscribed qemu-devel mailinglist. Way too noisy. Those low-level people don’t seem to like using bug tracker or smth like ReviewPad to submit patches. Very stressful.
  • Enjoyed a long weekend in Hamburg including watching some Worldcup games
  • Read through Qemu code and tried to grasp how things play together.
  • Started to implement simple USB packet filter. spent ages resolving a logical error: I checked for retval != -23 whereas I should have checked for retval == -23 🙁
    We can haz new commands

    So I have exported a new command to the QEmu monitor. And we can even attach some logic to that new command:

    Logic attached, nothing works yet though

    Everything returns -1 at this stage though. So the actual implementation still needs to be done.

  • It literally takes a whole night for me to boot anything with qemu though 🙁 That’s a real pain and I cannot work that way. My CPU is one of the few modern Intel CPUs that does not support hardware virtualisation 🙁 I need to think of a solution.
  • I still don’t really have a timeline 😐
  • Our deadline is on 2010-08-20 and we are supposed to hand in 3 hard copies and one soft copy. I wondering whether I have to go back to Dublin to hand my hard copies in.

GNOME Foundation Board of Directors Elections 2010

I am happy to announce the results of this years Board of Directors Elections.

At first, we had too few candidates to actually fill the 7 seats in the board. But then the deadline for announcing a candidacy was pushed back and more people considered becoming a member of the Board. So we went into the voting phase with 11 candidates.

The voting itself worked well. I knew the system from last years elections but haven’t written the necessary steps down because I was mostly exploring and not knowing whether my attempts would result in anything next to useful. But this year I have taken notes along the way and I hope to be able to provide a good documentation.

The question period was a bit weird. Nobody really came up with questions for the candidates, as if nobody cared. I encouraged the peolpe to either send the questions directly, or better, send them to the Membershi p and Elections Commitee so thaat we can sort and sift through them. But nothing happened. I decided to not give any questions right away, because I sure wanted the Foundation members to participate. But if nobody asked a question, I’d have sooner or later released those questions:

  1. Why are you running for Board of Directors? What will you do more or
    better than previous years Boards have done?
  2. What do you think is the most important item on the Board’s agenda
    right now?
  3. How do you manage your time and that of others? Are you good at
    working with others including those who might have a differing opinion
    than yours and try to reach consensus and agree on actions?
  4. How are you going to manage your current contributions to GNOME once
    you become a Board Member?
  5. What are your plans to encourage and mentor contributions to GNOME
    from Latin America, Africa and Asia? How would you increase community
    participation?
  6. Which parts of the GNOME project do you think work well and would like to encourage further?
  7. What would you do to increase community participation in the GNOME community and GNOME elections?
  8. Do you have any thoughts on how to expand the developer base?
  9. How much familiar are you with the day-to-day happenings of GNOME? How much do you follow and participate in the main GNOME mailing lists?
  10. Please rank your interests:
    1. GNOME evangelizing to government, enterprise, small business, and individuals
    2. GNOME marketing and merchandising of branded items nationally and internationally
    3. GNOME legal issues like copyright and patents
    4. GNOME finances and fund raising
    5. Alliance with other organizations.

To count the votes, we used OpenSTV (r771). But to use it comfortably, I had to patch it. As we use Scottish STV this year, counting votes is as easy as opening OpenSTV, opening the Ballot file and pressing OK.

The people that are elected into the Board of Directors are:

Congrats and thanks for running.

Sadly, we had a few people showing up, who did not renew their membership in time and could thus not take part in the voting process. I wonder why that is. Is the renewal process not effective enough? If you have any suggestions, please leave them either in the comments or via mail.

Running the elections was challenging, because I was really busy with exams and other obligations. Fortunately, the Membership and Elections Committee was helpful and we managed to have a smooth election process, i.e. not like last year 😉 Anyway, I hope to see most of the Board members at GUADEC 🙂

Practicum Status Update Week 2 and 3

So I figured that we are supposed to write a blog during our practicum phase. Here I am.

  • I missed the first official week, which was right after the exams anyway. I doubt anybody was able to do anything after the Biometrics exam.
  • In the second week, I moved back to Germany. Slowly though: I attended LinuxTag and visited a friend…
  • The third week began with some administrative stuff (i.e. taxes and care about a grant). I also almost finished running GNOME Foundation Board of Directors elections: Preliminary Result.
  • More work related: I tried to updated from Fedora 12 to Fedora 13 (to get latest QEmu and tools). Didn’t work (as expected) out of the box. Encountered (and reported) a couple of annoying bugs. My favourite: The update tool tries to mount /boot and swap. But /boot is left unclean because the preupgrade tool apparently does a hard reboot (i.e. w/o unmounting the filesystems properly). And swap can’t be found by the upgrade tool (for whatever reason). In both cases the installer just stops working and reboots the machine (sic!), as opposed to just fsck /boot or continue w/o swap.
  • Began to set up working environment: LaTeX Template, cloned qemu repository, looked a bit at QEmu code.
  • Tried to install some Operating Systems to break. Microsoft didn’t let me.
  • Read some stuff
  • Filed two bugs against Zotero (my bibliography tool): One problem in fullscreen mode and one with proxied URLs.
  • Went to a regulars’ table (for the first time after 9 month) and found out that one of them runs a company and they do USB security assessment atm. They are trying to make QEmu emulate a mass storage that returns a good file on the first read and a bad file (i.e. virus) on the second read. Sounded interesting, we’ll keep in touch and exchange details.
  • Right now I’m missing kind of a plan for my work. I haven’t really structured my work or broken it up. So I’m trying to see how many weeks I actually have (I know that I’ll go at least to GUADEC, the annual GNOME conference, for one week. I might even be invited to GNOME.Asia in Taiwan…) and what I could possibly do in that time.
  • I do have a high level idea of what needs to be done, i.e.
    • Patch QEmu to pipe USB communication in and out,
    • write some backend that uses these pipes to communicate with the guest,
    • find a smart algorithm to create/modify fishy USB packets (i.e. try to understand how a webcam communicates and set funny values for resolution on purpose),
    • try to exploit an Operating System (probably best to start off with a self-broken USB driver or application)
  • I’ll try to have a roadmap by the beginning of the next week.

LinuxTag and Cream Desktop

I’ve been to LinuxTag in Berlin and meeting old and new people was quite nice. In fact, I had to opportunity to play Skat after a very long time 🙂

Unfortunately, there was no GNOME booth! (Well and no Fedora booth either) That’s a pity and I wonder what it takes to successfully run a booth next year. The Debian guys, however, rocked. They were well equipped and had enough people that care.

from last years LinuxTag though

Again, I took part in the Hacking Contest. I couldn’t last year but made up my mind how to tackle that contest best. Sadly, it was a bit different this year. I didn’t really have a team and we were not prepared for German a keyboard layout or not having “netcat” installed. This got us quite confused and although we had a (bad) set of notes, we didn’t really follow them… So we got beaten up quite heavily 😉 Maybe I’ll invest more time for preparation next year.

I was amazed by Cream Desktop though! Sadly, their screenshots don’t work atm, but they basically want to revamp GNOME and make it better 😉 Sounds ambitious and it probably is. For now, they have “Melange”, a widget system for the desktop. (think desklets). It’s visually very appealing and I think it’d enhance the GNOME desktop (I could finally get rid of my gkrellm…).

Sadly, I didn’t meet the Cream guys on the LinuxNacht which kinda sucked. The location was awesome: A beach club facing the Spree. But the food was very disappointing. It was way better two years ago…

Trying to download from MSDN-AA: Annoying Secure Digital Container

I thought I’d give Windows technology a try (actually, I just need something to break) and tried to download Microsoft Operating Systems via e-academy.com (MSDN-AA). But instead of an ISO, you get a Portable Executable *facepalm*. Turns out that this binary downloads “Secure Digital Containers” from, i.e. here or here. These SDCs contain the ISO and are, according to this site, encrypted. The key is supposed to be in that downloader binary. However, no tool exists to decrypt those SDC files 🙁

I burnt half a day on that. Now going to look for Torrents of the ISOs… Are there official SHA1sums of the ISOs?

Or, dear lazyweb, do you know anybody that reverse engineered the downloader and is able to provide a free tool that unpacks the ISO from the SDC? 🙂

Practicum: Virtualised USB Fuzzing

Alright, I finally decided on my practicum subject. Together with my supervisor, we came up with the following exposé. I either wanted to do that or to do something in Mobile (Phone) OS security.

USB is omnipresent and so far, mostly Operating System behaviour has been exploited, i.e. automatically run an application off a CDROM. USB-Stack, USB-Driver or application security has not yet been in the focus of security research, probably because it is infeasible to create many USB test devices.

If various USB behaviour could be implemented easily and cheaply, a great diversity of maliciously acting USB devices could be tested with little effort.

The goal is to implement a USB fuzzing framework using a virtualisation software that allows to automatically test different USB behaviour to stress-test USB-Stacks, drivers and applications.

While hardware approaches would be possible, a virtual approach using virtualisation software will be taken. That allows any guest Operating System, including Windows and Linux, to be tested, as well as cheap and quick creation of tests and reliable reproduction of the obtained results.

Ideally, this results in exploits for each of the three identified vulnerable layers:

  • USB Stack in the Operating System
  • USB Driver for the attached device (i.e. Webcam)
  • Application using data from the USB device

Thus following questions will be addressed:

  • How secure are USB stacks when it comes to weird devices?
  • How resistant are drivers when specially crafted payload is sent?
  • How good are applications that act upon a new USB device and read its data?

Critical Review of Tesseract

For CA640 we were supposed to pick a paper from International Conference of Software Engineering 2009 (ICSE 2009) and critically review it.

I chose to review Tesseract: Interactive Visual Exploration of Socio-Technical Relationships in Software Development.

You can find the review in PDF here. Its abstract reads:

This critical review of a paper, which presents Tesseract and was handed in for the ICSE 2009, focusses on
strength and weaknesses of the idea behind Tesseract: Visualising and exploring freely available and loosly coupled fragments (mailing lists, bug tracker or commits) of Free Software development.
Tesseract is thus a powerful data miner as well as a GUI to browse the obtained data.

This critique evaluates the usefulness of Tesseract by questioning the fundamental motivation it was built on, the data which it analyses and its general applicability.

Existing gaps in the original research are filled by conducting interviews with relevant developers as well as providing information about the internal structure of a Free Software project.

Tesseract is a program that builds and visualises a social network based on freely available data from a software project such as mailing lists, bug tracker or commits to a software repository. This network can be interactively explored with the Tesseract tool. This tool shows how communication among developers relates to changes in the actual code. The authors used a project under the GNOME umbrella named Rhythmbox to show their data mining and the program in operation. GNOME is a Free/Libre Software Desktop used as default by many Linux distributions including the most popular ones, i.e. Ubuntu and Fedora. To assess Tesseracts usability and usefulness, the authors interviewed people not related to Rhythmbox asking whether Tesseract was usable and provided useful information.

The paper was particularly interesting for me because the authors analysed data from the GNOME project. As I am a member of that development community, I wanted to see how their approach can or cannot increase the quality of the project. Another focus was to help their attempt to improve GNOME by highlighting where they may have gaps in their knowledge of its internals.

During this critique, I will show that some assumptions were made that do not hold for Free/Libre and Open Source Software (FLOSS) in general and for GNOME in particular either because the authors simply did not have the internal knowledge or did not research carefully enough. Also I will show that the used data is not necessarily meaningful and I will attempt to complement the lacking data by presenting the results of interviews I conducted with actual GNOME developers. This will show how to further improve Tesseract by identifying new usage scenarios. Lastly, this text will question the general usefulness of Tesseract for the majority of Free Software projects.

Klingon Language Support

From Documentation/unicode.txt:

Klingon language support
————————

In 1996, Linux was the first operating system in the world to add support for the artificial language Klingon, created by Marc Okrand for the “Star Trek” television series.  This encoding was later adopted by the ConScript Unicode Registry and proposed (but ultimately rejected) for inclusion in Unicode Plane 1.  Thus, it remains as a Linux/CSUR private assignment in the Linux Zone.

This encoding has been endorsed by the Klingon Language Institute. For more information, contact them at:

http://www.kli.org/

Maybe Linux isn’t ready to take over the world yet, but at least it’s ready to take over the universe…

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.