Threads for lattera

  1. 1

    On Saturday, I plan to play all day with our puppy and dog. On Sunday, I’m going to head into the datacenter to perform some much-needed maintenance on the HardenedBSD build infrastructure.

    1. 5

FYI, there’s a surplus “/” at the end of the URL that’s causing the server to reject it. Removing it takes you to the home page.

      1. 1

        Whoops! Sorry about that. I must’ve made a typo just as I submitted it.

      1. 5

        For ${DAYJOB}, I’m getting my feet wet with Windows-centric C++ development.

        For ${REAL_LIFE}, I’m volunteering as an election judge for the Maryland gubernatorial elections. The primaries are tomorrow (Tuesday), so I’ll be at my assigned polling place from 5:30am to at least 11pm. This is the first time I’ve served as an election judge. I’m excited for the experience and am hoping to learn a bit more about our democratic process.

        Last week, the missus stepped on a nail, so taking care of our new puppy is going to take a lot more time out of my day. Other than the election judge work, I just plan on working and taking care of the missus, our puppy, and our three-and-a-half-year-old dog.

        1. 3

          Ick. Stepping on a nail has been a low-key ~nightmare of mine since I was about 9, stepped on a board while wearing sandals, and had a long rusty nail come up right between my toes. Sorry she’s lived it!

          1. 2

            Sorry to hear about the nail.

I’m so out of date with Win32 C++ dev - are you using any kind of a framework at all? Or is the state of the art still message crackers?

            1. 2

              No framework (yet?) We’re using native Windows APIs. We’re working on old code that was hacked up in the weirdest of ways.

              1. 1

                Wow that sounds deeply unpleasant!

                Admittedly this was in the Win16 days but I remember memory corruption being a TERRIBLE bear to get around when working with low level Windows APIs.

                Back in the 90s I had to write a “Thunking layer” to proxy between WIN16 Visual Basic and Win32 DLLs.

                I’ll spare you the viewing of the scars :)

          1. 1

            At ${DAYJOB}, I’m going to make an attempt at deploying a MISP instance in a HardenedBSD VM. Unfortunately, all of their documentation and install scripts assume Linux, so I’m going to need to go manually sift through all their scripts. I suspect there’s a freakton of Linux-isms in their codebase (outside of just the install scripts.)

            For ${REAL_LIFE}, I’m hoping just to sleep. On Thursday of last week, we adopted an eight-week-old puppy. Having a mix of a really mentally-intensive job and taking care of an energetic little puppy is going to take a lot out of me (it already has.) I have a lot of respect for those with children. I don’t know how they have any energy or keep any semblance of sanity.

For HardenedBSD, I mainly plan just to perform package builds. Due to the demands described above, I’m probably going to lessen the amount of time I spend on my hobby project.

            1. 12

              My wife and I adopted a dog, who we named Ahsoka Tano. I’ll be taking care of her along with our existing three-and-a-half year old dog, Vader. I gotta work Sunday to make up for hours missed yesterday since we took the day yesterday going through the adoption process.

              1. 2

                OMG that dog is cute

              1. 1

                For HardenedBSD:

                1. Over the weekend, I got a working build of a HardenedBSD 13-STABLE-based fork of OPNsense. I need to get the public infrastructure set up to provide the ability to publish the package repo for this fork.
2. The server which used to build our 12-STABLE package repo is now sitting unused (since we delegated support for 12-STABLE to the community and no longer provide official support). I’m going to get that prepared to do periodic builds of mfsBSD-based HardenedBSD, a LiveCD distro that one of our developers created, and the HardenedBSD OPNsense fork.

                For personal life:

                1. Try to hit my goal of biking 60 miles in a singular week. I’ve lost 25 pounds since I started biking regularly in March. My target weight is 170lbs and I’m at 177lbs now.
                2. Completely finish constructing our backyard fence.

                For work:

                1. Finish up the business logic code I’m writing in C (as a shared object).
                2. Integrate that new logic in our PHP extension and CPython module.
                3. Finish getting set up on CIRCL’s MISP instance.
                1. 1

                  Nearly impossible to detect on the running server. However, if you have something like a pihole looking for dns exfiltration attempts, this becomes much easier to detect. It does require multiple layers of protection though, I’ll give it that.

                  1. 2

                    Since I haven’t seen any mention of it tampering with the kernel or hooking actual syscalls (as opposed to userspace syscall wrappers), it sounds like its concealment mechanisms should be pretty simple to bypass using statically-linked executables? (A static busybox build, say.)

                    1. 1

                      This was my take. LD_PRELOAD wouldn’t work in the statically linked context

                    2. 1

                      Or if you’re running in AWS there’s also their guardduty alert which I hope would pick it up: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns

                      1. 1

                        The grsecurity patchset includes a feature called Trusted Path Execution (TPE). It can integrate with the RTLD to completely mitigate LD_PRELOAD abuses. I’m working on implementing something similar in HardenedBSD this weekend. :-)

                      1. 3

                        Note that I had submitted the paper here originally, but the paper was removed. The original lobsters link: https://people.csail.mit.edu/weontaek/pubs/PACMAN_ISCA22.pdf

                        1. 3

                          On Wednesday, a huge storm hit my area. Our (luckily unfinished) basement flooded with one inch of standing water, two inches in a couple places (near corners). We have a lot of stuff stored in our basement, so we’re going through that. Using the opportunity to declutter by donating stuff that hasn’t seen the light of day in over a year.

                          1. 4

                            I wonder how well most braille terminals handle lines greater than 80 columns.

                            1. 2

                              Did this get taken down for some reason? I had to hit the wayback machine to read it.

                              It mainly seems useful as background for understanding future attacks, as opposed to being of immediate pragmatic interest, but it was a very interesting read from that perspective.

                              1. 1

                                The paper is scheduled to appear in ISCA ’22, which is not until June. I’m guessing publishing the paper on their site might conflict with the submission guidelines of the conference.

                              1. 2

                                For ${DAYJOB}:

                                My SQL database skills have rusted since I last did major SQL work back in 2007-2010. I used MS-SQL back then. I’ve started working with a MySQL database. I need to learn how to make things more performant.

                                For ${REAL_LIFE}:

                                I need to do some chores. I’m hoping to get some more biking in. I’ve gone 40.9 miles this week, so I’m hoping to finish off the week with an even 60.

                                I signed up to be an election judge for the Maryland 2022 gubernatorial election. The state released a bunch of training material that I need to go through.

                                I wish I had time for HardenedBSD, but I’ve got too much going on. Unfortunately, I wasn’t really able to accomplish the goals I wanted to for HardenedBSD for this month. Hopefully next month.

                                1. 6

                                  My employer has a PTO policy of “use it or lose it”, and my anniversary comes up this Monday. So, I took the past week-and-a-half off. My mom and step-dad flew out to help us renovate our bathroom. This weekend, I plan to completely finish the renovation. I need to seal a few cracks and install new moulding. My wife needs to paint. And then the renovation will be complete.

                                  I’m also hoping to spend some time with my new bike (of the pedal variety). Yesterday (Thursday), I biked a marathon distance in a singular ride for the first time in over a decade. Each time I ride, I try to go at least one mile further than the previous ride. So I’m hoping to get to 27-28 miles.

                                  On the HardenedBSD side of things, there’s a freakton of administrative work that I need to accomplish. We’re now going into the fifth month and I’ve yet to complete any financials for 2022. My focus has mostly been on code and infrastructure, so it’s time to get caught up in the administrative side of things.

                                  1. 2

                                    For ${DAYJOB}:

                                    1. I’m going to continue banging my head against the desk while writing custom PHP extensions.
                                    2. I’d like to spend some time open sourcing some of the work we’ve been doing behind-the-scenes.

                                    For HardenedBSD:

                                    1. Get caught up on the financials and updates to the site.
                                    2. Develop a 2022 roadmap, four months late. ;-)

                                    For ${REAL_LIFE}:

                                    1. Clock in forty miles on the bike (of the pedal variety), three of which with my dog Vader.
                                    2. Do the dishes and laundry.
3. Rip up some of the tile in our bathroom in preparation for a full renovation towards the end of the month. I need to see if there’s any damage to the subfloor. This is the first renovation to the bathroom since the home was constructed in the 1980s.
                                    1. 1

                                      I use two laptops, one for work and one for HardenedBSD development. I suppose, both end up being for HardenedBSD development. ;-)

                                      The HardenedBSD development laptop specs:

                                      • Dell Precision 7550
                                        • 64GB ECC RAM
                                        • 2x2TB NVMe
                                        • Intel Xeon 8c/16t
                                        • Integrated Intel graphics
                                        • OS: HardenedBSD 14-CURRENT

                                      Work laptop specs:

                                      • Dell Precision 7540
                                        • 64GB ECC RAM
                                        • 1x1TB NVMe
                                        • Intel Xeon 8c/16t
                                        • Discrete NVIDIA Quadro GPU
                                        • OS: HardenedBSD 14-CURRENT

                                      I also have a Lenovo Thinkpad T410 that I use when I’m sick in bed (I’ve got a number of health issues, migraines being a big one.) That runs HardenedBSD 13-STABLE. I mainly use it to ssh into my other systems to do actual work there.

                                      1. 1

                                        For cases in which native Yubikey support isn’t available, I use a Yubikey in static password mode. I append the static password to my normal password. Thus, I still get the benefits of hardware-based MFA even where no support officially exists.

                                        1. 1

                                          (I’ve seen a prior submission about this here with a non-existing link, so I’ve submitted the new one :) )

                                          1. 2

                                            Yup. It looks like Microsoft’s BlueHat IL YouTube channel might have deleted and re-uploaded the video, causing a new URL to be created.

                                            1. 2

                                              Thanks for posting it again, I must have missed the first one.

                                            1. 2

                                              I’ve gotta work this weekend, so this is what I’m planning on:

                                              1. I just started writing a permissively-licensed open source encrypted sockets library that enforces use of TLSv1.3 (and above, whenever that’ll happen) by using LibreSSL’s libtls. I plan to finish the core bits of that library.
                                              2. I’m going to integrate the above project into all our networked applications.

                                              For HardenedBSD:

                                              I’m working on forcing -ftrivial-auto-var-init=zero to be enabled by default in clang. I’ve got a candidate patch ready for testing, which is my next goal. I plan to expand testing to arm64 this weekend.

                                              For ${REAL_LIFE}:

                                              I haven’t biked (of the pedal variety) seriously for the past five years. 2018-2020 hit me hard, then I switched jobs and became incredibly busy. I’ve made it my goal to bike when running errands, only using my car for the occasional work commute up to Baltimore (around once or twice per month) and to take my dog to various state parks (like Patapsco). So I’m going to increase the distance I bike each day by at least a half mile. Today, I did 4.5 miles, so hopefully tomorrow will be a full five miles.

                                              I’m hoping to take my dog Vader on a little bike ride as well, perhaps a few times around our little neighborhood.

                                              1. 1

                                                I’m working on forcing -ftrivial-auto-var-init=zero to be enabled by default in clang. I’ve got a candidate patch ready for testing, which is my next goal. I plan to expand testing to arm64 this weekend.

                                                Be careful with default initialisation to zero. It’s usually a good idea but UNIX has one feature that makes it somewhat dangerous: the most powerful UID is zero. Most UIDs are unassigned and so there’s a high probability that an uninitialised UID field somewhere will contain random nonsense and generate an error, whereas zero initialisation will always hit root and allow things to run at the highest privilege level. There was one high-profile vulnerability last year that had exactly this root cause (initialising a structure with zeroes and forgetting to set the uid field).

                                                I’d love to make the root UID a random value determined on first boot but there’s enough *NIX code out there that does if (getuid() == 0) that it’s probably hard to deploy.

                                                1. 1

You also have the int descriptors. In a similar vein and frequent offender:

`if (-1 != mystruct.fd) close(mystruct.fd);`

With default to zero you can end up accidentally hitting STDIN_FILENO and then have it quickly being filled with something else thanks to the sparse allocation requirement. That one has hurt me enough times through buggy libs and, worse, Python-like runtimes that it’s very high up on the troubleshooting list.

On personal / testing rigs I tend to run with patches that randomise file-descriptor allocation, and a libc that remaps stdio descriptors to higher values, with a trap device mapped to 0,1.
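The zero-initialisation hazard raised in the two comments above (an unset uid reads as root, an unset fd reads as stdin, and the kernel’s lowest-free-descriptor rule then hands slot 0 to the next open), as an added C example that is not code from the thread; the `conn` struct and its init/cleanup helpers are constructed for illustration, with memset standing in for whatever zeroes the struct.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed state struct: both fields have a "valid" meaning at zero.
 * uid 0 is root; fd 0 is STDIN_FILENO. A field that never gets assigned
 * therefore silently becomes the most privileged user or the terminal. */
struct conn {
    uid_t uid;
    int   fd;
};

/* Risky: zero the struct (what memset, = {0} or -ftrivial-auto-var-init=zero
 * all produce) and forget to assign the two sensitive fields. */
static void conn_init_zeroed(struct conn *c) {
    memset(c, 0, sizeof *c);
}

/* Hardened: zero the struct, then overwrite the fields whose zero is
 * meaningful with sentinels that no real user or descriptor can match. */
static void conn_init_safe(struct conn *c) {
    memset(c, 0, sizeof *c);
    c->fd  = -1;           /* "no descriptor", the value close-guards test for */
    c->uid = (uid_t)-1;    /* "no user", the same convention chown(2) uses */
}

/* The cleanup idiom quoted in the thread. */
static void conn_cleanup(struct conn *c) {
    if (-1 != c->fd)
        close(c->fd);      /* on a zeroed struct this closes stdin */
    c->fd = -1;
}

/* A check that trusts the field as-is treats an unset uid as root. */
static int looks_like_root(const struct conn *c) {
    return c->uid == 0;
}

/* The check to prefer: only act once the uid has been explicitly set. */
static int is_uid_set(const struct conn *c) {
    return c->uid != (uid_t)-1;
}

/* Initialise a conn with `init`, run the cleanup idiom, open a file and return
 * the descriptor number that open received. Slot 0 is saved and restored so the
 * caller's stdin survives. If cleanup freed fd 0, the new file lands on slot 0
 * and anything that later reads "stdin" reads that file instead. */
static int fd_received_after_cleanup(void (*init)(struct conn *)) {
    struct conn c;
    int placeholder = -1, saved, got;
    if (fcntl(STDIN_FILENO, F_GETFD) < 0)            /* ensure slot 0 is in use */
        placeholder = open("/dev/null", O_RDONLY);    /* lands on 0 */
    saved = dup(STDIN_FILENO);
    init(&c);
    conn_cleanup(&c);
    got = open("/dev/null", O_RDONLY);
    if (got >= 0) close(got);
    if (saved >= 0) { dup2(saved, STDIN_FILENO); close(saved); }   /* restore */
    if (placeholder >= 0) close(placeholder);
    return got;
}

int main(void) {
    struct conn z, s;
    conn_init_zeroed(&z);
    conn_init_safe(&s);
    printf("zeroed: looks root=%d, fd after cleanup=%d\n", looks_like_root(&z), fd_received_after_cleanup(conn_init_zeroed));
    printf("safe:   looks root=%d, fd after cleanup=%d\n", looks_like_root(&s), fd_received_after_cleanup(conn_init_safe));
    return 0;
}
```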

                                                  1. 1

On personal / testing rigs I tend to run with patches that randomise file-descriptor allocation, and a libc that remaps stdio descriptors to higher values, with a trap device mapped to 0,1.

                                                    That’s very interesting, does much stuff break? I’d expect a lot of stuff to have hard-coded file descriptors 0, 1, and 2. Since dup2, there’s very rarely a valid reason for closing stdin, so I guess you could have a test in the close function in libc that aborts if you try to do close(0) and do the raw syscall (or have a closestdin() wrapper) for the few cases if you actually need it.

                                                    1. 1

                                                      Quite a lot breaks, so allow-lists are necessary or going slightly less aggressive and do what you said and go for close(0), … Now I’m in the unusual position that much of the user space runs things I have written or at least patched, but even then it is tedious.

                                                      The worst offenders tend to be shell scripts (2>1 and so on) and eccentric TUIs - isatty(0) leading to SSH trying to grab /dev/tty raw for password prompt input or gdb injecting quit into its prompt. Many raw C applications do avoid working directly against the descriptor for stdio though, the FILE abstraction comes earlier in people’s programming journey than all the nuances of write et al.

It is also interesting how some kernels or libc tries to protect you a bit: forking, closing then execing tends to give you /dev/null mapped into the slots rather than having it propagate. I vaguely remember this not always being the case, but that might be dementia talking - faint memories of closing then execing to a suid binary that opens argument controlled input files and corrupting by finding some fprintf(stderr, “caller controlled log go here”). A notable exception that I found by fooling around was Linux proc/sys/kernel/core_pattern. The process it can spawn is quite unlike any other, including (1,2) not being mapped.

                                                      For avoiding sandbox escape shenanigans having the first few opens being unpredictable is a nice party trick still – normally you can assume something like a d-bus or wayland socket getting mapped to something static (3 or so) when writing your shellcode as their idiomatic use tend to come like main: parse_arguments(); open_ipc() -> 3. Without such assumptions you suddenly need to probe, and that is a lot more annoying and error prone than write(3, payload, payload_sz).

                                                      1. 1

                                                        Do you have any idea how many things hard-code constants versus using STDIN_FILENO and friends? I wonder if redefining those to call a function that returned them (possibly a static inline function that calls a slow-path if some global is -1 and returns it otherwise) would help with compatibility. I’d love to be able to do this in production because there’s also a significant performance win from not requiring the first-open behaviour.

                                                        I’m not sure if there’s a good way of fixing 2>1 in the shell, though my initial thought with the standard file descriptors was to store them in ELF aux args. I wonder if it would be possible for the kernel to allow the parent to set up fds in fixed locations and then randomise their locations and provide their final locations via aux args so that libc could find them easily.

                                                        1. 1

                                                          Do you have any idea how many things hard-code constants versus using STDIN_FILENO and friends?

                                                          Alas no, only useless empirical knowledge. This feels like a job for CodeQL.

                                                          Redefining those to call a function that returned them (possibly a static inline function that calls a slow-path if some global is -1 and returns it otherwise) would help with compatibility.

                                                          Do I hear the sound of prctl/procctl taking another one for the team? :-)

                                                          The compromise of letting 0, 1, 2 stay intact and drop the sparse allocation requirement thereafter might be a slightly less broken possibility than the horrors that mentally unpacking ‘file descriptor relocations’ as a concept would entail. Otherwise having a translation table for this most evil of namespaces in aux seems like a lovely new footgun to the collection, and I do love footguns more than feet. I wonder how bad the closefrom() / close_range() situation would suddenly get.

                                                          1. 1

                                                            Do I hear the sound of prctl/procctl taking another one for the team? :-)

                                                            I think it would have to be.

                                                            The other thing on my to-do-eventually-hopefully list is a process-creation API that makes FD inheritance more explicit. If (for an example that probably isn’t quite what I want to build) execve took an array of file descriptor numbers, just as it took an array of arguments and an array of environment variables (the two other bits of state that are inherited from the parent) then it would be trivial for it to randomise their locations and then provide an aux args vector containing their new locations, which libc could then pick up. It would even be possible for rtld / csu to pick some of them up and write them into memory that’s read-only after the first user code is called, so variables like STDIN_FILENO could be initialised once and made read-only. This would also eliminate the need for closefrom to avoid inheriting FDs accidentally: if they’re not on the list, they’re not inherited past execve.

                                                            I haven’t really pushed on this because I presumed that the assumptions about file descriptors were entrenched in *NIX software, you’ve given me a bit more hope.

                                              1. 1

                                                AndrewG’s “Binary Protection Schemes” whitepaper (archived here) is what got me started down the path of learning ELF and specifically, tying runtime process infection and ELF together. His paper was what inspired me to start writing malware targeting both Linux and FreeBSD.

                                                It’s fun and inspiring to see others pick up the torch and do cool things with ELF research. If I can get motivated enough, I might write an article for their next edition on hacking ELF objects to play with the RTLD on FreeBSD.

                                                1. 7

                                                  Slackware was my second introduction to Linux. My first introduction was Red Hat 6, the Red Hat that came bundled with popular Linux magazines in your local Barnes and Noble. After Slackware, I found refuge in the BSD camp.

I still have fond memories of Slackware, the 90s underground hacker Linux distro of choice. I’m glad to see they’re still around.