I’m building something old

I’m buying something new

I’m buying time and I’m selling it

to myself

at a higher price.

I will start posting again!

- Alexis.

Let's get topical for a bit. I haven't posted for a while and I have quite a few things to talk about, but a paper from this month's Black Hat security conference in Las Vegas made quite a buzz and caught many people's attention, including mine. As it was posted on OSNews and Slashdot as a method to completely circumvent Vista's security, it was only natural that people loved it.

My first reaction to such news is to trust the text and distrust the title. One would hope that computer people would know to be less affected by sensationalist headlines, but it seems that the higher skepticism is counterbalanced by the decreased attention span.

The paper is written by established security experts and is a little bit technical (not too bad though), so I thought I would talk about each section of it and explain in simple terms what the measure is, what went wrong, whose fault it is, whether you should lose sleep over it and what you can do to decrease your risk.

One thing to note that should actually be obvious: The mentioned exploits are NOT directly applicable to a Windows machine. They mean that if a bug is found in a program, and that bug allows remote code execution, the attacker has a way to avoid these measures which try to detect and prevent bug exploitation.

For the full deal and accuracy, read the paper itself:

Bypassing Browser Memory Protections - Alexander Sotirov , Mark Dowd

GS (stack guarding)

The Measure: The Visual C++ compiler can use a 'stack cookie' to make sure that a stack buffer overflow does not corrupt the return address of the function. This is a common attack vector, and it means that the attacker can set his own memory address for the program to jump to when the current function exits. With this measure, if the overflow occurs, the cookie will also be corrupted , and as soon as the cookie validation function realizes that, execution halts and the attack is prevented.

The Problems: The stack cookie check can have a very significant performance cost. To reduce this, the Visual C++ compiler checks for conditions where an overflow would be 'impossible', and in those conditions, refrains from adding the check to the function.

The first problem stems from that: these conditions are flawed, and there are ways to cause an overflow in some functions that get away with not having a check.

The second problem is that the aforementioned cookie validation is not run when an exception occurs, so an overflow can replace the exception handler record with another value, cause an exception, and have the attacker-provided handler executed.

Lesson: The blame for this one would go to the compiler team, but the biggest problem with compiler-provided security measures such as this one is that flaws are almost certainly discovered too late for a fix to be effective. Thousands of binaries have already been compiled using this feature (including most Microsoft programs), which means that all of them are suspect until the compiler is fixed and new versions of every single one of the vulnerable binaries are redistributed as a patch.

Impact: It's hard to tell, at least from my perspective, how important this hole is. The possibility of functions that are vulnerable to stack buffer overflows has been proven, but their numbers in Windows and other programs are up to more experienced security analysts to find.

What you can do: If you are a Windows developer, use the strict_gs_check option that has been added in Visual C++ 2005 SP1. This will take care of problem 1, but not problem 2. Other than that, there's not much that can be done other than wait for updates.

This is it for now. If there's interest, I'll go through the rest of the measures from the paper too. Next stop: SafeSEH!

Man, after 4 days of barely leaving the house so that I can finish a paper for the important-sounding Pacific Symposium on Biocomputing 2009, it felt amazing to actually bike over to the climbing gym and get up on the wall again! Also you wouldn't think it matters but something helped me be notably more agile and swift, and I'm pretty sure it was losing 3-4 lbs. during the past week.

Not saying I don't suck balls, of course. But my ol' pal Sarah said that they are going to Jack's Canyon (it has a website?) again this weekend which gives me a chance to get some lead-climb training from her and Josh and I need all the help I can get. I can only do outdoors climbing when someone else is (due to acute lack of the car) so I'm pretty excited.

I've set my mind on the first 'computer-is-your-friend' program I want to work on. Here's what's on the whiteboard (The 'Penis Sizes' histogram had to be erased, whiteboard fans. Sorry!):

Not going to get into it much but in a nutshell: Wouldn't it be nice if your desktop had icons for only things you're working on right now, instead of either nothing but a pretty background (the minimalist approach) or everything ever created (the not-so-minimalist approach). There's a little bit more into it, but if you think that'd be nice, you'll like this.

Hello inter-net! I hope the weather is okay in your area.

I would like to take this opportunity to announce that this web site is about you. Or at least, something that you care about. And what do YOU care about?

That's right! Me.

But what will I be writing about? Is it something that you, the reader, would be interested in?

DO PIGS LOVE SHIT?!?!? Of course it will!

That is, if you're passionate about things that I am. And because that is hard to tell, I decided that a good way to start is to post a short introductory post for each of the things that I would most often be talking about. So here goes:

uISVs/microISVs

For those that are not complete fucking nerds, ISV stands for 'Independent Software Vendor'. The prefix stands for 'really small' and the terms are used for people who decide they want to take a shot at being their own boss in the jungle that is the Computer World. Running your own business is a really rewarding experience whether it fails or not, which is good, because so far I'm failing. I'll talk about lessons learned in research, development, marketing, selling and supporting a product, which is only a subset of the roles that a microISV has to play. If you're planning on giving the finger to the Man with another kind of small business (that will still pay taxes to the Man so He will disregard the earlier Gesture), you'll still probably find a few things worth noting in what I write.

News item:

Following a common advice from more successful people at the Business of Software forum, including Mr. 'microISV autopsy blog' Patrick McKenzie, I'm offering something small, nice and free over at Gatehead. My Vista Volume Indicator is a dumb little gadget that actually has measurable demand, so a short-term target is to get people to see that it exists. That will help me analyze what is probably the most serious problem I have right now: Ridiculously low traffic.

Now, there can be tons of reasons for very low traffic, especially for a starting site. No links pointing to you is one of the most obvious, and another is that people can't find you when they're searching for what you're offering (these two reasons are, of course, heavily correlated). Well, I'm offering a background music and announcement player and searching for that shows no sign of my stuff. Hell, searching for MY PROGRAM doesn't even bring up my site in the first page of results. So obviously we need to get to why my site is not considered the Headquarters of Time2Play, and why Time2Play is not considered an option when looking for something like it. I'm already trying out some basic measures, and I will report on my findings.

Okay that's one thing. Next time: SHARKS! Or transhumanism.