Today, a pull-request I had made to an upstream software, the maintainer asked me to improve the test coverage, showing the (gcov) coverage report. OK, so as I start working on this, deja-vu comes over me (again). I’ve seen this type of report before. And then it hit me. Many years ago (~1991) I was a student @ HP here in Waterloo. One of the first things I worked on was adding ‘basic block analysis’ (coverage analysis) as a feature to HP Softbench for our X-Terminals. Now the X-Terminals were compiled (Intel i960) using an early gcc, and softbench was based on something for the PA, but I got it working, updated some of the Motif client, and was on my way in my testing career.

That early softbench and BBA coverage is immortalised here HPJ-1990-06 (June 1990 HP Journal). UI’s used to be so sexy all 3D like.
plus ça change, plus c’est la même chose

 

You remember outdoor kitty? The mooch? The one we installed a heated outdoor house and remote temperature sensing for? The same one that is much less friendly when its warm? Well, as we can see, he does not make much use of the house in this weather (~32C here today in sunny waterloo). And no, we are not installing kitty AC. The line must be drawn somewhere, may as well be at that!

Below you can see him sacked-out in the back yard, his house in the corner, and TC sacked out watching. Yeah, they are fine, no need for kitty AC.

iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex

I find this in the Vagrant file to bring up some Windows docker. Chocolatey? Its a package manager for Windows.

The script in question (https://chocolatey.org/install.ps1) is fetched (iwr) and the run (iex). Hmm.

Well, if someone gets our DNS, or MITM, we should get an HTTPS alert due to CA mismatch. So I guess that can be ok. The script itself has some authenticode signing. But, we are not using that.

PS C:\Users\vagrant> Get-ExecutionPolicy 
RemoteSigned

There exists some unsigned-copies of the install (e.g. here), referenced in the install docs (e.g. here).

Reading a bit more, it seems maybe:

Set-ExecutionPolicy RemoteSigned
$env:chocolateyVersion = '0.10.11'

iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

is the ‘safe’ way? This means that we trust the signer (their process, their code, their control of the signing keys).

Comments?

So yesterday I wrote of my adventures in installing Windows 2016 Server (with Windows Server Containers) into Vagrant.

Of course the first think I want to do is try out this ‘docker on windows’ experience. So I open the default browser (edge), and type in ‘docker windows’. And lo, what sketchy site is blocked by the default settings? Picture to the right.

Colour me amused.

 

The ‘snoop thy neighbour’ train continues. Spectre, in the news for most of last year, is a method by which you can snoop on other process memory on the same box. And this in an age of ‘sharing is caring’ where you are running your high-value SSL eCommerce site on the same physical machine that, well, anyone is sharing.

So today’s the news came out about TLBleed. It uses hyper-thread occupancy (2 register sets share 1 pipeline and stall on memory operations) to snoop. And, they appear to have:

… calculating cryptographic signatures using the Curve 25519 EdDSA algorithm implemented in libgcrypt on one logical core and their attack program on the other logical core. The attack program could determine the 256-bit encryption key used to calculate the signature with a combination of two milliseconds of observation, followed by 17 seconds of machine-learning-driven guessing and a final fraction of a second of brute-force guessing.

So, this means you can find the ssh private key of your neighbour, in a different memory space, a different VM.

Now, a little bit of scheduling magic, and one could guarantee that hyper-thread pairs are never scheduled out of the same VM, that would be a sufficient workaround for the threat of ‘someone else’, but still allow local privilege escalation.

Trust. Inside out, outside in, left to right. Its getting harder to have that trust. Pretty soon someone will launch a ‘deterministic processor’. All instructions will take 1-second, no variation, and be in-order. it will have 1K of ram. It might say 6502 or z80 on the front. Maybe it doesn’t support branching or conditions!. And we’ll examine Amdahl’s law as we try to cluster them for security 🙂