/dev/stdout

No eXecute and Atom, the current MeeGo state

felipe — Mon, 16 Aug 2010 21:49:02 +0000

The security of your box goes over the firewall, or the fact that you are running a platform where all binaries are trusted. Even on that case, is still possible that vulnerabilities of some software or library could be exploited by a malicious party.

The idea behind the NX bit, No eXecute, is to segregate the areas of the memory in two (lets keep it simple ) big sets, the code execution area and the storage area. According to Wikipedia (http://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors), the Atom family has the capability to handle such bit.

Adding this feature and a Linux kernel, is possible to avoid the execution of code in the data area, protecting the system against buffer overflows attack. However some marks should be placed on ELFs to archive such protection, these marks are made in the ELF construction and they can mark the ELF to have or not an executable stack. In the second case the executable flag has no effect, is useless.

The marking can also be made on a library (it is also an ELF, duh!) and when this happens, the software which loads that library will be also allowed to run code inside the data segment, disabling again the protection against buffer overflow.

To check the executable marks of your ELFs, you can use the pax-utils (http://www.gentoo.org/proj/en/hardened/pax-utils.xml). Running the tests on a daily MeeGo image (2010-22-07) the following results were archived:

[root@localhost ~]# scanelf -lpqeR RWX --- --- /usr/lib/libmono.so.0.0.0 RWX --- --- /usr/lib/paxtest/getmain2 RWX --- --- /usr/lib/paxtest/getheap2 RWX --- --- /usr/bin/mono

This means that libmono and mono, for some reason, are expected to run code on the data segment of the memory. In Fedora the mono is marked as RW, I dunno why it is marked as RWX in MeeGo, further investigation should be done.

Mono’s GNU_STACK on Fedora:
(zimmerle@burbs)-(~/core/meego)$ readelf -l /usr/bin/mono | grep GNU_STACK GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000

Is acceptable to have some process without such kind of protecting, for example Java. Java depends on the executable stack to work. It is also acceptable to have some other binaries like: getmain2 and getheap2. These are used to test if the Machine is handling well the NX bit.

To check if your platform has handled well the support of the NX bit, you can use the pax-test, really nice utility that allows us to check the protection against various kinds of exploration. Tests were also made on the same release used above.

kidde mode:
PaXtest - Copyright(c) 2003,2004 by Peter Busser Released under the GNU Public Licence version 2 or later


Writing output to paxtest.log

It may take a while for the tests to complete

Test results:

PaXtest - Copyright(c) 2003,2004 by Peter Busser

Released under the GNU Public Licence version 2 or later
Mode: kiddie

Linux localhost.localdomain 2.6.35~rc6-131.2-netbook #1 SMP PREEMPT Tue Jul 27 14:34:50 UTC 2010 i686 i686 i386 GNU/Linux

Executable anonymous mapping : Killed Executable bss : Killed Executable data : Killed Executable heap : Killed Executable stack : Killed Executable anonymous mapping (mprotect) : Vulnerable Executable bss (mprotect) : Vulnerable Executable data (mprotect) : Vulnerable Executable heap (mprotect) : Vulnerable Executable shared library bss (mprotect) : Vulnerable Executable shared library data (mprotect): Vulnerable Executable stack (mprotect) : Vulnerable Anonymous mapping randomisation test : 12 bits (guessed) Heap randomisation test (ET_EXEC) : 13 bits (guessed) Heap randomisation test (ET_DYN) : 16 bits (guessed) Main executable randomisation (ET_EXEC) : No randomisation Main executable randomisation (ET_DYN) : 10 bits (guessed) Shared library randomisation test : No randomisation Stack randomisation test (SEGMEXEC) : 19 bits (guessed) Stack randomisation test (PAGEEXEC) : 19 bits (guessed) Return to function (strcpy) : Vulnerable Return to function (strcpy, RANDEXEC) : Vulnerable Return to function (memcpy) : Vulnerable Return to function (memcpy, RANDEXEC) : Vulnerable Executable shared library bss : Killed Executable shared library data : Killed Writable text segments : Vulnerable

blackhat mode:
PaXtest - Copyright(c) 2003,2004 by Peter Busser Released under the GNU Public Licence version 2 or later


Writing output to paxtest.log

It may take a while for the tests to complete

Test results:

PaXtest - Copyright(c) 2003,2004 by Peter Busser

Released under the GNU Public Licence version 2 or later
Mode: blackhat

Linux localhost.localdomain 2.6.35~rc6-131.2-netbook #1 SMP PREEMPT Tue Jul 27 14:34:50 UTC 2010 i686 i686 i386 GNU/Linux

As you can see, we are protected against code execution in any other area than that intended for this purpose. We don’t have randomization on libs due the fact that we are making use of the prelink, subject for another post

The pax-utils and pax-test pacakges can be found on my security MeeGo repostiory, at:

http://meego.zimmerle.org/repo/security/

If you are interested in testing it by yourself, you can download my ks file here.

That kind of protection is very important almost mandatory, modern system still been hacked by such kind of attack class, when they opt to not provide such protection, the case of Xbox, for example which is exposed to a vulnerability in the 007: Agent Under Fire (http://en.wikipedia.org/wiki/Agent_Under_Fire_(video_game)).

Poulsbo support on MeeGo, almost there

felipe — Wed, 28 Jul 2010 01:01:58 +0000

This is a continuation of my last post about Poulsbo support on MeeGo. A lot of people have asked me to continue this work, but I just had time today. In this post I will talk about the Xorg drivers. After some research/reading these sites:

http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/x11-driver-video-psb/

http://code.google.com/p/gma500/

http://www.happyassassin.net/2010/05/21/video-acceleration-and-poulsbo-news/ (again )

https://edge.launchpad.net/~gma500/+archive/fix

And after some work, I created/built the necessary packages to get the Poulsbo Xorg driver working on MeeGo. The performance differences are notable.

I got my netbook running MeeGo with the Xorg driver, but without 3D acceleration yet, meaning, it still slow. The Intel closed 3D driver is already packed and installed but for an unknown reason when I enable it the Xorg just crash. Further investigation is needed.

I had to place “suid” bit on Xorg to make the driver work correctly. All the necessary packages to make it work can be found on my megoo repo, and also there is an image available if you want to check it out.

You can download the image via torrent or directly from my site: iso image. The ks file goes here.

And here is a nice picture of my netbook running the MeeGo official UI

Since Adam Williamson published on rpmfusion the support of psb to F13, I just updated the older specs files to follow the Adam’s one for two main reasons: Adam’s packages are well done, and also using them we keep the same packages names in MeeGo and in Fedora.

Poulsbo @MeeGo

felipe — Thu, 01 Jul 2010 23:17:12 +0000

While I was trying to leave my MeeGo usable and secure, the need to put my video driver to work properly appeared because I was getting annoyed with the fact that I haven’t the “official” MeeGo Ui running yet.

The chipset is a Poulsbo. It is in the list of not supported hardwares on MeeGo (http://wiki.meego.com/Netbooks), but, somehow Mandriva and others distros make use of it, so I decide to take a look by my self.

The posts from Adam Williamson (http://www.happyassassin.net/2009/01/30/intel-gma-500-poulsbo-graphics-on-linux-a-precise-and-comprehensive-summary-as-to-why-youre-screwed/) were very useful and based on that I decided to take a look at Mandriva’s svn (http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/libdrm-psb/), just to try to port something that already exists to MeeGo platform.

Another good resource is: https://edge.launchpad.net/~gma500/+archive/fix

With all that information I started to port the packages to MeeGo, creating the rpm specs in order to generate the packages. I did not have time to finish all packages yet, the Xorg driver is still missing. The kernel driver and others required packages are available on my MeeGo repo. It means good framebuffer screen and cool Xfce session, but not MeeGo UI yet.

A new Kernel is required to be installed since happened a conflict or something like that with another module which was compiled built-in in the official Kernel. As I said, the Xorg driver is still missing. I will work on that as soon as I find some time to do it.

Here goes a picture of my device running with the psb drivers loaded (xfce):

The packages are available on my MeeGo repo, at: http://meego.zimmerle.org/repo/psb/packages/

The packages are:

psb-firmware

psb-kernel-modules

kernel-netbook-psb

psb-kernel-source

kernel-netbook-psb-devel

MeeGo: @SELinux on %packages.

felipe — Mon, 14 Jun 2010 19:45:53 +0000

I finally bought a netbook and since I am intending to use it with some work stuff (meaning data that requires confidentiality and integrity) I started to tuning my MeeGo to make it more protected before place my data

To make it more protected I think that it is interesting to confine some, let’s say, “untrusted applications”. Which basically means more restrictive control over the processes. Usually I use GRSecurity for that but this time I am using SELinux. Since I am dealing with RPM and Fedora use to be a reference (at least for me) in the support to the SELinux, most of the specs files were copied from Fedora including the policy. The policy should be well refined to fit my needs, but it will be the subject of another post.

Supporting SELinux involves to support not only the kernel part of SELinux (kernel-selinux-netbook), but to support a huge number of packages as you can see bellow:

selinux-policy-targeted

selinux-policy-doc

bwidget

selinux-policy

setools-libs-python

setools-libs

libsepol

kernel-selinux-netbook

libselinux-ruby

ustr-debug

policycoreutils

libprelude-python

libprelude-perl

policycoreutils-python

pax-utils

audispd-plugins

libselinux

perf

policycoreutils-newrole

libprelude-ruby

checkpolicy

ustr-debug-static

audit-libs-python

libsemanage-static

setools

libsemanage-python

ustr

libselinux-static

audit-libs

libsemanage

setools-libs-tcl

libsepol-static

setools-console

libselinux-python

ustr-static

libprelude

libselinux-utils

audit

Part of these packages are not needed to make the SELinux work, but they are used by auxiliary applications which make SELinux easy to deal with. As you can see, these packages provide dependencies on Ruby, Perl and Python for example. I think we just need the python dependency. The big difference between my packages and Fedora’s packages is the fact that I refuse myself to port the Java SELinux utilities

All the support to that packages (and also the devel version of them) are available at my MeeGo repo at:

http://meego.zimmerle.org/repo/security/packages/

To add SELinux to your image, you just need to add to your .ks file, the following repo:

repo   --name=security --baseurl=http://meego.zimmerle.org/repo/security/packages/

And you also need to place the SELinux package group in the package section:

@SELinux
kernel-selinux-notebook

An example of a kick start file can be downloaded here: http://meego.zimmerle.org/repo/security/build/meego-netbook-chromium-ia32-security-1.0.20100614.1459.ks

You can also download a SELinux MeeGo image at: http://meego.zimmerle.org/repo/security/build/

Here goes a picture of my netbook running selinux kernel:

The policy is not loaded automatically after the boot and the file system is not labeled yet. To load the policy just use load_policy tool.

4×4 inclinometer

felipe — Mon, 18 Jan 2010 12:12:14 +0000

For those who are interested in knowing how steep is your N900, or the
object that supports it. Meet the 4×4 inclinometer.

[youtubewd]wrhcm3Yo-7k[/youtubewd]

I developed it to use in my car, hence the name 4×4 inclinometer. Using this
application I can know the slope of the obstacles or the ground below my
car.

According to the manual of the car, it can be in an angle of heel of 45 degrees
with no problem, something higher than this is at my own risk. When I read
this information, just imagined the software for the N900:)

The current version depends on Qt 4.6 with the animation framework. The
animation is used to rotate the images of the car, smoothing the movement. I
am not an expert in gimp, so forgive me for the images poorly done. Next
version I will put a simple support for themes.

The intallations files are already in extras-devel, so you just need to
apt-get it.
And the sources are available at:

http://git.zimmerle.org/?p=inclinometer.git;a=summary

The car image and the application background are Trademark of Troller Veiculos
Especias S/A, http://www.troller.com.br

iptables on extras devel

felipe — Fri, 01 Jan 2010 22:13:32 +0000

The iptables package is on maemo extras devel. There is no support for connection state on the device Kernel consequently the NAT is not working. I tried to compile the modules, but I found myself in trouble trying to load them at the device. If you want to flash a kernel with support for connection state there is one available at my personal repository (read: mWall :: netfilter + ui for maemo for more information). Antoher discussion about that modules can be found at: http://forums.internettablettalk.com/showthread.php?t=30916&page=1

tcpdump && lipcap on extras-devel

felipe — Fri, 01 Jan 2010 13:52:11 +0000

For those who are playing with maemo and network, now are available at maemo
extras-devel {fremantle|diablo} the tcpdump package and its dependency (libpcap) working
like a charm

[youtubewd]GEQh6SbULLw[/youtubewd]

mWall :: netfilter + ui for maemo

felipe — Mon, 21 Dec 2009 03:16:47 +0000

Something that certainly bothers me is the fact that i am always online independent of the network. I walk with my n900 in the pocket and sometimes I am using 3g, sometimes using wifi. I am jumping from trusted to untrusted wifi spots, and I have the strange feeling that maybe once (or more…) I will be part of a honeypot, malicious network or something like that.

As part of this type of network my device can be easily identified as an N900. (e.g. MAC address). Once the device is identified a person or a malicious software can start to guess passwords (rootme?) and can try to exploit softwares that are under development.

Avoiding been hacked on that situation I decided to write a small firewall UI for the n900 (netfilter/iptables back end), that allows me to block any incoming connection that is not authorized.

This is just a very first version of the firewall, a lot to be done yet. To install it on your device, check for mWall at my personal repository.

You can install my repository by clicking here: zimmerle’s repo.

I also provide in my repository: the iptables package and a kernel with support to iptables state match. The iptables binary was marked with the suid bit, allowing its execution by users without super powers. But this should be fixed in the next release.

Let me advise you that the firewall rules are not permanent, I mean, you need to run the firewall in every boot. It is under development

The code is available at: http://git.zimmerle.org

Playing with Perl :P

felipe — Mon, 26 Jan 2009 23:04:35 +0000

I always had problems in reading my rss feeds because I never found any good rss reader (google things are not options, I don’t like them) they are too weird to me… The fact is: I’m not able to read my friends – or enemies – feeds, but I’m a good email reader (Usually I not reply, but I always read) so I decided to search a way to send the feeds to my email so, I will be able to read them.

I found a nice toy to do that, it is called: rss2email. Really nice toy. I just placed it to run on my server and it started to deliver my content

After one week using it, I saw that I didn´t subscribe any new feed. Imagine yourself logging in a server to add a new rss feed… nah too complicated. Too much work for me.

So I decided to create a new mail alias to receive commands and process them by its procmail rules . Well ok, what about the security? And if that MTFK friend decide to clean up my entire feeds? Thats why I decided to verify my gpg signature before process the commands and for that a combination of procmail rules and my cute Perl script is amazing

Here goes my Perl script and enjoy:
[sourcecode language='perl']
#!/usr/bin/perl
#
# Copyright (C) 2009 Felipe Zimmerle da N. Costa
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
#

# Config.
$config{‘trusted’} = ‘E8B11277′;
$config{‘debug’} = 1;
$config{‘rss2email’} = ‘/your/path/to/rss2email/rss2email.py’;
$config{‘dat’} = ‘/your/path/to/rss2email/feeds.dat’;
$config{‘mailto’} = ‘your@mail.something’;
$config{‘sendmail’} = ‘/usr/sbin/sendmail’;
$config{‘label’} = ‘/your/path/to/labels.txt’;
$config{‘mail’} =< To: $config{'mailto'}
From: RMO Report
Subject: rmo report

RMO Results:

RESULTS

EOT

# Do not edit above this line.
use IPC::Open3;
use IO::Handle;
use Encode;

undef $/;
my $mail = <>;
$mail =~ s/=(\n|\r|\n\r|\r\n)//gom;
$mail =~ s/=3D/=/gom;
$mail =~ s/=20/ /gom;

my ($IN,$OUT,$ERR) = (IO::Handle->new(), IO::Handle->new(),
IO::Handle->new());
open3($IN, $OUT, $ERR, “gpg”) || die “Unable to run: $!\n”;
print $IN $mail;
close($IN);

my $from,@cmd,$results,$pr,$ops;

# Parser the commands.
my $o = <$OUT>;
$o =~ s/^add (\”[A-z0-9_. -]+\”|[A-z0-9_.-]+) (.*)/@{[eval { $pr++ ; $cmd[@cmd] =
["add", "$2", "@{[eval {$a = $1; $a =~ s@^(\")(.*)(\"$)@$2@; $a;}]}”] }]}/gome;
$o =~ s/^(del|delete) ([0-9]+)/@{[eval { $pr++; $cmd[@cmd] = ["delete", "$2"] if $pr < 2;
$ops++ if $pr > 1 }]}/gome;
$o =~ s/^list/@{[$cmd[@cmd] = ["list"]]}/gome;
close($OUT);

# Check signature.
my $e = <$ERR>;
$from = $1 if $e =~ m/.*key ID ([A-z0-9]+)(\n|\r|\n\r|\r\n)gpg: Good signature from.*/m;
close($ERR);

die “Wow a hacker:\n$mail” if $from ne $config{‘trusted’};

foreach my $c (@cmd) {
my $c_ = $config{‘rss2email’} . ” ” . $config{‘dat’} .
” ” . $c->[0] . ” ” . $c->[1];
$results .= “Command: $c_\n” . `$c_` . “\n”;
`echo $c->[2],$c->[1] >> $config{‘label’}` if $c->[0] eq “add”;
}
$results .= “\nDelete request is just welcome if its come ” .
” alone. $ops delete” .
“s”?”":$ops>1 . ” ignored.\n” if ($ops > 0);

$config{‘mail’} =~ s/RESULTS/$results/;

open(S, “|$config{‘sendmail’} -t $config{‘mailto’}”) or die ” ” .
“Unable to run sendmail: $!\n”;
print S $config{‘mail’};
close(S);
[/sourcecode]

I really love Perl. Amazing, just few lines and my problem was solved ;P

WUSB Cable Association

felipe — Thu, 27 Mar 2008 03:50:11 +0000

This document explains the Cable Association (cba) between a MS Windows host and a IOGear HUB [1] using the WiMedia application [2]. The logs analized here have been generated by a usb sniffer, usbsnoop [3]. This analysis was made to clarify the cable association specification. It’s the result of one day’s work by me and my friend Alex.

The analized log can be downloaded here: usbsnoop-iogear-dwa.log

According to the specifications something like that should happen:

Our analisys is divided into blocks. Each block has a usb control message. They are:

Association information
Host information
Association request
Second association request
Setting association request