Distributed Computing
without Surprises
Denis A Nicole
30th November 2005
The Sony Rootkit
It’s too easy to develop broken
software
From hacker to everybody’s PC in six
years.
Just call a hack $sys$foo and nobody can find it…
World of Warcraft hackers using Sony BMG rootkit
Published: 2005-11-03
Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected
CD.
World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content
protection software can make tools made for cheating in the online world impossible to
detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of
thousands of the record company's music titles.
Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program
that detects cheaters by scanning the processes that are running at the time the game is
played. Called the Warden, the anti-cheating program cannot detect any files that are
hidden with Sony BMG's content protection, which only requires that the hacker add the
prefix "$sys$" to file names.
Despite making a patch available on Wednesday to consumers to amend its copy protection
software's behavior, Sony BMG and First 4 Internet, the maker of the content protection
technology, have both disputed claims that their system could harm the security of a
Windows system. Yet, other software makers that rely on the integrity of the operating
system are finding that hidden code makes security impossible.
Posted by: Robert Lemos
Writing to Sony…
Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)
From: contentprotectionhelp
To: D.A.Nicole1@soton.ac.uk
Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-1" character set. ]
[ Some characters may be displayed incorrectly. ]
Thank you for contacting Sony BMG Online.
Sony BMG and First 4 Internet have just released an update that will completely remove
the rootkit based DRM content protection software and replace it with a non-rootkit
DRM technology that is compatible with all current security protocols.
To ensure the security of your system, please visit their software update website to
obtain and install Service Pack 2 at:
http://updates.xcp-aurora.com
If after this update, you still wish to uninstall our software, please visit the
form below using the computer where the software is currently installed and you will
be emailed an uninstall link within 1 business day (M-F).
http://cp.sonybmg.com/xcp/english/form9.html
Your "Case ID" is: 3372250.
TIP: Our uninstall request form will require a small ActiveX plug-in
(from First 4 Internet). Be sure to also temporarily turn off any
pop-up blocker software. Although a non-ActiveX process is in
development, currently, our online process is the only option.
Should you prefer to wait for the next uninstallation version,
one is due to be released later this month at:
http://cp.sonybmg.com/xcp/english/updates.html
Thank you for the opportunity to be of assistance.
The Sony BMG Online Support Team
CC2X
John
It just gets worse
Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)
From: contentprotectionhelp
To: D.A.Nicole1@soton.ac.uk
Subject: Notification of potential security issue (KMM15645015I21924L0KM)
Thank you for contacting Sony BMG Online.
Our records indicate that you recently sent us an email in connection with the
purchase of a content protected CD, requesting a program to uninstall the XCP
content protection software. We are sending you this email because we have
been notified of a potential security issue that may arise in connection with
the uninstaller program previously provided.
To be clear, the security issue is not raised by the presence of XCP content
protection technology on the music CD you purchased. The security issue may
arise when a user downloads the program to uninstall the XCP software files
from a computer.
The likelihood that you have been exposed to any security risk by using the
program to uninstall the XCP technology is minimal. Nevertheless, for your
protection, we are sending this notice to provide you with instructions as to
how you may remove the XCP uninstaller files from your computer, curing any
associated security risk.
Follow these instructions to remove the original uninstaller files:
…
And people
laugh at you
Analysis
Sony BMG has made a prudent decision — after more than ten days of intense
criticism from industry observers and consumer advocates — to end the use of
its highly controversial DRM technology. This will help the company recover
from what has become a serious public-relations problem, but Sony BMG still
faces lawsuits filed by PC users who allege that their PCs have been damaged
by the technology.
What makes the Sony BMG incident even more unfortunate is that the DRM
technology can be defeated easily. Gartner has identified one simple technique:
The user simply applies a fingernail sized piece of opaque tape to the outer
edge of the disc, rendering session 2 — which contains the self-loading DRM
software — unreadable. The PC then treats the CD as an ordinary single
session music CD, and the commonly used CD "rip" programs continue to work
as usual. (Note: Gartner does not recommend or endorse this technique.)
Moreover, even without the tape, common CD-copying programs readily
duplicate the copy-protected disc in its entirety.
Subject: Winsock 2 LSP Problems.
From: "Ceri Coburn"
Date: Thu, 15 Aug 2002 12:19:23 +0100
Hi, I am having problems with creating a winsock LSP. I am going of the LSP
example that's in the Platform SDK. I can get the ws2_32.dll to call
WSPStartup but when debbuging an application that uses winsock they fall
over with the following error:- (558.55c):
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling. This
exception may be expected and handled.
eax=00000001 bx=00000000 ecx=00000202 dx=00dfd740 esi=0013eb08
edi=00000202
eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010246
kernel32!InterlockedIncrement+9:
77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????
Anybody got any ideas on why it's doing this?
[http://www.osronline.com/lists_archive/ntfsd/thread2716.html]
I think I have the right man
Note: If this seems rather personal, it’s here because the
seminar was combined with one by Hugh Glaser on using
the Semantic web to track personal identity.
XCP is not Sony BMG’s only
broken content protection
software
[http://www.eff.org/IP/DRM/Sony-BMG/MediaMaxVulnerabilityReport.pdf]
And of course the patch is
insecure
[http://www.freedom-to-tinker.com/?p=942]
Moral
Where was driver signing in all this?
Why do users need to install drivers?
Why do you need to be an
Administrator (Power User) to do stuff.
Does anybody understand ACLs?
Privileges?
[http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx]
“How to Shoot Yourself in the Foot with Security, Part 2:”
Some stuff is just language
design mistakes
class Crash {
public static String wallop() {
return "Crash";
} E:\D1\Temp>javac prog.java
} E:\D1\Temp>java prog
class Bang extends Crash {
I'm a Crash
public static String wallop() {
return "Bang";
}
}
public class prog {
public static void main (String[] arg) {
Crash b = new Bang();
System.out.println("I'm a " + b.wallop());
}
}
Good bedtime reading
Some is just lazy interfaces
[WebMethod(Description="Shipping Status")]
public string GetShippingStatus(string Id) {
string Status = "No";
string sqlstring ="";
try {
SqlConnection sql= new SqlConnection( @"data source=localhost;" +
"user id=sa;password=password;" + "initial catalog=Shipping");
sql.Open();
sqlstring="SELECT HasShipped" + " FROM detail " +
" WHERE ID='" + Id + "'";
SqlCommand cmd = new SqlCommand(sqlstring,sql);
if ((int)cmd.ExecuteScalar() != 0)
Status = "Yes"; }
catch (SqlException se) {
Status = sqlstring + " failed\n\r";
foreach (SqlError e in se.Errors) {
Status += e.Message + "\n\r"; } }
catch (Exception e) {
Status = e.ToString(); }
return Status; }
Bugs
Connecting to the SQL database as sa, the sysadmin
account.
The sysadmin account has an easy-to-guess password.
The code is susceptible to SQL injection
If the SQL communication fails, the Web service will
send a great deal of data back to the attacker,
including the text that makes up the SQL statement.
DoS: An invalid SQL statement will cause SQL classes
will throw an exception. However, the connection to
SQL Server will not be closed. Eventually, it will be
garbage-collected.
This is an example from a how-to book…
A lot is bad lexical structure
Messages to the TSI are delimited by ENDOFMESSAGE\n.
These messages are untainted simply by removing the
trailing ENDOFMESSAGE, without attempting to parse their
contents. This is accompanied by the comment:
# I trust the source! and the setuid/setguid is downgrading!
A particular case, when talking to a real NJS, which
frightened us was the possibility of a malicious client
generating an AJO that contains file imports, where the
filename has embedded within it something like:
ENDOFMESSAGE\n#TSI_IDENTITY victim
NONE\nENDOFMESSAGE\n#TSI_EXECUTESCRIPT\n...hostile
script...\nENDOFMESSAGE\n
(all on one line)
Modern OO Language
security is far too complex
It is well known that passing objects back to trusted code from untrusted routines can be a
general source of difficulty. The key point is that, if trusted code allows untrusted code to
“handle” one of its objects, then it is usually essential that the object be “final” so that
the untrusted code cannot subclass it to introduce misbehaving methods.
It turns out that the Bouncy Castle package (used by Globus and Unicore) has just the above
vulnerability. This turns out to be useful. The Interactive Job facility has to authenticate
an SSH, not SSL, channel. The protocols differ and it does not seem to be possible to
authenticate an SSH channel without direct access to the private key. This is achieved in
InteractiveJob using the following snippet of code:
import org.bouncycastle.jce.X509V3CertificateGenerator;
/** Class which impersonates a X.509 certificate generator in
* order to retrieve a private key from a X.509 certificate. */
class PrivateKeyExtractor extends X509V3CertificateGenerator {
private X509Certificate cert;
private PrivateKey privateKey;
public X509Certificate generateX509Certificate
(PrivateKey privateKey) {
this.privateKey = privateKey;
return null; }
public PrivateKey getPrivateKey() {
return this.privateKey; } }
The code exploits the fact that X509V3CertificateGenerator is not a final class and simply
subclasses it to introduce a key-stealing method which, in this case, is used only for SSH
authentication.
These is a rather trivial (published) example, based
on a real operational code and a popular open source
library.
OO Language security
Some sources of complexity:
Class loaders.
Managing class search order, especially for
callbacks.
Thread.getContextClassLoader()?
Debugging
Security configuration loading
Backdoor constructors, eg deserialisers, clone
Never mind distributed,
concurrency still doesn’t work
Java:
Infinite starvation: Wot no Chickens
[http://www.cs.kent.ac.uk/projects/ofa/java-threads/0.html]
Efficient locks: Specific Notification
[http://www.profcon.com/profcon/cargill/jgf/9809/SpecificNotification.html]
The memory model
[http://www-128.ibm.com/developerworks/java/library/j-jtp02244.html]
And the Inheritance Anomaly:
You can try to fix it with
patterns
java.util.concurrent
Executors
Queues
Timing
Synchronizers
Or with Aspect Oriented
Programming
Does this just split out the bits that don’t
inherit?
Microsoft XAML splits classes between
“declarative” (GUI, workflow) and code
(business logic). Is this usefully related to
Aspects?
How does XAML relate to classic MVC?
Can we deliver Aspects using (custom)
attributes?
What about Jeeg?
Web Service Semantics are
out of control
Web Service Execution Environment
(WSMX)
Michal Zaremba
System Architecture
2005 OASIS Symposium
System Architecture
Request to discover
Web services.
May be sent to adapter
or adapter may extract
from backend app.
2005 OASIS Symposium
System Architecture
Goal expressed in WSML
sent to WSMX System Interface
2005 OASIS Symposium
System Architecture
Comm Manager component
implements the interface
to receive WSML goals
2005 OASIS Symposium
System Architecture
Comm Manager tells core
Goal has been recieved
2005 OASIS Symposium
System Architecture
Choreography wrapper
Picks up event for
Choreography component
2005 OASIS Symposium
System Architecture
A new choreography
Instance is created
2005 OASIS Symposium
System Architecture
Core is notified that
choreography instance
has been created.
2005 OASIS Symposium
System Architecture
Parser wrapper picks up
event for Parser component
2005 OASIS Symposium
System Architecture
WSML goal is parsed to
internal format
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
Discovery is invoked
for parsed goal
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
Discovery component
requires data mediation.
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
After data mediation,
discovery component
completes its task.
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
After discovery, the
choreography instance for
goal requester is checked
for next step in interaction.
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
2005 OASIS Symposium
System Architecture
Next step in choreography
is to return set of discovered
Web services to goal requester
2005 OASIS Symposium
System Architecture
Set of Web Service descriptions
expressed in WSML sent to
appropriate adapter
2005 OASIS Symposium
System Architecture
Set of Web Service descriptions
expressed in requester’s own
format returned to goal requester
2005 OASIS Symposium
A semantic grid needs
Ontologies: What side effects will happen?
Telescope or Missile?
Protocols: WSDL gives only signatures
Provenance: Is it really a bank?
Do we need reasoning/search?
XPath?
Relational query?
Description logics? Religious wars
Frame logics?
Monotonic?
Security is in for a shake-up
Globus GSI, Proxies
Unicore signed AJOs
OMII PBAC
Public Key Infrastructure
Triumph of the Librarians
Shibboleth, SAML
[http://shibboleth.internet2.edu/]
Computer Engineering
Is about building artefacts
Artefacts for people to use
Brian Reid, Scribe
What do we remember?
Donald Knuth
Leslie Lamport
Can we contribute to
emergent systems?
The most important unanswered question in evolutionary biology,
and more generally in the social sciences, is how co-operative
behaviour evolved and can be maintained in human or other
animal groups and societies1.
At first sight, the answer may seem obvious: if you are a marmot,
the small risk attendant on giving an alarm call is outweighed
by the larger benefit you derive from alarm calls from other
group members. The problem is the vulnerability of any such
system to “cheating” —enjoying the defensive group benefit,
but yourself never incurring the risk of uttering an alarm call.
Such “cheats” prosper in evolutionary terms, enjoying the group
benefits without the costs and, by so prospering, making it
difficult for the cooperative benefits to be maintained.
An example closer to home in recent years is the decline in
voluntary up-take of the MMR vaccine in the UK (seeking to
avoid any putative risk to your children, whilst implicitly relying
on others to keep “herd immunity” high by vaccinating their
children), resulting in rising incidence of measles2.
Lord May
THREATS TO TOMORROW’S WORLD
[http://www.royalsoc.ac.uk/downloaddoc.asp?id=2414]
[Podcast: http://www.royalsoc.ac.uk/page.asp?id=3966]
So what do we do?
No new languages: no community.
Don’t expose theory to users.
In the US, it’s bad taste to admit you are
numerate.
Simple tools for safe programming in the
real world (ie Visual Studio). eg,
security configuration analysis
concurrency validation
Aspects
Make it easy to do the right thing.