Saturday, December 17, 2005

Microsoft is moving the GUI code back out of the kernel in Vista according to this article. This is bad news: Finding local priviledge escalation bugs might become hard in the future.

The move of the GUI into the kernel (done with NT 4.0) was a misguided attempt at increasing performance in order to get people to switch from Win9x to NT - something that did not work until Windows 2000 / XP really. A lot of headaches (outside of the usual out-of-bounds-memory-access-bugs) were created by that move (shatter attacks etc). From the defender's standpoint, this totally makes sense. I have a feeling that security-wise the gulf between MS and all other closed-source vendors (which have to operate under market conditions and thus can't pump a few billion into security) is widening.

Coming back to audit "random" closed source code after having worked on MS binaries is a bit like auditing a "random" open-source project after having spent time on well-audited bits of OpenSSH. You're surprised that things can be so easy.

Tuesday, December 13, 2005

Blogging is strange. You write down a few lines of half-coherent something under the delusion that nobody is reading the blog, and out of a sudden you show up cross-referenced in blogs that you read yourself regularly. With such a large crew blogging at Matasano (what used to be Thomas Ptacek's blog) they have a blog-update-frequency that leads to their blog being about as productivity-destructive as slashdot.

I am seriously flattered to be mentioned there (and scared that my rants are actually read).

One of today's posts there mentions DJB's crypto algorithms, specifically Salsa20. Now, I am not a cryptographer, but I do not trust Salsa, for a variety of reasons:
  • It looks too much like MD4/MD5.
  • We have very limited understanding on why a wild mixture of ADD/XOR/ROL would produce equation systems that are hard to solve. Yes, nonlinearity over GF(2)^32 and over Z/2^32Z are given by mixing boolean functions and addition, but this paper gives some pretty neat insight into how just mixing ADD/XOR (without the ROL) is trivially solvable. I don't trust a single rotation that much.
  • Avoiding integer multiplication (whose representing BDD can grow exponentially with the number of bits and is thus hard to model using the methods in the paper) is something which I would not do - I know DJB cares a lot about timing, but given the choice of potentially leaking a few cycles and making the output of an operation ridiculously complicated (while at the same time tackling the problem of weak differential propagation in the high-order bits) I chose the latter.
  • DJB might be over-emphasizes timing. His AES S-Box stamps RDTSC output into packets, which is many orders of magnitudes more precise than any measurement you will get IMHO. True, caching issues (and cache alignment issues) can easily eat up 100 cycles, but that is still a lot less than a timer tick, the measure that in the most optimistic scenarios you'd be likely to get.
All in all, I do not trust systems built on just mixing ADD/XOR/ROL. There is a reason for the name of this blog.
Allright, I have 8 minutes of free time before I need to run to the computational algebra lecture, and I will spend it by dropping a few thoughts about Dan Geer's "login"-article advocating moving away from a monoculture.

My two points on his proposed 'artificial diversity':
1) It will increase resitence against total extinction. A worm will need more than one bug to wipe all harddisks.
2) It will also make sure that skilled attackers will get their hand on useful information.

So please do it. Listen to Dr. Geer.

The (brief) reasoning: Let's take the pool of computers in an organisation. Lets also take a useful piece of information (for example, a source tarball) and distribute it randomly on a small subset of the computers in the organisation. In the monoculture example, I would need an exploit for the monocultureOS. In the diversity example, I need an exploit for any of the OSs on which the information that I want is stored. Joy. Please diversify !

Saturday, December 10, 2005

One of the lectures I am attending, "Algebra and Algebraic Geometry from an algorithmic perspective", is, while often interesting, also insanely frustrating: The professors assistant poses the exercise problems, but does not synchronize progress with the professor (who lectures, but frequently drifts off on a tangent, leaving the students confused as to wether they are "on a tangent" or "on the lecture subject"). This puts us in the situation that we usually get the theoretical background needed to solve a given exercise sheet one to two weeks after the sheet had to be handed in. After some somewhat-fruitless long hours on the last sheet, I was advised that the proof I am looking for can be found in Grothendieck's "EGA IV". Trying to find EGA IV via google, I stumbled over Grothendieck's nonmathematical writings. They are surprisingly interesting to read:

http://acm.math.spbu.ru/RS/