AES comic
Posted on November 24, 2009 by Jorrit Kronjee
Filed Under Cryptography
I haven’t had a lot of spare time lately, which is why it’s been quiet here. I’m hoping I’ll have time this weekend to post something new (and wildly exciting), but for now, I’ll just post this link to a comic about AES.
low bandwidth DoS attacks and TCP (part IV)
Posted on September 13, 2009 by Jorrit Kronjee
Filed Under TCP/IP, in the media
Oh yes! Just when it started to seem unlikely, there’s news surrounding the bug Lee and Louis claim to have found. CERT-FI updated their advisory and multiple vendors have released software updates including Microsoft and Cisco. And Linux? Oh, that kernel was already safe since April 2008 (2.6.24 is the last vulnerable kernel on the list). Which makes me wonder even more: What is Red Hat doing? They posted the following puzzling statement about the issue:
“These attacks target design limitations of the TCP protocol. Due to upstream’s decision not to release updates, Red Hat do not plan to release updates to resolve these issues; however, the effects of these attacks can be reduced.”
And then it goes on to explain how the effects can be reduced by limiting connection rates. But what are they really saying? Are they blaming upstream for not releasing updates? Because in this case, their “upstream” has released updates. Just not for kernel 2.6.18 (Yes, apparently Red Hat still uses a kernel from 2006!).
Also, I wonder if their workaround is very effective, since nothing in the CERT-FI advisory really points to opening connections at a very fast rate. Or to put it in their exact words:
“Sockstress is an user-land TCP socket stress testing framework that can open an arbitrary number of sockets. The attacks use different variations in terms of payloads, window sizes and stalling TCP states. The attacks take advantage of the exposed resources the target makes available post TCP handshake, namely kernel and system resource such as counters, timers, and memory pools. The attacks do not require significant bandwidth.”
Should “arbitrary” be read as “large”? Is “opening many connections” “taking advantage of the exposed resources”? I honestly don’t know and I get the feeling that most people don’t either. One security blog I came across even stated that CERT-FI released sockstress to the public, which doesn’t seem like a thing a CERT would do. What sockstress is and does remains to be seen.
So I decided to take a stab at it and build two very crude Python scripts. One that sends SYN packets to a target host and one that responds to SYN/ACKs and TCP keepalives on the wire. It didn’t take me long to completely take up all the connections my webserver on the other side could handle. It was interesting to see that the webserver did become unresponsive, but as soon as I turned my scripts off, it returned.
I don’t think this is all there is to it, though. There must be more to this story and now that there’s finally a response from multiple vendors, I’m sure of it. I guess we are just going to have to wait a little bit longer for a PoC.
HAR2009 and TARMAC
Posted on August 17, 2009 by Jorrit Kronjee
Filed Under conference, tarmac
Since I haven’t posted here in a while, I thought I should tell everyone that I’m still alive and talk about the things I’ve been working on (but mostly, not working on).
I just came back from HAR2009. Although I’m still a little sleep deprived (even though that doesn’t necessarily have to be bad), I can honestly say that it was an interesting four days of lectures and workshops.
On the other hand, not being able to fall asleep because of some French guys hacking away and playing music next to our tent and waking up too early because of some Germans looking for breakfast was a little bit of a nuisance. And hackers really don’t know how to party (who wouldn’t jump if someone plays House of Pain – Jump?).
But anyway, let’s not be petty. I had fun. I won’t talk about all the lectures, but I thought I should mention a couple that I think deserve some attention.
The first one is Dan Kaminsky’s presentation about the exploitable parsing problems with X.509. Although this particular bug he revealed was already presented by him a few weeks ago at Black Hat USA, he explained it again for us at HAR2009 and I must say, he does that pretty well. He drew enough attention for the whole tent to be packed (I suppose he was also the biggest celebrity at HAR2009) and managed to keep us all interested until the very end. He’s a very good presenter and is able to make a point, which is probably why he’s able to convince vendors to fix the bugs he finds. His drinking behavior (during the presentation, he regularly drank from a Jack Daniels bottle) tells a different story, though, and I wonder if that’s all the attention taking its toll. Stay sober, Dan!
The second one was a late evening presentation from Mike Brennan, which we almost didn’t go to. At first sight, it seemed like a rather boring presentation: honestly, who cares about stylometry? But when I finally saw it, I realized that it actually was something I had been working on (unsuccessfully) in the past. So what is stylometry? In short, it’s the study of linguistic style. All of us have a certain vocabulary that we pick words from. These preferences for certain words, together with grammar and sentence length make a style unique. This is why stylometry could be used to distinguish authorship for texts where the author tried to stay anonymous.
Brennan explained to us that with certain stylometry techniques he’s able to find the author of a text with an accuracy of 68-91% among a group of test subjects, which I thought was quite high. However, the same accuracy holds true if the subject is asked to imitate a style of a particular American author. So, if someone wants to, they can easily fool current stylometry techniques.
Although I’m not entirely sure what, I really feel that I should do some research on stylometry some day. I guess I will have to think about it.
The last presentation I’m going to mention is All Your Packets Are Belong To Us by Daniel Mende and Simon Rich. Although the presentation attracted quite a crowd, the actual result was a little bit disappointing. With a title like that and a description like this “We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today’s carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like)”, I expected a little bit more than a few basic MitM-attacks. I mean, come on, we all know that MD5 is broken and we all know that once a peer sees you as trusted, you can do bad stuff, why do we need to recycle this over and over? Keep in mind that in the 90s people still used RIP as routing protocol on Internet Exchanges, so we’ve come a long way since then. But yes, routing is still a matter of trust and I don’t think that’s very likely to change in the foreseeable future.
So that was HAR2009 for me. I would also like to mention that my project (Pattern analysis of wireless communications) is actually starting to take shape. I got a small PoC working, but I still need to do some cleaning up and remove a few static references. I’ve decided to call it TARMAC (Traffic Analysis Revisited using MArkov Chains), which is – I discovered later – apparently also an Ubuntu project. Maybe I’ll just write my project with all capital letters to stay different or maybe the other tarmac will just disappear (their mailing list has only one e-mail, it’s doomed to fail!). I suppose I could always use Firebird as a name. Oh, wait, that has been taken already as well?!
So stay tuned for more tarmac news! Uhm, TARMAC!
WiFi networks and malware epidemiology
Posted on April 5, 2009 by Jorrit Kronjee
Filed Under malware, router, wireless
Reading up on security news, I found this paper about WiFi networks and malware epidemiology. Although I know jack all about epidemics and their infection rates, I do know a thing or two about wireless routers and their security, so I thought I should put my two cents in.
The paper states that malware could theoretically propagate from router to router using ad-hoc wireless networks. This is based on the following premises. Since most routers still use no or limited encryption (e.g. WEP), building an ad-hoc wireless network between two routers should be possible. Furthermore, most users don’t change the default administrator password, making the actual malware infection feasible.
The paper then goes on to describe how a malware infection could spread in a densely populated area like Chicago, where many wireless networks overlap each other. It ends with the following conclusion:
“Based on this work, we note that there is a real concern about the wireless spread of WiFi based malware. This suggests that action needs to be taken to detect and prevent such outbreaks, as well as more thoughtful planning for the security of future wireless devices, so that such scenarios do not occur or worsen with future technology. (…) Lastly, it is highly likely that we will only see the proliferation of more wireless standards as time goes by, and all of these standards should consider the possibility of such epidemics.”
And this is where I disagree. Yes, it’s true that routers can be infected (I can’t disagree even if I wanted to, not since the discovery of psyb0t) and yes, that might happen through an ad-hoc wireless connection. In practice, however, it is an extremely complex ordeal.
First of all, wireless routers can’t make ad-hoc connections. I’m sure their hardware supports it, but the firmware doesn’t and why would it? Your laptop/computer/Nintendo Wii is supposed to make the connection to the router, not the other way around.
So, the malware is going to have to be equipped with some code to make a connection. Maybe in some cases they left a few hooks available in the firmware that can be abused, but a lot of the time you’re going to have to write parts of the driver yourself. And not every wireless router uses the same chipset. Unless you’re targeting a specific regional ISP that has standardized on a certain type of wireless router (and don’t forget, the maximum level of encryption it’s allowed to use is WEP for this to work!), you might be out of luck.
Second, wireless routers don’t all use the same hardware. Sure, more and more routers are MIPS-based and run some form of Linux with busybox, but it’s certainly not standardized. You could fix this by making your malware statically compiled, but you can’t make your malware too big, since the available flash memory on a typical router is limited to a few MB.
Lastly, why would you use the wireless network as a point of entry? psyb0t proves that using the Internet to infect routers is certainly feasible and it allows wireless routers that are not in the vicinity of each other to propagate the malware. Using the wireless connection just makes it harder without any benefits.
In conclusion, I believe that the epidemic as described is very unlikely to occur. More and more routers have WPA-encryption set as default. Those that don’t have no standards to rely on, making malware hard to program and therefore less dangerous and less contagious. While I do believe that router infections will become more common in the future, I don’t think wireless networks will be used for propagation, at least, not anywhere in the foreseeable future.
These were my two cents.
phentropy revisited
Posted on February 17, 2009 by Jorrit Kronjee
Filed Under RNG, pattern analysis
I’ll have to admit something. The title of this post is a little bit misleading. This won’t be exactly like Dan Kaminsky’s phentropy pictures, nor is it as awesome as Michal Zalewski’s research on TCP/IP sequence numbers. However, it is a study of RNGs. RNGs (Random Number Generators) – sometimes called PRNGs (Pseudo RNGs) to specify the non-randomness – are algorithms that create random numbers. These random numbers can be used for a multitude of things like shuffling your playlist or making the Tetris brick that looks like a hook appear, but also cryptography. In that case, random numbers are used to generate random keys.
Okay, so what did I do? Well, I didn’t quite study the RNGs used in popular encryption software nowadays. Instead I’ve decided to just look at general purpose RNGs and see what I could get. Hopefully this study will spur some ideas in the future.
To study them I took 50,000 samples from a few general purpose RNGs. For every RNG, this resulted in a sequence a_n. I then used the following equations to determine the xyz-coordinates and plotted these points in a 3D space with gnuplot.



The purpose of 3D plotting is to visualize how random a RNG can be without having to see the algorithm behind it. I realize that this is not all and that a lot more needs to be verified before someone can truly say that it’s cryptographically strong enough, but let’s save that for another post.
So first up is the Mersenne Twister. For this test, I’m using the PHP implementation of the twister, namely mt_rand(). This produced the following image.
The different colors specify the amount of clustering in a certain area. I used the following equation to group points together (I know this is essentially cheating a little):

(where m is an integer number)
Yellow means the most dense and red means the least dense. Anything in between is orange. As you can see, the twister produced an even distribution of points within the cube.
Next one is bash’s $RANDOM variable. I don’t really know how $RANDOM gets its value, because I haven’t looked at bash’s code, but my guess is that $RANDOM gets filled by subsequent calls to rand(). Again, I retrieved 50,000 samples and plotted them in a cube. Although the scale is a lot smaller (maximum value is 32,767), it still shows a pretty even distribution of values. Nothing spectacular there.
So, hoping to get more interesting results, I tried Windows XP’s %RANDOM%, which can be used in batch scripts since Windows 2000.
But again, an equal distribution of numbers, so no dice.
I got a little bit tired of looking at the same pictures over and over again, so I started looking for trouble and found a couple of RNGs that were known to be bad. One of them is John von Neumann’s Mid-square method. The method is pretty simple; take a seed, do seed², take x number of digits from the middle and use that as the result. The new seed will be the current result. 50,000 samples later this picture came to life:
Although the mid-square method does generate seemingly random numbers, it has one big flaw: once the seed reaches zero, the method will output zeros forever. This is why, in the cube above, you see only red dots and one big yellow dot at (0,0,0).
The last one I wanted to try was RANDU. RANDU was originally designed with simplicity in mind, which is why the following equation can be implemented using just a handful of bit manipulation operations:

So, again, I generated 50,000 samples … yadiyadiyada, and then this picture appeared:
At first glance RANDU seems pretty random. An equal distribution of numbers and aside from there being a lot more yellow dots, I wouldn’t say it was flawed. But then, I turned the image around:
As you can see, instead of being scattered RANDU generated 15 planes in a 3D space. Not surprisingly, RANDU is – to my knowledge – not used as a randomizer anymore as this is simply not random enough. Or as Donald Knuth puts it: “…its very name RANDU is enough to bring dismay into the eyes and stomachs of many computer scientists!” Oh, that Donald…
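The two failure modes above (mid-square collapsing to zero, RANDU's 15 planes) can be checked numerically without a plot. This is an added example, not the code used for the post: RANDU's multiplier 65539 and modulus 2^31 are its published constants, while the 4-digit mid-square width, the use of consecutive triples as points, and all function names are assumptions.

```python
# Added example (not the post's code). RANDU's constants are the published
# ones; the 4-digit mid-square width and all helper names are assumptions.
M = 2**31

def mid_square(x, digits=4):
    """One mid-square step: square, zero-pad to 2*digits, keep the middle."""
    s = str(x * x).zfill(2 * digits)
    start = digits // 2
    return int(s[start:start + digits])

def mid_square_tail(seed, limit=50_000):
    """Iterate until a value repeats; return (steps taken, repeated value)."""
    seen, x = set(), seed
    for step in range(limit):
        if x in seen:
            return step, x
        seen.add(x)
        x = mid_square(x)
    return limit, x

def randu(seed, n):
    """n outputs of RANDU: x_{k+1} = 65539 * x_k mod 2^31, seed odd."""
    out, x = [], seed
    for _ in range(n):
        # 65539 = 2^16 + 2 + 1, so one step is two shifts and two adds.
        x = ((x << 16) + (x << 1) + x) & (M - 1)
        out.append(x)
    return out

def randu_planes(seq):
    """Plane index k for every consecutive triple (x, y, z).

    65539^2 = 6*65539 - 9 (mod 2^31), so 9x - 6y + z = k * 2^31 exactly,
    and with 0 < x, y, z < 2^31 only k = -5 .. 9 is possible: 15 planes.
    """
    planes = set()
    for x, y, z in zip(seq, seq[1:], seq[2:]):
        k, rem = divmod(9 * x - 6 * y + z, M)
        if rem:
            raise ValueError("not a RANDU sequence")
        planes.add(k)
    return planes

if __name__ == "__main__":
    print("mid-square from 1000:", mid_square_tail(1000))
    planes = randu_planes(randu(1, 50_000))
    print(len(planes), "planes:", sorted(planes))
```

The same linear relation means any output can be computed from the two before it, which is why a generator like this is unusable for key material regardless of how even its histogram looks.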
After having done all this, I feel this was all for naught. Although I have learnt a new way to look at RNGs, I was not really able to uncover anything we didn’t already know. During the tests I did find other new ways to test RNGs and perhaps next time I will apply these techniques to these RNGs, but for now this will be it.