Comments by "Mikko Rantalainen" (@MikkoRantalainen) on "Low Level" channel.

  1. I think this is the modern variant of "Reflections on Trusting Trust" by Ken Thompson.
    112
  2. Exploits like this could be described as attacking the bug in virtual hardware which allows taking control of the rest of the hardware (host environment). The reason this is possible is because technically the interface between the host machine and virtual machine is represented as hardware to the virtual machine and device drivers inside the virtual machine interface with this "hardware".
    8
  3. I think that if you don't use RAII and exceptions, you shouldn't bother with C++ at all. Just use modern C. Yes, that requires writing wrapper code for all incorrectly (that is, without RAII and exceptions) written C++ code.
    8
  4. I maintain multiple servers and my go-to rule with even throwaway shell scripts is that all input must be considered unsafe. Always encode data as data regardless of the programming language you use and all injection attacks immediately vanish everywhere.
    5
  5. I totally agree. VPN should be considered geo blocking circumvention method. If you need anonymity, use Tor instead. If you need to defend against MitM attacks, use TLS instead.
    5
  6. And TP-Link seems to actually support their products, unlike e.g. D-Link which tells their customers to purchase new hardware when they have built-in remote exploit due ridiculously poorly written firmware.
    5
  7. Since the bug is inside image stored in squashfs, you would need to first fix in the firmware image, then somehow get the firmware checksums to match to get the hardware to install the firmware and then it would be fixed. Squashfs is a read only filesystem started from an image delivered via firmware image. Doing permanent changes to that is far from simple.
    5
  8.  @BillAnt  I would argue that China is perfectly capable in producing high quality software and hardware. However, when work is outsourced to China, it's not made to increase quality but reduce costs. So the order from China is "make it as cheap as possible and then some" instead of "please, make high quality software". Apple outsources iPhone manufacturing to China, too. Most people seem to think that being quite high quality product.
    4
  9. 2:57 I don't know if it's because of my math background but I actually like single letter variable or pointer names within a single function but the public interface (function signature) shall not use single letter names. And the function implementation shall be short enough to only need use of 3–5 variables. The code ends up looking something like i = ... p = function_argument_x->public_function_name(i); return p->next; or something like that. Having long names for i and p will not improve readability when you only need to remember the name for the next line. And obviously you choose the single letter to match the function name that was used to set the value of said variable.
    3
  10. Just change consumer protection laws to force built-in software to be included in warranty. If the manufacturer refuses to fix a known vulnerability, you should be able to return the device for full refund. It shouldn't matter if the manufacturer is local or some foreign country.
    3
  11. C++ was first published in year 1985 and still it doesn't have standard stable ABI today. I would want to see faster progress to standard stable ABI for Rust, but it is definitely not needed to be successful on the market. With C++ you have somewhat stable ABI if you don't mix compilers and do not mix major versions of a single compiler either. I think code using STL should be stable since year 2017 or so, and as a result, you can have ABI stability if you don't use too complex features today.
    2
  12. It's 100% safe to say that CrowdStrike's is not doing mutation testing for their kernel mode driver and that's scary!
    2
  13. And even in countries with consumer protection laws, the manufacturer can get away with EULA saying that the software is delivered as-is. Consumer protection laws are often written in style that covers only manufacturing issues, not design issues, unfortunately.
    2
  14.  @mikaay4269  Sure but most non-developers fail to understand why the software as-is is not acceptable if the software cannot be easily replaced by the end user. I wish EU had consumer protection laws saying that if the software comes pre-installed in hardware, it must be covered by the warranty of said hardware.
    2
  15. I definitely don't agree with indenting code with spaces. My rule is simple: at the start of line, only tabs are allowed as the whitespace and after first non-tab character, no tabs are allowed at all. This allows every engineer to set their tab width just like they want it and the code still has identical logical indention for every engineer. If a line must be indented two levels, it has two tabs. And if the engineer wants to see it as 4, 6, 8, or 16 character wide indentation, they can adjust their editor as they like it.
    2
  16. I'm using gcc so I use flags -pedantic-errors -Wall -Wextra -Werror -fsanitize=undefined
    1
  17. The only reason this has CVSS base score 10/10 is because the "Security Researcher" that reported this issue wanted to have "Rust 10/10 CVE" in their CV. This is not a security vulnerability in Rust but in the piece of software that uses Rust to launch a .bat file and gives it the user input as parameter. If I write a piece of PHP code that executes "bash -c $escaped_userinput" where $escaped_userinput = escapeshellarg($userinput) call, it's not a security vulnerability in PHP nor bash but in my code only. Windows .bat files simply execute strings even without "-c" flag.
    1
  18.  @timewave02012  See some papers from BADA55 team. For example, " How to manipulate curve standards: a white paper for the black hat" which describes how contants such as cos(1) (a transcendental number) result in non-random encryption. Sure, creating test data from values such as pi, e, cos(1), sqrt(2) is much better than having opaque random data but it's not automatically safe either.
    1
  19. 23:40 I disagree that the code should not be visible. However, the data used to compute credentials should not be readable from the client.
    1
  20.  @nomore6167  The difference is that string handling is easy in PHP. It takes next to no time to verify all user input against expected syntax regex (e.g. preg_match("#^[A-Za-z0-9]+\$#", $name)) to verify that the user input for name contains only upper and lovercase letters or decimal digits). However, when you then try to make similar stuff in plain old C, even checking the length of user input given as string is an adventure itself: do you have the length of input somewhere or do you assume that it's safe to scan for next null byte and stop there?
    1
  21.  @THB192  XKCD 927 comes to mind. IT doesn't feel like standard ABI for me unless you mean that you can find some compilers that can agree on ABI.
    1
  22.  @THB192  True, there's some compatibility between some C++ compiler vendors but no standard as C++ spec in general.
    1
  23.  @THB192  It also helps that the operating system practically defines ABI for C programs.
    1
  24. You left out the most interesting question: if you run the same fuzzing against the latest version, will it still find crashes? Or is this the part that we're not supposed to talk while they are fixing the stuff that you reported?
    1
  25.  @eshark11  If you mean the part around 10:15 he demonstrates that the same crash no longer happens. However, what I would have expected to see would have been running the whole fuzzing process against the latest version. Around 4:16 we can see summary of the first fuzzing session that resulted in 32 saved crashes and 4222 total crashes. If I understood the end of the video correctly, only one of these was checked against the latest version.
    1
  26. 10. Avoid off-by-one errors.
    1
  27. I would argue that this is actually a security vulnerability in Windows .bat execution instead of vulnerability in Rust. Unlike in POSIX shells where the command line is parsed and executed by the shell and arg() correctly encodes the arguments, Windows .bat execution takes the correctly encoded user input as a single parameter and then internally make another interpretation of the arguments! The reason windows binaries do this is because their command line is too stupid to do any processing so all processing must be re-implemented by every program you run. And as usual, you MUST encode all untrusted user input in a way that's appropriate for the context and for this case, you need double encoding: encode once for .bat argument syntax and another time for the Rust Command syntax where the arg() is the correct solution. This is similar to having to encode a piece of user input as JavaScript string and add another encoding step to encode the JavaScript as part of HTML input. Failing to do either of the two required steps results in injection attack. Current Rust doesn't have a "bugfix" for this vulnerability. Instead they fixed the documentation to explain this to Windows developers that may not be aware of this Windows behavior: "On Windows use caution with untrusted inputs. Most applications use the standard convention for decoding arguments passed to them. These are safe to use with arg. However some applications, such as cmd.exe and .bat files, use a non-standard way of decoding arguments and are therefore vulnerable to malicious input. In the case of cmd.exe this is especially important because a malicious argument can potentially run arbitrary shell commands." On Windows, there are no generic safe way to encode command line arguments as data. The correct encoding depends on the command you execute. And as a result, arg() cannot be modified to have generic safe encoding for all commands.
    1
  28. Around year 1995 the CGI was literally command line executables forked and executed by the web server with stdin and stdout connected to the browser. And fork per incoming request! I guess the D-Link software quality has improved about zero since year 1995.
    1
  29. The complexity of this attack smells a lot like nation-state level stuff. The usual suspects for such things would be USA, Russia, China and North Korea.
    1
  30.  @hughcaldwell1034  I did CS major and maths minor but I think it makes sense that the end result is almost similar.
    1
  31. Even though I like C, I'd argue that it's impossible to practically write secure C programs. Linux kernel is written in C by elite programmers (let's face it, kernel mode programming is not for beginners) and all code is reviewed by other elite programmers before it is accepted in the Linux kernel. And yet we see a lot of security vulnerabilities in Linux kernel every year. If you write new C code, do you really think you can write much better code than Linux kernel developers? I think I'm pretty good with C but I don't pretend to be mistake-free. As a result, C shouldn't be used for programs that cannot contain memory safety issues or deadlocks – both of which are total non-issues if you're using Rust without unsafe blocks.
    1
  32.  @nomore6167  I agree. This serious security vulnerability has been in the product since day 1 and it would have been found earlier if somebody had ever bothered to do the same task that this video describes.
    1
  33. 27:15 Wow! I didn't expecte Cox to be able to hot-patch the vulnerability in day! With this big vulnerability, I was expecting the code to be outsourced and take at least a month to fix anything.
    1
  34. CVSS scores are interesting because recent XZ Utils backdoor was rated as 10/10, too, but it was 10 only for the attacker that knows the not-yet-published private key that matches the public key in the backdoor. For everybody else the CVSS score should have been maybe 3/10 because the backdoor can be used to increase CPU load and cause remote DoS because of consuming CPU resources.
    1
  35.  @arthurmoore9488  It's not eve a flaw in how cmd.exe parses arguments. It's a quirk of Windows .bat execution. Pretending that this is a Rust remote execution bug is like saying that if you write Rust code on Linux that looks like this Command::new("bash").arg("-c").arg(userinput).output().expect(); is a remote execution vulnerability! The fact that "bash -c" takes the rest of the arguments (given as text data!) as commands is not a vulnerability in Rust. The fact that Windows .bat files execute arguments without the "-c" flag is not a vulnerability of .bat files either. It's just a demonstration that the developer writing code that runs .bat file MUST understand the behavior of .bat files.
    1
  36. I'd argue that TP-Link is at least trying to improve their products because they take part in Pwn2Own and actually pay bounties for published vulnerabilities. As a result, their QA might suck but I don't think they are inserting known backdoors.
    1
  37. I still don't believe that we are forced to use this kind of crap services.
    1
  38.  @valizeth4073  C23 standard is being specified this year – what do you consider "modern"?
    1
  39. 11:08 I would argue that sprintf() may be actually safe here as long as there's nothing in the stack after the memory address they are running sprintf() output into. This is because OS takes care of extending the stack or killing the process if sprintf() tried to write too much output so there's no buffer overflow vulnerability for that part. Of course, passing the output to system() is definitely not okay. Zero error checking is also worth nothing here. Even without vulnerabilities, if e.g. adduser failed for any reason, this piece of crap would immediately proceed to blindly execute additional commands as root.
    1
  40.  @sousahenrique  I use assert()s to enforce the documented interface. Similar to Eiffel design by contract stuff. I don't like the Eiffel language but the design by contract idea should be embraced in any language.
    1
  41. I'd recommend learning Rust first and then C++ if you still feel like it. C++ is very complex language and doesn't provide much value over Rust in my opinion. C++ does allow writing high performing code but it also hands you invisible shotgun with a hair trigger which makes it really easy to blow your foot off. With C++ you can have identical looking code that fails to handle errors and code that does handle errors. With exceptions, the calling code may look identical (identical source code at binary level!) but one variant fails to handle errors correctly. With Zig and Rust, the error handling is always visible. With idiomatic Rust, you use Result<...> enums and mark possibly failing function call explicitly with single character "?" and otherwise the code can match the C++ version. This extra explicit "?" character makes all the difference. That clearly marks all the locations in the code that can potentially fail but do not pollute the code any further if you don't need extra processing but logically rethrow the error out of your function. However, Rust forces you to always handle data ownership and lifetimes which may be quite hard to get right at first, especially if you're trying to re-implement some algorithm that doesn't directly map to these concepts.
    1
  42.  @roiqk  I agree that learning is always good, too, but I'd recommend starting with Rust if you don't know C++ nor Rust. Historically C++ has been the language to know but it's really complex language and still cannot provide many of the nice features that Rust has and both have nearly identical runtime performance.
    1
  43.  @roiqk  My opinion is that you have to think about the same thing that Rust borrow system does automatically while you program in many other non-managed languages. When you understand how Rust works, you can understand the same idea in well written C and C++ programs, too. Except the compiler doesn't help even a bit in case of C and C++.
    1
  44. I personally use Allman-8 style with tabs for indentation and that's also the style most typically used to teach programming because it's the most clear style there is. Why would you want to use less clear style for "professional" code? I've been writing Allman-8 style for 20 years professionally and it's not a problem for "too wide" indentation. And I use tabs for indentation so colleagues that like less indentation can do that just fine. Just configure your editor to highlight any spaces at the start of the line in red or use a linter in your build routine to report and error if even a single space is used to indent any code.
    1
  45. I personally use Allman-8 style with tabs for indentation and that's also the style most typically used to teach programming because it's the most clear style there is. Why would you want to use less clear style for "professional" code? I've been writing Allman-8 style for 20 years professionally and it's not a problem for "too wide" indentation. And I use tabs for indentation so colleagues that like less indentation can do that just fine. Just configure your editor to highlight any spaces at the start of the line in red or use a linter in your build routine to report and error if even a single space is used to indent any code.
    1
  46. The rules seemed very reasonable. I'm basically following the same rules even for my hobby C projects so most definitely NASA should be doing this kind of stuff at minimum.
    1