Just Another Geek

In your second sentence, you have a spelling error...

2012-01-02T00:43:55.159+01:00

In your second sentence, you have a spelling error (should be 'platform').
I'm sorry, this is the only way I can contribute... I don't even know what a system call is :/

Just for the record, if your ssh-keygen's vers...

2011-11-03T14:57:33.506+01:00

Just for the record, if your ssh-keygen's version is 5.6+ and you have to sign 5.5's key, you have to force "-t v00" to ssh-keygen in order to generate 5.5 compatible certificates.

The approach of infecting the dynamic loader is ve...

2011-11-02T18:31:13.717+01:00

The approach of infecting the dynamic loader is very interesting to play with ELF format, and that can escape some detection methods relying on few known heuristics. But depending on the context (packages, exploit, simple download...), you'll be limited with user permissions if you try to "patch" this dynamic loader. So LD_PRELOAD is a good friend too, if you don't want to infect each ELF file.

Nice work :)

I don't understand what you mean by "Same...

2011-09-29T09:58:50.656+02:00

I don't understand what you mean by "Same thing at the same time"? I can still launch tabs or an Incognito Window if needed.

And what about when you want to use the same thing...

2011-09-27T15:09:59.892+02:00

And what about when you want to use the same things at the same time ?

Personally I use Firefox for connecting Gmail, social networks etc...
Things I don't want them to track ? I launch another browser (Chromium) and do them, simple. ;)

That's funny. You, being paranoid, continue to...

2011-09-27T13:51:33.389+02:00

That's funny.
You, being paranoid, continue to use Chrome. LOL.

Hello Christophe, Qubes OS is really interesting ...

2011-09-25T21:45:37.002+02:00

Hello Christophe,

Qubes OS is really interesting but I don't have try it yet because I don't have the required hardware.

Qubes is a little bit... overkill for my use. My current worry is privacy, not security bugs. For that matter, I have relative confidence in the SECCOMP sandbox (which you have to enable manually, see about:sandbox), even if the performance impact is not negligible.

see you

Nicolas, you change browser profile by Qubes isola...

2011-09-25T21:18:08.458+02:00

Nicolas, you change browser profile by Qubes isolation and you have the post of Johanna Rutkowska :) http://theinvisiblethings.blogspot.com/2011/03/partitioning-my-digital-life-into.html

PS : as asked by Pollux, have you tried Qubes ?

nice post !!

2011-08-09T18:32:00.025+02:00

nice post !!

Thanks ! nice feature :-)

2011-07-10T12:11:02.427+02:00

Thanks ! nice feature :-)

You can certifiy users too. There will be a talk a...

2011-07-07T11:03:49.447+02:00

You can certifiy users too. There will be a talk about ssh certificates in RMLL2011:
http://2011.rmll.info/spip.php?article95&lang=fr
In french: "Certificats Openssh : gérez les identités dans l’espace et dans le temps"

Certificates are very useful, but there's some limitations, go to RMLL and see what are they :-)

You are absolutely right, sorry for the typo and t...

2011-07-06T18:14:44.085+02:00

You are absolutely right, sorry for the typo and thanks :)

I agree. I'm just saying that the code above i...

2011-07-06T17:56:07.837+02:00

I agree. I'm just saying that the code above includes the CA private key "~/.ssh/cert_signer" ("begin rsa private key") instead of the CA public key ("ssh-rsa [...]") into the known_hosts file.

Nope, this is a classic known_hosts file, its form...

2011-07-06T17:31:44.376+02:00

Nope, this is a classic known_hosts file, its format is :

[optional_marker] [host_selector] [key]

And to specify a CA, you have to use the @cert-authority marker

Nice feature, I didn't know about it. Btw, sh...

2011-07-06T17:19:50.136+02:00

Nice feature, I didn't know about it.

Btw, shouldn't the client just own the CA public key? "cat ~/.ssh/cert_signer.pub"

super article

2011-04-27T15:10:11.067+02:00

super article

Great explanation on system calls on linux. Thanks...

2011-03-15T10:03:11.019+01:00

Great explanation on system calls on linux. Thanks

Hello Ivan, Thanks for making some publicity for ...

2011-03-11T23:55:37.388+01:00

Hello Ivan,

Thanks for making some publicity for seccomp-nurse :)

GNU Libc forces the usage of classics "int $0x80" for some functions indeed, like dlopen() and clone().

I don't have any good solution for the moment, the only one I think of is to overload theses symbols with LD_PRELOAD hack. But it sucks.

The other solution would be the same approach of Chrome by patching binary instructions in memory.

Maybe I should take a look at metasm to patch the ELF and replace every syscall instructions into a call to my handler.

Thanks for this interesting post, valuable also fo...

2011-03-11T20:59:13.183+01:00

Thanks for this interesting post, valuable also for the short and clear presentation of the technical details! (Before, I've read only the general presentation of the seccomp-sandboxing approach as used in Chromium.)

I'm not well-informed about the internals of Linux executables, so I have a question after reading your post:

Do all syscalls have the form "call *%gs:0x10"?

If not, then we'll get into troubles from time to time, when running one unusual program or another, won't we? If so, do you envision a solution for such troubles?

(I came across your work as I was trying to present the SECCOMP approach in an answer to ["How to “jail” a process without being root?"][1] on a Q&A site and hence looking around for some working general tools using this approach.

[1]: http://unix.stackexchange.com/q/6433/4319
)

> Marking kernel memory read only Kernel set ke...

2011-01-05T21:15:03.772+01:00

> Marking kernel memory read only
Kernel set kernel rodata (and kernel text) read only since some versions.

What's comming is module support and setting NX bit for kernel data : ie having etheir r-x or rw- but no rwx.

Thanks Dan for your corrections and all your work ...

2011-01-05T10:22:27.717+01:00

Thanks Dan for your corrections and all your work in the Linux kernel!

Nice article. Just a few minor corrections: Nels...

2011-01-03T23:41:18.940+01:00

Nice article. Just a few minor corrections:

Nelson Elhage's KERNEL_DS issue wasn't a bypass of mmap_min_addr. In certain circumstances, the kernel overrides its address limit via set_fs(KERNEL_DS). As you wrote, in these circumstances access_ok() will always return successfully. If you can manage to OOPS a thread while it's in this state (as my exploit did), this allows you to write a 0 to an arbitrary kernel address - not to be confused with a NULL pointer dereference.

Besides this minor point, I'd have to argue that despite a few small victories, the kernel is still a very soft target for attackers. Kees and I are doing our best, but a lot more needs to be done before I'd consider the kernel to be a difficult target.

The full-nelson exploit I wrote for Nelson Elhage's three vulnerabilities did leverage multiple issues to get root, but this was the exception, not the rule. In almost all other cases, only a single vulnerability was required to get root access. By my count, there were at least five other public vulnerabilities this year that allowed privilege escalation on a significant portion of distributions: a CAN heap overflow, RDS, compat syscall, compat_alloc_user_space, and the Econet stack expansion issue. We've still got a long way to go.

méchanisme -> mécanisme réélle -> réelle PS...

2010-12-29T21:42:04.770+01:00

méchanisme -> mécanisme
réélle -> réelle

PS. Tu nous fais la même pour la sécurité PHP ? ;)

Like

2010-12-29T14:07:39.103+01:00

Before compact in 7bits you should translate into ...

2010-09-11T05:51:45.849+02:00

Before compact in 7bits you should translate into gsm charset didnt you?

For example: 0 -> '@'