Friday, January 25, 2013

ast2dot - A script to help visualize the GCC AST

Recently I have been creating GCC plugins to automatically and transparently add security mechanisms to software at compile time. I enjoy the work tremendously. Part of the work requires an understanding of GCCs intermediate representations including the abstract syntax tree (AST).

The AST can be difficult to grok. Therefore, I created a simple utility that converts a GCC AST dump into the DOT graph description language. Once the tree is represented by the DOT format it can be visualized using various diagramming tools such as GraphViz, or my favorite for the Mac, OmniGraffle.

Following is an example. First the source code of a simple C program:

int main()
{
   int i;

   i = 2 + 2;
   return i;
}

During compilation with GCC, this simple C code gets transformed into the following (mildly pruned) AST:


The script has a few routines for pruning the tree. For example you can specify certain attributes to ignore and/or specify a starting node. I have found the script to be more useful for inspecting specific subtrees rather than an entire tree all at once.

The script is written in Ruby. It can be found on github: https://github.com/infinitesteps/ast2dot. Maybe it will be useful for others.

Thursday, December 15, 2011

Carrier IQ Subverts HTTPS Protections

There have been many recent news articles describing Carrier IQ. Carrier IQ is a piece of software that runs on mobile phones and collects information about user behaviors. According to the software manufacturer Carrier IQ does not collect sensitive data. Some have labelled Carrier IQ a "rootkit" because of its stealthy behavior ad level of access.

While watching the original demonstration of Carrier IQ, I noticed that many things were being written to the system log including web URLs (the author notes this as well). The collection of URLs may include those that use the HTTPS protocol (encrypted web traffic). The URLs may also include GET parameters (words after the question mark). GET parameters act as variables and are sent to the web server as a way to customize the resulting web page for the user. For example the following URL could be used to authenticate someone to a web service (think bank):

https://secure.foobar.com/baz?username=foo&password=bar

The intention of the HTTPS protocol is to provide transport-layer end-to-end encryption. The end points are supposed to be the web browser and the web server. HTTPS uses SSL/TLS to provide the encryption. Transport-layer encryption by nature does not protect the privacy of the source and destination ip addresses. It protects the privacy of everything in the application layer which includes GET parameters and all other HTTP data (web page contents, HTTP headers, POST parameters, etc). Once my HTTP request leaves my browser it is supposed to be encrypted until it is decrypted on the server (end-to-end!).

However, because Carrier IQ writes the URL, including parameters to the system log file they break the end-to-end encryption. This caught my attention. This is not a small matter. Now that the data is in the system log it is available to all other software on the phone! Not good.

I spent about one hour creating a proof of concept Android application that scrapes the system log and sends all HTTPS URLs, including parameters, to another computer connected to the Internet. My application also grabs the device ID and sends it along with the URL (for the demo below I used the Android emulator which has all zeros for its device ID).

The application had to request the Android "READ_LOGS" and "INTERNET" permissions. These permissions are very common. The "READ_LOGS" permission is often used by developers so that end users can send log files with bug reports. The "INTERNET" permission is used by all apps which need network access (many).

My app uses a giant user interface button to perform the log scraping. But imagine that the application ran as a service and ran without the user knowing (it is an easy change). The end result would be a hidden application that could be secretly spying on you. It could be installed as part of another seemingly legitimate application. Of course the private data being leaked isn't limited to HTTPS traffic, HTTPS is just the case that caught my attention.

I captured a screencast of my application scraping data from the logs and dumping it to an external server. This is not rocket science. For anyone with Android app development experience it would be trivial to write. My point wasn't to show off my mad hacking skills but to try to further emphasize the seriousness of this problem.

Note: I do not have a Carrier IQ plagued device. I injected similar log entries for testing my proof of concept application. I based my formatting of the log entries on the original demonstration.

Note: Quite surprisingly my log file had other HTTPS urls in it which were written by other applications. At least those applications were only leaking their own application information. For example I now have a Facebook developer key that I easily extracted from the log file. Not sure who the key belongs to. I don't think that I am supposed to have it. Come on developers, you are supposed to remove your debug messages before distributing your app!

Friday, April 9, 2010

Why the iPad is Good for Security

A few weeks ago a rather chatty fellow sat next to me at the coffee shop where I was working and said: "How do you like your Mac?" I replied. He then said "I hate Macs." I told him that I think people should use whatever computer operating system they find useful. I mentioned my area of research, computer security, which piqued his interest. He said "I don't have any antivirus software on my Windows PC and I don't have any viruses." He assumed that he had no viruses because there was no evidence (nothing crashed or disappeared). He went on to report that his computer runs pretty slowly (which I found quite humorous). I told him that he didn't have *a* virus, that he actually had *many* viruses. I explained a little about botnet zombies to which he replied "I just want to read email and watch videos." He didn't seem to care in the least bit that his privacy may be at stake or that his computer may be participating in computer crime.

A research project that I am part of, Poly^2, investigates the idea of increased security through the use of specialized operating systems. In short, the idea is that we could tailor make OS's for specific tasks. The idea isn't as simple as merely turning off unused network services (though that is a good idea in general). It goes further. It tries to restrict the primitive functions of the OS (such as memory access) to the bare minimum needed to carry out the specific task. Those who have studied information security may recognize this as the "principle of least privilege". General purpose OS's defy the principle of least privilege, especially in the context of consumer-grade computers.

The iPad isn't necessarily a realization of the full Poly^2 ideology. However, I think they are related. If Joe Blow just wants to "read email and watch videos." what options does he have? He could buy a standard PC (from here forward PC refers generally to personal computers, no OS is implied) and patch it every six days. However, the act of patching a computer is distinctly not reading email or watching videos. Should Joe be able to read email and watch videos without additional responsibilities? It seems like a reasonable desire to me. Joe isn't required to patch his car even though it likely uses a microprocessor.

Botnets are a huge problem. Some botnets, like Confickr, control millions of zombie PCs. The zombies are made up of unpatched PCs. Many of them are likely owned by people like Joe who just want to consume information. If all of those people, who don't require a general purpose OS, were to buy media consumption devices (MCDs) such as the iPad, instead of PCs then we would likely see a dramatic reduction in botnet zombies.

Most of the criticisms I have seen of the iPad revolve around the assumption that it is a PC. It is not a PC. If you are comparing it to a PC, then yes you will likely be disappointed. I heard someone say that they didn't like it because it wouldn't run MatLab. If you want to run MatLab or Photoshop you should not buy an iPad. Some have criticized the iPad and iPhone because of their closed nature. I haven't developed for either, I prefer Android myself, so I don't know first hand what is required. However, as far as I can tell their APIs are available and they allow you to program in open standards programming languages. Will the iPad have security vulnerabilities? Of course! However by carefully controlling what applications can be created with and how they can be distributed, Apple can strongly influence and remedy future vulnerabilities.

Is the iPad for me. Probably not, I am not Joe. It may however be a good media consumption device for my wife.

Saturday, September 5, 2009

OS X Bug : Problems connecting to WPA Enterprise with 10.5.8

I have recently had trouble connecting to Purdue's wifi network named PAL2.0 (which requires WPA Enterprise/TTLS/MSCHAPv2/PEAP). Purdue's technical support (ITAP) attempted to help me but was unsuccessful (it isn't their fault). I found my own fix and wanted to share it with others who may be having the same problem. Basically the problem was introduced by Apple with Mac OS X, update 10.5.8.

The problem:
- Can't connect to PAL2.0 (sporadic)

Symptoms:
- Repeatedly tries to perform MSCHAPv2 authentication, never gets IP address. I have captured a screencast demonstrating the problem.

Setup:
- Macbook Pro (maybe other models? mine is a 2007 model) running OS X 10.5.8

Fix:
- Revert to the wifi firmware to pre-10.5.8 version. I followed these instructions (proceed at your own risk)
- If you have the right model of mac (I did not), you may be able to apply this patch from Apple.

Friday, July 10, 2009

OS X Bug : 802.1x TTLS defaults to CHAP even if changed to PAP

While configuring freeradius I uncovered a nasty Mac OS X bug. My goal is/was to authenticate Mac OS X (leopard) to WPA2 using RADIUS configured to authenticate to LDAP (over EAP+TTLS+PAP).

Scenario #1 (broken)

When I get within range of a WPA2 EAP+TTLS+PAP WIFI connection I am prompted to login. If I try my login, it will fail because I have not configured 802.1x to use TTLS+PAP which is expected. If I then try to configure TTLS to use PAP using the 802.1x configuration dialogs, it will display "PAP" in the configuration dialog but it will not actually use PAP, it will continue to try to use its default CHAP authentication inside of TTLS. I am then never able to connect to this access point without deleting it and starting over (as below).

Scenario #2 (working)

However, if, with my wireless card turned off, I configure 802.1x authentication profile in advance of connecting to the same access point. Then turn on my wireless card. Then instead of entering my user/pass when prompted select "Join Other Network" and manually assign the new and correct 802.1x profile to the new wifi connection. It works as expected. It was nontrivial to track down this problem. I am using freeradius and found that despite having PAP listed under TTLS the following was logged:
MS-CHAP-Challenge = 0x...
MS-CHAP2-Response = 0x...
I have deliberately not enabled CHAP in my freeradius configuration so I knew something was up. After I finally got it working (using scenario #2), those two MS-CHAP log entries disappeared. A few of the freeradius log messages that were symptoms of the problem are as follows (in hopes that others may find this post):
pap No clear-text password in the request. Not performing PAP.
...
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.

Thursday, June 4, 2009

Apache mod_rewrite and the HTTP Host Header

I am involved with a web project that bases some application logic on the hostname of the server. During the development phase we wanted to test host-specific logic without modifying hostname resolution (through /etc/hosts or DNS) or modifying the code with specific development hostname conditionals. To accomplish this task, I crafted some handy Apache mod_rewrite rules:

<VirtualHost>
...
# requires mod_rewrite and mod_headers
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/set_site.html$
RewriteCond %{HTTP_COOKIE} ^.*choose_site=([^;]*).*$
RewriteRule ^(.*)$ $1 [E=SET_SITE:%1]
RequestHeader set Host %{SET_SITE}e
...
</VirtualHost>

The first condition matches anything but the form used to set the site cookie (choose_site). I am not entirely sure why, but if this conditional is omitted an infinite redirect happens. To keep the application code base clean I used mod_alias to alias this form to a location outside of the DOCUMENT_ROOT.

The second condition extracts the hostname from the cookie and places it in magic variable %1. The rule just passes through all requests and sets the apache environmental variable SET_SITE. This step is necessary because mod_headers can't use the mod_rewrite generated %1 variable.

Finally the last directive sets the Host header of the request, which if you're lucky, will get passed up to your scripting language for use in the logic.

Friday, May 29, 2009

Apple Address Book and IM Values

I have recently been working on centralized authentication using OpenLDAP. Beyond authentication, LDAP-based directories can be used as a shared address book. Most desktops being used by our organization are Apple computers. The system address book, known as "Address Book" may be configured to access an LDAP directory. Bingo! Unfortunately, the Address Book is only interested in a subset of attributes that are stored in the LDAP directory. Using wireshark, I found that it asks for the following attributes:

givenName
sn
cn
mail
telephoneNumber
facsimileTelephoneNumber
o
title
ou
buildingName
street
l
st
postalCode
c
jpegPhoto
mobile
co
pager
destinationIndicator
labeledURI
IMHandle

The Address Book works as expected with one exception. The last field it requests, and it receives from LDAP, is IMHandle. It would be nice if IMHandle was *actually* supported by the Address Book, however no matter how much brute force I used, I could not get IMHandle to show up in the Address Book. The application appears to receive the value for IMHandle but discards it. By the way, getting the Apple LDAP schema (which enables the storage of IMHandle) to cooperate with our other LDAP schemas was kind of ugly.

The solution? I figured out that we could use the labeledURI field to store IM information. Both Jabber and AIM have a protocol specification that works with the Mac and Firefox (and likely other software). The format is as follows:

Jabber (such as Google Talk)
im:ACCOUNT_NAME@gmail.com
AOL Instant Messenger
aim:goim?screenname=ACCOUNT_NAME

The Address Book then shows the first (and only the first) labeledURI. So if we set the first value of labeledURI to the user primary IM URI, it shows up in the Address Book and is even "clickable".

Hey Apple Developers, how about supporting IMHandle in Address Book? Or at least show multiple labeledURI values.