Author Archives: danieru

CPSC 527 or: How I Learned to Start Worrying and Write a Virus

14 Replies

Just over a decade ago my university started to offer a controversial course known as “CPSC 527 Computer Viruses and Malware”. Or as I refer to it: the Virus course.

The virus course has a reputation which proceeds it. I first heard of it in second year. Word was that there existed a course held in a locked and isolated lab. No internet and no electronics allowed. Only fourth year students could enrol and an essay was required.

So fast forward to late third year when I and a friend have set our minds on this mythical course. Said friend managed to uncover the controversy dating back to 2003 over the  introduction of our viruses course.

Most of the resulting articles and press releases can still be found through a quick search. Most notable were two press releases from the Anti-Virus Manufacturers: Sophos and F-Prot. Both give an insight into why the course was not received well by all:

I just wanted to make sure that you are aware of the effects that participation in the course may have on the students’ future career. Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work. What this means is that in the event that the students actually learn something useful in the course, they will most likely not be able to obtain employment in the anti-virus industry due to their participation in the course, and thus not be able to contribute to actually solving the virus problem.– Fridrik Skulason of F-Prot

Sadly it seems the university is developing courses according to what it believes will be most attractive to potential students rather than focusing on skills that will be useful to them in the security industry. One wonders if the University will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users. — Graham Cluley of Sophos

What struck me is the assumption both responses hold: it is Anti-Virus companies which bring relief from viruses.

I disagree. Security, and thus relief from viruses, instead derives from your ecosystem and your operating system. Which gets to my interest in the course:

  1. Have fun
  2. Becoming a better systems programmer

I have no interest in becoming a researcher for the Anti-Virus industry. Instead I want to create systems which will minimize vulnerabilities and reduce any ground a virus can win in finding a vulnerability. Meanwhile all Anti-Virus software can do is slow down your computer, take your money, and tell you it is time to reinstall Windows

Now Mr. Cluley and Mr. Skulason do raise a good question: why should you create a new virus? To answer that let us look back to 2007 during my tenure at the local McDonalds. In our flashback I am a new employee and my boss has taken time out of her day to instruct me on proper method for cleaning dishes. You see the drive through is right across from the washing station and thus it is the task of order takers to clean dishes while waiting for cars. Now I wasn’t a patient lad and protested against a practical demonstration. I asked her if she could instead just tell me how to wash dishes. To this she said:

You’ll only learn something once you’ve done it. — My boss circa 2007

Which is thus the core reason why CPSC 527 must be about writing new viruses. Similar themed courses at other universities may teach virues the way Mr. Cluley and Mr. Skulason wish them to be taught: by dissecting existing viruses. Granted Mr. Cluley is correct, this approach would better serve students going into the Anti-Virus industry. Dissecting existing viruses is the major task when writing an Anti-Virus scanner.  Thus prospective job applicants to Sophos or F-Prot would be well served by practicing their new job while in school.

Except I have no interest in the Anti-Virus industry. Instead I want to learn to think like a virus writer. I want to look over a system’s design and notice “Hey, I can abuse that!”. Not for the purpose of abuse, but to bake security into what I create.

To that end I can say CPSC 527 was a fantastic course: I wrote a virus, an exploit for a buffer overflow vulnerability, and for the final assignment a virus scanner for the other 10 group’s viruses.

All virus work was done in the virus lab: a locked lab with no internet access on machines which required a second student to vouch for your identity before you could login. The machines themselves were linux boxes running FreeBSD in a locked down virtual machine. Even if a malicious student did brings the virsues out of the lab there would be no targets to infect!

The virsues we wrote were not complex or modern. My current value to the Russian Mafia is still about zero dollars.

With that said my virus did win the prize for best virus, which in this course means it was the worst and most annoying virus.

What my virus did was launch a rootkit into kernel space. This rootkit would then sit and count how many files a thread opened. Once the thread has opened N files it got marked as an anti-virus. Then instead of killing the undesirable scanner, we would deny all write requests. Thus a scanner would work for the files in /bin but any warnings of virsues in /sbin or /usr/bin would be silenced. The net effect was to make programmers think their scanner was broken!

The rootkit was so effective even I got caught by it! My scanner would find the infected files in /bin but not the ones I knew were in /usr/bin.

Beyond pride, writing the rootkit was enjoyable, fulfilling that goal. Spying on the scanners required hooking BSD’s system calls and stuffing data into unused fields of the thread’s task struct. I even booby trapped the system calls table: any attempt at unloading my rootkit would leave non-NULL yet invalid pointers in the system call table. Thus any calls to open or write to files would crash the kernel.

Towards the intangible goal of improving my systems programming I am now quite paranoid. My programs now enjoy user input escaping far beyond anything reasonable. I found myself escaping even the input I got from the kernel! The kernel being the program which runs my program and already controls the entire computer.

As for systems design, my fervour for mobile and Firefox OS has only increased. We need to replace the Win32 ecosystem with an ecosystem that can be sandboxed and we need to do it without throwing user freedom to the dogs. To that end the web is perfect. Web browsers have undergone years of security stress testing in the most hostile environments imaginable. The web represents an ecosystem developed from the begining to be sandboxed, it is not even possible to self modify binaries!

In general we need more programmers to take courses like 527. University students no longer write virsues for fun or to prove a point. Instead we have rogue governments attacking their own people. The risk in teaching students virus writing is now far outweighed by the benefits. We need programmers who will make security a priority. At Microsoft I learned that “UAC is not a security boundry“. What this means is that any vulnerability allowing bypassing of UAC will not get patched. They’ve resorted to this useless stance because there are already many unpatched vulnerabilities. The net effect is users are running under admin accounts which feel like regular non-all-powerful accounts.

So if you have a chance: please enrol in CPSC 527, or a similar course if your university offers one. If enough people take courses like these maybe the next UAC will not happen.

Just bought two cheap Androids for B2G surgery

Leave a reply

I’ve been mulling the idea of buying a cheap disposable Android with which to port B2G onto. These cheap Androids can be quite cheap. One I bought was $56, the other $77. Shipping was for both.

My selection algorithm was:

  1. Order by price
  2. Filter to Android 4 or greater
  3. Check out any orange (firefox) coloured phones
  4. Find two distinct phones with the same System-on-Chip (SoC)

My final selection was the “M1 Smartphone” by “htm” , and the “Tengda H10” and by “htm”.

M1 by "htm"

M1 by “htm”

 

Tengda M10 by "htm"

Tengda M10 by “htm”

 

My last experience with cheap Chinese origin Androids was one of the first generation Android tablets. The device was a clone of the iPad and featured a resistive touch screen. Calling it slow would have been a complement. From that baseline these devices have a good chance to impress.

These devices might look quite different but they are in fact almost the exact same. The variety in the cheap android market place is misleading. Under the hood most devices are quite similar. In our case these two phones have the same SoC and camera. By having two similar devices my hope is to create a B2G configuration which will work for all MTK6572W devices. The two devices are from the same manufacturer but do differ in RAM, flash, and baseband. This should give a workable sample of similar devices.

Or maybe they’ll become paperweights!

What is UCOSP?

Leave a reply

UCSOP stands for [U]ndergrad [C]apstone [O]pen [S]ource [P]roject. It is a good name as far names go but the details are what make UCOSP unique. UCOSP is a course ran twice per year at several Canadian universities. About 80 students participate per year and said students are supposed to be some of Canada’s best, but they let me in any.

For the kick off of the semester, the students meet together once as a team for a hackathon. Our hackathon was hosted by Mozilla in their Toronto office. All flights were even paid for by Google as part of the Google Open Source Programs Office. This is the same office which hosts the Google Summer of Code program.

Like a regular capstone project the course is results focused and hands on. Also like a regular capstone course you’ll have a professor watching your progress. The difference is in your team. UCOSP’s goal is to introduce students to distributed teams. In your classes you’ll have worked on centralized teams. My university classes had tons of these forced group work. Yet, none of my prior classes introduced distributed cooperation.

Why are Distributed Teams special?

A distributed team lets people live where they want. Instead of trying to move the whole world to Silicon Valley a distributed team may have members on every continent. Many of the world’s best engineers like living where they live, and they’ll sooner work for an organization which does not force them to move. Of course for others moving is not a problem, but if someone earlier in life has decided to move there is a good chance the reasons for that move have not changed. Nor may they change just because you want to hire them.

A distributed team also brings other more practical benefits. By staying out of the insane property market which is the Silicon Valley area, you’re increasing employee’s take home pay by tens of thousands of dollars per year, for free! And by cutting out the commute time, team members will be saving an hour or more per day.

When you're distributed you need to be more explicit in what you say. For example, this poster is not sugar coating the message.

When you’re distributed you need to be more explicit in what you say. For example, this poster is not sugar coating the message.

Challenges of Distributed Teams

Distributed teams bring their own challenges which may work against student’s weakest attributes: being self-driven and getting things done. Without supervisors or near due dates, many students find it a challenge to get work done. This is a problem for distributed work, you’ll have no one watching over your shoulder. You must know what a reasonable commitment is and have the will power to see the work to completion.

Communication also takes on a different form for distributed teams. For what it is worth: in person conversations are more effective than you might expect. A quick chat with a group member before class could get you unstuck on a nasty bug. Likewise centralized teams have an easy time of sharing progress, just talk about it over lunch. Instead distributed teams must leverage email or wikis. Documenting the project, the meta project, goal, reasoning, all take on extra weight. As does communication finesse. Online we lose non-verbal clues so you must watch how you say things and yet be more direct in saying them. Leaving details as implicit will generate confusion since there is little context for readers to read in between the lines.

In general, I think these skills come from practice, which is why UCOSP is special. The regular student might never contribute to a distributed project, open source or not, while in university. UCOSP is the rare course which gives students this experience while earning course credits.

If you’re a Canadian Computer Science student you should head over to ucosp.ca and see if your university offers UCOSP, or a similar course.

My semester in UCOSP

1 Reply

If you do not know what UCOSP is then you should consider reading my explanation post: What is UCOSP? Otherwise in short: UCOSP is a practical experience for Canadian Computer Science students to work on open source as a distributed team. For my UCOSP project I wrote a zip extraction library for BB10.

How I got enrolled

I found out about UCOSP in mid June while I was still at Microsoft for my internship. My self-assigned task that day was to arrange all my courses for the next school year. Many of the courses I wanted to take required pre-approval from professors which in turn required an essay, so planning ahead was vital.

While finishing up one of my essays I saw one of my friends online so I chatted with him. I tried to convince him to take one of the cool courses along with me. Meanwhile he asked if I had been invited to some course called “UCOSP”. In his words: “open source project course”. Little did he know that those words describe the perfect course ever! Imagine getting credits for doing open source projects!

Yet I had a stumbling block. Enrollment required an essay due the next day. Meanwhile said friend has one of the highest GPAs in our year and thus got invited. My own GPA is not bad per-say but it must not have been high enough for the invitations. Which makes sense since UCOSP is a new program at our university, they would want to run the pilot with our best students. Yet this means my work is just that much harder: I have to write an essay that qualifies for UCOSP but also one that convinces the professor to risk letting me in on his shiny new pilot course.

As if that was not hard enough my friend wasn’t sure he was allowed to give me the name of said university professor! So I sent an email off to the UCOSP steering commity asking for the contact. They replied the next morning with the professors name, and I sent off an essay email soon after. Five days later I got an email saying I was accepted.

Our Hackathon

At the beginning of every UCOSP semester all the students along with their project mentors are brought together for a hackathon. This semester the hackathon was in Toronto and hosted by Mozilla. Next semester I hear it will be in California hosted by facebook!

IMG_20130919_105120

Calgary’s Glenmore Reservoir from the airplane

Being on the wrong side of North America meant I had a long flight on the 19th of September. To make the trip more nerve-racking I’m far too cheap for a taxi. Instead, after my four hour flight I took the Airport express bus to the subway, after which I walked to the University of Toronto Campus for the evening meetup.

IMG_20130919_165118

View from the Univeristy of Toronto’s Computer Science’s upper meeting room.

While the hackathon wasn’t starting until the next day, we had an optional meet-and-greet at the University of Toronto. Somehow everyone from my team made it except our mentor. Which is okay since there were only one or two mentors there in total. Beyond some ice-breakers, we also met some of the professors organizing UCOSP. In all it was a nice low key event.

 

IMG_20130920_065936

Left half of Mozilla’s entrance way. I should have taken a fuller photo but I only even took this one for the banner’s sake.

The walk from our hotel to Mozilla was long and took us through Toronto’s banking district known through out Canada as Bay Street. We ate breakfast at First Canadian Place, I had eggs.

IMG_00000010

The hackathon in full swing! Look at that coding! The intensity! You can tell work is getting done because no one is talking.

At this point I have to apologise, I took almost no photos of the hackathon itself. I have a few but most are test photos from my developer phone. Speaking of which, our mentor gave us each a developer phone!

IMG_20130920_070913

Our BB10 developer phone!

I have far too many smartphones at this point but this is still the first phone someone has ever given me. The phone itself is a Blackberry Q10 with a different shell. Since matte black is my favourite color I have to admit that I prefer this dev phone over the Q10. Since the BB10 emulator requires VMware under linux, which I do not own, this dev phone was critical.

You might be curious at this, I have yet to tell you what we were even working on!

Our Project

My team’s project was to port popular Cordova plugins to BB10’s new Cordova based html5 platofrm. Cordova is a compatibility layer over a mobile platform’s app embedded web browser which exposes phone features as web APIs. In iOS terms is wraps the WebView and provides access to memory cards, cameras, and etc. Cordova is the offical open source name of PhoneGap after Adobe bought and open sourced PhoneGap. At the time of our hackathon, Blackberry’s offical html5 platform was proprietary and called WebWorks. Our work was to coincide with the development of WebWorks 2.0 which was based on Cordova. Plugins are extra APIs. For example the API I ported exposes extraction of zip files. Our mentor set a goal of four plugins, of course more would be welcomed.

Back to the Hackathon

IMG_00000018_hdr

I might have been playing with the phone’s built in instagram-like filters when I took this photo, or maybe the HDR. Otherwise I cannot explain the lighting.

For our part this hackathon. was spent setting up our development environments. Sad to say but the setup process is a PITA. Clocking in at 15 steps when I wrote it up, there is zero chance I would have figured it out without our mentor’s inside knowledge of BB10. At this point I should mention that our mentor works at Blackberry so in a way our project was an extension of BB10’s development.

In a far too real way, half our pain was rooted in BB10’s closed nature. We had to request keys from Blackberry and these keys were only batch generated every two hours. Once the server sent you a key, you had to setup two different processes for package signing. The dev phone themselves needed to be put into dev mode after every reboot or you would hit misleading error messages. By far, the most painful mobile dev environment I’ve ever setup and it stands it stark contrast to Firefox OS’s dead simple html5 environment.

IMG_20130921_155015

This may have been the morning of the 21st, or the evening. In either case we were all tired.

 

IMG_20130920_102218

Midway through the 20th, Mozilla gave a demo of asm.js. I’ve seen it before, but it was exciting to see a demo of the tech from Mozilla themselves.

IMG_20130922_090127

I’ve never been on a real tram before so it was nice to have the chance on my way back to the airport.

In prior years UCOSP tried to go right up until the offical end hour but this year they organized things to allow early departures. This gave me plenty of time for my airport commute.

IMG_20130922_171439

Somewhere over the prairies. Judging by the abundance of lakes, I’d guess Manitoba.

Rest of the Semester

Once home I met with my professor on Monday to plan how the work would go. He suggested writing a list of commitments for the week in our weekly monday meeting. Then during the next meeting I had something concrete to report on. For the first week I took it slow to catch up on missed school work. In the later weeks the goals were sub-milestones for my zip plugin.

At the semester’s end he had us UCOSP students give a presentation on our projects to each other and to the students in his other capstone course.

In the end we hit our goal at four plugins but there is a chance we were still the least successful this semester. We got the work done and I’m proud of that, but we didn’t act as a distributed team. We set out as two subgroups of two devs a group. Due to some hardware, failure my partner didn’t have a development environment setup until half-way through the semester. By this time I was deep into my zip extraction plugin so instead of joining me on the zip plugin, my partner decided to start out on his own plugin and salvage what was left of his semester. I regret not keeping in better contact with him. I had pinged him a few times but I held back checking too often for fear of being nosey.

Thus, I cannot report doing the fun distributed team things like code reviews or hanging out on irc. With that said, please don’t let my experience discourage you. Stuff happens and sometimes things go wrong, but in general they go right. The other UCOSP students from my university reported lots of code reviews, wikis, and even team blogs! Just imagine, next year you could be hanging out with team members from across Canada working on your own UCOSP project! Apply today!

Intro to Mozilla IRC Lingo

2 Replies

If you are new to Mozilla’s IRC channels, as I am, then you might have noticed some new and unknown words. All companies and communities have internal lingo built up over many years. Mozilla is different from a typical company because regular internal communication is done in the open. This means we get to hear said lingo used among employees who all know the terms by heart.

It can be intimidating coming to any community with such history and culture as Mozilla. This feeling is perfectly normal and will dissipate in time. To help the process let us explore some of the common terms unique to Mozilla. Thus you’ll know the terms the next time another Mozillian uses one.

R+

Mozilla has a healthy culture of code reviews. Real, concrete, effective code reviews mean approval is not trivial. An r+ means completing a code review and approving the commit. Some aspects of the patch may need changing but for the most part the patch is clear for commit. The wiki has more details on r+’s and their exact meaning if you want to get technical: https://wiki.mozilla.org/Firefox/Code_Review#What_does_r.2B_mean.3F

R-

The opposite of an r+ is the r-. Given when a patch is rejected, an r- does not mean the change cannot be fixed. Since r- can come across discouraging I suspect reviewers only use the term when talking to long term contributors.

CLOBBER

In all situations I’ve seen where CLOBBER gets mentioned it has been out of frustration. To clobber a tree causes a massive slowdown and annoys other developers but I do not understand the exact cause. The wiki provides some details but I’m not familiar with the build system: https://wiki.mozilla.org/Clobbering_the_Tree

ping

To get someone’s attention on IRC it is typical to mention their name in a message. This triggers highlighting of your message and triggers a bing sound on some IRC clients. If someone is on IRC but not active it is common for mozzilians to “ping” them. Such a ping takes the form, “<username>: ping”. For example when pinging me you would say “danieru: ping”. You’ll notice that this typical usage excludes any details about why the person is getting pinged. Instead it has been suggested that a ping should also contain a sentence mentioning the ping’s purpose. So going back to our example you might want to say “danieru: ping, I need help compiling fxos. I’m getting linking errors with example()”.

pong

In response to a ping the person pinged will often say “pong”. This means you may see “ping, pong” if both users are online at the same time. For any native English speakers reading the humour comes from the usage of “ping” which is a network tool used to check connectivity as a way to check for the attention of other Mozillians. Then in response “pong” interprets the ping as the “ping” in ping-pong, a sport also known as table tennis. Sorry if this ruins the humour.

++

In programming languages inspired by C the operator ++ is  the pre or post incrementor. It is used like thus: “var++”. This operator will make the incremented variable equal to the original value plus one. Thus on Mozilla IRC, ++ is another way of saying “+1”. In turn “+1” is an expression meaning “I like this” or “This is true”. So if someone says ++ it means they are agreeing with something said earlier.

And that completes my knowledge of Mozilla specific terminology. If you know any other terms please mention them or ping me.

land

Commit a patch to the inbound branch or repository after the patch has been reviewed with a R+. For Mozilla Central this would be mozilla-inbound or for Gaia the gaia/master branch.

Uplift

Merge or promote a patch from the inbound repository to the stable branch. For Mozilla Central this would be Mozilla Central or for Gaia this would be a tagged version branch such as 1.2.

Sec-Critical

When security bugs which cover normal browsing get found they are marked sec-critial. These bugs cannot be viewed by the general public until they have been fixed. Once a fixed version of our software has been shipped the sec-critical bug is made public. For example  see Bug #785967

Chemspill

When a security bug is found it may force our hand and require an early general release of our software. This early release is known as a chemspill.

Clownshoes

Bugs vary in scope and size yet in general a bug will only have one developer writing code to fix it. This can create a situation where the bug is larger than the person. Or as the analogy goes: the person is wearing oversized clownshoes.

TODO: No other terms I know of. Can you suggest any?