<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: snnn</title><link>https://news.ycombinator.com/user?id=snnn</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 21 Jun 2026 16:39:00 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=snnn" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>Most people in Tibet only speak Tibetan. They also need to use smartphones. They type texts on their phones to communicate with their friends. They simply cannot use the Latin alphabet for doing that.</p>
]]></description><pubDate>Mon, 22 Apr 2024 00:17:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=40110398</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40110398</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40110398</guid></item><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>Kernel developers need to consider backwards compatibility. You won't want to see some users lose their data because they upgraded the kernel. Therefore it is very hard to "force" something.</p>
]]></description><pubDate>Sun, 21 Apr 2024 23:59:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=40110289</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40110289</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40110289</guid></item><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>Now every Windows 10/11 system comes with ICU. Even some standard C/C++ functions in the VC++ runtime depend on ICU.</p>
]]></description><pubDate>Sun, 21 Apr 2024 23:52:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=40110258</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40110258</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40110258</guid></item><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>Because that's how "dirname(3)" is implemented in glibc, except it searches '/' instead of '\'. Here all character encodings share the same code.</p>
]]></description><pubDate>Sun, 21 Apr 2024 23:49:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=40110236</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40110236</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40110236</guid></item><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>But the reality is: most glibc functions like `dirname` could not handle non-UTF-8 encodings, because some encodings (like GBK) have overlaps with ASCII, which means when you search for an ASCII char (like '\') in a char array, you may accidentally hit half of a non-English character. Therefore, people in Asia usually do not use the non-UTF-8 locales.</p>
]]></description><pubDate>Sun, 21 Apr 2024 20:08:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=40108789</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40108789</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40108789</guid></item><item><title><![CDATA[New comment by snnn in "Glibc Buffer Overflow in Iconv"]]></title><description><![CDATA[
<p>Man, if English is the only human language in this world, who would need UTF-8?
The other encodings exist because they are more efficient for the other languages. Especially, for the Chinese, Japanese, and Korean languages. UTF-8 takes 50% more space than the alternatives. Too bad modern Linux systems only support UTF-8 locales.</p>
]]></description><pubDate>Sun, 21 Apr 2024 16:45:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=40107167</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=40107167</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40107167</guid></item><item><title><![CDATA[New comment by snnn in "Xz: Can you spot the single character that disabled Linux landlock?"]]></title><description><![CDATA[
<p>A cmake option only has two values: ON or OFF. There is no unset. Because it is a boolean.<p>See: <a href="https://cmake.org/cmake/help/latest/command/option.html" rel="nofollow">https://cmake.org/cmake/help/latest/command/option.html</a></p>
]]></description><pubDate>Tue, 02 Apr 2024 03:32:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=39902123</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39902123</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39902123</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>The vanilla python works fine but conda is definitely more popular among data scientists.</p>
]]></description><pubDate>Sun, 31 Mar 2024 00:55:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=39880300</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39880300</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39880300</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>Maybe we should consider moving more and more system processes to WebAssembly. wasmtime has a nice sandbox. Surely it will decrease the performance, but performance is not always that important. For example, on my dev machine even if SSHD or Apache's performance dropped 3x because of that, I wouldn't mind. If I really care, I can spend more money to get a more powerful CPU.</p>
]]></description><pubDate>Sun, 31 Mar 2024 00:44:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=39880228</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39880228</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39880228</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>ClamAV also has a lot of findings when scanning some open source projects' source code. For example, the LLVM project's test data. Because some of the test data are meant to check if a known security bug is fixed, from an antivirus software perspective these data files can be seen as exploits. ClamAV is commonly used. Or, I would suggest adding it to every CI build pipeline. Most of the time it wouldn't have any finding, but it is better than nothing. I would like to offer free help if an open source project has the need to harden their build pipelines and their release process.</p>
]]></description><pubDate>Sun, 31 Mar 2024 00:39:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=39880191</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39880191</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39880191</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>Does not have to be installed. See this: <a href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection#how-agentless-scanning-works" rel="nofollow">https://learn.microsoft.com/en-us/azure/defender-for-cloud/c...</a><p>A cloud provider can take snapshots of running VMs and then run an antivirus scan offline to minimize the impact on the customers.<p>Similarly, many applications are containerized and the containers are stateless, so we can scan the docker images instead. This approach has been quite mature.</p>
]]></description><pubDate>Sun, 31 Mar 2024 00:30:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=39880126</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39880126</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39880126</guid></item><item><title><![CDATA[New comment by snnn in "Xz: Can you spot the single character that disabled Linux landlock?"]]></title><description><![CDATA[
<p>So for each optional feature we may need three build options:<p>1. Force enable
2. Enable if available
3. Force disable<p>Like,<p><pre><code>   --enable_landlock=always
   --enable_landlock
   --disable_landlock</code></pre></p>
]]></description><pubDate>Sun, 31 Mar 2024 00:01:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=39879905</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39879905</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39879905</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>> to try to overwrite symbols in other modules, to add LD audit hooks on startup, to try to resolve things manually by walking ELF structures<p>I want to name one thing: when Windows fails to load a DLL because a dependency is missing, it doesn't tell you what is missing. To get the information, you have to interact with the DLL loader with low level Windows APIs. In some circumstances Linux apps may also have the need. Like for printing a user friendly error message or recovering from a non-fatal error. For example, the patchelf tool that is used for building portable python packages.<p>> No one wants a Linux antivirus<p>It is not true. Actually this software is very popular in enterprise settings.</p>
]]></description><pubDate>Sat, 30 Mar 2024 22:26:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=39879279</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39879279</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39879279</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>That's the most interesting part. No, we don't know it yet. The backdoor is so sophisticated that none of us can fully understand it. It is not a “usual” security bug.</p>
]]></description><pubDate>Sat, 30 Mar 2024 22:00:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=39879099</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39879099</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39879099</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>Actually, the new architectures are a big source of concerns. As a maintainer of a large open source project, I often received pull requests for CPU architectures that I never had a chance to touch. Therefore I cannot build the code, cannot run the tests, and do not understand most of the code. C/C++ themselves are portable, but libs like xz need to beat the other competitors on performance, which means you may need to use model specific SIMD instructions, query CPU cache size and topology, and work at a very low level. This code is not portable. When people add this code, they often need to add some tests, or disable some existing tests conditionally, or tweak the build scripts. So they are all risks.<p>No matter how smart you are, you cannot forecast the future. Now many CPUs have a heterogeneous configuration, which means they have big cores and little cores. But do all the cores have the same capabilities? Is it possible that a CPU instruction is only available on some of the CPU cores? What does it mean for a multithreaded application? Would it be possible that 64-bit CPUs may drop the support for 32-bit at hardware level? Ten years ago you could not predict what's going to happen today.<p>Windows has a large compatibility layer, which allows you to run old code on the latest hardware and latest Windows. It needs quite a lot of effort. Many applications would crash without the compatibility patches.</p>
]]></description><pubDate>Sat, 30 Mar 2024 21:51:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=39879021</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39879021</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39879021</guid></item><item><title><![CDATA[New comment by snnn in "XZ backdoor: "It's RCE, not auth bypass, and gated/unreplayable.""]]></title><description><![CDATA[
<p>I mostly agree with you, but I think your argument is wrong. Last month I found a tiny bug in Unix's fgrep program (the bug has no risk). The program implements the Aho-Corasick algorithm, which hasn't changed much over decades. However, at least when the code was released to 4.4BSD, the bug still existed. It is not much of a concern as nowadays most fgrep programs are just an alias of grep. They do not use the old Unix code anymore. The old Unix code, and much of FreeBSD, really couldn't meet today's security standard. For example, many text processing programs are vulnerable to DoS attacks when processing well-crafted input strings. I agree with you that in many cases we really don't need to touch the old code. However, it is not just because the algorithm didn't change.</p>
]]></description><pubDate>Sat, 30 Mar 2024 20:19:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=39878231</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39878231</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39878231</guid></item><item><title><![CDATA[New comment by snnn in "Backdoor in upstream xz/liblzma leading to SSH server compromise"]]></title><description><![CDATA[
<p>Some USB keys have an LCD screen on them to prevent that. You can compromise the computer that the key was inserted into, but you cannot compromise the key. If you see that the messages shown on your computer screen differ from the messages on the key, you reject the auth request.</p>
]]></description><pubDate>Sat, 30 Mar 2024 06:06:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=39872266</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39872266</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39872266</guid></item><item><title><![CDATA[New comment by snnn in "Backdoor in upstream xz/liblzma leading to SSH server compromise"]]></title><description><![CDATA[
<p>Not actually. Even if you enabled passkey, you can still log in to their phone app via SMS. So it is not more secure. People who know how to do SMS attacks certainly know how to install a mobile app. And BofA gave their customers a fake assurance.</p>
]]></description><pubDate>Sat, 30 Mar 2024 05:31:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=39872111</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39872111</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39872111</guid></item><item><title><![CDATA[New comment by snnn in "Backdoor in upstream xz/liblzma leading to SSH server compromise"]]></title><description><![CDATA[
<p>I don't think it would help much. I work on machine learning frameworks. A lot of them (and math libraries) rely on just-in-time compilation. None of us has the time or expertise to inspect JIT-ed assembly code. Not to mention that much of the code deliberately reads/writes out of bounds, which is not an issue if you always add some extra bytes at the end of each buffer, which could make most memory sanitizer tools useless. When you run their unit tests, you run the JIT code, then a lot of things could happen. Maybe we should ask all packaging systems to split their build into two stages, compile and test, to ensure that testing code would not impact the binaries that are going to be published.
I would rather read and analyze the generated code instead of the code that generates it.</p>
]]></description><pubDate>Sat, 30 Mar 2024 05:25:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=39872081</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39872081</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39872081</guid></item><item><title><![CDATA[New comment by snnn in "Linkers and Loaders (1999) [pdf]"]]></title><description><![CDATA[
<p>The mechanisms for Windows DLLs have been changed a lot (like how thread local vars are handled). Besides, this book could not cover C++11's magic statics, or Windows' ARM64X format, or Apple's universal2, because these things are very new. Windows now has the apiset concept, which is very unique. Upon it there are direct forwarding and reverse forwarders.<p>I think for C/C++ programmers it is more practical to know that:
1. The construction/destruction order for global vars in DLLs (shared libs) is very different between Linux and Windows. It means the same code might work fine on one platform but not the other one. It imposes challenges on writing portable code.
2. On Linux it is hard to get a shared lib cleanly unloaded, and it might affect how global vars are destructed, and might cause unexpected crashes at exit.
3. Since Windows has a DLL loader lock, there are a lot of things you cannot do in C++ class constructors/destructors if the classes could be used to define a global variable. For example, no thread synchronization is allowed.
4. It is difficult to clean up a thread local variable if the variable lies in a DLL and the variable's destructor depends on another global object.
5. When one static lib depends on another, a linker wouldn't use this information to sort the initialization order of global vars. It means it could be the case that A.lib depends on B.lib but A.lib gets initialized first. The best way to avoid this problem is using dynamic linking.<p>For Windows related topics I highly recommend the "Windows Internals" book.</p>
]]></description><pubDate>Wed, 06 Mar 2024 21:06:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=39621460</link><dc:creator>snnn</dc:creator><comments>https://news.ycombinator.com/item?id=39621460</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39621460</guid></item></channel></rss>