Stephen Smith's Blog

Musings on Machine Learning…

Archive for the ‘Security’ Category

Ghidra

with one comment

Introduction

In my novel “Influence”, the lead character J@ck Tr@de searches for an easter egg in a server operating system. To do this he uses a disassembler which converts machine code back into source code. Normally you write computer programs in a programming language which a compiler (another program) reads through and converts to the bits and bytes that computers actually execute. In my novel, the disassembler uses AI to do an especially good job. I don’t know of any disassembler that uses AI yet, but a new really powerful disassembler has just been released by the NSA as open source. So I thought I’d spend a bit of time blogging on this, since it’s open source, perhaps someone will add some AI to it, so it is a powerful as the tool J@ck uses.

Most disassemblers either aren’t very good, or are quite expensive. This just changed when the NSA released their internally developed tool Ghidra as open source. I don’t know where the word Ghidra comes from, but the icon for the program is a dragon. I downloaded this and gave it a run. It was easy to install, ran well and looks really powerful. Why did the NSA do this? Don’t they usually guard their internal tools with their lives? They claim it’s to help security researchers at Universities and such do a better job discovering vulnerabilities in software, making us all safer as a result. I wonder if it’s the NSA trying to get some good publicity, since they are generally untrusted and most Americans got upset when it was revealed that the NSA could access any photo on any cell phones, including dick-pics. This really upset a lot of people, probably the only good thing a dick-pic has ever done.

For anyone interested, my novel, Influence, is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

Installation

Ghidra is a Java program, so you need to have the Java 11 JDK installed first. I’m doing this on Ubuntu and didn’t already have Java installed. The Java that is installed by default apt-get is Java 10, so it didn’t work. To install Java 11, took a bit of Googling, but the following commands worked:

sudo add-apt-repository ppa:linuxuprising/java
sudo apt-get update
sudo apt-get install oracle-java11-installer

This adds an additional repository and then installs Java 11 from it. Then download Ghidra, uncompress it somewhere and run the shell script to start it.

Running

To play around with it, I created a new project and imported the executable file “head” from /usr/bin. This gave me some basic information on the executable:

It then takes a second to analyse the file and then I can launch the code browser and look through a split screen with the assembler code on the left and the generated C code on the right.

I can view a function call graph of the current function (the functions that call it and the functions that it calls).

I can view a function graph of the entire program that I can zoom in and out and browse around in.

I can annotate the program, add any insights I see. I can patch the program. All very powerful. Ghidra has full scripting support, the built in scripting language is Java, after all it is a Java program. But the API has support to add other scripting languages. There is a plug-in architecture so you can write extensions. It supports many executable formats and knows about many processor instruction sets.

Trust the NSA?

After I downloaded Ghidra, I watched a couple of YouTube videos on it. One of the presenters ran WireShark so he could see if Ghidra was making any network connections back to the NSA. After all, could this be a trojan horse that the NSA will use to find out what hackers are up to? At least this presenter didn’t see any network calls while he was running. But to a real hacker this could be major concern. As of this writing all the Java code has been open sourced, but some of the extra addons that are in other languages still need to be posted, so right now you can’t build Ghidra as it’s distributed, but the NSA say this should be remedied in a few weeks.

Summary

Although, perhaps not as powerful as what J@ck was using, this is a really powerful tool to reverse engineer programs and even operating systems. The generated source code isn’t great, but it’s helpful compared to just assembler. I think the expensive commercial disassembler vendors must be pretty upset as I really don’t see any reason for them to exist now? I think this will be a big boon to black and white hat hackers as well as to anyone that needs to reverse engineer some code (perhaps to figure out an undocumented API). Happy Hacking.

Written by smist08

March 6, 2019 at 9:19 pm

The Technology of “Influence” – Part 4 Kali Linux

with one comment

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In this series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. I’ve talked about HTTPS,  VPNs and the Onion Browser so far, now we’re going to discuss Kali Linux.

Linux is an operating system like Windows or MacOS. An operating system manages the hardware on your computer and manages running the applications that you use like a word processor or Internet browser. Linux is open source and free. There are many distributions of Linux, that are complete pre-built systems for you to install. The differences between the different distributions include things like how the desktop is configured to look, which other open source programs are bundled, when updates are installed, how updates are installed and how the system is configured. Kali Linux is one of these distributions that emphasizes security and comes with all the common open source security and hacking tools pre-installed.

Most hackers consider Linux better suited to their needs than Windows or MacOS. They don’t trust Microsoft or Apple to do a good enough job with security or worry about these big corporations spying on them. With Linux it’s easy to do things like change your MAC address and run the tools to keep you safe, secure and anonymous.

I blogged about Kali Linux for the Raspberry Pi last year here. J@ck would use this on the Raspberry Pi’s he has the homeless people plant in the garbage near coffee shops to tap into their wifi.

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

 

Offensive Security

The philosophy behind Kali Linux is that for your network to be secure, you have to attack it like a hacker. You have to use all the tools in a hacker’s toolbox, to ensure hackers can’t break in. Setting up security isn’t just a matter of following a checklist of todo items. You have to think like a hacker and try to penetrate your security like a hacker. Or hire so called white hat hackers to do it for you. Generally it’s a good practice to get a second or third pair of eyes looking for holes and weaknesses. The good white hat hackers are in high demand, and don’t come cheap.

Kali Linux comes with all the common open source hacking tools pre-installed. So they are all there and ready to attack your network. Of course the advertising is all about white hat hackers using these for good. But, of course, this is the same Linux distribution and toolset used by most of the malicious black hat hackers.

Kali Linux is also fairly secure if you follow the various instructions during installation, about securing things with private/public keys and such. Kali Linux doesn’t install any application servers like web servers or database servers, since these are usually good targets for hackers to attack.

Kali Linux is based on Debian Linux, so you can do most of the things other Debian based distributions can do, like Ubuntu. Just without all the useful productivity applications pre-installed. Kali Linux has versions for small system on a chip (SoC) like the Raspberry Pi. In these versions, any tools that won’t run well on the more minimal hardware are left out.

Thinking Like a Hacker

You can find quite a few books on how to use all the tools installed with Kali Linux. These are all a good start, but like I said, setting up a recipe or checklist is insufficient. You have to learn to think like a hacker. You have to figure out how to find the weak points in a network and then how to keep poking at them from all sorts of angles until you can penetrate them. Remember the world of hacking isn’t static. Hackers are always discovering new techniques and new weaknesses to exploit. If you are serious about protecting your network’s security then you have to stay on top of the latest developments. Often the weak points aren’t in the software, but in the employees. Hackers will use so called social engineering attacks to trick you users into revealing their passwords or other key information. Perhaps the hacker will leave a few USB keys lying around, that contain viruses that will infect your network if plugged into a corporate computer. Perhaps the weakness is a third party piece of hardware like a network router or firewall. These are notorious for having backdoors or other security weaknesses. You have to ensure all these miscellaneous pieces of equipment are kept up to date, or replaced if a serious problem is discovered.

The Security Onion

A key metaphor in the security industry is that you want to design your security systems like an onion with multiple layers, and not like and egg with one shell, which once breached gives access to everything inside.

Perhaps at the outside of your network, there are secure firewalls, but then inside that there are products that detect malicious or suspect network traffic and set off alerts when discovered. Further all the servers on the networks have very few ports open for network traffic and all the ones that are open are configured to use quite strong forms of authentication. Its common to use two level authentication, where the user needs a code from their cell phone in addition to their password in order to logon. Perhaps the parts of the network aren’t connected, so if an intruder gets access to one server, he’s still isolated from all the others.

Designing secure systems is an art as well as a science. The good news is that there are many open source tools available to set up all these layers of security. So it doesn’t have to be expensive, except where you have to hire the people to put it all in place.

Summary

Kali Linux is the preferred Linux Distribution of hackers. It pre-installs all the common open source hacking tools and by default has a fairly secure configuration. Of course any hacker will further secure their system and install a few more specialty tools perhaps from the dark web or things they wrote themselves.

Written by smist08

January 2, 2019 at 11:47 pm

The Technology of “Influence” – Part 3 The Onion Browser

with 2 comments

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In this series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. I’ve talked about HTTPS and VPNs so far, now we’re going to discuss the Onion Browser and the Tor network.

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

The Tor Network

Tor is an abbreviation for The Onion Router. You tend to see Tor and Onion used interchangeably. Nowadays Tor tends to refer to the Tor network and Onion to the open source browser that utilizes the Tor network to browse the web.

The Tor network and Onion Browser were developed by a group of people dedicated to security, privacy and anonymity. The Tor network depends on thousands of volunteers operating Tor network nodes (servers). When you use the Onion browser, each server connection that you use goes through a different random path through these Tor network nodes. Each node acts like a VPN, encrypting communications and hiding the location of the original request. To some degree using the Tor network is like using a set of different VPNs for each website you visit. This makes tracking you down very hard.

The Onion Browser is an open source Internet browser that performs all it’s requests through the Tor network.

The Dark Web

The dark web consist of a number of websites that aren’t linked to from the regular web. They only accept requests over the Tor network and you have to find out about them through means other than Googling. This so-called dark web has been know to host all sorts of “bad” e-commerce sites dealing in illegal drugs, human trafficking and child pornography. Whenever law enforcement tries to ban encryption or anonymity, they always use these sites as excuses to be able to track and spy on normal people’s web activity.

On the other hand in highly repressive states which block a lot of Internet traffic with the outside world, the Tor network and the dark web are the only way that dissidents can freely communicate, or that regular citizens can browse the web at all. Generally governments spend way more time tracking dissidents than they ever spend tracking down the illegal websites they claimed to be upset about.

How Safe Is It?

That all sounds pretty good, so why doesn’t J@ck just use the Onion browser and just not bother with all the other things he does? For one thing, government security services spend a lot of time trying to crack the Tor network. Many of the thousands of nodes in the Tor network are actually operated by government agencies. If one of these is your exit node, then they can get quite a bit of info on you. It’s a bit of a race between the developers of the Tor network and government departments like Homeland Security as to how safe the network is at any time.

Another problem is that even though, say Google can trace who you are from the network traffic, they can record things like your typing patterns and mouse movement patterns. These are apparently just like fingerprints and can be used to identify you. Other means are required to disguise these sort of things.

A general maxim in security is never trust anything entirely. The original name of the Onion browser was based on this idea of having many layers of security like the layers of an Onion. Tor provides several layers, but you can add more layers to be more secure.

Performance

Every server that you hit introduces a delay as that server receives, processes and then transmits your network packets of information. With the Tor network, you introduce a bunch of these delays to give you better security and privacy. Further, not all the Tor nodes have the greatest Internet bandwidth or server power. After all they are paid for and operated by volunteers. This all adds up to the Tor network being very slow. If you ever try to download a movie of the Tor network it will take forever. This is why people pay for VPNs with decent bandwidth and performance, rather than using Tor. If you aren’t downloading movies, and just doing small queries then it is usable. This is what J@ck tends to be doing.

Summary

The Tor network and Onion Browser are key tools used by every hacker. It provides great security and anonymity at the cost of access speed. If you want to check out the dark web then you need to use the Onion Browser.

Written by smist08

December 22, 2018 at 2:57 am

The Technology of “Influence” – Part 2 VPN

with 3 comments

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In a series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. I talked about HTTPS in my last post and in this article, we’re going to discuss Virtual Private Networks (VPNs).

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

What is a VPN?

We talked about HTTPS last time as a way to secure the communications protocol that a Browser uses to talk to a Web Server. Now consider a corporate network. People at work have their computers hooked directly into the corporate network. They use this to access email, various internal corporate websites, shared network drives and other centrally deployed applications. All of these services have their own network protocols all different than HTTP. Some of these protocols have secure variants, some don’t. Some have heavy security, some light security. Now suppose you want to access these from home or from a hotel while on a business trip? You certainly can’t just do this over the Internet, because its a public network and anyone can see what you are doing. You need a way to secure all these protocols. This is the job of VPN. When you activate VPN on your laptop, it creates a secure tunnel from your laptop through the Internet to a server in your secure corporate data center. The security mechanisms VPN uses are largely the same as HTTPS and pretty secure. Using VPN then allows you to work securely from home or from remote locations while travelling.

Why Would J@ck Use VPN?

J@ck Tr@de doesn’t work for a corporation. Why does he use VPN? Whose VPN does he use? In the example above, if I’m connected to my corporate VPN, all my network traffic is tunnelled through the VPN to the corporate server. So if I browse the Internet while connected to VPN, my HTTPS requests are sent to the corporate server and then it sends them to the Internet. This extra step slows things down, but it has an interesting side-effect. If I’m not signed into Google and I Google something, Google will see my Internet Address as the corporate server rather than my laptop. That means Google won’t know who I am exactly. It also means my location shows up as the location of the corporate server. This then hides both my location and my identity, things J@ck is very interested in doing.

But J@ck doesn’t work for a corporation? Whose VPN does he use? This “feature” of hiding identity and location is sufficiently valuable that people like J@ck will pay for it. This has resulted in companies setting up VPNs just for this purpose. Their VPN server doesn’t connect to other corporate network programs, only the Internet. Using one of these VPN services will help hide your identity and location, or at least websites can’t determine these from the address fields in your web network packets.

VPNs are popular with non-hackers as well to get at geographically locked content. For instance if you live in Canada, then the content you can get from Netflix is different than the content you get in the USA. But if you are in Canada and connect to a US based VPN server then Netflix will see you as being located in the USA and will give you the US content while you are connected.

Downsides of VPN

Sounds good, so what’s the catch? One is that since these are usually paid services, so you need to pay a monthly fee. Further, you need to authenticate to the VPN service so they know who you are. The VPN knows your IP address so it can trace who and where you are.

So do you trust your VPN? Here you have to be careful. If the VPN provider is located in the USA, then its subject to the Patriot Act and law enforcement can get ahold of their info. If you want US Netflix content, then you have to use an US based VPN, but at the same time US law enforcement really doesn’t care that much about the vagaries of what Netflix allows where. If you are a hacker then you really care and probably want to use a VPN in a country with some protections. For instance in Europe, getting a warrant for this is very difficult. Or perhaps use a VPN in the Caribbean that tend to ignore external law enforcement agencies requests. A bit of Googling can help here. Some hackers use a two or three VPNs at once, located in wildly different jurisdictions to make it even harder to be traced.

Internet bandwidth is expensive, so feeding streaming movies through a VPN can require their delux expensive plan. Doing little bits of hacking doesn’t require that much bandwidth so can be a little cheaper.

There are free VPNs, but most of these are considered rather suspect since they must be supporting themselves somehow, perhaps by selling secrets. VPNs are illegal in some countries like Iraq or North Korea. VPNs are required to be run by the government in other countries like China and Russia. So be wary of these.

Summary

VPNs are a way to secure your general Internet communications. They have the desirable side-effect of hiding your Internet address and location. VPNs are absolutely necessary for corporate security and useful enough that lots of other people use them as well,

Notice that J@ck doesn’t just rely on an VPN by itself, rather its one layer in a series of protections to ensure his anonymity and privacy.

Written by smist08

December 13, 2018 at 12:34 am

The Technology of “Influence” – Part 1 HTTPS

with 5 comments

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In a series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. But first I need to talk about HTTPS which is the normal Internet security mechanism we all use to secure our bank and shopping transactions. I’ll look at what this does protect and what it doesn’t protect. Once we understand the limitations of HTTPS, we can go on to look at why J@ck goes to so much trouble to add so many extra levels of security and misdirection.

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

What is HTTPS?

The communications protocol that Browsers use to communicate with Web servers is called HTTP (HyperText Transfer Protocol). This is the protocol that gets data for websites and downloads it to your browser to be displayed. The S added is for Secure and makes this process secure by encrypting the communications. In the early days of the Web doing all this encrypting/decrypting was expensive both for typical personal computers of the day and for web sites that have quite a high volume of traffic. These days computers are more powerful and can handle this encryption easily, and due to the prevalence of hackers and scammers, the current tendency is to just encrypt all Internet traffic. In fact most modern browsers will not let you use plain old HTTP and require the S for security.

HTTPS is actually quite secure. It is very difficult to decrypt with modern computer resources (even cloud based). It authenticates the server via a digital certificate which is provided by a certificate authority that validates the identity of who has the certificate. The protocol protects against man-in-the-middle attacks where someone impersonates one party and relays the information. It protects against data being tampered with in any way.

Sounds pretty good, and in fact it is pretty good. So why does J@ck feel a need to use VPNs or use the Tor network via the Onion Browser?

Weaknesses of HTTPS

J@ck’s main complaint is that: who he talks to knows who he is and what he is doing. For instance, all Google searches go through HTTPS, so no one can eavesdrop on what you are searching for. But, Google knows. Google logs all your searches and builds a detailed profile of you. Further Google is an American company and subject to the Patriot Act and other government programs to hand over your data if requested. Hence if, say you are Googling on hacking techniques, Google could turn that over to the FBI along with your IP address. Then the FBI can ask your ISP who owns this IP address and identify you and come to your door to ask you some questions. Of course if you are signed into your Google account, then they don’t need to bother with the IP address lookup. J@ck certainly doesn’t want that to happen.

HTTPS has some other weaknesses as well. The process of granting authentication certificates isn’t perfect. One of the most common Windows Updates is to alter the list of trusted certificate authorities, since they are often caught handing out fake certificates to shady operators. Along the same lines, most people don’t check the certificate of who they are talking to. This is how most phishing emails work. They send and email asking you to check your bank account, with a link that is similar to your banks, but not the same. The fake link goes to a page that looks like your bank’s login page, but it isn’t. If you click on the certificate icon in your browser you will see the certificate that that it isn’t your banks. But who does this? If you type in your username and password to this site, the bad actors can then use it to login to your real bank account and steal your money.

Hackers can learn a bit about the content of HTTPS traffic even though its encrypted. Perhaps the URI by comparing the lengths of the strings.

Another worry is that often more companies can see your data than you might think. For instance if you are talking to your bank, then you certainly expect you bank can understand your data. However your bank might use a third party web hosting company to host the web site and then that company can also see your data. Then the web hosting company might host the site on a cloud provider like AWS or Azure and then that group might be able to see your data. Then often websites protect themselves against DDoS attacks using a service like CloudFlare and part of that setup lets CloudFlare see the unencrypted data. So suddenly you aren’t just trusting one company, but four companies. This then provide many more vectors of attack and vulnerable points for hackers. Plus the bank might have hired outsourced programming to set up their website, and those contractors have enough credentials to see unencrypted data. These are actually the main causes for all the security breaches you read about at large Internet sites.

Summary

HTTPS is a pretty good way to secure Internet traffic and if you follow some basic good practices you should be ok. For instance never use a link in an email. Always goto the website through another means (like a favorite or use Google). For data you really care about, like your bank account, only access it from a network you trust, not the Wifi at a hotel or coffee shop.

Now that we understand the strength and weaknesses of HTTPS we can look at the extra layers that J@ck uses to stay anonymous and secure.

Written by smist08

December 11, 2018 at 2:33 am

Posted in Security, Writing

Tagged with , ,

Kali Linux on the Raspberry Pi

with one comment

Introduction

Raspbian is the main operating system for the Raspberry Pi, but there are quite a few alternatives. Raspbian is based on Debian Linux and there has been a good uptake on the Raspberry Pi which means that most Linux applications have ARM compiled packages available through the Debian APT package manager. As a consequence it’s quite easy to create a Raspberry Pi Linux distribution, so there are quite a few of them. Kali Linux is a specialist distribution that is oriented to hackers (both black and white hat). It comes with a large number of hacking tools for gaining access to networks, compromising computers, spying on communications and other fun things. One cool thing is that Kali Linux has a stripped down version for the Raspberry Pi that is oriented towards a number of specialized purposes. However with the apt-get package manager you can add pretty well anything that has been left out.

If you watch the TV show Mr. Robot (highly recommended) then you might notice that all the cool in-the-know people are running Kali Linux. If you want to get a taste of what it’s all about and you have a Raspberry Pi then all you need is a free micro-SD card to give it a try.

Are You a Black or White Hat?

If you are a black hat hacker looking to infiltrate or damage another computer system, then you probably aren’t reading this blog. Instead you are somewhere on the darknet reading much more malicious articles than this one. This article is oriented more to white hat hackers or to system administrators looking to secure their computing resources. The reason it’s important for system administrators to know about this stuff is that they need to know what they are really protecting against. Hackers are very clever and are always coming up with new hacks and techniques. So it’s important for the good guys to know a bit about how hackers think and to have defenses and protections against the imaginative attacks that might come their way. This now includes the things the bad guys might try to do with a Raspberry Pi.

Anyone that is responsible for securing a network or computer has to test their security and certainly one easy way to get started is to hit it with all the exploit tools included with Kali Linux.

Why Kali on the Pi?

A lot of hacking tasks like cracking WiFi passwords take a lot of processing power. Cracking WPA2 passwords is usually done on very powerful computers with multiple GPU cards and very large dictionary databases. Accomplishing this on a Raspberry Pi would pretty much take forever if it could actually do it. Many hacking tasks are of this nature, very compute intensive.

The Raspberry Pi is useful due to its low cost and small size. The low cost makes it disposable, if you lose it then it doesn’t matter so much and the small size means you can hide it easily. So for instance one use would be to hide a Raspberry Pi at the site you are trying to hack. Then the Raspberry Pi can monitor the Wifi traffic looking for useful data packets that can give away information. Or even leave the Pi somewhere hidden connected to a hardwired ethernet connection. Then Kali Linux has tools to get this information to external sources in a secretive way and allows you to remotely control it to direct various attacks.

Many companies build their security like eggs with a hard to penetrate shell and often locating a device on their premises can bypass their main security protections. You can then run repeated metasploit attacks looking for weaknesses from the inside. Remember your security should be more like an onion with multiple nested layers, so getting through one doesn’t give an attacker access to everything.

Installing Kali Linux

The Kali Linux web site includes a complete disk image of the Raspberry Pi version. You just need to burn this to a micro-SD card using a tool like ApplePi Baker. They you just put the micro-SD in your Raspberry Pi, turn it on and off you go. However there are a few necessary steps to take before you really start:

  1. The root password is toor, so change this first time you boot up.
  2. The Kali Linux instructions point out you need to refresh your SSH certificates since otherwise you get the ones included with the image. The download page has instructions on how to do this.
  3. The image is configured for 8Gig so if you have a larger SD card then you need to repartition it to get all the free space. I used the GParted program for this which I got via “apt-get install gparted”. Note that to use apt-get you need to connect to WiFi or the Internet. Another option is to get Raspbian’s configuration program and use that, it works with most variants of Debian Linux and allows you to do some other things like setup overclocking. You can Google for the wget command to get this.
  4. Update the various installed programs via “apt-get update” and “apt-get upgrade”. (If you aren’t still logged on as root you need to sudo these).

Now you are pretty much ready to play. Notice that you are in a nice graphical environment and that the application menu is full of hacking tools. These aren’t as many hacking tools as the full Kali distribution, but these are all ones that work well on the Raspberry Pi. They als limited the number so you can run off a really cheap 8 Gig micro-SD card.

I see people say you should stick to command line versions of the tools on the Pi due to its processing power and limited memory, but I found I could add the GUI versions and these worked fine. For instance the nmap tool is installed, but the zenmap graphical front end isn’t. Adding zenmap is easy via “apt-get install zenmap” and then this seems to work fine. I think the assumption is that most people will use the Raspberry version of Kali headless (meaning no screen or keyboard) so it needs to be accessed via remote control software like secure shell which means you want to avoid GUIs.

Summary

Installing Kali Linux on a micro-SD card for your Raspberry Pi si a great way to learn about the various tools that hackers can easily use to try and penetrate, spy on or interfere with people’s computers. There are quite a few books on this as well as many great resources on the Web. Kali’s website is a great starting point. Anyway I find it quite eye opening the variety of readily tools and how easy it is for anyone to use them.

Written by smist08

January 16, 2018 at 3:01 am

Spectre Attacks on ARM Devices

with one comment

Introduction

I predicted that 2018 would be a very bad year for data breaches and security problems, and we have already started the year with the Intel x86 specific Meltdown exploit and the Spectre exploit that works on all sorts of processors and even on some JavaScript systems (like Chrome). Since my last article was on Assembler programming and most of these type exploits are created in Assembler, I thought it might be fun to look at how Spectre works and get a feel for how hackers can retrieve useful data out of what seems like nowhere. Spectre is actually a large new family of exploits so patching them all is going to take quite a bit of time, and like the older buffer overrun exploits, are going to keep reappearing.

I’ve been writing quite a bit about the Raspberry Pi recently, so is the Raspberry Pi affected by Spectre? After all it affects all Android and Apple devices based on ARM processors. The main Raspberry Pi operating system is Raspbian which is variant of Debian Linux optimized for the Pi. A recent criticism of Raspbian is that it is still 32-Bit. It turns out that running the ARM in 32-bit mode eliminates a lot of the Spectre attack scenarios. We’ll discuss why this is in the article. If you are running 64-Bit software on the Pi (like running Android) then you are susceptible. You are also susceptible to the software versions of this attack like those in JavaScript interpreters that support branch prediction (like Chromium).

The Spectre hacks work by exploiting how processor branch prediction works coupled with how data is cached. The exploits use branch prediction to access data it shouldn’t and then use the processor cache to retrieve the data for use. The original article by the security researchers is really quite good and worth a read. Its available here. It has an appendix at the back with C code for Intel processors that is quite interesting.

Branch Prediction

In our last blog post we mentioned that all the data processing assembler instructions were conditionally executed. This was because if you perform a branch instruction then the instruction pipeline needs to be cleared and restarted. This will really stall the processor. The ARM 32-bit solution was good as long as compilers are good at generating code that efficiently utilize these. Remember that most code for ARM processors is compiled using GCC and GCC is a general purpose compiler that works on all sorts of processors and its optimizations tend to be general purpose rather than processor specific. When ARM evaluated adding 64-Bit instructions, they wanted to keep the instructions 32-Bit in length, but they wanted to add a bunch of instructions as well (like integer divide), so they made the decision to eliminate the bits used for conditionally executing instructions and have a bigger opcode instead (and hence lots more instructions). I think they also considered that their conditional instructions weren’t being used as much as they should be and weren’t earning their keep. Plus they now had more transistors to play with so they could do a couple of other things instead. One is that they lengthed the instruction pipeline to be much longer than the current three instructions and the other was to implement branch prediction. Here the processor had a table of 128 branches and the route they took last time through. The processor would then execute the most commonly chosen branch assuming that once the conditional was figured out, it would very rarely need to throw away the work and start over. Generally this larger pipeline with branch prediction lead to much better performance results. So what could go wrong?

Consider the branch statement:

 

if (x < array1_size)
    y = array2[array1[x] * 256];


This looks like a good bit of C code to test if an array is in range before accessing it. If it didn’t do this check then we could get a buffer overrun vulnerability by making x larger than the array size and accessing memory beyond the array. Hackers are very good at exploiting buffer overruns. But sadly (for hackers) programmers are getting better at putting these sort of checks in (or having automated or higher level languages do it for them).

Now consider branch prediction. Suppose we execute this code hundreds of times with legitimate values of x. The processor will see the conditional is usually true and the second line is usually executed. So now branch prediction will see this and when this code is executed it will just start execution of the second line right away and work out the first line in a second execution unit at the same time. But what if we enter a large value of x? Now branch prediction will execute the second line and y will get a piece of memory it shouldn’t. But so what, eventually the conditional in the first line will be evaluated and that value of y will be discarded. Some processors will even zero it out (after all they do security review these things). So how does that help the hacker? The trick turns out to be exploiting processor caching.

Processor Caching

No matter how fast memory companies claim their super fast DDR4 memory is, it really isn’t, at least compared to CPU registers. To get a bit of extra speed out of memory access all CPUs implement some sort of memory cache where recently used parts of main memory are cached in the CPU for faster access. Often CPUs have multiple levels of cache, a super fast one, a fast one and a not quite as fast one. The trick then to getting at the incorrectly calculated value of y above is to somehow figure out how to access it from the cache. No CPU has a read from cache assembler instruction, this would cause havoc and definitely be a security problem. This is really the CPU vulnerability, that the incorrectly calculated buffer overrun y is in the cache. Hackers figured out, not how to read this value but to infer it by timing memory accesses. They could clear the cache (this is generally supported and even if it isn’t you could read lots of zeros). Then time how long it takes to read various bytes. Basically a byte in cache will read much faster than a byte from main memory and this then reveals what the value of y was. Very tricky.

Recap

So to recap, the Spectre exploit works by:

  1. Clear the cache
  2. Execute the target branch code repeatedly with correct values
  3. Execute the target with an incorrect value
  4. Loop through possible values timing the read access to find the one in cache

This can then be put in a loop to read large portions of a programs private memory.

Summary

The Spectre attack is a very serious new technique for hackers to hack into our data. This will be like buffer overruns and there won’t be one quick fix, people are going to be patching systems for a long time on this one. As more hackers understand this attack, there will be all sorts of creative offshoots that will deal further havoc.

Some of the remedies like turning off branch prediction or memory caching will cause huge performance problems. Generally the real fixes need to be in the CPUs. Beyond this, systems like JavaScript interpreters, or even systems like the .Net runtime or Java VMs could have this vulnerability in their optimization systems. These can be fixed in software, but now you require a huge number of systems to be patched and we know from experience that this will take a very long time with all sorts of bad things happening along the way.

The good news for Raspberry Pi Raspbian users, is that the ARM in the older 32-Bit mode isn’t susceptible. It is only susceptible through software uses like JavaScript. Also as hackers develop these techniques going forwards perhaps they can find a combination that works for the Raspberry, so you can never be complacent.

 

Written by smist08

January 5, 2018 at 10:42 pm