This Week In Security: Chrome Speech Bug, UDP Fragmentation, And The Big Citrix Vulnerability

A critical security bug was fixed in Chrome recently, CVE-2020-6378. The CVE report is still marked private, as well as the bug report. All we have is “Use-after-free in speech recognizer”. Are we out of luck, trying to learn more about this vulnerability? If you look closely at the private bug report, you’ll notice it’s in the Chromium bug tracker. Chrome is based primarily on the Chromium project, with a few proprietary features added. Since Chromium is open source, we can go find the code change that fixed this bug, and possibly learn more about it.

Off to the Chromium source, mirrored on Github. We could look at every commit, and eventually find the one we’re looking for, but Chromium commit messages usually include a reference to the bug that is fixed by that commit. So, we can use Github’s search function to find a commit that mentions 1018677. Just like that, we’ve found a single commit and more information.

The shutdown mentioned in the commit message possibly refers to the browser being closed, but it could also refer to the tab doing the speech recognition, or even to the speech system itself. Because multiple parts are being unloaded in parallel, there is a race between a call into the abort object and that object being unloaded from memory. This race can result in a classic use-after-free, with code execution jumping to a memory location that has already been freed.

All interesting, but how does this warrant a Critical rating? Enter the Web Speech API. I’m speculating just a bit, but it’s likely that this API uses the speech recognizer code in question. It may even be interacting with the security prompt that triggers the crash. Imagine that an attacking page attempts to use the speech API, and then releases the API object before the user can respond to the prompt. That *might* be the scenario that was discovered, though we’re deep into speculation now.

Nuclear Fusion At 100: The Hidden Race For Energy Supremacy

It’s hardly a secret that nuclear fusion has had a rough time when it comes to its image in the media: the miracle power source that is always ‘just ten years away’. Even if no self-respecting physicist would ever make such a statement, the arrival of commercial nuclear fusion power cannot come quickly enough for many. With the promise of virtually endless, clean energy with no waste, it truly does sound like something from a science-fiction story.

Meanwhile, in the world of non-fiction, generations of scientists have dedicated their careers to understanding better how plasma in a reactor behaves, how to contain it and what types of fuels would work best for a fusion reactor, especially one that has to run continuously, with a net positive energy output. In this regard, 2020 is an exciting year, with the German Wendelstein 7-X stellarator reaching its final configuration, and the Chinese HL-2M tokamak about to fire up.

Join me after the break as I look into what a century of progress in fusion research has brought us and where it will take us next.


Building A Low-Tech Website For Energy Efficiency

In an age of flashy jQuery scripts and bulky JavaScript front-end frameworks, loading a “lite” website is like a breath of fresh air. When most of us think of lightweight sites, though, our mind goes to old-style pure HTML and CSS sites or the intentionally barebones websites of developers and academics. Low-tech Magazine, an intentionally low-tech and solar-powered website, manages to incorporate both modern web aesthetics and low-tech efficiency in one go.

Rather than hosting the site on data centers – even those running on renewable power sources – they have a self-hosted site that is run on solar power, causing the site to occasionally go off-line. Their model contrasts with the cloud computing model, which allows more energy efficiency at the user-side while increasing energy expense at data centers. Each page on the blog declares the page size, with an average page weight of 0.77 MB, less than half of the average page size of the top 500,000 most popular blogs in June 2018.

Some of the major choices that have limited the size of the website include building a static site rather than a dynamic one, “dithering” images, doing without a logo, staying with default typefaces, and eliminating all third-party tracking, advertising services, and cookies. Their GitHub repository details the front-end decisions, including using Unicode characters for the site’s logo rather than embedding an SVG. While the latter may be scalable and lightweight as a format, it requires distribution to the end user, which can involve a zipped package with eps, ai, png, and jpeg files in order to ensure the user is able to load the image.

As for the image dithering, the technique allows the website to maintain its characteristic appearance while reducing image quality, and therefore file size, as far as possible. Luckily for Low-tech Magazine, the theme of the magazine allows for black and white images, which suit dithering well. Image sprites also help minimize server requests by combining multiple small images into one. Storage-wise, the combined image takes up less memory and only loads once.

There are also a few extra features that emphasize the website’s infrastructure. The background color indicates the charge level of the solar-charged battery for the website’s server, while other stats about the server’s location (time, sky conditions, forecast) make the website’s likely availability in the near future more visible. Who knows, with greater awareness of environmental impact, this may be a new trend in web design.

This Week In Security: Camera Feeds, Python 2, FPGAs

Networked cameras keep making the news, and not in the best of ways. First it was compromised Ring accounts used for creepy pranks, and now it’s Xiaomi’s stale cache sending camera images to strangers! It’s not hard to imagine how such a flaw could happen: Xiaomi does some video feed transcoding in order to integrate with Google’s Hub service. When a transcoding slot is re-purposed from one camera to another, the old data stays in the buffer until it is replaced by the new camera’s feed. The root cause is probably the same as the random images shown when starting some 3D games.

Python is Dead, Long Live Python

Python 2 has finally reached End of Life. While there are many repercussions to this change, the security considerations are important too. The Python 2 environment will no longer receive updates, even if a severe security vulnerability is found. How often is a security vulnerability found in a language? Perhaps not very often, but the impact can be far-reaching. Let’s take, for instance, this 2016 bug in zipimport. It failed to sanitize the header of a ZIP file being processed, causing all the problems one would expect.

It is quite possible that because of the continued popularity and usage of Python 2, a third party will step in and take over maintenance of the language, essentially forking Python. Unless such an event happens, it’s definitely time to migrate away from Python 2.

Living At The Close Of The Multiway Era

After over a decade of laptop use, I made the move a couple of months ago back to a desktop computer. An ex-corporate compact PC and a large widescreen monitor on a stand, and alongside them a proper mouse and my trusty IBM Model M that has served me for decades. At a stroke, the ergonomics of my workspace changed for the better, as I no longer have to bend slightly to see the screen.

The previous desktop PC was from an earlier time. I think it had whatever the AMD competitor to a Pentium 4 was, and if I recall correctly, its 512 MB of memory was considered to be quite something. On the back it had an entirely different set of sockets to my new one: a brace of serial ports, a SCSI port, and a parallel printer port. Inside the case, its various drives were served by a set of ribbon cables. It even boasted a floppy drive. By contrast, the cabling on its successor is a lot lighter, with much less bulky connectors: a few USB plugs and a network cable, and SATA for its disk drive. The days of bulky multiway interconnects are behind us, and probably most of us are heaving a sigh of relief.

The Barcode Revolution: Welcome To Our Automated World

Featured in many sci-fi stories as a quicker, more efficient way to record and transfer information, barcodes are both extremely commonplace today and still amazingly poorly understood by many. Originally designed to allow for increased automation by letting computer systems scan a code carrying information about the item it labels, the barcode is becoming ever more popular as an information carrier.

Without the tagging ability of barcodes (and their close cousin, RFID tags), much of today’s modern world would grind to a halt. The automated sorting and delivery systems for mail and parcels, entire inventory management systems, the tracing of critical avionics and rocketry components around the globe, as well as the seemingly mundane but widely used rapid checkout at the supermarket, all depend on some variety of barcode.

Join me on a trip through the past, present and future of the humble barcode.


36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware

With open source software, we’ve grown accustomed to a certain level of trust that whatever we are running on our computers is what we expect it to actually be. Thanks to hashing and public key signatures in various parts in the development and deployment cycle, it’s hard for a third party to modify source code or executables without us being easily able to spot it, even if it travels through untrustworthy channels.

Unfortunately, when it comes to open source hardware, the number of steps and parties involved that are out of our control until we have a final product — production, logistics, distribution, even the customer — makes it substantially more difficult to achieve the same peace of mind. To make things worse, to actually validate the hardware on chip level, you’d ultimately have to destroy it.

In his talk this year at the 36C3, [bunnie] gave a detailed insight into several attack vectors we could face during manufacturing. Skipping the obvious ones like adding or substituting components, he focuses on highly ambitious and hard to detect modifications inside an IC’s package with wirebonded or through-silicon via (TSV) implants, down to modifying the netlist or mask of the integrated circuit itself. And these aren’t theoretical or “what if” scenarios, but actual possible options — of course, some of them come with a certain price tag, but in the end, with the right motivation, money is only a detail.
