Virtualization technology has really had a boost recently, especially as a way of securing software. Put your browser into a virtual machine to secure it. Put your PDF reader into a sandbox to secure it.

         +-- VM 1 -- virtual kernel 1 -- PDF reader
         |
kernel --+-- VM 2 -- virtual kernel 2 -- web browser
         |
         +-- VM 3 -- virtual kernel 3 -- online banking

This architecture is comparatively inefficient, due to the virtualized kernels. As we are using virtual machines, we can make the virtual hardware homogeneous, thus we can put the device management into the processes themselves directly, gaining a smaller memory footprint:

         +-- VM 1 -- PDF reader
         |
kernel --+-- VM 2 -- web browser
         |
         +-- VM 3 -- online banking


The problem is that virtualizers sometimes have security holes, too. This problem can be addressed by stacking various kinds of them, so a hacker must find out the kind of virtual machine and then use the right exploit to break out.

         +-- VMa 1 -- VMb 1 -- VMc 1 -- PDF reader
         |
kernel --+-- VMa 2 -- VMb 2 -- VMc 2 -- web browser
         |
         +-- VMa 3 -- VMb 3 -- VMc 3 -- online banking

To gain a little more security, though not much, we can shuffle the kinds of VMs, so the hacker must determine the kind and choose the right exploits.

         +-- VMa 1 -- VMc 1 -- VMb 1 -- PDF reader
         |
kernel --+-- VMb 2 -- VMa 2 -- VMc 2 -- web browser
         |
         +-- VMc 3 -- VMb 3 -- VMa 3 -- online banking

Of course, this is still not satisfactory: it is plausible to assume that all sorts of virtualizers have exploits and hackers will actively use them. Using multiple exploits to punch through multiple VM layers may be harder than breaking just one sandbox, but not that much.

Usually, we assume that distinct virtual machines have distinct bugs - this is of course only plausible when they do not use the same backend. Now, during exploits, mostly some unusual things are done, and mostly the aftermath is completely different from what one would expect in a system without the exploited bug. So one approach of increasing the security is just running the same application in two virtual machines with the same input, and comparing the output and the memory pages. As long as no exploit is used, they should remain equal, and as soon as they are not equal, something has gone wrong and we can freeze the machines immediately to prevent them from doing bad stuff.
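The comparison scheme from the paragraph above, as an added Python example that is not part of the original post: two independently written toy backends execute the same instruction stream, and a monitor compares a hash of guest memory and output after every step. The instruction set, the backends, the bug in backend A and both sample programs are constructed for illustration.

```python
import hashlib

MEM = 8  # guest memory cells per VM (constructed toy size)

def step_a(state, ins):
    """Backend A: constructed bug, STORE does not bounds-check the address."""
    op, x, y = ins
    if op == "STORE":
        state["ram"][x] = y                      # x >= MEM hits the host cells
    elif op == "OUT":
        state["out"].append(state["ram"][x % MEM])

def step_b(state, ins):
    """Backend B: independently written, wraps every address into guest RAM."""
    op, x, y = ins
    if op == "STORE":
        state["ram"][x % MEM] = y
    elif op == "OUT":
        state["out"].append(state["ram"][x % MEM])

def new_state():
    # MEM guest cells followed by 4 "host" cells a guest must never touch
    return {"ram": [0] * (MEM + 4), "out": []}

def fingerprint(state):
    """Hash the guest-visible memory and the output produced so far."""
    guest = bytes(state["ram"][:MEM]) + bytes(state["out"])
    return hashlib.sha256(guest).hexdigest()

def run_lockstep(program):
    """Run the program on both backends; freeze at the first divergence."""
    a, b = new_state(), new_state()
    for n, ins in enumerate(program):
        step_a(a, ins)
        step_b(b, ins)
        if fingerprint(a) != fingerprint(b):
            return {"frozen": True, "step": n, "instruction": ins}
    return {"frozen": False, "step": len(program), "output": a["out"]}

# Constructed inputs: a well-behaved program and one that writes out of bounds.
BENIGN = [("STORE", 2, 65), ("OUT", 2, 0)]
OUT_OF_BOUNDS = [("STORE", 1, 7), ("STORE", 9, 255), ("OUT", 1, 0)]

if __name__ == "__main__":
    print(run_lockstep(BENIGN))
    print(run_lockstep(OUT_OF_BOUNDS))
```

The out-of-bounds write is caught only because backend B does not share backend A's bug; two VMs built on the same backend would corrupt memory identically and never diverge.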

Of course, to put an additional difficulty onto it, we try to make the VM graph look "random".

         +-- VMa 1 -- spawn -- VMb 1 -- PDF reader
         |              |                 |
         |              + ---- VMc 1 -----+
         |
         |     +--------- VMb 2 ---------+
         |     |                         |
kernel --+-- spawn -- VMa 2 -- VMc 2 -- web browser
         |
         +-- spawn --VMa 3 -- online banking
               |                    |  |
               +-- spawn -- VMb 3 --+  |
                     |                 |
                     +----- VMc 3 -----+

This way is already very secure, as you need to have a lot of knowledge to actually find your way to the kernel. However, we rather expect there to be a few mostly equal virtualizers than many completely different ones. This means that even this concept can be broken easily with sufficient knowledge of the internals of all VMs.

The spawn nodes all use the innovative RPM™ (Reasoning Processing Module) technology. The crucial innovation of MazeVM™ is the Circular™ RPM™ introduced to it. It allows circular connections between virtual machines and even with the kernel itself:

         +-- VMa 1 -- VMc 1 -- VMb 1 -- spawn -- PDF reader
         |              |                 |
         |              +------CRPM-------+
         |
kernel --+-- VMb 2 -- VMa 2 -- VMc 2 -- web browser
         |     |
         |     +-- spawn -- VMb 3 -- VMa 3 -- online banking
         |           |
         +--CRPM----VMc 3

The kernel itself can easily be disguised as a virtual machine of its own, and thus, we can build a complicated graph of virtual machines monitoring each other, a "maze", hence the name. In such a maze, it can be extremely hard to find a way to the actual kernel of the computer, especially if you do not see which of the many machines is not virtual - thus, in a sufficiently large MazeVM™ graph, an attacker has no chance to ever come to your actual machine and do any harm to you.

MazeVM™ is compatible with most of the modern virtualizers, including but not limited to JPC, NestedVM and JSx86. The preferred virtualizer is Parrot under Linux, and CygwinVZ under Windows.

Notice that CygwinVZ is, however, still under heavy development, and the upstream releases may not be ready for production use. MazeVM™'s version for Windows therefore contains its own patched, well-tested version of CygwinVZ.

The Internet just made my day once again. The well-known dish soap brand Pril is holding a contest for the best design. It is clear what happens when you let the Internet submit designs, and this is reflected in their notes:

"Of course, humorous entries are absolutely part of a design contest. Unfortunately, however, the number of people who deliberately use our campaign to create offensive or truly tasteless designs has increased in the meantime. This also includes designs that are extremely critical from a legal point of view or even prohibited. We are sure you understand that we have to put a stop to this."

Of course I understand that; I do not want to know how many pictures of penises and swastikas they have received in the meantime. Unfortunately, the Internet has not yet grown up in this respect - my opinion that, with the current laws, this will never happen either is irrelevant in this case.

Now they also have a list of the most popular designs. And at least at the moment I am writing this sentence, this picture is far ahead. And that is a good thing; I find this design very contemporary. For all who do not know it, that face is a meme that one sees every now and then.

So will it soon adorn the Pril bottles? I would certainly see reasons that speak for it. In the flower-power era, Pril rode that wave. With this campaign, Pril apparently wants to present itself as a representative of a youth culture. Should this design make it onto the Pril bottles, at most a few housewives would refrain from buying Pril, but in return the brand would gain publicity rather quickly, at least within the blogosphere, but surely also in some magazines.

But I do not believe that this will happen, because the notes also say:

"As you know, a jury selects two designs from the most popular Pril bottles, which will go on sale throughout Germany. In selecting the two designs, the jury will pay particular attention to ensuring that they fit the Pril brand and the Henkel company, and will take into account their attractiveness to consumers and their acceptance by retailers."

And when I look at who the jury consists of, and already hear these criteria... Will designers and brand managers really understand the beauty in such a design? Will they understand what it would mean for them as a brand? Will they be willing to move from the image of the dish soap for tender-handed flower children to the modern image of the dish soap that is also suited to filthy student digs? I do not believe so.

But I would find it nice if I were wrong here.

Thinking of user accounts in unix-like systems, a lot can be done to secure the users from one another:

  • Limiting the network access
  • Limiting the number of processes
  • Limiting the amount of RAM
  • Limiting the amount of disk space using quotas
  • Limiting the access to files, especially device files

I can only speak of unix-like systems, but it seems like the Windows NT kernels have similar mechanisms, and therefore certainly similar problems.

Of course, from time to time there are privilege escalations, but bugs are not the major problem, in my humble opinion: There is quite a lot of software that breaks the barriers provided by the kernel. X11 would be an example of a possibility to break through this barrier: Let two X clients connect to the same X display, and they can send keystrokes, etc., and this is not limited to one machine either. On the other hand, of course, in the case of GUIs, there is no easy way to do it differently, if one wants to be able to take screenshots and send special events to other applications. And this is not limited to X11, as the Win-API gives a possibility to send keystrokes, take screenshots and even change some captions, and I think the Cocoa API of OS X allows something similar. And while taking screenshots is hard to forbid, there are possibilities to create additional barriers, like Xnest in the case of X11.

On the other hand, there are things like DBus which form an RPC-Mechanism that also may break barriers between users. And of course, there are nice things like the setuid-bit.

Still, all of these mechanisms remain safe if used with caution. The worse thing comes from software that forces the user to remove barriers.

While it is generally a good thing to make user directories only readable, writable and executable by the current user, a common configuration of Apache, using mod_userdir, requires user directories to be +rx for at least the group, such that the user can put his content into a subdirectory www-public of his home directory. This setup is so annoying, especially in large computer pools where I do not want every other user to be able to read my local configuration. And it does something dangerous: It motivates users to be sloppy about access control. I would prefer a setup that has separated directories, maybe in /var/users, that can be symlinked into the user directory (to make it easier for the users to handle), but are not read from there.
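A check for the two layouts described above, as an added Python example that is not part of the original post: it flags home directories that are open to group or other, and public directories that still live inside the home directory instead of being a symlink to a separate location. The users alice and bob, the temporary tree and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_home(home, public_name="www-public"):
    """Return a list of findings for one home directory."""
    findings = []
    mode = stat.S_IMODE(os.lstat(home).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"home is open to group/other (mode {mode:03o})")
    pub = os.path.join(home, public_name)
    if os.path.lexists(pub):
        real_home = os.path.realpath(home)
        if not os.path.islink(pub):
            findings.append("public directory lives inside the home directory")
        elif os.path.commonpath([os.path.realpath(pub), real_home]) == real_home:
            findings.append("symlink target is still inside the home directory")
    return findings

def build_demo(root):
    """Constructed tree: alice uses the in-home layout, bob the separated one."""
    alice = os.path.join(root, "home", "alice")
    os.makedirs(os.path.join(alice, "www-public"))
    os.chmod(alice, 0o750)        # group r-x so the web server can descend
    bob = os.path.join(root, "home", "bob")
    os.makedirs(bob)
    os.chmod(bob, 0o700)          # home stays private
    served = os.path.join(root, "var", "users", "bob")
    os.makedirs(served)
    os.chmod(served, 0o755)       # only this directory is world-readable
    os.symlink(served, os.path.join(bob, "www-public"))
    return {"alice": alice, "bob": bob}

def demo():
    with tempfile.TemporaryDirectory() as root:
        homes = build_demo(root)
        return {user: audit_home(path) for user, path in homes.items()}

if __name__ == "__main__":
    for user, findings in demo().items():
        print(user, findings or "ok")
```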

In general, when a user's access to system resources is limited far enough, there should be no problem for him to run arbitrary executables, and in fact, the major problem mostly lies in the executables they want to run rather than the configuration. Thus, while I can remember that older hosting providers gave user accounts, most modern providers give you a VPS. Ok, this is what the technical evolution brought us, and a VPS is easier to use and secure than multiple user accounts. It is simple to use multiple software distributions on the same machine, and have strong barriers between them. Often, technical progress evolves differently than intended at first.

The real question is whether the same will not happen to architectures with many virtual machines. A sufficiently cooperative operating system can already degenerate into a runtime library with the right virtualization environment. With the first companies giving up on securing their software and putting them in sandboxes, it might be just a matter of time until putting every larger application into a sandbox becomes common - which causes problems: Think of a web browser - with its own filesystem, you cannot easily download files and open them externally, without punching holes. But punching holes means breaking barriers, and breaking barriers usually means lowering security. The simplest configuration, and possibly the only one that inexperienced users would accept, would be to give the virtual machine full access to your home directory (as far as I remember, that is what VMware Fusion does, but VMware Fusion is not meant to provide security) which makes the sandbox almost useless for security: The user will have most of his important files in his home directory.

I already wrote an article on that topic on my old blog (in German), which was, as I just noticed, inspired by an earlier article on Heise, about the same software as the one which inspired me to write this post.

I did not test the software yet: It needs at least 4 gig RAM, and it is not recommended to virtualize it - I simply have no machine to run it currently. But I do not want to doubt the quality of this software, as it sounds like they knew what they did, and it also sounds useful, and using virtualization as one of many security precautions is ok.

I just do not like the idea of using virtual machines as a primary security precaution.

Panel 1: Person A and Person B in front of a computer. B: "I tried Linux, but it cannot render my videos flawlessly on this machine." A: "It is pretty old. Linux may be running on it, but that is a problem of the video codec. Have you already tried some of the recommended optimisations? I have seen people running it quite well after doing some configuration."

Panel 2: B: "Nah. Seems like Linux is not mature yet. I think I will buy a new Windows-PC. Or maybe I will try a Mac. They are said to be very user friendly." A: "Mature? The reasonable versions of Windows will not even run on this machine, not to mention Mac OS X. And it costs you several hundred euros just for the software, not to mention a new computer."

Panel 3: B: "Ok, listen. I only want software that works. And obviously, this is not the case for this Linux system. You are the expert - you have to convince me to use this software!" A: "If you wish to waste your money, feel free to do so..."

Panel 4-5: Now A and B are standing in front of a nuclear power plant. A: "These nuclear power plants are just a procrastinated way of pollution. Besides the many hazardous chemicals involved with them, it is not clear what to do with the nuclear waste in the long term. It is not clear whether they are a threat to our health. And above that, they waste a lot of taxpayers' money that could be invested in new forms of energy production." B: "You are not an expert. The experts say it is safe and cheap. We should leave this decision to the experts."

I was just told that the equality of computable functions of type $\{0,1\}^\omega\rightarrow\omega$ is decidable. I was a bit confused about this at first, since trivially, the equality of functions $\omega\rightarrow\omega$ is undecidable: Let $[.]$ be a complete enumeration of all proofs in our meta-theory $T$, then define $g(n)=\left\{\begin{array}{l} 1 \mbox{ if } [n] \mbox{ proves }\bot \\ 0 \mbox{ otherwise}\end{array}\right.$, then by Gödel's second incompleteness theorem, we cannot decide whether $g=\lambda n.\,0$.

However, even though the question whether two computable functions $\{0,1\}^\omega\rightarrow\omega$ are equal seems harder than the same question for $\omega\rightarrow\omega$, it is not. A first step in understanding why is maybe that every terminating algorithm is finite, and therefore can only use finitely many elements of a sequence in $\{0,1\}^\omega$.

Of course, having this information without any proofs I tried to prove it myself. I noticed that this should be strongly related to the compactness theorem. And here is the outcome:

Lemma 1:
Let a computable $f:\{0,1\}^\omega\rightarrow\omega$ be given, and $a=(a_i)_i\in\{0,1\}^\omega$. Then there is some initial subsequence $b=(b_i)_{i<n}$ of $a$, such that for all sequences $c$, $f(b*c)=f(a)$.
Proof: A terminating Turing machine can, for every given sequence $a$, only read finitely many elements of $a$, thus, there is an upper bound $m\in\omega$ such that the program depends only on the elements $a_j$ with $j<m$. Set $n=m$ and $(b_i)_{i<n} = (a_i)_{i<m}$. Then $f(b*c)=f(a)$ for all sequences $c$, since the program does not depend on any elements not in $b$.
□


We say that a computable $f$ depends only on a sequence $a=(a_i)_{i<n}$ when for every $c_1,c_2$ we have $f(a*c_1)=f(a*c_2)$, and it depends exactly on $a=(a_i)_{i<n}$ when it depends only on $(a_i)_{i<n}$ but this is not the case for subsequences $(a_i)_{i<m}$, $m<n$.

By Lemma 1 it is trivial to prove that two functions $f,g$ are not equal: Just find a sequence $a$ on which both of them depend only, and for which $f(a)\neq g(a)$. The more interesting part is the case when they are equal.

Using Lemma 1, we can encode such functions $f$ in the following way: Let $(A_i)_{i\in\omega}$ be predicate constants, and denote by $PA$ the first-order Peano arithmetic. If $f(a)=k$ where $f$ depends only on $(a_i)_{i<m}$, then let $M_{f,a,c}:=(\bigwedge\limits_{a_i=1,i<m} A_i \wedge \bigwedge\limits_{a_i=0,i<m} \lnot A_i)\leftrightarrow c=k$, where $c$ is a term constant, and $k$ can be expressed in the form $S(\ldots S(0))$ as usual. Now define $Mod_{f,c} := PA \cup \{ M_{f,a,c} \mid a \in \{0,1\}^\omega\}$. Obviously, $f(a)=k \Leftrightarrow (Mod_{f,c}[A_i:\Leftrightarrow(a_i=1)]\models c=k)$. Now, if two functions $f,g$ are equal, we know that $PA\cup Mod_{f,c}\cup Mod_{g,d}\cup \{c\neq d\}$ is not satisfiable, and therefore, $PA\cup Mod_{f,c}\cup Mod_{g,d}\cup \{c\neq d\}\models\bot$. By the completeness theorem, we therefore know that $PA\cup Mod_{f,c}\cup Mod_{g,d}\cup \{c\neq d\}\vdash\bot$, and hence, the equality $f=g$ is provable.

Nice.
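Lemma 1 also yields a direct decision procedure, shown here as an added Python example that is not part of the original post and takes a different route than the proof above: instead of searching for a proof, it walks the tree of finite prefixes, stopping at each prefix the function never reads past, and compares the two functions on those leaves. It assumes the functions are total and read their argument only by indexing; the sample functions f1, f2 and f3 are constructed.

```python
class Recorder:
    """An infinite 0/1 sequence: a finite prefix padded with zeros.
    Remembers the largest index that was read."""
    def __init__(self, prefix):
        self.prefix = prefix
        self.max_read = -1

    def __getitem__(self, i):
        self.max_read = max(self.max_read, i)
        return self.prefix[i] if i < len(self.prefix) else 0

def leaves(f, prefix=()):
    """Yield (prefix, value) pairs such that f depends only on each prefix.
    The tree is finite for total f (compactness of {0,1}^omega)."""
    seq = Recorder(prefix)
    value = f(seq)
    if seq.max_read < len(prefix):
        yield prefix, value                 # f never looked past the prefix
    else:
        yield from leaves(f, prefix + (0,))
        yield from leaves(f, prefix + (1,))

def find_difference(f, g):
    """Return a finite prefix on which f and g differ, or None if f == g."""
    both = lambda seq: (f(seq), g(seq))     # reads of f and g are both recorded
    for prefix, (fv, gv) in leaves(both):
        if fv != gv:
            return prefix
    return None

def f1(a):
    """Index of the first 1 among the first three elements, else 3."""
    for i in range(3):
        if a[i]:
            return i
    return 3

def f2(a):
    """Same function as f1, but reads all three elements in reverse order."""
    bits = [a[2], a[1], a[0]]
    return 3 - max((k + 1 for k, b in enumerate(bits) if b), default=0)

def f3(a):
    """Agrees with f1 except on sequences starting with five ones."""
    return 7 if all(a[i] for i in range(5)) else f1(a)

if __name__ == "__main__":
    print(list(leaves(f1)))
    print(find_difference(f1, f2), find_difference(f1, f3))
```

The leaves of f1 are exactly the prefixes it depends exactly on in the sense defined above, which is why `(0, 1)` and `(1,)` appear without being extended to length three.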

For nostalgia I still keep the scanned images of the old herbarium I had to make in my biology class ten years ago.

> http://uxul.de/blog/herbarium/

The scanner still works, and it is still in use. A Canon Lide 30. The old computer is broken, unfortunately. The herbarium is still somewhere in my closet.

Nostalgia ...

On The Old New Thing we are taught that Windows is not a .NET Framework delivery channel.
I have no problem with this, seems reasonable that the operating system is separated from the rest of the stuff, but in fact, this is nothing Windows is known for. In ancient times, Windows used to be just a graphical user interface, and even in the times of Windows 98 it is arguable whether it should really be considered as an operating system rather than as a desktop environment hooking on a DOS kernel. Even if one accepts that the strict separation of frontends and backends is something special to *n*x, while Windows is optimized for the stupid end user who is not interested in how his software works, still Windows 98 had the Internet Explorer and a JVM installed by default. And actually, that was one thing I liked, since I could write software for my friends without them having to install a lot of runtimes and stuff.

And at least under Windows, this has not really changed - when I write software for Windows, then I am trying to make it independent of as much as possible, or if I really have to add dependencies, I will try to make the software work inside Cygwin, which has a packaging system.

This is only true for Windows. In fact, for Linux, it is much easier, since most Linux distributions have a package manager for which I can simply supply a package that has the correct dependencies (as most larger environments are usually part of a distribution). Upgrades and version compatibility are managed automatically by the package manager.

On Windows, there seems to be a central package management (I think I have read about one in the past, but I cannot remember where), but I do not know whether it is only available to parts of the system, at least no other software I know uses it: Most software checks for updates when started. Some software even has background processes getting on my nerves (like the JVM).

Maybe that is due to the fact that commercial software likes message boxes blobbing onto your screen, telling you what software you use and why, even though that gets on your nerves - in the end, the user is there to pay money, his contentedness is just one way to make him do so, and advertising is another.

W00t, today I saw a first Sprout in one of my flower pots, where I seeded tomatoes.



Hopefully, the other ones will come soon, too.