Alex Willmer
alex@moreati.org.uk
@moreati
Dock chief Susan Willmer
KIA: SOL-3 Harvest
Scout ship TLV-3495
Presumed destroyed
David Levinson Steven Hiller
'CABLE REPAIR' operatives
M-012: Harvest Coordination signal leaked into human communication bands
V-002: Trainee G.X. fired on human
'WELCOME WAGON'
V-078: Pilot Z.K. captured, taken to the Human leader & probed
V-164: IFF & docking regulations ignored on the command carrier
pumpmon held capabilities that were unnecessary to pump operation. These capabilities were implicitly granted by the OS architecture.
SOL-3 enquiry, Ch 17
Exploitation of these ... led directly to the SOL-3 defeat
SOL-3 enquiry, Ch 23
pumpmon Capability | Exploited to
---|---
Read global files | Gather addresses of nodes to attack; discover other vulnerable programs
Monitor processes | Disguise its own activity; detect & evade audit routines
Create network sockets | Map Fleet networks; attack other nodes; exfiltrate data; command & control
SOL-3 enquiry, Appendix F
Problem | Examples
---|---
Broken APIs | strcpy() strtok() ...
Global namespaces | / /dev /var /home ... getpid() getgid() getuid() ...
Mutable shared state | setlocale() signal() setenv() ...
Resource acquisition | argv open() bind() getaddrinfo() ...
Implicit capabilities | stdin stdout stderr ...
# ls.py
import os, sys

dirpath = str(sys.argv[1])        # a string naming a path in the global namespace
for entry in os.listdir(dirpath):
    print(entry)                  # stdout is an implicit capability
$ python ./ls.py /tmp/
foo.txt
bar
baz.v974hv
[...]
# ls.py
import os

dir_fd = 0                        # the directory arrives as an already-open descriptor (stdin)
out_fd = 1                        # output goes to whatever descriptor 1 is
output = open(out_fd, 'w')
for entry in os.listdir(dir_fd):  # os.listdir() accepts a directory fd
    print(entry, file=output)
$ python ./ls.py < /tmp/
foo.txt
bar
baz.v974hv
[...]
# ls.py
import os, argdata

dir_fd = argdata.get_fd('dir')    # descriptors are looked up by name, not by position
out_fd = argdata.get_fd('output')
output = open(out_fd, 'w')
for entry in os.listdir(dir_fd):
    print(entry, file=output)
$ cloudabi-run python < args.yaml
foo.txt
bar
baz.v974hv
[...]
# args.yaml
%TAG ! tag:nuxi.nl,2015:cloudabi/
---
dir: !file
  path: /tmp/
output: !fd stdout
script: !file
  path: ls.py
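As an added illustration (not CloudABI's, cloudabi-run's or the talk's own code), the split that args.yaml relies on, modelled in plain Python on Linux: a launcher that resolves names to descriptors outside the sandbox, a program that only ever receives descriptors, and a user-space approximation of the rule that paths resolve only beneath a directory capability. The names resolve_args, ls_capabilities, open_under and demo are chosen here, and the sample files are constructed.

```python
import os
import tempfile

def resolve_args(spec):
    """Launcher side: map {name: ('file', path) | ('fd', n)} to {name: fd}."""
    fds = {}
    for name, (kind, value) in spec.items():
        if kind == 'file':
            fds[name] = os.open(value, os.O_RDONLY)  # only the launcher sees paths
        elif kind == 'fd':
            fds[name] = int(value)                   # inherited descriptor, e.g. stdout
        else:
            raise ValueError(f'unknown argdata kind {kind!r}')
    return fds

def ls_capabilities(args):
    """Program side: only descriptors come in, so there is no path to misuse."""
    entries = sorted(os.listdir(args['dir']))        # os.listdir() takes a dir fd
    with os.fdopen(os.dup(args['output']), 'w') as out:
        for entry in entries:
            print(entry, file=out)
    return entries

def open_under(dir_fd, relpath, flags=os.O_RDONLY):
    """Open relpath beneath dir_fd only; a user-space approximation of the
    rule CloudABI's kernel enforces (no absolute paths, no '..' escapes)."""
    if os.path.isabs(relpath) or '..' in relpath.split('/'):
        raise PermissionError(f'{relpath!r} is outside the directory capability')
    return os.open(relpath, flags, dir_fd=dir_fd)   # openat(2)-style lookup

def demo():
    """Constructed input: a temp dir with three files and a pipe as 'output'."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ('foo.txt', 'bar', 'baz.v974hv'):
            open(os.path.join(tmp, name), 'w').close()
        out_r, out_w = os.pipe()
        args = resolve_args({'dir': ('file', tmp), 'output': ('fd', out_w)})
        listed = ls_capabilities(args)
        os.close(out_w)
        written = os.read(out_r, 4096).decode().split()
        os.close(out_r)
        os.close(open_under(args['dir'], 'foo.txt'))   # allowed: beneath dir
        refused = []
        for path in ('/etc/hostname', '../escape'):
            try:
                os.close(open_under(args['dir'], path))
            except PermissionError:
                refused.append(path)
        os.close(args['dir'])
        return {'listed': listed, 'written': written, 'refused': refused}
```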
%TAG ! tag:nuxi.nl,2015:cloudabi/
---
concurrent_connections: 64
hostname: nuxi.nl
listen:
  - !socket
    bind: 148.251.50.69:80
logfile: !file
  path: /var/log/httpd/nuxi.nl.access.log
rootdir: !file
  path: /var/www/nuxi.nl
I'll give you my open() when you pry it
from my cold, dead hands
ALL THESE FILES ARE YOURS — EXCEPT /dev/europa
ATTEMPT NO open() THERE
I am altering libc, pray I don't alter it further
A novice once asked Master Foo
Is the way of UNIX weakly or strongly typed?
Master Foo considered her answer
Not weak. Not strong.
The way of UNIX is stringly typed.
The novice was enlightened.
Birmingham, UK