Linux Seminar in Oulu 2010 featuring Bjarne Stroustrup

Saturday, March 20th, 2010

A few days ago I went to Oulu, a city in the north of Finland, to attend the Linux Symposium, which was featuring Bjarne Stroustrup, the inventor of C++.

I left Helsinki on Monday night and arrived in Oulu at 7:30 AM on the overnight train. It was so-o-o co-o-old in Oulu! We did not have such freezing temperatures during the whole winter in Helsinki. On that early spring day it was -20 centigrade. Because the train arrived early, I initially planned to walk to Oulu University, which is located approximately 5 km from the train station. I actually walked there but I froze like I have not frozen for a long time. What was surprising to me was that local people were walking and even riding bikes normally. Apparently, they got used to such temperatures. In Finland there is a special word, sisu, which means persistence and stubbornness in a good sense of the word. Now I know that the city of Oulu is the city of sisu – sisu students, sisu workers, sisu everybody.

I barely had time to warm up in the university lobby before the conference began. It had a keynote speech dedicated to the looming C++ 0x standard as well as two tracks: business and technical. Before the conference I had spent lots of time studying the agenda, trying to decide which track I wanted to go to. But there were interesting talks in both tracks. So I needed to remember the order in which I would visit the tracks. It turned out that there is a simple algorithm which tells you which track to go to at any moment of time. The idea is that it is best to always switch tracks: for example, if you are listening to a talk in the technical track now, then the next interesting talk is in the business track. So I followed this algorithm and I enjoyed every talk that I attended.

But first was the keynote. Bjarne is a great speaker! He was describing his work in the standardization committee and the features that were selected for the new C++ 0x standard. He said that the name of this new standard comes from the year in which they wanted to get it approved – anytime before year 2010, but at this moment the standard is in the Final Draft phase, which means that it will probably get approved in year 2012.

Bjarne pointed out several criteria that they used when selecting features for the standard. Basically, keep it simple was the main criterion. Any extra functionality should go to a library. Keep the run-time as small as possible. One of the goals was to make it possible to use C++ as the first language when teaching in a college. It is an ambitious goal, as most US universities are using Java as the first language. A new set of features for writing parallel programs was described. Mostly, it was related to locks, semaphores, etc. and avoiding deadlocks and other problems, as well as inter-process communication. To me it sounds like pretty low-level stuff. After his presentation I asked whether the committee thinks they’ve chosen the right level of abstraction. Nowadays there are a few interesting parallel programming frameworks such as Map-Reduce and transactional memory. Bjarne said that it is too early to standardize any of those, which is probably true.

The funny thing is that the committee does not necessarily accept the features that Bjarne proposes even though he is the inventor of C++. For example, he was trying to get lexical_cast into the standard, which is basically a string tokenizer. But the committee voted against him because of possible problems with locale. In the picture above Bjarne is trying to persuade the audience that lexical_cast is a cool feature.

Here are the notes from a few other talks:

Sami Paihonen. Implementing cross-platform UI

The core of cross-platform UI is UI style.
Lots of research. Empty screen is the best place to start.
6 design principles: avoid clutter. Too many things on the screen. Two hands is not mobile usage.
IPhone open-source contacts has a better UI than official app.
UI style defines core UI identity
Smoothness and stability are most important. Steven Frei blog.
blog: dizzyhorizon.com

Mikko Välimäki, Tuxera. Open source and IP licensing

This is the guy who won Espoo half-marathon!

Tuxera is a company doing filesystems on non-Windows systems
GNU GPL – free of charge to everyone.
Is it possible to use Android UI on another hardware? Apple is suing HTC for Patent infringement.
Jonathan Schwartz blog. Bill asks royalty for every download of OO b/c of patent infringement.
Microsoft sued TomTom over usage of FAT file system.
Mixed, dual-licensed, open & proprietary models will win.

Alexander Bezprozvanny. Traditional vs agile/open source

Different roles that a person takes in multiple teams in agile.
key differences in OSS projects: no project managers. Project leaders are models.
Healthy community is the key.
Definition of healthy community, various paths that a project might take depending on how developers interact with users. Nice diagram.

Examples:

1) Too late means never. Affix and bluez bluetooth stacks. Commercial vs. open-source. A company that missed release.

2) High admission price: OpenBSD community. A success at a high price.

3) OSS contribution from software company: bureaucratic barrier too high. Disclaimer of rights is difficult to explain to management.

4) Maemo case: combining proprietary and OSS SW.

Ari Jaaksi’s speech and consequences in his blog.

A 400% faster Linux file system

Saturday, February 2nd, 2008

Flash filesystem (FFS) specialist Datalight Inc. will soon release a commercial Linux FFS claimed to provide 400 percent faster write performance and 500 percent faster mount speed compared to JFFS2.

DeviceGuru

Cansecwest'06

Monday, May 22nd, 2006

I have downloaded Metasploit 2.6, although Metasploit 3.0 is already available. The idea was to port our test suite to Metasploit so that all the exploits are together. I found the 2.6 release frustrating. Its API is difficult to understand. I am also very critical of the design of the framework and its documentation. To me it looks like Metasploit is “attacker-oriented” instead of “victim-oriented”. This means that it introduces concepts of modules and events but does not say much about payloads. It was difficult to translate the standard exploit representation nop-payload-retaddr into the framework’s target and payload data structures. Let us go over each of these components in detail:

  • nop: I wanted to use the \x90 opcode but I was unable to do so in Metasploit. There are functions Initnops and Makenops but it was difficult to understand what their effect was, as they did not generate a \x90 sequence. I ended up prepending \x90 bytes in the payload building function.
  • payload: Metasploit has a great choice of payloads but they require encoders if there are prohibited terminating characters, for example ’\0’. Are there payloads that do not require an encoder? When planning the layout of the packet, I had to find out the length of the payload which Metasploit has. What is the length of the encoded payload?
  • retaddr: if I would like a packet of a given length, how many bytes remain after the nop landing pad and the encoded payload?

I also had a concern with its exploitation mechanism: the idea is to redirect the victim into the landing pad. The brute-force attack steps over a specified number of bytes at each iteration based on the length of the landing pad. Can Metasploit compute the step automatically using its knowledge of the payload?

If I were to write this framework, I would use the nop-payload-retaddr design. That is, if you have the length of the packet and the payload, I would allow the framework to find the number of padding bytes and the brute-force attack step automatically. Finding the correct address might take a number of iterations if the range of the return addresses is wide. Therefore, parallel execution would speed up the exploitation.
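The nop-payload-retaddr layout discussed above can also be read from the receiving side, which is what a test suite for a detector cares about. The following is an added example, not code from the original post or from Metasploit: it splits a buffer into those three regions and flags the textbook shape. The function names, thresholds and sample bytes are constructed for illustration.

```python
NOP = 0x90  # single-byte x86 no-op, the landing-pad byte named in the post


def split_layout(buf: bytes, word: int = 4):
    """Split buf into the three regions of the nop-payload-retaddr layout.

    Returns (sled_len, body_len, ret_count, ret_addr): the leading run of
    NOP bytes, the bytes in between, and how many times the final
    little-endian word repeats at the end of the buffer.
    """
    sled = 0
    while sled < len(buf) and buf[sled] == NOP:
        sled += 1
    # Only look for a repeated tail word in what remains after the sled.
    tail = buf[-word:] if len(buf) - sled >= word else b""
    rets, end = 0, len(buf)
    while tail and end - word >= sled and buf[end - word:end] == tail:
        rets += 1
        end -= word
    addr = int.from_bytes(tail, "little") if rets else None
    return sled, end - sled, rets, addr


def looks_like_overflow(buf: bytes, min_sled: int = 16, min_rets: int = 2) -> bool:
    """Flag the plain layout only (thresholds are assumptions).

    Encoded payloads and sleds built from other opcodes do not match this
    simple shape, so a negative result is not proof of a clean buffer.
    """
    sled, body, rets, _ = split_layout(buf)
    return sled >= min_sled and rets >= min_rets and body > 0


# Constructed samples: 0xCC bytes stand in for a payload, the address is made up.
SAMPLE = bytes([NOP]) * 64 + b"\xcc" * 24 + (0xBFFFF6C0).to_bytes(4, "little") * 8
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, split_layout(buf), looks_like_overflow(buf))
```

The reported sled length is the same quantity the post wants the framework to derive from the packet and payload lengths.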

Related work: How shellcodes work.

Shellcodes

PXE Linux installation

Tuesday, April 25th, 2006

We have got a number of Dell SC1425 computers in the lab with dual-core Xeon processors in them. Among those computers that ended up on our rack there was just one with a DVD drive. The remaining ones had a network interface and a hard drive with no OS pre-installed. I was charged with setting up the operating system. Network interface PXE boot was the appropriate technology to use.

The idea was to boot a light-weight Linux distribution over the net and install it on the hard drive. The next step was to place the images of Fedora Core on the hard drive and bootstrap it from there. I tried Knoppix as the light-weight OS but the boot process on the client machine ended up with a ”very limited shell” message. I crawled the Internet trying to find other PXE-enabled distributions but found virtually nothing. So I thought it was time to build a Linux distribution on my own.

I used Fedora Core’s kernel and followed advice on How to build root file system. First I used ISOLINUX to burn bootable CDs. After my trash bin was full of used CDs I got something that was booting and bringing up the network. The OS was booting completely to RAM without relying on the presence of a hard drive or a CDROM. I gave it the name “ELinux” which stands for “ECSL Linux”. It is not available for download yet because it prints out ugly error messages during the boot process, but I will try to get rid of them sooner or later and will release it then.

I used PXELINUX to boot a client computer. There we go! The remaining part was straightforward: I used fdisk to partition the hard drive and tftp to save Fedora’s images on it. Then I installed Fedora using the “install from hard drive” option.

It turned out that Fedora had a PXELINUX initrd image so I did not need a bootstrap Linux. The experience was useful however, as it gave me an understanding of the Linux boot process. ELinux is one of the few, if not a unique Linux distribution that boots to the RAM over a network interface.

Mind map of Linux distributions. ELinux should go to the Minimalist Distribution category.

Xen installation problem

Thursday, April 20th, 2006

Xen0 kernel 2.6.16-1.2080 from Fedora Core 5 does not boot when NVIDIA Geforce 6600 video card is installed in Dell Dimension 4700. BIOS has an option that specifies which card to use. When it is set to “on-board video card” xen0 does not boot either. The solution is to remove the video card. Bugzilla entry.

This release of Xen was installed successfully on Dell SC1425. But when the guest Fedora Core 4 OS boots up it is unable to find a network interface.

Another Xen release 2.6.12.6-xen3_7.1_fc4 available here works correctly on SC1425 and boots into runlevel 3 on Dimension 4700 with Geforce 6600 but the host kernel does not find a network interface in the latter case.

I gave up trying to make Xen work on Dimension 4700. There was a problem with Xen 2.6.12.6-xen3_7.1_fc4 because I did not have kernel headers for it and therefore was unable to add kernel modules. So I thought I should’ve worked with FC5 release of Xen.

The guest OS was unable to find a network interface when FC4 was used, but when I used FC5 as the guest OS the interface was there. The remaining features I wanted were kernel modules and GUI. The kernel headers were downloaded with yum (kernel-devel). Linux has a build framework so that Makefiles have to specify the source files and flags. vncserver was installed to allow remote desktop on the virtual machine. The required packages were xorg-x11, vncserver, vncviewer, and xorg-tvm.

How else are people using this technology? Xen and the Art of Consolidation.

GNU libsigsegv

Wednesday, April 5th, 2006

GNU libsigsegv allows implementing user-level page fault handlers. Dusk will use it to map kernel memory to user-level processes.

A segmentation fault is generated when mmap is used with MAP_FIXED.

Handling Interrupt Descriptor Table for fun and profit.
It is very operating-system specific. The symbols that it uses are not exported in Linux. This means we implement a user-level page fault handler instead of one at the kernel level.