Wednesday, October 05, 2016

How to Crash Systemd in a 50 character command

How to Crash Systemd in One Tweet

The following command, when run as any user, will crash systemd:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system). All of this can be caused by a command that’s short enough to fit in a Tweet.

Edit (2016-09-28 21:34): Some people can only reproduce if they wrap the command in a while true loop. Yay non-determinism!

The bug is remarkably banal. The above systemd-notify command sends a zero-length message to the world-accessible UNIX domain socket located at /run/systemd/notify. PID 1 receives the message and fails an assertion that the message length is greater than zero. Despite the banality, the bug is serious, as it allows any local user to trivially perform a denial-of-service attack against a critical system component.

The immediate question raised by this bug is what kind of quality assurance process would allow such a simple bug to exist for over two years (it was introduced in systemd 209). Isn’t the empty string an obvious test case? One would hope that PID 1, the most important userspace process, would have better quality assurance than this. Unfortunately, it seems that crashes of PID 1 are not unusual, as a quick glance through the systemd commit log reveals commit messages such as:

Systemd’s problems run far deeper than this one bug. Systemd is defective by design. Writing bug-free software is extremely difficult. Even good programmers would inevitably introduce bugs into a project of the scale and complexity of systemd. However, good programmers recognize the difficulty of writing bug-free software and understand the importance of designing software in a way that minimizes the likelihood of bugs or at least reduces their impact. The systemd developers understand none of this, opting to cram an enormous amount of unnecessary complexity into PID 1, which runs as root and is written in a memory-unsafe language.

Some degree of complexity is to be expected, as systemd provides a number of useful and compelling features (although they did not invent them; they were just the first to aggressively market them). Whether or not systemd has made the right trade-off between features and complexity is a matter of debate. What is not debatable is that systemd’s complexity does not belong in PID 1. As Rich Felker explained, the only job of PID 1 is to execute the real init system and reap zombies. Furthermore, the real init system, even when running as a non-PID 1 process, should be structured in a modular way such that a failure in one of the riskier components does not bring down the more critical components. For instance, a failure in the daemon management code should not prevent the system from being cleanly rebooted.

In particular, any code that accepts messages from untrustworthy sources like systemd-notify should run in a dedicated process as an unprivileged user. The unprivileged process parses and validates messages before passing them along to the privileged process. This is called privilege separation and has been a best practice in security-aware software for over a decade. Systemd, by contrast, does text parsing on messages from untrusted sources, in C, running as root in PID 1. If you think systemd doesn’t need privilege separation because it only parses messages from local users, keep in mind that in the Internet era, local attacks tend to acquire remote vectors. Consider Shellshock, or the presentation at this year’s systemd conference which is titled “Talking to systemd from a Web Browser.”
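As an added example (not systemd's code) of the fail-safe message handling described with the bug above, and of the validation step a privilege-separated design would run in its unprivileged process, this C handler treats an sd_notify-style datagram as untrusted input: a zero-length message is refused with an error code instead of failing an assertion, and every line must be a well-formed KEY=VALUE pair before any of it is acted on. The state struct, the function names and the key grammar are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not systemd's code: a fail-safe handler for sd_notify-style
 * datagrams ("KEY=VALUE\n" lines). Malformed input, including the zero-length
 * message that crashed PID 1, gets an error code back; nothing asserts. */
enum notify_status { NOTIFY_OK = 0, NOTIFY_EMPTY = -1, NOTIFY_MALFORMED = -2 };
/* Hypothetical state, filled in only from a fully validated message. */
struct notify_state { int ready; char status[64]; };  /* READY=1, STATUS=... */

/* Key: one or more of [A-Z0-9_] then '='; value: no control characters. */
static int line_is_sane(const char *line, size_t len) {
    size_t i = 0;
    for (; i < len && line[i] != '='; i++) {
        char c = line[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    if (i == 0 || i == len)             /* empty key, or no '=' at all */
        return 0;
    for (size_t j = i + 1; j < len; j++)
        if ((unsigned char)line[j] < 0x20 || line[j] == 0x7f)
            return 0;
    return 1;
}

int handle_notify_message(const char *buf, size_t n, struct notify_state *out) {
    struct notify_state st = {0};
    if (n == 0)                         /* the crash case: refuse, don't assert */
        return NOTIFY_EMPTY;
    const char *p = buf, *end = buf + n;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t len = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (len > 0) {                  /* blank lines are tolerated */
            if (!line_is_sane(p, len))
                return NOTIFY_MALFORMED;    /* whole message dropped, *out untouched */
            if (len == 7 && memcmp(p, "READY=1", 7) == 0)   /* known keys; others ignored */
                st.ready = 1;
            else if (len > 7 && memcmp(p, "STATUS=", 7) == 0) {
                size_t vlen = len - 7;
                if (vlen >= sizeof st.status) vlen = sizeof st.status - 1;
                memcpy(st.status, p + 7, vlen);
                st.status[vlen] = '\0';
            }
        }
        p = nl ? nl + 1 : end;
    }
    *out = st;
    return NOTIFY_OK;
}
```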

Systemd’s “we don’t make mistakes” attitude towards security can be seen in other places, such as this code from the main() function of PID 1:

/* Disable the umask logic */
if (getpid() == 1)
        umask(0);

Setting a umask of 0 means that, by default, any file created by systemd will be world-readable and -writable. Systemd defines a macro called RUN_WITH_UMASK which is used to temporarily set a more restrictive umask when systemd needs to create a file with different permissions. This is backwards. The default umask should be restrictive, so forgetting to change the umask when creating a file would result in a file that obviously doesn’t work. This is called fail-safe design. Instead systemd is fail-open, so forgetting to change the umask (which has already happened twice) creates a file that works but is a potential security vulnerability.
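The fail-safe alternative to the umask(0) default, as an added example that is not systemd's code: the process keeps a restrictive umask and a scoped macro (a stand-in for the idea behind RUN_WITH_UMASK, but used to widen rather than to restrict) relaxes it only around the one file creation that needs it. The three functions create a file the same way and return the permission bits the kernel actually stored; the file paths and names are assumptions.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not systemd's code: fail-safe versus fail-open umask handling.
 * The process default stays restrictive; a scoped macro widens it only around
 * the one call that needs a more permissive file, then restores it. */
#define WITH_UMASK(mask, stmt) do {                   \
        mode_t saved_ = umask(mask);                  \
        stmt;                                         \
        umask(saved_);                                \
    } while (0)

/* Create a file with the requested mode and return its permission bits
 * (st_mode & 0777) as actually stored, or -1 on error; cleans up after itself. */
static int create_and_mode(const char *path, mode_t requested) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* Fail-safe: umask 077 is the default, so a forgotten umask change yields a
 * private file (0600) that visibly fails to be shared, not a world-writable one. */
int mode_with_restrictive_default(const char *path) {
    umask(077);
    return create_and_mode(path, 0666);     /* "forgot" to widen -> 0600 */
}

/* Widen explicitly, and only, where a shared file is really wanted. */
int mode_with_scoped_widening(const char *path) {
    int mode = -1;
    umask(077);
    WITH_UMASK(022, mode = create_and_mode(path, 0666));    /* -> 0644 */
    return mode;
}

/* Fail-open, as in the umask(0) snippet above: the same forgotten change
 * silently yields a world-readable and -writable 0666 file. */
int mode_with_fail_open_default(const char *path) {
    umask(0);
    return create_and_mode(path, 0666);     /* -> 0666 */
}
```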

The Linux ecosystem has fallen behind other operating systems in writing secure and robust software. While Microsoft was hardening Windows and Apple was developing iOS, open source software became complacent. However, I see improvement on the horizon. Heartbleed and Shellshock were wake-up calls that have led to increased scrutiny of open source software. Go and Rust are compelling, safe languages for writing the type of systems software that has traditionally been written in C. Systemd is dangerous not only because it is introducing hundreds of thousands of lines of complex C code without any regard to longstanding security practices like privilege separation or fail-safe design, but because it is setting itself up to be irreplaceable. Systemd is far more than an init system: it is becoming a secondary operating system kernel, providing a log server, a device manager, a container manager, a login manager, a DHCP client, a DNS resolver, and an NTP client. These services are largely interdependent and provide non-standard interfaces for other applications to use. This makes any one component of systemd hard to replace, which will prevent more secure alternatives from gaining adoption in the future.

Consider systemd’s DNS resolver. DNS is a complicated, security-sensitive protocol. In August 2014, Lennart Poettering declared that “systemd-resolved is now a pretty complete caching DNS and LLMNR stub resolver.” In reality, systemd-resolved failed to implement any of the documented best practices to protect against DNS cache poisoning. It was vulnerable to Dan Kaminsky’s cache poisoning attack which was fixed in every other DNS server during a massive coordinated response in 2008 (and which had been fixed in djbdns in 1999). Although systemd doesn’t force you to use systemd-resolved, it exposes a non-standard interface over DBUS which they encourage applications to use instead of the standard DNS protocol over port 53. If applications follow this recommendation, it will become impossible to replace systemd-resolved with a more secure DNS resolver, unless that DNS resolver opts to emulate systemd’s non-standard DBUS API.

It is not too late to stop this. Although almost every Linux distribution now uses systemd for their init system, init was a soft target for systemd because the systems they replaced were so bad. That’s not true for the other services which systemd is trying to replace such as network management, DNS, and NTP. Systemd offers very few compelling features over existing implementations, but does carry a large amount of risk. If you’re a system administrator, resist the replacement of existing services and hold out for replacements that are more secure. If you’re an application developer, do not use systemd’s non-standard interfaces. There will be better alternatives in the future that are more secure than what we have now. But adopting them will only be possible if systemd has not destroyed the modularity and standards-compliance that make innovation possible.

Hi, I’m Andrew. I’m the founder of SSLMate, a service which automates your SSL certificate deployment. I also develop open source projects like git-crypt and titus.

I blog here about a variety of technology topics, including security, devops, IPv6, and reliable programming. If you liked this post, check out my other posts or subscribe to my Atom feed.

My email address is andrew@agwa.name. I’m AGWA at GitHub and @__agwa on Twitter.

Saturday, October 01, 2016

Clinton Email: We Must Destroy Syria For Israel

Posted on June 18, 2016 by Sean Adl-Tabatabai in News, US
Leaked Clinton email reveals that Clinton ordered war against Syria to benefit Israel

A leaked Hillary Clinton email confirms that the Obama administration, with Hillary at the helm, orchestrated a civil war in Syria to benefit Israel.

The new Wikileaks release shows the then Secretary of State ordering a war in Syria in order to overthrow the government and oust President Assad, claiming it was the “best way to help Israel”.

Newobserveronline.com reports:

The document was one of many unclassified by the US Department of State under case number F-2014-20439, Doc No. C05794498, following the uproar over Clinton’s private email server kept at her house while she served as Secretary of State from 2009 to 2013.

Although the Wikileaks transcript dates the email as December 31, 2000, this is an error on their part, as the contents of the email (in particular the reference to May 2012 talks between Iran and the west over its nuclear program in Istanbul) show that the email was in fact sent on December 31, 2012.

The email makes it clear that it has been US policy from the very beginning to violently overthrow the Syrian government—and specifically to do this because it is in Israel’s interests.

“The best way to help Israel deal with Iran’s growing nuclear capability is to help the people of Syria overthrow the regime of Bashar Assad,” Clinton forthrightly starts off by saying.

Even though all US intelligence reports had long dismissed Iran’s “atom bomb” program as a hoax (a conclusion supported by the International Atomic Energy Agency), Clinton continues to use these lies to “justify” destroying Syria in the name of Israel.

She specifically links Iran’s mythical atom bomb program to Syria because, she says, Iran’s “atom bomb” program threatens Israel’s “monopoly” on nuclear weapons in the Middle East.

If Iran were to acquire a nuclear weapon, Clinton asserts, this would allow Syria (and other “adversaries of Israel” such as Saudi Arabia and Egypt) to “go nuclear as well,” all of which would threaten Israel’s interests.

Therefore, Clinton, says, Syria has to be destroyed.

Iran’s nuclear program and Syria’s civil war may seem unconnected, but they are. What Israeli military leaders really worry about — but cannot talk about — is losing their nuclear monopoly.

An Iranian nuclear weapons capability would not only end that nuclear monopoly but could also prompt other adversaries, like Saudi Arabia and Egypt, to go nuclear as well. The result would be a precarious nuclear balance in which Israel could not respond to provocations with conventional military strikes on Syria and Lebanon, as it can today.

If Iran were to reach the threshold of a nuclear weapons state, Tehran would find it much easier to call on its allies in Syria and Hezbollah to strike Israel, knowing that its nuclear weapons would serve as a deterrent to Israel responding against Iran itself.

It is, Clinton continues, the “strategic relationship between Iran and the regime of Bashar Assad in Syria” that makes it possible for Iran to undermine Israel’s security.

This would not come about through a “direct attack,” Clinton admits, because “in the thirty years of hostility between Iran and Israel” this has never occurred, but through its alleged “proxies.”

The end of the Assad regime would end this dangerous alliance. Israel’s leadership understands well why defeating Assad is now in its interests.

Bringing down Assad would not only be a massive boon to Israel’s security, it would also ease Israel’s understandable fear of losing its nuclear monopoly.

Then, Israel and the United States might be able to develop a common view of when the Iranian program is so dangerous that military action could be warranted.

Clinton goes on to assert that directly threatening Bashar Assad “and his family” with violence is the “right thing” to do:

In short, the White House can ease the tension that has developed with Israel over Iran by doing the right thing in Syria.

With his life and his family at risk, only the threat or use of force will change the Syrian dictator Bashar Assad’s mind.

The email proves—as if any more proof was needed—that the US government has been the main sponsor of the growth of terrorism in the Middle East, and all in order to “protect” Israel.

It is also a sobering thought to consider that the “refugee” crisis which currently threatens to destroy Europe, was directly sparked off by this US government action as well, insofar as there are any genuine refugees fleeing the civil war in Syria.

In addition, over 250,000 people have been killed in the Syrian conflict, which has spread to Iraq—all thanks to Clinton and the Obama administration backing the “rebels” and stoking the fires of war in Syria.

The real and disturbing possibility that a psychopath like Clinton—whose policy has inflicted death and misery upon millions of people—could become the next president of America is the most deeply shocking thought of all.

Clinton’s public assertion that, if elected president, she would “take the relationship with Israel to the next level,” would definitively mark her, and Israel, as the enemy of not just some Arab states in the Middle East, but of all peace-loving people on earth.

Sean Adl-Tabatabai, Editor-in-chief at Your News Wire