Nabble - Secure Programming

MULTICONF-08 Final call for papers

2008-01-16T11:13:41Z

MULTICONF-08 Final call for papers
The 2008 MULTICONF (website: www.PromoteResearch.org ) will be held during July 7-10 2008 in Orlando, FL, USA. We invite draft paper submissions and the deadline for paper submission is very close. The event consists of the following conferences.
• International Conference on Artificial Intelligence and Pattern Recognition (AIPR-08)
• International Conference on Automation, Robotics and Control Systems (ARCS-08)
• International Conference on Bioinformatics, Computational Biology, Genomics and Chemoinformatics (BCBGC-08)
• International Conference on Enterprise Information Systems and Web Technologies (EISWT-08)
• International Conference on High Performance Computing, Networking and Communication Systems (HPCNCS-08)
• International Conference on Software Engineering Theory and Practice (SETP-08)
• International Conference on Theoretical and Mathematical Foundations of Computer Science (TMFCS-08)

The website contains more details.

Sincerely
John Edward

Proxy List For You!

2007-10-16T10:17:37Z

NEW PROXY UPDATE EVERYDAY
http://www.boy.us.com/proxylist.php.

Fake IP Address
When you connect to a web site, it can see your IP address as the "Remote IP" or "Remote Address". When you surf through a proxy server, these fields contain the IP address of the proxy server instead of your own IP address. So the web site will see the address of the proxy instead of your actual address.But all non-anonymous proxies usually put the IP addresses of their clients (i.e. of the computers using those proxies) in either of the two following request headers (variables): "HTTP_CLIENT_IP" or "HTTP_X_FORWARDED_FOR_IP" There are no strict standards, so one proxy may be sending the IP with "Client_IP" variable and another with "X_Forwarded_For_IP".

There is not much difference between them but they are never used together - either one or the other.So, if the proxy you are using is not anonymous, the web site will be able to see you true IP address in one of these fields.Requests that are generated by anonymous servers do not have these fields (that's what makes them anonymous).The thing is that you can set A4Proxy to create these fields, and put there "fake" IP addresses (they are generated as random numbers, so they are different for each request).

As the result, the web site which you are visiting will "think" that you are visiting it through a non-anonymous proxy server (while in fact it is a truly anonymous server with an additional fake field generated by A4Proxy). Not all web sites will look for these fields (Client_IP or X_Forwarded_For_IP). However, those which do look for them will definitely be confused as the fake IP address will be different for each request.It may be a good idea to switch on one of these options (and it is not important which one).Finally, if you want a particular address to be sent to the web site in one of that field, you will need to create a modification for that field on the Browser Options tab, in addition to enabling the appropriate Simulate... option.

a new software

2007-09-29T22:30:15Z

Introduce a new software AyRecovery
1. AyRecovery is one-click software solution. You do not have to be equipped with sophisticated PC knowledge.
2. Enables as many as 1000 system snapshots. A snapshot contains 100% of Windows system settings, programs and user data at the time of the snapshot. You can restore your PC to any snapshot and load various system status.
3. It takes less than 5 seconds to take a snapshot for selected partitions or the whole disk drive and 20 seconds to restore system.
4. You can restore system bidirectionally, that is to say, restore system to any previous snapshot and restore back if you wish.
5. Restore system through subconsole even system fails to load. Just press the Home key to enter subconsole.
6. AyRecovery enables file-level recovery; you can recover the lost files or check the previous versions of one current file.

Re: Insecure Ajax Web App - Applying a sticky plaster

2007-07-22T13:00:43Z

Hi,

I have a particular problem that I need some help in attempting to solve. I have recently started with a new company as their chief architeract and was dumb-founded to discover that their entire product suite is insecure. I do not have the time or resources at the moment to completely address the issue so I am looking for any ideas that could help put some sticky plaster on the issue until I can get back to it.

The problem:
The applications are web based and ran on client's internal network, not on the www. The server after login completely trusts what is sent from the client (browser sending Ajax requests). The connection is over ssl with mutual authencation certs on both sides. The client uses JavaScript to build up a message and send to the server - the data comes back and is processed with JavaScript, Dom updated and the user is happy. However I have recently discovered that a user can sniff the https traffic using a locally installed sniffer (fiddler or blurp for example) and capture the http request change it and get data back from the server. Thus see other users account information. Very serious I know.

I have read quite a few articles in the area and none seem to provide much of a solution to the problem. The usual never trust the client, validate on both sides but I don;t have the time. What I was hoping to do was encrypted the message and unencrypt it on the server side. But in order to do this I would need to expose the client to the key used to encrypt the message thus compromise the message.

Can anyone shed some light on the issue or suggest articles that may help in identifying a solution?

Thanks in advance.

Network Monitor Sniffer

2007-06-14T08:20:00Z

1.Product Name:Network Monitor Sniffer V2.0
2.Development Language:C++ Builder
3.Database Support:MS SQL Server
4.System Requirement:Windows 2000,Windows XP,Windows 2003
5.Product Content:We provide our software's complete source or further-development and detailed using guide for it. Please Contact Us If you need the software(E-Mail:filtersoft@126.com)
E-Mail:filtersoft#126.com

6.Introducation:
The software can monitor employee's network behaviors. Prevent secret and vital data from being sent out. It just captures and records the communication data on network for reference but don't block the normal communications.The software's main functions and technical features: It adopts Sniffer architecture and TCP/IP Winpcap 3.1 package parsing technique to analyze the SMTP,POP3,FTP,WWW and other IM( Such as MSN,ICQ,Yahoo,AOL), It parses and saves the contents of packages sent from LAN to WAN, It records the employee's network behaviors. It also helps block the inner data from being illegally sent out.
7.System's Functions:
(1).It can monitor network according to different groups,The monitoring logs can be viewed according to different groups
(2).It fully records the chatting contents of MSN,Yahoo,ICQ,AOL and block the chatting contents, files or videos by "Keywords". You can view and export them at any moment.
(3).It fully records browsed Websites for the manager to learn employee's website behaviors at any moment.
(4).It records all the E-Mails (Including contents and attachments) transferred by POP3,SMTP.
(5).It can backup all the files transferred by FTP.
(6).You can view the network flux chart to learn the network's situation according to different groups
(7).It supports MS SQL Server Database, you can make more detailed analysis when necessary.
(8).It uses Sniffer architecture,Without client program installed in the PC, Without network architecture being changed,easy installation and configuration.The monitored PC can't stop or remove it.
(9)."Web Admin Tools" are freely provided to make you easily view the monitoring data on any PC .

Network Monitor Gateway

2007-06-14T08:19:23Z

1.Product Name:Network Monitor Gateway V2.1
2.Development Language:C++ Builder
3.Database Support:MS SQL Server
4.System Requirement: Windows 2000 Server/Windows 2003
5.Product Content:We provide the software's complete source or further-development and detailed using guide. Please Contact Us If you need the software(E-Mail:filtersoft@126.com)
E-Mail:filtersoft#126.com
6.Introducation:
The software can monitor and manage employees' network behaviors. Prevent secret and vital data from being sent out. It captures and records the communication data on network and block related protocol communications according to predefined rules.The software's main functions and technical features : Analyze and filter TCP/IP packages. With low level driver technology it uses windows route and remote gateway to analyze.capture and block packages sent from LAN to WAN; It analyzes and blocks the communication by "keywords" to IM.E-Mail.SMTP.HTTP etc; It can also analyze.record and manage SMTP.POP3.FTP.HTTP and MSN.ICQ.Yahoo.AOL etc and prevent illegal data or programs from sent outside.It helps block the inner data from being illegally sent out.
7.System's Functions:
(1)You can set different rules and view related logs according to different departments or groups
(2)It has high blocking ratio, much better than Sniffer which often lead to package Losses.
(3)It fully records the chatting contents of MSN.Yahoo.ICQ.AOL and block the chatting contents. files or videos by "Keywords". You can view and export them at any moment.
(4)It fully records browsed Websites and block their communication by "keywords",It can also prevent browsing committed websites.
(5)It records and checks all the E-Mails (Including contents and attachments) by POP3.SMTP protocols, block them by keywords and prevent committed type of attachment s.
(6)It can backup all the files transferred by FTP on network.
(7)You can view the network flux chart to understand the network's situation according to different groups and restrict its upper limitation by setting different rules in different time slice.
(8)You can set employee's internet time according to different group rules.
(9)It supports lock PC's MAC and IP Address, Prevent them from being arbitrarily changed.
(10)It supports MS SQL Server Database, you can make more detailed analysis when necessary.
(11)It adopts Gateway architecture to capture the packages on network(Like a firewall),whick can monitor all PCs in LAN.
(12)"Web Admin Tools" are freely provided to make you easily view the monitored data on any PC.

Cyber Data Recorder Client/Server

2007-06-14T08:18:36Z

1.Product Name:Cyber Data Recorder Client/Server V1.5
2.Development Language: VC++
3.Database Support:MS SQL Server
4.Required Environment For Server:Windows 2000/ XP/ 2003
5.Required Environment For Client:Windows 2000/ XP/ 2003
6.Product Content:We provide our software's complete source or further-development and detailed using guide for it. Please Contact Us If you need the software(E-Mail:filtersoft@126.com)
E-Mail:filtersoft#126.com

7.Introduction :
The system can monitor HTTP,E-mails(SMTP,POP3,Webmail),FTP,IM(MSN,Yahoo,ICQ,QQ,Skype),etc. It records browsed websites' contents(With HTTP),E-Mail's content and attachments,Files Transferred by FTP, IM chatting contents. The system includes: running programs logs , Logs of modifying,removing,deleting files. Terminate unnecessary programs forcely. Software and hardware management. Record remote desktop's video in real-time. Control remote desktop through mouse and keyboard. View active desktop in 1-9 minutes. Manage Employee's Internet time in different time section. Allow/Deny running committed programs. Allow/ Deny using the USB or other record devices. Network flux chart and related report. Website's black list. Allow/Deny uploading/downloading files. Block using IM (MSN,Yahoo,QQ). Allow/Deny using committed protocols. Allow/Deny using committed ports. Block browsing related websites by keywords. It uses Client/Server mode. Monitored data is sent to server immediately.
The system includes several components: client programs,Server programs,Web management programs ( B/S Mode ) . Distribution programs in AD Environment (For installing client's programs automatically). It can monitor all PCs in LAN or WAN, even a portable computer in WAN.
The system monitors and manages employee's Internet behaviors, For example, Who does he chat to? What ‘s the chatting content? What websites he browsed? What files he deleted or modified?You can view his desktop's video in real-time. It can also monitor the computers in different WAN.
8.System's Functions:
(1)The server can monitor the computers in local company or sub-companies in different areas. Even a portable computer.
(2)It supports monitoring and recording different data when different accounts are used in a computer. It can also monitor a terminal PC (without CPU or hard disk).
(3)It can define different groups and rules according to different departments. The same group can also define different rules for easy management.
(4)It records employee's browsed website's contents (through HTTP), You can search related browsing information and understand the browed website's lists of different time sections through the Web management tools.
(5)it records the IM(MSN,Yahoo,ICQ,QQ,Skype)chatting contents,related accounts and their transferring time.
(6)You can export the IM (MSN,Yahoo,ICQ,QQ,Skype) logs to TXT Files.
(7)You can view the logs of files transferred from WAN to LAN.
(8)You can view logs of executed programs to learn employee's detailed running information.
(9)It can record the logs of modifying,deleting ,moving,Adding the files in the computers.
(10)It can define different rules according to different accounts or define allowable using time or block using HTTP,POP3,SMTP,FTP,MSN,Yahoo,ICQ,QQ etc.
(11)"Deny Only" and "Allow Only" can be set in the website's black/white list. You can also block related websites according to the predefined URL keywords.
(12)It records all transferred E-Mails (POP3,SMTP,Webmail)and their attachments.
(13)It can save and backup all the files transferred by FTP.
(14)It records the remote desktop's video (From 15 seconds To 15 minutes) . For saving disk space it records the desktop image's data only when the mouse is moved or keyboard pressed.
(15)It runs in hidden mode (uneasy to be found). It can't be manually terminated or removed without permission.
(16)"Open Only" And "Allow Only" can be set to restrict using related ports (like a firewall).
(17)It can Allow/Deny "upload" or " download" related files for HTTP,FTP,MSN,Yahoo,ICQ etc. For example, Block downloading ZIP files，videos etc.
(18)Allow/Deny using USB or removable hard disk, recording devices, Floppy disk, CD-ROM. Compact Disc, For example, you can set to permit copying in but block coping out.
(19)You can forcedly terminate unauthorized running programs of monitored PCs from the server.
(20)It provides the clients' hardware and software's management function; you can build related report through the system for convenient management.
(21)New function: "Search Info" : You can search related client's information by keywords which can improve your work efficiency if you have many clients to monitor.
(22)"Rent IP Server" function. If your PC doesn't have a fixed IP Address, You may "rent" the function to monitor your computers in a WAN.
(23)Network Flow Stat. and chart function for quickly understand the PC's flow situations.
(24)Warning Appears if client PC is offline for more than three days.
(25)It provides nine video windows for monitoring client's desktop. You can set the refresh rate and configure the shortcut key to switch among the different windows.
(26)Main server's IP and spare server's IP groups function. When the main server stop running, The client programs can automatically switch to other servers according to the setting order for avoiding data losses.
(27)If all servers stop running, to avoid data losses, the client programs can automatically save all data into local computer. When the server resume running. The programs immediately transfer the data to the server.
(28)Web Management tool is also provided. Using different accounts, Managers in different departments can log in the system through the tool to manage and monitor the PCs.
29."Allow Only" and "Deny only" setting to restrict running programs at client PC. Which can prevent employee installing or running illegal programs.
30.You can select only part protocols and rules to monitor. For example, you can set to record only sending mails by SMTP but ignore received mails by POP3.
31.Auto-update function is provided. When the server is updated. All client programs will be auto-updated.
32.All monitored PCs can be forcedly installed the client program in AD domain server mode for easily management.
33.You can easily backup and resume the database in the server.
34.You can set to prevent transferring files/videos/literal contents in IM[MSN,Yahoo,ICQ,QQ,Skype).
35.You can restrict the specific accounts from being used in IM(MSN,Yahoo,ICQ,QQ,Skype].

Pandora FMS 1.2 released

2006-12-14T15:34:09Z

Pandora FMS is a Free Software project. Pandora FMS monitor systems,
network elements and applications in any operating systems.
It's published under GPL license.

Pandora FMS could detect a network interface down, a defacement in your website, a memory leak in one of your server, or the movement of any value of the NASDAQ new technology market. Also it could sent an SMS message when your systems fails... or when Google value low below US$ 33.

Development of stable version of Pandora FMS, the Free Monitoring
System, is over. Version 1.2 is now officially stable version. After a
long period of testing, Pandora FMS team has finished development for
this version that introduces great features from previous version.

Some changes from last version are.

-Network monitoring without need to install agents.
-SNMP console to receive traps
-Better alerts.
-Better user visualization
-Internal messages between teams and operators.
-Better usability.
-Pandora FMS also includes a new Windows Agent, with graphical
installer, that allows to monitor easily Windows hosts.
-Individual module interval for each module.
-On-demand agent polling (for network modules).
-Other minor features.

You can download Pandora FMS v1.2 from http://pandora.sourceforge.net

acid_lemon wrote:

Pandora v1.1 is released. This is a major release from 1.0 and
contains a lot of new features, improved stability and bugfixes from
version 1.0.

The new version is available at http://pandoramon.sourceforge.net

Pandora is a distributed system to monitor processes, performance,
status, application or operating parameter of almost any system (AIX,
Solaris, Linux, Windows, BSD and Nokia's IPSO). It has a
descentralized management system, based in flexible user profiles,
that allows to generate graphical reports, define alarms, and a full
incident management system to operate a 24x7 monitoring team.

A demo of the Web console is available in
http://pandora.genterara.com, user demo, password demo

Pandora has been published under GPL License. Queries, bug reports and
comments on Pandora can be sent to <pandora at genterara.com>. Please
feel free to send any comments to us!.

Pandora Features
----------------

* Web Interface for management and operation
* Native support for all major operating systems.
* Agent-based arquitecture
* Agents are fully customizable. Support to capture data from ANY
source (databases, operating system, files, network, applications,
logfiles)
* Agent-driven event reporting
* Alert generation
* Profile-based management
* Audit features
* Graphical reporting
* Multilanguage
* Relational Database Backend (MySQL)
* Asyncronous normalized Database
* Database Automatic Management
* Distributed, hardware independent, arquitecture
* Custom alert actions (mail, sms or whatever your need)
* Multilevel scalable architecture, with HA support
* All components are script-based (Perl, PHP, VSH, ShellScript)

Re: The biggest thing affecting software security? People, apparently.

2006-06-21T15:01:53Z

Technology is crucial in protecting people from their ignorance. Many people don't know exactly how car brakes work but they know how important they are and they know how to use them. If you had to remember to set the brake pressure before you actually applied the brakes, people wouldn't be using them effectively. If a system asks for a password and accepts "pass" or "bigboy", that's a technology failure. Developers should know better.

On the other hand, security can actually be anti-productive in some cases. Case in point is firewall/anti-virus software. My 2.8 ghz Athalon 64 with 2 gb of memory and ultra serial ata drives is slower than my 1979 Z80A 8 bit, 8 mhz, 64 kb, dual 768k floppy system. Why? Every operation that goes to the processor has to be authorized. Every file has to be scanned. Every setting change has to be authorized. And we're using dumb technologies that pay no attention to efficiency (like html and xml). We write bloated code and have no clue what actually ends up in machine code. ("We" includes "me".)

Contrast that with a unix system that doesn't have nearly as many holes. Works fine for somebody with an advanced degree but is useless for the average user.

I am constantly amazed at how ignorant coders and developers are. Some are still putting unencrypted passwords in text files and just naming the file something weird like 2ikeu2.ocx. It's like leaving your wallet in your shoe when you go for a swim. No one will think to look there;) We use advanced encryption like blowfish/twofish/aes then use a password based on our birthdate. My favorite password is the one from spaceballs: 1234567. Face it. "Reverse engineers" are smarter, more educated, and more creative than most of us developers.

For every lock, there's a lock picker. Technology can only take us so far. People have to decide whether to put everything including the "plastic spoons and paper cups" under lock and key. The conclusion that I have come to is the biggest problem is (are) *both*. People have to make informed decisions and technology needs to help them in the best way possible. It is our job as coders & developers to understand security and make it easier for the average person to use. In the process, we can educate the user as well.

Re: Detecting SoftICE ?

2006-06-17T19:58:56Z

The ASM code above will certainly work but many crackers have patched SoftIce & other disassemblers to "disappear" if another process calls this interrupt. Check out this link:

http://www.reteam.org/papers/e55.pdf

The "creativity" thing is the best approach. You should also throw a few "fakes" and make 'em think you're a dumb developer. When I'm checking for a process, I enumerate running processes and examine their associated exe's. This isn't a fast operation but if you do it once at the beginning of the program (and make it look innocent with some fake string data), you can quickly check for a number of signatures later. Feed them a fake keygen routine, then fail much later in the program due to licensing issues. I usually set up a random time to trigger an event on an API timer that checks for "licensing issues". I duplicate this routine in several places so a cracker won't have just one patch point to look for. I also make sure each routine has a different code signature so they can't just do a simple pattern search. It's not that they can't figure this out; it's just that you can waste a lot of their time and make it not worth cracking.

I also keep important data encrypted in memory until I actually need it. I put it in classes that automatically encrypt with a random key so that a cracker will have to develop a different hack for each copy of my software.

A final word about detecting SoftICE: play the cracker's game. Go on the offensive. Patch SoftICE so it won't debug your code. Disassemble SoftICE and find out how it does its thing.

Heap Fragmentation (timing test)

2006-04-23T15:59:01Z

Hi experts,
unfortunately I am still trying to write a sample code that badly
fragments the heap and measure the time it take to allocate memory.
But this heap does not fragment, ant the time to allocate memory does not
increase. I don't know why. I tried different orders of malloc() free()
but I can't measure any runtime differences. In contrary, the first
mallocs on an unused heap take longer and later after some 1000
malloc/free actions the time used stabilizes on a lower value.
if I then after some time free all my allocated objects and then start
reallocating, time goes up for the first 1000 allocs and drops to the old
value. I don't know why.
either I am measureing the wrong stuff or the heap in linux 2.6 with glibc
does not fragment for any obscure reason.....

Can anyone tell me where the flaw in my model is?

below is the whole application code (tabsize 4), some parts are commented
out for testing diffent patterns. please play around a bit and tell me
what is wrong - if you can show fragmentation in any combination of
free()/malloc() runs please tell me how!

here you can download the sourcefile below it isn't nicely formatted
http://www.ruschival.de/stuff/uni/heapfrag.c

Code follows: compile gcc -Wall -o heapfrag heapfrag.c

#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <sys/time.h>

#define VARSIZE

/* number of objects to be created */
#ifndef NO_HEAPOBJS
#define NO_HEAPOBJS 500000
#endif
/* maximum size of each object in Byte */
#ifndef MAX_OBJSIZE
#define MAX_OBJSIZE 1021 // nice primenumber
#endif
/* how many objects should be allocated per cycle */
#ifndef OBJS_PER_CYCLE
#define OBJS_PER_CYCLE NO_HEAPOBJS/10
#endif

/** Types used */

/* redeclare size_t do be compliant with IAS coding guidelines */
typedef size_t Tsize;

/* Struct to keep track of allocations and pointers to memory returned by
malloc() */ typedef struct memchunk{
unsigned int allocated;
unsigned int size;
void* memory;
} Tmemchunk;

/* Testprogram to allocate and deallocate memory randomly to fragment the
heap */ /* measures the time used to allocate OBJS_PER_CYCLE on the heap
*/ int main(int argc, char** argv){
int i=0,j=0; // generic counter
variable Tsize size=MAX_OBJSIZE/2; // size of new memory chunk to
allocate Tmemchunk objs[NO_HEAPOBJS]; // array to keep pointers to memory
chunks

/* Variables for statistics */
struct timeval programstart;// timestamp for total runtime of
program struct timeval starttime; // timestamp before
allocation struct timeval stoptime; // timestamp after allocation
of objects double delta; // time elapsed
for malloc() double runtime; // total
program runtime long cycle = 0; // counter
for cycles long objs_allocated=0; // track how many objects
crrently allocated long alloc_actions=0; // count malloc()
operations long free_actions=0; // count free() operations
Tsize total_size=0; // track bytes
allocated; char *filename = "timings.dat";

/* write pointer for test results */
FILE *fp;

// initialize all heap objects as free
for(i=0; i< NO_HEAPOBJS ; i++){
objs[i].allocated = 0;
objs[i].size = 0;
objs[i].memory = NULL;
}

//open target file
fp = fopen(filename,"w");
if(fp == NULL){
printf("failed opening file\n");
exit(1);
}

/* start timing */
gettimeofday(&programstart,NULL);

/* printf("Allocating %d objects on the heap for initial usage
\n",NO_HEAPOBJS/2); */ /* // start timer */
/* gettimeofday(&starttime,NULL); */
/* /\* Initially fill the heap to 50% *\/ */
/* for(i=0; i< NO_HEAPOBJS/2 ; i++){ */
/* #ifdef VARSIZE */
/* size = (Tsize)(random() % MAX_OBJSIZE); // random size
*/ /* #endif */
/* if( ( objs[i].memory= malloc(size)) !=
NULL ){ */ /* objs[i].allocated = 1; */
/* objs[i].size = size; */
/* total_size+=size; */
/* alloc_actions++; */
/* } */
/* else{ */
/* printf("malloc() failed! \n"); */
/* objs_allocated= alloc_actions-free_actions; */
/* printf("alloc actions %ld objs_allocated:
%ld total_size: %d \n",alloc_actions, objs_allocated,total_size); */ /*
exit(1); */ /* } */
/* } */
/* //stop timer */
/* gettimeofday(&stoptime,NULL); */
/* // Timing calculations */
/* delta = (stoptime.tv_sec - starttime.tv_sec); */
/* delta += (stoptime.tv_usec -
starttime.tv_usec)/(double)1000000; */ /* runtime = (stoptime.tv_sec
- programstart.tv_sec); */ /* runtime += (stoptime.tv_usec -
programstart.tv_usec)/(double)1000000; */ /* objs_allocated=
alloc_actions-free_actions; */ /* // printf("allocs \tfrees
\tobjs \tsize \t\tdelta[s] \truntime[s] \tcycle\n"); */ /*
fprintf(fp,"%ld \t%ld \t%ld \t%d \t%lf \t%lf
\t%ld\n",alloc_actions,free_actions, objs_allocated, */ /*
total_size,delta,runtime,cycle); */

printf("Starting infinite run\n");
/* heap fragmenst so quickly 100 runs are more than enough*/
while(cycle < 1000){
cycle++;
alloc_actions=0;
free_actions=0;
// if too many objects allocated -> free some space
/* if(objs_allocated >= (NO_HEAPOBJS-OBJS_PER_CYCLE)){ */
/* // free randomly twice the memory we allocate
in a cycle */ /* for(i=0; i<(OBJS_PER_CYCLE);
i++){ */ /* // randomly pick allocated
space */ /* do{ */
/* j = random()%NO_HEAPOBJS; */
/* }while(objs[j].allocated == 0); */
/* // piece of memory found --> deallocate
*/ /* objs[j].allocated = 0; */
/* total_size -= objs[j].size; */
/* free(objs[j].memory); */
/* objs_allocated--; */
/* // printf("freeing memory \n"); */
/* } // end deallocation for */
/* }// end if not enough space left */

// start timer
gettimeofday(&starttime,NULL);
for(i=0; i<OBJS_PER_CYCLE; i++){
#ifdef VARSIZE
size = (Tsize)(random() % MAX_OBJSIZE); // random
size #endif
j = random()%NO_HEAPOBJS; // pick random
index if( objs[j].allocated == 1 ){ // if allocated -> free
// only every 2nd attempt we actually free
memory. // if( random()%2 == 0){
objs[j].allocated = 0;
total_size -= objs[j].size;
free(objs[j].memory);
free_actions++;
objs_allocated--;
// }
/* else{ // reallocate -> time goes up
because mem is copied */ /* objs[j].memory =
realloc(objs[j].memory,size); */ /*
total_size -= objs[j].size; */ /* total_size+=size; */
/* objs[j].size = size; */
/* } */
}
// else{ // try to allocate
if( (objs[j].memory = malloc(size)) !=
NULL ){ objs[j].allocated = 1;
objs[j].size = size;
total_size+=size;
objs_allocated++;
alloc_actions++;
}
else{
printf("malloc() failed! \n");
objs_allocated= alloc_actions-free_actions;
printf("alloc actions %ld objs_allocated: %ld
total_size: %d \n", alloc_actions, objs_allocated,total_size);
exit(1);
}// end if try to allocate
// }// end if allocated
}// end for
//stop timer
gettimeofday(&stoptime,NULL);
// Timing calculations
delta = (stoptime.tv_sec - starttime.tv_sec);
delta += (stoptime.tv_usec -
starttime.tv_usec)/(double)1000000; runtime = (stoptime.tv_sec -
programstart.tv_sec); runtime += (stoptime.tv_usec -
programstart.tv_usec)/(double)1000000;

fprintf(fp,"%ld \t%ld \t%ld \t%d \t%lf \t%lf
\t%ld\n",alloc_actions,free_actions, objs_allocated,
total_size,delta,runtime,cycle); // free all at once
if(objs_allocated == NO_HEAPOBJS){
for(i=0; i< NO_HEAPOBJS ; i++){
objs[i].allocated = 0;
objs[i].size = 0;
free(objs[i].memory);

}
total_size=0;
objs_allocated=0;
}
} // end infinite loop
return 0;
}

RE: Windows CE Address Book 2

2006-01-06T17:17:41Z

I think this is a sure off topic here but I am going to give you just a
hint on where to start :)

To access the contacts in pocket pc you need to use the POOM (The Pocket
Outlook Object Model)

"Applications access Pocket Outlook data through the Pocket Outlook Object
Model, or as it is more commonly referred to, POOM. This COM-based library
provides an object hierarchy that simplifies the process of creating,
modifying and displaying appointments, tasks and contacts."

For more details please check this link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/ht
ml/inthehandpoom.asp

(This link contains a POOM sample that demonstrates creating a DLL written
in eMbedded Visual C++. You learn how to call this DLL from a .NET Compact
Framework-based application. While somewhat limited in functionality as it
offer access to contacts only it does exactly what you want)

Or you can go for the complete library to help you access the poom directly
from .net compact frame work:
http://www.inthehand.com/PocketOutlook.aspx

Regards,
Peter

-----Original Message-----
From: joseandremorales@... [mailto:joseandremorales@...] On
Behalf Of Jose Andre Morales
Sent: Thursday, January 05, 2006 2:13 AM
To: SML-binary-analysis; SML-focus-virus; SML-secprog; SML-security-basics;
SML-vuln-dev; SML-wifisec
Subject: Windows CE Address Book 2

HI list memeber, does anyone know how to read/access/copy the contents of
the
address book also called Contacts on a pocketpc ??? Im doing a bit of
research in this area and cannot seem to read the address book
entries, Im thinking they are in some obscure file that i dont know
the name of or in memory which in that case i need the address of
where it is. thanks in advance

--
Yours in Success,

Jose Andre Morales

Windows CE Address Book 2

2006-01-04T16:13:11Z

HI list memeber, does anyone know how to read/access/copy the contents of the
address book also called Contacts on a pocketpc ??? Im doing a bit of
research in this area and cannot seem to read the address book
entries, Im thinking they are in some obscure file that i dont know
the name of or in memory which in that case i need the address of
where it is. thanks in advance

--
Yours in Success,

Jose Andre Morales

Password Management

2005-11-17T22:01:22Z

Hi all,

An application has been using PAM of unix till now for password authentication.
This is a client server model where server uses a database for its operations.
Now it has to manage the passwords by itself with following constraints.

--> Check if password is not the same as previous 5 passwords set
--> Check if the password differs from old password by alteast 3 characters.

So, can you please give me suggestions to manage this effectively ?
--> Do I encrypt and save the previous 5 and the current passwords in
database or how can the passwords be stored better?
--> Can symmetric keys be used or will assymetric key usage be better ?
--> How to decide upon the key values ?

Guess, Hashing will not be useful since we need to check for atleast 3
character change in passwords. Plz comment.

--
Thanks
Badhri

Trike threat modeling methodology v1 paper release

2005-07-20T17:35:50Z

Hi,

I'm happy to announce the release of a new paper detailing the current state
of a new conceptual framework and methodology for threat modeling, Trike.
Although Trike is a work in progress, this (draft) release is intended to
share the work we're doing with the larger community.

The paper is available at http://dymaxion.org/trike/ or
http://www.hhhh.org/trike/papers.

To subscribe to the announcements list for future work, send mail
with "subscribe trike-announce" in the body to majordomo@...

Paul Saitta

----

Abstract:

Trike is a unified conceptual framework for security auditing from a risk
management perspective through the generation of threat models in a reliable,
repeatable manner. A security auditing team can use it to completely and
accurately describe the security characteristics of a system from its high-
level architecture to its low-level implementation details. Trike also
enables communication among security team members and between security teams
and other stakeholders by providing a consistent conceptual framework. This
document describes the current version of the methodology (currently under
heavy de- velopment) in sufficient detail to allow its use. In addition to
detail on the threat model itself (including automatic threat generation and
attack graphs), we cover the two models used in its generation, namely the
requirements model and the implementation model, along with notes on risk
analysis and work flows. The final version of this paper will include a fully
worked example for the entire process. Trike is distinguished from other
threat modeling methodologies by the high levels of automation possible within
the system, the defensive perspective of the system, and the degree of
formalism present in the methodology. Portions of this methodology are
currently experimental; as they have not been fully tested against real
systems, care should be exercised when using them.

The methodology described in this document is copyright 2003-2005 Paul Saitta,
Brenda Larcom, and Michael Eddington, excluding those covered under other
copyrights, and the whole may be used under the MIT license
(http://www.opensource.org/licenses/mit-license. php), "Software" being
replaced with "methodology" throughout. This document is published under the
Creative Commons attribution-noncommercial-sharealike 2.0 license (http://
creativecommons.org/licenses/by-nc-sa/2.0/legalcode).

--
Ideas are my favorite toys.

attachment0 (194 bytes) Download Attachment

Re: The biggest thing affecting software security? People, apparently.

2005-06-30T11:52:19Z

On 6/30/05, PPowenski@... <PPowenski@...> wrote:
> Your final statement still focus's only on technology i.e. educate programmers.
> Yes I agree they can play a significant part in security applications
> but in my experience the common theme of making everything transparent
> for the users is utter nonesene.
>
> Ordinary users should be educated in security principles to assist in
> understanding the value of data and how their actions could implicate an
> exposure. Especially since we still need to setup users as power users
> or admins in order to operate many third party apps.

Ahh... But you see, with proper security education of programmers, you
wouldn't need to give end users "Power User" or "Administrator" access.
You would teach the programmers how to use the available security framework.

"The person is smart, people are dumb, stupid and panicky." - MIB

You train the ones that build the world, that the end user "lives" in, about
staying within a secure framework.

--
END OF LINE
-MCP

Re: The biggest thing affecting software security? People, apparently.

2005-06-30T10:04:13Z

The reason there is such a hugh investment in technology is because we
can't rely on people for security. No matter how much we try to
educate, the general populous disregard the significance of security.
In addition, trivial security implementation are met with trivial
exploits, something that will do the cracker just fine.

. . wrote:

>I wouldn't call 66 votes on your website Nick
>(http://www.mail-archive.com/sc-l%40securecoding.org/msg00758.html), a
>comprehensive tally. It would be interesting to get a larger audience
>involved in this type of question though.
>
>Regards,
>
>- webappsec
>
>
>On 6/29/05, Nick Murison <nick@...> wrote:
>
>
>>Hi all,
>>
>>www.threatsandcountermeasures.com just closed their poll on what people
>>thought was the biggest thing affecting software security. The results were:
>>
>>People: 80.3%
>>Process: 18.2%
>>Technology: 1.5%
>>
>>Results also available from www.threatsandcountermeasures.com/PastPolls.aspx.
>>
>>If this is the case, then why is there such a huge financial investment in
>>security technology? Is the human factor expected to magically improves once
>>we've got the "right" technology?
>>
>>For our new poll, Threats and Countermeasures are asking what people
>>consider to be the more secure web application development platform; JSP,
>>PHP, ColdFusion, ASP.NET or old-skool CGI.
>>
>>Best regards,
>>--
>>Nicholas John Murison
>>~~~~~~~~~~~~~~~~~~~~~
>>http://www.urgusabic.net
>>
>>
>>
>
>.
>
>
>

Re: The biggest thing affecting software security? People, apparently.

2005-06-30T08:29:20Z

I wouldn't call 66 votes on your website Nick
(http://www.mail-archive.com/sc-l%40securecoding.org/msg00758.html), a
comprehensive tally. It would be interesting to get a larger audience
involved in this type of question though.

Regards,

- webappsec

On 6/29/05, Nick Murison <nick@...> wrote:

> Hi all,
>
> www.threatsandcountermeasures.com just closed their poll on what people
> thought was the biggest thing affecting software security. The results were:
>
> People: 80.3%
> Process: 18.2%
> Technology: 1.5%
>
> Results also available from www.threatsandcountermeasures.com/PastPolls.aspx.
>
> If this is the case, then why is there such a huge financial investment in
> security technology? Is the human factor expected to magically improves once
> we've got the "right" technology?
>
> For our new poll, Threats and Countermeasures are asking what people
> consider to be the more secure web application development platform; JSP,
> PHP, ColdFusion, ASP.NET or old-skool CGI.
>
> Best regards,
> --
> Nicholas John Murison
> ~~~~~~~~~~~~~~~~~~~~~
> http://www.urgusabic.net
>

RE: The biggest thing affecting software security? People, apparently.

2005-06-30T02:14:01Z

Your final statement still focus's only on technology i.e. educate
programmers.
Yes I agree they can play a significant part in security applications
but in my experience
the common theme of making everything transparent for the users is utter
nonesene.
Ordinary users should be educated in security principles to assist in
understanding the value of data and how their actions could implicate an
exposure. Especially since we still need to setup users as power users
or admins in order to operate many third party apps.

Everyone receiving training appropriate for their role in informantion
management and security.

A balance for all responsible parties involved.

Cheers
paul powenski CISSP

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz@...]
Sent: 30 June 2005 08:43
To: Nick Murison; webappsec@...; sc-l@...;
secprog@...
Subject: Re: The biggest thing affecting software security? People,
apparently.

Nick,

First of all, notice the results are based on the opinions of 66 people,
which hardly makes it a comprehensive survey.

Another thing, people and mistakes will always be there, but technology
improves to ensure people can make less mistakes and are given less
space and freedom to make such. Better technology provides means for
people to make less mistakes. It just seems less obvious that it's the
technology that is making the difference when it's working properly. If
the technology wasn't there people would make a lot more mistakes while
reinventing a less secure wheel.

Imagine a world with no commercial session management products. A world
dominated by home-grown session mechanisms. Oh, btw, that world also
does not have any cryptographic infrastructure. Wake up from the
nightmare, and realize technology *is* important, it is just easy to
overlook when it's there. It is the same as saying that people are the
biggest cause of road kills, indeed, they are. On the other hand,
imagine the same people driving bumpy roads with no traffic lights, no
stop signs, and no lane markings. It is easy to say "why are they
developing better roads and thinking of ways to improve, while people
are the largest factor". Because people *need* better infrastructures
and better technology to keep their mistakes in control.

Btw, technology is no good when not used properly, so yes, education is
very, very, very important. That is why I strongly believe programmers
should be educated for security.

Irene
-----------------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

On 6/29/05, Nick Murison <nick@...> wrote:
> Hi all,
>
> www.threatsandcountermeasures.com just closed their poll on what
> people thought was the biggest thing affecting software security. The

> results were:
>
> People: 80.3%
> Process: 18.2%
> Technology: 1.5%
>
> Results also available from
> www.threatsandcountermeasures.com/PastPolls.aspx.
>
> If this is the case, then why is there such a huge financial
> investment in security technology? Is the human factor expected to
> magically improves once we've got the "right" technology?
>
> For our new poll, Threats and Countermeasures are asking what people
> consider to be the more secure web application development platform;
> JSP, PHP, ColdFusion, ASP.NET or old-skool CGI.
>
> Best regards,
> --
> Nicholas John Murison
> ~~~~~~~~~~~~~~~~~~~~~
> http://www.urgusabic.net
>

NOTICE: This e-mail is intended for the named recipient(s). It may contain privileged and/or confidential information. If you are not one of the intended recipients, please notify the sender immediately and destroy this e-mail and attachment(s): you must not copy, distribute, retain or take any action in reliance upon the email or attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Ltd and its affiliate companies cannot guarantee that attachments are virus-free or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Thank you.

Re: The biggest thing affecting software security? People, apparently.

2005-06-30T01:43:27Z

Nick,

First of all, notice the results are based on the opinions of 66
people, which hardly makes it a comprehensive survey.

Another thing, people and mistakes will always be there, but
technology improves to ensure people can make less mistakes and are
given less space and freedom to make such. Better technology provides
means for people to make less mistakes. It just seems less obvious
that it's the technology that is making the difference when it's
working properly. If the technology wasn't there people would make a
lot more mistakes while reinventing a less secure wheel.

Imagine a world with no commercial session management products. A
world dominated by home-grown session mechanisms. Oh, btw, that world
also does not have any cryptographic infrastructure. Wake up from the
nightmare, and realize technology *is* important, it is just easy to
overlook when it's there. It is the same as saying that people are the
biggest cause of road kills, indeed, they are. On the other hand,
imagine the same people driving bumpy roads with no traffic lights, no
stop signs, and no lane markings. It is easy to say "why are they
developing better roads and thinking of ways to improve, while people
are the largest factor". Because people *need* better infrastructures
and better technology to keep their mistakes in control.

Btw, technology is no good when not used properly, so yes, education
is very, very, very important.
That is why I strongly believe programmers should be educated for security.

Irene
-----------------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

On 6/29/05, Nick Murison <nick@...> wrote:

Re: The biggest thing affecting software security? People, apparently.

2005-06-29T20:38:40Z

On Wednesday 29 June 2005 10:09, Nick Murison wrote:

> Hi all,
>
> www.threatsandcountermeasures.com just closed their poll on what people
> thought was the biggest thing affecting software security. The results
> were:
>
> People: 80.3%
> Process: 18.2%
> Technology: 1.5%
>
> Results also available from
> www.threatsandcountermeasures.com/PastPolls.aspx.
>
> If this is the case, then why is there such a huge financial investment in
> security technology? Is the human factor expected to magically improves
> once we've got the "right" technology?
>
> For our new poll, Threats and Countermeasures are asking what people
> consider to be the more secure web application development platform; JSP,
> PHP, ColdFusion, ASP.NET or old-skool CGI.
>
> Best regards,

Ignorance can be fixed.
Software can be fixed.
Stupid is forever...

--
Clinton E. Troutman

RE: The biggest thing affecting software security? People, apparently.

2005-06-29T19:10:04Z

Imho, it is sometimes easier to use technology to 'cover up' and address
threats arsing from human mistakes and foibles via automation, rather than
try the 'educate and proceduralise everything' approaches. e.g.
- coding mistakes
- configuration mistakes
- lax patch management
- poor password choices
- opening/running malware
- exec/mamanegment directing poor environment security onto IT teams
- dis-affected employees and users/customers
- <insert your favourite security errors here>

Lyal

-----Original Message-----
From: Nick Murison [mailto:nick@...]
Sent: Thursday, 30 June 2005 1:09 AM
To: webappsec@...; sc-l@...;
secprog@...
Subject: The biggest thing affecting software security? People, apparently.

Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security. The results
were:

People: 80.3%
Process: 18.2%
Technology: 1.5%

Results also available from
www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology? Is the human factor expected to magically improves
once we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net

Re: The biggest thing affecting software security? People, apparently.

2005-06-29T17:26:27Z

Nick Murison wrote:

No, but people are the hardest thing to patch. You can inform them, you
can work with them, you can even threaten them to follow good security
practices but someone always constitutes for the weakest link in the chain.

Steve

The biggest thing affecting software security? People, apparently.

2005-06-29T09:09:27Z

Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security. The results were:

People: 80.3%
Process: 18.2%
Technology: 1.5%

Results also available from www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology? Is the human factor expected to magically improves once
we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net

RE: Java keystore password storage

2005-06-23T12:31:18Z

I have seen some architectures where machine certificates are used to gain access to a directory service to access resource information such as passwords to a keystore.

The different solutions to the same core problem doesn't really give a lot of protection, but each has their benefits. If the server is rooted, then the malicious user may well have access to such credentials/resources, if they have time to pay around.

Using an indexing to obtain the password such as LDAP et al allows for greater ease of maintenance if one has a large scale of machines to manage. On the other hand, storing passwords in property files, with correct ACL's makes system maintenance pretty easy - but the attack could quite easily grep this information.

IMHO - the best solution depends on your threat models.

Cheers,
R.

-----Original Message-----
From: Fredrik Hesse [mailto:fredrik.hesse@...]
Sent: Monday, April 25, 2005 12:53 PM
To: 'john bart '; 'comp.lang.java.security@... '; 'SC-L@... '; 'secprog@... '; 'vuln-dev@... '; 'webappsec@... '
Subject: Re: Java keystore password storage

Indeed a classic problem, unfortunately there are no platform-independant services for storing things like this.
But a config-file with proper access-restrictions goes a long way..
And I guess thats the solution you're leaning against if I read between the lines.
3 is good since it doesn't require storage of the password on disk, otoh it requires human intervention which you probably want to avoid.

I'm no expert on LDAP, but could anyone tell if you use a directory service to pull the password from?

Regards
Fredr!k

-----Ursprungligt meddelande-----
Från: john bart
Till: comp.lang.java.security@...; SC-L@...; secprog@...; vuln-dev@...; webappsec@...
Skickat: 2005-04-25 09:55
Ämne: Java keystore password storage

Hello to all the list.
I need some advice on where to store the keystore's password.
Right now, i have something like this in my code:

keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream("keystore.jks"),"PASSWORD");

the question is, where do i store the password string? all of the possibilities that i thought about are not good enough:
1) storing it in the code - obviously not.
2) storing it in a seperate config file is also not secure.
3) entering the password at runtime is not an option.
4) encrypting the password - famous chicken and egg problem (storing the

encryption key)

Any ideas?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Re: Credentials for Application use

2005-05-18T09:11:30Z

On Tue, 10 May 2005, Mikey wrote:
> This is a broad question around the current practices and recommendation of
> what not to do when it comes to credentials used by applications to gain
> access to a resource or data stored elsewhere.

As you can guess similar questions were discussed countless number
of times on securityfocus :-) The usual practice is to create an
account for your program and store the `secret' in the file which is
readable only by that account owner.

--
Regards,
ASK

Pandora 1.1 released!

2005-05-16T03:00:36Z

Pandora v1.1 is released. This is a major release from 1.0 and
contains a lot of new features, improved stability and bugfixes from
version 1.0.

The new version is available at http://pandoramon.sourceforge.net

Pandora is a distributed system to monitor processes, performance,
status, application or operating parameter of almost any system (AIX,
Solaris, Linux, Windows, BSD and Nokia's IPSO). It has a
descentralized management system, based in flexible user profiles,
that allows to generate graphical reports, define alarms, and a full
incident management system to operate a 24x7 monitoring team.

A demo of the Web console is available in
http://pandora.genterara.com, user demo, password demo

Pandora has been published under GPL License. Queries, bug reports and
comments on Pandora can be sent to <pandora at genterara.com>. Please
feel free to send any comments to us!.

Pandora Features
----------------

* Web Interface for management and operation
* Native support for all major operating systems.
* Agent-based arquitecture
* Agents are fully customizable. Support to capture data from ANY
source (databases, operating system, files, network, applications,
logfiles)
* Agent-driven event reporting
* Alert generation
* Profile-based management
* Audit features
* Graphical reporting
* Multilanguage
* Relational Database Backend (MySQL)
* Asyncronous normalized Database
* Database Automatic Management
* Distributed, hardware independent, arquitecture
* Custom alert actions (mail, sms or whatever your need)
* Multilevel scalable architecture, with HA support
* All components are script-based (Perl, PHP, VSH, ShellScript)

dll security

2005-05-13T00:36:33Z

Hi,

I followed the thread "Dll security". did any of you already evaluated some
of the following software protection to slow down hacking on legitimate
software:

- Obsidium (http://www.obsidium).
- Asprotect (http://www.aspack.com/)
- Cloakware: http://www.cloakware.com/products/suite.html#protection

Any feedback about the security of these tools and experience of their usage
in software deployed in the field would be more than welcome.

Thanks in advance.

Fred.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Re: Detecting SoftICE ?

2005-05-11T09:41:05Z

Hi Bruce,

you may have a look at crackz's pages for usual tricks concerning Sice detection (http://www.woodmann.com/crackz/Tutorials/Protect.htm#detectsoftice)

However, please have a look at the following routines:

First, we can use int 68h to check the "magic" value 0x0F386 (= debugger present). Then, we may also check the interrupt descriptor table and see if there is a handler installed for INT 68h.

__inline bool IsSICELoaded() {
_asm {
mov ah, 0x43
int 0x68
cmp ax, 0x0F386 // Will be set by all system debuggers.
jz out_

xor ax, ax // check the IDT
mov es, ax
mov bx, word ptr es:[0x68*4]
mov es, word ptr es:[0x68*4+2]
mov eax, 0x0F43FC80
cmp eax, dword ptr es:[ebx]
jnz out_
jmp normal_
normal_:
xor eax, eax
leave
ret
out_:
mov eax, 0x1
leave
ret
}
return false;
}

If a debugger is not present AX will be 4300h.

Then, as you said, the CreateFile function may be used to check if the Sice device driver is loaded... It should be working with the latest versions anyway...

/*
Function: IsSoftIceNTLoaded
Description: Like the previous one but for use under Win NT only
Returns: true if SoftIce is loaded
*/

__inline BOOL IsSoftIceNTLoaded() {
HANDLE hFile=CreateFile( "\\\\.\\NTICE",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

if(hFile!=INVALID_HANDLE_VALUE) { CloseHandle(hFile); return true; }
return false;
}

Or maybe the dedicated function "IsDebuggerPresent" will detect it (I haven't tested it with Sice yet)
http://msdn.microsoft.com/library/en-us/debug/base/isdebuggerpresent.asp

BOOL IsDebuggerPresent(void);

But, if your Sice is patched, it may already include protections against those "anti-debugging" features. In this case, you should use your own imagination to detect it :)

--
_______________________________________
Thierry Haven - Xmco Partners
Consultant Sécurité / Test d'intrusion

web : http://www.xmcopartners.com

Bruce Klein wrote:

>
> Hello all,
>
> I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.
>
> I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.
>
> The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK"
> in a register.
>
> I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.
>
> Given the above, I have two questions I'm hoping someone can answer:
> - Does anyone know a method to detect today's SoftICE?
> - Do the other methods even work (and for what versions)?
>
> I'd be happy to post the small source or answer any further questions.
>
> Thanks in advance.
>

Re: Dll Security

2005-05-10T14:59:47Z

Hi,

Slavisa Dojcinovic wrote:
> Try UPX or ASPack.
> www.aspack.com
> http://upx.sourceforge.net/

There are a lot of UPX/AsPack decrypters around
(http://protools.reverse-engineering.net/unpackers.htm).
Hiding code is a very difficult task. You better run your sensible
algorithm on a remote server.

--
/root

RE: Dll Security

2005-05-10T12:03:42Z

Might I also suggest looking at why you are trying to "hide" the
algorithm? Perhaps attacking the problem from another angle might help.
For example, if your algorithm is indeed the "secret", you could
relocate that part on a remote server that you control. Changing the
problem may provide a better way of achieving what you want.

Not that this would work, but the idea is the important thing. Not ever
problem needs to be solved with complex math ;)

Cheers, and good luck!
Chris

-----Original Message-----
From: VP [mailto:pelasaco@...]
Sent: May 10, 2005 9:54 AM
To: secprog@...
Subject: Re: Dll Security

Thanks for all replies. i'm gonna take a look in upx, i must fix this
solution even if i just raise the bar.

Best Reguards,

VP

Detecting SoftICE ?

2005-05-10T10:12:24Z

Hello all,

I am writing a Win32 DLL and am currently trying to detect if SoftICE is present.

I am trying the "classic" detection methods and for my version of SoftICE (4.3.2) under Windows XP, so far no method has succeeded at detecting it.

The methods I am trying are well described in Viega & Messier's "Secure Programming Cookbook" and all over the net. One is the "Meltice" technique that looks for a virtual device named "\.\\NTICE"; the other uses the "Boundschecker" method that uses int 3, with "BCHK"
in a register.

I am having no luck with either method. Perhaps because the methods are obsolete with the current version of SoftICE. Perhaps because I'm doing something stupid.

Given the above, I have two questions I'm hoping someone can answer:
- Does anyone know a method to detect today's SoftICE?
- Do the other methods even work (and for what versions)?

I'd be happy to post the small source or answer any further questions.

Thanks in advance.

Re: Dll Security

2005-05-10T07:54:20Z

Thanks for all replies. i'm gonna take a look in upx, i must fix this
solution even if i just raise the bar.

Best Reguards,

VP

>On 5/7/05, Keith Oxenrider <koxenrider@...> wrote:
> The real question you should be asking is 'what is the point?' Any decent
> cracker will be able to look at your decrypted binary in RAM, even make a
> copy of it for later use. The very best you can do is raise the bar, but
> to have any real chance of making a difference you need to make your
> program detect that it is being run in a debugger (not a trivial task and
> probably one that is fundamentally impossible, as the hardware itself can
> be emulated) and continue to run, but with some subtle differences that
> make it unusable (if it just crashes, it tells the cracker just what she
> needs to know to bypass the check). Obscuring the code generally makes
> maintenance costs skyrocket; you should do an economic analysis to prove
> that the extra effort will be repaid. Keep in mind that legitimate users
> often need to run their code in debuggers as well, so be sure to factor in
> the ill will created when their attempts to debug their code that uses your
> DLL cause all sorts of nasty problems for them (not to mention the support
> calls!).
>
>
> Keith Oxenrider
> CISSP
>
> At 04:17 PM 5/6/2005 -0300, VP wrote:
> >Hi, i have a dll and i want to encrypt it to hide (obfuscate ??) an
> >important algorithm used here.
> >
> >Well today i'm using a following approach:
> >
> >I'm encrypting the dll with a program, then when i want to loadlibrary() it,
> >i decrypt it to a plain-text file, then i loadlibrary the plain-text file.
> >So i have my encrypted dll and i have a plain-text version either. To
> >mitigate this vulnerability, i'm using EFS to protect my plain-text dll.
> >
> >I'm wondering if using the PE format i can do some kind of "on-the-fly
> >encrypt and decrypt". Is it possible ? There is any example ? Is it a good
> >solution ?
> >
> >Thanks in advance,
> >
> >Victor
>
>

Credentials for Application use

2005-05-10T03:05:19Z

This is a broad question around the current practices and recommendation of
what not to do when it comes to credentials used by applications to gain
access to a resource or data stored elsewhere.

As an example, I have some middleware components that need to gain access
to a data repository that contains sensitive information. The middleware
components and data repository reside in separate, distinct security
boundaries protected by differing authentication and access control mechanisms.

Application developers insists the only way to gain access to the data
repository is to create a set of credentials for the repository that only
they can use. But because the middleware components are using it, there is
no requirement for a user to enter those credentials in order to
authenticate usage. I guess I wouldn't want the users to know the details
of this set of credentials either.

Short of creating a user credential for each user accessing the application
on the data repository side, they insist that they need to store the userid
and password in a static format somewhere on the middleware server. For
example, a configuration file or some part of the operating system.

Is there a best practice guideline for this scenario? What have other
people in the same situation been doing here?

RE: Dll Security

2005-05-09T01:55:04Z

Try UPX or ASPack.
www.aspack.com
http://upx.sourceforge.net/

-----Original Message-----
From: VP [mailto:pelasaco@...]
Sent: Friday, May 06, 2005 9:18 PM
To: secprog@...
Subject: Dll Security

Hi, i have a dll and i want to encrypt it to hide (obfuscate ??) an
important algorithm used here.

Well today i'm using a following approach:

I'm encrypting the dll with a program, then when i want to loadlibrary() it,
i decrypt it to a plain-text file, then i loadlibrary the plain-text file.
So i have my encrypted dll and i have a plain-text version either. To
mitigate this vulnerability, i'm using EFS to protect my plain-text dll.

I'm wondering if using the PE format i can do some kind of "on-the-fly
encrypt and decrypt". Is it possible ? There is any example ? Is it a good
solution ?

Thanks in advance,

Victor