How to make portable apps.

Portable applications are useful. You do not need to install them, carry them along with all the settings, forget about platforms, configurations, settings and most important liscencing.

There are a number of techniques to make portable apps. Thinstall uses an Application Virtualization Technique to achive that purpose. VMWare recently acquired it and the application is now available as freeware (for the time being atleast) under the name of Project North Star.

The application usage is as simple as running the installer of an application first. NorthStar will trace all the exe’s, dlls, registry changes, filesystem changes, policy changes and package them all into one installer or exe with optional separate configuration that you could then run directly into any other platform.

If you also have some applications that are incompatible with Vista, you could install them under XP and using NorthStar you could run them under Vista (since it is virtualization).

A nice beginner tutorial is on youtube here.
Another video for how to run different versions of Internet Explorer on the same desktop machine can be found here.

Blogged with the Flock Browser

The Hunt for Smart Card Readers

Trying to search for a decent smart card reader seemed to be a much difficult task than i originally anticipated. Online shops from Hongkong and China are full of a range of both contact and contactless (rfid) card readers. Most of them however do not support the wide range of ISO standards (14443 A / B) and only work with a specific set of cards. Not to mention the trouble of proprietary buggy drivers (that too provided only for windows).

It came to me, however, as a pleasant surprise a few “open” projects which I would like to mention below and might be of interest to people doing any project in the related area.

OpenPCD: a free hardware design for Proximity Coupling Devices (PCD) based on 13.56MHz communication. This device is able to screen informations from Proximity Integrated Circuit Cards (PICC) conforming to vendor-independent standards such as ISO 14443, ISO 15693 as well as proprietary protocols such as Mifare Classic (specifically what I wanted). Contactless cards like these are for example used in the new electronic passports in European countries like Belgium.

The intention of the OpenPCD project is to offer the users full hardware control of the RFID signal and to provide different output signals for screening the communication. For instance, it is possible to program and replace the firmware with your own and a lot of good help and beginner tutorials are provided.

Cost around 119 Euros.

You will offcourse need a few cards (or RFID tags / chips) to test and develop. Cards and Tags come in different shapes and sizes and buying different categories of tags from one place is quite difficult and ordering a lot of tags from different places could be quite expensive (specially if you are a poor student like me). OpenPICC, Open Proximity Integrated Circuit Cards (PICC) is the counterpart to OpenPCD. It is a device that emulates 13.56MHz based RFID transponders / smartcards. OpenPICC can be used to e.g. simulate ISO 14443 or ISO 15693 transponders, such as those being used in biometric passports, Oyster Cards and Football tickets in UK.

Like OpenPCD, the hardware design and software are available under Free Licenses from here.

The biggest advantage of using a device like OpenPICC as a card / tag is that:

1. It is also equipped with a USB interface, so you can trace in realtime what the card reader is emitting.

2. Since Radio waves travel in open, you can also trace (sniff) the traffic between another card and reader which makes your research more powerful and stealthy.

Not to mention like the OpenPCD, OpenPICC is completely programmable with open source software and since all the design and ICs are public, you can replace them if they get damaged. In other card readers even a small damage would mean a complete replacement for your card reader.

Open Beacon: is a free design for an active RFID device which operates in the 2.4GHz ISM band. The device contains a unique serial number, but may have other information. OpenBeacon can be used as a transceiver device and therefore both transmits and receives radio waves. The project is to offer a wide range of use cases such as visitor or item tracking and wireless remote control with a free self-contained and low-cost RFID design.

Cost: around 85 Euros.

Blogged with Flock

Tor Controller

Vidalia is a cross-platform controller for Tor (The Onion Router) for network anonymity, built using the Qt toolkit. It allows the user to start, stop, and view the status of Tor, monitor bandwidth usage, view, filter, and search log messages, and configure some aspects of Tor.

The most feature of Vidalia is its Tor network map, which lets the user see the geographic location of servers on the Tor network, as well as where the user’s application traffic is going.

You can even dynamically change your paths (hops) and create a new identity for each connection.

Vidalia is released under the GPL. It runs on any platform supported by Qt 4.1, including Windows, Mac OS X, and Linux or other Unix-like variants using the X11 window system.

Blogged with Flock

A talk on Open Source on Software Freedom Day

The world celebrated the Software Freedom Day on 15th September 2007. We had some 100+ countries and more than 300 groups covering the free software world in different form of activities, presentations and events. The webmasters of FAST-NU Karachi also organized an event and talk series on the day and I felt really honored and delighted when I got an invitation to speak before the undergraduates of what open source is and how it is used in the industry.

I chose the topic “Open Source in the enterprise” picking up the best open source projects I use frequently and have known to be used as solid, industry standard applications in different domains. It was a wonderful experience going back to my university and meeting with a bunch of brilliant future computer scientists.

The slides of the presentation can be found here.

Network Traffic Visualization

Rumint is a network and security visualization tool. It allows you to load packet capture files as well as perform live packet capture and visualize the results using a variety of visualization techniques. You can then filter the dataset and play back the data using a PVR interface. Version 1.92 adds the ability to directly load PCAP files.

It is the only tool on windows that looks promising in replaying traffic. The website desribes a sample ping trace between two systems and how to decode the generated visualization in detail.

Recording the Runtime State of a VM

As VMWare 6 Goes into beta 3, the most awaited feature and a tester dream comes to reality. To capture, record and replay EVERYTHING that happens to a VM. This is not a movie recording, but more of a runtime execution and state recording. You can play back a recorded instance (say a list of scripts or operations) any time and many times you like.

The only think i dislike about it is the amount of space it takes (a gigabyte for every two minutes of recording), but again this feature is very experimental and one can hope a more cleaner solution in the coming builds.

chipx86 describes the feature and its usage as:

“What is this good for? Well, have you ever tried testing a program only to encounter a bug that you just can’t reproduce? Maybe there was some memory corruption that happened under some specific case that you just can’t seem to diagnose. Or maybe it’s a network packet that came in in some form that your application didn’t expect. Under normal circumstances, you’d have to do a lot of guesswork in order to find out what exactly happened. Far too often, it’s just too hard to reproduce the bug and it goes unfixed for some time.

Now imagine instead that you’re testing the program in Workstation and, before your testing, you hit Record. You attempt the test and the program crashes in some weird manner. No problem. Hit Stop and replay the recording. Just before the crash occurs, stop the playback and attach a debugger. Messed up? Didn’t find the cause? Replay that recording again.”

The new beta also shows a virtual battery for laptops showing the battery life :). Im also found the introduction of VNC for remote control.

happy virtualising.

Public Vista 0day

Before the consumers worldwide get even the first hand on the most secure windows ever, a new public exploit is already on the rise and has been posted to the full fisclosure which describes a privilege escalation attack allowing a logged in user to elevate himself to SYSTEM.

I tested the PoC published code and it seems to work very well as advertised. This exploits seems to be the first for Vista platform though it effects all windows versions for 2000 and above, even my current fully patched XP SP2 installation.

More technical details can be found here.

Defeating anonymity by monitoring clock skew ?

A Cambridge University researcher Steven J Murdoch has a devised a novel attack on online anonymity systems in which he literally takes a computer’s temperature over the internet.

The attack uses a phenomenon called “clock skew” the tendency for the precise clocks in modern computers to drift off of the correct time at slightly different rates, which can be affected by heat.

“When a crystal is manufactured, it has a clock skew, and it’s different for each crystal (throughout its) lifetime,” he explains while discussing his work at the Chaos Communications Congress on Thursday.

Last year UCLA Ph.D. student Tadayoshi Kohno showed that clock skew can be used to identify computers on the internet, by charting the timestamps in a machine’s traffic. But the skew is a fairly weak identifier, providing at best 64 unique fingerprints. A network of a thousand computers would have 16 with an identical clock skew.

The research spawned a variety of theories on how clock skew could be used to attack anonymity online : from detecting daytime hours at a server located in an unknown country, to counting the number of hosts behind a NAT firewall. Murdoch was the first to make an attack work.

His victim is the Onion Router Network (TOR). Tor encrypts a user’s traffic, and bounces it through multiple servers, so the final destination doesn’t know where it came from.

Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he’ll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.

Because temperature affects how fast most electronics operate, warming up the machine causes microscopic changes in clock skew over time. Now the attacker queries computers on the public internet that he suspects of being the Tor server, looking for the shift in skew over the course of hours.

When he finds a computer that has guilty change in its timestamps, he has a match.

“It’s actually quite hard to defend against,” says Murdoch. “(You can) lock the timestamp, but even without explicate timestamps, it’s conceivable.”

That doesn’t mean it’s time to give up on online anonymity: Murdoch points out that other attacks on Tor are currently easier and quicker.

Ironically it might be the most extremely hardened computers that would be most vulnerable to this style of attack. Murdoch theorizes that military computers with precise time reporting should be easier than more casual networks like Tor, in the long run.

Playing with VMWare 6

My favourite virtualisation product VMWare is now in the sixth generation with its public beta available for testing in the holiday season. The product is continously being transformed for being the preferred tool for software engineers and security reasearchers due to its noticable features for ease of development, debugging and tracing.

Integration with Visual Studio for Debugging:

The first beta (build 36983) sports the much acclaimed integration with Microsoft Visual Studio and
Eclipse: when a new program must be tested developers can invoke run
and debug directly inside a virtual machine, always assuring a brand
new, secure and polished environment.

Headless mode:

Virtual machines can now run in background, without the VMware interface running. You can control the running VMs from an icon in the taskbar.

VNC Remote Control

Virtual machine can now be
controlled through VNC instead of using guest OS remote management
tools (no need to install VNC server inside the guest OS)

Cross-Platform Drag-and-Drop:

Files can be copied between host and guest level independently from the installed OSes

Increased RAM support:

Allocable RAM for VM has been increased from 3.6GB to 8GB. No more limits for maximum RAM allocable for all VMs.

New physical hardware support:

Support for USB 2.0 devices, 64bits sound cards and multiple monitors

New OS Support for Guests:

Includes Vista 32 and 64 bit editions i still need to get a hand to.

The beta roadmap defines another future killer feature called Replay. Workstation will be now able to record every moment of the virtual
machine life and reproduce it on demand, like in a VCR. The
revolutionary thing is Replay will not simply record what happens on
the screen, generating a traditional video, but will also record
computations made on VM, allowing developers to exactly verify what
happens during a fault inside virtual hardware for debugging purposes.

This article describes how the whole company offering can simplify development, testing and delivery of new applications),
but the most interesting thing anyway is introduced support for
VMI-paravirtualized Linux: despite company fail in achieving VMI
integration inside kernel, VMware seems to continue on its own way,
probably hoping that showing a completed and working solution will
increase chances to reconsider the approach.
So after introducing such support in an experimental version of Player, the company is distribuiting it mainstream through Workstation.

The beta is available here.

powered by performancing firefox

Beyond the Win32 API (Part I)

The Win32 or simply the Windows API allows developers to exploit the deep power of the Windows OS internals and use them in there applications. WinAPI (and Platform SDK) provides functional interfaces to communicate directly with the OS and make system calls including base OS services, control libs, GDI, shell, network services and numerous others. With the advent of DotNET & other recent platforms high level interfaces with objects and classes to talk to WinAPI has definitely made life easier. However for anyone who wants to dig in deep, theres more to WinAPI: Something that Microsoft hasn’t documented and is termed as the “NATIVE API”. With only a limited number of functions exposed in generally accessible publications, the obfuscation has lead to a general belief that the Native API can provide phenomenal powers, perhaps even allowing an application to bypass the security measures implemented by the standard WinAPI. The concerns mainly developed are because Microsoft is keeping the API for themselves to whom some term as an unfair advantage.

The Native API Architecture

The native API is somewhat similar to the system call interface on in the *nix and bsd world since it serves one purpose: a means for calling OS services located in kernel mode in a controlled manner. Kernel mode is where the core of NT executes, and where components have direct access to hardware and services that perform management of the system resources including memory, devices and processes. Thus, whenever a program executing in user mode wants to perform I/O, allocate or deallocate virtual memory, start a thread or process, or interact with global resources, it must call upon one or more services that live in kernel mode.

NTDLL.DLL

The Native API is provided to usermode programs by the NTDLL.DLL which besides containing Native API user-mode entry points, has process startup and module loading code in it. The majority of it, though, are the Native API stubs that transfer control to kernel mode. This is mainly achieved by executing a software exception.

The Native API Catalogue

There are about 240 Native APIs in Windows. Currently, the only documentation on Native APIs is located in the Windows Device Driver Kit (DDK) and the Windows Installable File System Kit (IFS Kit). The DDK actually describes the parameters and usage of a around 25 Native APIs, and includes prototype and parameter information for a few others in NTDDK.H. The IFS Kit documents about 25 more APIS only by providing prototypes in header files that come as part of the kit, and sometimes through their use in sample code. Most of APIs included in the IFS Kit are in the file I/O and security categories. You can find prototypes and some minimal documentation for many Native APIs in the book Windows NT/2000 Native API Reference.

Further reference and a detailed analyses on native api can be found on sysinternals and google.

Blogged with Flock.