BosonQuest

Learn Physics or Get Bored Trying

Has buffer protection become second-nature?

I took a break from the physics recently to have a crack at the challenge that is now known to have been posted by GCHQ at http://canyoucrackit.co.uk. And it was really rather fun, once I got into it. My day job as a developer these days is almost exclusively based around the sort of high-level languages that almost seem divorced from the machine-code that they ultimately represent, so “getting my hands dirty” with assembly language and stack pointers was refreshing, if something of a busman’s holiday. A couple of nights ago I reached the end, and while the jobs being advertised weren’t of interest (wrong country, wrong pay-grade), it was still rather satisfying, if lacking in cake.

[Mild spoiler alert; I’ll try to avoid giving away anything too major, but some hints might be dropped.]

But having completed the challenge, and knowing that I’d almost certainly done much of it the “hard” way (for which, read blindly fumbling while flailing maniacally), I thought it would be instructive to peruse some of the solutions and walkthroughs that others have been posting lately. Indeed having not studied much cryptography at all, I hadn’t been aware that one of the stages was actually working through the RC4 algorithm to encrypt/decrypt that stage’s payload. As far as I could tell, it was a black box, turning gibberish into something slightly less gibberish. One of the stages required us to implement a simple virtual machine code in order to make sense of a data-dump, and it was interesting to compare my implementation (knocked together quite inexpertly in JavaScript: if anyone asks, I can see if I can still dig it out) with others written in C and Python for example.

The final part of the puzzle involved downloading an .exe file, and reverse-engineering it to figure out how to feed it a suitable “license” file to produce a URL that leads to the passphrase for the challenge page. And here I noticed something I thought quite interesting from reading other people’s solutions. It turns out from a brief inspection of the executable that it depends on the Cygwin “crypt” library, and what is quite clearly a hashed password appears in the file’s data block. So cracking that hash will give us something we can use somehow within the license file; examining the assembly code will clarify the “somehow” part. The code for loading the license file into memory turns out to be pretty straightforward, so what I did was to grab a password cracker (I used John the Ripper) and let it spin for a few hours. Eventually the password dropped into the vending slot, and I was good to go (once a few more details were cleared up).

And from what I’ve read, that seemed to have be most folks’ solution. A few noted in passing that one of the instructions in the code had a potential buffer-overflow problem, but no-one seemed to care. However, on one blog (containing videos explaining solutions for all parts), the author (who had commented on the buffer problem) noted that GCHQ subsequently contacted him to say that they were aware of the vulnerability, and that indeed it was deliberately placed there to allow people to skip the password hash check.

Well I’ll admit I felt kind of silly at this point. As soon as I read that, it not only became obvious how I could’ve avoided a few hours of password-grinding, but indeed it went some way to explaining the slightly quirky way in which the check was being performed by the code: it was laid out that way in order to make it easier to exploit the buffer overflow to get the desired result. But what I found really interesting was the fact that clearly a number of people spotted the dodgy code, but it didn’t occur to them to use it as part of a code-breaking and “hacking” challenge!

Of course this is all merely anecdotal, but it made me wonder whether, for some people at least, the security message might be sinking in—when unsafe code is so immediately recognisable to a developer that their inner alarm bells sound before they’ve even had time to process what’s wrong, perhaps we’re finally starting to outgrow the bad habits that the pre-Internet innocence fostered. Buffer overflows aren’t a major issue for the kinds of development we do at my current job, but if I could install a nervous tic in any developer who comes to work for us, at the merest hint of unsafe SQL parameter passing (there is no excuse), I’d like to think it would make the world just a little better.

At the same time, though, the message is only any use if people remember why it was written in the first place. Taking part in challenges such as this, or the various educational hacking sites (such as http://hackthissite.org) I think helps developers stay in touch with the reasons behind some of the do’s and don’ts of secure coding.

December 5, 2011 Posted by | Tech | , , | Leave a comment

iPhone 4 versus duct tape

There has been an awful lot of talk lately about the iPhone 4’s antenna troubles. And indeed, from having used one for a few weeks, it does indeed behave badly if held in a particular manner in a weak signal area. But one rumour has been following this story around like a bad smell—the legendary Duct Tape “Solution”.

It seems obvious enough—two antennae next to each other, separated by an insulated gap; fine until you “bridge” the gap by having your hand in contact with both sides, causing a short-circuit. Hey presto: no signal. So a small square of insulating tape over the gap, and problem solved! Alas, no.

Most people have heard of a capacitor, though perhaps don’t know what one is or does. Quite simply, it is two conductive “plates” separated by a thin dielectric, or insulating, layer. So an antenna with a layer of tape being held by a person such that an area of skin is in contact with the tape is basically a large capacitor. When a voltage is applied across a capacitor, charge builds up on the two conducting plates over time. As the charge builds up, the capacitor starts to resist more and more current from flowing, eventually stopping the flow altogether. The amount of charge that can accumulate is called the capacitance, and this varies directly with the area of the conducting plates (area of hand covering antenna), and inversely with the thickness of the dielectric layer (tape).

In an alternating, or oscillating, current, both the voltage across a component and the current flowing through it resemble a sine-wave. If you divide the amplitude (height) of the voltage wave by the amplitude of the current wave across a component, you get a number that is called the impedance of the component. Note the similarity with the resistance of a component in a DC circuit, which you might recall from school is equal to the (constant) voltage divided by the (also constant) current. The impedance of a component in an alternating current is essentially how much it… well… impedes the flow of current.

What this is leading up to is the fact that, across a capacitor in an alternating current, the impedance varies inversely with both the capacitance and the alternating frequency of the signal, which for mobile phone radio waves is pretty high—around 400-1800 Mhz. So the impedance of a piece of tape separating a radio antenna and your hand is negligible. You may as well be touching the antenna directly.

Roughly speaking, in an alternating current, rather than charge flowing round a circuit, it oscillates back and forth. With a capacitor in the way, charge builds up on the plates just as in a DC circuit, but at high frequencies, it turns round and goes the other way too fast for enough charge to build up on the plates to impact the current.

The good news for people whose phones work with a bit of duct tape on the antenna is that your phone works without it too. Trust me. The bad news is that if you have gone around saying your phone is unusable without tape, then you are fooling yourself. And the really bad news for people who have published damning reviews of the iPhone 4 while suggesting that duct tape will fix it, is that you are lying to your readers. Plain as. This is not to say that the phone doesn’t have an antenna problem—it does—but if you say your tests showed improvement with duct tape, you cast serious doubt on the validity of your tests.

As for solutions, well, with a bumper, or other case, you are increasing the thickness of the dielectric layer in the “capacitor” between your hand and the antenna, dropping the capacitance way down, and to the point that its impedance is too great to cause the antenna detuning issue, even at radio frequencies. You can also minimise the capacitance by altering your grasp of the phone—lower the contact area and you lower the capacitance. So Apple’s well-published suggestions “not to hold it that way” or “use a case” are scientifically the best ways to reduce the problem. But as many have pointed out, a phone for which the natural grip is the wrong one (all phones have bad areas, most aren’t right where you want to put your hand), or for which you need to spend additional cash to get a decent performance is a poorly designed phone. Apple should really address this somehow; right now it seems that the best course would be the free case, and iPhone users putting up with the fact that our phones are awesome at pretty much everything… except being phones. Or return it, of couse.

If you read the rest of my blog here you will see that I am but an amateur physicist, so it’s fair to say I could have this wrong. But the level of physics in this material is not particularly high, and since there’s no real way that I can be setting up experiments in the areas I’m currently studying, I jumped at the chance to test this theory out for myself. And while the results were more qualitative than quantitative (since I lack the means), I have tested duct tape, electrical tape, Sellotape and the plastic overlays that came off the phone when I unboxed it. No difference was noticeable with any of these materials entirely covering the parts of the antenna that were in contact with my hand. If you want a more credible source for these findings, there are a number of posts worth reading at www.antennasys.com/antennasys-blog.

Ain’t science a bitch?

Update: thanks to the nice folk at Anandtech, it seems I’m right and wrong. High impedance tape does exist, and can be applied to the phone. Even with such tape, the impedance is not enough to completely isolate you from the antenna, though perhaps it could do so enough to bring the phone into line with others. I would guess the tape must be made from a material with an impressively low dielectric constant; I still believe that the DIY fixes involving bog-standard tape are spurious, and if you want the best performance in a weak signal, a case would be a good idea. But it’s nice to think that there is a potential solution out there—also nice to know I was on the right tracks.

July 14, 2010 Posted by | Science in the media, Tech | , , , | 8 Comments

Replace the touchscreen with paper, and this could take off…

A while back I grabbed the Penultimate app for the iPad, just ‘cos it seemed fun at the time. I didn’t really envisage using it for studying—the fingertip control is pretty dicey to write anything small enough to fit more than two or three short lines of calculation. Besides, why bother when you can just grab a pad of paper and a pen(cil)? (if you’ve not seen Peter Serafinowicz’s iPad video, it’s worth a giggle).

That said, since the first road-test of the pad was taking it on holiday, I did actually find that I would occasionally drop from Kindle to Penultimate, to scratch out a determinant verification or the like. And with practice I became a little better at squeezing more in a page of scribbling. Not that I think anyone but me could have decyphered more than a character or two!

With that in mind, I decided to do some experimenting with a home-made stylus. Since the touchscreen is capacitance-based, it was going to have to conduct well enough to be more or less equipotential with my fingers. It was also going to need to be tapered to a flattish surface for the screen to register it. In the end, I sliced off the flat end of a pencil to leave the angle at the tip somewhere between 30 and 45 degrees, wrapped the whole thing in kitchen foil, and neatened up the ends.

Finding the right angle to write at takes a little practice. Also, though some people seem to have found the “wrist protection” feature in Penultimate to work well, I find it works some days but not others. Easily solved by just finding a thick enough insulator to rest your wrist on when writing. Results below (note: I have shocking handwriting at the best of times!)

I don’t think I’ll be totally giving up on pen+paper though.

June 14, 2010 Posted by | Tech | , , | 1 Comment