Can anyone explain the algorithm behind Aircrack-ng (a WPA2-PSK cracker)?
I know how to use it, but a detailed explanation (which I could not find in their documentation) about how it actually works would help me a lot.
Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which matches the passphrase. So a quality dictionary is very important. You can search the Internet for dictionaries to be used. There are many available.
For a more detailed overview of WPA2 PSK weaknesses, please refer to http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf page 13
and after that read the source code of aircrack-ng, if you are not familiar with the C programming language then I highly recommend you learn as then with any open source program you can simply read the source code for the most in depth description of how it works. Also if possible learn assembly/machine code as you will get a real in depth appreciation for what is really happening when you run a program. Al-Salam
Related
Is the encoding of risc-v instructions to opcode bits standardized? If so, where can I find the encoding table at least for the base 32I instructions?
I guess it is always a good idea to keep up to the specs on https://riscv.org/specifications/. There chapter 25 lists in details how to encode the instructions. I also liked http://riscvbook.com very much.
Regards Joachim
It looks like I found it in github.
https://github.com/riscv/riscv-opcodes/blob/master/opcodes
The tables in The RISC-V Reader book that Joachim mentioned are very good (https://riscvbook.com). Even if you don’t have the book, there’s a PDF version available for free in Spanish (and some other languages), which may be enough for your purposes.
Barring that, I find the PDFs from the rv8 project concise, and really useful: https://github.com/rv8-io/rv8/tree/master/doc/pdf. (It's information that of course is present in the specs, but I couldn't find a short, 10-page document there containing it all.) It’s generated from the riscv-meta project which has machine-parseable descriptions of the ISA, which may be useful as well depending what you’re trying to do.
How does Xcode's autocompletion algorithm work?
I am always amazed by how fast Xcode picks up the code blocks I want to write. I have looked at some different string matching algorithms but none seems to be working as the one Apple uses in Xcode. I would find it quite interesting what type of algorithm they are using.
Thanks in advance.
The image above shows Xcode "predicting" that UTV should be UITableView
It's not just a simple string searching algorithm. It uses nearest code to the scope, last code you picked with the same shortcut, precompiled codes, codes in frameworks, your own defined codes, and many other stuff sorted by some intelligent definition. Since it's private by apple, we may not know how exactly they achieve this. But this year, they open sourced their LSP repository to bring support for these kind of stuff to other editors, even the VIM in terminal! You can investigate on that if you are interested.
Also there are some projects out there like TabNine witch is the all-language autocompleter. It uses machine learning to provide responsive, reliable, and relevant suggestions trained with over 2million github repositories. You can check that out too if you are interested.
Who knows what exactly programming and tech lead companies are currently using while we are looking for algorithms? Maybe a lot of machine learnings is included and only machines knows the exact algorithms.
Hello i am new to Kernel Programming and i would you to answer me how and how much it could take me to get started with confidence to play with the code and the meanings.
I am listing some Questions that they are also my Goals.Please answer any of them if not all.
1.I would like to evaluate myself on "how much" C i know in order to be able to understand the code and general concepts of the source code.
How i could evaluate myself to find my skill level of programming in C?
I have read K&R but i don't yet have a serious understanding on pointers and structs. When i mean serious i mean i am not able to easily comprehend the source code,yet.
Where i could find puzzles,projects in order to gain real world experience?
What books do you suggest in order to solidfy my knowledge in C programming?
How long it could take me to be a Competent Programmer(if i am not already?)
Expert
Professional
Competent
Advanced Beginner
Novice
A path of books or links well explained in time&skill level order it would be great.
2.I would like to be able to play with the code and create some new in order to experiment with the Kernel.
A path of books or links, Kernel Oriented, well explained in time&skill level order it would be great help.
Some suggested mailing lists and communites in general ?
How long it could take me to be a Competent Kernel Programmer?
(see list above about skill levels)
3. Some general suggestion about
those subsjects?
These might help getting you there:
The C Programming Language
Understanding the Linux Kernel
Linux Device Drivers
Maybe you should start with something other than the kernel first. Take any open source project written in C, get the source, try to fix open bugs or implement missing features. That will teach you a lot about C, and you'll get feedback about the code you write.
Once you're fluent in C you can start diving into the kernel source.
I've heard a bit about using automated theorem provers in attempts to show that security vulnerabilities don't exist in a software system. In general this is fiendishly hard to do.
My question is has anyone done work on using similar tools to find vulnerabilities in existing or proposed systems?
Eidt: I'm NOT asking about proving that a software system is secure. I'm asking about finding (ideally previously unknown) vulnerabilities (or even classes of them). I'm thinking like (but an not) a black hat here: describe the formal semantics of the system, describe what I want to attack and then let the computer figure out what chain of actions I need to use to take over your system.
Yes, a lot of work has been done in this area. Satisfiability (SAT and SMT) solvers are regularly used to find security vulnerabilities.
For example, in Microsoft, a tool called SAGE is used to eradicate buffer overruns bugs from windows.
SAGE uses the Z3 theorem prover as its satisfiability checker.
If you search the internet using keywords such as “smart fuzzing” or “white-box fuzzing”, you will find several other projects using satisfiability checkers for finding security vulnerabilities.
The high-level idea is the following: collect execution paths in your program (that you didn't manage to exercise, that is, you didn't find an input that made the program execute it), convert these paths into mathematical formulas, and feed these formulas to a satisfiability solver.
The idea is to create a formula that is satisfiable/feasible only if there is an input that will make the program execute the given path.
If the produced formula is satisfiable (i.e., feasible), then the satisfiability solver will produce an assignment and the desired input values. White-box fuzzers use different strategies for selecting execution paths.
The main goal is to find an input that will make the program execute a path that leads to a crash.
So, at least in some meaningful sense, the opposite of proving something is secure is finding code paths for which it isn't.
Try Byron Cook's TERMINATOR project.
And at least two videos on Channel9. Here's one of them
His research is likely to be a good starting point for you to learn about this extremely interesting area of research.
Projects such as Spec# and Typed-Assembly-Language are related too. In their quest to move the possibility of safety checks from runtime back to compile-time, they allow the compiler to detect many bad code paths as compilation errors. Strictly, they don't help your stated intent, but the theory they exploit might be useful to you.
I'm currently writing a PDF parser in Coq together with someone else. While the goal in this case is to produce a secure piece of code, doing something like this can definitely help with finding fatal logic bugs.
Once you've familiarized yourself with the tool, most proof become easy. The harder proofs yield interesting test cases, that can sometimes trigger bugs in real, existing programs. (And for finding bugs, you can simply assume theorems as axioms once you're sure that there's no bug to find, no serious proving necessary.)
About a moth ago, we hit a problem parsing PDFs with multiple / older XREF tables. We could not prove that the parsing terminates. Thinking about this, I constructed a PDF with looping /Prev Pointers in the Trailer (who'd think of that? :-P), which naturally made some viewers loop forever. (Most notably, pretty much any poppler-based viewer on Ubuntu. Made me laugh and curse Gnome/evince-thumbnailer for eating all my CPU. I think they fixed it now, tho.)
Using Coq to find lower-level bugs will be difficult. In order to prove anything, you need a model of the program's behavior. For stack / heap problems, you'll probably have to model the CPU-level or at least C-level execution. While technically possible, I'd say this is not worth the effort.
Using SPLint for C or writing a custom checker in your language of choice should be more efficient.
STACK and KINT used constraint solvers to find vulnerabilities in many OSS projects, like the linux kernel and ffmpeg. The project pages point to papers and code.
It's not really related to theorem-proving, but fuzz testing is a common technique for finding vulnerabilities in an automated way.
There is the L4 verified kernel which is trying to do just that. However, if you look at the history of exploitation, completely new attack patterns are found and then a lot of software written up to that point is very vulnerable to attacks. For instance, format string vulnerabilities weren't discovered until 1999. About a month ago H.D. Moore released DLL Hijacking and literally everything under windows is vulnerable.
I don't think its possible to prove that a piece of software is secure against an unknown attack. At least not until a theorem is able to discover such an attack, and as far as I know this hasn't happened.
Disclaimer: I have little to no experience with automated theorem provers
A few observations
Things like cryptography are rarely ever "proven", just believed to be secure. If your program uses anything like that, it will only be as strong as the crypto.
Theorem provers can't analyze everything (or they would be able to solve the halting problem)
You would have to define very clearly what insecure means for the prover. This in itself is a huge challenge
Yes. Many theorem proving projects show the quality of their software by demonstrating holes or defects in software. To make it security related, just imagine finding a hole in a security protocol. Carlos Olarte's Ph.D. thesis under Ugo Montanari has one such example.
It is in the application. Not really the theorem prover itself that has anything to do with security or special knowledge thereof.
I understand the general idea of how vulnerabilities are exploited. Buffer overflows and stuff like that, but I guess I don't REALLY get it.
Are there useful sources of information that explain this area well? Maybe case studies about how particular vulnerabilities were exploited?
Even more interesting would be how projects you have worked on suffered from these kinds of issues.
I'm not trying to learn about currently existing vulnerabilities that I could exploit. I'm trying to get a feel for how this area could have an impact on any projects I may work on.
iss.net has articles on different examples of exploits, mainly explaining how to secure your system.
The corelancoder tutorial! A must read
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Part 1 is a single BOF on windows, ... , Part 12 is ROP. It is hard, but the first one can be done in a day or two, and it should give you a real feeling on which difficulties one finds when writing an exploit, and on which countermeasures are useless/useful.
The problem with this area is that it is unclear until you try out something on your own, but that requires time. You could also check Metasploit to exploit problems directly (to have an idea of the impact) - you will find a list of exploit to fire to a target. If you need a target, use Metasploitable http://www.offensive-security.com/metasploit-unleashed/Requirements#Metasploitable
If you want practical examples of real life exploits, I totally recommend the book
"A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security"
It's exactly what you want. It's full of case studies and real life examples of almost every type of exploits and it explains it from the finding to fully writing a working exploit.
Also there are some examples in the book "The shellcoders handbook" but it's not as comprehensive as "The bug hunter's diary" Also "The shellcoders handbook" is pretty big and I only use it as a reference when needed.
Also sometimes I keep reading exploits from "http://www.exploit-db.com" and it helped me a lot but keep in mind not everything can be taught so sometimes you will need to improvise based on what you have and what you can control it's hard at first but it will make you feel great when the exploit runs and you see that calc.exe :)
Of course corlan tutorials and other tutorials are a must to know the essentials but they only teach you the basic concepts and you have to see some real life exploits in action to really understand the possibilities.