Security Now 311

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 311

Security Now 311: Anatomy of a Security Mistake

News & Errata

  • Apple iOS updated to v4.3.5, fixes a certificate issues.
  • a new Mac tool from Passware (cost $995), that gives access to the whole the Mac system through a firewire connection (Firewire has DMA access to ALL system resources).
  • Apple Battery Hack: default password in battery controller firmware can be used to change voltage data to kill batteries by blocking cell charging.

Spinrite Story

Happy but confused, SpinRite presented a Red screen with an error code, but rebooting and restarting SpinRite it went all OK

Anatomy of a Security Mistake

Introduction to Signed/Unsigned number representation in Binary

Positive numbers are represented as is in binary, for example, these numbers in decimal becomes

0 00000000
1 00000001
2 00000010
3 00000011

Negative numbers are represented by taking the positive number, inverting all bits, then adding one, like this:

1 00000001
inverted 11111110
add 1 00000001
-1 becomes 11111111

and so on

Introduction to blowfish encryption

Blowfish works 1 byte (8 bits) at a time, but the register used is a 32bit register, so the developer used 1 32bit register to store 4 bytes at a time. This is done by adding 1 byte/8 bits to the register, shifting left by 8 bits, then repeat another 3 times. Like this you end up by having 4 byte (32 bits) in 1 32 bit register, which is all correct. The adding by itself is done by doing an OR operation between the 32bit register and the byte contents.

Operation Data Register status
Empty the register 00000000 00000000 00000000 00000000
OR'ing first byte 01010101 00000000 00000000 00000000 01010101
shift left by 8 bits 00000000 00000000 01010101 00000000
OR'ing second byte 10101010 00000000 00000000 01010101 10101010
shift left by 8 bits 00000000 01010101 10101010 00000000
OR'ing third byte 11001100 00000000 01010101 10101010 11001100
shift left by 8 bits 01010101 10101010 11001100 00000000
OR'ing forth byte 00110011 01010101 10101010 11001100 00110011

Where is the problem?

The algorithm was coded in C language, and the register is defined as a 32bit unsigned, while the 1 byte is defined as just "char", and in C language the "char" is considered as a signed value.

When the compiler sees the OR operation between a 32 bit unsigned value and a 8 bit signed value, it "pads" the 8 bits value to make 32 bits, with an operation called sign extension. What Sign extension does is that it takes the highest bit (left-most) and pads its value to the rest of the bits. For example:

Decimal value 8 bit register 32 bit extended register
3 00000011 00000000 00000000 00000000 00000011
-3 11111101 11111111 11111111 11111111 11111101

This is all correct in normal use, EXCEPT that ORing 1 to the register, all the resulting register is wiped out with 1. In the Blowfish case, the first 3 bytes gets wiped out and only every 4th byte is maintained.

For example, the last step in the blowfish becomes:

Operation Data Register status
Initial Register status for step 4 01010101 10101010 11001100 00000000
1 Byte value, after extension 11010111 11111111 11111111 11111111 11010111
ORing char to register 11111111 11111111 11111111 11010111
Final register value 11111111 11111111 11111111 11010111

The fix of this bug in the C code of the algorithm was simply by defining the char as unsigned char

Sponsors

  • SqaureSpace, offer code: securitynow7 (10% off for 6 months)
  • Netflix, offer code: securitynow

Production Information

  • Edited by: Tech_Engineer
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.