FUDCon will be in Pune this June!
Posted: Jan 24, 2015, 08:16We had to wait 4 years for this, but it is finally happening again. The 2015 APAC chapter of FUDCon will be in Pune this year and it will be from 26-28 June.
After a great event at COEP in 2011, this year our hosts will be MIT College of Engineering. MITCOE has offered us great infrastructure, which paired with their enthusiastic staff and eager students makes for a great place to have this years FUDCon. As in 2011, we will try our best to keep all our decisions and arrangements transparent. Amit has mentioned a list of channels we intend to use for our communication, so hop on if you have suggestions or even just want to lurk to find out how things are going.
And finally, if you’re interested in speaking at the event, make sure you plan your travel accordingly. The official CfP will be out real soon.
See y’all in Pune!
Fedora 21 Workstation DVDs
Posted: Dec 29, 2014, 20:30Fedora 21 was released on 9th December in a whole new packaging in the form of various products. Us APAC ambassadors had discussed earlier about the kind of media we would need to write and it was finally decided that APAC will get its DVDs from EMEA, who were getting a good deal on writing a large number of Fedora 21 Workstation DVDs. We found an even better deal in India though and for that we decided to write our own media locally.
The only problem was actually procuring quotes and deciding on the best (and not necessarily cheapest) one since almost all quotes we got were cheaper than the EMEA quotes. I narrowed the quote down to Gaiaka Media Works, who have good and affordable optical media solutions. I had a cheaper quote from a provider in Delhi, but they were not even close to being as responsive and had refused to provide any kind of samples. Gaiaka on the other hand were constantly in touch with me right up to the point of delivery, so the vendor decision was quite easy in the end.
Delivery however was complicated. I had initially asked for the shipment to be delivered to my place in Pune, but that would have made it by 22nd or 23rd. Pravin Satpute however announced the Fedora 21 release party in Mumbai for 21st and he wanted DVDs to distribute there. Thus started a complicated delivery dance. I was to go to Delhi via Mumbai on 20th, so I personally picked up the shipment from the Gaiaka office. This was a good decision for a different reason - I got to meet the owner personally and even gave him a server and workstation DVD to try out. I kept the boxes at a friend’s place and gave a couple of spindles to Rahul Bhalerao at the Dadar station, who then got those DVDs to the Mumbai release party. I then returned to Pune on 23rd, went back to Mumbai over the following weekend (for a friend’s wedding) and finally got the DVDs back home yesterday. Phew!
Along the way, I shipped a couple of DVDs to a 13 year old who emailed me (and pinged me repeatedly on IRC) for a Fedora DVD since he did not have enough bandwidth at home to download a DVD image.
The worst problem however was (and still is) the DVD sleeves. I have been pursuing printers around Pune for some time now but none of them seem to be interested enough to even call back. All of them seem to be too busy to want more business. The result is that none of the DVDs have sleeves now. We’re not considering it a bug problem though, since a lot of people I spoke to didn’t seem to care much for the sleeves. They are good to have (prettiness factor) but not absolutely necessary.
So to conclude, I am now a custodian of approximately 1700 Fedora 21 workstation DVDs and will be sending about half of them to the Bangalore Red Hat office this week. If you are hosting a release party or are a Fedora contributor or ambassador attending an event, let me know (through the fedora-india or ambassadors mailing list) how many DVDs you need and we can work out a way to get them to you. I also have about 1000 Server product DVDs, but we (i.e. APAC ambassadors) still need to decide how to distribute those around APAC. I would personally like to distribute multiboot DVDs in future, so hopefully we can come to some kind of consensus on that before F22.
Day 2: Fedora APAC Budget Planning FAD: Little Things
Posted: Nov 17, 2014, 08:43We reserved the second day for all of the little things, most importantly swag. Sirko passed around samples of swag that EMEA made, notably stickers, pins and buttons and also some balloons as examples of things we could do.
The main problem however was bulk production and distribution of the swag. Unlike EMEA, APAC was not one big region with few export controls. APAC was a lot more divided and given strict customs policies of some countries, we would have to produce a lot of swag locally, thus increasing cost of production. We have to figure out the cheapest way to do this and ambassadors agreed to get quotes by about January for production as well as shipping.
One of the most important problems from the budgeting viewpoints for APAC however was the charges for transactions that ambassadors had to pay for each reimbursement. The current charges are much too high for APAC at about 4.4% of the transaction amount. For example, for a $100 reimbursement, the ambassador tends to lose about $4, which is a significant amount of money in most APAC countries. In terms of McDonalds meals, one can have two McChicken meals in India with $5.
The other problem with Paypal was that all countries in the APAC region could not accept Paypal. Because of this, one would either have to use something like Western Union to transfer money, which is again riddled with steep charges.
Various approaches were discussed, from getting Paypal to waive those charges, to passing on the charges to Fedora somehow, to associating the APAC credit card with a US based Western Union account. We still need to discuss this with the Fedora leadership.
The other action item was to make an inventory of all material we had in APAC, i.e. banners, tablecloth, etc. so that we know what kind of material is available for conferences around. This would also help us plan production of any such material in future.
Finally, everyone seemed to like the idea of having smaller focussed contributor/user meetups like I had proposed for India and Izhar suggested making a brand name for such meetups so that everyone could standardize on them. I suggested Fedora Contributor Meetup and Fedora User Meetup. Tuan will bring this up at the FAMSCo meeting.
We ended the day with dinner at a restaurant at the Mekong riverfront. Greta joined us for this one and we had a great time. Somvannda and Nisa took us to the night market after that to buy stuff and we then headed back, but not before having another round of snacks and drinks at a local place near our hotel. I had a 4AM start but it was past midnight by the time we were done. Almost everyone stayed up chatting about various things till it was time for me to go.
This was my first trip to the East and perhaps one of the more interesting trips in recent times. We are geographically and politically divided but it was interesting to see that a lot of the problems we had were common and solutions to them could be quite common too. This is hopefully a beginning to an even closer association with ambassadors in APAC to bring Free and Open Source Software closer to people in the region through the Fedora project.
I have taken a few pictures, which I will hopefully be able to process and upload before the end of the week.
Day 1: Fedora APAC Budget Planning FAD: An Eventful Day
Posted: Nov 17, 2014, 08:42Prior to the FAD, Sirko made a table of events to fill in events happening in APAC that we thought we ought to ensure a Fedora presence for by allocating a budget for one or more people to travel to the event. Most of us sent out a communication to our respective smaller communities and got the table populated further. Sirko had already covered most of the bigger events, but there were additions to the list.
We went through the list of events, with one or more people arguing for or against representing an event. We agreed to discuss swag production and other issues on Sunday. This turned out to be a fairly exciting affair, with emotions sometimes running high over some events. It was great to see though, because it meant that people were really involved. My pet event was not really a single one, it was a group of small ($20-$50) events I plan for us to do in India over the whole financial year. These would be user and contributor meetups with a specific focus, similar to the Security FAD and Test Days we had earlier this year. The proposal did not get any opposition since we have enough contributors in India to pull this off. Now I only hope we get such a budget and we are indeed able to pull off such events and that they are successful.
Other than that it seemed odd that there weren’t a lot of large events in India that Fedora could focus on. I think we will have to look at this a bit deeper in the coming year to see if there are events we may have missed. Maybe smaller events just tend to be more productive due to which such meetups seem to be cropping up more frequently. Or maybe nobody wants to step up to do bigger events. I don’t know.
We ended the day at a local restaurant that Somvannda took us to. We had a great meal of various seafood dishes that I thoroughly enjoyed. Of course, I have yet to come across cuisine that I have not liked, so me enjoying Cambodian food was not surprising. Heck, I even enjoyed British food (which apparently is considered bland) when I was in Cambridge in July, even the blood sausages and haggis!
It turned out to be a very productive day and I was happy that we managed to finish discussing the entire set of events in that one day. The next day we would discuss a lot of the little things that seemingly make a big difference.
Day 0, Fedora APAC Budget Planning FAD: Pre-Release Party and a lot of Tom Yam Soup!
Posted: Nov 17, 2014, 08:22These months have been very busy for me on the Fedora front and for a change, my involvement in Fedora has been very non-technical. After years of shying away from it, I finally became a Fedora Ambassador and have been involving myself in a lot more non-technical things like organizing events and attending meetings. One such meeting I was looking forward to recently was the face to face meeting of some APAC ambassadors to plan for the budget for FY16 at Phnom Penh, Cambodia. This series of posts is a report of the event as I saw it.
My travel itinerary for Camboda was fairly packed; I was to fly in on Friday night and then fly out early morning on Monday. I would have ideally liked to conduct some workshops around systems programming but it seems like the aversion to any kind of low level programming is even worse in Cambodia than in India. Maybe the situation will be different in future. However, my packed schedule also meant that I would have missed the Fedora 21 release party (F21 is not out yet, but the party was already planned and the organizers did not want to shift it or rename it) on Friday.
But Somvannda would make sure I didn’t, at least not all of it.
I reached the hotel room in Phnon Penh at about 9PM and immediately, Somvannda had arranged for me to be taken to the DAI office for the Fedora Release Party. The cake, talks and a lot of the food was over, but the people and drinks were still there. I got a very warm welcome from Somvannda, Nisa, Tuan, Izhar, Danishka and Sirko and they also introduced me to Greta, the host of the party. After quick introductions, we had a few informal discussions about what we were going to talk about over the next two days, but we were mostly just drinking and eating whatever was left. I nibbled away even though I had been stuffing myself with food (Tom Yam soup FTW!) at the Bangkok airport while I had waited for 5 hours for my connection to Phnom Penh; the dry pastries were amazing!
The only remaining member of the party was Alick and he was not expected till about midnight. All of us waited up till he arrived, said our hellos and then turned in for the night. The next two days were going to see a lot of action, but we didn’t know it then.
Fedora Activity Day at Pune: Towards a more secure Fedora
Posted: Nov 02, 2014, 07:10Huzaifa had wanted to do a Security FAD in Pune for a while to tackle the really high number of open security bugs in Fedora. We had initially set a date for September but we pushed it forward since Huzaifa was not available. In the end, Huzaifa was not not available even on the rescheduled date, so PJP took over ownership of the event.
I wasn’t expecting a lot of people to attend given the nature of the activity and as it turned out, there were 14 signups with 7 showing up finally. We also had a few people joining remotely, which was awesome. We also had a Docker event running in parallel at the venue (the Red Hat Pune office), so we had more company at lunch.
Everyone barring PJP came in on India Standard Time, i.e. late by a few minutes to an hour or so. We started a bit late as a result, with a quick introduction to security in Fedora by PJP. After the talk and questions we didn’t waste any time and quickly got down to triaging security bugs. Our plan of action was to take ownership (by setting fst_owner= in the bugzilla whiteboard) of security bugs we understand and start working on driving them to conclusion. What this implied was that we would have to follow up after the FAD to ensure that the bugs were closed.
I started from the oldest bugs (dating back to 2011!) and managed to own 8 bugs by the end of the day. We had many a spirited discussion over what constituted a security bug (most of us understood OS security to a fair extent, but were not security experts) and my impression was that all of us went home a bit wiser. I learned that xen is a horrible horrible package - it bundles a bazillion projects into itself, due to which fixing flaws in the original project is not sufficient and xen would need to be checked and fixed separately.
Overall we had a pretty good day where 36 bugs got new owners - we managed to reduce the total backlog (of unowned bugs) from 370 to 334. Hopefully some of us will continue to work in our spare time (I know I’ll try) and bring that backlog down further.
Fedora Activity Day at Pune
Posted: Aug 23, 2014, 00:22We had a Fedora Activity Day at the Red Hat office today in Pune. The FUDCon at the College of Engineering, Pune was the last major Fedora event that I was part of in Pune, so I was looking forward to the FAD to finally reboot my active involvement in Fedora.
Most of the organizers were not very familiar with arranging Fedora events. Some of us had participated in them and even helped during FUDCon, but actually planning everything on our own seemed quite difficult. We also did not want an event where people came, attended talks and went away, which is why a FAD seemed like the best option. To make sure that we didn’t end up just meeting and getting to know each other, we decided on a single theme, which is testing the upcoming Fedora 21.
Given that we had no clue what to expect, we didn’t ask for any sponsorship, just a room and internet from the Red Hat Pune office. The other difference was that we also invited people to participate remotely over IRC and we got a decent response on that front too.
I had decided to run the F21 installer through the grinder, but changed my mind the previous day and decided to test glibc. On the day, I changed my mind again and started testing the KDE Live ISO. People started trickling in a little after 9 and soon we had almost everyone who had signed up to come. There were a lot of lively discussions over bugs and everyone cross-checking with each other on bugs before filing them. Prasad did a little session on DNSSEC to get more people to test DNSSEC on F21.
Lunch was ordered and as it turned out, I don’t have a clue how hungry hackers get after a session of serious testing. We ended up under-ordering thanks to my estimation skills and some of us had to supplement our diet with cup noodles. That wasn’t enough of a damper for anyone though, as people ploughed on after lunch. I managed to file 4 bugs, all against anaconda. Kashyap did a short session on virtual machine shapshots and had quite a few people actively trying it out, while others tested ON_QA bugs to give karma.
Towards the end of the day, I downloaded gnulib trunk to run its tests against F21 glibc. I found a few additional failures, but I couldn’t work through it because I had to leave for home. I need to close that one some day, hopefully sooner than later. In the end, we had a very fruitful day of testing with over 8 components covered and about 15 bugs filed, not including some that were already filed. I’m already looking forward to having another hackfest or bugfest.
FUDCon Notes on my Security Exploits Session
Posted: Nov 10, 2011, 10:17I was askedĀ by a couple of people for notes on the security exploits session that I conducted at FUDCon. I had posted the code samples on the talk page, but that is probably a little terse, so here’s a little write-up to support the code samples. To repeat what I had said multiple times earlier; I am not a security researcher, not even a security freak. This topic was suggested to me by Amit Shah, and I developed an interest in it due to my original interest, which is operating systems tools. The preparation of this talk got me interested in security, but only through the perspective of operating systems tools and programs, so I am still relatively indifferent to the subject of web-based security.
I started preparing for the session fairly late; i.e. 2 days before FUDCon. I am a little familiar with glibc code and with the way the compiler, linker, loader, etc. work on Linux, so that helped me understand a lot of the concepts behind exploits fairly easily. But concepts != working code and getting exploit code to work was the real challenge, especially when I had just about 3 evenings+nights for it. I had started with an idea of showing stack smashing and privilege escalation examples, but given the time constraint, audience level (college students) and also the constraint of my knowledge, I decided to restrict it to stack based attacks. All of the examples have a buffer which is being written to without checking for bounds of that buffer, typically with an strcpy.
The shellcode sample:
The shellcode sample as well as the final vulnerability demo (smash.c and vulnerable.c) were derived from the article Stack Smashing for Fun and Profit. That is a great article that explains in much more detail than I went into in my session, as to how the shellcode exploit can be developed.The core idea of this is:
- Obtain the binary equivalent of execve (name[0], name, NULL ) where name = {“/bin/sh”, NULL}
- Append additional data to the binary data and pass it to the buffer copy routine (strcpy) in such a way that, it writes the location of the first instruction in the above binary equivalent into the location of the return address
I spent a lot of time trying to figure out where this was set and finally found the -z option of the linker. So to write out a binary that sets up an executable stack, I had to call the linker with -z execstack. This finally enabled me to get the shellcode working.
The actual exploit
Once the shellcode was done, I could get the final vulnerability working and I immediately set about trying it. The exploit is based on the above shellcode example, except for one difference. The shellcode example is just that, an example. It is not an actual exploit; it is just a roundabout way to get a shell. The exploit I was about to do was a real crack. The idea now is to accept a string as input, which is then fed in to make a regular and buggy program provide you with a shell.
To imagine how this would work, think of the program that gives you a login prompt. In the context of this exploit, you should be able to input a crafted string into this login prompt and have it give you a shell without actually knowing the password! This is what the actual exploit ought to look like.
Again, writing the exploit was the easy part; getting it to run was quite another thing altogether. The exploit works as follows:
- Pages of memory are generally mapped at the same addresses for processes, so the top of stack for a process can be a good starting estimate for the top of stack for another process. From that point on, you need a finite number of guesses to get to the point in stack where the instructions have been injected
- The smash program records its own top of stack and prepares a string such that it the return address will be overwritten by the top of stack address. The string obviously begins with shell code. To improve the chances of hitting valid instructions in the code, the buffer is written over by a lot of single-byte NOP instructions just before the shellcode instructions
- The smash program executes a shell with an environment variable exported ($EGG). This environment variable can now be used to execute the vulnerable program within that shell. This could have been done differently too, like storing the output to a file and executing the vulnerable program with input from that file. So the way input is given doesn’t really matter here
echo 0 > /proc/sys/kernel/randomize_va_space
Even with this, my example would not execute by itself and would end with a SIGILL. I suspect this has something to do with the fact that my systm is x86_64 while the samples are all 32-bit. Our overflow string does not seem to agree with the instruction set on my system. In any case, it seems to run just fine inside a debugger. So if you run smash to get a shell, run gdb vulnerable and then run it with $EGG, you get the shell! At least I had a demo now.
Jump to libc
While I was trying out the shellcode example, I continued thinking about various other ways in which I could get a shell. One of the methods I thought of was to overwrite the return address with the address of the system() glibc call and pass the string via stack. I later found out via Huzaifa that this is in fact a documented way to exploit unchecked buffers on stack. Huzaifa also said that I may be missing out on something there and gave me some tips on finding the right resources for this. I still could not get this working, but at least I found out why the exploit did not work.
This exploit seemed attractive to me because it does not require an executable stack. The instructions I want to execute are already there in memory. So I only have to overwrite the return address and continue writing “/bin/sh” on the stack. I first tried with x86_64 in this case, because I was going by my own idea at that time. I soon figured out that the system() function on x86_64 did not take function arguments from stack. It took the argument from the %rdi register. My devious plan had been foiled! I did not give up however and looked at the system() implementation on i686. This retained the old behaviour of popping arguments from the stack, so my exploit was still possible here.
Not. My code was correct, but every time I run the program, the address of system() had just 3 bytes set. So it would always look something like: 0x00aabbcc. This was bad news because this meant that I cannot continue writing the shell string into the stack (strcpy stops copying when it encounters a 0x0). This means that I can call system() (like I was able to on x86_64 too), but I cannot pass it an argument. After trying enough number of times, I concluded that this must be a security feature. This was backed up by the tip Huzaifa had shared with me to (ironically) get the exploit to work. This was perhaps the first documentation of a return to libc exploit by Solar Designer. In his explanation, Solar designer mentioned that a way to fix this would be to ensure a 0x00 in the address, which is precisely what is happening here.
This obviously does not deny the fact that such an exploit can be carried out if you want to call functions that do not have arguments. Think for example, of a function that executes a shell ;)
Conclusion
The last modify example was a simple little trick I wrote on the last day to demonstrate how buffer overflows work and how they can be used to alter program flow. That again is not an exploit at all. At most, it can be called… a buffer overflow ;)
I had even more fun preparing for this session than actually presenting it because it taught me a lot more than I could ever have done by just reading literature. I hope those who attended my session at FUDCon enjoyed the session too.
FUDCon Pune 2011 Day 3: Hack and eat
Posted: Nov 07, 2011, 03:44The last day of FUDCon. I had not slept much the last couple of nights, so I slept in a little late. Due to this I reached the venue late too and found that a lot of the speakers had reached late and that seemed to have got the volunteers (understandably) a little annoyed. All of the action was to happen just in the auditorium and the seminar halls this time and I stuck mostly to the auditorium for most of the day. I had planned to work on the libgqpid library, but I had not decided what it is that I was going to do. I started off by writing my day 1 post. That was quickly followed by lunch, where we hogged on pizzas.
I told Kushal by that time that I will work on autotoolizing libgqpid since he was busy working on his book. I started working on that after lunch, quickly finding out that there are a few things that wouldn’t work very easily there.
libgqpid is a wrapper around the apache c++ client library and the library check for the qpid client library would have to be in c++. autotools does not have any macros for c++ library checks, so I had to write a check that looked like this:
AC_LANG_PUSH([C++])After this one little hurdle it was pretty much smooth sailing and the result was a pull request to Kushal for the patch. By early evening, everyone was done and ready to go. The volunteers, especially the girls were very excited about getting their pictures clicked and were calling all of the major organizers (Rahul, Amit, Satya, etc.) to get their pictures clicked with them. It was pretty entertaining to watch.AC_MSG_CHECKING([if qpid c++ client libraries are present]) AC_LINK_IFELSE( [AC_LANG_PROGRAM([#include <qpid/messaging/Connection.h>], [qpid::messaging::Connection con])], [QPID_LIBS=“$LIBS”], [AC_MSG_ERROR([qpid c++ client development libraries not found])])
AC_LANG_POP
This was followed by a cake, which was mostly eaten and the rest of it smeared on Rahul and Jared’s faces. To end the event, we had a feedback session with the volunteers and they gave us a few good tips on how we could have done some things better.
By the time we were back at Magarpatta City, everyone looked tired. Rahul had organized a parting dinner at the Cocoon for all the speakers and organizers, which was a lot of fun. I had a great time chatting with Heherson, Izhar, Arun S A G, Srishti Sethi, Anurag and Eugene Teo. After dinner it was time to head back home.
We did a lot of things right in this event and kudos to Rahul, Amit Shah and all of the core team for getting together a really great event. I hope that at least some of all of those college students make the transition from being users to being contributors, especially contributing code to Fedora and upstream projects.
FUDCon Pune 2011 Day 2: Me, followed by lunch, followed by me, followed by me...
Posted: Nov 07, 2011, 03:12The title pretty much summarizes what most of my day looked like on day 2 of FUDCon. Well, not exacly, but it comes quite close. I had three sessions lined up in a single day and I was worried that I might lose my voice by the end of it. Ankur Sinha had all of 4 talks in the single day, so I was definitely better off that him.
The day started with Harish Pillay’s keynote on the community architecture team. The turnout on day 2 was less than that on day 1, which was a little surprising. Most of them trickled later in the day, so it meant that a large number of the attendees in Harish’s talk were Red Hatters and the CoEP volunteers. We probably started a little too early for a Saturday.
Immediately following that was my session on qpid messaging. The attendance in the session was modest (about 8-10 people), but the best part was that they were very involved in the session and that made the session worthwhile. Mrugesh Karnik also joined the session mid-way and asked some really good questions that actually helped my session. We ended up doing a queue design for a fictitious stock trading system and I was able to show how the design could scale very easily with a qpid messaging broker in place. Unfortunately, most of the attendees did not have laptops, so I could not engage them in a hands-on session. In fact, that was my story of the day to a large extent. I had intended all my sessions to be hands-on, but most of it never really materialized because most of the audience did not have laptops.
After the qpid session, I spent some time chatting with Sankarshan, Mrugesh, Anurag and Nisha over lunch. After that I decided to double-check my exploit code samples because it was the one session that I had never done before and it was something that is not my area of expertise. The only aspect of the exploits that I was really comfortable with was how they worked and how I could explain that using the usual tools like gdb, objdump, etc.
I was sitting in the speakers lounge cleaning up my examples when Aditya Patawari came in and asked me about my session. That reminded me that I had to actually go into the session :D We quickly left for the classroom and found pjp finishing up his python session, which had a packed audience. Once he was done, a lot of people left, which led me to think that even this talk was going to have a modest audience. However, people trickled in as I was about to begin and by the time I did begin, the room was full.
The exploits session was probably one of the best sessions I have done so far, mainly because I personally enjoyed it. The audience also consisted of people who were interested (exploits are sexy, as someone said later) and I got a lot of questions during and after the session. The talk also seemed to give some people from the audience the impression that I am a security expert, which is flattering but incorrect.
Then came the awesome part where Pai and Yogesh Babar followed up my session with impromptu sessions, which the audience lapped up eagerly as well. Pai talked about extensibility of postgresql by making it call routines in perl (typical dinosaur stuff ;) ) and Yogesh did a talk on kdump. I learnt later that Rahul Sundaram did something similar in one of the seminar halls by asking the audience to “ask him anything about Fedora and Open Source”. Pretty cool stuff.
After Pai and Yogesh were done, it was again time for me to get on to the platform for another session, this time on autotools. This was something I had done multiple times with the same examples, so it was pretty uneventful.
Day 2 was probably awaited by a lot of people for another reason -- the FUDPub! We went to Park Estique near Vimaan Nagar for dinner. There was loud music and bling bling lights and food and drink. I enjoyed the food and drink; the lights gave my a headache and the loud music was, well, too loud. In any case it was fun chatting with people and having the really good food.
Like the first day, I did not get to attend any other sessions, this time for a different reason. I’ll probably submit less sessions in the next conference so that I actually get to attend other sessions and meet and talk to more people. I did meet a lot of interesting people on day 2, so all of that hectic schedule was completely worth it.