Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/144 Thanks!

All right. I think we're about to get started. Let's take a seat and make sure that the usual announcements are there: there's nothing blocking the aisles. No cables, no bags. Nothing else. So nobody trips over and we can actually empty the room if we have to in an emergency. With that, I would like to introduce Ilja. He's the director of penetration testing at IOActive. And most of you probably know him. He's been looking at the X.Org code, the X Window System code, and things he found there. And I'm sure it's going to be very interesting. Had a few chats with him before. And yeah, please give him a warm welcome and let's hear what he has to say about it.

Thank you. So my talk is going to be on X security, and the subtitle is It's Worse Than It Looks. Pun intended. So.
As I was just introduced, I work for a company called IOActive. I am their director of penetration testing. I run pentests and lead pentests, and do code reviews, and basically break stuff for fun and profit. In short, my talk is going to be: I'm going to do a small intro. I'm going to talk about security of X clients. I'm going to talk about the future of X servers, and then we'll have a sort of slide at the end where I'll sort of be like, Well, how bad is it, really? Is there anything we can do about this?

So what is this talk about? It's the implementation of X protocol parsers, specifically how the data comes in, either in the client or the server, how bad or how good that is. And I'll also say something about specific trust boundaries, entry points into either the X client or the X server, and I'll show some bugs and trends of bugs that sort of show up on both the client and the server side, and then near the end a general sort of "how bad is it" slide where I say, Well, how bad is it? What can we do about it?
Specifically, what is this talk not about? It's not about the network operation side, right? We've known for a long time: yes, if you have networked X and you don't tunnel it over SSH, people can sniff it, they can do keylogging, all that kind of stuff. This is well known stuff, so I'm not going to cover that. I'm going to talk about implementation and not the network side of things.

So as far as an introduction goes, I actually started looking at this stuff about a year and a week ago, right before the Congress last year. I decided to download the X11 client code and sort of look, I looked for the receive function and then basically from there started looking at some of the parsing. The client code was fairly easy to grasp and sort of find the entry points. Within a week I had run through all of it and sort of weeded out all the low-hanging fruit, reported about 80 bugs. They all got fixed. Almost all of them. But all the bugs themselves got fixed.
And then sort of as of May, June this year, I moved on to the server, and initially I was like, Oh, well, you know, it'll take me about a week, and it turns out it took me much longer. I haven't really finished yet. The server is enormous. There are so many extensions I've not finished yet. Thus far, I have reported 120 bugs, about 25 hours ago. So the server bugs have not been fixed yet.

But before we talk about the server, let's move on to the clients. Some easy observations about X, in case you didn't know yet, is that it's a client server protocol to be used for the GUI, and pretty much anything that's Unix and has a GUI has X, even on Mac OS. I guess Apple doesn't ship XQuartz anymore, but most people still install it. The server is networked, or can be networked, can be over TCP or IPC. It's a binary protocol.
The client basically parses, or the client parsing becomes interesting when your client runs with high privileges. So if you have a setuid binary, for example, that's interesting attack surface from the X client perspective. And the reason why is because if you have a privileged setuid application that uses X, you can basically say, Hey, connect to this malicious X server, and it will go there, and it will fetch all of this network data, which you can spoof and send malicious data. And it turns out getting it to crash is really, really easy.

So in case you don't know what X looks like, it kind of sort of looks like this, or it looked like this 30 years ago. So the Xlib libraries are basically these acts of advice, if you look at this thing. I don't have a pointer, but this thing here, that's the attack surface, right? So I spent a week looking at all the libraries that sort of fit within Xlib. There's also xcb.
And people have been asking me, Have you looked at xcb yet? Have you looked there yet? I have not looked at xcb yet. It's on my to do list, but so are a hundred thousand other X related things. So I'll get to it at some point, but I have not looked at xcb yet.

Going back to Xlib, I can tell you that things are unbelievably bad. It's all binary protocol parsing. It's all code written in the 80s. The server, basically, the library was written in 1984 with the idea that the server is trusted, and so there was very, very little validation done. Yeah, as I said, in a week, something like 75 bugs or something. So it was instantly obvious that that code was never written with a trust boundary in mind. And so with that, since the bugs have been fixed, I can now talk about or show an example of some of these bugs.
So here I've got a set of examples, and I'm not going to read through all of them, but I'll sort of run over the first three or four and then I'll sort of skip through the rest of this code, because spending entire hours looking at code is kind of boring, at least when you have an audience in front of you. But just to give you an idea of how bad it was, these are things that, sort of the first hour you start looking at this code, the stuff just sort of falls out, right?

So basically, the first thing I did is I downloaded all the Xlib code and I just grepped for _XReply. And right there, that's all your entry points. And so this rep thing is basically what you get back from the server. And then _XRead basically reads more data from the server, and it takes this length value, which the server gives the client, and the client just blindly trusts it.
And so the client can say, Hey, I've got four gigabytes of data for you, and this pixel buffer is, you know, much smaller. So these are trivial memory corruption bugs. Two of them.

Another very trivial bug is basically, you know, you do _XReply, the reply comes back from the server, and there's basically a memory allocation based on this data. Trivial textbook integer overflow right there.

Another example is this n that came from _XReply. And then one of the elements uses it as an index into an array without any kind of validation. Trivial. An index bug, textbook example.

Here's another one where... So this one doesn't use _XReply, but uses XGetWindowProperty, which is basically a wrapper around _XReply. It gets back a number of items from the server and basically just does a copy of those items.
It does length checking, but it turns out these lengths have nothing to do with the length of the items. So it's a pretty straightforward memory corruption bug. There's some more, I've got like 20 or so in here. So if you download the slides later and you want to look at this, you can see just how bad it really was. But just to give you a grasp of the overall bugs I found, there's been a set of these bugs that were found, OK, and that's just that. I think there's like four times that many that were found. So all the discovered bugs have been fixed.

It was really cool when I submitted a bug. So usually when you submit bugs, you never quite know what you're going to get. Sometimes they will ignore you. Sometimes people get very defensive, sometimes people will be lazy, and it'll take two years to fix a single bug. I was very pleasantly surprised when I submitted these bugs to the X.Org security list.
Within a couple of hours, I got a reply back from one of the developers, called Alan Coopersmith. This guy needs a shout out, this guy is fantastic. He fixed all the bugs within a three month period, 80 bugs within a three month period. He has a very deep understanding of X, which is not too surprising because he's one of the developers. But the good thing was, usually when you report bugs, people might not understand it, they might not have the security knowledge. And so you have to sort of hold their hand and they'll say, Oh, that's not a bug, and you have to go back and say, actually, it is because of so and so and so. That didn't happen a single time, in every single bug I sent them. He instantly understood and saw what the consequences could be. There was no pushback, no hand-holding. It was fantastic. Alan worked tirelessly.
I mean, to do this kind of looking over and understanding 80 bugs and then making fixes for those 80 bugs and reviewing the diffs and then doing all the testing within a three month period is pretty... I mean, that's like Superman, right? So that's really, really good. So. Yes, exactly. Yes.

On top of that, I also happened to be in a conversation with him regarding the bugs that I found. And so Alan had some interesting comments. This one is actually a serious one, and the next one is sort of more funny notes, but I may not read the entire thing, but he sort of starts off saying, well, and this is where he shows how good he grasps that there's a trust boundary and a security element to the toolkits. He says, Well, I don't know how many setuid... And I never mentioned setuid to him. So he says, I don't know how many setuid ones would still exist these days, as X has been around so and so and so.
But since we know there's more X clients than we can keep track of, especially ones homegrown at various companies and so forth, we have to assume there are still some. It would be good to put a reminder in our security advisory of the best practices to separate out parts of the application that require elevated privileges from the GUI, to avoid such issues. GTK requires this, but not all toolkits do. And I'll get into that last part in a little bit.

So these are other observations he made. These are less serious, but kind of funny. I think it was like, shoot me down and shoot this developer for not fixing xcb and anybody else who touches KP, because it'll be too late for them too. And it goes like, well, after my analysis of this first batch of 80 bugs, my head started spinning, trying to figure these things out. And then one of his comments on one of the bugs was, you know, if you have a window shape of two to the thirty-second rectangles, what the hell are you doing?
And there was an endless stream of these sort of kind of funny comments on these bugs, where X allows for these very liberal things that no one would ever do. But it turns out, if you try to do it, it's going to blow up anyway. But they don't stop it.

And then what was really cool is when his bugs got fixed, there was an LWN thread about it, and it was sort of the, you know, just LWN trolling. But among the comments, there was one that I thought was just perfect. One of the original X developers commented, and he said... I just want to sort of read the first part of it, because it really sort of captures how bad the state of X still is today. He says, Well, all I can say is it was 1984, and it was a very, very different world. We're talking over 25 years ago, many LWN readers weren't born then. There weren't many bad guys out there. I remember the Morris worm hitting, which was way beyond.
It was after 84, when I was working on X11 protocol bindings, and Kevin Mitnick had just reared his head a year or two before. So bugs I clearly wrote in that period and others copied my mistakes. Others just utter and clearly made mistakes, Ryan says. Other bugs just couldn't happen in practice on the machines of that era. So you have to think about macro facts. And so some of the bugs, I mean, it was like, Well, you have this four gigabyte text file. And if you parse that, then the thing blows up, which today is very easy to do. Thirty years ago, it was impossible.

So a sort of fallout of when these bugs got fixed was interesting, because, so, shout out to Debian. So what happens is when you submit bugs to X, they say, Well, we'll go fix them, and then, after they have all their patches in a git repository, they have this two week embargo where they go to all the vendors and say, Hey, listen, here's our fixes.
We'll keep it silent for two weeks and you get two weeks to get your shit together and then we'll just release the whole thing. That works pretty well when you have one or two bugs; when you have 80 bugs, not so much. Debian was the only one who would, in the two week time frame, merge 104 patches, all within a two week embargo. For whatever reason, on the day the embargo expired, no one else managed to do this, and the guy mostly responsible on the Debian security team, I hope I'm pronouncing his name correctly, Moritz Muehlenhoff, deserves a lot of the credit for this, so I think we should all just...

So this is all very nice, but nobody really uses raw Xlib anymore. When you write a GUI program that's going to work on X, nobody uses Xlib, right? Everybody uses these frameworks that are built on top, right? There's GTK, Qt, Motif. There's a bunch of these, right?
So I started looking at some of these and see, you know, is it better or is it worse? So, GTK and Qt, their crappiness is bang on par with Xlib, trivial bugs like this one where basically you have an array of five elements and then you just take arbitrary data back from the network and just start copying it in until you run to the end of the array of data you got back, without validating that if it's bigger than five, you should have bailed out. And they didn't. That's sort of the standard stack smash.

This is Qt init. So any Qt application is vulnerable to this, where basically, if you give it a certain app name in a certain circumstance, they'll take that app name global pointer and assign it your argv pointer, which comes from main, and another piece of code will assume that it's been new'd (C++ new) and they'll do a delete over a pointer that's argv.
Clearly that's going to blow up, and there were a bunch of these bugs. I sent those off to the Qt guys. And their response was just night and day difference compared to the X.Org guys. And the comment from the X developer earlier on about the setuid and all these frameworks not having setuid checks, that was dead on. So Qt doesn't really have those security checks.

And so when I sent the bugs to Qt, the Qt guys did not agree with me at all. They sent mail back and said, Well, you know, Qt trusts the application to check for this, for this very reason. You know, I suspect someone running setuid Qt applications would fall to a huge number of problems, the most obvious one being malicious styles that would allow them to trivially execute code. So basically I sent them bugs, and their reply was, Oh, here's more. Not the response I was looking for.
So I responded back saying, well, you know, it's your library, you shouldn't dictate policy, and there are, in fact, more setuid binaries. I specifically mentioned KPPP, because I found bugs in there in the past, and I know it's still around and I know it's still at least being maintained. And so on top of that, I went and did the style thing, because I really wanted to know if there's actually executable code in there. Just to be sure, they gave me a zero day.

So they basically mailed back and said, well, you know, that would be a security hole in those applications rather than Qt. There are many ways people could have used the library to create unsafe applications. And then I go, do styles execute code? And they say, Yes, they do. And then I asked, well, KPPP, does it no longer run setuid, as you said? And then this is beautiful, right? The quote from the frequently asked questions of KPPP. But they cut off the quote.
512 00:16:50,510 --> 00:16:51,469 It's an incomplete quote. 513 00:16:51,470 --> 00:16:53,059 Sort of quote they give me is there is no 514 00:16:53,060 --> 00:16:54,019 need for the set. You leave it. 515 00:16:54,020 --> 00:16:57,079 If you know a bit about you ministration, 516 00:16:57,080 --> 00:16:59,119 simply create a modem group adult users 517 00:16:59,120 --> 00:17:01,219 that you want to give it access to the 518 00:17:01,220 --> 00:17:02,509 one group to that group and make the 519 00:17:02,510 --> 00:17:03,799 modern device read write about for that 520 00:17:03,800 --> 00:17:05,959 group. Not that hard, but 521 00:17:05,960 --> 00:17:08,328 not all distributions come pre-configured 522 00:17:08,329 --> 00:17:09,379 like this. 523 00:17:09,380 --> 00:17:11,749 There are, in fact, still a bunch of 524 00:17:11,750 --> 00:17:13,818 cave piece that you had instead of doing 525 00:17:13,819 --> 00:17:15,049 this. 526 00:17:15,050 --> 00:17:16,909 So anyway, that's their partial quote. 527 00:17:16,910 --> 00:17:18,979 And they say then they sort of 528 00:17:18,980 --> 00:17:20,719 speculate I doubt any modern distribution 529 00:17:20,720 --> 00:17:22,159 when thoughts that you had. 530 00:17:22,160 --> 00:17:23,749 In fact, most are extremely careful about 531 00:17:23,750 --> 00:17:25,879 this. Yada yada yada yada. 532 00:17:25,880 --> 00:17:28,159 And then say, Look up the exact quote and 533 00:17:28,160 --> 00:17:29,539 this this thing is true. 534 00:17:29,540 --> 00:17:31,909 But it goes on to say the KP 535 00:17:31,910 --> 00:17:33,979 team has lately done a lot 536 00:17:33,980 --> 00:17:36,049 of work to make it 537 00:17:36,050 --> 00:17:38,209 you safe. But it is up to you to 538 00:17:38,210 --> 00:17:40,249 decide if you in any way you install it. 
539 00:17:40,250 --> 00:17:41,869 But we put in a lot of work to make it 540 00:17:41,870 --> 00:17:43,339 say you are at least safe, which means 541 00:17:43,340 --> 00:17:44,569 they would be OK with having it set you 542 00:17:44,570 --> 00:17:45,469 ready. 543 00:17:45,470 --> 00:17:47,719 And in fact, I looked at Ubuntu, 544 00:17:47,720 --> 00:17:49,849 and if you install KP and Ubuntu by 545 00:17:49,850 --> 00:17:51,469 default, it set UAD route. 546 00:17:53,220 --> 00:17:54,649 But the more important issue is here is 547 00:17:54,650 --> 00:17:57,109 that their library Courtright, 548 00:17:57,110 --> 00:17:59,869 as long as you use their APIs correctly, 549 00:17:59,870 --> 00:18:01,729 they should allow for Israelis to call 550 00:18:01,730 --> 00:18:03,799 them or they you know that. 551 00:18:03,800 --> 00:18:05,839 So what's what's really bothering me is 552 00:18:05,840 --> 00:18:07,279 that they're sitting on the fence because 553 00:18:07,280 --> 00:18:08,749 it's easy, right? They're saying you 554 00:18:08,750 --> 00:18:10,429 shouldn't do this, but are not enforcing 555 00:18:10,430 --> 00:18:11,959 anything, right? 556 00:18:11,960 --> 00:18:14,119 So either defend it and shut up 557 00:18:14,120 --> 00:18:16,189 or do a security check and exit right? 558 00:18:16,190 --> 00:18:17,629 They're not doing it or just sort of 559 00:18:17,630 --> 00:18:18,829 sitting there and saying, Oh, not our 560 00:18:18,830 --> 00:18:19,830 problem. 561 00:18:21,350 --> 00:18:22,639 So none of the bugs are fixed. 562 00:18:22,640 --> 00:18:24,169 So the bugs I just gave you earlier, 563 00:18:24,170 --> 00:18:26,480 those two kutty bugs, those are zero-day. 564 00:18:27,830 --> 00:18:29,239 But the really cool part was, I got 565 00:18:29,240 --> 00:18:31,309 there, OK to give you the zero day. 
566 00:18:31,310 --> 00:18:33,859 I asked them, if they consider it as serious 567 00:18:33,860 --> 00:18:35,479 as they're not considering it a serious 568 00:18:35,480 --> 00:18:37,329 issue, can I talk about this publicly? 569 00:18:37,330 --> 00:18:39,109 They go like, Yes, sure, go right ahead. 570 00:18:39,110 --> 00:18:40,549 So here you go. Two zero days. 571 00:18:49,920 --> 00:18:52,019 So that was sort of the Qt part. 572 00:18:52,020 --> 00:18:53,129 I don't know if any. 573 00:18:53,130 --> 00:18:54,359 I don't know how well you guys know the 574 00:18:54,360 --> 00:18:55,709 Unix environment, but in Unix you have 575 00:18:55,710 --> 00:18:57,809 this sort of standard LD_PRELOAD, which is 576 00:18:57,810 --> 00:18:59,609 you can sort of change the way, change 577 00:18:59,610 --> 00:19:01,169 which libraries you load when you start 578 00:19:01,170 --> 00:19:03,529 an application that's been made setuid. 579 00:19:03,530 --> 00:19:05,999 Say in the 80s, early 90s, 580 00:19:06,000 --> 00:19:07,179 there were problems with that for 581 00:19:07,180 --> 00:19:09,419 setuid. This has long been made 582 00:19:09,420 --> 00:19:11,609 safe. But of course, those frameworks 583 00:19:11,610 --> 00:19:13,709 GTK, Qt, you know, they must have their 584 00:19:13,710 --> 00:19:15,299 own LD_PRELOAD equivalent, right? 585 00:19:15,300 --> 00:19:17,369 Qt's got something called 586 00:19:17,370 --> 00:19:19,519 QT_PLUGIN_PATH, GTK has 587 00:19:19,520 --> 00:19:21,779 something called GTK_MODULES. 588 00:19:21,780 --> 00:19:23,039 Neither of these are setuid 589 00:19:23,040 --> 00:19:25,109 safe, at 590 00:19:25,110 --> 00:19:26,129 least GTK_MODULES. 591 00:19:26,130 --> 00:19:27,779 This is somewhat known. 592 00:19:27,780 --> 00:19:28,780 And the GTK people 593 00:19:29,910 --> 00:19:31,079 seem to know what they're doing and 594 00:19:31,080 --> 00:19:32,699 they're aware of this problem.
595 00:19:32,700 --> 00:19:34,049 And so what they did is, or what they're 596 00:19:34,050 --> 00:19:36,419 saying is that they don't allow 597 00:19:36,420 --> 00:19:37,769 you to setuid applications, and they 598 00:19:37,770 --> 00:19:39,959 have a website clearly explaining 599 00:19:39,960 --> 00:19:41,639 it. I'm not going to read all this. 600 00:19:41,640 --> 00:19:42,929 If you download the slides, you can read 601 00:19:42,930 --> 00:19:44,729 the whole thing, or you can go to their website. 602 00:19:44,730 --> 00:19:47,099 It's setuid dot something 603 00:19:47,100 --> 00:19:49,619 HTML, explains the whole thing. 604 00:19:49,620 --> 00:19:51,449 It's kind of dry and boring, but the gist 605 00:19:51,450 --> 00:19:53,159 of it is this quote, right? 606 00:19:53,160 --> 00:19:54,419 So if you read the whole thing, it's 607 00:19:54,420 --> 00:19:55,589 really beautiful. It's well thought out. 608 00:19:55,590 --> 00:19:57,809 It's saying whoever wrote that policy, 609 00:19:57,810 --> 00:19:59,729 it clearly knows what he's doing on the 610 00:19:59,730 --> 00:20:01,919 security side of things, and sort 611 00:20:01,920 --> 00:20:03,659 of the core of it there is basically, or sort 612 00:20:03,660 --> 00:20:05,909 of the the money shot is: security 613 00:20:05,910 --> 00:20:07,679 of GTK+ requires the security of 614 00:20:07,680 --> 00:20:09,749 GLib. The GTK+ team 615 00:20:09,750 --> 00:20:11,789 is not prepared to make that guarantee. 616 00:20:11,790 --> 00:20:13,079 That's a pretty good. That's a pretty 617 00:20:13,080 --> 00:20:14,789 good thing, right? I wouldn't make, I've 618 00:20:14,790 --> 00:20:15,869 seen their code, I wouldn't make that 619 00:20:15,870 --> 00:20:16,870 guarantee either. 620 00:20:20,760 --> 00:20:22,289 But is it really true?
621 00:20:22,290 --> 00:20:24,169 So I go and look at their claim, and 622 00:20:24,170 --> 00:20:26,549 right before they do the 623 00:20:26,550 --> 00:20:27,659 setuid check, they have a 624 00:20:27,660 --> 00:20:29,009 comment explaining the whole thing, and say, 625 00:20:29,010 --> 00:20:31,169 Well, this check is there just 626 00:20:31,170 --> 00:20:33,329 to see if you are setuid or setgid at the current 627 00:20:33,330 --> 00:20:34,330 time. 628 00:20:34,710 --> 00:20:36,779 And so if it is, we we 629 00:20:36,780 --> 00:20:38,039 don't allow GTK to be initialized 630 00:20:38,040 --> 00:20:40,799 and we exit. And then they go on to say, 631 00:20:40,800 --> 00:20:42,459 but it's only meant to be a mild check. 632 00:20:42,460 --> 00:20:44,759 We only error out if we can prove the program 633 00:20:44,760 --> 00:20:46,289 is doing something really wrong, 634 00:20:46,290 --> 00:20:48,539 not if they're probably doing something 635 00:20:48,540 --> 00:20:51,059 wrong. For this reason, we don't use 636 00:20:51,060 --> 00:20:53,279 issetugid on BSD 637 00:20:53,280 --> 00:20:55,499 or prctl PR_GET_DUMPABLE 638 00:20:55,500 --> 00:20:57,509 on Linux, which is the proper way to do 639 00:20:57,510 --> 00:20:58,469 it. 640 00:20:58,470 --> 00:20:59,999 They didn't do that, right? 641 00:21:00,000 --> 00:21:00,959 So what does that mean? 642 00:21:00,960 --> 00:21:03,029 It means you can still have setuid 643 00:21:03,030 --> 00:21:04,590 GTK+ applications, you just 644 00:21:05,760 --> 00:21:07,409 can only initialize GTK after you 645 00:21:07,410 --> 00:21:09,269 did a privilege drop. 646 00:21:09,270 --> 00:21:11,549 So that means you have to, you have to.
647 00:21:11,550 --> 00:21:13,079 When you write your program, you have to 648 00:21:13,080 --> 00:21:15,509 first acquire all the resources you want, 649 00:21:15,510 --> 00:21:17,729 drop your privileges and then run JDK, 650 00:21:17,730 --> 00:21:19,999 which means if you 651 00:21:20,000 --> 00:21:21,389 have a bug in it, you couldn't 652 00:21:21,390 --> 00:21:22,769 immediately escalate to root. 653 00:21:22,770 --> 00:21:24,299 But whatever privileges are still there, 654 00:21:24,300 --> 00:21:25,769 you know, secrets and memory file 655 00:21:25,770 --> 00:21:27,899 descriptors, IPC 656 00:21:27,900 --> 00:21:29,699 handles, all that kind of stuff. 657 00:21:29,700 --> 00:21:31,529 You would still get to see all of that if 658 00:21:31,530 --> 00:21:33,899 you if you if you get exposed to bug. 659 00:21:33,900 --> 00:21:36,059 So it still kinda sorta 660 00:21:36,060 --> 00:21:38,069 allows for the applications. 661 00:21:38,070 --> 00:21:39,809 It just becomes like a tad bit more 662 00:21:39,810 --> 00:21:40,810 difficult. 663 00:21:42,810 --> 00:21:43,979 Games are a great example for this, for 664 00:21:43,980 --> 00:21:46,229 example, right? So there there's a 665 00:21:46,230 --> 00:21:48,959 there's a bunch of gnome studio games 666 00:21:48,960 --> 00:21:50,669 and what they do is they share a high 667 00:21:50,670 --> 00:21:52,289 score database file. 668 00:21:52,290 --> 00:21:54,509 And so the reason it proves 669 00:21:54,510 --> 00:21:56,579 is to open a read handle to that 670 00:21:56,580 --> 00:21:57,899 high score database file. 671 00:21:57,900 --> 00:22:00,569 Once once they have that handle, 672 00:22:00,570 --> 00:22:02,069 they drop all privileges. 673 00:22:02,070 --> 00:22:04,589 And so now let's say there's there's 674 00:22:04,590 --> 00:22:05,969 there, there's a bug we could exploit or 675 00:22:05,970 --> 00:22:08,039 we would use the key modules, right? 
676 00:22:08,040 --> 00:22:09,959 All sudden, we have code executing inside 677 00:22:09,960 --> 00:22:12,299 that set uad high score file, 678 00:22:12,300 --> 00:22:14,459 and the previous resource that we want is 679 00:22:14,460 --> 00:22:16,049 the handle to the highest score file 680 00:22:16,050 --> 00:22:16,979 right now. 681 00:22:16,980 --> 00:22:18,479 Let's let's say, for example, there's a 682 00:22:18,480 --> 00:22:20,189 secondary bug in the passing of the high 683 00:22:20,190 --> 00:22:22,319 score database because the database 684 00:22:22,320 --> 00:22:23,819 not considered trust boundary because 685 00:22:23,820 --> 00:22:25,289 it's it's it's a trust resource. 686 00:22:25,290 --> 00:22:26,609 Chances are that pass is going to be 687 00:22:26,610 --> 00:22:28,109 really weak. So let's say there's a bug 688 00:22:28,110 --> 00:22:29,639 and that we know how to exploit it, since 689 00:22:29,640 --> 00:22:30,869 we have that rewrite handle to the higher 690 00:22:30,870 --> 00:22:32,849 score file we write or, you know, our 691 00:22:32,850 --> 00:22:34,979 show code or whatnot properly into 692 00:22:34,980 --> 00:22:36,179 the high score file. 693 00:22:36,180 --> 00:22:38,429 And then when any user plays that games, 694 00:22:38,430 --> 00:22:40,559 they'll get owned by trying to 695 00:22:40,560 --> 00:22:41,579 discover file, right? 696 00:22:41,580 --> 00:22:43,559 This is just sort of a potential case 697 00:22:43,560 --> 00:22:45,420 where this can come up and be a problem 698 00:22:47,910 --> 00:22:49,199 by far. One of the most common bugs I saw 699 00:22:49,200 --> 00:22:51,419 when you slipped. 
So I said earlier that 700 00:22:51,420 --> 00:22:53,279 XGetWindowProperty is basically just a 701 00:22:53,280 --> 00:22:55,409 wrapper around _XReply, 702 00:22:55,410 --> 00:22:57,179 which basically is a wrapper around 703 00:22:57,180 --> 00:22:59,249 recv, which takes raw bits 704 00:22:59,250 --> 00:23:00,250 from the network. 705 00:23:00,930 --> 00:23:03,359 This is the most common bug that I found 706 00:23:03,360 --> 00:23:04,589 when I was looking through people using 707 00:23:04,590 --> 00:23:06,629 it. Basically, the way XGetWindowProperty 708 00:23:06,630 --> 00:23:08,759 works is that you hand 709 00:23:08,760 --> 00:23:10,649 it a pointer to a pointer, and when the 710 00:23:10,650 --> 00:23:12,659 thing succeeds, it fills in that pointer 711 00:23:12,660 --> 00:23:13,859 with something it allocated. 712 00:23:13,860 --> 00:23:15,179 And then when you're done, you call free 713 00:23:15,180 --> 00:23:16,619 on that pointer. 714 00:23:16,620 --> 00:23:18,419 But when XGetWindowProperty fails, 715 00:23:18,420 --> 00:23:20,619 for example, if malloc fails, that 716 00:23:20,620 --> 00:23:22,319 pointer never gets initialized to zero. 717 00:23:22,320 --> 00:23:23,609 So if you don't check the return value, you 718 00:23:23,610 --> 00:23:25,979 always assume that the thing succeeds, 719 00:23:25,980 --> 00:23:28,079 you'll also end up 720 00:23:28,080 --> 00:23:29,159 using a pointer that was never 721 00:23:29,160 --> 00:23:30,239 initialized, right? 722 00:23:30,240 --> 00:23:32,069 And so you end up freeing arbitrary stack 723 00:23:32,070 --> 00:23:34,179 memory, which is bad. 724 00:23:35,220 --> 00:23:37,289 The really good part is I sort of 725 00:23:37,290 --> 00:23:39,389 mentioned it to Alan and said, 726 00:23:39,390 --> 00:23:40,589 Hey, you know, this isn't really a problem, 727 00:23:40,590 --> 00:23:41,849 but it's a common pattern to see.
728 00:23:41,850 --> 00:23:43,949 He says, Oh, we forgot to initialize this 729 00:23:43,950 --> 00:23:44,939 thing on failure. 730 00:23:44,940 --> 00:23:46,399 So he goes and puts an. 731 00:23:46,400 --> 00:23:48,079 And this is no longer this was a problem 732 00:23:48,080 --> 00:23:50,659 for 30 years in usage, 733 00:23:50,660 --> 00:23:52,099 but it was it wasn't it was never 734 00:23:52,100 --> 00:23:53,089 importation problem. 735 00:23:53,090 --> 00:23:54,919 Right. And so Alan winning anyway and 736 00:23:54,920 --> 00:23:56,299 said, Well, we're going to fix it anyway. 737 00:23:56,300 --> 00:23:57,799 So after two years, this problem is just 738 00:23:57,800 --> 00:23:59,180 gone. It's never going to happen again. 739 00:24:01,820 --> 00:24:04,009 And basically, so when I said that 740 00:24:04,010 --> 00:24:06,229 for the next get window properties, 741 00:24:06,230 --> 00:24:08,089 a wrap around extra ply, these are sort 742 00:24:08,090 --> 00:24:09,649 of the standard. All of these functions 743 00:24:09,650 --> 00:24:11,719 are sort of ex client wrappers 744 00:24:11,720 --> 00:24:13,249 and all of these basically take bits from 745 00:24:13,250 --> 00:24:14,929 network and sort of hand them off to a 746 00:24:14,930 --> 00:24:16,069 bunch of passers. 747 00:24:16,070 --> 00:24:18,049 So these are good things if you're if 748 00:24:18,050 --> 00:24:19,579 you're looking for X line bugs, which is 749 00:24:19,580 --> 00:24:20,749 great for these functions and those are 750 00:24:20,750 --> 00:24:21,750 all the entry points. 751 00:24:22,700 --> 00:24:24,709 And then there's a bunch of property 752 00:24:24,710 --> 00:24:26,419 wrappers. So these are basically all just 753 00:24:26,420 --> 00:24:27,709 sort of take a bunch of bits from that 754 00:24:27,710 --> 00:24:28,699 work and sort of hand them off to 755 00:24:28,700 --> 00:24:29,719 passers. 
756 00:24:29,720 --> 00:24:30,859 And that's all I did, a grep for these 757 00:24:30,860 --> 00:24:32,539 functions and sort of sort of reading 758 00:24:32,540 --> 00:24:34,399 what they did with which data they came 759 00:24:34,400 --> 00:24:35,449 back in a week. 760 00:24:35,450 --> 00:24:36,680 There were about 80 bugs, 761 00:24:38,540 --> 00:24:40,489 conceptual leaders, basically. 762 00:24:40,490 --> 00:24:42,349 So the idea is that people. 763 00:24:42,350 --> 00:24:44,449 So one of the responses 764 00:24:44,450 --> 00:24:46,579 was on LW, for example, when these 765 00:24:46,580 --> 00:24:48,199 advisory came out was that, oh, well, 766 00:24:48,200 --> 00:24:49,519 this isn't really a problem because 767 00:24:49,520 --> 00:24:52,189 there's no actual applications around. 768 00:24:52,190 --> 00:24:53,269 Turns out it isn't true. 769 00:24:53,270 --> 00:24:55,009 You take any given standard Linux 770 00:24:55,010 --> 00:24:56,809 distribution or whatnot and just do a 771 00:24:56,810 --> 00:24:58,890 standard grep for suit apps. 772 00:25:00,440 --> 00:25:01,849 Half the time you're going to find at 773 00:25:01,850 --> 00:25:03,949 least one or two applications 774 00:25:03,950 --> 00:25:06,889 that are set you out of your set gedi 775 00:25:06,890 --> 00:25:08,809 that they'll use X in some way. 776 00:25:08,810 --> 00:25:10,249 And you can point of two lists X server, 777 00:25:10,250 --> 00:25:11,509 and getting them to crash is going to be 778 00:25:11,510 --> 00:25:12,799 really, really easy. 779 00:25:14,060 --> 00:25:15,439 But generally, conceptually, there's a 780 00:25:15,440 --> 00:25:17,669 set of X associated 781 00:25:17,670 --> 00:25:19,519 applications around configuration tools 782 00:25:19,520 --> 00:25:21,619 like AVP games, like 783 00:25:21,620 --> 00:25:23,389 a bunch of gnome games and screen locking 784 00:25:23,390 --> 00:25:24,649 tools. 
xlock, xlockmore, 785 00:25:24,650 --> 00:25:27,129 xscreensaver. They do early privilege 786 00:25:27,130 --> 00:25:28,879 dropping, but they still have some, some 787 00:25:28,880 --> 00:25:31,069 interesting resources in memory. 788 00:25:31,070 --> 00:25:33,199 The good thing is that, I mean, in in 789 00:25:33,200 --> 00:25:35,149 early, in the late 90s, most of these 790 00:25:35,150 --> 00:25:37,189 things still ran as root through 791 00:25:37,190 --> 00:25:38,629 the entire lifetime. 792 00:25:38,630 --> 00:25:40,489 Nowadays, though, they'll do sort of 793 00:25:40,490 --> 00:25:42,469 the right thing, or as right as they can, 794 00:25:42,470 --> 00:25:43,999 to get all the privileged resources they 795 00:25:44,000 --> 00:25:45,799 need and then drop privileges, which 796 00:25:45,800 --> 00:25:47,899 means if you have a bug in there, 797 00:25:47,900 --> 00:25:49,969 doing a pivot to root is not going to be 798 00:25:49,970 --> 00:25:52,249 easy, or not going to be instant, 799 00:25:52,250 --> 00:25:53,659 but you will still have access to all the 800 00:25:53,660 --> 00:25:55,489 privileged resources that those programs 801 00:25:55,490 --> 00:25:56,490 hold. 802 00:25:58,040 --> 00:25:59,060 So this is kind of my 803 00:26:00,170 --> 00:26:02,659 client summary. Setuid X clients, 804 00:26:02,660 --> 00:26:04,129 this is a bad idea. 805 00:26:04,130 --> 00:26:06,349 People think there aren't any around. 806 00:26:06,350 --> 00:26:07,490 There's more than you think. 807 00:26:08,870 --> 00:26:10,579 Just, you know, take whatever little box 808 00:26:10,580 --> 00:26:12,799 you have, do a scan, half 809 00:26:12,800 --> 00:26:15,019 half, there's a 50 percent chance you'll 810 00:26:15,020 --> 00:26:17,299 have at least one or two setuid 811 00:26:17,300 --> 00:26:18,319 binaries that use 812 00:26:20,060 --> 00:26:21,499 that use X.
813 00:26:21,500 --> 00:26:23,659 So it's it's more happens more 814 00:26:23,660 --> 00:26:24,889 often, you think. 815 00:26:24,890 --> 00:26:26,419 But you do get a plus kind of sort of 816 00:26:26,420 --> 00:26:27,490 soulless asteroids. 817 00:26:28,880 --> 00:26:30,409 They're not the cases in the clear as 818 00:26:30,410 --> 00:26:32,929 they as a as they make it out to be. 819 00:26:32,930 --> 00:26:35,189 In the last part is that this 820 00:26:35,190 --> 00:26:37,339 this was so this this thing 821 00:26:37,340 --> 00:26:38,539 was really more a symptom of a bigger 822 00:26:38,540 --> 00:26:39,540 problem. 823 00:26:40,520 --> 00:26:42,409 But when you read applications that use, 824 00:26:42,410 --> 00:26:44,509 actually there's an enormous 825 00:26:44,510 --> 00:26:46,279 sloppiness when they use the APIs, I 826 00:26:46,280 --> 00:26:48,049 didn't really zoom into it that much. 827 00:26:48,050 --> 00:26:50,269 But if you just 828 00:26:50,270 --> 00:26:51,889 if you have some free time, just go 829 00:26:51,890 --> 00:26:54,029 download a bunch of budget apps that 830 00:26:54,030 --> 00:26:55,679 use actually and just start looking at 831 00:26:55,680 --> 00:26:58,009 the way to use the the actually 832 00:26:58,010 --> 00:27:00,169 APIs have time almost this 833 00:27:00,170 --> 00:27:02,059 calls or they're misinterpreted, or 834 00:27:02,060 --> 00:27:03,439 they'll do all sorts of very sloppy 835 00:27:03,440 --> 00:27:05,689 things that you know, it's just sort 836 00:27:05,690 --> 00:27:07,759 of if you if you were a developer in in 837 00:27:07,760 --> 00:27:09,859 the 80s or maybe even 90s, that was OK 838 00:27:09,860 --> 00:27:11,839 today, not so much. 839 00:27:11,840 --> 00:27:12,949 But then again, most of those apps are 840 00:27:12,950 --> 00:27:14,809 probably written in the 80s or 90s. 841 00:27:16,370 --> 00:27:18,089 So that was that was the client side. 
842 00:27:18,090 --> 00:27:19,519 This is the stuff I did 843 00:27:21,590 --> 00:27:23,269 in December last year, and I did a 844 00:27:23,270 --> 00:27:24,739 presentation on the client stuff. 845 00:27:24,740 --> 00:27:25,999 The server stuff is much newer. 846 00:27:27,260 --> 00:27:29,389 I've been reviewing it, on going on 847 00:27:29,390 --> 00:27:30,529 and off in the weekends 848 00:27:30,530 --> 00:27:33,139 and when I have time, since May or June. 849 00:27:33,140 --> 00:27:35,059 I'd say June, July, August is when I did 850 00:27:35,060 --> 00:27:36,169 most of the time. 851 00:27:36,170 --> 00:27:37,669 And then there was sporadically a few 852 00:27:37,670 --> 00:27:40,310 days here and there, and then yesterday. 853 00:27:41,450 --> 00:27:42,709 Not finished. 854 00:27:42,710 --> 00:27:43,909 There's a lot of code. 855 00:27:43,910 --> 00:27:46,079 I'm lazy and then I know I don't forget 856 00:27:46,080 --> 00:27:47,959 those galaxies all zoom that later. 857 00:27:47,960 --> 00:27:50,119 But Xlib is basically the C bindings 858 00:27:50,120 --> 00:27:52,219 for the X Window System. 859 00:27:52,220 --> 00:27:53,299 Xlib, it's horrible. 860 00:27:53,300 --> 00:27:54,949 It's terrible, it's terrible. 861 00:27:54,950 --> 00:27:56,839 It's about eight hours lines of sheer 862 00:27:56,840 --> 00:27:58,309 terror. 863 00:27:58,310 --> 00:28:00,000 It has six or seven. 864 00:28:01,170 --> 00:28:02,170 No, seriously. 865 00:28:04,640 --> 00:28:06,829 It has about six or seven 866 00:28:06,830 --> 00:28:08,909 callback tables, and each 867 00:28:08,910 --> 00:28:11,179 table is anywhere in size of 868 00:28:11,180 --> 00:28:13,159 74 to 400 eight. 869 00:28:13,160 --> 00:28:15,169 There are several thousand callbacks 870 00:28:15,170 --> 00:28:16,879 there. Basically, all of them are attack 871 00:28:16,880 --> 00:28:19,309 surface.
All of it takes data from 872 00:28:19,310 --> 00:28:21,769 from X, and most of them are broken 873 00:28:21,770 --> 00:28:23,689 beyond repair. It's really horrible. 874 00:28:23,690 --> 00:28:24,950 So just trying to sort of. 875 00:28:27,180 --> 00:28:28,259 Keep reading Xlib, quote, it's 876 00:28:28,260 --> 00:28:30,089 horrible, it's it's a terrible motivator. 877 00:28:30,090 --> 00:28:31,079 You know, it's one of these things, you know, 878 00:28:31,080 --> 00:28:32,849 when you read code and you find a bug and 879 00:28:32,850 --> 00:28:35,129 you copy paste it into a text file because 880 00:28:35,130 --> 00:28:36,899 you want to do a formal write up, this 881 00:28:36,900 --> 00:28:38,759 was one of those rare occasions where 882 00:28:38,760 --> 00:28:40,379 you get tennis elbow from all the copy 883 00:28:40,380 --> 00:28:41,380 pasting. 884 00:28:44,510 --> 00:28:46,179 So you remember this 885 00:28:46,180 --> 00:28:47,899 connection I showed earlier? 886 00:28:47,900 --> 00:28:49,969 Total lie. X doesn't 887 00:28:49,970 --> 00:28:51,169 look like that anymore. 888 00:28:51,170 --> 00:28:53,209 It looked like this in 889 00:28:53,210 --> 00:28:54,199 1984. 890 00:28:54,200 --> 00:28:55,849 It was designed to be this way. 891 00:28:55,850 --> 00:28:57,109 Doesn't look like it anymore. 892 00:28:57,110 --> 00:28:59,299 It hasn't looked like it for at least 15 893 00:28:59,300 --> 00:29:00,259 years. 894 00:29:00,260 --> 00:29:01,909 There's a talk. So there's a guy named 895 00:29:01,910 --> 00:29:03,439 Daniel Stone, who I referred to earlier in 896 00:29:03,440 --> 00:29:05,719 one of the comments by Alan. 897 00:29:05,720 --> 00:29:07,579 He's he's one who used to be one of the X 898 00:29:07,580 --> 00:29:09,409 developers. He moved on and sort of is 899 00:29:09,410 --> 00:29:11,749 now a fairly famous Wayland developer.
900 00:29:11,750 --> 00:29:13,339 So Wayland, sort of the next thing, or sort 901 00:29:13,340 --> 00:29:14,689 of the replacement for X, 902 00:29:14,690 --> 00:29:15,690 that's in the works. 903 00:29:16,880 --> 00:29:19,399 He did a talk earlier this year at 904 00:29:19,400 --> 00:29:22,069 some Linux conference in Australia. 905 00:29:22,070 --> 00:29:23,359 I have a link there. 906 00:29:23,360 --> 00:29:25,579 If you have some free time, take 907 00:29:25,580 --> 00:29:27,019 a picture of that link or something, 908 00:29:27,020 --> 00:29:28,279 you should watch it. It's very, very 909 00:29:28,280 --> 00:29:29,329 informative. 910 00:29:29,330 --> 00:29:31,519 He sort of goes like, Yeah, X 911 00:29:31,520 --> 00:29:32,839 doesn't look like this at all. 912 00:29:32,840 --> 00:29:34,400 Actually, it looks more like this, 913 00:29:35,480 --> 00:29:36,679 which is fairly more complex. 914 00:29:36,680 --> 00:29:38,629 And so I don't want to go into this too 915 00:29:38,630 --> 00:29:40,189 much. But this is, so this is basically 916 00:29:40,190 --> 00:29:41,899 your client stuff and this is still your 917 00:29:41,900 --> 00:29:42,859 server. 918 00:29:42,860 --> 00:29:44,329 But then there's a part in kernel and 919 00:29:44,330 --> 00:29:45,529 there's a part where you get direct 920 00:29:45,530 --> 00:29:47,059 memory access and there's a part where 921 00:29:47,060 --> 00:29:48,829 you get shared memory. 922 00:29:48,830 --> 00:29:50,539 And then there's basically, you get memory 923 00:29:50,540 --> 00:29:52,579 mapped I/O and those kind of things. 924 00:29:52,580 --> 00:29:54,589 And so when I say server in my slides, 925 00:29:54,590 --> 00:29:56,029 technically this is just the server. 926 00:29:56,030 --> 00:29:58,159 But when I say server, I refer to sort of 927 00:29:58,160 --> 00:29:59,749 all of this, right?
928 00:29:59,750 --> 00:30:02,119 So it's a bit wider than just the server, 929 00:30:02,120 --> 00:30:03,619 but it's sort of the all the things the 930 00:30:03,620 --> 00:30:04,519 client talks to. 931 00:30:04,520 --> 00:30:05,520 I considered the server. 932 00:30:08,120 --> 00:30:09,619 So let's let's take a step back from that 933 00:30:09,620 --> 00:30:11,059 sort of go back to the initial and let's 934 00:30:11,060 --> 00:30:13,309 start with the beginning, which is 935 00:30:13,310 --> 00:30:14,359 what they designed. This thing that 936 00:30:14,360 --> 00:30:15,829 needed for the first thing they did is 937 00:30:15,830 --> 00:30:17,449 they they made a core protocol, right? 938 00:30:17,450 --> 00:30:18,739 It said, these are all things we're going 939 00:30:18,740 --> 00:30:19,729 to need. 940 00:30:19,730 --> 00:30:22,099 The court protocol is straight C code. 941 00:30:22,100 --> 00:30:24,499 But when you read it, it feels very 942 00:30:24,500 --> 00:30:25,669 it's one of those things where it feels 943 00:30:25,670 --> 00:30:27,259 very object oriented, scored. 944 00:30:28,430 --> 00:30:30,499 And so this was written in early 90s, if 945 00:30:30,500 --> 00:30:31,819 it was written 10 years later in the 946 00:30:31,820 --> 00:30:34,129 early 90s, would have probably 947 00:30:34,130 --> 00:30:36,439 been C++ code not saying it's it's 948 00:30:36,440 --> 00:30:38,179 better or worse, but it would have 949 00:30:38,180 --> 00:30:39,919 probably just been because of the way he 950 00:30:39,920 --> 00:30:41,089 designed or coded would have probably 951 00:30:41,090 --> 00:30:42,090 been C++. 952 00:30:43,550 --> 00:30:45,709 The code is fairly good from 953 00:30:45,710 --> 00:30:46,669 a security perspective. 954 00:30:46,670 --> 00:30:49,009 The core protocol is actually not bad. 955 00:30:49,010 --> 00:30:50,599 But I think that's I don't think it was 956 00:30:50,600 --> 00:30:51,979 initially like that. 
I think over the 957 00:30:51,980 --> 00:30:54,199 years people have found bugs, 958 00:30:54,200 --> 00:30:55,309 and so you can see the things where they 959 00:30:55,310 --> 00:30:57,529 patched integer overflows, right? 960 00:30:57,530 --> 00:30:58,849 That that concept, a buddy of mine 961 00:30:58,850 --> 00:31:00,079 calls it a polished turd. 962 00:31:01,910 --> 00:31:04,039 But X is certainly, the X 963 00:31:04,040 --> 00:31:05,359 core protocol is a good example of 964 00:31:05,360 --> 00:31:06,469 that. 965 00:31:06,470 --> 00:31:08,869 So the core protocol itself has very 966 00:31:08,870 --> 00:31:11,089 few low hanging fruit, since this 967 00:31:11,090 --> 00:31:12,889 thing has actually been looked at 968 00:31:12,890 --> 00:31:14,420 throughout the last 30 years. 969 00:31:16,530 --> 00:31:17,519 So what does the core protocol more or 970 00:31:17,520 --> 00:31:19,409 less look like? If you happen to have the 971 00:31:19,410 --> 00:31:21,799 code there, there's a file called dispatch 972 00:31:21,800 --> 00:31:23,249 dot c, which contains the main 973 00:31:23,250 --> 00:31:25,259 dispatch loop, where 974 00:31:25,260 --> 00:31:26,759 connections come into the X server from a 975 00:31:26,760 --> 00:31:28,559 client. And then initially, all the 976 00:31:28,560 --> 00:31:29,819 client can do is only call two 977 00:31:29,820 --> 00:31:31,679 procedures. One is to initialize the 978 00:31:31,680 --> 00:31:32,939 connection and one is to establish the 979 00:31:32,940 --> 00:31:34,199 connection. The initial connection 980 00:31:34,200 --> 00:31:36,389 basically just does a set of very 981 00:31:36,390 --> 00:31:38,159 standard things like, Hey, this is the 982 00:31:38,160 --> 00:31:40,409 byte order.
Because X 983 00:31:40,410 --> 00:31:42,270 can do both 984 00:31:43,350 --> 00:31:45,029 little and big endian, you have to give 985 00:31:45,030 --> 00:31:47,159 it a byte order and then X will take care 986 00:31:47,160 --> 00:31:50,009 of all the endianness for you behind your back. 987 00:31:50,010 --> 00:31:51,389 That's what initial connection does, and 988 00:31:51,390 --> 00:31:52,589 I'll get back to that in a minute. 989 00:31:55,860 --> 00:31:56,849 The other thing you have to sort of 990 00:31:56,850 --> 00:31:58,199 establish after you do that, you have to 991 00:31:58,200 --> 00:31:59,489 establish the connection, and that 992 00:31:59,490 --> 00:32:01,439 basically means authorization, depending 993 00:32:01,440 --> 00:32:03,059 on the way you set up your X server. 994 00:32:03,060 --> 00:32:04,889 That can mean very little, or it can mean 995 00:32:04,890 --> 00:32:05,969 a lot, depending on the way you 996 00:32:05,970 --> 00:32:06,970 configured it. 997 00:32:07,710 --> 00:32:09,749 Once you get past initial and established 998 00:32:09,750 --> 00:32:11,909 connection, clients can 999 00:32:11,910 --> 00:32:14,349 now talk the full core protocol 1000 00:32:14,350 --> 00:32:16,499 to X, which which are about 80 1001 00:32:16,500 --> 00:32:17,580 or 90 procedures. 1002 00:32:18,690 --> 00:32:21,719 Requests are initially limited to 64K. 1003 00:32:21,720 --> 00:32:23,789 There's a big request 1004 00:32:23,790 --> 00:32:25,529 extension, which everybody uses, it has 1005 00:32:25,530 --> 00:32:27,419 been used for a very long time, which 1006 00:32:27,420 --> 00:32:29,939 allows up to 60 megabytes 1007 00:32:29,940 --> 00:32:30,929 per request. 1008 00:32:30,930 --> 00:32:32,789 But initially, 30 years ago, people were like, 1009 00:32:32,790 --> 00:32:34,499 64K ought to be enough for everyone. 1010 00:32:34,500 --> 00:32:35,520 Turns out it wasn't. 1011 00:32:37,930 --> 00:32:38,930 I'm.
1012 00:32:40,990 --> 00:32:41,990 So 1013 00:32:43,120 --> 00:32:45,039 when a client sends a request to the 1014 00:32:45,040 --> 00:32:47,259 server, the content sort of comes 1015 00:32:47,260 --> 00:32:49,329 in in this fairly standard type- 1016 00:32:49,330 --> 00:32:51,759 length-value header thing. 1017 00:32:51,760 --> 00:32:53,769 Any procedure you call, it's 1018 00:32:53,770 --> 00:32:55,629 sort of one request, but every request 1019 00:32:55,630 --> 00:32:57,759 starts with the same basic three fields, 1020 00:32:57,760 --> 00:32:59,889 which is the X request header type 1021 00:32:59,890 --> 00:33:02,139 thing, which is the first eight bits, 1022 00:33:02,140 --> 00:33:04,029 which is the type, the next eight bits, 1023 00:33:04,030 --> 00:33:06,339 which is called data, and then the 1024 00:33:06,340 --> 00:33:08,439 next 16 bits, which is the length, 1025 00:33:08,440 --> 00:33:10,779 right? And because that length is 16 1026 00:33:10,780 --> 00:33:13,119 bit, initially you could only have 64K. 1027 00:33:13,120 --> 00:33:14,199 When you have the BIG-REQUESTS thing, it 1028 00:33:14,200 --> 00:33:16,599 sort of mounts a 32 1029 00:33:16,600 --> 00:33:18,489 bit length on top, but we won't get into 1030 00:33:18,490 --> 00:33:19,539 that. 1031 00:33:19,540 --> 00:33:21,039 So what does this mean? It means that when you 1032 00:33:21,040 --> 00:33:22,569 send something over that's shorter 1033 00:33:22,570 --> 00:33:23,709 than these four bytes, it will 1034 00:33:23,710 --> 00:33:25,059 automatically get rejected. 1035 00:33:25,060 --> 00:33:26,559 It will never make it through to 1036 00:33:26,560 --> 00:33:28,209 X. X will just be like, this is too short, 1037 00:33:28,210 --> 00:33:29,679 and throws it away. 1038 00:33:29,680 --> 00:33:31,899 So anything that comes into X 1039 00:33:31,900 --> 00:33:33,279 that gets accepted is going to be at 1040 00:33:33,280 --> 00:33:34,280 least four bytes long.
1041 00:33:35,710 --> 00:33:37,959 The type basically gets 1042 00:33:37,960 --> 00:33:40,809 validated in the sense that zero to 127 1043 00:33:40,810 --> 00:33:42,649 is core X protocol. 1044 00:33:42,650 --> 00:33:45,070 Anything above that are X extensions, 1045 00:33:46,240 --> 00:33:48,369 and basically that 1046 00:33:48,370 --> 00:33:50,439 says, like, a type of a hundred and 1047 00:33:50,440 --> 00:33:52,569 thirty-two would be extension x y 1048 00:33:52,570 --> 00:33:54,279 z, and then that extension would need its 1049 00:33:54,280 --> 00:33:55,749 own subtype. 1050 00:33:55,750 --> 00:33:57,579 And how the subtype is done, 1051 00:33:57,580 --> 00:33:59,489 there's no standard way; the 1052 00:33:59,490 --> 00:34:01,569 extensions get to pick how to do a subtype. 1053 00:34:01,570 --> 00:34:03,819 It just turns out that most extensions 1054 00:34:03,820 --> 00:34:05,709 will just take this data thing and use 1055 00:34:05,710 --> 00:34:07,389 that as their subtype, but they don't 1056 00:34:07,390 --> 00:34:09,039 have to; they can do it any way they want to. 1057 00:34:12,980 --> 00:34:14,849 Right, so once you get there and the 1058 00:34:14,850 --> 00:34:16,319 client gets to call any procedures it 1059 00:34:16,320 --> 00:34:18,479 wants, there's 1060 00:34:18,480 --> 00:34:20,609 two callback tables, actually, 1061 00:34:20,610 --> 00:34:23,009 in tables.c, not surprisingly, 1062 00:34:23,010 --> 00:34:25,138 one called ProcVector and one called 1063 00:34:25,139 --> 00:34:27,658 SwappedProcVector, and they're essentially 1064 00:34:27,659 --> 00:34:29,729 exactly the same. ProcVector 1065 00:34:29,730 --> 00:34:31,439 contains all the 80 or 90 procedures you 1066 00:34:31,440 --> 00:34:33,309 can call, and the swapped
ProcVector is the exact same thing, but 1067 00:34:33,310 --> 00:34:35,428 it does swapping for endianness, 1068 00:34:35,429 --> 00:34:37,859 and then once it has done all the swapping, 1069 00:34:37,860 --> 00:34:40,349 it goes and calls into ProcVector, 1070 00:34:40,350 --> 00:34:42,719 and then the core protocol basically does 1071 00:34:43,860 --> 00:34:45,539 what the core protocol does. 1072 00:34:45,540 --> 00:34:46,439 I'm not going to get too 1073 00:34:46,440 --> 00:34:48,029 much into detail here, but there's a 1074 00:34:48,030 --> 00:34:49,319 bunch of really, really boring and old 1075 00:34:49,320 --> 00:34:51,059 specs about this, and it's basically about 1076 00:34:51,060 --> 00:34:53,069 create, destroy, query windows and atoms 1077 00:34:53,070 --> 00:34:55,079 and properties and images and text 1078 00:34:55,080 --> 00:34:56,609 strings and extensions and all sorts 1079 00:34:56,610 --> 00:34:58,829 of weird little things. 1080 00:34:58,830 --> 00:35:00,959 That's, in a nutshell, the 1081 00:35:00,960 --> 00:35:03,419 core protocol. 1082 00:35:03,420 --> 00:35:05,189 So now that we've sort of covered the 1083 00:35:05,190 --> 00:35:06,539 core protocol, let's 1084 00:35:06,540 --> 00:35:08,939 move on to extensions. 1085 00:35:08,940 --> 00:35:10,440 Extensions are basically... so X11 is really 1086 00:35:11,670 --> 00:35:13,589 old, it's 30 years old, it's very old and 1087 00:35:13,590 --> 00:35:15,359 it's completely broken, and extensions 1088 00:35:15,360 --> 00:35:17,279 are the way to sort of keep it on life 1089 00:35:17,280 --> 00:35:18,929 support. 1090 00:35:18,930 --> 00:35:21,329
And so the way it still works, 1091 00:35:21,330 --> 00:35:23,069 the reason it still works today to the 1092 00:35:23,070 --> 00:35:25,379 point where it's not super slow, 1093 00:35:25,380 --> 00:35:27,780 is because we have, on any given 1094 00:35:29,850 --> 00:35:31,679 X installation today, anywhere 1095 00:35:31,680 --> 00:35:33,749 between 20 and 30 extensions. 1096 00:35:33,750 --> 00:35:35,579 And without those extensions, you 1097 00:35:35,580 --> 00:35:37,499 wouldn't want to use it. 1098 00:35:37,500 --> 00:35:38,879 It's way too fucking slow. 1099 00:35:40,830 --> 00:35:42,899 So those extensions are for input devices, new 1100 00:35:42,900 --> 00:35:45,329 devices, and shared memory, and using 1101 00:35:45,330 --> 00:35:47,729 OpenGL, using direct rendering, 1102 00:35:47,730 --> 00:35:49,859 and having, you know, a 1103 00:35:49,860 --> 00:35:51,539 bunch of drivers, 1104 00:35:51,540 --> 00:35:52,769 having things in the kernel and all that kind 1105 00:35:52,770 --> 00:35:53,770 of stuff. 1106 00:35:54,840 --> 00:35:56,429 And the way you add an 1107 00:35:56,430 --> 00:35:58,989 extension is by calling 1108 00:35:58,990 --> 00:36:00,029 AddExtension. 1109 00:36:00,030 --> 00:36:01,709 And basically you go there and 1110 00:36:01,710 --> 00:36:02,909 say, well, this is the name of my 1111 00:36:02,910 --> 00:36:04,679 extension. This is my main 1112 00:36:05,700 --> 00:36:06,809 processing code.
1113 00:36:06,810 --> 00:36:09,029 This is my main processing code again, 1114 00:36:09,030 --> 00:36:11,519 but the one which does all the endian swapping, 1115 00:36:11,520 --> 00:36:13,179 and then, yeah, the close-down 1116 00:36:13,180 --> 00:36:14,760 proc, not defined half the time, 1117 00:36:15,810 --> 00:36:17,309 and the minor opcode proc, basically, 1118 00:36:17,310 --> 00:36:19,499 where, because I just 1119 00:36:19,500 --> 00:36:21,059 said that the extensions get to sort of 1120 00:36:21,060 --> 00:36:23,639 pick how to do the subtypes, 1121 00:36:23,640 --> 00:36:25,589 that minor opcode proc gets to decide 1122 00:36:25,590 --> 00:36:26,729 what the subtype is. 1123 00:36:29,550 --> 00:36:30,809 I'm talking about extensions in sort 1124 00:36:30,810 --> 00:36:31,979 of one slide; that's a little thin, 1125 00:36:31,980 --> 00:36:34,229 because there's a lot of potential for bugs 1126 00:36:34,230 --> 00:36:35,699 here, but this is sort of quite 1127 00:36:35,700 --> 00:36:36,840 complicated stuff. 1128 00:36:38,190 --> 00:36:40,229 So you can have all these sorts of weird 1129 00:36:40,230 --> 00:36:42,299 handles in extensions, and 1130 00:36:42,300 --> 00:36:44,099 it feels a little bit like 1131 00:36:44,100 --> 00:36:45,719 kernel land, where you have a handle to a 1132 00:36:45,720 --> 00:36:47,909 data structure which is of some 1133 00:36:47,910 --> 00:36:49,889 type. And so in extensions, you can have all 1134 00:36:49,890 --> 00:36:50,819 these sort of different types of 1135 00:36:50,820 --> 00:36:52,409 resources, where you can have a 1136 00:36:52,410 --> 00:36:53,849 handle to a different type of 1137 00:36:53,850 --> 00:36:55,319 resource. 1138 00:36:55,320 --> 00:36:57,179 And there's a set of, I think, 15 or 20 1139 00:36:57,180 --> 00:36:59,369 standard resource types that 1140 00:36:59,370 --> 00:37:01,439 X has.
But any extension can make its 1141 00:37:01,440 --> 00:37:03,269 own resource type by calling 1142 00:37:03,270 --> 00:37:04,379 CreateNewResourceType. 1143 00:37:05,590 --> 00:37:07,529 Creating a resource type basically 1144 00:37:07,530 --> 00:37:08,969 takes two arguments. 1145 00:37:08,970 --> 00:37:11,219 One is the name, saying, hey, this is 1146 00:37:11,220 --> 00:37:13,349 what my resource is called, 1147 00:37:13,350 --> 00:37:14,849 you know, resource x y z. 1148 00:37:14,850 --> 00:37:17,129 And then two is a teardown function, 1149 00:37:17,130 --> 00:37:19,829 a delete function, where basically, 1150 00:37:19,830 --> 00:37:21,899 when you clean up this resource, 1151 00:37:21,900 --> 00:37:23,669 it'll do all the things 1152 00:37:23,670 --> 00:37:24,989 that you have to 1153 00:37:24,990 --> 00:37:27,359 do to get rid of the resource. 1154 00:37:27,360 --> 00:37:28,829 And because of that, 1155 00:37:28,830 --> 00:37:30,959 you can have this very 1156 00:37:30,960 --> 00:37:31,979 complicated, depending on what kind of 1157 00:37:31,980 --> 00:37:32,999 resource you implement, 1158 00:37:33,000 --> 00:37:34,619 you can have this very complicated delete 1159 00:37:34,620 --> 00:37:36,029 logic. 1160 00:37:36,030 --> 00:37:38,549 I found one bug in there so far, 1161 00:37:38,550 --> 00:37:40,199 but this is not trivial. 1162 00:37:40,200 --> 00:37:41,459 This is really complex stuff. 1163 00:37:41,460 --> 00:37:43,559 You sort of have to stare at it; 1164 00:37:43,560 --> 00:37:45,689 it has these sort of weird things 1165 00:37:45,690 --> 00:37:47,819 where, you know, if this bit is set, 1166 00:37:47,820 --> 00:37:49,529 but this one isn't, then, you know, this 1167 00:37:49,530 --> 00:37:51,899 guy calls this, but this never happened, 1168 00:37:51,900 --> 00:37:53,129 then this one bit gets set. 1169 00:37:53,130 --> 00:37:54,759 Otherwise it doesn't.
And then it gets 1170 00:37:54,760 --> 00:37:56,039 set in the wrong way. 1171 00:37:56,040 --> 00:37:57,839 Then when you hit the delete logic, something 1172 00:37:57,840 --> 00:38:00,199 will get freed twice, or won't get freed, 1173 00:38:00,200 --> 00:38:02,039 or something like that. So again, very weird 1174 00:38:02,040 --> 00:38:03,329 delete logic. 1175 00:38:03,330 --> 00:38:04,799 I suspect there's going to be a pile 1176 00:38:04,800 --> 00:38:05,729 more. 1177 00:38:05,730 --> 00:38:07,139 But because I was looking for low-hanging 1178 00:38:07,140 --> 00:38:09,209 fruit, I didn't really 1179 00:38:09,210 --> 00:38:11,369 look here. But once we get rid of all low- 1180 00:38:11,370 --> 00:38:12,569 hanging fruit in the server, which is 1181 00:38:12,570 --> 00:38:14,699 going to take a long time, this should be 1182 00:38:14,700 --> 00:38:15,599 the next step. 1183 00:38:15,600 --> 00:38:16,769 This is, I think, where there's a bunch of 1184 00:38:16,770 --> 00:38:19,199 complicated bugs just waiting to be found 1185 00:38:19,200 --> 00:38:20,910 in resource deletion. 1186 00:38:23,010 --> 00:38:25,289 So, yes, extensions: 1187 00:38:25,290 --> 00:38:26,549 if you look at the code, just 1188 00:38:26,550 --> 00:38:27,550 grep for 1189 00:38:30,060 --> 00:38:31,709 AddExtension. 1190 00:38:31,710 --> 00:38:33,929 And these are basically all the files 1191 00:38:33,930 --> 00:38:35,459 that add an extension in X, 1192 00:38:35,460 --> 00:38:37,979 right? That's a pretty big list. 1193 00:38:37,980 --> 00:38:39,329 Some of them are outdated. Some of them are only 1194 00:38:39,330 --> 00:38:40,799 used in certain circumstances. 1195 00:38:40,800 --> 00:38:43,109 But on any given recent machine that uses 1196 00:38:44,130 --> 00:38:46,199 Xorg, you could have anywhere between 20 1197 00:38:46,200 --> 00:38:48,269 and 30 extensions. If you want to see 1198 00:38:48,270 --> 00:38:49,259 what your extensions look like,
1199 00:38:49,260 --> 00:38:51,179 I wrote this very, very trivial piece of 1200 00:38:51,180 --> 00:38:52,109 code. 1201 00:38:52,110 --> 00:38:54,329 If you run that, it'll tell you exactly 1202 00:38:54,330 --> 00:38:56,369 what all your extensions are. 1203 00:38:56,370 --> 00:38:58,079 And if you don't 1204 00:38:58,080 --> 00:38:59,369 want to run my code 1205 00:38:59,370 --> 00:39:00,370 because you don't trust me, 1206 00:39:01,440 --> 00:39:03,209 basically there's an API called 1207 00:39:03,210 --> 00:39:05,040 XListExtensions. Just call that thing. 1208 00:39:06,090 --> 00:39:07,079 And if you're allowed to use it, just 1209 00:39:07,080 --> 00:39:08,309 read the man page. 1210 00:39:08,310 --> 00:39:10,259 It's very easy to use, and it's very easy 1211 00:39:10,260 --> 00:39:11,459 to query all the extensions that your 1212 00:39:11,460 --> 00:39:12,460 server runs. 1213 00:39:14,160 --> 00:39:16,299 Clearly, this stuff, the 1214 00:39:16,300 --> 00:39:18,059 extensions, is where all the cool stuff 1215 00:39:18,060 --> 00:39:19,319 is, because as I mentioned before, the 1216 00:39:19,320 --> 00:39:20,939 core protocol has been audited 1217 00:39:20,940 --> 00:39:22,769 already; there's very few low- 1218 00:39:22,770 --> 00:39:24,329 hanging fruit. Nobody's ever looked at 1219 00:39:24,330 --> 00:39:25,289 the extensions, and the extensions, 1220 00:39:25,290 --> 00:39:27,269 it's just streams and streams of bugs, 1221 00:39:27,270 --> 00:39:28,709 right? For the past couple of months, 1222 00:39:28,710 --> 00:39:30,989 I've found 120 and I'm not close 1223 00:39:30,990 --> 00:39:33,779 to done. So, 1224 00:39:33,780 --> 00:39:35,519 I reviewed a lot of extensions, but not 1225 00:39:35,520 --> 00:39:36,839 all of them yet. 1226 00:39:36,840 --> 00:39:38,759 Yeah, basically, I'm still, to this very 1227 00:39:38,760 --> 00:39:40,709 day,
I'm stuck on GLX, where it's 1228 00:39:40,710 --> 00:39:42,360 sort of a never-ending stream of crap. 1229 00:39:45,060 --> 00:39:46,589 And so it's humongous. 1230 00:39:46,590 --> 00:39:47,759 It's horrible. 1231 00:39:47,760 --> 00:39:49,709 Every parsing routine I've seen so far 1232 00:39:49,710 --> 00:39:51,239 has been broken beyond repair. 1233 00:39:52,530 --> 00:39:54,149 Once I get out of this hellhole that's 1234 00:39:54,150 --> 00:39:55,979 called GLX, I'll be able to look 1235 00:39:55,980 --> 00:39:57,509 at other extensions. 1236 00:39:57,510 --> 00:39:59,309 But I'd like to believe I've reviewed a 1237 00:39:59,310 --> 00:40:00,329 fair amount of them by now. 1238 00:40:01,950 --> 00:40:03,179 So that I've sort of covered that. 1239 00:40:03,180 --> 00:40:04,139 So what does a general... 1240 00:40:04,140 --> 00:40:05,639 So what does the general procedure look 1241 00:40:05,640 --> 00:40:07,739 like in an extension 1242 00:40:07,740 --> 00:40:09,719 that an X client will call into, right? 1243 00:40:09,720 --> 00:40:12,029 And it's basically, yeah... I'm 1244 00:40:12,030 --> 00:40:14,129 sorry. My slides kind of suck because I 1245 00:40:14,130 --> 00:40:15,989 wrote them on a Mac on a different 1246 00:40:15,990 --> 00:40:17,489 version of PowerPoint, then I sent them to 1247 00:40:17,490 --> 00:40:18,969 myself, and this is my Windows machine. 1248 00:40:18,970 --> 00:40:20,759 And of course, the layout's kind of 1249 00:40:20,760 --> 00:40:21,760 screwy. 1250 00:40:23,100 --> 00:40:24,690 Let me see if I can't fix that. 1251 00:40:30,730 --> 00:40:31,730 This is better. 1252 00:40:38,200 --> 00:40:39,759 So, yeah, so what does a general procedure 1253 00:40:39,760 --> 00:40:41,469 look like? It's basically four or five 1254 00:40:41,470 --> 00:40:43,029 lines of code that is sort of a standard 1255 00:40:43,030 --> 00:40:44,049 template, right?
1256 00:40:44,050 --> 00:40:46,159 So this would be your proc, 1257 00:40:46,160 --> 00:40:48,339 and you get this sort of standard 1258 00:40:48,340 --> 00:40:50,559 client structure. 1259 00:40:50,560 --> 00:40:52,239 And what you do is you call this macro 1260 00:40:52,240 --> 00:40:54,129 called REQUEST, and REQUEST knows there's 1261 00:40:54,130 --> 00:40:55,299 something called client. 1262 00:40:55,300 --> 00:40:56,679 And what it does is it creates 1263 00:40:58,770 --> 00:41:01,029 a... it creates a variable 1264 00:41:01,030 --> 00:41:02,530 on the stack called stuff. 1265 00:41:04,390 --> 00:41:06,569 Yeah, seriously. It's called stuff, 1266 00:41:06,570 --> 00:41:08,589 of this data type, which is the structure 1267 00:41:08,590 --> 00:41:11,559 that defines the 1268 00:41:11,560 --> 00:41:12,969 request that's going to come in. 1269 00:41:12,970 --> 00:41:15,669 That's very specific to my procedure. 1270 00:41:15,670 --> 00:41:17,019 And that's what REQUEST does, right? 1271 00:41:17,020 --> 00:41:19,659 It basically declares 1272 00:41:19,660 --> 00:41:22,239 xSomethingReq *stuff = 1273 00:41:22,240 --> 00:41:23,859 client->requestBuffer; 1274 00:41:24,880 --> 00:41:26,659 and that basically defines all this stuff 1275 00:41:26,660 --> 00:41:28,809 behind your back, and then REQUEST_ 1276 00:41:28,810 --> 00:41:31,569 SIZE_MATCH basically says, 1277 00:41:31,570 --> 00:41:33,489 yeah, this is the size of the thing. 1278 00:41:33,490 --> 00:41:35,289 Make sure it is validated, and if it's 1279 00:41:35,290 --> 00:41:36,189 not, just bail out. 1280 00:41:36,190 --> 00:41:37,839 So this does length validation behind your 1281 00:41:37,840 --> 00:41:39,219 back.
1282 00:41:39,220 --> 00:41:41,289 Once you have that in place, 1283 00:41:41,290 --> 00:41:42,429 basically what you do is you call this... 1284 00:41:43,720 --> 00:41:44,919 you basically just use this stuff 1285 00:41:44,920 --> 00:41:47,319 variable. And then... I just 1286 00:41:47,320 --> 00:41:48,669 made up a random function called use 1287 00:41:48,670 --> 00:41:50,949 request data. But every time you touch 1288 00:41:50,950 --> 00:41:52,269 stuff, that's data that comes from the 1289 00:41:52,270 --> 00:41:54,429 network from a 1290 00:41:54,430 --> 00:41:55,479 potentially untrusted 1291 00:41:56,870 --> 00:41:57,870 X client. 1292 00:42:00,400 --> 00:42:02,649 So there are several size 1293 00:42:02,650 --> 00:42:04,569 macros. REQUEST_SIZE_MATCH 1294 00:42:04,570 --> 00:42:06,579 basically: you give it a type, and it 1295 00:42:06,580 --> 00:42:08,619 means that the size of your request has 1296 00:42:08,620 --> 00:42:11,079 to match exactly the size of a struct. 1297 00:42:11,080 --> 00:42:13,509 If the size is off for some reason, 1298 00:42:13,510 --> 00:42:15,879 it bails out. REQUEST_ 1299 00:42:15,880 --> 00:42:18,459 AT_LEAST_SIZE basically means 1300 00:42:18,460 --> 00:42:20,649 the data you send me has to be at 1301 00:42:20,650 --> 00:42:23,139 least as big as the structure, or bigger. 1302 00:42:23,140 --> 00:42:25,359 And then the last one is 1303 00:42:25,360 --> 00:42:27,579 REQUEST_FIXED_SIZE(type, length). 1304 00:42:27,580 --> 00:42:29,739 And basically what that means is, 1305 00:42:29,740 --> 00:42:31,809 the data you send me has got 1306 00:42:31,810 --> 00:42:33,879 to be exactly the 1307 00:42:33,880 --> 00:42:35,649 length of the type plus the length that 1308 00:42:35,650 --> 00:42:36,819 was given. 1309 00:42:36,820 --> 00:42:38,199 What's interesting about REQUEST_FIXED_ 1310 00:42:38,200 --> 00:42:40,389 SIZE is that it has an implicit integer 1311 00:42:40,390 --> 00:42:41,390 overflow.
1312 00:42:42,040 --> 00:42:44,589 This length thing right here, if 1313 00:42:44,590 --> 00:42:45,999 it's user-controlled and you can make it 1314 00:42:46,000 --> 00:42:48,279 about four gigabytes big, 1315 00:42:48,280 --> 00:42:50,589 it'll overflow internally, 1316 00:42:50,590 --> 00:42:51,699 and there's really no way to fix it, 1317 00:42:51,700 --> 00:42:53,019 because you can't bail out of it. 1318 00:42:53,020 --> 00:42:54,639 It's a macro. It's not a function, right? 1319 00:42:56,500 --> 00:42:58,329 But if you use these macros correctly, 1320 00:42:58,330 --> 00:43:00,339 that's how you prevent trivial 1321 00:43:00,340 --> 00:43:02,439 out-of-bounds reads and writes 1322 00:43:02,440 --> 00:43:05,199 in any procedure 1323 00:43:05,200 --> 00:43:06,619 for extensions, and even the core 1324 00:43:06,620 --> 00:43:07,620 protocol. 1325 00:43:08,530 --> 00:43:10,359 So now that we know that, let's sort of 1326 00:43:10,360 --> 00:43:11,919 go over the standard types of bug. 1327 00:43:11,920 --> 00:43:14,139 So, because... so the 1328 00:43:14,140 --> 00:43:16,329 100 bugs I found, I reported them about 1329 00:43:16,330 --> 00:43:18,399 25 and a half hours ago by now. 1330 00:43:18,400 --> 00:43:20,079 But because clearly they haven't been 1331 00:43:20,080 --> 00:43:22,179 fixed yet, I decided not to 1332 00:43:22,180 --> 00:43:24,279 talk about specific bugs yet, because 1333 00:43:24,280 --> 00:43:25,959 I don't want to drop 0day unless 1334 00:43:25,960 --> 00:43:26,960 people tell me I can.
1335 00:43:28,510 --> 00:43:29,769 So what I'm going to do is I'm going to 1336 00:43:29,770 --> 00:43:31,989 tell you about the general types 1337 00:43:31,990 --> 00:43:32,990 of bugs I found, 1338 00:43:35,020 --> 00:43:37,209 because 1339 00:43:37,210 --> 00:43:38,619 I've seen enough of the code that I 1340 00:43:38,620 --> 00:43:40,029 kind of have an idea what the trends are 1341 00:43:40,030 --> 00:43:41,439 among all of the extensions and the core 1342 00:43:41,440 --> 00:43:42,729 protocol. 1343 00:43:42,730 --> 00:43:44,439 This is obviously, you know, a very 1344 00:43:44,440 --> 00:43:46,359 common one. Certainly not X-specific. 1345 00:43:46,360 --> 00:43:47,959 But yeah, if you do a malloc, 1346 00:43:47,960 --> 00:43:49,899 you've got to check the return value. 1347 00:43:49,900 --> 00:43:51,819 You might crash on a null dereference if 1348 00:43:51,820 --> 00:43:54,069 you're out of memory. X has piles 1349 00:43:54,070 --> 00:43:55,070 of these bugs. 1350 00:43:56,180 --> 00:43:58,009 Obviously, integer overflows, right? 1351 00:43:58,010 --> 00:43:59,479 Big one. Certainly when you're parsing 1352 00:43:59,480 --> 00:44:01,009 binary protocols, you're going to have 1353 00:44:01,010 --> 00:44:02,419 piles and piles of integer overflows. 1354 00:44:03,470 --> 00:44:05,539 There are three 1355 00:44:05,540 --> 00:44:07,939 cases where this happens. 1356 00:44:07,940 --> 00:44:10,069 One is when you parse large config 1357 00:44:10,070 --> 00:44:12,079 files, like font files and so forth. 1358 00:44:12,080 --> 00:44:13,039 There have been a bunch of these where 1359 00:44:13,040 --> 00:44:15,289 you have very large config files with, 1360 00:44:15,290 --> 00:44:16,819 let's say, four billion entries or 1361 00:44:16,820 --> 00:44:18,439 something. Yeah, that's probably going to 1362 00:44:18,440 --> 00:44:20,509 overflow. When parsing protocol 1363 00:44:20,510 --> 00:44:21,510 data, obviously, right?
1364 00:44:22,580 --> 00:44:24,079 It's even going to be out-of-bounds reads, 1365 00:44:24,080 --> 00:44:25,969 where you bypass some kind of length 1366 00:44:25,970 --> 00:44:27,589 validation, or, you know, memory 1367 00:44:27,590 --> 00:44:28,879 corruption when you have an integer overflow 1368 00:44:28,880 --> 00:44:30,829 in your buffer calculations; 1369 00:44:30,830 --> 00:44:33,739 obviously there are samples of those too. 1370 00:44:33,740 --> 00:44:35,989 And then when you have the implicit 1371 00:44:35,990 --> 00:44:37,849 integer overflow in REQUEST_FIXED_SIZE, 1372 00:44:37,850 --> 00:44:38,850 which I talked about just before. 1373 00:44:39,980 --> 00:44:42,209 Oh, this is sort of... not an X 1374 00:44:42,210 --> 00:44:43,819 bug, but it's sort of cute, this cute 1375 00:44:43,820 --> 00:44:46,159 little thing where if you do 1376 00:44:46,160 --> 00:44:48,319 heap allocations in C, you 1377 00:44:48,320 --> 00:44:50,719 have malloc, realloc, calloc, free, 1378 00:44:50,720 --> 00:44:52,429 and realloc has this really, really 1379 00:44:52,430 --> 00:44:54,529 cute corner case where if you give 1380 00:44:54,530 --> 00:44:56,689 it a pointer and a length of zero, 1381 00:44:56,690 --> 00:44:58,939 realloc sort of short-circuits; it says, I'm 1382 00:44:58,940 --> 00:45:00,709 just going to free the data and hand back 1383 00:45:00,710 --> 00:45:03,079 another pointer. That's by design. 1384 00:45:03,080 --> 00:45:04,519 All the man pages say it has to be that 1385 00:45:04,520 --> 00:45:06,649 way. But there's a large number of C 1386 00:45:06,650 --> 00:45:08,009 developers that don't quite know about 1387 00:45:08,010 --> 00:45:10,999 that corner case, including 1388 00:45:11,000 --> 00:45:13,009 some of the X developers, because 1389 00:45:13,010 --> 00:45:15,119 there's a bunch of these bugs within 1390 00:45:15,120 --> 00:45:17,449 X. Obviously, 1391 00:45:17,450 --> 00:45:19,099 invalid length fields and indexes.
1392 00:45:19,100 --> 00:45:20,629 I actually did have some examples of that 1393 00:45:20,630 --> 00:45:21,709 on the client side. 1394 00:45:21,710 --> 00:45:23,299 The server side is not much better. 1395 00:45:23,300 --> 00:45:25,489 They have a bunch of these too. Out- 1396 00:45:25,490 --> 00:45:27,169 of-bounds reads, right? You know, you 1397 00:45:27,170 --> 00:45:28,969 have... you take a structure, 1398 00:45:28,970 --> 00:45:30,409 you don't validate the length, you just read 1399 00:45:30,410 --> 00:45:31,339 out a bunch of elements, 1400 00:45:31,340 --> 00:45:32,719 and that might be an out-of-bounds read. 1401 00:45:33,810 --> 00:45:34,810 Well, 1402 00:45:37,020 --> 00:45:39,539 the other thing is byte order bugs. 1403 00:45:41,630 --> 00:45:43,730 So, what I said earlier, that 1404 00:45:45,410 --> 00:45:47,539 the X server can 1405 00:45:47,540 --> 00:45:49,429 take care of byte order for you. 1406 00:45:49,430 --> 00:45:50,569 It does that, and the way it does 1407 00:45:50,570 --> 00:45:52,039 that is, they have the swap 1408 00:45:52,040 --> 00:45:54,089 vector, so before they call the 1409 00:45:54,090 --> 00:45:55,399 real function, they call the swap 1410 00:45:55,400 --> 00:45:57,859 function, which does all the swapping. 1411 00:45:57,860 --> 00:45:59,749 The real functions generally are 1412 00:45:59,750 --> 00:46:01,009 written... at least the recent ones are 1413 00:46:01,010 --> 00:46:02,489 written by, you know, fairly competent 1414 00:46:02,490 --> 00:46:04,129 people. They'll make mistakes, but 1415 00:46:04,130 --> 00:46:05,479 they'll at least know something. 1416 00:46:05,480 --> 00:46:06,799 They'll have some kind of 1417 00:46:06,800 --> 00:46:08,149 checking, or some kind of interval 1418 00:46:08,150 --> 00:46:09,259 checking.
1419 00:46:09,260 --> 00:46:10,879 But when people write the swapping 1420 00:46:10,880 --> 00:46:12,769 code, they don't, because it's this 1421 00:46:12,770 --> 00:46:14,389 tiny little piece of code that does fix- 1422 00:46:14,390 --> 00:46:15,419 ups. So nobody really cares. 1423 00:46:15,420 --> 00:46:16,999 They just want to be done with 1424 00:46:17,000 --> 00:46:17,899 them. 1425 00:46:17,900 --> 00:46:20,029 So most of the swapping code is horrible. 1426 00:46:20,030 --> 00:46:22,129 It never double-checks, and because 1427 00:46:22,130 --> 00:46:25,159 they actually swap bytes, 1428 00:46:25,160 --> 00:46:26,329 they're not just out-of-bounds reads. 1429 00:46:26,330 --> 00:46:28,069 They're out-of-bounds writes, because they 1430 00:46:28,070 --> 00:46:29,569 swap pieces of memory outside of a 1431 00:46:29,570 --> 00:46:31,039 buffer. So you get all these sort of 1432 00:46:31,040 --> 00:46:33,139 weird memory corruption bugs when people 1433 00:46:33,140 --> 00:46:34,819 do these byte order fix-ups. 1434 00:46:36,760 --> 00:46:39,029 Oh, yeah, 1435 00:46:39,030 --> 00:46:40,030 OK. 1436 00:46:40,590 --> 00:46:41,760 Obviously, you know, memory leaks 1437 00:46:43,020 --> 00:46:45,149 are also not X-specific, 1438 00:46:45,150 --> 00:46:47,309 but X has a bunch of these where 1439 00:46:47,310 --> 00:46:49,589 they'll do a bunch of mallocs or strdups 1440 00:46:49,590 --> 00:46:50,590 or so forth. 1441 00:46:51,810 --> 00:46:53,519 And then there will be some corner case 1442 00:46:53,520 --> 00:46:54,599 where they forget to free the data. 1443 00:46:55,860 --> 00:46:58,049 So this is pretty much as far as I've 1444 00:46:58,050 --> 00:46:59,129 come. 1445 00:46:59,130 --> 00:47:01,319 I had hoped to have gotten further. 1446 00:47:01,320 --> 00:47:03,389 There is an unbelievable amount of code 1447 00:47:03,390 --> 00:47:05,370 in there. Again, fucking GLX.
1448 00:47:07,020 --> 00:47:08,789 So the rest of the slides, I had hoped to 1449 00:47:08,790 --> 00:47:10,949 sort of have gotten there, but I 1450 00:47:10,950 --> 00:47:12,899 can give you some general pointers, as in, 1451 00:47:12,900 --> 00:47:14,639 I read some specs, a little bit, 1452 00:47:14,640 --> 00:47:15,929 about these things. 1453 00:47:15,930 --> 00:47:17,789 And there's a tiny bit at the end where I 1454 00:47:17,790 --> 00:47:19,589 know a little bit, because I spent last 1455 00:47:19,590 --> 00:47:21,779 night reading up on this stuff, 1456 00:47:21,780 --> 00:47:24,149 but most of the rest sort of is 1457 00:47:24,150 --> 00:47:26,189 more hand-waving. 1458 00:47:26,190 --> 00:47:27,809 Yeah, X obviously has a bunch of 1459 00:47:27,810 --> 00:47:29,819 drivers, and drivers are... driver support, 1460 00:47:29,820 --> 00:47:31,529 blah blah blah blah. 1461 00:47:31,530 --> 00:47:32,909 I wanted to look at server-side display 1462 00:47:32,910 --> 00:47:34,799 drivers; haven't gotten to them yet. 1463 00:47:34,800 --> 00:47:36,689 This is interesting stuff, but this is 1464 00:47:36,690 --> 00:47:39,509 pretty much direct rendering infrastructure. 1465 00:47:39,510 --> 00:47:42,119 These are sort of legacy drivers, I guess. 1466 00:47:42,120 --> 00:47:43,319 The font drivers I actually did look at, 1467 00:47:43,320 --> 00:47:45,509 because you can get to them through the core 1468 00:47:45,510 --> 00:47:46,769 protocol. So I looked at a bunch of 1469 00:47:46,770 --> 00:47:48,359 different drivers, the font server. 1470 00:47:48,360 --> 00:47:49,319 Horrible, terrible. 1471 00:47:49,320 --> 00:47:51,780 This is old code written in the 80s. 1472 00:47:52,800 --> 00:47:55,099 Not used anymore, but it's still there. 1473 00:47:55,100 --> 00:47:57,329 Nope, nobody uses a font server anymore.
1474 00:47:57,330 --> 00:47:58,769 But the way it works is that your X 1475 00:47:58,770 --> 00:48:00,539 server has a font client in it, and you 1476 00:48:00,540 --> 00:48:01,909 can go there and say, hey, connect to the 1477 00:48:01,910 --> 00:48:04,219 font server, the actual font server. 1478 00:48:05,340 --> 00:48:07,679 And the font portion, that client, 1479 00:48:07,680 --> 00:48:09,449 is just terrible, piles and piles of 1480 00:48:09,450 --> 00:48:10,450 bugs. 1481 00:48:10,830 --> 00:48:12,599 Yeah, OpenGL drivers, haven't looked at 1482 00:48:12,600 --> 00:48:14,369 them yet. It's sort of my next step, 1483 00:48:14,370 --> 00:48:15,419 because I feel, since I 1484 00:48:15,420 --> 00:48:17,399 look at GLX, I have to eventually get to OpenGL, 1485 00:48:17,400 --> 00:48:19,079 too. I suspect it's going to be an 1486 00:48:19,080 --> 00:48:20,080 enormous shit show, 1487 00:48:21,330 --> 00:48:23,309 based on GLX. It's got to be terrible. 1488 00:48:23,310 --> 00:48:24,509 And it's one of these things where GLX 1489 00:48:24,510 --> 00:48:26,609 calls into all these APIs 1490 00:48:26,610 --> 00:48:28,260 that the drivers expose. 1491 00:48:29,460 --> 00:48:31,229 And it's going to be long and tedious 1492 00:48:31,230 --> 00:48:33,349 work, mapping sort of the things that 1493 00:48:33,350 --> 00:48:35,639 GLX talks into these drivers. Eventually 1494 00:48:35,640 --> 00:48:36,689 I will get to this, but I haven't gotten to 1495 00:48:36,690 --> 00:48:37,690 that part yet. 1496 00:48:38,870 --> 00:48:40,579 Yeah, the X server has a bunch of dependencies 1497 00:48:40,580 --> 00:48:41,869 on libraries. 1498 00:48:41,870 --> 00:48:43,669 Initially, the first thing, I 1499 00:48:43,670 --> 00:48:44,869 figured, oh, X server, that must be 1500 00:48:44,870 --> 00:48:46,819 self-contained. It turns out it's not, 1501 00:48:46,820 --> 00:48:49,189 and you see all these references to 1502 00:48:49,190 --> 00:48:50,359 pixman and so forth.
1503 00:48:50,360 --> 00:48:51,649 And it turns out that's some third party 1504 00:48:51,650 --> 00:48:53,809 library, so I had to go and download 1505 00:48:53,810 --> 00:48:55,159 those libraries and include them in my 1506 00:48:55,160 --> 00:48:56,160 auditing as well. 1507 00:48:56,990 --> 00:48:58,459 So there are some bugs in there, too, 1508 00:48:58,460 --> 00:48:59,809 but since they're not part of X, I'm not 1509 00:48:59,810 --> 00:49:00,810 covering that here. 1510 00:49:01,670 --> 00:49:03,439 The last bit that I want to sort of 1511 00:49:03,440 --> 00:49:04,819 cover, 1512 00:49:04,820 --> 00:49:06,349 hopefully I can do in two minutes, is 1513 00:49:06,350 --> 00:49:07,879 DRI, which is called direct rendering 1514 00:49:07,880 --> 00:49:08,779 infrastructure. 1515 00:49:08,780 --> 00:49:10,969 This is the thing that makes X really 1516 00:49:10,970 --> 00:49:12,019 fast, actually. 1517 00:49:12,020 --> 00:49:14,299 This is also the thing that makes X not 1518 00:49:14,300 --> 00:49:15,889 network transparent, right? 1519 00:49:15,890 --> 00:49:17,539 X used to be transparent, hasn't been for a 1520 00:49:17,540 --> 00:49:19,759 long time, in large 1521 00:49:19,760 --> 00:49:20,989 part due to DRI. 1522 00:49:20,990 --> 00:49:22,639 Well, DRI basically says, Well, 1523 00:49:22,640 --> 00:49:24,349 you know, yes, you'll have to keep all 1524 00:49:24,350 --> 00:49:25,459 these cool things that we're going to do 1525 00:49:25,460 --> 00:49:26,719 is we're going to move, we're going to 1526 00:49:26,720 --> 00:49:27,679 give you direct access. 1527 00:49:27,680 --> 00:49:28,879 We're going to give you, the client, direct 1528 00:49:28,880 --> 00:49:31,039 access to the hardware and we'll 1529 00:49:31,040 --> 00:49:32,869 have some driver stuff in the kernel that 1530 00:49:32,870 --> 00:49:34,999 manages the stuff for you as you get all 1531 00:49:35,000 --> 00:49:36,919 this memory mapped.
1532 00:49:36,920 --> 00:49:38,659 Your stuff, and the way that works is you 1533 00:49:38,660 --> 00:49:40,459 have this direct rendering manager and 1534 00:49:40,460 --> 00:49:42,619 that thing lives in the kernel and it kind 1535 00:49:42,620 --> 00:49:43,620 of looks like this. 1536 00:49:44,630 --> 00:49:46,789 So you have this X11 and an X server will 1537 00:49:46,790 --> 00:49:48,379 sort of do it for you, but you can sort 1538 00:49:48,380 --> 00:49:50,539 of make your own and then sort of you get 1539 00:49:50,540 --> 00:49:52,099 access to GPU stuff. 1540 00:49:52,100 --> 00:49:54,269 But then you have this DRM, 1541 00:49:54,270 --> 00:49:57,259 the direct rendering manager, 1542 00:49:57,260 --> 00:49:59,239 that you see there, you'll see, in the kernel. 1543 00:49:59,240 --> 00:50:01,519 And every time I see DRM, it 1544 00:50:01,520 --> 00:50:03,299 screws me up because when I see DRM, 1545 00:50:03,300 --> 00:50:05,239 I think digital rights management, 1546 00:50:05,240 --> 00:50:06,619 and then I go, like, No, it's not. 1547 00:50:06,620 --> 00:50:08,510 It's the direct rendering manager, 1548 00:50:10,220 --> 00:50:12,199 anyway. So the last thing 1549 00:50:12,200 --> 00:50:14,029 I looked at is the direct rendering manager in the 1550 00:50:14,030 --> 00:50:15,739 Linux kernel, which is basically 1551 00:50:15,740 --> 00:50:18,049 implemented in drivers/gpu/drm, 1552 00:50:18,050 --> 00:50:19,609 drm_drv. 1553 00:50:19,610 --> 00:50:21,049 And that's basically a manager in this 1554 00:50:21,050 --> 00:50:22,369 framework.
And so when you make your own 1555 00:50:22,370 --> 00:50:24,199 kernel drivers, they sort of plug 1556 00:50:24,200 --> 00:50:26,299 in below the DRM 1557 00:50:26,300 --> 00:50:28,549 thing. DRM drivers 1558 00:50:28,550 --> 00:50:30,229 expose ioctl interfaces 1559 00:50:32,270 --> 00:50:34,219 and basically they can have their own 1560 00:50:34,220 --> 00:50:35,719 ioctls and then they can also expose 1561 00:50:35,720 --> 00:50:36,739 ioctls from their drivers 1562 00:50:38,480 --> 00:50:40,429 in Linux. So ioctls in BSD 1563 00:50:40,430 --> 00:50:42,529 originally have some structure to them. 1564 00:50:42,530 --> 00:50:44,599 You can say it's input, output, and you see 1565 00:50:44,600 --> 00:50:46,819 the length. Initially, when 1566 00:50:46,820 --> 00:50:48,889 Linux had ioctls, they didn't require 1567 00:50:48,890 --> 00:50:50,959 all of that structure. They said it was 1568 00:50:50,960 --> 00:50:51,979 just a number. 1569 00:50:51,980 --> 00:50:53,059 We don't care what it means. 1570 00:50:53,060 --> 00:50:54,409 We don't care. There's no length stuff. 1571 00:50:54,410 --> 00:50:56,729 It's the number. The DRM 1572 00:50:56,730 --> 00:50:59,149 ioctls sort of mount 1573 00:50:59,150 --> 00:51:01,549 the BSD-style ones on top of Linux ioctls, 1574 00:51:01,550 --> 00:51:02,989 where there are actual numbers that 1575 00:51:02,990 --> 00:51:05,089 actually do have bits that 1576 00:51:05,090 --> 00:51:06,329 contain this input/output. 1577 00:51:06,330 --> 00:51:08,389 This is a length field, and 1578 00:51:08,390 --> 00:51:10,039 they add a little bit more 1579 00:51:10,040 --> 00:51:11,509 on top of that. So the way it works is 1580 00:51:11,510 --> 00:51:13,789 when you create a driver, you use these 1581 00:51:13,790 --> 00:51:15,559 macros and then you say, this is 1582 00:51:15,560 --> 00:51:17,719 the name, this is the ioctl 1583 00:51:17,720 --> 00:51:18,949 of my thing.
1584 00:51:18,950 --> 00:51:20,059 This is my callback for this 1585 00:51:20,060 --> 00:51:22,519 ioctl, and then a bunch of flags 1586 00:51:22,520 --> 00:51:24,799 here. And those flags basically 1587 00:51:24,800 --> 00:51:26,239 validate, where it says, well, if the 1588 00:51:26,240 --> 00:51:28,039 flag is root only, then you have to 1589 00:51:28,040 --> 00:51:29,569 be CAP_SYS_ADMIN. 1590 00:51:29,570 --> 00:51:31,309 If it's DRM auth, it means you have to 1591 00:51:31,310 --> 00:51:32,339 be authenticated as that. 1592 00:51:32,340 --> 00:51:34,639 That has to be allowed to render stuff, 1593 00:51:34,640 --> 00:51:36,829 and a bunch of other things, right? 1594 00:51:36,830 --> 00:51:38,269 And this is all open-source Linux code. 1595 00:51:38,270 --> 00:51:39,919 You can go look at it if you 1596 00:51:39,920 --> 00:51:42,169 find it interesting. Yeah, 1597 00:51:42,170 --> 00:51:43,459 there's certain memory stuff, I'm out of 1598 00:51:43,460 --> 00:51:45,589 time, so I'm not going to cover that. 1599 00:51:45,590 --> 00:51:47,689 Last two slides, then I'll open 1600 00:51:47,690 --> 00:51:49,939 it up for questions. 1601 00:51:51,050 --> 00:51:52,399 The whole X server runs as root. 1602 00:51:52,400 --> 00:51:55,519 It has certainly done this since 1984. 1603 00:51:55,520 --> 00:51:57,679 We've known for over a decade 1604 00:51:57,680 --> 00:51:58,680 it's a terrible idea. 1605 00:52:00,110 --> 00:52:02,149 As far as I know, Xorg still doesn't 1606 00:52:02,150 --> 00:52:04,249 offer a way to really do 1607 00:52:04,250 --> 00:52:06,319 good privilege separation. 1608 00:52:06,320 --> 00:52:07,519 There's been talk about this.
1609 00:52:07,520 --> 00:52:09,979 I know some mild, 1610 00:52:09,980 --> 00:52:12,229 super mild, very 1611 00:52:12,230 --> 00:52:14,539 weak implementation has been done for 1612 00:52:14,540 --> 00:52:16,669 Solaris to one 1613 00:52:16,670 --> 00:52:17,989 domain, because you guys did this 1614 00:52:19,490 --> 00:52:21,020 at least five years ago, maybe longer. 1615 00:52:22,340 --> 00:52:24,139 And Xorg has got to just steal your 1616 00:52:24,140 --> 00:52:26,249 code and just be done with it, right? 1617 00:52:26,250 --> 00:52:27,619 You guys know how to do 1618 00:52:27,620 --> 00:52:28,759 separation. Just get their code. 1619 00:52:28,760 --> 00:52:29,760 Use it. 1620 00:52:34,290 --> 00:52:35,999 Yeah. The other thing is that X has this 1621 00:52:36,000 --> 00:52:38,069 thing called X Access Control 1622 00:52:38,070 --> 00:52:39,809 Extension, which basically means for 1623 00:52:39,810 --> 00:52:42,659 every procedure you call in X, 1624 00:52:42,660 --> 00:52:44,189 there's this thing called XACE hooks. 1625 00:52:44,190 --> 00:52:46,319 And then you can make your own XACE 1626 00:52:46,320 --> 00:52:48,299 drivers, which allow you to map a 1627 00:52:48,300 --> 00:52:50,039 security model on top of that. 1628 00:52:50,040 --> 00:52:51,719 This is implemented, influenced by 1629 00:52:51,720 --> 00:52:53,729 Linux security modules, and it allows 1630 00:52:53,730 --> 00:52:55,439 drivers to implement a security model. 1631 00:52:55,440 --> 00:52:56,549 It's hideously arcane. 1632 00:52:56,550 --> 00:52:57,659 You have to build these profiles. 1633 00:52:57,660 --> 00:52:59,669 It's a total pain. Yes, I've been told 1634 00:52:59,670 --> 00:53:01,739 nobody, even though the security module 1635 00:53:01,740 --> 00:53:03,869 to do this is there, nobody actually 1636 00:53:03,870 --> 00:53:06,029 uses this.
Oh, and by the way, this 1637 00:53:06,030 --> 00:53:07,949 is an idea from the NSA, so I don't know 1638 00:53:07,950 --> 00:53:08,950 if I want to use this. 1639 00:53:11,430 --> 00:53:13,589 So, yeah, in conclusion, how 1640 00:53:13,590 --> 00:53:15,789 bad is it? Can we do better? 1641 00:53:15,790 --> 00:53:18,059 Good news is I did finish the run 1642 00:53:18,060 --> 00:53:19,949 of the client side bugs. 1643 00:53:19,950 --> 00:53:22,229 I'd like to believe, or I hope, the trivial 1644 00:53:22,230 --> 00:53:24,269 bugs are gone from the client side stuff. 1645 00:53:24,270 --> 00:53:25,709 Feel free to go look, maybe you'll find 1646 00:53:25,710 --> 00:53:26,710 some more. 1647 00:53:27,720 --> 00:53:29,309 Plenty, plenty of bugs left in the 1648 00:53:29,310 --> 00:53:30,310 server, at least. 1649 00:53:32,010 --> 00:53:33,389 Yeah, it's going to be a couple hundred 1650 00:53:33,390 --> 00:53:34,859 bugs left, trivial bugs left, in the 1651 00:53:34,860 --> 00:53:36,779 server and extensions and drivers and so 1652 00:53:36,780 --> 00:53:37,780 forth. 1653 00:53:38,430 --> 00:53:40,559 Maybe, hopefully, when the advisory comes 1654 00:53:40,560 --> 00:53:42,319 out for the bugs I reported, 1655 00:53:42,320 --> 00:53:43,379 24, I guess by now 1656 00:53:43,380 --> 00:53:44,380 twenty six hours ago, 1657 00:53:45,840 --> 00:53:47,879 maybe it'll scare people into adopting 1658 00:53:47,880 --> 00:53:50,099 Wayland faster and we can be done 1659 00:53:50,100 --> 00:53:51,300 with Xorg. 1660 00:53:53,040 --> 00:53:54,339 Yes. 1661 00:53:54,340 --> 00:53:55,340 Uh.
1662 00:53:57,370 --> 00:53:59,349 But even so, even if Wayland becomes as 1663 00:53:59,350 --> 00:54:01,479 big, which it probably will, only once folks 1664 00:54:01,480 --> 00:54:03,579 move over to Wayland, there's going to be 1665 00:54:03,580 --> 00:54:04,929 a bunch of legacy stuff and Xorg is going 1666 00:54:04,930 --> 00:54:06,729 to be around at least another decade, 1667 00:54:06,730 --> 00:54:08,169 probably two. 1668 00:54:08,170 --> 00:54:10,869 And so we'll have to fix these bugs. 1669 00:54:10,870 --> 00:54:13,179 The good side, the good thing, is that 1670 00:54:13,180 --> 00:54:15,009 the clients are getting fixed, and if the timeframe 1671 00:54:15,010 --> 00:54:16,829 from Alan is anything to go by, 1672 00:54:16,830 --> 00:54:19,179 this is going to get fixed February, 1673 00:54:19,180 --> 00:54:20,349 March if we're lucky. 1674 00:54:21,970 --> 00:54:23,829 But even so, what we need is a driving 1675 00:54:23,830 --> 00:54:25,869 force, some way to motivate 1676 00:54:25,870 --> 00:54:28,089 people to go in and really knock 1677 00:54:28,090 --> 00:54:30,249 the shit out of the server. 1678 00:54:30,250 --> 00:54:31,749 It's long and tedious work, and it's kind 1679 00:54:31,750 --> 00:54:33,879 of painful, but I think something needs 1680 00:54:33,880 --> 00:54:35,469 to be done that hasn't been done for 30 1681 00:54:35,470 --> 00:54:37,329 years. Somebody just needs to do it. 1682 00:54:37,330 --> 00:54:40,359 And lastly, but certainly not least, 1683 00:54:40,360 --> 00:54:42,459 somebody, some Xorg developer, 1684 00:54:42,460 --> 00:54:44,079 should get off their ass and just 1685 00:54:44,080 --> 00:54:45,849 implement privilege separation. 1686 00:54:45,850 --> 00:54:47,709 You do it yourself or take it, it won't be 1687 00:54:47,710 --> 00:54:48,729 easy, but just do it. 1688 00:54:50,500 --> 00:54:52,869 Yeah, that's more or less on time.
1689 00:54:53,890 --> 00:54:55,989 With that, I guess I'll open it 1690 00:54:55,990 --> 00:54:56,990 up to questions. 1691 00:55:06,060 --> 00:55:07,649 Excellent, thanks, Ilya. 1692 00:55:07,650 --> 00:55:09,419 So if there are any questions, I'll ask 1693 00:55:09,420 --> 00:55:11,699 for microphones one, two, three, four, 1694 00:55:11,700 --> 00:55:13,739 and we might have questions from the 1695 00:55:13,740 --> 00:55:14,759 internet too. 1696 00:55:14,760 --> 00:55:16,829 So let's go ahead with microphone number 1697 00:55:16,830 --> 00:55:18,089 two there. 1698 00:55:18,090 --> 00:55:20,639 Thanks. Do you have any sense of how the 1699 00:55:20,640 --> 00:55:22,289 quality of Wayland's code compares to the 1700 00:55:22,290 --> 00:55:23,609 server? I do not. 1701 00:55:23,610 --> 00:55:26,669 I have not looked at Wayland yet beyond 1702 00:55:26,670 --> 00:55:28,799 I see, and I see Daniel's, and I've 1703 00:55:28,800 --> 00:55:31,799 been very interested and very piqued into 1704 00:55:31,800 --> 00:55:32,999 what Wayland does. 1705 00:55:33,000 --> 00:55:34,829 I have not looked at their code yet, but 1706 00:55:34,830 --> 00:55:36,599 what I understand from their model is that 1707 00:55:36,600 --> 00:55:38,249 it's very different. 1708 00:55:38,250 --> 00:55:39,959 So in X, everything goes through 1709 00:55:39,960 --> 00:55:41,759 the server, and the server is a big, massive 1710 00:55:41,760 --> 00:55:43,529 blob of a thing that has access to hardware, 1711 00:55:43,530 --> 00:55:45,989 runs as root. From what I understand, 1712 00:55:45,990 --> 00:55:47,429 in Wayland it's different, where the 1713 00:55:47,430 --> 00:55:48,629 compositor owns everything, and there's 1714 00:55:48,630 --> 00:55:51,209 just sort of this IPC mechanism. 1715 00:55:51,210 --> 00:55:52,679 So I suspect the model is going to be 1716 00:55:52,680 --> 00:55:54,839 better than X.
And I suspect they can, if 1717 00:55:54,840 --> 00:55:56,459 not already, can easily do privilege 1718 00:55:56,460 --> 00:55:58,049 separation or privilege dropping. 1719 00:55:58,050 --> 00:55:59,129 But it's all guessing. 1720 00:55:59,130 --> 00:56:00,329 I don't know. 1721 00:56:00,330 --> 00:56:01,619 Thanks. 1722 00:56:01,620 --> 00:56:03,749 All right. Microphone number one. 1723 00:56:03,750 --> 00:56:04,899 Hello. 1724 00:56:04,900 --> 00:56:06,809 Going to be the annoying one by 1725 00:56:06,810 --> 00:56:09,069 saying, I do 1726 00:56:09,070 --> 00:56:11,549 use the X code. 1727 00:56:11,550 --> 00:56:13,649 I do use the X11 server and 1728 00:56:13,650 --> 00:56:16,139 I do use it in network transparent fashion. 1729 00:56:16,140 --> 00:56:17,069 And it all works. 1730 00:56:17,070 --> 00:56:18,899 We have to use it sometimes for, like, 1731 00:56:18,900 --> 00:56:21,239 really low 1732 00:56:21,240 --> 00:56:23,459 capability terminal class. 1733 00:56:23,460 --> 00:56:25,679 It all still works and I don't 1734 00:56:25,680 --> 00:56:28,009 think you even need DRM because, like, if 1735 00:56:28,010 --> 00:56:29,699 you're using it locally, yes, you 1736 00:56:29,700 --> 00:56:31,229 don't use the VESA driver. 1737 00:56:31,230 --> 00:56:33,299 But my question is, what you've said 1738 00:56:33,300 --> 00:56:35,459 seems to imply that 1739 00:56:35,460 --> 00:56:37,559 if you did that, if you kind of went back 1740 00:56:37,560 --> 00:56:39,749 to the 80s and 90s, you used 1741 00:56:39,750 --> 00:56:41,819 that code, which I must admit I 1742 00:56:41,820 --> 00:56:43,320 pretty much actually do. 1743 00:56:44,730 --> 00:56:46,379 Have you significantly lowered your 1744 00:56:46,380 --> 00:56:48,269 attack surface? Because you make it sound 1745 00:56:48,270 --> 00:56:49,439 like you have.
1746 00:56:49,440 --> 00:56:51,989 Because if most of the attacks 1747 00:56:51,990 --> 00:56:54,269 are in the extensions, 1748 00:56:54,270 --> 00:56:56,489 you can actually run, if all you want 1749 00:56:56,490 --> 00:56:58,829 is, yes, text on the screen, images 1750 00:56:58,830 --> 00:57:00,959 on the screen, maybe some video, 1751 00:57:00,960 --> 00:57:02,639 you can achieve that. 1752 00:57:02,640 --> 00:57:04,289 You certainly don't need OpenGL. 1753 00:57:04,290 --> 00:57:05,999 You can get, yes, agreed. 1754 00:57:06,000 --> 00:57:07,889 I know, you make a very good point. 1755 00:57:07,890 --> 00:57:10,439 If you do that, you significantly 1756 00:57:10,440 --> 00:57:12,299 decrease. I mean, there will be bugs, 1757 00:57:12,300 --> 00:57:13,799 but it'll be like an order of magnitude 1758 00:57:13,800 --> 00:57:15,689 less. You'd significantly decrease your attack 1759 00:57:15,690 --> 00:57:17,789 surface if you're in that position to do 1760 00:57:17,790 --> 00:57:19,199 it. Certainly on, 1761 00:57:19,200 --> 00:57:20,249 you know, cheap terminals, that kind of 1762 00:57:20,250 --> 00:57:21,569 stuff, you can do it. 1763 00:57:21,570 --> 00:57:23,009 The problem is YouTube is not going to 1764 00:57:23,010 --> 00:57:24,419 work when you do this, a whole bunch of 1765 00:57:24,420 --> 00:57:25,559 graphics isn't going to work. 1766 00:57:25,560 --> 00:57:27,929 I watch YouTube and I don't use 1767 00:57:27,930 --> 00:57:30,839 OpenGL, and it works 1768 00:57:30,840 --> 00:57:32,999 really well because I've not 1769 00:57:33,000 --> 00:57:33,979 used, I've not coming out. 1770 00:57:33,980 --> 00:57:36,369 I think it uses more of the CPU. 1771 00:57:36,370 --> 00:57:38,669 You know, if, if, if 1772 00:57:38,670 --> 00:57:38,819 it's 1773 00:57:38,820 --> 00:57:40,969 because it'll never use the CPU, right?
1774 00:57:40,970 --> 00:57:42,299 So technically, you're not using all 1775 00:57:42,300 --> 00:57:43,829 the, all the graphics intensive stuff is 1776 00:57:43,830 --> 00:57:45,599 going to really interfere with other 1777 00:57:45,600 --> 00:57:47,579 things you actually want to use the CPU for. 1778 00:57:47,580 --> 00:57:48,809 So depending on, depending on your 1779 00:57:48,810 --> 00:57:50,329 tradeoffs and everything else. 1780 00:57:50,330 --> 00:57:51,899 But yeah, so I don't know how bad it is. 1781 00:57:51,900 --> 00:57:53,339 I suspect, because you have all these 1782 00:57:53,340 --> 00:57:55,199 extensions with all the modern things 1783 00:57:55,200 --> 00:57:57,089 that people do nowadays, 1784 00:57:57,090 --> 00:57:58,649 it would have been bad. I don't know how 1785 00:57:58,650 --> 00:58:00,799 bad it is or in what situations. 1786 00:58:00,800 --> 00:58:02,039 You might be right. 1787 00:58:02,040 --> 00:58:03,269 I don't know. 1788 00:58:03,270 --> 00:58:05,429 I just always suspected that 1789 00:58:05,430 --> 00:58:06,569 that's the way it is. 1790 00:58:06,570 --> 00:58:08,669 I don't know in what situations, in 1791 00:58:08,670 --> 00:58:10,379 what situations that's acceptable. 1792 00:58:10,380 --> 00:58:11,459 But you might be right. 1793 00:58:11,460 --> 00:58:13,769 Maybe for the average user, it would be 1794 00:58:13,770 --> 00:58:15,539 reasonable to do it. 1795 00:58:15,540 --> 00:58:16,689 It would certainly lower your attack 1796 00:58:16,690 --> 00:58:18,059 surface. I agree with you. 1797 00:58:18,060 --> 00:58:20,099 Okay, great. That's what I'll do. 1798 00:58:20,100 --> 00:58:21,539 Now, I think we had a question from the 1799 00:58:21,540 --> 00:58:22,769 internet.
1800 00:58:22,770 --> 00:58:26,009 Yeah, someone is asking 1801 00:58:26,010 --> 00:58:28,349 if you encountered any significant design 1802 00:58:28,350 --> 00:58:30,539 flaws in the code that are 1803 00:58:30,540 --> 00:58:32,609 not easily fixable by a few patches. 1804 00:58:33,690 --> 00:58:36,059 Design flaws in the code. 1805 00:58:36,060 --> 00:58:38,129 I mean, the protocol has some, 1806 00:58:38,130 --> 00:58:39,179 I guess, and I didn't. 1807 00:58:39,180 --> 00:58:40,379 I said I was going to talk about it, but 1808 00:58:40,380 --> 00:58:41,759 I guess I can. 1809 00:58:41,760 --> 00:58:43,709 Since you asked, I can sort of say two 1810 00:58:43,710 --> 00:58:44,849 things about it. 1811 00:58:44,850 --> 00:58:45,869 Well, that's a lot of slides. 1812 00:58:47,370 --> 00:58:49,469 So I mean, yes, I mean, there have 1813 00:58:49,470 --> 00:58:51,629 been some design flaws, but this 1814 00:58:51,630 --> 00:58:53,669 isn't news. This is stuff we know. 1815 00:58:53,670 --> 00:58:56,009 I mean, it's that it doesn't have 1816 00:58:56,010 --> 00:58:58,169 any kind of network encryption. 1817 00:58:58,170 --> 00:59:00,989 So if you just use X over the network 1818 00:59:00,990 --> 00:59:03,209 as people used to, you 1819 00:59:03,210 --> 00:59:05,309 have, you know, our 1820 00:59:05,310 --> 00:59:06,299 openness, different key. 1821 00:59:06,300 --> 00:59:07,949 And yes, you can tunnel it over SSH, 1822 00:59:07,950 --> 00:59:09,329 but it's still a shortcoming of X. 1823 00:59:09,330 --> 00:59:10,349 So there's a set. 1824 00:59:10,350 --> 00:59:12,749 There's a set of these well known design 1825 00:59:12,750 --> 00:59:14,909 flaws with X. As to whether 1826 00:59:14,910 --> 00:59:16,979 I specifically ran into design flaws in X 1827 00:59:16,980 --> 00:59:18,419 that were known, 1828 00:59:18,420 --> 00:59:20,039 no, I didn't.
1829 00:59:20,040 --> 00:59:21,719 There was nothing there that I 1830 00:59:21,720 --> 00:59:23,579 specifically found. There might be some, 1831 00:59:23,580 --> 00:59:24,969 but I didn't run into any. 1832 00:59:24,970 --> 00:59:27,090 I hope that answers the question. 1833 00:59:28,120 --> 00:59:29,649 All right. Microphone number three, please. 1834 00:59:31,150 --> 00:59:32,799 What happened, sweet, cute. 1835 00:59:32,800 --> 00:59:34,000 What's the future, 1836 00:59:36,310 --> 00:59:37,899 your guess? 1837 00:59:37,900 --> 00:59:40,119 As good as mine? I have no idea. 1838 00:59:42,720 --> 00:59:44,439 Are you talking in reference to the bugs 1839 00:59:44,440 --> 00:59:46,389 I reported, or more general? 1840 00:59:46,390 --> 00:59:48,639 No, in reference to the bugs. Which 1841 00:59:48,640 --> 00:59:49,809 I don't know. 1842 00:59:49,810 --> 00:59:51,249 I reported the bugs. 1843 00:59:51,250 --> 00:59:53,379 They basically said they 1844 00:59:53,380 --> 00:59:54,579 weren't security bugs. 1845 00:59:54,580 --> 00:59:55,929 They said I could talk about it publicly. 1846 00:59:55,930 --> 00:59:58,179 That's all I know. I hope they will fix 1847 00:59:58,180 --> 01:00:00,369 the bugs, but they're not agreed 1848 01:00:00,370 --> 01:00:01,659 security bugs. 1849 01:00:01,660 --> 01:00:03,219 If you just get a bug fix, that's good 1850 01:00:03,220 --> 01:00:04,220 enough. 1851 01:00:05,200 --> 01:00:06,639 If it happens to be that it's better for 1852 01:00:06,640 --> 01:00:08,649 security, so be it. 1853 01:00:08,650 --> 01:00:10,689 So I hope they're still going to fix it, 1854 01:00:10,690 --> 01:00:11,709 but I have no idea. 1855 01:00:13,600 --> 01:00:14,919 Now we have another question from the 1856 01:00:14,920 --> 01:00:16,089 internet. 1857 01:00:16,090 --> 01:00:17,649 Yes. 1858 01:00:17,650 --> 01:00:19,389 Someone is asking if you're planning on 1859 01:00:19,390 --> 01:00:22,159 looking into desktop environments.
1860 01:00:22,160 --> 01:00:24,760 Oh, well, 1861 01:00:26,170 --> 01:00:28,019 maybe I might. 1862 01:00:28,020 --> 01:00:30,309 My time is limited and there's so much X 1863 01:00:30,310 --> 01:00:32,649 server stuff I still have to finish. 1864 01:00:32,650 --> 01:00:34,149 I put it at the bottom of my list and 1865 01:00:34,150 --> 01:00:35,769 maybe, you know, 10 or 20 years from now, 1866 01:00:35,770 --> 01:00:36,770 I'll get to it. 1867 01:00:39,340 --> 01:00:41,499 Now, can I please ask 1868 01:00:41,500 --> 01:00:43,419 you to actually provide feedback for this 1869 01:00:43,420 --> 01:00:45,519 talk, as for all the other talks that 1870 01:00:45,520 --> 01:00:47,049 you visited? You find it in the plan. 1871 01:00:47,050 --> 01:00:48,929 There's a little link, because I'm sure 1872 01:00:48,930 --> 01:00:49,899 Ilya will appreciate it. 1873 01:00:49,900 --> 01:00:51,159 I certainly found the talk very 1874 01:00:51,160 --> 01:00:53,049 informative and entertaining, as usual. 1875 01:00:53,050 --> 01:00:54,429 So another round of applause. 1876 01:00:54,430 --> 01:00:55,570 Finally, thank you very much.