Feed aggregator

A Guide to JES3 to JES2 Migration

IBM Redbooks Site - Wed, 08/15/2018 - 09:30
Redbook, published: Wed, 15 Aug 2018

This IBM® Redbooks® publication provides information to help clients that have JES3 and want to migrate to JES2.

Categories: Technology

Move ring on Apple Watch barely moving? Check your weight.

iPhone J.D. - Wed, 08/15/2018 - 00:22

Here's a quick tip for all of you Apple Watch owners who keep track of your circles, just in case you make the same mistake that I did.  I noticed a few days ago that the red circle (the Move ring) on my Apple Watch was increasing far slower than normal.  Even after 30 minutes on a treadmill, it was logging less than half of the calories that I normally see, and my overall red circle activity at the end of the day was substantially lower than normal.  It took a long time for me to find the solution, but ultimately I discovered that I needed to check my weight in the Health app on my iPhone, which was far lower than it should have been.  Once I adjusted my weight up to the correct number, my Move ring started to count calories at the same rate that it usually does.

How did this happen in the first place?  The Health app on the iPhone has a place to store your weight.  if your weight doesn't change often, just manually enter the number once and then forget about it.  However, if you are manually tracking your weight as it changes over time, it can be a pain to manually enter it in the Health app every day.  For a long time now, my faster solution has been to use the Workflow app — which will soon be renamed the Shortcuts app in iOS 12.  I have a very short workflow that simply asks me to enter my weight and then puts that data into the Health app:

Because it is one of the first four workflows in my Workflow app, I can just 3D Touch on the Workflow app icon on my iPhone's home screen, select Log My Weight, type the number, and then I'm done.  The whole process takes maybe three seconds.  In iOS 12, I'll be able to assign a voice command to start this workflow, making it even faster to trigger.

Last week, however, I suppose I should have spent more than three seconds to avoid being careless.  It turns out that I had somehow tapped the wrong buttons and entered the wrong weight, and apparently my iPhone had no trouble accepting that I suddenly weighed half as much.  (Um, thanks?)  My Apple Watch also noticed, and as a result it decided that I must be burning far less calories for the same amount of activity.

Fortunately, this is an easy problem to fix.  When you are looking at any health data source in the Health app, you can always tap Show All Data to see a list of every single entry.  If you see an entry that is wrong, you can delete that entry.  So to fix my problem, I just removed the incorrect weight, and the problem was solved.

Categories: iPhone Web Sites

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Google Project Zero - Tue, 08/14/2018 - 13:00
Posted by James Forshaw, Project Zero
And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged process. Once again by detailing how I’d exploit a particular vulnerability I hope that readers get a better understanding of the complexity of the Windows operating system as well as giving Microsoft information on non-memory corruption exploitation techniques so that they can mitigate them in some way.Quick Overview of the VulnerabilityObject Manager directories are unrelated to normal file directories. The directories are created and manipulated using a separate set of system calls such as NtCreateDirectoryObject rather than NtCreateFile. Even though they’re not file directories they’re vulnerable to many of the same classes of issues as you’d find on a file system including privileged creation and symbolic link planting attacks.
Issue 1550 is a vulnerability that allows the creation of a directory inside a user-controllable location while running as SYSTEM. The root of the bug is in the creation of Desktop Bridge applications. The AppInfo service, which is responsible for creating the new application, calls the undocumented API CreateAppContainerToken to do some internal housekeeping. Unfortunately this API creates object directories under the user’s AppContainerNamedObjects object directory to support redirecting BaseNamedObjects and RPC endpoints by the OS.
As the API is called without impersonating the user (it’s normally called in CreateProcess where it typically isn’t as big an issue) the object directories are created with the identity of the service, which is SYSTEM. As the user can write arbitrary objects to their AppContainerNamedObjects directory they could drop an object manager symbolic link and redirect the directory creation to almost anywhere in the object manager namespace. As a bonus the directory is created with an explicit security descriptor which allows the user full access, this will become very important for exploitation.
One difficulty in exploiting this vulnerability is that if the object directory isn’t created under AppContainerNamedObjects because we’ve redirected its location then the underlying NtCreateLowBoxToken system call which performs the token creation and captures a handle to the directory as part of its operation will fail. The directory will be created but almost immediately deleted again. This behavior is actually due to an earlier issue I reported which changes the system call’s behavior. This is still exploitable by opening a handle to the created directory before it’s deleted, and in practice it seems winning this race is reliable as long as your system has multiple processors (which is basically any modern system). With an open handle the directory is kept alive as long as needed for exploitation.
This is the point where the original PoC I sent to MSRC stopped, all the PoC did was create an arbitrary object directory. You can find this PoC attached to the initial bug report in the issue tracker. Now let’s get into how we might exploit this vulnerability to go from a normal user account to a privileged SYSTEM account.ExploitationThe main problem for exploitation is finding a location in which we can create an object directory which can then be leveraged to elevate our privileges. This turns out to be harder than you might think. While almost all Windows applications use object directories under the hood, such as BaseNamedObjects, the applications typically interact with existing directories which the vulnerability can’t be used to modify.
An object directory that would be interesting to abuse is KnownDlls (which I mentioned briefly in the previous blog in this series). This object directory contains a list of named image section objects, of the form NAME.DLL. When an application calls LoadLibrary on a DLL inside the SYSTEM32 directory the loader first checks if an existing image section is present inside the KnownDlls object directory, if the section exists then that will be loaded instead of creating a new section object.

KnownDlls is restricted to only being writable by administrators (not strictly true as we’ll see) because if you could drop an arbitrary section object inside this directory you could force a system service to load the named DLL, for example using the Diagnostics Hub service I described in my last blog post, and it would map the section, not the file on disk. However the vulnerability can’t be used to modify the KnownDlls object directory other than adding a new child directory which doesn’t help in exploitation. Maybe we can target KnownDlls indirectly by abusing other functionality which our vulnerability can be used with?
Whenever I do research into particular areas of a product I will always note down interesting or unexpected behavior. One example of interesting behavior I discovered when I was researching Windows symbolic links. The Win32 APIs support a function called DefineDosDevice, the purpose of this API is to allow a user to define a new DOS drive letter. The API takes three parameters, a set of flags, the drive prefix (e.g. X:) to create and the target device to map that drive to. The API’s primary use is in things like the CMD SUBST command.
On modern versions of Windows this API creates an object manager symbolic link inside the user’s own DOS device object directory, a location which can be written to by a normal low privileged user account. However if you look at the implementation of DefineDosDevice you’ll find that it’s not implemented in the caller’s process. Instead the implementation calls an RPC method inside the current session’s CSRSS service, specifically the method BaseSrvDefineDosDevice inside BASESRV.DLL. The main reason for calling into a privileged service is it allows a user to create a permanent symbolic link which doesn’t get deleted when all handles to the symbolic link object are closed. Normally to create a permanent named kernel object you need the SeCreatePermanentPrivilege privilege, however a normal user does not have that privilege. On the other hand CSRSS does, so by calling into that service we can create the permanent symbolic link.
The ability to create a permanent symbolic link is certainly interesting, but if we were limited to only creating drive letters in the user’s DOS devices directory it wouldn’t be especially useful. I also noticed that the implementation never verified that the lpDeviceName parameter is a drive letter. For example you could specify a name of “GLOBALROOT\RPC Control\ABC” and it would actually create a symbolic link outside of the user’s DosDevices directory, specifically in this case the path “\RPC Control\ABC”. This is because the implementation prepends the DosDevice prefix “\??” to the device name and passes it to NtCreateSymbolicLink. The kernel would follow the full path, finding GLOBALROOT which is a special symbolic link to return to the root and then follow the path to creating the arbitrary object. It was unclear if this was intentional behavior so I looked in more depth at the implementation in CSRSS, which is shown in abbreviated form below.
NTSTATUS BaseSrvDefineDosDevice(DWORD dwFlags,
                               LPCWSTR lpDeviceName,
                               LPCWSTR lpTargetPath) {
   WCHAR device_name[];
   snwprintf_s(device_name, L"\\??\\%s", lpDeviceName);
   UNICODE_STRING device_name_ustr;
   RtlInitUnicodeString(&device_name_ustr, device_name);
   InitializeObjectAttributes(&objattr, &device_name_ustr,                               OBJ_CASE_INSENSITIVE);

   BOOLEAN enable_impersonation = TRUE;
   HANDLE handle;
   NTSTATUS status = NtOpenSymbolicLinkObject(&handle, DELETE, &objattr);①

   if (NT_SUCCESS(status)) {
       BOOLEAN is_global = FALSE;

       // Check if we opened a global symbolic link.
       IsGlobalSymbolicLink(handle, &is_global); ②
       if (is_global) {
           enable_impersonation = FALSE; ③
           snwprintf_s(device_name, L"\\GLOBAL??\\%s", lpDeviceName);
           RtlInitUnicodeString(&device_name_ustr, device_name);

       // Delete the existing symbolic link.

   if (enable_impersonation) { ④

   // Create the symbolic link.
   UNICODE_STRING target_name_ustr;
   RtlInitUnicodeString(&target_name_ustr, lpTargetPath);

   status = NtCreateSymbolicLinkObject(&handle, MAXIMUM_ALLOWED,                                objattr, target_name_ustr); ⑤

   if (enable_impersonation) { ⑥
   if (NT_SUCCESS(status)) {
       status = NtMakePermanentObject(handle); ⑦
   return status;
We can see the first thing the code does is build the device name path then try and open the symbolic link object for DELETE access ①. This is because the API supports redefining an existing symbolic link, so it must first try to delete the old link. If we follow the default path where the link doesn’t exist we’ll see the code impersonates the caller (the low privileged user in this case) ④ then creates the symbolic link object ⑤, reverts the impersonation ⑥ and makes the object permanent ⑦ before returning the status of the operation. Nothing too surprising, we can understand why we can create arbitrary symbolic links because all the code does is prefix the passed device name with “\??”. As the code impersonates the caller when doing any significant operation we can only create the link in a location that the user could already write to.
What’s more interesting is the middle conditional, where the target symbolic link is opened for DELETE access, which is needed to call NtMakeTemporaryObject. The opened handle is passed to another function ②, IsGlobalSymbolicLink, and based on the result of that function a flag disabling impersonation is set and the device name is recreated again with the global DOS device location \GLOBAL?? as the prefix ③. What is IsGlobalSymbolicLink doing? Again we can just RE the function and check.
void IsGlobalSymbolicLink(HANDLE handle, BOOLEAN* is_global) {
   BYTE buffer[0x1000];
   NtQueryObject(handle, ObjectNameInformation, buffer, sizeof(buffer));
   RtlInitUnicodeString(&prefix, L"\\GLOBAL??\\");
   // Check if object name starts with \GLOBAL??
   *is_global = RtlPrefixUnicodeString(&prefix, (PUNICODE_STRING)buffer);
The code checks if the opened object’s name starts with \GLOBAL??\. If so it sets the is_global flag to TRUE. This results in the flag enabling impersonation being cleared and the device name being rewritten. What this means is that if the caller has DELETE access to a symbolic link inside the global DOS device directory then the symbolic link will be recreated without any impersonation, which means it will be created as the SYSTEM user. This in itself doesn’t sound especially interesting as by default only an administrator could open one of the global symbolic links for DELETE access. However, what if we could create a child directory underneath the global DOS device directory which could be written to by a low privileged user? Any symbolic link in that directory could be opened for DELETE access as the low privileged user could specify any access they liked, the code would flag the link as being global, when in fact that’s not really the case, disable impersonation and recreate it as SYSTEM. And guess what, we have a vulnerability which would allow us to create an arbitrary object directory under the global DOS device directory.
Again this might not be very exploitable if it wasn’t for the rewriting of the path. We can abuse the fact that the path “\??\ABC” isn’t the same as “\GLOBAL??\ABC” to construct a mechanism to create an arbitrary symbolic link anywhere in the object manager namespace as SYSTEM. How does this help us? If you write a symbolic link to KnownDlls then it will be followed by the kernel when opening a section requested by DLL loader. Therefore even though we can’t directly create a new section object inside KnownDlls, we can create a symbolic link which points outside that directory to a place that the low-privileged user can create the section object. We can now abuse the hijack to load an arbitrary DLL into memory inside a privileged process and privilege elevation is achieved.
Pulling this all together we can exploit our vulnerability using the following steps:
  1. Use the vulnerability to create the directory “\GLOBAL??\KnownDlls”
  2. Create a symbolic link inside the new directory with the name of the DLL to hijack, such as TAPI32.DLL. The target of this link doesn’t matter.
  3. Inside the user’s DOS device directory create a new symbolic link called “GLOBALROOT” pointing to “\GLOBAL??”. This will override the real GLOBALROOT symbolic link object when a caller accesses it via the user’s DOS device directory.
  4. Call DefineDosDevice specifying a device name of “GLOBALROOT\KnownDlls\TAPI32.DLL” and a target path of a location that the user can create section objects inside. This will result in the following operations:
    1. CSRSS opens the symbolic link “\??\GLOBALROOT\KnownDlls\TAPI32.DLL” which results in opening “\GLOBAL??\KnownDlls\TAPI32.DLL”. As this is controlled by the user the open succeeds, and the link is considered global which disables impersonation.
    2. CSRSS rewrites the path to “\GLOBAL??\GLOBALROOT\KnownDlls\TAPI32.DLL” then calls NtCreateSymbolicLinkObject without impersonation. This results in following the real GLOBALROOT link, which results in creating the symbolic link “\KnownDlls\TAPI32.DLL” with an arbitrary target path.
  5. Create the image section object at the target location for an arbitrary DLL, then force it to be loaded into a privileged service such as the Diagnostics Hub by getting the service to call LoadLibrary with a path to TAPI32.DLL.
  6. Privilege escalation is achieved.

Abusing the DefineDosDevice API actually has a second use, it’s an Administrator to Protected Process Light (PPL) bypass. PPL processes still use KnownDlls, so if you can add a new entry you can inject code into the protected process. To prevent that attack vector Windows marks the KnownDlls directory with a Process Trust Label which blocks all but the highest level level PPL process from writing to it, as shown below.

How does our exploit work then? CSRSS actually runs as the highest level PPL so is allowed to write to the KnownDlls directory. Once the impersonation is dropped the identity of the process is used which will allow full access.
If you want to test this exploit I’ve attached the new PoC to the issue tracker here.Wrapping UpYou might wonder at this point if I reported the behavior of DefineDosDevice to MSRC? I didn’t, mainly because it’s not in itself a vulnerability. Even in the case of Administrator to PPL, MSRC do not consider that a serviceable security boundary (example). Of course the Windows developers might choose to try and change this behavior in the future, assuming it doesn’t cause a major regression in compatibility. This function has been around since the early days of Windows and the current behavior since at least Windows XP so there’s probably something which relies on it. By describing this exploit in detail, I want to give MS as much information as necessary to address the exploitation technique in the future.
I did report the vulnerability to MSRC and it was fixed in the June 2018 patches. How did Microsoft fix the vulnerability? The developers added a new API, CreateAppContainerTokenForUser which impersonates the token during creation of the new AppContainer token. By impersonating during token creation the code ensures that all objects are created only with the privileges of the user. As it’s a new API existing code would have to be changed to use it, therefore there’s a chance you could still find code which uses the old CreateAppContainerToken in a vulnerable pattern.
Exploiting vulnerabilities on any platform sometimes requires pretty in-depth knowledge about how different components interact. In this case while the initial vulnerability was clearly a security issue, it’s not clear how you could proceed to full exploitation. It’s always worth keeping a log of interesting behavior which you encounter during reverse engineering as even if something is not a security bug itself, it might be useful to exploit another vulnerability.
Categories: Security

Lawyer iPad stories: Paul Kiesel

iPhone J.D. - Sun, 08/12/2018 - 21:48

I love to hear how other attorneys are using an iPhone or iPad in their law practice, so I always appreciate it when one of you is willing to share what you are using with the rest of the readers of iPhone J.D.  Today I am happy to share a submission from Paul Kiesel of Kiesel Law LLP, a plaintiff trial attorney in Beverly Hills, California.  Paul is a co-author of two legal treatises:  California Pretrial Civil Procedure and California Civil Discovery.

Paul loves to use technology in his law practice, and the ABA Journal even named him one of the Techiest Lawyers.  Paul has had a number of paperless jury trials over the last few years thanks to his iPad.  In just a few days on August 16, 2018, Paul will be teaching a CLE Webinar hosted by the Federal Bar Association called How the iPad Can Be a Litigator's Best Friend.  It is a two-hour CLE and starts at 2:00 Eastern. 

Here is what Paul told me about some of the ways that he uses his iPad Pro in his law practice::

- - - - -

Ten years ago, as files began to overwhelm our firm's working space and as our offsite archive service costs exceeded thousands of dollars each month, I thought there has to be a better way.  Necessity being the mother of invention, our firm began its journey to being paperless.  We started to scan each and every correspondence, pleading, medical record and other piece of paper entering our front door.

Five years ago, as our building office space became limited, a decision was made to eliminate our file "room" and actually remove the paper files.  I was able to recapture 20% of our building’s usable space by removing file cabinets.  At the same time, each attorney at the firm was provided an iPad in lieu of case files.

Now, five years later, the iPad is the single vehicle, with the exception of one partner who is partial to his Surface Pro, we use to review and annotate all materials.  For years I traveled with both a laptop and an iPad but with the advent of the iPad Pro 12.0" and the Apple Pencil, this is the single device I use and travel with.  Whether it be at my home reading the morning NY Times, LA Times, Wall Street Journal, or reviewing pleadings, the iPad is the single device.

In order to use the iPad for this purpose, I originally used PDF Expert to review and annotate documents.  Today, my go-to annotation program is Liquid Text.  Prior to using the iPad Pro 12.9", my go-to tablet was the original 9.7" version of the iPad, but for using Liquid Text the 12.9" size is a must.  Why?  Liquid Text splits the screen in two sections, one for the document and the other for notes.  Using the split screen really requires the additional real estate (screen size) the 12.9" iPad Pro provides.  I tested the 10.5" iPad Pro but still found it wasn’t a big enough screen to do the job.  So, my first recommendation is Liquid Text.

My second recommendation is to purchase a virtual private network (VPN) application.  A VPN provides a secure "pipe" for you to access the internet when on a public WiFi without fear that bad guys or gals are hacking into your communications.  The VPN app that I use is called Encrypt.Me, and it works magically.  [Jeff notes:  I reviewed this app back when it was called Cloak, and I agree that it is a fantastic app.]  The cost is minimal and the benefits, potentially massive.  The only caveat is that several public WiFi networks will not allow you to use a VPN when accessing.  An example is the GoGo WiFi network on commercial flights.  The GoGo network will not allow you to access their system if you have the VPN active.  It took me hours to figure out why I couldn’t log on to the network until I tried disabling the VPN and then I was able to get on.  So, you need to make a trade, at times, between access and security.

The next app I would recommend is TripIt.  This is a fantastic program that allows you to aggregate all of your travel plans in one spot.  [Jeff adds:  I reviewed the free version of TripIt in 2013 and I reviewed TripIt Pro in 2017.  I continue to pay for TripIt Pro because I find it so valuable when I travel.]

My final use of the iPad, although a bit unconventional and a wee bit pricey, is to send each of my settlement demand packages by way of an iPad.  My firm creates, for about 90 percent of my cases, a settlement "brochure" including a video depicting our liability analysis, the client’s injuries and damages, along with attached medical records and other documentary evidence.  I typically send between one and six iPads depending on the number of counsel, adjusters, and decision makers involved.  I have been doing that since the iPad was first introduced. 

There are dozens of other applications and uses that I don’t have time to share here, but feel free to view my webinar on "using your iPad" in trial.  Here’s the link.  Enjoy.

- - - - -

Thanks again, Paul, for taking the time to share with us some of the ways that you use your iPad.  Sending an iPad as a digital settlement brochure is a very interesting approach!

If any of you are willing to share your own experiences using an iPhone or iPad in your law practice with other iPhone J.D. readers, I'd love to hear from you.  In case you missed any of them, here are stories that I previously shared from other attorneys:

Categories: iPhone Web Sites

In the news

iPhone J.D. - Thu, 08/09/2018 - 23:55

If you will be in the New Orleans area two weeks from today, I will be presenting a one hour CLE at Noon on Friday, August 24 with tips for using an iPad in your law practice.  The CLE is free if you are a member of the New Orleans Bar Association.  Click here for more information.  We still have about a month to go before mid-September, when I expect Apple to announce the 2018 versions of the iPhone and iPad Pro, and considering that it is also the end of Summer, things are pretty slow in the land of iOS right now.  But there have been a few interesting developments, and here is the news of note from the past week:

Categories: iPhone Web Sites

IBM Power System E980 Technical Overview and Introduction

IBM Redbooks Site - Mon, 08/06/2018 - 09:30
Draft Redpaper, last updated: Mon, 6 Aug 2018

This IBM® Redpaper™ publication gives a broad understanding of a new architecture of the IBM Power System E980 server that support IBM AIX®, IBM i, and Linux operating systems.

Categories: Technology

IBM Power System E950 Technical Overview and Introduction

IBM Redbooks Site - Mon, 08/06/2018 - 09:30
Draft Redpaper, last updated: Mon, 6 Aug 2018

This IBM® Redpaper™ publication gives a broad understanding of a new architecture of the IBM Power System E950 server that support IBM AIX®, and Linux operating systems.

Categories: Technology

Lawyer iPhone stories: Jay Brinker

iPhone J.D. - Sun, 08/05/2018 - 19:42

I love to hear how other attorneys are using an iPhone or iPad in their law practice, so I always appreciate it when one of you is willing to share what you are using with the rest of the readers of iPhone J.D.  Today I am happy to share a submission from Jay Brinker, an estate planning attorney in Cincinnati, OH.  Jay also has a blog, which he uses to share interesting estate planning-related stories.  When I first started talking to Jay about the apps that he uses, he told me that he didn't use anything special, and said that because he is not a litigator, he doesn't use many of the well-known legal apps.  But I find that I always learn something no matter what kind of law practice someone has, and I am sure that most of you would agree.  So with no further ado, take it away, Jay:

- - - - -

When Jeff asked me if I could share my iPhone experiences with his readers, I was hesitant to do so because my use of iOS apps is limited compared to the litigators who use apps in trial and for trial prep.  Jeff persuaded me that my more non-power user approach could be useful nonetheless.  So here goes.


I am a solo estate planning attorney who just passed the five year anniversary of my first iPhone purchase.  I was slow to adopt because my prior cell phone provider offered a stupidly low rate ($100 or so for three lines) but did not sell iPhones nor support them, so I suffered through with a BlackBerry until the limitations became untenable.  Expectedly, that carrier is now out of business.

I view my iPhone as a life convenience device rather than a work tool, although it does assist with the large part of my life that is my law practice.

Some Apps for Work

SugarSync is my preferred file syncing and file sharing service because it plays well with my file organization.  It has a nice app for iOS which allows me to easily access any document on my office PC from my phone.  Twice in a six month period, I was out of the office (Marco Island and Prague) when I received an email requesting a client’s living will.  I was able to send the document to the requesting person almost immediately from my phone.

Square is my credit card processing app.  I appreciate its simplicity and relatively low cost.  The customer satisfaction of a client paying with a credit card and getting airline miles is worth the 2.75% or haircut I take.  A quote from a client:  “You take credit cards?  This gets better all of the time.”  That is worth $50 in reduced fees.

Office Lens from Microsoft is a free scanning app that I have been using recently to scan documents on the go.  I can scan and send the document to a myriad of cloud based services.

OneDrive by Microsoft is my cloud storage provider of choice for miscellaneous documents like travel itineraries, tickets, reservations, and other personal documents I want to access quickly.  The iOS app is easy to use.

Apple Pay Cash.  I love Apple Pay.  If Kroger accepted Apple Pay, my grocery shopping experience would be sublime.  Apple Pay Cash allows you to transfer funds to friends and others via text without the privacy concerns of Venmo nor transaction costs of other methods.  A younger out of town client wished to pay an invoice expeditiously last year, so I gave her my cell phone number and she paid via Apple Pay Cash.  I then transferred the funds to my office checking account.

Other Apps I Like

Overcast is my preferred podcast app thanks to Jeff.  I can build playlists and skip ahead or rewind in time allotments of my choice.  You can use the app for free.

Spotify is my music streaming app of choice.  The $240 annual family plan allows my children and me to access nearly any album ever released, build playlists of favorites, and listen to new CDs the day they are released.  I can download playlists onto my phone for offline playback in my car while also controlling music on my PC from the phone.  I am not sure how sustainable this business model is long term, but I love it.  There is also a free version if you do not mind commercials every fourth song.

Key Ring allows me to keep my loyalty cards on my phone and avoid having to carry a “Costanza wallet."  This app is free.

Banking app.  I love the convenience of mobile banking.  I have greatly reduced the number of bank trips for personal check deposits due to the app for my bank.  If my business bank had a larger monthly mobile deposit limit, life would be really sweet.

I also use the Zelle app to send money directly to a family member’s bank account which easily beats writing a check. 

Most Indispensable App

Starbucks Mobile App with its order ahead feature saves me between five and ten minutes every time I visit Starbucks.  I also accumulate rewards points for free drinks.  The app is free.

Deleted Apps

To save space, I recently deleted all of the free Microsoft Office apps.  I never use my phone to edit documents so there was no point in having them.

Apps Never On My Phone (or iPad)

Any social media app.  Pox on all of their houses.


I have a home iPad and an office iPad.  The home iPad is primarily for newspaper and blog reading.  I take the office iPad into meetings so I can quickly answer a question such as how a house is titled or the status of an estate.  I also use it to schedule the follow up meeting for clients to sign their estate planning documents.  I find it less intrusive than having a laptop for the same purposes.

Thanks for reading and thanks to Jeff for asking me to write.  I hope there was something helpful here.

- - - - -

Thanks again, Jay, for taking the time to share some of your favorite apps!  I had never heard of the Key Ring app, so I'll have to check that one out.

If any of you are willing to share your own experiences using an iPhone or iPad in your law practice with other iPhone J.D. readers, I'd love to hear from you.  And no, you don't have to be a litigator!  In case you missed any of them, here are stories that I previously shared from other attorneys:

Categories: iPhone Web Sites

In the news

iPhone J.D. - Fri, 08/03/2018 - 01:11

The market capitalization or "market cap" of a company is simply the share price multiplied by the number of shares outstanding, and is one method of indicating the public's opinion of the net worth of the company.  Yesterday, Apple became the first company to ever have a market cap of over a trillion dollars.  When the market closed, Apple's market cap was $1.002 trillion.  I thought that this comment from John Gruber of Daring Fireball was interesting:  "That '.002' looks insignificant but represents $2 billion — about what the entire company was worth in 1996."  It was obvious for a while now that this day was coming, so a number of news sites had articles ready to run when the milestone was crossed.  I'll recommend two of them that were particularly good:  an article by Jack Nicas in the New York Times, and an article by Brad Stone of Bloomberg.  There are lots of reasons that Apple achieved this success, but there is no question that the number one reason was the iPhone.  And now, the news of note from this past week:

  • Illinois attorney Warren Freiberg wrote an article for TechnoLawyer recommending apps that are useful for attorneys.  I myself use recommend almost all of the apps identified in that article.  Click here to download the article in PDF format.
  • I went back and forth about whether to link to this article because the premise is so shaky.  In an article for the ABA's GP Solo, legal consultant Seth Rowland asked his son Samuel Rowland, a college student, to try to figure out what mobile apps lawyers might want to use.  The older Rowland explained that he did this because he hasn't practiced law in two decades and his primary focus is PC software, not mobile apps.  Um, okay, but asking a journalism major to pick the best apps for lawyers seems about as valuable as asking me to pick out the best apps for dentists.  The only qualification offered for the younger Rowland was that he is "an avid cell phone user."  Of course, that also accurately describes most of the kids at my son's middle school.  As you might guess, the article fails to mention a ton of useful (and obvious) apps.  But I'm linking to it anyway because it also names some truly good apps, and any time you look at a list of apps there is always the chance that you will come across an app that speaks to you.  So if you dare, click here to read Legal Apps for the Lawyer on the Go.  (And while I disagree with the premise of this article, kudos to Sam for giving it the old college try and finding some of the good apps.)
  • Earlier this week, I reported on Apple's 2018 fiscal third quarter.  In an article for Macworld, Jason Snell offered four interesting takeaways from the results.  And in an article for Six Colors, Snell digs a little deeper into the results.
  • Bradley Chambers of 9to5Mac recommends some of the best iPhone weather apps.
  • Vanity Fair has an interesting excerpt from an upcoming memoir by Lisa Brennan-Jobs, daughter of Steve Jobs, call Small Fry.  They had an awkward relationship, to say the least, and I enjoyed this excerpt.
  • And finally, this short 15-second video advertising the iPad does a good job of showing why I love my almost-completely paperless law practice, which wouldn't be possible without my iPad.  It is called Paperless Paperwork:

Categories: iPhone Web Sites

Adventures in vulnerability reporting

Google Project Zero - Thu, 08/02/2018 - 14:56
Posted by Natalie Silvanovich, Project Zero

At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since it is important to user security that software vendors fix reported vulnerabilities in a timely matter, and vendors need to actually receive the report for this to happen, we have decided to share some of our experiences. We hope to show that good practices by software vendors can avoid delays in vulnerability reporting.
Effective Vulnerability Reporting ProcessesThere are several aspects of a bug reporting process that make reporting vulnerabilities easier from the bug reporter’s perspective. To start off, it’s important for a bug reporting process to be easy to find and use. We sometimes have difficulty figuring out how to report a vulnerability in a piece of software if the vulnerability reporting process is not documented on the project or vendor’s website, or if outdated material is not removed and instructions for reporting vulnerabilities are inconsistent. This can lead to delays in reporting. Effective vulnerability reporting processes are clearly documented, and the documentation is easy to find.
We also appreciate when the process for reporting a vulnerability is short and straightforward. Occasionally, we report dozens of vulnerabilities in a vendor’s products, and it is helpful when reporting does not require a lot of clicks and reading. Reporting processes that use email or bug trackers are usually the easiest, though webforms can be easy if they are not excessively long. While Project Zero will always report a vulnerability, even if reporting it is very time consuming, this is not necessarily the case for other bug reporters. Long bug reporting processes can cause bug reporters to report bugs more slowly, spend less time working on a piece of software or even give up on reporting a bug. The easier a bug reporting process is, the more likely it is that someone will go through with it.
It’s also important for bug reporting processes to be well-tested. While the majority we encounter are, we’ve occasionally had bug reporting email addresses bounce, webforms reject necessary information (like the reporter’s name) and security issues go unnoticed in bug trackers for months despite following the documented process. Vendors with good processes usually test that their process and any systems it involves works correctly on a regular basis.
Mandatory legal agreements in the reporting process are another problem that we encounter every so often. If a legal agreement contains language about disclosure or any other subject we don’t feel comfortable entering an agreement about on behalf of our company, deciding whether to enter the agreement can require a lengthy discussion, delaying the bug report. While legal agreements are sometimes necessary for rewards programs and code contributions, good vulnerability reporting processes allow bug reporters to report bugs without them.
It is also helpful when vendors confirm that vulnerability reports have been received in a timely manner. Since bug reports can get lost for a number of reasons, including bugs in the reporting interface and human error, it is a good idea to let reporters know that their report has been received, even if it won’t be processed right away. This lets the reporter know that they’ve reported the bug correctly, and don’t need to spend any more time reporting it, and makes it more likely that bug reporters will reach out if a bug report gets lost, as they will be expecting a confirmation.
Finally, even if good practices are followed in creating the bug reporting process, it is still possible that a bug reporting process has problems, so it is very helpful if vendors provide a way to give feedback on the process. It’s very rare for vendors to intentionally make bug reporting difficult, but unexpected problems happen fairly frequently, so it is good to provide a way bug reporters can reach out for help as a last resort if a reporting a bug fails for any reason.
ExamplesOne example of a bug we had difficulty reporting due to a vendor not following the practices described above is CVE-2018-10751.  CVE-2018-10751 is a remote memory corruption vulnerability in OMACP affecting the Samsung S7 Edge. The issue can be triggered by sending a single SMS to the target device, and does not require any user interaction. The payload can be sent from an app on an Android device without root access or any special equipment. It is similar to CVE-2016-7990, which is described in detail here.
Samsung’s Vulnerability Reporting ProcessCVE-2018-10751 is a serious vulnerability, and I wanted to report it immediately. I started off by reading Samsung Mobile’s Security Reporting page. This page has a button to create a bug report.
https://security.samsungmobile.com/securityReporting.smsb Accessed February 22, 2018
Pressing the button led to a sign-up page. I didn’t have a Samsung account, so I tried to sign up. Unfortunately, it led to this page:
https://security.samsungmobile.com/securityReporting.smsb Accessed February 22, 2018
Not speaking Korean, I wasn’t sure what to do here. I eventually went back to the previous page and tried the ‘Sign-in’ button.
This brought me to an English sign-up page, which then brought me to the account creation page. According to this page, I had to read and agree to some terms. Clicking the links led to over twenty separate agreements, most of which had nothing to do with vulnerability reporting.https://account.samsung.com Accessed February 22, 2018
That’s a lot of text to read and review. Let’s just say I skimmed a bit. Once I clicked ‘Agree’, I was taken to a page where I could enter account information. The page required my birthdate and zip code, which I wasn’t thrilled to have to provide to report a vulnerability, but I wanted to get the issue reported, so I entered them. Finally, my account was created! I logged in, hoping to start reporting the bug, only to be greeted with more conditions.
https://account.samsung.com Accessed February 22, 2018
These ones were in Korean, and I couldn’t figure out how to change the language. Eventually, I just selected confirm. Finally, I got to the form where I could report bugs!
https://security.samsungmobile.com/securityReporting.smsb Accessed February 22, 2018
I filled out the vulnerability information, and scrolled down, and there was one more set of terms to agree to:https://security.samsungmobile.com/securityReporting.smsb Accessed February 22, 2018
These terms included:
- You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung’s  consent or inform Samsung about the date before disclosing the vulnerability.- In some cases, Samsung may request not to disclose the vulnerability at all.
I was not able to submit this form without agreeing to allow Samsung some level of control over disclosure of reported vulnerability. I looked around Samsung’s security page to see if they provided an email address I could report the issue to, but they did not provide one. I was not comfortable reporting this bug through the mechanisms Samsung provides for vulnerability reporting on their website.
Problems with Vulnerability Reporting Processes
I encountered several problems while trying to report the above vulnerability—most of which have been since resolved by Samsung.
To start off, Samsung’s bug reporting process did not seem adequately tested. The many times that Korean text showed up while attempting to report this vulnerability suggests that it was not tested in English. As described above, is important for vendors to test vulnerability reporting processes, including for internationalization issues. The workflow is also excessively long, and requires the reporter to agree to a very large number of agreements, many of which have nothing to do with vulnerability reports. I suspect that the people testing this interface might have already had accounts, and not seen how long the process is for someone who just wants to report a bug.
This isn’t an uncommon problem. The Android security reporting template requires creating a GMail account, which can require clicking through many screens and verification via SMS in some circumstances. As a result of our feedback, the Android Security team has improved the documentation that vulnerability reports can be filed via email (security@android.com), although using the web form is still required to participate in the Android Security rewards program.
Another problem was that in order to report a bug, a reporter had to agree to the terms of the rewards program. This is an issue that Project Zero has been seeing increasingly often. When software vendors start rewards programs, they often remove existing mechanisms for reporting vulnerabilities, leaving bug reporters with no way to report vulnerabilities without entering into agreements.
This also occurred when Tavis Ormandy attempted to report the vulnerability he reluctantly dubbed CloudBleed. Cloudflare’s vulnerability reporting process is tied to its rewards program with HackerOne, and there is no clear way to report a vulnerability without creating a HackerOne account in their Vulnerability Disclosure Policy. The policy even states “We agree with their disclosure philosophy, and if you do too, please submit your vulnerability reports here” without providing an alternative for vulnerability reporters who don’t agree or don’t want to participate in the program for whatever reason. In Project Zero’s case, our disclosure deadline is 90 days meanwhile HackerOne’s deadline is 180 days. This vulnerability was also very urgent as it was actively leaking user data onto the Internet, and we didn’t want to delay reporting the issue while we read through HackerOne’s terms to determine whether they were compatible with our disclosure policy.
We find that vendors generally don’t intend to prevent bug reports from anyone who won’t agree to their disclosure rules, but this was the end result of Samsung and Cloudflare replacing their bug reporting process with a rewards program.
The specific terms of Samsung’s agreement were also fairly vague. In particular, it wasn’t clear what the consequences of breaking the terms would be. For example:
- You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung’s  consent or inform Samsung about the date before disclosing the vulnerability.
Does this mean that if someone discloses a vulnerability without permission, they are not eligible for a reward? Does it mean that if someone discloses the vulnerability without permission, Samsung can take legal action against them? While requiring that bug reporters not disclose vulnerabilities to receive rewards is a policy with debatable benefit, I would have been much more comfortable agreeing to these terms if they had spelled out that violating them would simply mean I would not receive a reward, as opposed to other legal consequences. Overall, the issues of poorly tested bug reporting interfaces and requiring legal agreements to report vulnerabilities have come up multiple times, and led to delays of Project Zero reporting vulnerabilities. We recommend that vendors test their vulnerability reporting interfaces from the perspective of someone who’s never reported a bug from outside of their corporate network, and make sure to do localized testing. It is also important to allow bug reports without requiring the reporter to enter into excessive legal agreements.
While only accepting vulnerability reports via web forms can reduce the number of invalid reports, which is a major challenge for teams accepting vulnerability reports, they can also be unreliable and prevent vulnerability reporting in situations that were not expected by those designing them, unless they are very well tested. Having an alternate email address that vulnerability reporters can use to report bugs if they encounter problems is a good way to prevent this type of problem.
Reporting the BugI eventually contacted some members of the Knox security team at Samsung that I had worked with on previous bugs and they recommended reporting the issue to mobile.security@samsung.com. This email is not documented on the Samsung website, except for a single blog post from 2015.
The difficulty I encountered reporting this serious vulnerability delayed my report one week. It might have caused a longer delay if I did not have contacts at Samsung who could help.
Samsung started rolling out updates for CVE-2018-10751 (Samsung’s identifier SVE-2018-11463) in their April maintenance release.
Samsung has updated their account creation page so that it always displays English text if the language is set to English. Also, the vulnerability report form can now be submitted without agreeing to the terms for the Samsung’s rewards program, though the user still has to agree to two other agreements. They have also updated their bug reporting page to provide an email address as well as a webform. We appreciate the changes they have made to make reporting vulnerabilities in Samsung products easier for everyone.
ConclusionProject Zero has occasionally had difficulty reporting vulnerabilities, leading to delays in reporting the bug. Usually, these are due to problems in the reporting process that were not intended or expected by the vendor. A difficult vulnerability reporting process can have a negative impact on user security due to delays in vulnerability reports, lost vulnerability reports and even bug reporters choosing not to report a vulnerability. We appreciate when vendors do the following to make their bug reporting processes easier for bug reporters:
  • Vendors should regularly test their vulnerability reporting interfaces in all supported languages
  • Vendors should streamline their vulnerability reporting processing as much as possible, and remove excessive clicks and legal agreements
  • Vendors should regularly solicit feedback on their vulnerability reporting mechanisms from vulnerability reporters and people they think are likely to report vulnerabilities
Categories: Security

MacTrack / iTrack -- go to Disney World to learn more about using your iPhone and iPad in your law practice

iPhone J.D. - Wed, 08/01/2018 - 23:56

One of the best ways to learn more about getting more out of an iPhone or iPad in your law practice is to hear directly from other attorneys with expertise in this area.  This is one of the reasons that I enjoy going to ABA TECHSHOW in Chicago every Spring.  Having said that, the last few TECHSHOW conferences have not focused on mobile technology as much as I would have liked.  For years, I have heard great things about the MacTrack Legal conference.  The conference has traditionally been focused on helping solo and small firm lawyers who use Macs, but this year — the 10th year of the conference — it will be called MacTrack / iTrack Legal, and most of the conference will focus on using iPhones and iPads.  If you are looking to attend a conference to learn more about using your iOS device, I cannot think of a better place to go.

The conference is September 27 to 29, 2018, at Disney's Yacht & Beach Club at Walt Disney World in Orlando, FL.  It is easy to get flights to Orlando from most anywhere, and it may be easier to justify the trip if your family can join you and attend the parks while you are at the conference.  The conference occurs during the Epcot Food & Wine Festival.  Attendees can take advantage of a discounted hotel rate not only during the conference, but also for three days before and after the conference.

While the venue alone makes this conference attractive, the real reasons for you to go are the speakers and the attendees.  In past years, the speaker list has been fantastic, and the folks who are already identified on the conference website this year are fantastic.  Not only do they know a ton about using an iOS device (and a Mac), but they are also friendly folks and great teachers.  Just to mention a few, I'm big fans of Florida attorney Katie Floyd (of MacPowerUsers), legal tech consultant Brett Burney, New Jersey estate planning attorney Victor Medina (who is planning the conference), Canadian attorney Bjorn "Barney" Christianson, and Pennsylvania attorney Evan Kline.  I've seen all of them teach sessions on using iOS devices, and in some cases I've even co-presented with them.  In addition to the speakers, numerous attorneys have told me that they attend this conference again and again because of the great folks who were attending, which makes sense because this is a smaller and more intimate conference — the opposite of a mega-conference like TECHSHOW.

I had hoped to be able to speak at this conference this year given the focus on iOS, but unfortunately my schedule doesn't permit it.  But if your schedule does, I encourage you to give this one a look.  I know that it will be an enjoyable and incredibly informative conference.

Here is a video in which Victor explains what makes this conference so special:

Here is a link to a PDF file with more information on the individual sessions.

Click here for more information on MacTrack / iTrack Legal.

Categories: iPhone Web Sites

IBM Power Systems H922 and H924 Technical Overview and Introduction

IBM Redbooks Site - Wed, 08/01/2018 - 09:30
Redpaper, published: Wed, 1 Aug 2018

This IBM® Redpaper™ publication is a comprehensive guide that covers the IBM Power System H924 (9223-42H), and IBM Power System H922 (9223-22H) servers that support memory-intensive workloads such as SAP HANA, and deliver superior price/performance for mission-critical applications in IBM AIX®, IBM i, and Linux operating systems.

Categories: Technology

Apple 2018 fiscal third quarter -- the iPhone and iPad angle

iPhone J.D. - Tue, 07/31/2018 - 22:48

Yesterday, Apple released the results for its 2018 fiscal third quarter (which ran from April 1, 2018 to June 30, 2018) and held a call with analysts to discuss the results.  This is typically not a big fiscal quarter for Apple; the important quarter for Apple every year is the first fiscal quarter (containing the holiday sales season).  During the fiscal third quarter, most potential Apple customers — which for the most part means iPhone customers — are waiting to see what new products Apple will introduce in the Fall.  Even so, Apple had their best fiscal third quarter ever, with quarterly revenue of $53.3 billion.  Apple CEO Tim Cook attributed the impressive revenues to three factors:  iPhone sales, service revenue such as the App Store and Apple Music, and wearable product sales such as the Apple Watch and AirPods.  If you want to get all of the nitty gritty details, you can download the audio from the announcement conference call from iTunes, or you can read a transcript of the call prepared by Seeking Alpha, or a transcript prepared by Jason Snell of Six Colors.  Apple's official press release is here.  As always, I'm not as interested in the financial details as I am the statements of Apple executives during the call that are of interest to iPhone and iPad users.  Here are the items that stood out to me.


  • During the past quarter, Apple sold 41.3 million iPhones, just slightly more than the 41 million iPhones sold in 2017's third fiscal quarter. The all-time record for iPhone sales in a fiscal Q3 was in 2015, when Apple sold 47.5 million iPhones.
  • While the increase in the number of iPhones sold versus 2017 Q3 was modest, the increase in revenue from iPhone sales was more impressive thanks to sales of the more expensive iPhone X.  iPhone revenue was $24.8 million in 2017 Q3, but it rose to $29.9 million in 2018 Q3, a 20% increase.
  • By my count, Apple has sold 1.421 billion iPhones since they first went on sale in 2007.
  • What kinds of iPhones are people buying?  For the second quarter in a row, the top-of-the-line iPhone X was the best-seller.  The critics who predicted that few folks would want to pay more for a more powerful iPhone were clearly wrong.


  • Apple sold just over 11.5 million iPads in the fiscal third quarter, around 100,000 more iPads than Apple sold a year ago. 
  • I don't know if Apple will ever return to the larger iPad sales numbers that the company saw many years ago, including a high of 19.5 million iPads in 2013 Q2.  Nevertheless this is now the fifth quarter in a row that the average number of iPads sold has increased, if you look at a four quarter average.
  • By my count, Apple has sold over 415 million iPads since they first went on sale in 2010.
  • Apple CFO Luca Maestri said that almost half of iPad purchases in the past quarter were by customers new to iPad.


  • A relatively new area of revenue for Apple is app subscriptions, such as apps that are free to download but for which you pay a monthly or yearly subscription fee to access more advanced features.  Cook said that the App Store now includes almost 30,000 apps which offer subscriptions.
  • Because the App Store turned 10 years old last month, Cook spent some time noting its impressive numbers, and the App Store saw its largest ever quarterly revenue in 2018 Q3.  He did not disclose how much of that was spent on the game Fortnite.
  • Cook noted that this past quarter saw all-time highs for both the number of monthly active users of the Messages app and for the number of FaceTime calls made.  If my son is an accurate guidepost, then a lot of those text messages and FaceTime calls are the result of kids being on summer vacation.
  • In the first three quarters of fiscal 2018, there were over 100 billion Siri requests.
  • Here in New Orleans, the two major pharmacies are Walgreen's and CVS.  One of the reasons that I typically choose Walgreen's is that it works great with Apple Pay.  But Cook announced that this Fall, Apple Pay will start to be accepted at CVS (and 7-Eleven too).
  • Cook said that when iOS 12 comes out, the iPhone will be noticeably faster.  The camera on the iPhone will launch up to 70% faster, the keyboard will appear up to 50% faster, and apps will be able to launch up to twice as fast.
  • Cook discussed the impact of President Trump's recent trade war.  He said that tariffs are "a tax on the consumer and wind up resulting in lower economic growth."  Having said that, Cook said that none of Apple's products were directly affected by three recent tariffs, and that Apple was still evaluating another one.  Cook concluded by saying that he was "optimistic that the countries will get through this, and we are hoping that calm heads prevail."
  • Everyone knows that Apple is now developing TV shows and movies and that it will at some point have some service to announce.  Cook said that he wasn't yet ready to share the details, but that he "couldn't be more excited about what's going on there, and we've got great talent in the area that we've sourced from different places, and [we] feel really good about what we will eventually offer."
  • Over 50 million people are now using Apple Music, although an (undisclosed) number of those are in a free trial period.
Categories: iPhone Web Sites

IBM Power System L922 Technical Overview and Introduction

IBM Redbooks Site - Tue, 07/31/2018 - 09:30
Redpaper, published: Tue, 31 Jul 2018

This IBM® Redpaper™ publication is a comprehensive guide covering the IBM Power System L922 (9008-22L) server, which was designed for data-intensive workloads such as databases and analytics in the Linux operating system.

Categories: Technology

IBM Spectrum Scale Immutability Introduction, Configuration Guidance, and Use Cases

IBM Redbooks Site - Mon, 07/30/2018 - 09:30
Redpaper, published: Mon, 30 Jul 2018

This IBM Redpaper™ publication introduces the IBM Spectrum Scale immutability function.

Categories: Technology

Machine Learning with Business Rules on IBM Z: Acting on Your Insights

IBM Redbooks Site - Fri, 07/27/2018 - 09:30
Redpaper, published: Fri, 27 Jul 2018

This Redpaper introduces the integration between two IBM products that you might like to consider when implementing a modern agile solution on your Z systems.

Categories: Technology

IBM Z Integration Guide for the Hybrid Cloud and API Economy

IBM Redbooks Site - Fri, 07/27/2018 - 09:30
Redpaper, published: Fri, 27 Jul 2018

Today, organizations are responding to market demands and regulatory requirements faster than ever by extending their applications and data to new digital applications.

Categories: Technology

In the news

iPhone J.D. - Fri, 07/27/2018 - 01:48

As noted by Juli Clover of MacRumors, Google's Street View app for iOS was updated this week to support the larger screen of the iPhone X.  I've had this app for a while, but this update caused me to try it out again this week, and it is amazing how powerful it is.  Enter any address, hold up your iPhone and tap the street view image and then tap the compass button at the top right, and you can move your iPhone around and "see" the area almost as if you were standing there at the address.  For an even more immersive experience, place your iPhone in an inexpensive Google Cardboard device.  Choose some interesting locations like in front of the Eiffel Tower in Paris or in front of the Lincoln Memorial in Washington, DC for some free virtual reality tourism.  And now, the news of note from the past week:

  • Chicago attorney John Voorhees is also an app developer and an editor at MacStories, and he was recently interviewed by Filip Brož of the Czechoslovakian website iPure.
  • A post on the GoodNotes blog provides tips for taking electronic notes at a conference.
  • William Gallagher of AppleInsider provides an overview of all of the ways to create text on an iPad:  text editors, note-taking apps, and word processors.
  • If you want an app to help you remember things which is a little more powerful than the built-in Reminders app, Federico Viticci of MacStories reviews the GoodTasks app.
  • Rosemary Orchard discusses some useful apps which run within the Messages app.  To be honest, the idea of running a mini-app within Messages still seems a little strange to me, so I haven't really explored this very much.
  • Chance Miller of 9to5Mac notes that Carrot Weather, my favorite weather app, was recently updated to add the ability to provide hurricane tracker notifications.  Like most folks who live in the Gulf South, I'd rather not be thinking about hurricanes, but we are definitely getting closer to the peak season.  (Hurricane Katrina made landfall` on August 29, 2005.)
  • Ian Fuchs of Cult of Mac reviews Documents by Readdle, a very useful app.
  • Drew Coffman of The Sweet Setup reviews the Lutron Caseta dimmer switch, a HomeKit-compatible light switch that I use throughout my house and which I really like.  (My review.)  I also see that the Lutron Smart Bridge, which I bought for over $100, is now $79.95 on Amazon.
  • And finally, Apple released a new video advertisement for the iPhone X which shows off its computing prowess at running powerful games.  The ad is called Unleash.  As John Gruber of Daring Fireball noted, it seems strange for Apple to release a new ad for the iPhone X when, presumably, the successor to the iPhone X will be unveiled in two months.  Regardless, it's a neat video:

Categories: iPhone Web Sites

Drawing Outside the Box: Precision Issues in Graphic Libraries

Google Project Zero - Thu, 07/26/2018 - 12:47
By Mark Brand and Ivan Fratric, Google Project Zero
In this blog post, we are going to write about a seldom seen vulnerability class that typically affects graphic libraries (though it can also occur in other types of software). The root cause of such issues is using limited precision arithmetic in cases where a precision error would invalidate security assumptions made by the application.
While we could also call other classes of bugs precision issues, namely integer overflows, the major difference is: with integer overflows, we are dealing with arithmetic operations where the magnitude of the result is too large to be accurately represented in the given precision. With the issues described in this blog post, we are dealing with arithmetic operations where the magnitude of the result or a part of the result is too small to be accurately represented in the given precision.
These issues can occur when using floating-point arithmetic in operations where the result is security-sensitive, but, as we’ll demonstrate later, can also occur in integer arithmetic in some cases.
Let’s look at a trivial example:
 float a = 100000000;  float b = 1;  float c = a + b;
If we were making the computation with arbitrary precision, the result would be 100000001. However, since float typically only allows for 24 bits of precision, the result is actually going to be 100000000. If an application makes the normally reasonable assumption that a > 0 and b > 0 implies that a + b > a, then this could lead to issues.
In the example above, the difference between a and b is so significant that b completely vanishes in the result of the calculation, but precision errors also happen if the difference is smaller, for example
 float a = 1000;  float b = 1.1111111;  float c = a + b;
The result of the above computation is going to be 1001.111084 and not 1001.1111111 which would be the accurate result. Here, only a part of b is lost, but even such results can sometimes have interesting consequences.
While we used the float type in the above examples, and in these particular examples using double would result in more accurate computation, similar precision errors can happen with double as well.
In the remainder of this blog post, we are going to show several examples of precision issues with security impact. These issues were independently explored by two Project Zero members: Mark Brand, who looked at SwiftShader, a software OpenGL implementation used in Chrome, and Ivan Fratric, who looked at the Skia graphics library, used in Chrome and Firefox. SwiftShaderSwiftShader is “a high-performance CPU-based implementation of the OpenGL ES and Direct3D 9 graphics APIs”. It’s used in Chrome on all platforms as a fallback rendering option to work around limitations in graphics hardware or drivers, allowing universal use of WebGL and other advanced javascript rendering APIs on a far wider range of devices.
The code in SwiftShader needs to handle emulating a wide range of operations that would normally be performed by the GPU. One operation that we commonly think of as essentially “free” on a GPU is upscaling, or drawing from a small source texture to a larger area, for example on the screen. This requires computing memory indexes using non-integer values, which is where the vulnerability occurs.
As noted in the original bug report, the code that we’ll look at here is not quite the code which is actually run in practice - SwiftShader uses an LLVM-based JIT engine to optimize performance-critical code at runtime, but that code is more difficult to understand than their fallback implementation, and both contain the same bug, so we’ll discuss the fallback code. This code is the copy-loop used to copy pixels from one surface to another during rendering:
 source->lockInternal((int)sRect.x0, (int)sRect.y0, sRect.slice, sw::LOCK_READONLY, sw::PUBLIC);
 dest->lockInternal(dRect.x0, dRect.y0, dRect.slice, sw::LOCK_WRITEONLY, sw::PUBLIC);

 float w = sRect.width() / dRect.width();
 float h = sRect.height() / dRect.height();

 const float xStart = sRect.x0 + 0.5f * w;
 float y = sRect.y0 + 0.5f * h;
 float x = xStart;

 for(int j = dRect.y0; j < dRect.y1; j++)
   x = xStart;

   for(int i = dRect.x0; i < dRect.x1; i++)
     // FIXME: Support RGBA mask
     dest->copyInternal(source, i, j, x, y, options.filter);

     x += w;

   y += h;


So - what highlights this code as problematic? We know prior to entering this function that all the bounds-checking has already been performed, and that any call to copyInternal with (i, j) in dRect and (x, y) in sRect will be safe.
The examples in the introduction above show cases where the resulting precision error means that a rounding-down occurs - in this case that wouldn’t be enough to produce an interesting security bug. Can we cause floating-point imprecision to result in a larger-than-correct value, leading to (x, y) values that are larger than expected?
If we look at the code, the intention of the developers is to compute the following:
 for(int j = dRect.y0; j < dRect.y1; j++)
   for(int i = dRect.x0; i < dRect.x1; i++)
   {      x = xStart + (i * w);      Y = yStart + (j * h);
     dest->copyInternal(source, i, j, x, y, options.filter);
If this approach had been used instead, we’d still have precision errors - but without the iterative calculation, there’d be no propagation of the error, and we could expect the eventual magnitude of the precision error to be stable, and in direct proportion to the size of the operands. With the iterative calculation as performed in the code, the errors start to propagate/snowball into a larger and larger error.
There are ways to estimate the maximum error in floating point calculations; and if you really, really need to avoid having extra bounds checks, using this kind of approach and making sure that you have conservative safety margins around those maximum errors might be a complicated and error-prone way to solve this issue. It’s not a great approach to identifying the pathological values that we want here to demonstrate a vulnerability; so instead we’ll take a brute-force approach.
Instinctively, we’re fairly sure that the multiplicative implementation will be roughly correct, and that the implementation with iterative addition will be much less correct. Given that the space of possible inputs is small (Chrome disallows textures with width or height greater than 8192), we can just run a brute force over all ratios of source width to destination width, comparing the two algorithms, and seeing where the results are most different. (Note that SwiftShader also limits us to even numbers). This leads us to the values of 5828, 8132; and if we compare the computations in this case (left side is the iterative addition, right side is the multiplication):
0:    1.075012 1.075012
1:    1.791687 1.791687
1000: 717.749878 717.749878   Up to here (at the precision shown) the values are still identical
1001: 718.466553 718.466553
2046: 1467.391724 1467.391724 At this point, the first significant errors start to occur, but note
2047: 1468.108398 1468.108521 that the "incorrect" result is smaller than the more precise one.
2856: 2047.898315 2047.898438
2857: 2048.614990 2048.614990 Here our two computations coincide again, briefly, and from here onwards
2858: 2049.331787 2049.331787 the precision errors consistently favour a larger result than the more
2859: 2050.048584 2050.048340 precise calculation.
8129: 5827.567871 5826.924805
8130: 5828.284668 5827.641602
8131: 5829.001465 5828.358398 The last index is now sufficiently different that int conversion results in an oob index.

(Note also that there will also be error in the “safe” calculation; it’s just that the lack of error propagation means that that error will remain directly proportional to the size of the input error, which we expect to be “small.”)
We can indeed see that, the multiplicative algorithm would remain within bounds; but that the iterative algorithm can return an index that is outside the bounds of the input texture!
As a result, we read an entire row of pixels past the end of our texture allocation - and this can be easily leaked back to javascript using WebGL. Stay tuned for an upcoming blog post in which we’ll use this vulnerability together with another unrelated issue in SwiftShader to take control of the GPU process from javascript.SkiaSkia is a graphics library used, among other places, in Chrome, Firefox and Android. In the web browsers it is used for example when drawing to a canvas HTML element using CanvasRenderingContext2D or when drawing SVG images. Skia is also used when drawing various other HTML elements, but canvas element and SVG images are more interesting from the security perspective because they enable more direct control over the objects being drawn by the graphic library.
The most complex type of object (and therefore, most interesting from the security perspective) that Skia can draw is a path. A path is an object that consists of elements such as lines, but also more complex curves, in particular quadratic or cubic splines.
Due to the way software drawing algorithms work in Skia, the precision issues are very much possible and quite impactful when they happen, typically leading to out-of-bounds writes.
To understand why these issues can happen, let’s assume you have an image in memory (represented as a buffer with size = width x height x color size). Normally, when drawing a pixel with coordinates (x, y) and color c, you would want to make sure that the pixel actually falls within the space of the image, specifically that 0 <= x < width and 0 <= y < height. Failing to check this could result in attempting to write the pixel outside the bounds of the allocated buffer. In computer graphics, making sure that only the objects in the image region are being drawn is called clipping.
So, where is the problem? Making a clip check for every pixel is expensive in terms of CPU cycles and Skia prides itself on speed. So, instead of making a clip check for every pixel, what Skia does is, it first makes the clip check on an entire object (e.g. line, path or any other type of object being drawn). Depending on the clip check, there are three possible outcomes:
  1. The object is completely outside of the drawing area: The drawing function doesn’t draw anything and returns immediately.

  1. The object is partially inside the drawing area: The drawing function proceeds with per-pixel clip enabled (usually by relying on SkRectClipBlitter).

  1. The entire object is in the drawing area: The drawing function draws directly into the buffer without performing per-pixel clip checks.

The problematic scenario is c) where the clip check is performed only per-object and the more precise, per-pixel checks are disabled. This means, if there is a precision issue somewhere between the per-object clip check and the drawing of pixels and if the precision issue causes the pixel coordinates to go outside of the drawing area, this could result in a security vulnerability.
We can see per-object clip checks leading to dropping per-pixel checks in several places, for example:
  • In hair_path (function for drawing a path without filling), clip is initially set to null (which disables clip checks). The clip is only set if the bounds of the path, rounded up and extended by 1 or 2 depending on the drawing options don’t fit in the drawing area. Extending the path bounds by 1 seems like a pretty large safety margin, but it is actually the least possible safe value because drawing objects with antialiasing on will sometimes result in drawing to nearby pixels.

  • In SkScan::FillPath (function for filling a path with antialiasing turned off), the bounds of the path are first extended by kConservativeRoundBias and rounded to obtain the “conservative” path bounds. A SkScanClipper object is then created for the current path. As we can see in the definition of SkScanClipper, it will only use SkRectClipBlitter if the x coordinates of the path bounds are outside the drawing area or if irPreClipped is true (which only happens when path coordinates are very large).

Similar patterns can be seen in other drawing functions.
Before we take a closer look at the issues, it is useful to quickly go over various number formats used by Skia:
  • SkScalar is a 32-bit floating point number

  • SkFDot6 is defined as an integer, but it is actually a fixed-point number with 26 bits to the left and 6 bits to the right of the decimal point. For example, SkFDot6 value of 0x00000001 represents the number 1/64.

  • SkFixed is also a fixed-point number, this time with 16 bits to the left and 16 bits to the right of the decimal point. For example, SkFixed value of 0x00000001 represents 1/(2**16)

Precision error with integer to float conversion
We discovered the initial problem when doing DOM fuzzing against Firefox last year. This issue where Skia wrote out-of-bounds caught our eye so we investigated further. It turned out the root cause was a discrepancy in the way Skia converted floating point to ints in several places. When making the per-path clip check, the lower coordinates (left and top of the bounding box) were rounded using this function:
static inline int round_down_to_int(SkScalar x) {    double xx = x;    xx -= 0.5;    return (int)ceil(xx);}
Looking at the code you see that it will return a number greater or equal to zero (which is necessary for passing the path-level clip check) for numbers that are strictly larger than -0.5. However, in another part of the code, specifically SkEdge::setLine if SK_RASTERIZE_EVEN_ROUNDING is defined (which is the case in Firefox), floats are rounded to integers differently, using the following function:
inline SkFDot6 SkScalarRoundToFDot6(SkScalar x, int shift = 0){    union {        double fDouble;        int32_t fBits[2];    } tmp;    int fractionalBits = 6 + shift;    double magic = (1LL << (52 - (fractionalBits))) * 1.5;
   tmp.fDouble = SkScalarToDouble(x) + magic;#ifdef SK_CPU_BENDIAN    return tmp.fBits[1];#else    return tmp.fBits[0];#endif}
Now let’s take a look at what these two functions return for a number -0.499. For this number, round_down_to_int returns 0 (which always passes the clipping check) and SkScalarRoundToFDot6 returns -32 which corresponds to -0.5, so we actually end up with a number that is smaller than the one we started with.
That’s not the only problem, though, because there’s another place where a precision error occurs in SkEdge::setLine.
Precision error when multiplying fractions
SkEdge::setLine calls SkFixedMul which is defined as:
static inline SkFixed(SkFixed a, SkFixed b) {    return (SkFixed)((int64_t)a * b >> 16);}
This function is for multiplying two SkFixed numbers. An issue comes up when using this function to multiply negative numbers. Let’s look at a small example. Let’s assume a = -1/(2**16) and b = 1/(2**16). If we multiply these two numbers on paper, the result is -1/(2**32). However, due to the way SkFixedMul works, specifically because the right shift is used to convert the result back to SkFixed format, the result we actually end up with is 0xFFFFFFFF which is SkFixed for  -1/(2**16). Thus, we end up with a result with a magnitude much larger than expected.
As the result of this multiplication is used by SkEdge::setLine to adjust the x coordinate of the initial line point here, we can use the issue in SkFixedMul to cause an additional error up to 1/64 of a pixel to go outside of the drawing area bounds.
By combining the previous two issues, it was possible to get the x coordinate of a line sufficiently small (smaller than -0.5), so that, when a fractional representation was rounded to an integer here, Skia attempted to draw at coordinates with x = -1, which is clearly outside the image bounds. This then led to an out-of-bounds write as can be seen in the original bug report. This bug could be exploited in Firefox by drawing an SVG image with coordinates as described in the previous section.
Floating point precision error when converting splines to line segments
When drawing paths, Skia is going to convert all non-linear curves (conic shapes, quadratic and cubic splines) to line segments. Perhaps unsurprisingly, these conversions suffer from precision errors.
The conversion of splines into line segments happen in several places, but the most susceptible to floating-point precision errors are hair_quad (used for drawing quadratic curves) and hair_cubic (used for drawing cubic curves). Both of these functions are called from hair_path, which we already mentioned above. Because (unsurprisingly), larger precision errors occur when dealing with cubic splines, we’ll only consider the cubic case here.
When approximating the spline, first the cubic coefficients are computed in SkCubicCoeff. The most interesting part is:
fA = P3 + three * (P1 - P2) - P0;fB = three * (P2 - times_2(P1) + P0);fC = three * (P1 - P0);fD = P0;
Where P1, P2 and P3 are input points and fA, fB, fC and fD are output coefficients. The line segment points are then computed in hair_cubic using the following code
const Sk2s dt(SK_Scalar1 / lines);Sk2s t(0);
Sk2s A = coeff.fA;Sk2s B = coeff.fB;Sk2s C = coeff.fC;Sk2s D = coeff.fD;for (int i = 1; i < lines; ++i) {    t = t + dt;    Sk2s p = ((A * t + B) * t + C) * t + D;    p.store(&tmp[i]);}
Where p is the output point and lines is the number of line segments we are using to approximate the curve. Depending on the length of the spline, a cubic spline can be approximated with up to 512 lines.
It is obvious that the arithmetic here is not going to be precise. As identical computations happen for x and y coordinates, let’s just consider the x coordinate in the rest of the post.
Let’s assume the width of the drawing area is 1000 pixels. Because hair_path is used for drawing path with antialiasing turned on, it needs to make sure that all points of the path are between 1 and 999, which is done in the initial, path-level clip check. Let’s consider the following coordinates that all pass this check:
p0 = 1.501923p1 = 998.468811p2 = 998.998779p3 = 999.000000
For these points, the coefficients are as follows
a = 995.908203b = -2989.310547c = 2990.900879d = 1.501923
If you do the same computation in larger precision, you’re going to notice that the numbers here aren’t quite correct. Now let’s see what happens if we approximate the spline with 512 line segments. This results in 513 x coordinates:
0: 1.5019231: 7.3321302: 13.1395743: 18.9243014: 24.6863565: 30.425781...500: 998.986389501: 998.989563502: 998.992126503: 998.994141504: 998.995972505: 998.997314506: 998.998291507: 998.999084508: 998.999695509: 998.999878510: 999.000000511: 999.000244512: 999.000000
We can see that the x coordinate keeps growing and at point 511 clearly goes outside of the “safe” area and grows larger than 999.
As it happens, this isn’t sufficient to trigger an out-of-bounds write, because, due to how drawing antialiased lines works in Skia, we need to go at least 1/64 of a pixel outside of the clip area for it to become a security issue. However, an interesting thing about the precision errors in this case is that the larger the drawing area, the larger the error that can happen.
So let’s instead consider a drawing area of 32767 pixels (maximum canvas size in Chrome). The initial clipping check then checks that all path points are in the interval [1, 32766]. Now let’s consider the following points:
p0 = 1.7490234375p1 = 32765.9902343750p2 = 32766.000000p3 = 32766.000000
The corresponding coefficients
a = 32764.222656b = -98292.687500c = 98292.726562d = 1.749023
And the corresponding line approximation
0: 1.749023431: 193.3522952: 384.2071233: 574.3149414: 763.6772465: 952.295532…505: 32765.925781506: 32765.957031507: 32765.976562508: 32765.992188509: 32766.003906510: 32766.003906511: 32766.015625512: 32766.000000
You can see that we went out-of-bounds significantly more at index 511.
Fortunately for Skia and unfortunately for aspiring attackers, this bug can’t be used to trigger memory corruption, at least not in the up-to-date version of skia. The reason is SkDrawTiler. Whenever Skia draws using SkBitmapDevice (as opposed to using a GPU device) and the drawing area is larger than 8191 pixels in any dimension, instead of drawing the whole image at once, Skia is going to split it into tiles of size (at most) 8191x8191 pixels. This change was made in March, not for security reasons, but to be able to support larger drawing surfaces. However, it still effectively prevented us from exploiting this issue and will also prevent exploiting other cases where a surface larger than 8191 is required to reach the precision error of a sufficient magnitude.
Still, this bug was exploitable before March and we think it nicely demonstrates the concept of precision errors.
Integer precision error when converting splines to line segments
There is another place where splines are approximated as line segments when drawing (in this case: filling) paths that was also affected by a precision error, in this case an exploitable one. Interestingly, here the precision error wasn’t in floating-point but rather in fixed-point arithmetic.
The error happens in SkQuadraticEdge::setQuadraticWithoutUpdate and SkCubicEdge::setCubicWithoutUpdate. For simplicity, we are again going to concentrate just on the cubic spline version and, again, only on the x coordinate.
In SkCubicEdge::setCubicWithoutUpdate, the curve coordinates are first converted to SkFDot6 type (integer with 6 bits used for fraction). After that, parameters corresponding to the first, second and third derivative of the curve at the initial point are going to be computed:
SkFixed B = SkFDot6UpShift(3 * (x1 - x0), upShift);SkFixed C = SkFDot6UpShift(3 * (x0 - x1 - x1 + x2), upShift);SkFixed D = SkFDot6UpShift(x3 + 3 * (x1 - x2) - x0, upShift);
fCx     = SkFDot6ToFixed(x0);fCDx    = B + (C >> shift) + (D >> 2*shift);    // biased by shiftfCDDx   = 2*C + (3*D >> (shift - 1));           // biased by 2*shiftfCDDDx  = 3*D >> (shift - 1);                   // biased by 2*shift
Where x0, x1, x2 and x3 are x coordinates of the 4 points that define the cubic spline and shift and upShift depend on the length of the curve (this corresponds to the number of linear segments the curve is going to be approximated in). For simplicity, we can assume shift = upShift = 6 (maximum possible values).
Now let’s see what happens for some very simple input values:
x0 = -30x1 = -31x2 = -31x3 = -31
Note that x0, x1, x2 and x3 are of the type SkFDot6 so value -30 corresponds to -0.46875 and -31 to -0.484375. These are close to -0.5 but not quite and are thus perfectly safe when rounded. Now let’s examine the values of the computed parameters:
B = -192C = 192D = -64
fCx = -30720fCDx = -190fCDDx = 378fCDDDx = -6
Do you see where the issue is? Hint: it’s in the formula for fCDx.
When computing fCDx (first derivation of a curve), the value of D needs is right-shifted by 12. However, D is too small to do that precisely, and since D is negative, the right shift
D >> 2*shift
Is going to result in -1, which is larger in magnitude than the intended result. (Since D is of type SkFixed its actual value is -0.0009765625 and the shift, when interpreted as division by 4096, would result in -2.384185e-07). Because of this, the whole fCDx ends up as a larger negative value than it should (-190 vs. -189.015).
Afterwards, the value of fCDx gets used when calculating the x value of line segments. This happens in SkCubicEdge::updateCubic on this line:
newx    = oldx + (fCDx >> dshift);
The x values, when approximating the spline with 64 line segments (maximum for this algorithm), are going to be (expressed as index, integer SkFixed value and the corresponding floating point value):
index raw      interpretation0:    -30720   -0.468751:    -30768   -0.4694822:    -30815   -0.4702003:    -30860   -0.4708864:    -30904   -0.4715585:    -30947   -0.472214...31:   -31683   -0.48344432:   -31700   -0.48370433:   -31716   -0.48394834:   -31732   -0.48419235:   -31747   -0.48442136:   -31762   -0.48465037:   -31776   -0.48486338:   -31790   -0.485077...60:   -32005   -0.48835861:   -32013   -0.48848062:   -32021   -0.48860263:   -32029   -0.48872464:   -32037   -0.488846
You can see that for the 35th point, the x value (-0.484421) ends up being smaller than the smallest input point (-0.484375) and the trend continues for the later points. This value would still get rounded to 0 though, but there is another problem.
The x values computed in SkCubicEdge::updateCubic are passed to SkEdge::updateLine, where they are converted from SkFixed type to SkFDot6 on the following lines:
x0 >>= 10;x1 >>= 10;
Another right shift! And when, for example, SkFixed value -31747 gets shifted we end up with SkFDot6 value of -32 which represents -0.5.
At this point we can use the same trick described above in the “Precision error when multiplying fractions” section to go smaller than -0.5 and break out of the image bounds. In other words, we can make Skia draw to x = -1 when drawing a path.
But, what can we do with it?
In general, given that Skia allocates image pixels as a single allocation that is organized row by row (as most other software would allocate bitmaps), there are several cases of what can happen with precision issues. If we assume an width x height image and that we are only able to go one pixel out of bounds:
  1. Drawing to y = -1 or y = height immediately leads to heap out-of-bounds write
  2. Drawing to x = -1 with y = 0 immediately leads to a heap underflow of 1 pixel
  3. Drawing to x = width with y = height - 1 immediately leads to heap overflow of 1 pixel
  4. Drawing to x = -1 with y > 0 leads to a pixel “spilling” to the previous image row
  5. Drawing to x = height with y < height-1 leads to a pixel “spilling” to the next image row

What we have here is scenario d) - unfortunately we can’t draw to x = 1 with y = 0 because the precision error needs to accumulate over the growing values of y.
Let’s take a look at the following example SVG image:
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg"><style>body { margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px}</style><path d="M -0.46875 -0.484375 C -0.484375 -0.484375, -0.484375 -0.484375, -0.484375 100 L 1 100 L 1 -0.484375" fill="red" shape-rendering="crispEdges" /></svg>
If we render this in an unpatched version of Firefox what we see is shown in the following image. Notice how the SVG only contains coordinates on the left side of the screen, but some of the red pixels get drawn on the right. This is because, due to the way images are allocated, drawing to x = -1 and y = row is equal to drawing to x = width - 1 and y = row - 1.

Opening an SVG image that triggers a Skia precision issue in Firefox. If you look closely you’ll notice some red pixels on the right side of the image. How did those get there? :)
Note that we used Mozilla Firefox and not Google Chrome because, due to SVG drawing internals (specifically: Skia seems to draw the entire image at once, while Chrome uses additional tiling) it is easier to demonstrate the issue in Firefox. However, both Chrome and Firefox were equally affected by this issue.
But, other than drawing a funny image, is there real security impact to this issue? Here, SkARGB32_Shader_Blitter comes to the rescue (SkARGB32_Shader_Blitter is used whenever shader effects are applied to a color in Skia). What is specific about SkARGB32_Shader_Blitter is that it allocates a temporary buffer of the same size as a single image row. When SkARGB32_Shader_Blitter::blitH is used to draw an entire image row, if we can make it draw from x = -1 to x = width - 1 (alternately from x = 0 to x = width), it will need to write width + 1 pixels into a buffer that can only hold width pixels, leading to a buffer overflow as can be seen in the ASan log in the bug report.
Note how the PoCs for Chrome and Firefox contain SVG images with a linearGradient element - the linear gradient is used specifically to select SkARGB32_Shader_Blitter instead of drawing pixels to the image directly, which would only result in pixels spilling to the previous row.
Another specific of this issue is that it can only be reached when drawing (more specifically: filling) paths with antialiasing turned off. As it is not currently possible to draw paths to a HTML canvas elements with antialiasing off (there is an imageSmoothingEnabled property but it only applies to drawing images, not paths), an SVG image with shape-rendering="crispEdges" must be used to trigger the issue.
All precision issues we reported in Skia were fixed by increasing kConservativeRoundBias. While the current bias value is large enough to cover the maximum precision errors we know about, we should not dismiss the possibility of other places where precision issues can occur.ConclusionWhile precision issues, such as described in this blog post, won’t be present in most software products, where they are present they can have quite serious consequences. To prevent them from occurring:
  • Don’t use floating-point arithmetic in cases where the result is security-sensitive. If you absolutely have to, then you need to make sure that the maximum possible precision error cannot be larger than some safety margin. Potentially, interval arithmetic could be used to determine the maximum precision error in some cases. Alternately, perform security checks on the result rather than input.

  • With integer arithmetic, be wary of any operations that can reduce the precision of the result, such as divisions and right shifts.

When it comes to finding such issues, unfortunately, there doesn’t seem to be a great way to do it. When we started looking at Skia, initially we wanted to try using symbolic execution on the drawing algorithms to find input values that would lead to drawing out-of-bounds, as, on the surface, it seemed this is a problem symbolic execution would be well suited for. However, in practice, there were too many issues: most tools don’t support floating point symbolic variables and, even when running against just the integer parts of the simplest line drawing algorithm, we were unsuccessful in completing the run in a reasonable time (we were using KLEE with STP and Z3 backends).
In the end, what we ended up doing was a combination of the more old-school methods: manual source review, fuzzing (especially with values close to image boundaries) and, in some cases, when we already identified potentially problematic areas of code, even bruteforcing the range of all possible values.
Do you know of other instances where precision errors resulted in security issues? Let us know about them in the comments.
Categories: Security

Introduction to IBM Common Data Provider for z Systems

IBM Redbooks Site - Thu, 07/26/2018 - 09:30
Redpaper, published: Thu, 26 Jul 2018

IBM Common Data Provider for z Systems collects, filters, and formats IT operational data in near real-time and provides that data to target analytics solutions.

Categories: Technology


Subscribe to www.hdgonline.net aggregator