Some of what I'm reading...
Stephen Hoffman
2018-05-12 20:35:17 UTC
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.

An overview of some of open-source projects from a few years ago —
includes an overview of LLVM, which is being used by VSI for OpenVMS
http://www.aosabook.org/en/index.html

Work toward securing the boot path, akin to the existing work on x86-64
and on Arm.
https://www.securerf.com/path-secure-boot-solution-risc-v/

Approaches toward securing a key component of the system security
environment...

https://ronny.chevalier.io/files/coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf


Approaches toward secure storage of sensitive information, and using
hardware and software features that OpenVMS lacks support for...

https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave


Here's Rowhammer in the browser...
https://www.vusec.net/projects/glitch/

RISC-V development boards...
https://www.sifive.com

On younger folks and learning about computers and programming and
algorithms. These folks are rather past that earlier discussion of
which languages folks might first learn computing with, though...
http://aiweirdness.com/post/173797162852/ai-scream-for-ice-cream
--
Pure Personal Opinion | HoffmanLabs LLC
IanD
2018-05-20 13:28:01 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
An overview of some of open-source projects from a few years ago —
includes an overview of LLVM, which is being used by VSI for OpenVMS
http://www.aosabook.org/en/index.html
Work toward securing the boot path, akin to the existing work on x86-64
and on Arm.
https://www.securerf.com/path-secure-boot-solution-risc-v/
Approaches toward securing a key component of the system security
environment...
https://ronny.chevalier.io/files/coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf
Approaches toward secure storage of sensitive information, and using
hardware and software features that OpenVMS lacks support for...
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
Here's Rowhammer in the browser...
https://www.vusec.net/projects/glitch/
RISC-V development boards...
https://www.sifive.com
On younger folks and learning about computers and programming and
algorithms. These folks are rather past that earlier discussion of
which languages folks might first learn computing with, though...
http://aiweirdness.com/post/173797162852/ai-scream-for-ice-cream
--
Pure Personal Opinion | HoffmanLabs LLC
These are good :-)

Bit hard for VMS to support the secure key store when it's a function of the Apple chip. Didn't the VAX and Alpha have special parts to them that VMS exploited, although not security related? We are moving to commodity hardware; I guess we have to put up with its limitations?

Those kids who were learning about AI through neural nets use Python to get at the cool stuff underneath, which is TensorFlow.

For something similar, although more comprehensive than poetry writing, there is the Wolfram Language.

This video pretty much depicts what I think kids who need to churn out widgets should be learning (the majority of programmers; those who do things like compiler design or OS design or real time are not under this model, but I wonder if one day they could be).

(and this is 4 years ago)

It's still being enhanced today. The latest additions are around quantum computing
j***@yahoo.co.uk
2018-05-20 17:13:45 UTC
Post by IanD
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
An overview of some of open-source projects from a few years ago —
includes an overview of LLVM, which is being used by VSI for OpenVMS
http://www.aosabook.org/en/index.html
Work toward securing the boot path, akin to the existing work on x86-64
and on Arm.
https://www.securerf.com/path-secure-boot-solution-risc-v/
Approaches toward securing a key component of the system security
environment...
https://ronny.chevalier.io/files/coprocessor-based-behavior-monitoring-acsac-chevalier-2017.pdf
Approaches toward secure storage of sensitive information, and using
hardware and software features that OpenVMS lacks support for...
https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
Here's Rowhammer in the browser...
https://www.vusec.net/projects/glitch/
RISC-V development boards...
https://www.sifive.com
On younger folks and learning about computers and programming and
algorithms. These folks are rather past that earlier discussion of
which languages folks might first learn computing with, though...
http://aiweirdness.com/post/173797162852/ai-scream-for-ice-cream
--
Pure Personal Opinion | HoffmanLabs LLC
These are good :-)
Bit hard for VMS to support the secure key store when it's a function of the Apple chip. Didn't the VAX and Alpha have special parts to them that VMS exploited, although not security related? We are moving to commodity hardware; I guess we have to put up with its limitations?
Those kids who were learning about AI through neural nets use Python to get at the cool stuff underneath, which is TensorFlow.
For something similar, although more comprehensive than poetry writing, there is the Wolfram Language.
This video pretty much depicts what I think kids who need to churn out widgets should be learning (the majority of programmers; those who do things like compiler design or OS design or real time are not under this model, but I wonder if one day they could be).
http://youtu.be/_P9HqHVPeik (and this is 4 years ago)
It's still being enhanced today. The latest additions are around quantum computing
The link goes to a 2014 video of Stephen Wolfram talking
about The Wolfram Language. If you know (of) Mathematica
you may already be aware of this stuff. If you know that
a free (zero cost) version of Mathematica ships with the
Raspberry Pi flavour of Debian you may already be aware
of this stuff.

Wolfram/Mathematica has been around a few decades, but
not quite as many as VMS. For some of those decades,
VMS was a supported platform for Mathematica.

Further reading (which may be more helpful than YouTube
or may not; one size does not fit all) can be found via:
https://en.wikipedia.org/wiki/Wolfram_Mathematica

I defocused from the video once I realised what it
was, but left it running. I refocused on it when
Device Connection was mentioned.

As many readers will know, device connection in a
usable portable generic way would be great, wouldn't
it. And then I saw a Lytro camera and defocused again,
though it did prompt me to do a "where are they now",
which reveals that Lytro ceased trading earlier this
year:
https://en.wikipedia.org/wiki/Lytro


Share and enjoy.
Stephen Hoffman
2018-05-21 00:19:13 UTC
Post by IanD
Bit hard for VMS to support the secure key store when it's a function
of the Apple chip.
The keychain store doesn't require the Apple T2 chip. The keychain
storage uses a set of APIs and AES encryption to maintain and protect
private keys and passwords. Various x86-64 processors do have AES
acceleration too, which is handy.

OpenVMS has no concept of protecting keys and private certificates.
It's all tossed over to the user to deal with. Or to not deal with, as
the case may be. Apache has its own certificate store, and so does the
upstream-deprecated-a-decade-ago CDMA, so does ssh, and so too does
OpenVMS, as do some apps. DECnet has its own password storage, as do
various apps. Etc. Everybody has implemented their own schemes. Some
are better than others.
Post by IanD
Didn't the Vax and Alpha have special parts to them that VMS exploited,
although not security related.
Sure. Some of which DEC and Compaq and HP/HPE and VSI have
incrementally removed with each port, and variously rolling pieces and
parts into Software Interrupt Services; SWIS. SWIS is the OpenVMS
Hardware Abstraction Layer.
Post by IanD
We are moving to commodity hardware I guess we have to put up with it's
limitations?
Have a look at the Intel Management Engine (ME) with Trusted Platform
Module (TPM) support that's available in Intel chipsets, for instance.
Not that the Apple keychain storage particularly uses the TPM for
security, either.

Apple T2 replaces various of what Intel ME provides, and adds some
other capabilities.

Related reading:
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf

https://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/
https://en.wikipedia.org/wiki/Trusted_Platform_Module
--
Pure Personal Opinion | HoffmanLabs LLC
Arne Vajhøj
2018-05-21 00:36:09 UTC
Post by IanD
Bit hard for VMS to support the secure key store when it's a function
of the Apple chip.
The keychain store doesn't require the Apple T2 chip.  The keychain
storage uses a set of APIs and AES encryption to maintain and protect
private keys and passwords.  Various x86-64 processors do have AES
acceleration too, which is handy.
OpenVMS has no concept of protecting keys and private certificates. It's
all tossed over to the user to deal with.  Or to not deal with, as the
case may be.  Apache has its own certificate store, and so does the
upstream-deprecated-a-decade-ago CDMA, so does ssh, and so too does
OpenVMS, as do some apps.  DECnet has its own password storage, as do
various apps.  Etc.  Everybody has implemented their own schemes.  Some
are better than others.
PKCS#12 is a standard (RFC7292).

And I believe that both OpenSSL and Java can use PKCS#12 stores.

Arne
John E. Malmberg
2018-05-21 03:57:06 UTC
Post by Arne Vajhøj
Post by Stephen Hoffman
OpenVMS has no concept of protecting keys and private certificates.
It's all tossed over to the user to deal with.  Or to not deal with,
as the case may be.  Apache has its own certificate store, and so does
the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so too
does OpenVMS, as do some apps.  DECnet has its own password storage,
as do various apps.  Etc.  Everybody has implemented their own
schemes.  Some are better than others.
PKCS#12 is a standard (RFC7292).
And I believe that both OpenSSL and Java can use PKCS#12 stores.
But as Hoff pointed out:

1. No set of OS vendor supplied CA certificates for general use by all
applications.

2. No location for user supplied CA certificates for use by all
applications.

With Linux distros, there is a vendor supplied certificate package, and
that package contains a script that does:

a: Merges the vendor and user defined certificate into a single
directory that OpenSSL and other applications can just reference.

b: Looks for additional scripts that are optionally supplied by
applications that need other formats than the above, for example a Java
keystore, and then updates that keystore.

Private keys are generally restricted to a specific application, so
while there are some conventions, many applications keep them in their
data directories, but suitably protected.

Regards,
-John
***@qsl.net_work
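As an added example (not code from John's post, nor any distribution's actual certificate package), here is a minimal Python imitation of the two steps he describes: merge vendor and user PEM certificates into one directory and one bundle that OpenSSL-based tools can reference, then run per-application hook scripts for other formats such as a Java keystore. The `hooks.d` directory name and the certificate bodies in `demo()` are constructed placeholders, not real X.509 data.

```python
"""Added example: a toy update-ca-certificates. Not a distro's package."""
from __future__ import annotations
import base64
import hashlib
import os
import re
import stat
import subprocess
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def load_pem_certs(directory: Path) -> list[bytes]:
    """Return the decoded body of every certificate in *.crt / *.pem files."""
    ders = []
    for path in sorted(directory.glob("*")):
        if path.suffix in (".crt", ".pem"):
            for body in PEM_RE.findall(path.read_text()):
                ders.append(base64.b64decode("".join(body.split())))
    return ders


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"


def update_ca_certificates(vendor_dir: Path, user_dir: Path,
                           out_dir: Path, hooks_dir: Path) -> dict:
    """Step (a): merge vendor + user certs into out_dir/ (one file each)
    and out_dir/ca-bundle.pem, skipping duplicates by SHA-256 fingerprint.
    Step (b): run every executable in hooks_dir with the bundle path, so
    applications needing another format (a Java keystore, say) can rebuild it.
    A real package would also run `openssl rehash out_dir` so OpenSSL's
    CApath lookup finds the individual files; that is omitted here."""
    out_dir.mkdir(parents=True, exist_ok=True)
    seen: set[str] = set()
    merged: list[bytes] = []
    # Vendor certs first, so a cert shipped by both is stored once.
    for der in load_pem_certs(vendor_dir) + load_pem_certs(user_dir):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        merged.append(der)
        (out_dir / f"{fp[:16]}.pem").write_text(to_pem(der))
    bundle = out_dir / "ca-bundle.pem"
    bundle.write_text("".join(to_pem(d) for d in merged))
    ran = []
    if hooks_dir.is_dir():
        for hook in sorted(hooks_dir.iterdir()):
            if os.access(hook, os.X_OK):  # run-parts style: skip non-executables
                subprocess.run([str(hook), str(bundle)], check=True)
                ran.append(hook.name)
    return {"certs": len(merged), "bundle": str(bundle), "hooks": ran}


def demo() -> dict:
    """Constructed tree: vendor ships A and B, the site adds B (again) and C,
    and one hook stands in for an application that needs another format."""
    root = Path(tempfile.mkdtemp())
    vendor, user, out, hooks = (root / n for n in ("vendor", "user", "out", "hooks.d"))
    for d in (vendor, user, hooks):
        d.mkdir()
    # Placeholder bodies, not real DER certificates.
    fake = {n: f"constructed-placeholder-cert-{n}".encode() for n in "ABC"}
    (vendor / "vendor.crt").write_text(to_pem(fake["A"]) + to_pem(fake["B"]))
    (user / "site-ca.pem").write_text(to_pem(fake["B"]) + to_pem(fake["C"]))
    hook = hooks / "10-java-keystore"
    hook.write_text("#!/bin/sh\n# stand-in for keytool -importcert: record the bundle given\n"
                    "echo \"would import $1\" > \"$(dirname \"$1\")/java-keystore.log\"\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    result = update_ca_certificates(vendor, user, out, hooks)
    result["hook_log"] = (out / "java-keystore.log").read_text().strip()
    return result
```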
Arne Vajhøj
2018-05-21 10:58:15 UTC
Post by John E. Malmberg
Post by Arne Vajhøj
Post by Stephen Hoffman
OpenVMS has no concept of protecting keys and private certificates.
It's all tossed over to the user to deal with.  Or to not deal with,
as the case may be.  Apache has its own certificate store, and so
does the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so
too does OpenVMS, as do some apps.  DECnet has its own password
storage, as do various apps.  Etc.  Everybody has implemented their
own schemes.  Some are better than others.
PKCS#12 is a standard (RFC7292).
And I believe that both OpenSSL and Java can use PKCS#12 stores.
1. No set of OS vendor supplied CA certificates for general use by all
applications.
2. No location for user supplied CA certificates for use by all
applications.
With Linux distros, there is a vendor supplied certificate package, and
a: Merges the vendor and user defined certificate into a single
directory that OpenSSL and other applications can just reference.
b: Looks for additional scripts that are optionally supplied by
applications that need other formats than the above, for example a Java
keystore, and then updates that keystore.
Private keys are generally restricted to a specific application, so
while there are some conventions, many applications keep them in their
data directories, but suitably protected.
That is true.

I think vendor supplied CA certificates is mostly a browser thing.

But a central/default location and some tools could definitely
be useful.

Arne
John E. Malmberg
2018-05-21 12:45:29 UTC
Post by Arne Vajhøj
Post by John E. Malmberg
Post by Arne Vajhøj
Post by Stephen Hoffman
OpenVMS has no concept of protecting keys and private certificates.
It's all tossed over to the user to deal with.  Or to not deal with,
as the case may be.  Apache has its own certificate store, and so
does the upstream-deprecated-a-decade-ago CDMA, so does ssh, and so
too does OpenVMS, as do some apps.  DECnet has its own password
storage, as do various apps.  Etc.  Everybody has implemented their
own schemes.  Some are better than others.
PKCS#12 is a standard (RFC7292).
And I believe that both OpenSSL and Java can use PKCS#12 stores.
1. No set of OS vendor supplied CA certificates for general use by all
applications.
2. No location for user supplied CA certificates for use by all
applications.
With Linux distros, there is a vendor supplied certificate package,
a: Merges the vendor and user defined certificate into a single
directory that OpenSSL and other applications can just reference.
b: Looks for additional scripts that are optionally supplied by
applications that need other formats than the above, for example a
Java keystore, and then updates that keystore.
Private keys are generally restricted to a specific application, so
while there are some conventions, many applications keep them in their
data directories, but suitably protected.
That is true.
I think vendor supplied CA certificates is mostly a browser thing.
But a central/default location and some tools could definitely
be useful.
Not just browsers. It is used for Java, curl, wget, and any application
that uses OpenSSL directly or indirectly through libcurl, like git,
pypi, etc.

Regards,
-John
***@qsl.net_work
Stephen Hoffman
2018-05-21 15:53:24 UTC
Post by John E. Malmberg
Post by Arne Vajhøj
I think vendor supplied CA certificates is mostly a browser thing.
Not just browsers. It is used for Java, curl, wget, and any
application that uses OpenSSL directly or indirectly through libcurl,
like git, pypi, etc.
Correct. It's anything that needs a secure connection, and servers
need more than a few secure connections. It's less than desirable to
have critical security data scattered haphazardly around the file
system by OpenVMS and languages and apps, and with no set protections
and no set encryption and no set APIs for that data, and with no means
for updates beyond entirely manual and site-specific processes. That's
just a recipe for security problems.

This is part of where getting the security data identified and better
isolated and protected, and where related work such as the wholesale
integration with LDAP can help.

There's also that servers increasingly use HTTPS for server-to-server
communications. Those "browser things" are increasingly also "server
things".
--
Pure Personal Opinion | HoffmanLabs LLC
Arne Vajhøj
2018-05-21 18:42:52 UTC
Post by Arne Vajhøj
I think vendor supplied CA certificates is mostly a browser thing.
Not just browsers.  It is used for Java, curl, wget, and any
application that uses OpenSSL directly or indirectly through libcurl,
like git, pypi, etc.
Correct.  It's anything that needs a secure connection, and servers need
more than a few secure connections.
There's also that servers increasingly use HTTPS for server-to-server
communications.  Those "browser things" are increasingly also "server
things".
Yes.

But it is really that common for trusted server applications to
use the traditional browser logic "I accept all certificates from
all CA's in my OS vendors list"?

I would have expected them to do a more custom check for a specific
certificate.

Arne
Stephen Hoffman
2018-05-26 00:34:34 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
A database running within SGX enclave:

https://www.microsoft.com/en-us/research/publication/enclavedb-a-secure-database-using-sgx/


Spectre variant 3a & variant 4 flaws have been disclosed, affecting
various Intel, AMD and Arm processors
https://bugs.chromium.org/p/project-zero/issues/detail?id=1528

https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works

CVE-2018-3639, CVE-2018-3640

PGP alternative with Perfect Forward Security (PFS) support:
https://github.com/stealth/opmsg

Fun with WireShark
http://chrissanders.org/2018/05/large-captures1-colorizing-wireshark/

Per Jess Telford, some words that should be avoided using when writing
documentation:
obviously, basically, simply, of course, clearly, just, everyone
knows, however, so, easy

Some Security Resources:
https://www.it-sec-catalog.info/analysis_and_exploitation_unprivileged.html

C Programming Resources
https://notabug.org/koz.ross/awesome-c

Second Factors... Overview of Security Keys (U2F, 2FA, TOTP/HOTP, etc)
https://www.imperialviolet.org/2018/03/27/webauthn.html

The UEFI bootstrap and security
https://trmm.net/LinuxBoot_34c3

RISC-V:
https://riscv.org/risc-v-foundation/

libtls SSL/TLS library application programming interface:
http://www.openbsd.org/papers/libtls-fsec-2015/mgp00001.html
https://www.openbsd.org/papers/linuxconfau2017-libtls

"GDPR Hysteria":
https://jacquesmattheij.com/gdpr-hysteria

Some DEC History, for those folks unfamiliar with the DEC NOD:

http://archive.computerhistory.org/resources/text/DEC/dec.bell.no_output_division_C-I_TF;productivity_review.1982.102630376.pdf
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2019-01-31 16:39:26 UTC
Since there've been discussions of which platforms AdaCore is and is
not supporting, "AdaCore Joins the RISC-V Foundation to Provide C and
Ada Compilation Support"
https://www.design-reuse.com/news/45487/adacore-the-risc-v-foundation-c-ada-compilation.html


Given recent virtualization discussions, some recent Hyper-V
security-related links—including Microsoft docs on attacking Hyper-V
components:
https://blogs.technet.microsoft.com/srd/2019/01/28/fuzzing-para-virtualized-devices-in-hyper-v/

https://blogs.technet.microsoft.com/srd/2018/12/10/first-steps-in-hyper-v-research/

https://i.blackhat.com/us-18/Thu-August-9/us-18-Rabet-Hardening-Hyper-V-Through-Offensive-Security-Research.pdf

https://github.com/Microsoft/MSRC-Security-Research/raw/master/presentations/2018_08_BlackHatUSA/A%20Dive%20in%20to%20Hyper-V%20Architecture%20and%20Vulnerabilities.pdf


Prototypes toward low-configuration-effort encrypted IPv6 networking...
https://github.com/cjdelisle/cjdns
https://github.com/yggdrasil-network/yggdrasil-go

"Down the Rabbit Hole - Part I: A Journey into the UEFI Land" —
reverse-engineering Lenovo Thinkpad UEFI-based device support
https://erfur.github.io/down_the_rabbit_hole_pt1/

"Someone who says blockchain can be used to solve problem x, doesn't
understand the problem" — Nicholas Weaver, senior research at USB
International Computer Science Institute
http://www1.icsi.berkeley.edu/~nweaver/enigma_crypto_weaver.pdf

For those of you working on macOS...
http://orangejuiceliberationfront.com/sandboxed-macos-login-item-with-xpc/
https://github.com/travisjeffery/ClangFormat-Xcode

Learning about what your organization has exposed to the 'net...
https://github.com/kpcyrd/sn0int
https://www.hardenize.com and https://www.ssllabs.com/ssltest/ for testing

Linux, given the recent discussion:
https://help.ubuntu.com/community/BurningIsoHowto
https://elementary.io

How a lack of HTTPS can nail you:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3462.html

"Scaling Down Inequality - Rating Scales, Gender Bias, and the
Architecture of Evaluation" — how performance evaluations and common
evaluation scales can get (some of) us in trouble.
https://osf.io/preprints/socarxiv/j2tw9/

Software Dependencies and the Maintenance of Microsoft Windows—managing
compatibility and complexity, and trying to herd developers.
https://static1.squarespace.com/static/56a8e2fca12f446482d67a7a/t/5701df86746fb963479246b9/1459740551306/GOTOHELL.DLL%281%29.pdf


Algorithms, for those of us slinging code and that haven't looked at a
text in a decade or two...
http://jeffe.cs.illinois.edu/teaching/algorithms/book/Algorithms-JeffE.pdf

For folks looking at security and that are pondering what's changed
since OpenVMS was designed and created some forty years ago, operating
systems including Genode, Haiku and seL4 will be interesting. "The
Genode OS Framework is a tool kit for building highly secure
special-purpose operating systems. It scales from embedded systems with
as little as 4 MB of memory to highly dynamic general-purpose
workloads."
https://genode.org
https://www.haiku-os.org
https://sel4.systems
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2019-03-04 18:26:41 UTC
Practical Enclave Malware with Intel SGX; how to hide some malware in a
hard-to-access spot...
https://arxiv.org/abs/1902.03256
https://github.com/sgxrop/sgxrop

Message Layer Security (IETF working group, draft)
https://messaginglayersecurity.rocks

"Firecracker is an open source virtualization technology that is
purpose-built for creating and managing secure, multi-tenant container
and function-based services."
https://firecracker-microvm.github.io

"Attack of the week: searchable encryption and the ever-expanding
leakage function"
https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/


A technical history of IPsec
https://www.cs.columbia.edu/~smb/talks/why-ipsec.pdf

List of pointers to C and C++ standards:
https://stackoverflow.com/a/83763/94997

Mesh: Compacting Memory Management for C/C++ Applications (good speed
and lower memory usage)
https://arxiv.org/abs/1902.04738

clang & rust UEFI binaries, for when you need to write UEFI application code...
https://dvdhrm.github.io/2019/01/31/goodbye-gnuefi/
https://github.com/rust-osdev/uefi-rs
https://github.com/r-util/r-efi
https://c-util.github.io/c-efi/
(Yes, you could bury some code here, even on OpenVMS.)

About Wasm overhead; "Analyzing the Performance of WebAssembly vs.
Native Code".
https://arxiv.org/pdf/1901.09056.pdf

For those of you using macOS:
https://github.com/Netflix-Skunkworks/stethoscope-app

Computer (Hardware) Architecture class, caches and cache coherence,
DRAM, flash & SSDs, etc
https://safari.ethz.ch/architecture/fall2018/doku.php?id=schedule

GPU SQL:
https://blog.blazingdb.com/blazingsql-the-gpu-sql-engine-now-runs-over-20x-faster-than-apache-spark-1b0bffc990a9


More on eBPF:
https://sysdig.com/blog/sysdig-and-falco-now-powered-by-ebpf/
https://sysdig.com/blog/the-art-of-writing-ebpf-programs-a-primer/

"Millions of Binaries Later: a Look Into Linux Hardening in the Wild"
https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/

ps: "Is the number of CVEs per distribution indicative of the fact that
one distribution might be more vulnerable than another? The answer is
no."

Any NTLM password of 8 and fewer characters can now be brute-forced in
a few hours, and for $75 or less using AWS. And there are better and
faster options to using an AWS Tesla for this.
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2019-05-21 18:10:47 UTC
Some more of what's been on the recent reading list...

There's been the occasional porting-related discussions around the
Apple Rosetta as an image translation tool that was used for
application migration from PPC to Intel processors on OS X / macOS, but
that's clearly not the only path that's available:
https://www.highcaffeinecontent.com/blog/20190518-Translating-an-ARM-iOS-App-to-Intel-macOS-Using-Bitcode


Chocolatey, a package manager for Microsoft Windows:
https://chocolatey.org

As was mentioned in an earlier posting of mine, "PCSI lacks
capabilities around maintaining and managing and upgrading
dependencies, requiring end-users and developers to hand-roll their own
unique solutions to API dependencies.   Of these, I happen to like the
approach Oracle Rdb uses, but it's one of many.   For an approach
around dependency management used elsewhere, see the nix package
manager and NixOS", and also see the Gentoo "Slotting" scheme. This to
allow multiple versions and multiple disparate APIs to coexist. Yeah,
I don't like that, but that is increasingly part of the world we're now
in and—like the increasing need to keep applying updates and
upgrades—we can only choose to ignore it, or we can choose to take
steps to better deal with what we're increasingly encountering.
https://nixos.org/nix/
https://nixos.org/
https://devmanual.gentoo.org/general-concepts/slotting/index.html

An experimental LLVM JIT-like code generator:
https://github.com/pdziepak/codegen

From Google Research, "New research: How effective is basic account
hygiene at preventing hijacking"
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html


An ELF format introduction and ELF is used on OpenVMS, and a prototype
of Linux ELF Universal Binaries that "lets you pack binaries into one
file, seperated [sic] by OS ABI, OS ABI version, byte order and word
size, and most importantly, CPU architecture."
https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
https://icculus.org/fatelf/

Google is currently posting a list of security vulnerabilities that
were first detected through usage of an associated exploit:
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/htmlview?sle=true


C++ error handling preferences — though various of this is not yet
available on OpenVMS:
https://hackernoon.com/error-handling-in-c-or-why-you-should-use-eithers-in-favor-of-exceptions-and-error-codes-f0640912eb45


A list of CPU-level security failures—Spectre, Meltdown, Fallout, etc:
https://cpu.fail
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2019-06-24 18:16:25 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
RAMbleed:
https://rambleed.com
The most recent OpenSSH has taken some steps to mitigate against
RAMbleed, Spectre, and ilk, by keeping the private keys encrypted when
not in immediate use.
https://marc.info/?l=thn&m=156109087822676

Hacking into a hardware security module (HSM):
https://cryptosense.com/blog/how-ledger-hacked-an-hsm/
In some organizations, HSMs are used as vaults for sensitive
information such as private keys and passwords.

Yet another supply-chain attack, this time against some Android devices:
https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/


"The Influence of Organizational Structure on Software Quality: an
Empirical Case Study"
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2008-11.pdf

"the organizational metrics when applied to data from Windows Vista
were statistically significant predictors of failure-proneness."

x86 Rust-based OS paging intro—some background for how another
operating system implements virtual memory paging and memory protection
on x86, for those interested in details:
https://os.phil-opp.com/paging-introduction/

"Zanzibar: Google’s Consistent, Global Authorization System"
https://ai.google/research/pubs/pub48190
"Zanzibar scales to trillions of access control lists and millions of
authorization requests per second to support services used by billions
of people. It has maintained 95th-percentile latency of less than 10
milliseconds and availability of greater than 99.999% over 3 years of
production use."

Some cryptography source code programming examples:
http://www.herongyang.com/Cryptography/

C++11 and multi-threading, given a C++11 compiler implementation is
planned for VSI OpenVMS x86-64...
https://stackoverflow.com/questions/6319146/c11-introduced-a-standardized-memory-model-what-does-it-mean-and-how-is-it-g


KLEE, automated test coverage using LLVM compilers:
https://klee.github.io

"Netflix has identified several TCP networking vulnerabilities in
FreeBSD and Linux kernels."
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

There's no reproducer/test available quite yet, but that'll undoubtedly
be posted online (somewhere) fairly soon...

"TaxDC: A Taxonomy of Non-Deterministic Concurrency Bugs in Datacenter
Distributed Systems"
"We present TaxDC, the largest and most comprehensive taxonomy of
non-deterministic concurrency bugs in distributed systems..."
https://ucare.cs.uchicago.edu/pdf/asplos16-TaxDC.pdf

Wanna learn vim?
https://github.com/jmoon018/PacVim

In addition to the existing MiTM Proxy, there's now PolarProxy:
https://www.netresec.com/?page=PolarProxy

VSI OpenVMS with VAFS is incompatible with host-based volume shadowing
(host-based RAID-1):
"The new file system will support disks > 2TB.  Shadowing doesn't, and
cannot without a lot of work."
https://groups.google.com/d/msg/comp.os.vms/Xgy7-vqgByc/v53aDpFhCAAJ
(The addressing limit here is technically 2 TiB, and not 2 TB.)

Cloud hosting for security-conscious customers is very big business.
This particular cloud-hosting contract process has been going for a
while for those that might have missed earlier discussions, too.
Oracle, Amazon AWS, Microsoft Azure, IBM, and US DoD contracts:
"Yesterday, I had a story taken down on Forbes for a post about Jedi DoD"
"Title: Modern Star Wars: JEDI, the Dark Side and the Fight for the
Future of the Military"
https://medium.com/@furrier/yesterday-i-had-a-story-taken-down-on-forbes-for-a-post-about-jedi-dod-33675fd89a01

Some other related reading:
https://www.lite1065.com/2019/06/19/amazon-pentagon-accused-of-swampy-dealings-over-10b-contract/

https://www.washingtonpost.com/business/2019/04/10/pentagon-cloud-contract-investigation-uncovers-potential-ethical-violations-narrows-competition-two/?utm_term=.d8115b7d3744

https://fcw.com/articles/2019/06/21/jedi-lawsuit-oracle-aws.aspx

ps: There's a nasty Firefox bug around, and one that's reportedly being
exploited in targeted attacks. Patch to current, if you're using
Firefox or Firefox ESR...
--
Pure Personal Opinion | HoffmanLabs LLC
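An added example (not OpenSSH's code) modelling the private-key "shielding" the post above mentions as a mitigation for RAMBleed and Spectre-class memory disclosure. OpenSSH derives an AES-256-CTR key and IV by hashing a 16 KiB random prekey with SHA-512 and keeps the private key encrypted under it while idle, so an attacker who reads memory slowly or with bit errors must recover the entire prekey exactly. Here a SHA-512 counter-mode keystream plus an HMAC tag stands in for AES so the example runs with only the standard library; the "private key" bytes are a constructed placeholder.

```python
"""Added example: a toy model of OpenSSH-style key shielding. Not OpenSSH code."""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass

PREKEY_LEN = 16 * 1024  # OpenSSH uses a 16 KiB prekey


@dataclass
class ShieldedKey:
    ciphertext: bytes
    tag: bytes


def derive_keys(prekey: bytes) -> tuple[bytes, bytes]:
    """Hash the whole prekey down to an encryption key and a MAC key.
    A single-bit error anywhere in the prekey changes both outputs."""
    digest = hashlib.sha512(prekey).digest()
    return digest[:32], digest[32:]


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-512 (stand-in for AES-256-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha512(enc_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def shield(private_key: bytes) -> tuple[bytes, ShieldedKey]:
    """Encrypt the key under a fresh random prekey; the caller keeps the
    prekey and the blob and should discard the plaintext until needed."""
    prekey = os.urandom(PREKEY_LEN)
    enc_key, mac_key = derive_keys(prekey)
    ks = keystream(enc_key, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, ks))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return prekey, ShieldedKey(ct, tag)


def unshield(prekey: bytes, shielded: ShieldedKey) -> bytes:
    """Recover the key; refuses (rather than returning garbage) if the prekey
    is not byte-for-byte the one used to shield."""
    enc_key, mac_key = derive_keys(prekey)
    expected = hmac.new(mac_key, shielded.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, shielded.tag):
        raise ValueError("prekey mismatch: cannot unshield")
    ks = keystream(enc_key, len(shielded.ciphertext))
    return bytes(a ^ b for a, b in zip(shielded.ciphertext, ks))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate one bit error in a copy of memory, as a noisy read would give."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    secret = b"constructed placeholder standing in for an SSH private key blob"
    prekey, blob = shield(secret)
    roundtrip_ok = unshield(prekey, blob) == secret
    try:
        unshield(flip_bit(prekey, 4242), blob)
        corrupted_recovers = True
    except ValueError:
        corrupted_recovers = False
    return {"roundtrip_ok": roundtrip_ok,
            "corrupted_prekey_recovers": corrupted_recovers,
            "prekey_bits_to_read": PREKEY_LEN * 8}
```

The point of the large prekey is the last figure: every one of its 131072 bits must be read without error before the shielded key yields anything, which is exactly what a slow or error-prone disclosure primitive cannot guarantee.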
IanD
2019-06-30 21:45:21 UTC
There's so much good material in these posts, it's taking me a while to look at most of it.

I just read the article regarding GPUs and SQL; interesting, and even more interesting how it outpaced Spark, although some of the comments made are saying the time scale used makes the speedup look better than it is. Even so, pretty interesting to use GPUs for SQL execution and to outpace Spark.

The takeaway for me is that GPUs cannot be ignored going forward; they are pivotal in anything machine-learning related, and applications lacking a machine-learning component are starting to look a little tired, especially as we move into stream-based learning models and workloads. Now SQL execution may start leveraging them.

I went to an internal talk the other day and they were showing a continual modeling framework. Some of the stuff they wanted to do was still in its infancy, but GPUs featured in the list of near-future offerings they were looking at.
Scott Dorsey
2019-07-01 02:05:49 UTC
The takeaway for me is that GPUs cannot be ignored going forward; they are
pivotal in anything machine-learning related, and applications lacking a
machine-learning component are starting to look a little tired, especially as
we move into stream-based learning models and workloads. Now SQL execution
may start leveraging them.
The problem here is that much of the internals on the GPUs are either
undocumented or poorly documented, so you need to be using the
GPU-vendor-provided programming environment and libraries and duplicating
that environment is difficult.

If a new operating system wishes GPU support, then, they need to get the
GPU vendor on board to provide these tools. This is nontrivial.

I will say that the environments where GPUs are the biggest win are those
where VMS is never going to be a big player again, such as scientific
computing and DSP. This makes it difficult to convince the GPU vendors
that there is a market for them in porting to VMS.

You can think of the GPU as being just like the Floating Point Systems
and Mercury array processors for the VAX, providing high-speed vector
operations from a bag hanging off the side of the CPU's bus.
--scott
--
"It's a Nagra. It's Swiss, and very, very precise."
Stephen Hoffman
2019-07-01 15:54:12 UTC
Post by Scott Dorsey
Post by IanD
The takeaway for me is that GPUs cannot be ignored going forward; they
are pivotal in anything machine-learning related, and applications
lacking a machine-learning component are starting to look a little
tired, especially as we move into stream-based learning models and
workloads. Now SQL execution may start leveraging them.
The problem here is that much of the internals on the GPUs are either
undocumented or poorly documented, so you need to be using the
GPU-vendor-provided programming environment and libraries and
duplicating that environment is difficult.
I'll take that in reverse... Programming environments, and then
graphics hardware documentation...

Related APIs here include NVIDIA CUDA for NVIDIA hardware, and Vulkan.
Among others. Among the others, OpenCL is merging into Vulkan, though
it's still in wide use. OpenGL—which OpenVMS has had some support
for—is also being replaced by Vulkan.
https://01.org/compute-runtime
https://www.khronos.org/files/vulkan11-reference-guide.pdf

There's support for both CUDA and OpenCL in clang.

https://www.llvm.org/docs/CompileCudaWithLLVM.html
https://github.com/intel/opencl-clang

If you're interested in OpenCL and related computing topics, and with a
side-helping of why minimum password lengths are necessarily getting
longer, and why weak hashes are a problem, there's always hashcat:
https://hashcat.net/hashcat/

ATI AMD has piles of doc available, too:
https://gpuopen.com/professional-compute/

OpenCL isn't too bad to use, based on some experimentation with macOS
(just) prior to the OpenCL deprecation in macOS Mojave 10.14 and the
advent of Apple Metal. Clang and OpenCL allow embedding the GPGPU code
right in the main application source, and OpenCL takes care of
compiling that into SPIR-V and invoking it on the target hardware.
https://developer.apple.com/opencl/
https://github.com/KhronosGroup/MoltenVK

If you're doing a lot of same-or-very-similar changes over big arrays
of data and enough that you've gotten your apps CPU-bound—if you're not
wedged behind I/O or memory—then offloading some of those calculations
might help reduce run-time.

VSI has (many) other things on the schedule (well) ahead of adding
support for Vulkan, but they're undoubtedly aware of OpenCL and Vulkan.

Now the use of Clang and the x86-64 support for Intel HD and Iris
graphics that's all been discussed by VSI (eventually) means less work
to add OpenCL and/or Vulkan support, though. For whoever decides to
add it. The Intel graphics documentation is available too, which is
handy for anybody that wants to try this with the embedded Intel
graphics hardware.
https://01.org/linuxgraphics/documentation

And no, I wouldn't expect Intel or AMD or NVIDIA to be particularly
working with VSI around graphics and compute support here, either.
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2019-08-29 18:33:50 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
"Understanding modern UEFI-based platform boot"
https://depletionmode.com/uefi-boot.html

"Find and fix floating-point problems"
https://herbie.uwplse.org

SQLite performance, as compared to some file systems:
https://www.sqlite.org/fasterthanfs.html

RunBMC / OpenBMC:
https://blogs.dropbox.com/tech/2019/08/runbmc-ocp-hardware-spec-solves-data-center-bmc-pain-points/


NetFlix has added in-kernel support for TLS into FreeBSD:
https://svnweb.freebsd.org/base?view=revision&revision=351522

C security-related reading:
https://multun.net/obscure-c-features.html
https://github.com/git/git/blob/master/banned.h
https://github.com/leafsr/gcc-poison
https://www.openbsd.org/papers/portability.pdf

From a recent C99-support-additions posting from VSI, and information
from elsewhere:
fpclassify, isblank, iswblank, isgreater, isgreaterequal, isless,
islessequal, islessgreater, isunordered, llrint, llrintf, llrintl,
llround, llroundf, llroundl, nearbyint, nearbyintf, nearbyintl, round,
roundf, roundl, scalbln, scalblnf, scalblnl, scalbn, scalbnf, scalbnl,
strtof, strtold, wcstof, wcstold, va_copy, wcstoll, wcstoull—various
C99-related headers were added, too.

Dublin Traceroute:
https://dublin-traceroute.net/README.md
Alas, this requires C++11, which eliminates OpenVMS.

A TLS library written in Rust:
https://github.com/ctz/rustls
Rust won't be available on OpenVMS for a while, and not until after the
port at the earliest.

Microsoft ExFAT file system documentation now has a less-constrained license:
https://cloudblogs.microsoft.com/opensource/2019/08/28/exfat-linux-kernel/
Using a FAT partition from EFI as OpenVMS does is apparently less than
common, too.

Apropos of nothing:
https://nextcloud.atypical.net/s/Z5ymZLkfjaAizsb#pdfviewer
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2020-02-27 15:40:06 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
Just dumping some more links here...

Security Book Bundle:
https://www.humblebundle.com/books/cybersecurity-2020-wiley-books

"A simple, modern and secure encryption tool with small explicit keys,
no config options...":
https://github.com/FiloSottile/age

"Minisign is a dead simple tool to sign files and verify signatures"
Uses Ed25519.
https://jedisct1.github.io/minisign/

clang improvements:
https://developers.redhat.com/blog/2020/02/11/toward-_fortify_source-parity-between-clang-and-gcc/


ssh with FIDO/U2F two-factor authentication support:
https://www.openssh.com/releasenotes.html#8.2

Modern back-end server components, a roadmap:
https://roadmap.sh/backend

OS experimentation / research / hackery:
In Rust: https://robbertkrebbers.nl/research/articles/safe_programming_rust.pdf
In Go: https://labs.f-secure.com/blog/tamago/

For folks interested in C++:
https://github.com/abseil/abseil-cpp

The libc link mostly for the folks at VSI:
https://www.openwall.com/lists/libc-coord/2020/01/30/1
--
Pure Personal Opinion | HoffmanLabs LLC
John Reagan
2020-02-27 17:19:13 UTC
Post by Stephen Hoffman
https://www.openwall.com/lists/libc-coord/2020/01/30/1
When I tried to go to that link, Malwarebytes blocked it as a trojan attack with an SSL record with an invalid length. Is that the message?
Stephen Hoffman
2020-02-27 18:14:29 UTC
Post by John Reagan
Post by Stephen Hoffman
https://www.openwall.com/lists/libc-coord/2020/01/30/1
When I tried to go to that link, Malwarebytes blocked it as a trojan
attack with an SSL record with an invalid length. Is that the message?
Not what I'm getting.
You're seemingly using Google Groups, and Google has a habit of
insinuating itself into links.
Try a cut-and-paste of the URL, if that's not already how you're accessing it?
I get to the OpenWall libc mailing list server.
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2020-04-28 16:10:04 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
Building Secure and Reliable Systems book:
https://landing.google.com/sre/books/

Usenix presentations:
https://www.usenix.org/conferences/multimedia

One of many lists of security-related presentations:
https://mobile.twitter.com/shorttelegrams/status/1243919159617974274

Archive of vendor firmware—more for what VSI will be experiencing as
they start to contend with maintaining x86-64 hardware:
https://fwupd.org

HPE hardware EOSL dates:
https://www.parkplacetechnologies.com/end-of-service-life/hpe/

Understanding how security breaches work on HP Windows systems, which
can help in understanding how to harden your own network-connected apps
on OpenVMS:
https://d4stiny.github.io/Several-Critical-Vulnerabilities-on-most-HP-machines-running-Windows/


MUST, SHOULD, DON'T CARE: TCP Conformance in the Wild:
https://arxiv.org/abs/2002.05400

How Does SSH Port Forwarding Work?
https://ophirharpaz.github.io/posts/how-does-ssh-port-forwarding-work/

A tool for reversing firmware images, binwalk is really handy:
https://github.com/ReFirmLabs/binwalk

wcc might be interesting to play with, particularly as OpenVMS x86-64
becomes available:
https://github.com/endrazine/wcc

Kernel lock-down; preventing root from making kernel modifications.
https://mjg59.dreamwidth.org/55105.html
VSI will probably be looking to address this for OpenVMS, though there
are presently many other security and isolation issues ahead of this.

TLSv1.3 and performance:
https://netflixtechblog.com/how-netflix-brings-safer-and-faster-streaming-experience-to-the-living-room-on-crowded-networks-78b8de7f758c


And US pandemic response data:
https://www.justsecurity.org/69650/timeline-of-the-coronavirus-pandemic-and-u-s-response/
--
Pure Personal Opinion | HoffmanLabs LLC
IanD
2020-05-08 22:58:31 UTC
Another treasure trove of links, thank you
Stephen Hoffman
2020-09-22 22:02:41 UTC
Post by Stephen Hoffman
FWIW... Some interesting topics, and some topics related to recent
discussions here in the comp.os.vms newsgroup. Some relevant to
OpenVMS. Some not.
Mostly not-OpenVMS topics, this trip...

Some recommendations on multi-factor authentication from the US
National Security Agency (NSA):
https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF

OpenVMS largely lacks multi-factor...

New velocity-focused Arm server cores:
https://www.anandtech.com/show/16073/arm-announces-neoverse-v1-n2
Things get ever-more interesting for the folks at Intel and AMD.

Operating systems and Big, Big, Big Servers—did I mention Big, like
really, really big?
http://addxorrol.blogspot.com/2020/07/the-missing-os.html

Persistent-memory file system discussion:
https://lkml.org/lkml/2020/9/15/517

Low-level x86 performance optimization, and the sorts of thing that
code generators get to deal with:
https://www.agner.org/optimize/microarchitecture.pdf

Attacks, mitigations, and increasing the difficulty of executing
unauthorized or unintended code, Arm, IoT, and otherwise:
https://azeria-labs.com/downloads/Keynote_ArmResearchSummit2020_Azeria.pdf

Some roadmaps for learning about some newer areas of tech, with more
areas being added.
https://roadmap.sh
No, I'm not planning on uploading an OpenVMS roadmap.

Good write-up on the difficulties of massive code-bases, issues
absolutely familiar to all that have worked in larger code-bases:
https://www.bungie.net/en/Explore/Detail/News/49189

Data decryption tooling:
https://github.com/Ciphey/Ciphey

Apple platform security presentation, for some background on modern
security mechanisms and mitigations:


Updates to an interesting documentation tool:
https://blog.jupyter.org/announcing-the-new-jupyter-book-cbf7aa8bc72e

Chip-level vulnerabilities in Qualcomm's Snapdragon DSP, as
hardware-level "fun" continues to be identified:
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/

Sandboxing and Workload Isolation, with some parallels to writing and
securing OpenVMS apps:
https://fly.io/blog/sandboxing-and-workload-isolation/

From the world of ever-smaller features and fabs, a rumor that Apple
has booked the entirety of TSMC 5nm production:
https://www.extremetech.com/computing/315186-apple-books-tsmcs-entire-5nm-production-capability
--
Pure Personal Opinion | HoffmanLabs LLC
John Reagan
2020-09-23 15:01:21 UTC
Post by Stephen Hoffman
Low-level x86 performance optimization, and the sorts of thing that
https://www.agner.org/optimize/microarchitecture.pdf
And people should keep this URL and not download the .PDF. The document is a living document. I've read it for a few years now.

Unlike Alpha and Itanium where there are just a handful of low-level microarchitectures, the x86 world is much larger. When people ask me about hand-optimizing x86 assembly, I point them to this manual. They go away and never come back.
IanD
2020-10-01 07:35:42 UTC
Post by John Reagan
Post by Stephen Hoffman
Low-level x86 performance optimization, and the sorts of thing that
https://www.agner.org/optimize/microarchitecture.pdf
And people should keep this URL and not download the .PDF. The document is a living document. I've read it for a few years now.
Unlike Alpha and Itanium where there are just a handful of low-level microarchitectures, the x86 world is much larger. When people ask me about hand-optimizing x86 assembly, I point them to this manual. They go away and never come back.
I opened the document and started to have a look, then ran away myself!