I have just published an article about Vulnerability Engineering in Wintercore's blog (Spanish version in 48bits.com). It focuses on applying Software Engineering metrics to the world of Vulnerability Research, which can give us an idea about how Reliable a Software Product is.
In this article I analyze five applications: Microsoft's Explorer, Sun's Java JRE, Apple's QuickTime, HP NodeManager and Adobe Reader. The conclusion I formulated after writing the article was that the reliability of a Software Product is too low to be even bad.
QuickTime's users are 99% of the time exposed to at least one unfixed vulnerability, which I think should ban these products from almost all computers.
I hope you enjoy the article.
Computer Security, Software Engineering, vulnerability engineering
A few posts ago I wrote about integrating SQUID and Active Directory in order to allow/deny users access to specific webpages depending on the groups a user belongs to.
The Windows package of Squid comes with several external programs which can be used as external ACLs to query the local Active Directory in order to grant or deny access. The one dealing with users and groups is called mswin_check_ad_group.exe which, like all external ACLs, reads standard input looking for a user and a group and returns whether the user belongs to the given group.
This is fine and pretty straightforward, but it has a PROBLEM: it only works with Groups whose scope is set to "Domain Local", which turns into a drawback when your users belong to Groups with Global scope. I haven't found any documentation explaining how to achieve this, so I have created a simple external ACL in Python to perform this task.
You only need to download pywin32 and the Active Directory plugin for Python. After installing, just use the following code, which will return OK IFF the user belongs to the given group (no matter which scope):
Read the rest of this entry
Active Directory, Python, SQUID, windows
In this last post about NSIS I am going to describe how to use some of the most useful plugins, which will allow you to create a pretty decent and feature-full installer for Windows.
- Checking for administrator privileges:
userInfo::getAccountType
Pop $0 ;Account type of the current user, e.g. "Admin", "Power", "User" or "Guest"
StrCmp $0 "Admin" +3 ;If it is "Admin", skip the MessageBox and the Return
MessageBox MB_OK "You need Administrator privileges: $0"
Return
This chunk of code will pop up a window with the proper notification. The StrCmp statement compares the $0 variable popped from the stack against "Admin" and, if they are equal, continues execution at the 3rd line of code, the one below Return.
- Downloading and executing, e.g. an external installer:
NSISdl::download /TIMEOUT=30000 "http://www.advansen.com/this/is/a/test/advansen.msi" "$INSTDIR\advansen.msi"
Pop $R0 ;Get the return value
StrCmp $R0 "success" +3 ;If the download succeeded, skip the MessageBox and the Quit
MessageBox MB_OK "Download failed: $R0"
Quit
ExecWait '"msiexec" /i "$INSTDIR\advansen.msi" /quiet'
Read the rest of this entry
NSIS, open source tools, windows
After playing for a few days with NSIS I have managed to create a full-featured installer which performs all the actions I needed. These are the following:
- Download files
- Unzip Files to a specific folder
- Execute external installers
- Modify Environment Variables
Since NSIS supports plug-ins, there are quite a few available which provide extra functionalities, such as the unzipping one.
Before going into these extra features, which will be the subject of a new post, I prefer to write down how a more complex script is structured, just to keep it for the future.
NSIS is structured in pages (page == the panel shown each time a "next" button is clicked); most of them are predefined, and you can only change the title or add extra text to them. The following is the page definition using the MUI2 interface:
!insertmacro MUI_PAGE_LICENSE "path\to\license.txt"
!insertmacro MUI_PAGE_COMPONENTS
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
Read the rest of this entry
NSIS, open source tools, windows
This post doesn't mean I haven't been working for the last two years! I just haven't been in the mood to post. I want to keep adding notes to this blog so I can remember those little, easily forgettable things I spend some time figuring out, so I can get back to the blog in the near future and not waste time again.
These days I have been playing with SQUID and the external ACL feature, which allows the user to add some amount of customization without too much work. The syntax for those external ACLs is the following:
external_acl_type <type-name> %<PARAMETER> /path/to/external/program
That's how you define an external ACL to be used afterwards. There are a bunch of allowed parameters, which the external program reads from stdin, as follows:
%LOGIN
%IDENT
%SRC
%DST
%PROTO
%PORT
%METHOD
%{Header}
The external program must write "ERR" or "OK" to stdout, plus a restricted set of extra info such as ERR error="Error message" or OK user=username. Squid doesn't allow returning any other parameter, which IMHO is terribly awful!! Enabling the return of arbitrary data would increase the power of SQUID by an order of magnitude.
Why have I been using these External ACLs? Because I want to be able to check data against an Active Directory. I haven't reached very far yet; I have just configured the AD with dcpromo and that's all.
Update: There are a few more return parameters, but still fixed and not enough IMHO.
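The group check from the earlier Squid/Active Directory post and the helper line protocol described in this one, as one added Python example that is not the author's script: it reads a %LOGIN value and a group name per line and replies OK user=... or ERR error="...", resolving nested groups so a Global group inside a Domain Local one still matches. The directory is a constructed in-memory stand-in rather than the pywin32 Active Directory lookup, and the code assumes Squid %-encodes the input fields and runs the helper without concurrency.

```python
import sys
import urllib.parse
from typing import Dict, Optional, Set

# Constructed stand-in for the directory (no real AD query): each group lists its direct
# members, users or other groups, so a Global group nested in a Domain Local group resolves
# too. Names are casefolded because AD account and group names are case-insensitive.
RAW_DIRECTORY = {
    "Proxy-Allowed": {"Developers", "alice"},   # Domain Local group holding a Global group
    "Developers": {"bob", "Interns"},           # Global group, nested one level deeper
    "Interns": {"carol"},
}
DIRECTORY: Dict[str, Set[str]] = {g.casefold(): {m.casefold() for m in ms}
                                  for g, ms in RAW_DIRECTORY.items()}

def is_member(user: str, group: str, directory: Dict[str, Set[str]] = DIRECTORY,
              seen: Optional[Set[str]] = None) -> bool:
    """True if user is a direct or nested member of group; `seen` makes it cycle-safe."""
    user, group = user.casefold(), group.casefold()
    seen = set() if seen is None else seen
    if group in seen or group not in directory:
        return False
    seen.add(group)
    for member in directory[group]:
        if member == user or (member in directory and is_member(user, member, directory, seen)):
            return True
    return False

def handle_line(line: str, directory: Dict[str, Set[str]] = DIRECTORY) -> str:
    """Map one request line ("%LOGIN group", fields %-encoded by Squid) to an OK/ERR reply."""
    fields = [urllib.parse.unquote(f) for f in line.split()]
    if len(fields) != 2:
        return 'ERR error="expected exactly two fields: user group"'
    user, group = fields
    if is_member(user, group, directory):
        return f"OK user={user}"
    return f'ERR error="{user} is not a member of {group}"'

def main() -> None:
    # Squid writes one request per line and waits for its reply, so flush after each one.
    # Assumes the default concurrency=0, i.e. no leading channel-id field on the line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Squid would reference it with something like `external_acl_type ad_group %LOGIN python helper.py` and then `acl devs external ad_group Developers`, with the group name arriving as the second field.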
When building a distributed application you sometimes need to use some kind of protocol to allow your parts to communicate with each other. In the simple example I have been using for a while, where you have an embedded client asking a centralized server for new firmware updates, you have to establish a way to log into the server and ask for the next available version you can upgrade to.
Along with the Class and Sequence diagrams you have to use the State Machine diagrams or Protocol State Machine diagrams. The main difference is that in the second one you do not need to specify embedded states.
I will write a longer post with some diagrams and nifty stuff.
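A protocol state machine for the firmware-update exchange described above, as an added Python example that is not from the post: the table of legal (state, message) pairs carries no internal behaviour, which is the property that sets a protocol state machine apart from a full state machine, and the server drops any session that sends a message out of order (a version query before login, a second login). The message names, device credentials and version list are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from enum import Enum, auto

class State(Enum):
    IDLE = auto()           # session opened, client not yet logged in
    AUTHENTICATED = auto()  # LOGIN accepted, version queries allowed
    CLOSED = auto()         # BYE, too many bad logins, or a protocol violation

# Constructed data: one device's credentials and the server's firmware images as (major, minor, patch).
CREDENTIALS = {"sensor-42": "s3cret"}
AVAILABLE = [(1, 0, 3), (1, 1, 0), (2, 0, 0)]

# The protocol state machine: which message is legal in which state, and nothing else.
ALLOWED = {
    State.IDLE: {"LOGIN"},
    State.AUTHENTICATED: {"NEXT_VERSION", "BYE"},
    State.CLOSED: set(),
}

@dataclass
class Session:
    state: State = State.IDLE
    device: str = ""
    failures: int = 0

    def handle(self, msg: str, *args: str) -> str:
        if msg not in ALLOWED[self.state]:
            self.state = State.CLOSED          # out-of-order message: drop the session
            return "ERR protocol violation"
        if msg == "LOGIN":
            ok = (len(args) == 2 and args[0] in CREDENTIALS
                  and hmac.compare_digest(CREDENTIALS[args[0]], args[1]))
            if ok:
                self.state, self.device = State.AUTHENTICATED, args[0]
                return "OK"
            self.failures += 1
            if self.failures >= 3:             # stop unlimited guessing on one session
                self.state = State.CLOSED
            return "ERR bad credentials"
        if msg == "NEXT_VERSION":
            try:
                current = tuple(int(p) for p in args[0].split("."))
            except (IndexError, ValueError):
                return "ERR bad version"
            newer = [v for v in AVAILABLE if v > current]
            # Offer the next step up, not the newest, so devices upgrade one release at a time
            return "VERSION " + ".".join(map(str, min(newer))) if newer else "NONE"
        self.state = State.CLOSED              # BYE
        return "BYE"
```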
When building an infrastructure which requires some kind of controlled extensibility, one of the most common approaches is to consider a plug-in system. But how should it be considered in the requirements and design?
The best approach seems to be to specify and close the interface with the plug-in subsystem in the main system, and afterwards develop each new subsystem independently.
The bad point of this procedure is that it can lead to loads of documentation, since you need requirements and design documentation for each new plug-in.
The good point is that the system is completely isolated from the analysis, and obviously the design, of each subsystem, which increases cohesion and encapsulation, decreases coupling and produces a cleaner product.
When designing a new application you usually have in mind a big picture of the future application, and maybe you know a given system should be decomposed as the client/server model dictates.
But when in the analysis does this factor become important? In which part of the document should you split the server and client functionalities?
I am not really sure what would be the best approach to solve this problem; for sure it depends on what the client wants you to design, but what if another client is not that sure?
For the first kind of client I came up with a simple solution: just include the client/server model as a design constraint and go on with the analysis.
If instead of the client it's you who finds out that the client/server model is the one which best fits the system architecture, I think you shouldn't consider the client/server model until the design stage.