Creating a secure system requires knowledge of almost every domain on the periphery of the application you are building, and of how all those technologies fit together. For example, working on blockchain systems requires you to have an idea of what goes on in distributed networks, the data structures, the contract flow, the cryptographic key generation, and a lot more.
The most important thing in creating a secure system is reaching out to the edges of the software's use cases: absolute critical thinking. This blog covers a few very basic challenges faced in building and checking software. The following blogs will then cover the terms that are very important for creating great security software. We'll also cover (at the end of this BIG blog) the working of a few good analysers and bug finders.
Let's get on ramp...
In this micro-blog
What am I talking about?
Why am I talking about it?
Have you heard before? (The "goto fail;", Heartbeat, Meltdown, Spectre)
What is the world up to against such ____ ?
Basic Challenges faced
Unimportant sounding complete terms
Motivation behind
Basic Challenges faced
It is really simple to understand how a program analyser works. The approach is rough but straightforward: there is code that you want to check, and certain "specifications" for what you want to look for in the program. These specifications are also known as invariants. In mathematics, invariants are the properties of an "object" that remain unchanged.
Leaving a very short note here, as I have not yet discussed formal languages and methods: "In formal languages, invariants can be used to prove what is called correctness".
Chuck the above line off for a while.
This is simply what a program analyser does.
Now, what exactly will a program analyser be working on? As a simple guess, it will "detect" certain inputs for the program fed to it -> check the program for crashes -> show reports.
This works easily for a simple 10-line program, but what if the program runs to ~10,000 lines, with a variety of input cases and boundary conditions? And the biggest doubt: how will you make the analyser "detect" the inputs?
Machine Learning?
Nah, this is no Machine Learning. Though it could carry an application of Machine Learning.
Understanding challenges
Look at the following code, this will help you comprehend the further blog.
Suppose we try to analyse this program by finding the various paths that different sets of inputs can generate. But,
How will we be able to find the different inputs that take the different paths?
And even if we are able to come up with different inputs, are we going to write those inputs manually?
No! Not at all. These challenges have been solved very gracefully.
Future blogs will cover those techniques as well.
As you have already seen how critical small bugs can be, the fatal injury they can cause to your data privacy can't be overlooked.
Creating a fault-free system is extremely tough, and this is what the world or your own startup demands from you. There has been a boom in AI startups: as simple as that, create an AI application (not talking about a few very intellectual startups like GENOME) and make your startup. Well, what if I tell you that even that one particular startup at some stage has to go through a few critical checks regarding privacy and security?
Well, this blog will cover a few things about what the world is currently doing against these bugs and vulnerabilities.
What is the world up to against such ____ ?
Okay, turning over to my fav, Blockchain: suppose you have created your very own smart contract and are ready to get into business with quick trading of your coins.
But how would you ensure that your smart contract is "ACTUALLY" safe to trade coins? Or that it doesn't leak information to people it shouldn't?
Let me tell you about an interesting case, the DAO attack. If you have a little knowledge about smart contracts[1], you might know that they are the simple rules governing an application on a blockchain. If not, watch a video.
The Decentralised Autonomous Organisation (DAO) is considered to be the very first large-scale Ethereum application (Ethereum being the most famous platform for building and deploying blockchain applications). Let me first tell you about the very error that the smart contract creator made:
On the Ethereum blockchain, these so-called smart contracts are "public", so they can be called by any other smart contract, at any time. So when, in the contract (look at the flow), you call the function bankAddress.withdraw(), the flow goes to sender.call.value(), which actually sends some currency (ETHER, the cryptocurrency Ethereum works on) to the contract on the right-hand side. The flow then goes to the payable function given below, which the contract needs in order to accept the payment. If you look closely, the right-hand contract has another withdraw call!!!!! This is called the reentrancy attack, registered in the SWC Registry (Smart Contract Weakness Classification and Test Cases).
Exciting, isn't it? This will actually make a loop of payments, without the balance being deducted on the very next line of the left contract.
This small bug actually drained cryptocurrency worth around $50 million into the attacker's account before the maintainers could fix it.
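The flow described above, as a small C model added here for illustration (it is not the DAO's contract code; the Bank struct, withdraw(), the callback and the deposit figures are all assumptions of this example). It runs the same withdrawal twice, once updating the balance after the payment and once before it, and checks the invariant that no account is ever paid more than it deposited.

```c
#include <stdio.h>

enum { OTHER_USERS = 0, CALLER = 1 };

typedef struct Bank Bank;
typedef void (*receive_fn)(Bank *bank, int account);

struct Bank {
    long pool;          /* ether held by the bank contract */
    long deposited[2];  /* what each account put in */
    long balance[2];    /* what the bank believes it still owes */
    long paid[2];       /* what each account has actually been sent */
    int  safe;          /* 0: send, then update; 1: update, then send */
};

/* Models withdraw(): sending ether hands control to the receiver's code. */
void withdraw(Bank *bank, int account, receive_fn on_receive)
{
    long amount = bank->balance[account];

    if (amount == 0 || bank->pool < amount)
        return;
    if (bank->safe)
        bank->balance[account] = 0;   /* effect before the external call */
    bank->pool -= amount;
    bank->paid[account] += amount;
    on_receive(bank, account);        /* external call: may re-enter */
    if (!bank->safe)
        bank->balance[account] = 0;   /* too late: runs after the re-entry */
}

/* Models the receiving contract's payable function calling withdraw again. */
static void reentrant_receive(Bank *bank, int account)
{
    withdraw(bank, account, reentrant_receive);
}

/* The property an analyser would check: nobody is paid more than deposited. */
int invariant_holds(const Bank *bank)
{
    for (int a = 0; a < 2; a++)
        if (bank->paid[a] > bank->deposited[a])
            return 0;
    return 1;
}

/* Constructed scenario: other users deposited 9, the caller deposited 1. */
void run(Bank *bank, int safe)
{
    Bank fresh = { 10, { 9, 1 }, { 9, 1 }, { 0, 0 }, safe };

    *bank = fresh;
    withdraw(bank, CALLER, reentrant_receive);
}

int main(void)
{
    Bank b;

    for (int safe = 0; safe <= 1; safe++) {
        run(&b, safe);
        printf("%s: caller paid %ld, pool left %ld, invariant %s\n",
               safe ? "update-then-send" : "send-then-update",
               b.paid[CALLER], b.pool,
               invariant_holds(&b) ? "holds" : "VIOLATED");
    }
    return 0;
}
```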
A whole lot of research scientists are working on preventing such vulnerabilities and analysing the risks involved.
A small excerpt[2] to tell you about risk, vulnerabilities and bugs:
"Vulnerability (weakness) is a gap in the protection efforts of a system, a threat is an attacker who exploits that weakness. Risk is the measure of potential loss when the vulnerability is exploited by the threat e.g. Default username and password for a server – An attacker can easily crack into this server and compromise it."
Now, what people are actually doing!
When modern computer science was actually developing (since the 1980s or even earlier), there was a whole lot of research into defining standard definitions and notations applicable to almost every computer science concept. These notations involve formal languages, and the definitions of systems, states, properties, hyperproperties etc. are still followed to define standards for secure systems.
Researchers usually rely on program analysers, which actually look at the dark corners of the program and report the vulnerabilities, based on which the risk involved is decided.
There are always certain properties and conditions a program should follow, and others it should not.
For example, in the DAO reentrancy, the contract was found to be deducting the amount more than once while calling the withdraw function. This condition, that the contract should never transfer more than the withdrawn amount, is framed within the program analyser and checked for failure. Such framed conditions are called SATISFIABILITY. Software called SAT/SMT solvers is built for that purpose.
There are certain techniques that are followed to detect vulnerabilities and calculate the risks involved with these systems:
Symbolic execution (following the flow of the program to find its failure points; this is generally COMPUTATIONALLY expensive, so there are methods to make it more efficient)
Model checking techniques
Fuzzing systems, etc.
I have planned to write separate, complete blogs on these (program analysers, formal methods, blockchain vulnerabilities) in the upcoming days of this #20 Days series.
Security tools available for Ethereum
At CEV, we basically focus on creating inquisitiveness rather than teaching a lot. After all, we are all autodidacts, searching for motivation and peers around us to learn with, in what we call "Classrooms".
Considering that, I am adding a subpart to the list below, which will tell you about a few very "well-known" CVE-registered bugs.
Prerequisites
a basic flow with the text below
Have you heard before? (The "goto fail;", Heartbeat, Meltdown, Spectre)
So this all came around 6 years back, when the "STATUS" device manufacturer, APPLE, was diagnosed with a severe bug that could have caused (or possibly did cause!) the loss of personal information of millions of users. The bug could have been a mere mistake by the programmer (a simple command + c mistake), which actually left the SSL/TLS layer between the client and the server exposed, and would have let a man in the middle attack the system to steal sensitive information of OS X and iOS users. The bug is famously known as the goto fail; bug, registered as CVE-2014-1266[1] in the Common Vulnerabilities and Exposures[2] forum.
"CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities."
"CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD)."
This came out when APPLE started rolling out an urgent security update in 2014, which caused a stir among security researchers. To make things really clear, the following is a code snippet from opensource.apple.com.
*Please ignore the random line numbers I have put here; I have put them just for reference in the follow-up text.
If you look very closely, you can find something strange in lines 37-38. If you are aware of how a normal if-else works, you will see that the flow never reaches line 39 and the lines that follow, as it is stuck at an extra goto fail;, which makes the program flow jump directly to line 87, thus skipping the very crucial signature verification required for a secure connection.
Thus compromising the SECURITY & SAFETY of APPLE DEVICES.
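The control flow described above, reduced to a small C model that is added here as an example (it is not the snippet from opensource.apple.com; hash_update(), hash_final(), check_signature() and both verify functions are hypothetical names). It shows why the duplicated line makes the function report success for a forged signature, next to the corrected form.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the handshake's hash and signature routines.
   Every name here is an assumption made for this example. 0 means success. */
static int hash_update(void) { return 0; }
static int hash_final(void)  { return 0; }
static int check_signature(int sig_is_valid) { return sig_is_valid ? 0 : -1; }

/* Same shape as the bug described above: a duplicated "goto fail;". */
int verify_buggy(int sig_is_valid)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* not guarded by the if: always runs, with err == 0 */
    if ((err = hash_final()) != 0)
        goto fail;
    err = check_signature(sig_is_valid);   /* skipped on every call */

fail:
    return err;      /* 0 is reported to the caller as "verified" */
}

/* Duplicate removed and every branch braced, so a stray line cannot slip
   out from under its condition unnoticed. */
int verify_fixed(int sig_is_valid)
{
    int err;

    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = check_signature(sig_is_valid);

fail:
    return err;
}

int main(void)
{
    printf("forged signature, buggy check: %d\n", verify_buggy(0));
    printf("forged signature, fixed check: %d\n", verify_fixed(0));
    printf("valid signature,  fixed check: %d\n", verify_fixed(1));
    return 0;
}
```

Clang's -Wunreachable-code and GCC's -Wmisleading-indentation both flag the duplicated line in verify_buggy.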
This vulnerability can be spotted "iOS from some point prior to 7.0.6 (I confirmed on 7.0.4) and also OS X prior to 10.9.2 (confirmed on 10.9.1). It affects anything that uses SecureTransport, which is most software on those platforms although not Chrome and Firefox"[3]
What happens in general communication between 2 devices is called the HANDSHAKE, where Device-1 asks something of Device-2 to ensure that the other device is not dead. This reciprocation of signals to assure the availability of a device is called the HEARTBEAT.
Now, this vulnerability, CVE-2014-0160[4], was a major bug in OpenSSL, an implementation that is usually used to prevent MIDDLE-MAN attackers from stealing the information passing between Device-1 and Device-2. With it, the signals between the devices are encrypted.
But during a heartbeat, suppose Device-1 says to Device-2: Hey! If you are online, send me back the word "HAT", 3 letters. Device-2 reciprocates with the same "HAT"! [clear excerpt from the video above]
But here, what if an attacker comes in between and modifies the message to Hey! If you are online, send me back the word "HAT", 500 letters? Device-2 returns HAT, but this time followed by whatever sits next to it in its memory chunk, which could be any one, two or all of the following:
• Primary key material: secret keys used for X.509 certificates
• Secondary key material: user names and passwords
• Protected content: personal and finance details like instant messages, emails and business critical documents.
• Collateral: other details in the leaked memory content such as memory addresses, etc.
Doesn't it look scary, people?
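The "HAT, 500 letters" exchange above as a runnable C model, added here as an example (it is not OpenSSL's code; the 2-byte length prefix, the memory array, the function names and the secret string are constructed for this illustration). The first reply function trusts the length written in the request, the second compares it with what actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Device-2's memory. The request record and an
   unrelated secret live in one array, so the over-read below stays inside
   the array and is well-defined C. Record layout assumed for this example:
   2-byte big-endian claimed length, then the payload bytes. */
#define MEM_SIZE 1024
static uint8_t memory[MEM_SIZE];
static const char SECRET[] = "user=alice;password=constructed-demo-value";

/* Stores a request at the start of memory, with the secret right behind it.
   Returns the number of bytes that really arrived. */
size_t load_request(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);

    memset(memory, 0, sizeof memory);
    memory[0] = (uint8_t)(claimed_len >> 8);
    memory[1] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 2, payload, actual);
    memcpy(memory + 2 + actual, SECRET, sizeof SECRET - 1);
    return 2 + actual;
}

/* Trusts the length written in the request itself. This example only calls
   it with claimed lengths that fit inside memory[] and the out buffer. */
size_t reply_vulnerable(size_t record_len, uint8_t *out)
{
    size_t claimed = ((size_t)memory[0] << 8) | memory[1];

    (void)record_len;                 /* the real size is never consulted */
    memcpy(out, memory + 2, claimed);
    return claimed;
}

/* Compares the claimed length with what arrived; a request that claims
   more than it carries is dropped without a reply. */
size_t reply_fixed(size_t record_len, uint8_t *out)
{
    size_t claimed;

    if (record_len < 2)
        return 0;
    claimed = ((size_t)memory[0] << 8) | memory[1];
    if (claimed > record_len - 2)
        return 0;
    memcpy(out, memory + 2, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[512];
    size_t n = load_request(500, "HAT");   /* 3 letters sent, 500 claimed */
    size_t got = reply_vulnerable(n, out);

    printf("vulnerable reply: %zu bytes, starting \"%.45s\"\n",
           got, (const char *)out);
    printf("fixed reply: %zu bytes\n", reply_fixed(n, out));
    return 0;
}
```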
Well, I have a lot to say about bugs. I will just list the other two here, and will write another sub-blog on them if required. These are even more scary and super-advanced! Just think about the ability of the people exploiting them.
I came across these "super-critical vulnerabilities" when working with Dr Pramod, IITK, at his lab.
These vulnerabilities work in conjunction with one another.
Their point of attack is the isolation between 2 applications on your PC's processor. Whenever one app transmits data to another app, say browser to notepad, the information transferred goes through a transit, which is just where the MELTDOWN attack happens. (Since a very basic explanation is already provided in the link above, I do not wish to duplicate it.)
These bugs are super-easy to make, but can have catastrophic effects on the privacy of your sensitive data. As simple as they look (the goto fail; bug), the higher the vulnerability they carry!
Don't lose heart if you couldn't get half of the content; just give it a re-read with more focus, and if you still don't, wait for more stuff to come.
Hey guys, I was just sitting and thinking about what else could be initiated in CEV, as an attempt to show my college people something “Cutting-Edge” that I can actually share with the undergrads here, what is called “The Road not taken!”
With that, I came up with the thought of starting a series of micro-blogs on “Why?” and “What in?” in Security for the next 20 days.
What am I talking about?
Well, whenever a system does whatever it shouldn’t, that points towards a clue that the system is not safe/secure. The smaller and simpler the words look, the bigger the journey they carry. Imagine your system should not store your passwords in a file on the desktop, and it does! Find it scary, y’all, right?
A system is secure when it keeps itself from doing harm executed intentionally by an attacker, and safe when it says no to harm caused unintentionally.
These harms could be anything: crashing where it shouldn’t, leaking information, leaving traces for attackers, deadlocks, and most importantly not reaching a state “it should reach!” (that means a system should reach a desired state without leaving any harmful trace behind).
In the further text I’ll try to keep my focus on the so-called safety and security of systems in general.
Why am I talking about it?
Recently, one of my teammates, Priyansh, a year my junior, reached out to me asking about BACKDOORS, which very loosely means that an attacker is able to find a way to bypass the normal authentication or login process and gets access to internal data!
I read around for additional information and was suddenly struck by an interesting case, when Edward Snowden, an Ethical Hacker and a CIA employee, turned whistleblower on the National Security Agency (NSA), revealing highly classified information stored by the United States! “They wanted me gone! - Edward Snowden”, after revealing the greatest information burglary in history, where the NSA secretly “backdoored” data of SKYPE calls of its citizens.
What could you do about that now? What if you want to succeed in stopping the backdoors? This is the very place where the SAFETY and SECURITY of a software/system/software-system comes in! Now, go back to the definitions of SECURITY & SAFETY and relate how crucial they are!
I am not talking about a few benign functional bugs, but super-sensitive SECURITY BUGS, which can even allow attackers to take over your machine.
A few bugs, whose cost in “the US in 2018 is approximately $2.84 trillion” in a year.[1]
Excited??? A lot of technical stuff is coming up, so gear up. Though I’ll take this coaster a bit slowly.
And since my mind always boggles about applications and new technology, I’ll take practical cases from my beloved tech, the BLOCKCHAIN, and also for another reason: many won’t attend to the blog until a “BUZZWORD” comes in.
I will pick up examples from TENDERMINT (PoS consensus) and ETHEREUM, the techniques used to cover this up, and the special “Road not taken stuff”. I will talk about the motivation behind this stuff in the very next part of this series. The series will also cover what researchers have been doing for decades, and what has not gone old-school to date.
For the past few days, there has been a buzz everywhere, not only in India but around the world. For some it’s a challenge; for others it’s pride. So, what’s it all about? You are right: for every Indian, it’s a moment of great pride and honour to launch our next moon mission, Chandrayaan-2. But before discussing it, let us brush up our knowledge of the whole series of Indian lunar missions, “THE CHANDRAYAAN PROGRAMME”.
Why Moon?
Since childhood we have been witnessing the white round moon ‘our chandamama’ grow big and small daily. Many of us had dreamt to go to the moon and play with the stars. But growing up we realise that the moon is not our neighbour next window but yes somewhere closer to our childhood. So, let’s fulfil our childhood dream and fasten our seatbelts to go to moooooooon!!!!!!
Being Earth’s only natural satellite moon provides the best linkage to Earth’s early history. It had witnessed each and every moment of our existence. It offers a great historical record of the inner Solar system environment. Though there are a few explained models, the origin of the Moon still needs further explanations. Extensive mapping of the lunar surface, to study variations in lunar surface composition is essential to trace back the origin and evolution of the Moon and this can further be helpful to study the origin and evolution of solar system and universe.
Chandrayaan programme is India’s Lunar Exploration Program. It is a series of outer space missions under the Indian Space Research Organisation (ISRO). The program consists of different parts which are a lunar orbiter, impactor, future lunar lander and rover spacecraft.
The Chandrayaan project was announced on 15 August 2003 by then Prime Minister Atal Bihari Vajpayee. This program was launched to boost Indian space programs and to inscribe India’s name in history.
Chandrayaan is a multi-phase mission-
The first phase includes the launch of CHANDRAYAAN – 1 which was a lunar orbiter.
The second phase includes the launch of soft lander/Rover Vikram and Pragyan as CHANDRAYAAN-2.
The third phase is planned to be an in-situ sampling collection expected in 2024 as CHANDRAYAAN-3.
CHANDRAYAAN-1
Launched on 22 October 2008 Chandrayaan 1 was the first milestone for Indian lunar programme. It was launched by ISRO from Satish Dhawan Space Centre, Sriharikota. It was unique in its sense that it was researched and developed fully in India by Indian scientists and researchers. The vehicle was inserted in the lunar orbit on 8 November 2008. On 14 November 2008, the Moon Impact Probe (MIP) separated from the Chandrayaan orbiter at 14:36 UTC and struck the south pole in a controlled manner, making India the fourth country in the world to place its flag on the Moon. The probe hit near the crater Shackleton at 15:01 UTC (20:31 IST). The location of impact of the probe was named as Jawahar Point.
The estimated cost of the project was around ₹386 crore (USD 56 million). Along with other objectives, the area around the polar regions was of high interest as it may contain ice and may result in the discovery of water on the moon. The lunar mission carried 11 payloads in total: five of them were ISRO payloads and six were payloads from other space agencies including NASA, ESA, and the Bulgarian Aerospace Agency. The payloads from these agencies were carried free of cost.
The stated objectives of this mission were: –
perform high-resolution remote sensing of the moon in – visible, near-infrared (NIR), low energy X-rays and high-energy X-ray regions
survey the lunar surface to produce a complete map of its chemical characteristics
prepare a three-dimensional atlas of both near and far side of the moon
conduct chemical and mineralogical mapping of the entire lunar surface for distribution of mineral and chemical elements such as Magnesium, Aluminium, Silicon, Calcium, Iron and Titanium and also high atomic number elements such as Radon, Uranium & Thorium.
test the impact of a sub-satellite (Moon Impact Probe – MIP) on the surface of the Moon as a forerunner for future soft-landing missions
The mission carried five scientific payloads from India, according to the ISRO these were:
Terrain Mapping Camera (TMC), which provided a high-resolution map of the moon.
Hyper Spectral Imager (HySI), which performed the mineralogical mapping.
Lunar Laser Ranging Instrument (LLRI), which returned information about the moon’s topography (height of certain features).
High Energy X-ray Spectrometer (HEX), which examined radioactive elements on the surface.
Moon Impact Probe (MIP), which was intentionally crashed into the moon’s south pole. Its impact helped Chandrayaan-1 in its search for lunar water.
What happened when: Timeline of Chandrayaan – 1
15th August 2003: Chandrayaan programme was announced by Prime Minister Atal Bihari Vajpayee
22nd October 2008: Chandrayaan-1 takes off from the Satish Dhawan Space Centre, Sriharikota
8th November 2008: Chandrayaan-1 enters the Lunar Transfer Trajectory
14th November 2008: The Moon Impact Probe ejects from Chandrayaan 1 and crashes near the lunar South Pole — confirms the presence of water molecules on Moon’s surface
28th August 2009: Chandrayaan-1 programme ends
What we Achieved from this mission?
1. Water on the Moon
On 18 Nov 2008, the Moon Impact Probe was released from Chandrayaan at a height of 100km. During its descent to the moon surface, Chandra’s Altitudinal Composition Explorer (CHACE) recorded evidence of water on the moon. This discovery was later confirmed by JPL-Brown University payload – Moon Mineralogy Mapper (M3), a payload by NASA. M3 detected spectral lines near the wavelengths in the range of 2.8 – 3.0 microns, a property attributed to water and Hydroxyl ions. It is believed that the formation of Hydroxyl ions and water molecules on the lunar surface is an ongoing process.
According to European Space Agency (ESA) scientists, the lunar regolith (a loose collection of irregular dust grains making up the Moon’s surface) absorbs hydrogen nuclei from solar winds. The hydrogen nuclei and oxygen present in the dust grains interact and are expected to produce hydroxyl (HO−) and water (H2O).
2. Imaging of North and South Pole of the Moon
This was done by two different devices namely –
Terrain Mapping Camera (TMC)
Hyper Spectral Images (HySI)
3. 3-D profile of Clavius (one of the largest craters on moon)
Lunar Laser Ranging Instrument (LLRI) mapped Clavius, the third largest crater on the near side of the moon, a feature observable with little aid and even with the naked eye.
4. Mapping of various minerals
The mineral content on the lunar surface was mapped with the Moon Mineralogy Mapper (M3), a NASA instrument on board of the orbiter. The Oriental Basin region of the Moon was mapped, and it indicates an abundance of iron-bearing minerals.
Chandrayaan-1 Imaging X-ray Spectrometer: The purple arrow shows the spacecraft track over the Moon; the different coloured rectangles show the area of the Moon that C1XS was looking at. The yellow and red areas show strong X-ray signals that correspond to Silicon, Aluminium and Magnesium, at the right hand end the green/turquoise area shows X-rays due to Calcium.
5. Mapping of Apollo landing sites
In January 2009, ISRO announced the completion of the mapping of the Apollo Moon missions landing sites by the orbiter. Six of the mapped sites included landing sites of Apollo 12, 14 and 16 (can be referred in the previous image).
6. Radiation environment around the Moon
Radiation Dose Monitor or RADOM-7 (a payload from the Bulgarian Academy of Sciences) examined the radiation environment around the moon.
End of the mission
The mission was launched on 22 October 2008 and was expected to operate for two years. However, around 20:00 UTC (11:00 IST) on 28 August 2009 communication with the spacecraft was suddenly lost. Chandrayaan-1 made 3,400 orbits of the moon and continued transmitting data until 28 August 2009, when controllers permanently lost communication with the spacecraft. The probe had operated for 312 days. Earlier it was believed that the craft had crashed into the lunar surface, but in 2016 it was found to be still in orbit. Although the mission lasted less than its expected duration, a team of scientists from ISRO declared the mission successful, as it had achieved 95% of its desired objectives in this time.
Chandrayaan 1 was a major success not only for the Indian fraternity but also for space science as a whole. It expanded India’s footprint in space and opened up altogether new dimensions in space. Chandrayaan-1 was lauded with a number of awards and recognitions, as below –
The American Institute of Aeronautics and Astronautics (AIAA) has selected ISRO’s Chandrayaan-1 mission as one of the recipients of its annual AIAA SPACE 2009 awards.
The International Lunar Exploration Working Group awarded the Chandrayaan-1 team the International Co-operation Award in 2008.
US-based National Space Society awarded ISRO the 2009 Space Pioneer Award in the science and engineering category.
So, this was the first Lunar mission of India, tricolour for the first time fluttered on the moon’s surface. Stay tuned for the upcoming section on Chandrayaan-2, which will surely set new heights to the Indian Space Research and fill us with immense pride and honour.