This morning I was thinking about how much heat an automotive engine produces, which is just pumped uselessly out into the air through the radiator. It seems to me that there must be some way to make use of that excess heat to run some sort of electrical generator and charge a battery or something, gaining value at a negligible cost in gas mileage. I’m sure other people have thought of this, but I haven’t been able to find anything that they’ve done in this area that’s actually practical. If you know about anything like that, please let me know.
One of the nastiest kinds of computer security problems is the dreaded stack smashing attack. In a nutshell, this involves causing a program to write beyond the end of a buffer allocated on the stack in such a way that the return address for the current subroutine call is modified, diverting execution to a location of the attacker’s choosing. Most often, the chosen location is a snippet of malicious code which is also inserted on the stack immediately after the smashed return address as part of the same buffer overrun.
This kind of exploit relies on the fact that computer programs are very predictable. Usually, the code that reads (and overruns) the buffer will execute in an absolutely identical stack context every time. This allows the exploit code to predict the absolute address at which the malicious code will be inserted on the stack, which is important because return addresses are always absolute on pretty much every architecture…which leads to my real point in writing this. There are a lot of products out there which try to protect against stack-smashing attacks, and many of them are quite sophisticated, but my theory is that a very simple trick can reduce the severity of many stack-smashing attacks for almost zero cost.
My idea is this: replace the main() function in your program with an assembly-coded function that consumes a semi-random amount of stack space and then calls your real main() function. Ditto for your top-level function in any spawned threads. What this does is nullify the stack-smasher’s assumption that the stack state will be predictable when their code is called; their bogus return address will then point to somewhere other than where they thought. This will probably cause your program to crash, which seems bad except for two things:
- A crash is usually preferable to having your machine compromised, taken over, and used to launch further attacks.
- You’re more likely to notice a crash than the silent subversion of your machine, and more likely to do something about it.
This is absolutely not a comprehensive solution to stack-smashing attacks. Not even close. However, it should reduce the severity of a substantial subset of stack-smashing attacks, with a fairly simple implementation (achievable without special OS or library support) and zero runtime cost. If you disagree that it will work, or think it’s worthless, please feel free to say so on PlatSpot.
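The wrapper described above, as an added example that is not part of the original post: it uses C with alloca() in place of the assembly the post suggests, and real_main() stands in for the program's real main(). The address of real_main()'s buffer moves with the pad, so an absolute address computed against an earlier run no longer lands where it was expected.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Stand-in for the program's real main(): it returns the address of one of
 * its own stack locals so the effect of the pad can be observed. noinline
 * keeps the compiler from folding this frame into the caller's. */
__attribute__((noinline)) uintptr_t real_main(void)
{
    volatile char buf[64];   /* the kind of buffer an overrun would target */
    memset((void *)buf, 0, sizeof buf);
    return (uintptr_t)buf;
}

/* Consume `pad` bytes of stack, touch the region so the allocation cannot be
 * elided, then call the real entry point from the shifted stack position. */
__attribute__((noinline)) uintptr_t call_with_pad(size_t pad)
{
    volatile char *filler = alloca(pad + 1);
    filler[pad] = 0;
    uintptr_t where = real_main();
    filler[0] = 1;           /* keeps the pad (and this frame) alive across the call */
    return where;
}

/* A pad that is a multiple of 16 (preserves ABI stack alignment), under 4 KiB.
 * rand() only keeps this demo self-contained; a real wrapper would take the
 * value from the OS entropy source. */
size_t random_pad(void)
{
    return (size_t)(rand() % 256) * 16;
}

int main(void)
{
    srand((unsigned)time(NULL));
    for (int i = 0; i < 4; i++) {
        size_t pad = random_pad();
        printf("pad %4zu bytes -> buf at %#lx\n", pad,
               (unsigned long)call_with_pad(pad));
    }
    return 0;
}
```

Modern kernels apply the same idea once per process by randomizing the stack base (ASLR); this wrapper shows the effect on each call within a single run.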
Zooko’s weblog entries for yesterday and today reminded me of a link that I, in turn, have had occasion to mention to many people in the past. The Ram I/O project at UMich is intended to be just the sort of crash-resistant memory that Zooko talks about. Their belief, explained in their paper and slides, is that the real danger of losing in-memory buffers comes not from power loss – which is trivially addressable with a cheap UPS – but from things the OS (or BIOS, boot ROM, whatever) does to trash memory when it comes up. Accordingly, they designed the Rio File Cache to ensure that the memory containing unflushed disk buffers was in fact preserved through the boot cycle. The numbers they provide, both about failure probabilities and the performance implications of their work, should be food for thought.
Let’s say that I’m a large government or corporation, and I happen to notice that there’s content on Freenet that I want to suppress. Freenet is designed so that I can’t delete the content…or can I? What if I insert a bunch of garbage data, and then create lots of requests for that data? The requests could come from many sites all over the network, and don’t have to be sufficient to disable the network itself; they just have to be enough so that the “bad” content drops out of everyone’s cache, because – as we all know by now – Freenet does nothing to prevent that. What could Freenet do about it?
- It could start banning my nodes. Besides the fact that this is, in itself, a form of censorship, it might be difficult to achieve. Unless everyone is banning my node, I can just reconnect elsewhere and Freenet’s own anonymity would hide my requests’ origin after the first hop. Getting everyone to ban me at once requires that they all agree on who deserves banning, and achieving such agreement in a decentralized anonymous network might be just a teensy bit difficult.
- Another alternative would be to refuse to accept my “garbage” based on its content. This is another form of censorship (internal, this time), and good luck finding heuristics that will reliably distinguish “garbage” from “legitimate” content.
- The last, and most obvious, answer would be to provide a data-availability guarantee. Once inserted, content will not “disappear” just because it’s not popular. If you can’t find room for new data because the system’s full of old data, insertion of the new data will fail, so that the person attempting insertion knows about it and can possibly do something about it.
I’m sure that some of the Freenetistas would try to find some rationalization for why censorship by the people who write the Freenet code is more acceptable than censorship from anywhere else, but it doesn’t matter. Even if the ethical quandaries of the first two approaches can be explained away, they’re very far from being implemented today and might not be implementable at all. The only way to make Freenet truly censorship-proof would be to provide a data-availability guarantee. Have fun, guys. Too bad your system was designed to drop data.
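A toy model of the argument above, added here and not part of the original post or of Freenet's own code: the same tiny cache run under a popularity-based eviction policy and under the availability guarantee, against a constructed flood of garbage inserts each followed by a request. Only the second policy keeps the unpopular item, and it does so by refusing the insert so that whoever attempted it finds out.

```c
#include <stdbool.h>
#include <string.h>

enum { CAPACITY = 4, KEYLEN = 16 };   /* a tiny cache so the effect is easy to see */
enum policy { EVICT_LEAST_REQUESTED, REFUSE_WHEN_FULL };
struct cache {
    unsigned clock;               /* advances on every request or insert */
    char key[CAPACITY][KEYLEN];   /* "" marks a free slot */
    unsigned last_used[CAPACITY];
};
static int find(const struct cache *c, const char *key)
{
    for (int i = 0; i < CAPACITY; i++)
        if (strcmp(c->key[i], key) == 0) return i;
    return -1;
}
/* A request refreshes the item's timestamp; returns whether it was cached. */
bool cache_request(struct cache *c, const char *key)
{
    int i = find(c, key);
    if (i >= 0) c->last_used[i] = ++c->clock;
    return i >= 0;
}

/* Insert new content; returns false if it was refused for lack of space. */
bool cache_insert(struct cache *c, const char *key, enum policy p)
{
    int slot = find(c, "");       /* a free slot, if any */
    if (slot < 0) {               /* cache is full */
        if (p == REFUSE_WHEN_FULL) return false;
        for (int i = slot = 0; i < CAPACITY; i++)   /* evict least recently requested */
            if (c->last_used[i] < c->last_used[slot]) slot = i;
    }
    strncpy(c->key[slot], key, KEYLEN - 1);   /* index KEYLEN-1 stays 0 from init */
    c->last_used[slot] = ++c->clock;
    return true;
}

/* Constructed scenario: one unpopular but legitimate item, then a flood of
 * garbage inserts, each followed by a request. Does the item survive? */
bool target_survives(enum policy p)
{
    struct cache c = { 0 };
    cache_insert(&c, "legit", p);
    for (int n = 0; n < 2 * CAPACITY; n++) {
        char g[KEYLEN] = { 'g', (char)('0' + n) };   /* "g0", "g1", ... */
        if (cache_insert(&c, g, p)) cache_request(&c, g);
    }
    return find(&c, "legit") >= 0;
}
```

target_survives(EVICT_LEAST_REQUESTED) returns false and target_survives(REFUSE_WHEN_FULL) returns true; the flood never needs to be large enough to hurt the network, only larger than the cache.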
DNS updates finally seem to be occurring, directing people to the new site (this one). I’ll give it another day or so and then do a little bit of housekeeping to clean up the current ugly URL and undo some of the hacks that were made necessary by the original mishandling of the move by JTLnet.
Last night’s Olympic ladies’ figure skating raised some interesting questions for many people. How, they ask, could it happen that Michelle Kwan was ahead of Sarah Hughes before Irina Slutskaya skated, and then behind after? How did one skater’s performance affect the relative placement of two others? These two questions actually boil down to two deeper ones:
- How did Sarah Hughes win the long program?
- How does her having won the long program translate into her winning the overall event, given that she had placed fourth in the short program?
Brian Cazeneuve of Sports Illustrated provides a pretty good answer to the second question so I’m going to leave it alone. In my opinion the first question is the more interesting of the two anyway.
I found the detailed results, including each judge’s score, on the official 2002 Winter Olympics website. What you should look at are the “ordinals” for the long program for the first three athletes, adjusted to show rankings only among those three. I’ve condensed the result into a small table for easier reference:
Figure-skating enthusiasts who check the full results will notice that in several cases a judge gave the same total score to two contestants (judges 1 and 5 for Slutskaya and Kwan, judge 2 for Hughes and Kwan, judge 7 for Hughes and Slutskaya). Those same fans would probably already know that ties are broken in favor of the skater with the highest presentation score; maybe one of them can tell me what happens if both scores are identical, which didn’t happen in any of those four cases.
So why is any of this interesting to anyone besides figure-skating fans? Why did I file this under “politics”? It’s because the question of how these numbers translate into a win for Hughes is a question of how to design a fair voting system. As it happens, Hughes had five out of nine first-place ordinals for a clear overall win. Imagine for a moment, though, that judge 8 had given Hughes a 5.7 instead of a 5.8 for presentation. This would have left her tied with Kwan for the top overall score according to that judge, with Kwan getting the nod based on the presentation-score tiebreaker. Now nobody has a clean win, because the first-place votes would be split 4/4/1. What happens then?
This Voting Systems FAQ is a good source for background information about such issues. One common approach in these sorts of situations is runoff voting, but then we run into another problem. Each of the three contestants was judged, by a majority of the judges, to be in one of the top two spots. This can happen because there are eighteen total “first or second” votes, and each contestant only needs five to get the majority needed to qualify for a runoff. Runoff voting, therefore, does not help in this situation. It is (or, more precisely, would have been) a perfect illustration of runoff voting’s inadequacy for resolving certain types of conundrums.
An even more interesting situation would have occurred if we had combined the previous thought experiment with the arbitrary selection of only three judges – let’s say judges 2, 7, and 8. No, that was not a random choice. Let’s see what happens to the ordinals between these three contestants for these three judges, with the aforementioned change to judge 8’s presentation score for Ms. Hughes:
Look at that for a minute, and try to figure out how you’d determine a winner. Ha ha, gotcha. Troubling, isn’t it? As it turns out, two out of three judges placed Hughes ahead of Slutskaya, two out of three placed Slutskaya ahead of Kwan, and – here’s the kicker – two out of three placed Kwan ahead of Hughes! It’s a “Condorcet rule” cycle, and there’s really no solution within any system based on ordinals; the only reason we don’t run up against this more often in real life is mere statistics, not any guarantee within the system that it can’t happen. I’m not going to use all of this as a reason to suggest changes to the way figure skating is judged, by the way. I don’t really care much. I just thought this current event provided a good starting point for a timeless exploration of general ideas about voting. I hope you enjoyed taking the trip with me.
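The three-judge cycle above, as an added example that is not part of the original post: the ballots are constructed to reproduce the 2-of-3 pairwise outcomes described (the post's ordinals table is not reproduced here), and condorcet_winner() returns -1 because no skater beats both of the others head to head.

```c
enum { NCAND = 3, NJUDGE = 3 };
enum { HUGHES, SLUTSKAYA, KWAN };

/* Constructed ballots (best first), chosen to reproduce the 2-of-3 pairwise
 * outcomes the post describes for judges 2, 7 and 8; not the real 2002 ordinals. */
static const int ballot[NJUDGE][NCAND] = {
    { HUGHES, SLUTSKAYA, KWAN },
    { SLUTSKAYA, KWAN, HUGHES },
    { KWAN, HUGHES, SLUTSKAYA },
};

/* Position of candidate c on one ballot: 0 means first place. */
static int rank_of(const int *b, int c)
{
    int i = 0;
    while (b[i] != c) i++;
    return i;
}

/* prefer[a][b] = number of judges who placed a ahead of b. */
void pairwise(int prefer[NCAND][NCAND])
{
    for (int a = 0; a < NCAND; a++)
        for (int b = 0; b < NCAND; b++) {
            prefer[a][b] = 0;
            for (int j = 0; j < NJUDGE; j++)
                prefer[a][b] += a != b && rank_of(ballot[j], a) < rank_of(ballot[j], b);
        }
}

/* The candidate who wins every head-to-head contest, or -1 if there is none;
 * with three candidates and an odd number of judges, -1 means a cycle. */
int condorcet_winner(void)
{
    int prefer[NCAND][NCAND], a, b;
    pairwise(prefer);
    for (a = 0; a < NCAND; a++) {
        for (b = 0; b < NCAND; b++)
            if (a != b && prefer[a][b] <= prefer[b][a]) break;
        if (b == NCAND) return a;   /* a beat everyone else */
    }
    return -1;
}
```

With these ballots pairwise() reports Hughes over Slutskaya 2-1, Slutskaya over Kwan 2-1 and Kwan over Hughes 2-1, which is exactly the cycle the post describes.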
P.S. Even though I just said I didn’t care, I extend my heartfelt thanks and congratulations to all three of these ladies – most especially to Sarah Hughes – for a well-contested exhibition of grace and athletic prowess.
I came up with something more difficult than a regular googlewhack: a googlewhack where both words start with the same letter. What makes it extra difficult is that there are a lot of word lists out there that will trip you up. It can be hard to find something that’s in Google’s dictionary but not in the $#@! word lists.
Nonetheless, I was able to find one that is fully legal and even includes my favorite word: preprandial platypus. Beat that.
February 23 update: Google crawled my previous whack already, invalidating it (now there are two hits), so I came up with inebriated monotreme to replace it. Not quite as cool, but since this page changes dynamically all of my invalidated whacks will regenerate eventually.
In the past, I have enthusiastically used and recommended NetCaptor as a Windows browser, despite the spyware that used to come bundled with the free version. As of version 7.0, though, I can no longer recommend it. I’m a software engineer, I know what “beta” means, and I still cannot recommend anything to the public even as a beta that (a) periodically sucks up all memory in the system and (b) is possessed by the minimize/exit popup menu from hell which turns every click anywhere on the Windows task bar into a game of Whack-A-Mole. The author’s response to my reports of these problems has only further eroded my confidence in the product’s direction.
As a result, NetCaptor has now been uninstalled on my systems, replaced by the almost functionally identical Crazy Browser. CB has its own eccentricities (links toolbar in reverse order, pages opened from favorites always open in a new tab regardless of how options are set) but so far it has not threatened to drive me into a homicidal rage like the latest versions of NC were doing…and the CB developers so far seem much more responsive to feedback. The king is dead; long live the king.
On a lighter note, this D&D personality test tells me I’m a chaotic good elf ranger bard. I think that’s actually a pretty good fit, except for the bard part. I’ve just never found music as interesting as the people around me seem to, and I also feel like I’m unusually devoid of any talent for making music either. On the other hand, bards weren’t only musicians, and I probably fit the rest of the description pretty well.
I found this Philosophical Health Check quite interesting. Considering that I’m a former philosophy major, hater of inconsistency, and generally introspective person, I was not surprised to get an unusually-low score of 7% for “philosophical tension”. The only source of such tension was a superficial inconsistency between my answers to questions 15 and 22. I’m quite satisfied with my resolution of that inconsistency, but it was certainly worthwhile to take the test and have it brought to my attention.