the Rust programming language promises "memory safety" that allows for a much higher degree of confidence in the correctness of high-performing low-level code compared to traditional systems programming languages like C or C++.

but what is "memory safety"? why is it important? in this infodump, let's find out!

1. What is Memory?

Memory, in computer terms, refers to somewhere data can live. While data can be in cache (on the CPU in L1, L2, and L3), in RAM (confusingly, also sometimes called memory) and on disk (via memory paging) programmers typically think of memory as a monolithic continuous chunk of space for data to live. You can put things there, and use them later. For example, consider the following pseudocode:

fn add(a: number, b: number) -> number {

return a + b;

}

let one = 1;

let two = 2;

let sum = add(1, 2);

the first thing that happens when this program is run (assuming it's an interpreted language, like python or javascript) is that the `add` function is placed into memory -- that is to say, the function is defined and tucked away for later use.

the next thing that happens is the variable `one` is created with the value 1. the `one` and `two` variables are also placed in memory, where we can access their values later by referencing them by name.

then, the interesting thing happens. we call our `add` function with the two variables (`one` and `two`) that we defined earlier. our program will go and grab the `add` function and the `one` and `two` variables, and run our function on them.

the value we get out (3) will be stored in memory, and we can access it by using the `sum` variable we created for that purpose.

As you can see, storing items in and retrieving them from memory is super important! But it seems so simple it's almost ludicrous that I've spent this many words talking about it. Why did I?

2. Well, it's really not that simple

In the previous example, I hand-waved away the actual process of allocating memory for our variables.

Allocation is when our program asks our computer for a piece of memory to store our data in -- remember, there's other things happening on the computer, so we don't get free reign!

When asked, the computer (more specifically, the operating system) will earmark some memory for our program and tell us where we can find it. The location of the piece of memory we've been given is called an address, and we use addresses when talking about the specific place we store and retrieve items from.

Just like before, we'll use variable names like "one" and "two" and "sum" to refer to things; but specifically, we'll be referring to their addresses. This is an important distinction! The address of some data tells us where the data lives, not what it contains.

To get to the actual contents of the data, we'll introduce the star operator (*). So when you see something like:

let contents_of_b = *b

you'll know that we're getting at the contents of the data, as opposed to its address.

This also works in reverse:

let some_memory = allocate_memory();

*some_memory = 420;

Here, we've allocated some memory and assigned 420 to its contents, rather than its address, by using the star operator.

Let's put some manual memory allocation into our fake program. We'll use a function called malloc (for Memory ALLOCation) that the operating system provides us when we need some memory.

fn add(a: number, b: number) {

return a + b;

}

// we've stored our add function!

// now let's store our variables,

// each of which are one byte in size

let one = malloc(1);

let two = malloc(1);

*one = 1;

*two = 2;

// make some space for our sum

let sum = malloc(1);

// and run it!

*sum = add(*one, *two);

Wow that was way worse, wasn't it? Of course it was. Memory management is horrible! Most programming languages completely avoid it, but unfortunately it's a necessity when performance is on the line. But even if it's so irritating, what's wrong with that? I mean, what can happen when you mess up?

3. What can happen if you mess up?

Everything on this list.

Many programming languages take great pains to avoid making these mistakes possible, usually with the help of a garbage collector -- a feature built into the language that manages the memory for you. But in the high performance space, languages like Rust make other guarantees that mean these sorts of things simply cannot happen.

If I had more time, I'd go into more detail about how these languages do that, but I've already spent like 30 minutes on this. So. Until then. Bye!

I absolutely love getting stuff like this in my ask box.

The best part of this was that they didn't realize I was a programmer and immediately apologized, it was cute as hell. I loved the message.

I'm helping my dad out with relocating his shed, and I had to cut a bunch of pieces of 2×4 out of varying lengths. Naturally, I pondered over how to best do this in a way that saves on the number of boards I use up. Very easily I'm sent back to my Operating Systems course in uni, namely our unit on memory allocation. Our assignment was to build our own heap manager (specifically recreate malloc/free from scratch—if you don't know what that is don't worry).

Early on, our professor proposes an issue. At the start, you'll have a continuous stretch of memory occupied, but as various parts of the heap are freed, you'll start to run into fragmentation. For the non-computer people, fragmentation is when you have a lot of open unused memory/storage, but they're scattered haphazardly between used up space, so you can't really use it. He advised us that "Best Fit" (memory allocated in the smallest chunk of free memory) is actually quite wasteful in the long term, and that "Worst Fit" (memory allocated in the largest possible chunk of free memory) or "Next Fit" (memory allocated in the first chunk of viable memory following the preceding allocation (so if you have something like [4,2,7,5,3,9], you store something 5kb in size turning it into [4,2,3,5,3,9] then you store something that's 2kb making it [4,2,3,3,3,9], modifying the fourth space even though it could have fit in the first through third)) are much more efficient in the long run.

For example, to use my board metaphor, let's say you have two boards, one 15 inches long and the other 20 inches long. The first board you need to cut is 10 inches. If you did best fit, you'll cut the first board, leaving you with 5 inches. If you did worst fit, then you'd cut the second board, leaving 10 inches. Next up is a cut demanding 14 inches. Best Fit would have you cutting the remaining 20 inch board leaving 6 inches. Worst Fit would have you cut the 15 inch board leaving 1 inch. Next again is another 10 inch board. Using Best Fit, you cannot git this board anywhere, having a scrap of 5 and 6 inches. Worst Fit meanwhile, has a 10 inch board scrap available.

Of course, with boards, Worst Fit would always have you pulling out the new pieces rather before touching scrap, but if you require using scrap first before touching new, it can still be pretty efficient. Big caveat, of course, is that these strategies are generally optimized for unpredictable allocation. You don't know how big your next one will be so you have to use the strategy that minimizes potential fragmentation. If you knew 100% of every allocation you'll need to make (like say, taking all of the measurements before cutting) you can much more easily optimize usage, but that's still a problem that's NP-Complete (iykyk) (it's officially called the Bin Packing Problem if you want to know more).

That said, if you're doing any woodworking and you want to burn through your scrap pile while maximizing projects but don't want to plan out your projects too much, Worst or Next Fit might stretch them out a bit better than grabbing the smallest possible piece available.

Advanced C Programming: Mastering the Language

Introduction

Advanced C programming is essential for developers looking to deepen their understanding of the language and tackle complex programming challenges. While the basics of C provide a solid foundation, mastering advanced concepts can significantly enhance your ability to write efficient, high-performance code.

1. Overview of Advanced C Programming

Advanced C programming builds on the fundamentals, introducing concepts that enhance efficiency, performance, and code organization. This stage of learning empowers programmers to write more sophisticated applications and prepares them for roles that demand a high level of proficiency in C.

2. Pointers and Memory Management

Mastering pointers and dynamic memory management is crucial for advanced C programming, as they allow for efficient use of resources. Pointers enable direct access to memory locations, which is essential for tasks such as dynamic array allocation and manipulating data structures. Understanding how to allocate, reallocate, and free memory using functions like malloc, calloc, realloc, and free can help avoid memory leaks and ensure optimal resource management.

3. Data Structures in C

Understanding advanced data structures, such as linked lists, trees, and hash tables, is key to optimizing algorithms and managing data effectively. These structures allow developers to store and manipulate data in ways that improve performance and scalability. For example, linked lists provide flexibility in data storage, while binary trees enable efficient searching and sorting operations.

4. File Handling Techniques

Advanced file handling techniques enable developers to manipulate data efficiently, allowing for the creation of robust applications that interact with the file system. Mastering functions like fopen, fread, fwrite, and fclose helps you read from and write to files, handle binary data, and manage different file modes. Understanding error handling during file operations is also critical for building resilient applications.

5. Multithreading and Concurrency

Implementing multithreading and managing concurrency are essential skills for developing high-performance applications in C. Utilizing libraries such as POSIX threads (pthreads) allows you to create and manage multiple threads within a single process. This capability can significantly enhance the performance of I/O-bound or CPU-bound applications by enabling parallel processing.

6. Advanced C Standard Library Functions

Leveraging advanced functions from the C Standard Library can simplify complex tasks and improve code efficiency. Functions for string manipulation, mathematical computations, and memory management are just a few examples. Familiarizing yourself with these functions not only saves time but also helps you write cleaner, more efficient code.

7. Debugging and Optimization Techniques

Effective debugging and optimization techniques are critical for refining code and enhancing performance in advanced C programming. Tools like GDB (GNU Debugger) help track down bugs and analyze program behavior. Additionally, understanding compiler optimizations and using profiling tools can identify bottlenecks in your code, leading to improved performance.

8. Best Practices in Advanced C Programming

Following best practices in coding and project organization helps maintain readability and manageability of complex C programs. This includes using consistent naming conventions, modularizing code through functions and header files, and documenting your code thoroughly. Such practices not only make your code easier to understand but also facilitate collaboration with other developers.

9. Conclusion

By exploring advanced C programming concepts, developers can elevate their skills and create more efficient, powerful, and scalable applications. Mastering these topics not only enhances your technical capabilities but also opens doors to advanced roles in software development, systems programming, and beyond. Embrace the challenge of advanced C programming, and take your coding skills to new heights!

Ok, this is a niche thing to complain about, but it insane to me that the situation with strict aliasing rules in C and C++ has such a monumental mismatch between the standard and what people actually want and need to do:

For a long time, there was no standard-compliant way to alias a piece of memory using two different types.[1] I mean, people did it anyway, but whether you got fucked over by the optimizer was dependent on how you did it, which things were in which translation unit (or I suppose whether someone did LTO), which compiler you used, which compiler-specific attributes or flags you used, and/or luck.

memcpy has (always?) been blessed as a way to bit-cast between types, but, as the name implies, it copies data--there's no way to just ask for a single memory location with two different views onto it, although the compiler may or may not be smart enough to avoid actually copying stuff.

It was only in C11--published in 2011!--, that the popular method of union-based type-punning was finally added to explicitly clarified to be in the standard. This is often good enough for what you want to do, but it's not enough--you can't write a standard-compliant implementation of malloc in C11 (or C17), as far as I can tell![2]

The union trick is not kosher in C++, but they added bit_cast (which is basically type-safe memcpy) in C++20, and they're adding start_lifetime_as in C++23, which I think actually makes it possible to write a standard-compliant malloc? Or do the type-punning you wanted to do to fucking begin with?

There aren't that many super great reasons to start a new project today in C or C++. But if you're writing an operating system or a language runtime or doing embedded programming or whatever, there weren't really any good alternatives for a long time. But these are exactly the situations where you want to alias the same memory via different types! I feel like I am taking crazy pills!

tl;dr -- regular C programmers talking with the people who write the language standard and the optimizers in compilers:

[1]: Someone is going to bring up the thing about char*. You are allowed to alias anything as a char*. This is sufficient if all you want to do is print out the underlying representation or twiddle the bits one at a time, but it's only one way! You can't start with a char* and then alias it as something else. This doesn't get you what you want with type-punning, and it's definitely not enough to make malloc work.

[2]: Yes, really. I think you could make some very trivial malloc implementations (no-op free or just delegating every malloc/free to a system call and never recycling memory) in a standard-compliant way, but otherwise no. I don't see anything C23 that's relevant to the situation. It ironically might be possible to write a standard-compliant malloc in C++ using the new C++23 features though, and I think someone is trying to do this in llvm's in-progress libc.

Algorithm Design and Programming II Lab 3 (15 Points)

Objectives: Review call-by-reference Review array operation Review for-loop operation Review File I/O Description: Given an array of integers, some elements appear more than once. Count the number of times k appears in the array where k is an integer between 1 to 10. Return count. *Note: The array must be malloced and free() after displaying result. Use the implementation of file I/O…

View On WordPress

No empire can't really get here too much but they are below is not true and the pseudo empire has to fight them off they're not that many here and the bugs are not coming this way for now and they plugged it off they're holding it off actually and the idiots want to pour in but they can only pour in down there and so it's going to lead the bugs down there and they have ideas to lead them to the bunkers but really nothing here is going to lead them here there's not enough death and if they came they wouldn't send any more that's one problem

-the pseudo empire is mounting an attack on the warlock globally and they are holding the blockade soon they won't be able to get in here our son will be stuck with a homogeneous group and one of them they'll probably go after and devour would be Ken and he's having a panic attack and he's saying don't call the empire and all the sudden there's this idea that I had to send in more troops and we did discuss it and we're going to use this as long as it lasts and force these imbeciles to defend our son he didn't seize imbeciles and those who are trying to break the blockade and there's going to be a bunch of it and forg minority more lock are going to lead the way. They're getting up and they saw it and he sees them and they have spirit and lots of it and they have gusto and attitude and it's good and they don't talk about all this stuff for the most part unless it was kept secret and he was telling them and they appreciate it but it's actually true they had to live a hard life and they had to survive all this these idiots over there foreigners over there also over there Max and then find what they're doing to be repulsive but very attractive. So if they're going to town and they're getting ready to do stuff and Hera would have had on last night was good I look decent. It looks like a big boy with that on and people are standing away from him somewhat and they also make some less permeable to knives and they thought they didn't get stuff it's one way to nail them but these people are on the way then how are they going to get through the blockade and they're more like as well so it doesn't really work out and they tried and they said they were trying

Foreigners can break through and the empire wants them to and they're going to break through with the minority morlock and have them go around taking stuff and area and so forth and it's going to go on in a moment and the idiots want bugs to come because of fighting we have a solution for that and it'll look like bugs doing it and other Tommy f no he's a pain in the ass but he gets beat up cuz people blame him. The foreigners are at it shortly and they're going to be assisting the minority malloc and they have a bigger fleet of course and minority monologue fleet is probably only 1/20th no it's 100th of the size of the pseudo empire fleet. So the foreigners are going to come in and the minority warlock and the minorities will fight the pseudo empire. And it's going on that Ken is seeing some of it they've been seeing it for weeks but it's a smattering and it's also these people eating them and it's gross and foreign has been trying it for weeks but now they have to because these pseudo empire is taking over and the blockade is going up however our son and daughter point out that they're not done yet they are being entertained in the park areas and at the ships huge numbers are dying and that's a pseudo empire bases but they are compiling a huge fleet and it happened for the past few days two days so when they blockade start going up and the fleet is trying to gigantic is huge okay it's got a lot of wood chips in it and they go together if they explode they kill everybody it's like shrapnel and they stay far apart make some harder to hit a mile apart each and it is a wondrous thing that they actually do work and they're sending in tons of them right now their fleet is gigantic it's like 200 million vessels and it is ridiculous used up half the forest. And they are trying to break through now no they have a schedule and it won't be for a few days they say and these people here can't stand it and they say it can't be a few days so they're grabbing everything they can and they'll probably try attacking tonight that's what we hear but that still does not fix the problem does but the foreigners in minority morlock are going to work together with the morlock to try and break the blockade and it is happening tonight it's a it's an event and it's a big one and the one in the Parks is much bigger because the empire is going to be under attack they're adjacent to the ships and devils and they will be attacked for trying to go after them and it will be a big war it's getting big right now and Trump's people are diminishing we think they'll be cut in half today fully

Thor Freya

Olympus

Zues

And Trump is digging down deep for hope that my husband doesn't hate him and it's ridiculous you got him to hate him and he hates him I mean the guy is a moron

Hera

7 lipca 2023

◢ #unknownews ◣

Zapraszam do lektury najnowszego zestawienia ciekawych treści z branży IT.

Pobierz mini-poradnik na temat Debugowania Aplikacji na Linuksie. Musisz jedynie podać swojego maila.

1) Zbudujmy prostą stronę, ale... mamy rok 1999 :) https://medium.com/@mihauco/how-to-create-a-personal-website-but-its-1999-48283b1f5be4 INFO: Autor podejmuje wyzwanie, aby stworzyć rozbudowaną stronę internetową korzystającą z JS i CSS, ale musi ona dobrze działać na Windows 98 z przeglądarkami Internet Explorer 5 i Netscape Navigator 4.51 oraz musi być napisana z użyciem edytorów/IDE z tamtych czasów. Ciekawy eksperyment uświadamiający jak bardzo zmienił się temat webdevelopmentu od tamtych czasów. 2) Kto zabił Google Readera? https://www.theverge.com/23778253/google-reader-death-2013-rss-social INFO: Minęło 10 lat od zamknięcia tego serwisu. Artykuł opowiada historię jego powstania, rozwoju, a także tego, jak wyglądał jego koniec. Co poszło nie tak? 3) Na czym, po co i ile zarabia Korea Północna? (film, 40 minut) https://www.youtube.com/watch?v=8NK0siegoTY INFO: Prezentacja Mateusza Ossowskiego z ubiegłorocznej konferencji 'Oh My Hack'. Autor opowiada głównie o cyberatakach realizowanych przez wspomniane państwo oraz dzieli się garścią interesujących ciekawostek. Przyjemne i momentami zabawne wystąpienie. 4) Upadające sieci społecznościowe - co poszło nie tak? https://gizmodo.com/why-these-social-networks-failed-so-badly-1836996164 INFO: Czego brakowało Google+, że przegrał z Facebookiem? Co zabiło MySpace? Dlaczego Vine musiało zniknąć? Artykuł omawia łącznie 11 ciekawych przypadków sieci społecznościowych, które już nie istnieją, a które albo dobrze się zapowiadały, albo nawet podbijały rynek. 5) Jedna linia kodu zniszczyła rakietę kosmiczną? - przypadek Ariane 5 https://jam.dev/blog/famous-bugs-rocket-launch INFO: Analiza buga programistycznego, który w roku 1996 doprowadził do eksplozjii (a dokładniej mówiąc: do samozniszczenia) wartej ponad pół miliona euro rakiety. 6) Na czym pracują developerzy? - soft, gadżety, konfiguracje https://uses.tech/ INFO: Strony "USES" nie są jeszcze zbyt popularne w Polsce, ale na świecie tworzy je wielu ludzi z branży IT. Są to kompilacje softu, konfiguracji, hardware, wyposażenia (np. jaki monitor, jakie biurko itp.) używanego przez daną osobę. Ta strona może Cię pochłonąć na dłuższą chwilę, ale być może też zainspiruje Cię do poznania jakiegoś nowego softu, czy gadżetu. Niektóre ze stron są bardzo ubogie, a inne skrajnie rozbudowane. Trzeba się naklikać, aby znaleźć coś wartościowego. 7) Powolny upadek StackOveflow, to NIE wina AI?! https://blog.gopenai.com/the-strange-death-of-stack-overflow-cda2921f37fb INFO: Od okolic 2014 roku, aktywność na portalu StackOverflow spada, pomimo zachowania stabilnego wzrostu liczby użytkowników. Skąd ta dziwna zależność? Ostatnio sporo mówiło się o tym, że AI stało się gwoździem do trumny tego serwisu, ale czy ich problemy nie zaczęły się 9-10 lat wcześniej? 8) Obliczenia 'Back of the Envelope' - czym są i dlaczego mogą Ci się przydać? https://systemdesign.one/back-of-the-envelope INFO: W branży IT przeważnie stosuje się bardzo dokładne obliczenia. Dlaczego więc miałbyś zacząć używać tych mniej dokładnych, szacunkowych i jak miałyby Ci one pomóc w projektowaniu systemów? Tego dowiesz się z artykułu. 9) Co się dzieje, gdy wpisujesz adres URL w przeglądarkę? https://systemdesign.one/what-happens-when-you-type-url-into-your-browser INFO: To popularne pytanie na rozmowach o pracę w branży IT, które pokazuje, jak dobrze rozumiesz technologie działające w Internecie. Ten artykuł rozkłada cały proces na kolejne kroki i wyjaśnia je. 10) Alokacja pamięci - jak działają malloc i free? https://samwho.dev/memory-allocation/ INFO: Interaktywne przedstawienie wspomnianych zagadnień. Idealne wyjaśnienie dla każdego, kto chce bardziej dogłębnie dowiedzieć się, jak działają aplikacje i języki programowania. 11) CSS o ograniczonym zasięgu - Scoped CSS https://keithjgrant.com/posts/2023/04/scoped-css-is-back/ INFO: Jednym z największych problemów przy stylowaniu elementów na stronie jest dziedziczenie atrybutów. Niekiedy ustawienia z elementu nadrzędnego wpadają do podrzędnego. Aż chciałoby się zaimplementować funkcję "nie dziedzicz tego!". Scoped CSS rozwiązuje ten problem. 12) DISCO - model AI generujący taniec na podstawie fotki osoby https://disco-dance.github.io/ INFO: Nowy model za pomocą AI potrafi wygenerować tańce podobne do tych rodem z TikToka. Nie wygląda to jeszcze tak super, jak można by się spodziewać (widać rozmycia, przeskoki w klatkach, liczne artefakty itp.), ale już i tak osiągnięto imponujący poziom zaawansowania. 13) Zainteresowanie ChatGPT zaczyna się stabilizować? https://www.similarweb.com/blog/insights/ai-news/chatgpt-traffic-drops/ INFO: W czerwcu ruch na stronie czatu spadł o niemal 10%, a liczba unikalnych użytkowników spadła o 5,7%. To pierwsze takie spadki. O ile strona z UI chatu zalicza spadki ruchu, to platforma dla developerów wręcz przeciwnie. 14) Co sprawia, że współczesne komputery działają tak wolno? https://jmmv.dev/2023/06/fast-machines-slow-machines.html INFO: Autor odwołuje się do swojego wiralowego wątku na Twitterze, na którym pokazał jak super płynnie działa interfejs użytkownika na wiekowym komputerze z Windows NT i jak wolno działa on na współczesnym sprzęcie z Windows 11. Co sprawia, że nowe, o wiele mocniejsze komputery stają się mniej responsywne i bardziej ociężałe? 15) Jak działa OAuth2 - proste wyjaśnienie (film, 5 minut) https://www.youtube.com/watch?v=ZV5yTm4pT8g INFO: W tym wideo autor stara się przedstawić protokół OAuth2 w możliwie prosty i przystępny sposób. Warto rzucić okiem i usystematyzować swoją wiedzę. 16) Drag and drop w aplikacjach webowych https://www.redblobgames.com/making-of/draggable/ INFO: Zaimplementowanie takiego zachowania może wydawać się dość proste (mnóstwo bibliotek to oferuje), ale po drodze można natknąć się na kilka przeszkód. Artykuł omawia jak poprawnie zaimplementować tego rodzaju zachowanie. 17) Alias Traversals w Nginx - jak wielką różnicę robi jeden slash? https://labs.hakaioffsec.com/nginx-alias-traversal/ INFO: Drobna (dosłownie jeden znak) literówka w konfiguracji serwera NGINX może doprowadzić do tego, że przypadkiem udostępnisz w internecie całą zawartość serwera webowego. Artykuł opisuję, na czym polega luka i jak ją wykorzystać. 18) Platforma HEY (poczta email) przeszła z chmury do klasycznych serwerów https://world.hey.com/dhh/we-have-left-the-cloud-251760fb INFO: David Heinemeier hansson (znany jakoi 'DHH') już rok temu zapowiadał wielką migrację na dedyki. W tym roku firma zrealizowała jego zapowiedzi. Warto rzucić okiem na powody wyjścia i przy okazji przeczytać poprzednie teksty, do których linkuje ten wpis. 19) Wyszukiwarka dokumentacji AWS napędzana przez AI https://www.awsdocsgpt.com/ INFO: Zamiast bezpośrednio czytać dokumentację, możesz po prostu zapytać AI o to, czego szukasz, a temat zostanie dla Ciebie możliwie szczegółowo opracowany. Może się przydać, gdy chcesz bardzo szybko odnaleźć jakąś drobnostkę, ale nie pamiętasz, gdzie o tym pisano. Wyszukiwarka poza opracowaniem odpowiedzi zwraca także linki do źródeł swojej wiedzy. 20) API do GPT-4 jest już publicznie dostępne (bez waitlisty) https://openai.com/blog/gpt-4-api-general-availability INFO: Dobra wiadomość dla programistów. Jeśli jesteś płatnym użytkownikiem API (czyli wydałeś na nie przynajmniej 1 centa), to masz już dostęp do GPT-4. Pojawiło się także kilka zmian programistycznych w związku z DALL-E, Whisperem i ze starymi modelami z kategorii 'completion'. Warto rzucić okiem. 21) Mofi - inteligentne narzędzie do wycinania fragmentów audio https://mofi.loud.red/ INFO: Prawdopodobnie znasz ten efekt z aplikacji graficznych, gdzie jesteś w stanie wymazać z fotki np. turystów, drzewa, czy samochody. Wyobraź sobie, że jesteś w stanie zrobić to samo z plikiem dźwiękowym. Na tym właśnie polega działanie Mofi. Uploadujesz np. piosenkę i zaznaczasz, które fragmenty są spoko, które Ci się nie podobają, a algorytm postara się wyciąć to, co nie pasuje, ukrywając przy tym wycięte dziury tak, aby były możliwie niewykrywalne. 22) Warp vs Fig - porównanie dwóch popularnych terminali (film, 14 minut) https://www.youtube.com/watch?v=GHKy8cTg1kA INFO: Nadal używasz tradycyjnego, dostępnego w systemie terminala? Może warto przesiąść się na wspieranego przez AI Warpa albo poznać Figa, który da Ci supermoce, podczas pracy w CLI? Który z nich wybrać i co tak naprawdę one oferują? 23) Funkcja detekcji wypadków samochodowych w iPhone jest super, ale nie na imprezie https://gizmodo.com/iphones-false-911-calls-bonnaroo-android-uk-999-1850576151 INFO: Na festiwalu muzycznym Bonnaroo, niektórzy z tańczących użytkowników iPhonów 14 i 14 Pro byli klasyfikowani jako ofiary wypadków samochodowych. Brzmi zabawnie, ale jednak generuje zbyteczny ruch na infolinii 911. 24) eruda - devtoolsy dla przeglądarek mobilnych https://github.com/liriliri/eruda INFO: Potrzebujesz podglądu konsoli JS na smartofonie? A może przydałaby Ci się opcja 'inspect element'? Eruda to załatwia. Po prostu osadź fragment kodu JS na stronie, nad którą pracujesz i gotowe - masz dostęp do namiastki DevToolsów znanych np. z Chrome. Jeśli chcesz zobaczyć, jak to wygląda w praktyce, to kliknij linka z sekcji 'about'. 25) Lista 25 narzędzi i taktyk do zabezpieczania aplikacji - e-book (90 stron) https://brightinventions.pl/blog/infrastructure-reconnaissance-tools-for-your-app-security/ INFO: Darmowy e-book przedstawiający popularne narzędzia open sourcowe, które mogą pomóc Ci podnieść poziom bezpieczeństwa w aplikacji webowej. Dodatkowo, w publikacji znajdziesz odwołania do dokumentów, które pomogą Ci usystematyzować metody testowania i zabezpieczania aplikacji. Aby pobrać e-booka, trzeba podać swój adres mailowy. 26) Micromorty - jak niebezpieczne są codzienne aktywności? https://micromorts.rip/ INFO: Micromort to jednostka określająca, z jak dużym prawdopodobieństwem (na milion prób) umrzesz, wykonując daną akcję. Ciekawe zestawienie zagrożenia śmiercią: wstawanie z łóżka po 45 roku życia vs. latanie na paralotni albo poród w szpitalu vs. base jumping. Czy ta wiedza Ci się do czegoś przyda? Nie ;) 27) VPN od Mozilli - już dostępny w Polsce https://www.mozilla.org/en-US/products/vpn/ INFO: Długo zapowiadany VPN od Mozilli jest już dostępny w naszym kraju i oferuje dostęp do serwerów z ponad 35 krajów za około 22zł/msc (przy płatności rocznej). Cena jest raczej przeciętna, a gdy doczyta się, że Mozilla jest w zasadzie tylko resellerem Mullvad VPN, to oferta wygląda raczej słabo. Na korzyść projektu przemawia dedykowana aplikacja, która dorzuca do standardowego 'mullavad-owego VPNa' nowe opcje. 28) CallToInspiration - inspiracje do projektów UX https://calltoinspiration.com/ INFO: Jak powinien wyglądać formularz logowania albo kalendarz, albo komunikat z błędem, albo... po prostu zainspiruj się, oglądając gotowe projekty z ciekawymi implementacjami popularnych elementów na stronie. 29) Wielka kolekcja instrukcji do klocków LEGO https://archive.org/details/lego-set-instructions INFO: Archiwum sieciowe zarchiwizowało ponad 6800 oryginalnych instrukcji z klocków LEGO. Wyszukiwarka (ta po lewej, nie ta górna) pomoże Ci znaleźć inspirację na budowle. Instrukcje mogą Ci się przydać, jeśli masz dzieci, albo... jeśli masz siebie i też lubisz bawić się klockami ;) 30) Melofi - odtwarzacz muzyki Lofi z dodatkowymi narzędziami https://melofi.app/ INFO: Być może znasz narzędzia poprawiające skupienie, takie jak Endel, czy BrainFM. Są fajne, ale i płatne. Melofi to darmowy projekt, który oferuje dostęp do muzyki, ale poza jej odtwarzaniem możesz w ustawieniach sceny dorzucić np. efekty takie jak kawiarniany gwar, odgłosy deszczu, czy odgłosy natury. Muzykę można zaciągać z bezpłatnej bazy projektu, jak i ze Spotify. Rzuć okiem także na narzędzia dodatkowe. 31) Biblioteka do usuwania tła ze zdjęć - w 100% frontendowa https://github.com/imgly/background-removal-js INFO: Wiem, że takich narzędzi istnieją już dziesiątki, ale to jest otwartoźródłowe i do tego na licencji GPL-3.0, więc dzięki niej, bez większych problemów możesz dorzucić funkcję usuwania tła do swojej aplikacji webowej, bez konieczności korzystania z płatnych API. 32) Alternatywa Scribehow dla Firefoxa (generator tutoriali point and click) https://what-to-click.com/ INFO: Chcesz pokazać komuś krok po kroku, jak działa Twoja aplikacja webowa i jak wykonać w niej pewne kroki? Najprościej jest zrobić to za pomocą dobrze opisanych zrzutów ekranu z zaznaczonymi miejscami, gdzie użytkownik powinien kliknąć. Dokładnie to realizuje rozszerzenie "What to click". To klon znanego Scribehow, tylko darmowi i otwartoźródłowy. == LINKI TYLKO DLA PATRONÓW == 33) Zbuduj prompta dla AI na podstawie obrazu https://uw7.org/un_8ad7d78d96605 INFO: Masz zdjęcie i chcesz wygenerować coś podobnego pod względem kompozycji, ale np. w Midjourney? Problem polega na tym, że nie umiesz napisać odpowiedniego prompta? To narzędzie przygotuje go dla Ciebie. Kliknij ikonę uploadu fotki, zamiast pisać opis. 34) Kurs online z projektowania systemów na dużą skalę (darmowy) https://uw7.org/un_a2626b49cebd7 INFO: Materiał jest w formie tekstowej i zawiera sporo porad na temat projektowania systemów. Ta wiedza może się przydać nie tylko do tworzenia skalowalnych rozwiązań, ale także jako materiał do przygotowania się na rozmowę techniczną np. na stanowisko architekta systemowego.

P.S. Nie wiem, czy wiesz, ale jestem wydawcą kilkunastu kursów online. Rzuć okiem na ich spis.

2023/05/12

生活

睡眠履歴

03:00 入眠

08:00 po

タスク

短期

[ ] 音楽データの整理

[ ] 部屋の掃除(快適な労働環境の構築)

調べもの

[ ] 積み立て

[ ] 確定拠出年金

[ ] 持ち株会

[ ] 人生における具体的な金銭の想定

研究回り

[ ] エラーを吐いた古い再実験周りの修正

[ ] 後輩から貰ったデータを自研究に適用

[ ] 過去の手法の再実験

[ ] 論文読み

やるだけ

[ ] 遅れている分の日報を読む(短期)

12/29から

[ ] Tumblrのカスタマイズ

習慣的

[ ] 運転

[ ] 筋トレ

労働

Cの勉強。与えられた簡単な課題から、本来意図していないであろう部分を突っつくことで丸一日を消費する。

Cの学び

文字列操作

fscanf()で1行ずつファイルを読み込む際に、改行の前で読み込みが止まるものの、次に読み込む際には次の行の前に普通に改行コードが入る

フォーマット文字列の末尾に改行コードを入れたり、スペースを入れることで次の行に回ることが回避できる

fscanf()で読み込む際、スペースや改行で区切られるが、","(カンマ)では区切られず、普通に読み込まれる

除去するためには"%[^,]"などとする

fscanf()で読み込む際のフォーマットは正規表現と捉えて概ね問題ないらしい

参考になりそうな記事https://qiita.com/Sankyuri/items/c7fb52658c45b8757b5c

今日はもうこの辺で寝るのであまり読み込めていないが、必要な時に思い出して読み返したい

文字列分割のstrtok()は1バイト文字のみに対応しており、日本語などのマルチバイトには対応していない

かといってchar型1つずつ文字コードを比較しようとしても、日本語の1文字はchar型の値1つに対応していない

メモリ周り

malloc()で動的に確保したメモリ領域を拡張しようとしたとき、sizeofは頼りにならない

(静的)配列は最初から大きさの情報を持っているからsizeofが使えるが、mallocした動的配列は大きさの情報を保持していないため、sizeofが使えない

動的配列の大きさによって拡張するかどうかを決定するためには、別の変数に大きさを記録しておく必要がある

ポインタ変数は、非ポインタ変数に紐づけるべき

ポインタのポインタなどはおいておく

ポインタ変数を初期化せず(どこかの変数のアドレスに紐づけず)に使用すると、謎のアドレスのデータが改変されていることになる

明示的に非ポインタ変数と紐づけよう

関数に渡す時にはダブルポインタにすることもできるが、ポインタ変数にして、通常の変数のアドレスを渡すこともできる

動的に確保した配列には大きさが保持されていないため、大きさを超過しても掻き込みができてしまう

サイズ1の配列の3番目の要素などにも、scanfから確保した以上の領域に変数を代入できてしまった

その後にreallocで要素数を大きくしようとしたところ、使おうとしたアドレスに値が入っていたためか、エラーが出た

インクリメントの位置

scanfの評価順

while(fscanf(file, "%[^,], %s\n", person[i++]->name, person[i]->position))などとしたとき、nameの参照に[i], positionの参照に[i++]とすると、nameとpositionのインデックスがズレ、nameがi+1番目で、positionがi番目とかになった

どうやらそういうものらしい。参考(https://programming-place.net/ppp/contents/c/appendix/reference/scanf.html)

細かい実行順はコン��イラ依存の可能性がある

「条件式の中でインクリメントするのは辞めろ」とちゃーんと言われた

Rust Settings For FPS Boost

Welcome to another Rust guide. In this article we share with you Rust Settings for FPS Boost. This guide is for users who are experiencing low FPS in the game or want more FPS.

Rust Graphic Settings For FPS Boost & Increase

Here is a few tips to increase your FPS and fix your overtime lag in Rust. Settings For FPS Boost in Rust Lowering graphics will of course give you more fps you can play around with the graphics settings and see what gives you good fps. These are the settings I use Please keep in mind I'm using a high end PC with good specs.

Rust Launch Options For FPS Now there is Launch options that you can use to help you get better FPS: For example this is my launch option. -gc.buffer 2048 -client.headlerp_inertia 0 effects.maxgibs -1 -physics.steps 60 -rate 144 -high - -malloc=system -force-feature-level-11-0 -force-d3d11-no-singlethreaded -window-mode exclusive -nolog -nopopupwindow To use launch options go to your game library right click on rust then click properties go to general and you should see it there just copy paste what I use or something else Now there is another option you can add to your launch options and I really recommend adding this it helps your Rust use more ram -maxMem=16384 add that to your launch options with everything else Keep in mind I have 16 ram so if you have something lower then that change -maxMem=(YOUR RAM) for example if you have 12 ram make it -maxMem=12288 and if you have 8 it should be -maxMem=8192 going over your PC's limit might cause game crashes It makes your game use more ram whenever it needs to. - 4 GB 4096 - 6 GB 6144 - 8 GB 8192 - 12 GB 12288 - 16 GB 16384 - 24 GB 24578 - 32 GB 32768 Another thing you should add is -cpuCount=8 and -exThreads=8 Before you add this and launch your game open Task Manager by clicking ( ctrl + alt + del ) on your keyboard or just typing it in the search bar then go to Performance and click on cpu Now if you have 4 cores and 4 Logical processors It should be -cpuCount=4 and -exThreads=4 this will make your Rust use as much CPU as possible If your over your PC's limit it will cause crashes and game freeze.

If none of this help you get better fps and you tried lowering graphics you should consider getting a better CPU or More Ram since rust barely uses any GPU. Now more ram doesn't mean more fps I've tested this I had 32 ram 1400 MHz and now I switched to 16 ram 3800 MHz which gives me around 20 more FPSThat means faster ram is better than more ram. FPS Lowers Overtime While Playing Now you might see that you start to lag more over time while playing Rust there is a few commands to fix that Open console using the f1 key and type the following command one by one. - pool.clear_assets - pool.clear_memory - pool.clear_prefabs Your game might freeze for a second but you should see a decent increase in FPS. You can also bind these commands to a key so you won't have to keep typing it. bind p gc.collect;pool.clear_assets;pool.clear_memory;pool.clear_prefabs You can change p to whatever you want. There is another option you can do which I dont know why it helps you fix your lag but it does to some people you can go in WINDOWED MODE and go back to EXCLUSIVE. Faster Loading In To Servers - Some people don't know why it takes them so LONG to load in to a server well there is a couple reasons why. - Your Rust isn't installed on your SSD which is your main driver (SSD is the main hard drive you should install rust on to) Your SSD is bad. Read the full article

🖊 jack or gabe!!! -v- or just draw ur zen actually i , , love zen,,

// porque no los dos

// off topic to anything but i was thinking about how malakh sounds like malik which means king and so does reyes so theres that

:0 !!!!!!!!!!!! I DIDN’T KNOW THAT !!!!!!!!

Tying It All Together - Pwning To Own on LG phones

Last year I detailed a secure EL3 vulnerability which affected (and still affects, for devices with discontinued updates) LG Android devices. However, this vulnerability alone isn't actually all that useful for a number of reasons, the more immediate being that many phones simply do not allow writing to eMMC without root or a custom recovery. Additionally, gaining full control over all privilege levels requires draining the battery to below 0%, which while it would be possible to create a modchip that facilitated this, is impractical. To finish off my exploit chain, I would like to detail two additional vulnerabilities that I have found and utilized in my coldboot process. It's worth noting though that these vulnerabilities were reported to LG and may be patched on updated units.

Live, LAF, Love

The first exploit is an obvious necessity: In order to write the rle888 payload into the eMMC's boot graphics, I need to be able to achieve an arbitrary partition write. While exploiting Android *is* an option for this (as are hardware methods), I instead opted to attack LAF, LG's recovery/flashing component. While many Android phones in the past have used fastboot in order to flash radios and other system components to eMMC, fastboot has been completely removed on the Q710/Q720. Some phones such as the Nexus 5 actually maintain both fastboot methods and LAF, but for maximum spread, LAF is the clear target.

LAF is designed to work with LGUP, a frequently-leaked LG-internal flashing tool that allows flashing KDZ update files. While LAF in the past was able to read and write eMMC partitions without any restriction, in recent years LG has opted to sign all of their KDZ files in order to make it more difficult for things like cross-carrier flashing, version mixing/matching between partitions and other modifications to occur. Flashing is done via USB, and most of the protocol has been documented at https://github.com/Lekensteyn/lglaf.

The LAF update process largely consists of an ioctl-over-USB shim: The OPEN command is able to open a partition block device, and READ/WRTE will seek into the file and write contents. However, reading and writing are explicitly blocked until a list of partitions, their eMMC offsets, their KDZ content offsets, and their content hashes is sent via the SIGN command, all of which is hashed and signed by LG. If the contents of the partitions in the KDZ are modified, the partition list hashes will fail to verify, and modifying the hashes in the partition list will make the SIGN check fail. The private key is not stored in LGUP; KDZs are downloaded from LG's servers, signed presumably by their build servers.

So, how can we manage to activate WRTE commands, with valid partition content hashes of our arbitrary contents, if we cannot sign our own? To start, I investigated how the WRTE commands actually handled hash checking--if the partition list is sent with SIGN, then at some point the WRTE command must be able to figure out which partition the current write is for, and the current partition's contents must be buffered in RAM somewhere along with an updating SHA context, because if the SHA check fails, then it shouldn't write at all. As it turns out, most of the checks in this area were fairly solid (the write must be in the range of a partition in the list, the entire transaction is one bulk packet of the hashed size, etc). However, this led me to realize: The partition list signature is only checked once, and there is nothing stopping me from, say, sending another SIGN command.

The SIGN verification process works as follows:

The partition information is sent along with a signature in one bulk transaction.

The partition information is copied into a global .bss array from the USB buffer with a fixed size.

The partition information hash buffer is prepared: An allocation is made for N partitions and an optional string, the string being the device model (to prevent cross-flashing). The number of partitions is determined by a signed portion of the header. If the allocation fails, an error is returned.

The partition information is copied again into this allocation along with the string, and the contents are hashed. The signature is crypted with the public key and the signature hash is verified against the partition info hash. If the check fails, the global .bss array is cleared and an error is returned. If the check passes, some write threads and structs are initialized and a success value is returned.

The .bss buffer storing partition info (used by other functions) is copied to before the packet is verified

The .bss buffer is cleared when the signature mismatches, but not with this malloc fail...?

The flaw here is subtle, but not terribly difficult to notice: The number of partitions is user-controlled even though it is signed, and the partition info was copied into a global variable before verification. In all other error conditions, LAF will memset the partition information before returning an error code, however if the hashing allocation fails (ie by setting the number of partitions to -1), then the allocation will fail and an error is returned without clearing the partition information. Thus, we can fakesign our own update KDZs by

Sending a valid SIGN command, which will start the write threads

Sending a fakesigned SIGN command with the number of partitions set to -1, and all partition information set however we want. The partition information in .bss is now set without a signature being checked.

While this fakesign has the potential to hang WRTE commands while due to the number of partitions being set much larger than the global partition array, all loops when WRTE checks the partition list hashes will break once a valid partition is found. So, as long as the hash contents of the WRTE command are existent in the first few entries, it will not hang, however any writes sent that do not match will hang lafd.

Another S-EL3 vuln to wrap it all up

This might seem a bit pointless given that the former vulnerability paired with 🔋 📱❄️🥾🔓 at aboot is more than enough to unlock bootloaders, since aboot is usually the code that handles bootloader unlocking/wiping/boot image signature verification, but the downside to unlocking your bootloader is that you lose SafetyNet. To most effectively mitigate SafetyNet issues you basically need an S-EL3 exploit in order to patch Qualcomm's TrustZone to spoof a locked bootloader. While 🔋 📱❄️🥾🔓 has a vector for S-EL3 code execution via SBL1 and its charging graphic, it only triggers at extremely low battery voltages and it would be more convenient to find an alternative means to gaining S-EL3 code execution via aboot, which runs at EL2/EL1.

One of the first things I noticed when I began to look for SBL vulnerabilities, and actually the reason I looked at SBL in the first place is its crash handler. Since at least the Nexus 5, LG has shipped its "Demigod Crash Handler" which can print registers and stack information and RAM console logs from EL1 kernel, S-EL3 SBL, TrustZone, etc. I first discovered it while trying to exploit a kernel stack overflow. It also allows the user to dump memory contents over USB via its Sahara protocol which also gets used in PBL for Firehose bootstrapping.

Naturally, SBL cannot know the exact details of every execution environment it displays stack dumps for, it requires the faulting environment to store that information before warm-resetting into SBL. Consequently, this means there are portions of RAM writable by EL1 which will be later parsed at an S-EL3 execution level, and of course to make matters worse it also expects EL1 to handle the memory allocation for both the RAM console as well as for the framebuffer. These structures are also plainly visible in LG's kernel sources available in their Android OSS zips.

Above roughly shows the arbitrary write which is possible with this ramconsole parsing. The ramconsole offset is not bounds checked, so we are able to achieve an arbitrary write to a limited set of addresses based on ramconsole_offs, the limit being that the offset factors both into what you write and where you write it. However, I found that since DRAM takes up such a significant portion of the address space, it was more than enough to specifically write a function pointer to the stack. To keep the exploit as simple as possible, I chose to force console_init_maybe to return to the missing battery graphic draw routine, which then triggered 🔋 📱❄️🥾🔓 without the need to drain the battery below 1% and made loading additional payloads significantly easier.

As an interesting sidenote, this vulnerability is extremely similar to hexkyz's Wii U boot1 exploit, which also abuses warmboot behavior to take over the secondary bootloader of the Wii U's ARM boot processor. In that case, however, the Wii U encrypted its PRSH/PRST structure in RAM, and rather than displaying syslogs, it uses the structure to store boot timings and other info between IOS reboots.

For most practical usecases, this vulnerability is a bit difficult to exploit, due to SBL's text and stack differing between devices. However, S-EL3 vulnerabilities aren't all that frequently documented on Android, so I hope that it will at least be useful for anyone interested in examining Qualcomm's TrustZone components or avoiding weird SafetyNet junk.

Code for both of these exploits can be seen at https://github.com/shinyquagsire23/Q710-SIGNhax-EL3-Warmboot

Backstory: Just back to work after my summer vacation, on Monday the 24th of August, I’m told I’m assigned to implement a Thing that lets customers call a specific part of the codebase through a public interface. I’ve got 2 weeks - will that be enough?

“Sure,” I say, “if that specific part is already ported from the old part of the code base to the new one.”

“It is.”

The monday after two weeks later:

The following Tuesday:

Spoiler: Malloc does not belong in parts that have been ported to the new part of the code base. It would seem somebody was slightly inaccurate about preconditions when telling me about this task -_-

Finally, Tuesday of this week - 1½ weeks over time - I’m ready for code review.

At that point, Tuesday, I felt pretty bad about how long I’d spent.

Yesterday, Thursday, at 3 in the afternoon, code review is finally over - no major changes, very few minor changes, it just took forever because code reviewing anything in the old code base always takes forever.

And, you know, that’s a lot of code review. But it felt really good to have external validation that, yes, the thing you were working on was such a tangled mess of spaghetti that even reviewing the changes requires time logging and it makes perfect sense it couldn’t be done in 2 weeks.

And hey, I did wind up finding a solution that didn’t require malloc.

Addendum to me bitching about prime printing, the most naive implementation, the one I’m willing to do, is only accurate to the 30th prime.

Using 2n+1 is better but I’m not willing to do more than brute force modulo checks since I can be simplistic with the printing and avoid malloc. It isn’t wrong, just inaccurate. Good enough for a toy program.

SmashTheTux - 0x05|0x06|0x07

So -after scratching my head over 0x08 for several days- I’ve decided to call it quits with SmashTheTux; I completed every challenge apart from the last (see my blog for earlier walkthroughs.)

Nonetheless, I really think SmashTheTux is a valuable experience for those interested in exploring virus and exploit development in the future (I say virus dev as the challenges force you to think more low-level.)

I’d also say -to a degree- it’s ideal for OSCP buffer overflow prep: not only is the first challenge a simple B/O similar to what you’ll encounter in the exam, but the experience of completing the 8 challenges (or 9; from the brief research I did, no one has managed to exploit 0x08) is also useful for building your confidence with using GDB and interacting with programs at a lower level.

Additionally, I found some of the challenges interesting as they required you to think independently of ways you  could change the control flow of the program to achieve the desired reuslt- for example, I completed 0x04 (integer overflow) in a way different to hinted at (this is why I don’t look at hints- encourage that creative thinking, man!) and I feel there would have been a few interesting ways to exploit 0x05 (will be below somewhere.)

All in all, I definitely recommend this machine to anyone intrigued by low-level exploit development or to those who want to build their confidence in the use of GDB.

Anyway, enough rambling, time for my last 3 exploits.

0x05

Well, it’s lucky I don’t look at hints! 0x05 was a very basic program- a call is made to system which executes the passed parameter as a terminal command, displaying the contents of /home/tux and then exiting.

The only input we have control over here is the files that appear within /home/tux; as the output of the command is not being placed in any sort of limited buffer or printf call, there’s little we can expect to achieve here.

So... What we need to do is hijack the call to ls which is actually pretty simple:

These are the commands I used to redirect the call to ls- first I created /tmp/ls and inserted the directory of /bin/sh before changing the permissions on /tmp/ls.

Finally, I added /tmp to the PATH environment variable- that’s it. Very simple but very effective.

When ls executes, the shell will look for a program file called ‘ls’ within the shell’s environment (aka: it will check each directory specified in the PATH environment variable for an executable file named ‘ls’)

Since /tmp is now the first directory within the variable, it will look there first and execute our modified /ls file as a result. It kind of acts like a symbolic link- when /tmp/ls is executed, the shell will execute the line ‘/bin/sh’.

This challenge could have potentially be completed by creating an alias for ‘ls’ also, to be honest there’s probably a few little tricks that could have been done here!

Although not directly related to C vulnerabilities, it does demonstrate the danger of loose access rights and permissions: it was my ability to change critical environment variables that made this possible.

0x06

Ah another hintless one, and here’s me feeling clever for not looking at the hints. xD

Here we have another format string vulnerability within sprintf (the same as printf but content is placed into the specified string as apposed to STDOUT); this time we are limited to input (not including the null) of 64 bytes.

Obviously this means EIP overwrite must occur within the first 64 bytes of input.

With some trial and error, I discovered that popping 10 addresses from the stack got us to the point of EBP/EIP overwrite- now to simply place our shellcode and jump to it.

I simply placed my shellcode at the end of the payload and -using GDB- found the rough location of the code.

From here I just played with the found address until I had execution outside of GDB.

0x07

0x07 was very interesting for me as it was my first encounter with malloc and heap overflow.

We have 3 declared pointers to member structs- m1, m2 and m3. M3 is never interacted with further from it’s declaration.

M1 and m2, however, are allocated a memory size of 8 bytes, given their own id values and a further 8 bytes allocation for their name properties.

The first two commandline arguments passed to the program are finally copied into the name properties of m1 and m2 respectively with no length checks on the provided arguments.

It took me a while to analyze my exploit for this- I understand everything so well at the time but then I find I’ve forgotten why it actually worked. (Note to self: work on organization!)

After looking into it again, however, I understand the logic behind this attack:

With the input provided to argv[1], we overwrite the value of m2 with the address of exit, occurring just 4 lines below the second strcpy- if our buffer is on the heap, any changes to the stack shouldn’t effect the value copied to exit. This is followed by basic shellcode starting at 0x804a030.

In the strcpy call to m2->name, we provide the start of our heap stored shellcode.

This will be the moment when our shellcode is actually copied into the value at 0x80497f4.

AI – Thoughts and Rants

This summer semester I decided to take Introduction to Artificial Intelligence, which the university I go to offers as an elective for CS majors. Which is awesome, I know! As a computer science student I had been curious for a while about the robots, talking computers that assist Iron Man, and even the “magic” behind things like Siri. Yes even I, someone who is in the “know” about a field like software engineering, which is intertwined with AI in more ways than one, fantasizes (or used to, maybe?) about a future where robots assist us on all kinds of tasks and make our lives better/easier, or in the case of I, Robot, a lot worse. All jokes and fiction aside, the fact is that AI exists already in our lives. In fact it is so infused with our day-to-day lives that we don’t even notice it. You ever look at the weather app on your phone? Do you ever go to Google Translate? Do you ever ask Google for directions? Do you ever ask Siri anything? All of these things use some technique that was born in the field of AI, or machine learning (which is a very close sibling to AI). I could go into all  kinds of impressive, and not-so-impressive, techniques that I learned about in the class. A-Star search; Informed Search; Probabilistic Reasoning; Markovian Models; Neural Nets, etc. But this is not the reason why I write this.

The reason why I write this essay/blog post is because a friend of mine, who is planning on taking the class next semester, asked me a very simple question, “How is AI?”. Well...the truth is that is not a simple question at all. It’s a tough question. Because I do have MANY reservations about AI. They range from the philosophical, technical and even reach out to my ethical concerns about Artificial Intelligence. Now, before I go on, I want to be clear about something: THIS IS A BIASED PIECE. As I go on, you’ll notice I have specific opinions about AI as a software engineer. I also want to state that this is NOT a piece meant to attack/offend anybody/anyone/ any organization that is researching AI or building products powered by AI/machine learning. I think you are all awesome people(a little crazy, but in a good way), and you have my utmost and sincere respect. Now that that is out of the way, let’s get down to business.

Before coming to this class I thought AI was an awesome/fascinating field(at the moment I still do). That with everyone—mainstream media, programmers, Google, Microsoft—hyping up AI, I thought to myself, there has to be reason for all the buzz and fuzz about this “AI thing” . And to be honest, MOST of it is undeniably granted. So...as a software engineer I was surprised by how mathematical AI really was. You’d think that a field that is, as stated before, so infused with our lives would be somewhere on the vicinity of software engineering in regards to practicality. But it’s truly not. The truth is that a lot of problems, rightfully so, have to be theorized/generalized in some way before they’re solved in an intelligent manner by a machine. And this makes sense. Think about it, if you want to talk about path-finding, “paths” aren’t simply cities A-F, and find the shortest path. This could be the surface of a new planet with a different landscape, New York, a colony in the moon or you might even have a case where you’re concerned about the cost of moving a piece on a chessboard. It’s also not just about making the algorithm fast. And it’s not that AI doesn’t welcome nice Big O notations like constant time and linear and logN—and these are becoming less central to any algorithm given all of the crazy-fast hardware we have today and the crazier-faster that is still to come. These are, like any algorithm, preferred over N^2 or something above that. However, AI’s top priority to my understanding(at least if I learned what I was supposed to learn), is to solve problems, or find answers, in an intelligent way.

But what the in the world does intelligent mean, anyway?

This is when AI becomes philosophical. And, if you ever take this class(or at least the specific AI class I took), you won’t be tested on the philosophical definitions of AI. But even though you won’t be tested on those when doing the projects, which is the most important part of the class, you won’t directly use anything philosophical, it’s worth keeping in mind that any algorithm in AI is trying to do things intelligently. This means that brute force is not welcome; that randomness, with some exceptions(like hill climbing), is not very welcome; most things that aren’t generalized(in an intelligent manner) are not very welcome. This is one of the reasons why AI is math-heavy: AI scientists need a way to generalize intelligence. But how general can intelligence really be? Can it really mimic the intelligence of a human to the point that it can compose songs, write an essay on the politics of the world and even make moral judgments? At the end of the day, not really. I mean you can take all of the songs recorded up to this day, and write a fancy neural net(don’t ask me how they work, they’re not super-complicated, but not a walk-in-the-park either) and it can classify and recognize some patterns and put something together….but it’s just re-mixing what we’ve already heard and listened to a million times. So no, AI is not that general. The AI of today is very narrow. This is not to say that it is useless. AI is very useful and will be in the future; speech recognition will get better; self-driving cars will improve; it will be able to write “better” songs. But AI won’t have a face; it won’t (and this is subjectively my opinion) have the ability to make moral judgments(and if we allow it to, then we are fools buying snake oil). As a software engineer I found the radical uses of Bayes Theorem somewhat interesting, but not very exciting. I found myself subscribing to the idea to program intelligence into the machine, rather than program it and tell it what to do. This, if I’m being frank, made me a little uncomfortable. As a software engineer I like tinkering with machines, I like to write programs that solve problems(rather than “program” intelligence and let It solve the problems for me). I felt as if I were being submissive to this idea—I know, it’s a stretch. And yes, I am probably romanticizing programming as a craft, but I’m sorry, I can’t help it. Speaking of programming machines, that reminds me, to the AI people(and I’m speaking about the specific people that guided me throughout the class—professors and TAs) the code did not matter. Which struck me as surprising, and a little unnerving. To them all that mattered was the theorems, excel charts and “report”. Which again, given the fact that the code itself in practice is the building block for the AI agent to do whatever it is that it needs to do, was unnerving—borderline frustrating. I don’t write code to plot charts, theorize formulas or see trends. That’s not to say, I write code without documentation. Documentation is not what we are talking about here. Indeed, self-documented code is a must. But to write code to satisfy Bayes Theorem? That itself is frustrating and, in my opinion, goes against the spirit of creativity in programming. It goes against the lemma I follow when I code—hack away. Hack the malloc calls to the point where all of the segments you allocate are continuous; trick the OS into caching at all levels only your processes; manipulate CPU priorities to make your process priority 1 because the game you’re building is over-bloated with physics calculations and unnecessary art, and that computer does not have a GPU. AI felt nothing like hacking computers. AI felt nothing like engineering solutions. It felt like forcing code to comply with some theorem—Bayes Theorem,  making informed decisions, Perceptron, etc. I seriously respect these techniques, because all of them are incredibly cool and quite impressive. And heck, software engineers do use these techniques today. But, in my humble opinion, an engineer doesn’t have to fully comply with a mathematical rule. They are nice because they make a bunch of assumptions that MOST of the time are true. But in engineering, when we have to directly sometimes interact with hardware and users, some of these assumptions are not very useful in practice. Sometimes as engineers, if we were building an OS, one might have to hard-code stuff with macros in C to make a specific architecture/piece of hardware faster. Sometimes in software engineering, one doesn’t have the luxury of just “throwing memory” at a problem—which is part of the idea of machine learning, along with some statistics. Throw memory at it, implement perceptron and you can classify pictures! Engineers have to keep in mind the cost of adding two gigs of ram—cost in terms of money and resources. As an engineer, when handling CPU scheduling, sometimes one doesn’t know what the best scheduling scheme is. Sometimes engineers have to wait till users actually use the software, and get a “feel” for what’s the best CPU scheduling scheme, given the different use cases. AI doesn’t like hard-coded macros, that’s not intelligent. AI doesn’t love edge-cases hacks, that’s not intelligent. AI doesn’t care about beautiful code that might be 10% faster because one follows good practices. AI, from the impression I got in this class, is almost programming-independent. One might even say it finds programming languages hindering because there isn’t a language that fully expresses how “great”(ahem, intelligent) It really is. I could be wrong about these assumptions. Because, heck, what do I know? I’m only a software engineer.

Despite my reservations about AI, I highly recommend taking the class as a CS major. Having said what I said, AI is not going away. For better or worse, it will stay in the lives of people, software engineers and not-software engineers. It is and will be a necessary evil of our present and future. Take the class, get a feel for what you think of it. And if you’re like me—you like to hack computers—you’ll survive in that jungle of probability and intelligence greatness. I honestly can’t tell you to stay or not, that’s your choice. In the meantime, I choose not to.