==Phrack Inc.== Volume 0x0d, Issue 0x42, Phile #0x02 of 0x11 |=----------------------------------------------------------------------=| |=------------------------=[ PHRACK PROPHILE ON ]=----------------------=| |=----------------------------------------------------------------------=| |=------------------------------=[ pipacs ]=----------------------------=| |=----------------------------------------------------------------------=| |=---=[ Specifications Handle: pipacs AKA: PaX Team Handle origin: your pick between P. Howard and images.google.com :) Produced in: .hu Urlz: pax.grsecurity.net Computers: always a generation behind... Creator of: PaX Member of: PaX Team :) Projects: PaX Codez: ntid Active since: 15+ years Inactive since: past few years |=---=[ Favorites Actors: Chaplin Films: Versus Authors: Gurdjieff Books: Fire from within Novel: Jonathan Livingston Seagull Meeting: eclipse'99 Music: Radioaktivitaet, The light of the spirit Alcohol: long island iced tea Cars: Maserati Foods: anything but 4 legs I like: good beer & wine I dislike: all that bitter 'beer' down under :P |=---=[ Your current life in a paragraph Working on some PHP/.net/js stuff for a SaaS startup, and generally tired of everything security related. Fortunately there's life beyond that :). |=---=[ First contact with computers Despite the early 80's behind the iron curtain and COCOM restrictions, I somehow managed to get my hands on an ABC-80 during a summer camp. It was Z-80 and BASIC, but one had to start somewhere ;). Afterwards came a ZX-81, a Spectrum, etc, the usual stuff in those days. |=---=[ Passions : What makes you tick Unsolved problems. Unsolvable problems. |=---=[ Entrance in the underground I'm not sure I was ever part of the underground but let's just say that many of the smart people I met in the mid-90's would later end up in computer security as a necessary outgrowth of skills they acquired in reverse engineering. To me they're still the friends of 10+ years and there's nothing particular about being part of the underground (ok, did i successfully ditch the question? :). |=---=[ Which research have you done or which one gave you the most fun? It's of course PaX, especially some 6 years ago when spender and me were porting it to new CPUs while solving unsolvable problems (where's that NX bit on ppc32 again? :). |=---=[ How you got started on low-level concepts? In the ZX Spectrum days I wanted to stop the clock in some game, so there I was learning Z-80 assembly and finding that pesky dec (hl). From then on it was lots of assembly coding for the Spectrum (still proud of my own turbo loader after all these years :) then later the Amiga (m68k) and finally the PC. Interestingly, I really hated the PC (x86) after the m68k but when I had to clean up after a virus infection (the first and only one I ever got :), I finally gave in and learned x86 as well and began to reverse engineer more stuff, particularly exe packers (ever since that virus incident I still have the habit of unpacking and looking at everything first). That then led to a never ending cat&mouse game between debuggers and anti-debugging techniques, so I had to eventually reverse engineer and fix my choice of a debugger, SoftICE. That was a major undertaking in hindsight but it taught me a lot about CPU details that proved very useful in later years. |=---=[ Thoughts on future of security enhancements? I think we'll see more of them as now there's very serious push in the commercial sector (mostly due to Microsoft) to research and develop practically useful techniques. There will be more tool chain enhancements and also more kernel and hypervisor level work to lock down various parts of the software stack and also to provide some level of self-protection. There will also be more work towards hardening parts of the client side userland that is both powerful and most exposed to attacks. Think web browsers, media players, etc, that all implement some form of programmable engines which represent the same kind of problems as runtime code generation (shellcode) did in the previous decades, just at a higher abstraction level. Whether techniques developed so far will be adaptable or not is an open question, but this problem needs to be addressed soon. |=---=[ Short history of PaX? At around the time when the Y2K panic was settling down I got into a startup to develop a HIPS for windows. That didn't work out in the end for several reasons, but the idea stuck into my head and while enjoying the summer between two jobs, I somehow remembered what I had read about a year ago on IA-32 TLB hacking and I was set on the path. I talked to a few friends about it and we decided to do a windows version as that's what we were familiar with (speaking of kernel internals). This is also the reason for the 'team' in the name, even if the other guys dropped out soon afterwards to pursue other interests. The summer passed and I got a new job where linux was everywhere and one October weekend I sat down and figured I'd give it a try. Turned out that the first cut wasn't that hard and I was surprised that the new kernel booted without a hitch and worked as expected. Then came public disclosure day, something I had debated for some time but decided I wasn't going to go down the patent road. I still think it was the right decision, even if many people thought and still think I was a bit crazy to let this out for free :). The following years saw slow but steady development of various ideas, limited by my free time, (un)fortunately (depending on which side of the fence you are :). For a more precise timeline just look at the wikipedia article, I think my years spent in (sometimes voluntary) unemployment will clearly stand out :). |=---=[ What future things are planned for PaX? I wish I could just even list them :), but having looked at my to-do list it seems I've got enough work left to fill more than a lifetime. So without any particular preference, here's a few ideas that I hope I can implement one of these days: Ret2libc prevention: this is something I'd written about 6 years ago but never got to implement it, and somewhat shamefully, the world at large failed to as well (save for MSR's Gleipnir project perhaps). I mean, all the effort people spent in the last decade on propolice/ssp could have equally been spent on solving this much more relevant and important problem... Kernel self-protection: the goal here is to solve the somewhat unsolvable problem of the kernel protecting itself from its own bugs. What is or isn't possible is something you'll have to wait and see :). More arch support: it would be nice if more CPU specific features could be ported to other archs beyond x86, in particular ARM (android, mobile phones) and MIPS (network gear) really need all the protection they can get. Virtualization support: whether it's a good idea or not from a security point of view, virtualization is here to stay and unfortunately quite a few of the existing kernel self-protection features are hard to handle in those environments. I'm not yet sure what concessions can be made here... |=---=[ Personal general opinion about the underground I don't know much about it given how many years ago I lost most of my interest in computer security, but I can't help but note that the barrier of entry is set a lot higher than in the previous century. Couple that with vested new interests (both commercial, governmental and criminal, with unclear boundaries at times :P) in siphoning off all the knowledge and people in security and I can see no bright future for the kind of underground that there was before... I just hope that the spirit of not taking anything at face value, looking behind and beyond of what is already known will not die out in the younger generations and some of them will keep their independence for long enough to nurture underground outlets as this one :). |=---=[ Memorable Experiences Meeting the internet in the early 90's when the whole country was connected on a 9.6 kbps line to Vienna. Downloading IDA 2.x in '94 and not knowing what to do with it at first (anyone remembers ReSource on the Amiga? :). Playing with SMM back in 1998, I keep wondering when Probe Mode gets 'discovered' and hyped up as well :). Eclipse'99. That ADMcon. Being told by several native (english) speakers that I have a french accent :P. Seeing the AMD 'anti virus protection' ad on the London tube in the summer of 2004 and realizing I may have had something to do with it. 2005, vomatron with a prince of Sri Lanka, you can blame PaX on him too. BAcon 06, the first and original one. Padocon. Teaching half the world to pronounce ege'szse'getekre (blame the lack of proper accents on Phrack mandated ASCII :P). Having to endure snoring from all kinds of people :). |=---=[ Memorable people you have met People who worked on icedump. The wonderful team of Q. People who helped with PaX. The Padocon folks who got a tad bit drunk on palinka. |=---=[ Memorable places you have been All over the world except Antarctica. |=---=[ Things you are proud of Reverse engineering SoftICE to the point that some NuMega folks reportedly thought their src got stolen or something. Learning amd64 and porting a pure asm kernel driver to XP 64 RC and reverse engineering and circumventing PatchGuard (a year before Uninformed had published anything on it) all in 4 weeks while also handling an lkml flamewar and being jetlagged down under... |=---=[ Things you are not proud of Some would say it's all the things I'm proud of :). Oh, and sorry for having held up this release, but life's just too busy... |=---=[ Opinion about security conferences Too much hype over too little content. But then there're exceptions. Fortunately most are organized enough that presentations are available online with many academic confs being the exception, shame on them. Nevertheless, it seems that I still managed to collect over 16 GB of (security) conference material over the years so I guess the situation is not that bad. I wish I had time to read all that though :). |=---=[ Opinion on Phrack Magazine 1985' ? 1995' ? 2005' ? '2009 ? 1985: I wish we had had a phone line to begin with :) 1995: the days when gopher was being taken over by http, and no encryption in sight... anyway, I think p47 was the first issue I got my hands on, and I didn't find it too interesting at the time, sorry :) 2005: that'd be p63 I guess (your version, that is :), a whole lot more stuff, and finally beyond the 100th how-to-backdoor-linux kind of article 2009: I have yet to see, it didn't leak so far (kudos for the new team :) |=---=[ What you would like to see published in Phrack ? More hardware related hacking, there're way too many gizmos out there these days to be ignored... More specific uses of computers, such as aviation, space, astronomy, particle physics, etc. There must be interesting things hiding there. More food-for-thought kind of articles, it's somehow got neglected... |=---=[ Shoutouts to specific (group of) peoples The old folks from UCF and other groups, all the Q people and those I met through them, and basically everyone I drank a beer with :). |=---=[ Flames to specific (group of) peoples It's all in the search engines already, for the better or worse :). |=---=[ Quotes On some sunny day in July 2002 (t: Theo de Raadt): why can't you just randomize the base that's what PaX does You've not been paying attention to what art's saying, or you don't understand yet, either case is one of think it through yourself. whatever Only to see poetic justice in August 2003 (ttt: Theo again): more exactly, we heard of pax when they started bitching miod, that was very well spoken. More recently, a student contemplating doing research related to PaX/grsecurity: So Dr. Spafford essentially told me that it's better to work on something simpler than to try to do research that will save the world |=---=[ Anything more you want to say While most of the readers are undoubtedly living a computer dominated life, let me remind everyone that you can't have beer over the internet. So go get out sometimes and maybe even invite the neighbour over. For this is what builds real relationships, not electronic substitutes. --------[ EOF