Well, the original paper about it is here (PDF here).
Quite an interesting read if you're into that sort of thing... they got much better performance than FFS - the paper says it could use 70% of the disk's bandwidth for writing, compared to 5-10% in FFS, and was only worse than FFS in sequentially reading a file that had been written randomly.
I think there was a follow-up paper improving that, too, but I can't find it.
Informative?! :-)
Actually, if you don't watch any broadcasts (only DVD and so on) you don't need a licence: http://www.tvlicensing.co.uk/gethelp/faqs.jsp?question=1#link1
There's a much nastier version of this: there is a message WM_TIMER which is meant for callbacks at regular intervals. One of its parameters is the address of a function to be called.
You can send this message to a window on your desktop and it will jump to any address you like! Straight away you could crash the process containing the window, or you could put some code to spawn a shell into an edit box in that program, then jump to that code. Hey presto! Instant shell running as Local System.
The attack is documented at http://security.tombom.co.uk/shatter.html, and can be used to inject code into any window on your desktop.
There doesn't seem to be any easy way to fix this, since security in Win32 messages is only meant to be at the desktop level and not the application level, and anything else would break lots and lots of applications.
Microsoft recommend stopping these attacks by never having a GUI in a service, instead having a separate GUI program that communicates with the service. But even they have made mistakes with this before - the pop-up Messenger windows (not MSN, the built-in Windows service) used to run in CSRSS, the Win32 server process. So you could get Local System access by sending yourself a message (which would cause the dialog to pop up) and then injecting code into CSRSS using that window.
According to http://security.tombom.co.uk/moreshatter.html, you don't even need a process with a window on the desktop - just find a system thread with a message queue and call PostThreadMessage on it.
You haven't? Funny, I got an invite from Google a few weeks ago now... but I've had a Gmail account for a while now, thanks to http://isnoop.net/gmail/. They have zillions of invites now, so that's the easiest way to get an account.
The attack uses the RDTSC instruction to find out how many clock cycles are taken to perform its operations.
There is a flag on x86 that can disable RDTSC for user-mode code. As far as I can see, it would be much, much harder to do a similar attack without a fairly accurate clock-counting instruction like this.
I'm not sure though - could someone who knows more about these things comment on how fine-grained the timing needs to be to detect cache misses? Can the bits be recovered slowly over a long period of time?
The shortest maths joke in the world:
:-)
BEGIN JOKE
Pick epsilon less than zero.
END JOKE
Thank you, I'll be here all week
Some user programs (like ftp and ping) are taken from BSD, but they're hardly big enough to be worth worrying about, IMO.
What his name is has little to do with how his name is reported, especially when it's reported inconsistently.
Both Google and Stanford report his name to be spelt Sergey. I consider these to be more authoritative than most sites on the name of the co-founder of Google, which started at Stanford.
No, it's not.
http://www.google.com/corporate/execs.html
Stop the presses! A Slashdot reader has discovered archive.org!
Damn, clicked Submit instead of Preview. Silly me.
As the other replies said, like a hard link. But NT already has hard links (and symlinks)! There's even an API CreateHardLink to make them, so any Win32 program can do it. This program is a nice GUI to create symlinks: http://www.rekenwonder.com/linkmagic.htm ...and this one creates hard links: http://hermann.schinagl.tripod.com/nt/hardlinkshellext/hardlinkshellext.html
So it shouldn't be too hard to get a native version of ln, by doing something like using MinGW and replacing link(2) with CreateHardLink, and symlink(2) with the necessary FSCTL to make a symbolic link (a.k.a. reparse point)
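To show what the port sketched above looks like in practice, here is an added example (my code, not anything from the post or from MinGW): a minimal ln front end whose two link-making functions map onto link(2)/symlink(2) on POSIX and onto the Win32 calls under MinGW. One assumption differs from the comment: instead of hand-rolling the reparse-point FSCTL, the Win32 branch uses the later CreateSymbolicLink API, which does that for you. The two demo_* self-check functions, their /tmp scratch names and the ".hard"/".sym" suffixes are constructed for illustration and only build on POSIX.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#include <sys/stat.h>
#endif

/* Hard link: link(2) on POSIX, CreateHardLink on Win32 (NTFS volumes only).
 * Returns 0 on success, -1 on failure. */
int make_hard_link(const char *existing, const char *newpath) {
#ifdef _WIN32
    return CreateHardLinkA(newpath, existing, NULL) ? 0 : -1;
#else
    return link(existing, newpath);
#endif
}

/* Symbolic link: symlink(2) on POSIX. On Win32 this example assumes the later
 * CreateSymbolicLink API (Vista and up), which creates the symlink reparse
 * point itself rather than issuing the FSCTL by hand as the comment suggests;
 * pass SYMBOLIC_LINK_FLAG_DIRECTORY instead of 0 for directory targets. */
int make_sym_link(const char *target, const char *newpath) {
#ifdef _WIN32
    return CreateSymbolicLinkA(newpath, target, 0) ? 0 : -1;
#else
    return symlink(target, newpath);
#endif
}

#ifndef _WIN32
/* Constructed self-check: make a scratch file under /tmp, hard-link it, and
 * return the link count stat(2) reports (2 when the link exists). Cleans up
 * after itself; returns -1 on any failure. */
long demo_hard_link_count(void) {
    char path[] = "/tmp/ln_demo_XXXXXX";
    char linkpath[64];
    struct stat st;
    long n = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    snprintf(linkpath, sizeof linkpath, "%s.hard", path);
    if (make_hard_link(path, linkpath) == 0 && stat(path, &st) == 0)
        n = (long)st.st_nlink;
    unlink(linkpath);
    unlink(path);
    return n;
}

/* Constructed self-check: symlink to a scratch file and return 1 if
 * readlink(2) hands the same target name back, 0 otherwise. */
int demo_sym_link_roundtrip(void) {
    char path[] = "/tmp/ln_demo_XXXXXX";
    char linkpath[64], buf[64];
    int ok = 0;
    int fd = mkstemp(path);   /* only needed to reserve a unique name */
    if (fd < 0) return 0;
    close(fd);
    snprintf(linkpath, sizeof linkpath, "%s.sym", path);
    if (make_sym_link(path, linkpath) == 0) {
        ssize_t len = readlink(linkpath, buf, sizeof buf - 1);
        if (len > 0) {
            buf[len] = '\0';
            ok = strcmp(buf, path) == 0;
        }
    }
    unlink(linkpath);
    unlink(path);
    return ok;
}
#endif

/* Front end: "ln -h TARGET LINK" for a hard link, "ln -s TARGET LINK" for a
 * symlink. The Win32 calls do not set errno; use GetLastError() there. */
int main(int argc, char **argv) {
    int soft;
    if (argc != 4) {
        fprintf(stderr, "usage: %s -s|-h TARGET LINKNAME\n", argv[0]);
        return 2;
    }
    soft = strcmp(argv[1], "-s") == 0;
    if (!soft && strcmp(argv[1], "-h") != 0) {
        fprintf(stderr, "usage: %s -s|-h TARGET LINKNAME\n", argv[0]);
        return 2;
    }
    if ((soft ? make_sym_link(argv[2], argv[3])
              : make_hard_link(argv[2], argv[3])) != 0) {
        fprintf(stderr, "%s: %s\n", argv[3], strerror(errno));
        return 1;
    }
    return 0;
}
```

Build with gcc on Linux or with MinGW on Windows; the demo_* helpers are what a test can call, while main gives the ln-style command line.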
That doesn't change the fact that there's a creaky old dialog box not hidden away at all and which you are encouraged to use to install fonts. It shows a lack of attention to detail that this dialog has never been replaced.
Anyway, if you drag a font into the Fonts folder, the second half of the 3.x dialog appears to install it.
Incidentally, the font folder doesn't (now that I've played with it a bit) behave properly as a shell folder. For example, dragging fonts to the Recycle Bin is ignored. It should behave consistently when doing this.
And since when do you install apps by dragging them off a CD? Last time I checked the logo certification required you to use a .MSI file - definitely no drag and drop there.
One thing that never ceases to amuse me is the font folder.
Try bringing up c:\windows\fonts or Control Panel->Fonts.
Then File->Install New Font.
What appears? A genuine Windows 3.x dialog box. I kid you not. One with 16-colour icons and separate controls for choosing the drive and the directory. One which looked old in Windows 95 and is still in Windows 2003.
There's a picture of it in action at http://www.ascendercorp.com/fonthelp/fonthelp_windows.html
These sorts of problems are really sloppy.
Moreover, Apple added a fair few features that weren't in Smalltalk. Drag and drop, the Finder, internationalisation (through resources) and menus are what I can think of off the top of my head.
Microsoft didn't take the TCP/IP stack from BSD. Not at all. Not one bit. Not in the slightest.
They used the NDIS stack, which IBM and Microsoft wrote for OS/2.
Some of the small userland programs (like ping and ftp) are from BSD, but none of the sockets implementation.
And Darwin (the UNIXy BSD server and assorted drivers running on top of Mach, which makes up the lower parts of OS X) is open source and can be downloaded from http://developer.apple.com/darwin/. Many people run servers on it.
They must be writing in Lisp again.
That's not even a haiku! Haikus have a syllable structure of 5-7-5 - i.e. 5 syllables in the first line, 7 in the second and 5 in the third.
for replying to a fictional character
Shh! Don't let the secret out!
Whoa, you still use Windows 1.0?! No wonder you don't see any updates - I didn't even know it had a TCP/IP stack! ;-)
Actually, no automatic updates have appeared for me either. Hopefully they'll come in the next few days.
Troll? He has a lower UID than the grandparent!
It's very similar to the BSD license in style:
Copyright (c) year copyright holders
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Apparently the main difference is that BSD explicitly forbids you from saying that you were endorsed by the original writer.
A good list of licenses is http://www.fsf.org/licensing/licenses/license-list.html
http://ndiswrapper.sourceforge.net/
Some vendors do not release specifications of the hardware or provide a linux driver for their wireless network cards. This project provides a linux kernel module that loads and runs Ndis (Windows network driver API) drivers supplied by the vendors.
http://www.jankratochvil.net/project/captive/
Project implements the first full read/write free access to NTFS disk drives. You can mount your Microsoft Windows NT, 200x or XP partition as a transparently accessible volume for your GNU/Linux.
This compatibility was achieved in the Wine way by using the original Microsoft Windows ntfs.sys driver. It emulates the required subsystems of the Microsoft Windows kernel by reusing one of the original ntoskrnl.exe, ReactOS parts, or this project's own reimplementations, on a case by case basis. Project includes the first open source MS-Windows kernel API for Free operating systems. Involvement of the original driver files was chosen to achieve the best and unprecedented filesystem compatibility and safety.
(you can use the FUSE LUFS wrapper to run this, as LUFS is now unmaintained).