Category Archives: Uncategorized

WebAssembly from C++

My intention was to analyze, how C-pointer-arithmetic are translated to WASM code. Assuming you have got the a  C++ file foo.cpp like:

/// @file foo.cpp
#include <emscripten.h> // macro EMSCRIPTEN_KEEPALIVE
#include <stdint.h>

extern "C" {
void EMSCRIPTEN_KEEPALIVE myfunction(uint8_t *dst, uint8_t *src) {
 dst[0] = src[0];
 dst[1] = src[1];
}
} // extern "C"

The following code will produce  the output file foo.wasm wiht the the corresponding WASM code (file size arond 255 bytes):

emcc foo.cpp -v -O3 -s ONLY_MY_CODE=1 -s WASM=1 -s SIDE_MODULE=1 -o foo.wasm

Check the content of this file using the disassembler tool wasm-dis form project binaryen:

wasm-dis foo.wasm

The output of the disassembler looks like:

(module
 (type $0 (func (param i32 i32)))
 (type $1 (func))
 (import "env" "memoryBase" (global $import$0 i32))
 (import "env" "memory" (memory $0 256))
 (import "env" "table" (table 0 anyfunc))
 (import "env" "tableBase" (global $import$3 i32))
 (global $global$0 (mut i32) (i32.const 0))
 (global $global$1 (mut i32) (i32.const 0))
 (export "_myfunction" (func $0))
 (export "__post_instantiate" (func $2))
 (export "runPostSets" (func $1))
 (func $0 (type $0) (param $var$0 i32) (param $var$1 i32)
 (block $label$0
 (i32.store8
 (get_local $var$0)
 (i32.load8_s
 (get_local $var$1)
 )
 )
 (i32.store8 offset=1
 (get_local $var$0)
 (i32.load8_s offset=1
 (get_local $var$1)
 )
 )
 )
 )
 (func $1 (type $1)
 (nop)
 )
 (func $2 (type $1)
 (block $label$0
 (set_global $global$0
 (get_global $import$0)
 )
 (set_global $global$1
 (i32.add
 (get_global $global$0)
 (i32.const 5242880)
 )
 )
 (call $1)
 )
 )
 ;; custom section "dylink", size 5
)

The disassembled code shows, that no dependencies to JS or other runtimes exists. Still a number of functions can be identified in the  import and export section,  “myfunction” does not depend on actually.

Note: Just in case, please let me know how to eliminate the imports of “memoryBase”, “memory”, “table”, “tableBase”, and eliminating the exports of  “__post_instantiate”, “runPostSets”.

The following code shows the disassembled operations of ‘myfunction’ (function $0).  AFAICS, the pointer parameters are of type i32, and the index is translated to a bytewise store8/load8 using the offset feature, for example ‘offset=1’.

(func $0 (type $0) (param $var$0 i32) (param $var$1 i32)
 (block $label$0
 (i32.store8
 (get_local $var$0)
 (i32.load8_s
 (get_local $var$1)
 )
 )
 (i32.store8 offset=1
 (get_local $var$0)
 (i32.load8_s offset=1
 (get_local $var$1)
 )
 )
 )
 )

 

 

Android Emulator with Ubuntu 12.10

The Emulator of Android SDK expects 32bit GL graphics drivers and does not work out of the box with the 64bit GL libraries being installed by default with Ubuntu 12.10. You will get something like the following error message “libGL error: failed to load driver: i965”. You can solve the dependency installing the 32bit libraries (i386) manually the following way:

sudo apt-get install libgl1-mesa-dri:i386 libgl1-mesa-glx:i386

WordPress images unprotected

WordPress allows to publish  posts as private or password protected. The access control  seems to work for posts quiet well, but not for the images uploaded and linked from within the post. The images may be accessed using the corresponding URL directly, withouth any access control being enforced. So even if nobody has access to my post, anybody in the internet may get access to the  corresponding images, just by guessing the corresponding URLs of those images.  The private images are protected by wordpress by a mechanism called, security by obscurity.

You might say, that an attacker requires read-access to the private post first to get to know the corresponding URL of private pictures. Yes, but there is also a good chance to guess the URLs.  Let’s take a quick look at the URL of an image residing in wordpress library:

http://frehberg.files.wordpress.com/2010/03/dscf0553.jpg

It contains the blog domain, the date and the name of the image, as it has been uploaded by user that day.

Just imagine that someone has been on holiday, and the same day  publishing a number of public posts and private posts, the latter only for personal purpose, such as diary. If the corresponding images have been taken with the same camera, those holiday images will have sequence numbers within a narrow range. Some of those images ought to be kept private. But if uploading all images without changing the image-names, an attacker may get access to those private images guessing, using the publicly known image and its sequence number as base to start with. It may be sufficient to try sequence numbers within a range of +-30.

To avoid this kind of attack, one should not keep the image name assigned by the camera, but renaming all images being uploaded to wordpress library. Doing so, guessing would be much harder, and unauthorized access to non-public images  less likely.

In 2008 TechMixer documented something called a  Hotlink protection plugin which might be  related to this issue.

My recommendation is to take a closer look at this security issue. It might be a very bad experience for users discovering that the images of their very personal posts have been disclosed.