In a seminar today, we will unveil Rendezvous, a search engine for code. Built by Wei-Ming Khoo, it will analyse an unknown binary, parse it into functions, index them, and compare them with a library of code harvested from open-source projects.
As time goes on, the programs we need to reverse engineer get ever larger, so we need better tools. Yet most code nowadays is not written from scratch, but cut and pasted. Programmers are not an order of magnitude more efficient than a generation ago; it’s just that we have more and better libraries to draw on nowadays, and a growing shared heritage of open software. So our idea is to reframe the decompilation problem as a search problem, and harness search-engine technology to the task.
As with a text search engine, Rendezvous uses a number of different techniques to index a target binary, some of which are described in this paper, along with the main engineering problems. As well as reverse engineering suspicious binaries, code search engines could be used for many other purposes such as monitoring GPL compliance, plagiarism detection, and quality control. On the dark side, code search can be used to find new instances of disclosed vulnerabilities. Every responsible software vendor or security auditor should build one. If you’re curious, here is the demo.
May 14th, 2013 at 13:56 UTC
The Queen’s speech at today’s state opening of Parliament includes the prediction:
“In relation to the problem of matching Internet protocol addresses, my Government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace”
This is all that remains of the Home Office’s ambition to bring forward a revised version of the Draft Communications Data Bill that two Parliamentary Select Committees were so unimpressed by, and which the Liberal Democrats have declined to support.
The sole issue on which there appears to be political consensus is that “something must be done” about the traceability failure that regularly occurs when the Internet is accessed from a smartphone. The shortage of IPv4 addresses means that the mobile companies cannot give each smartphone a unique IP address — so hundreds of users share the same IP address with only the TCP/UDP source port number distinguishing their traffic. Because this sharing is done very dynamically the mobile phone companies find it problematic to record the source port mapping, and they have argued that the way the EU Data Retention Directive is written they have no obligation to make and keep such records.
I wrote about this issue at some length on this blog in January 2010, although until very recently the Home Office considered it to be tantamount to a state secret and were extremely coy about discussing it in the public.
The Queen’s “bring forward proposals” phrase appears to cover a range of options:
- the mobile companies decide that they can manage to log the source port mapping data after all;
- the Home Office pays for new kit at the mobile companies that will allow source port mapping to be done;
- there is a short bill (or clause in another bill) that requires the logging to be done (this might avoid any question of payments being ultra vires, or would ensure compliance by companies (possibly broadband suppliers) that looked like becoming stragglers;
- there are discussions but nothing happens at all — perhaps because the tide turns against Data Retention as being a necessary and proportionate policy. A number of other EU countries have found it to be incompatible with fundamental human rights.
The Open Rights Group (ORG) have recently produced a pamphlet (available online here) setting out how surveillance might be better approached in this century. I contributed the chapter on the technical issues…
… if you don’t have time to read the whole thing then the New Statesman has an edited version of my chapter; and you can watch a short video of myself (and two other contributors) explaining the major issues.
May 8th, 2013 at 13:21 UTC
On Friday I went to a fascinating lobbying meeting on the new EU data protection regulation. Europe is by default the world’s privacy regulator, as America doesn’t care and no-one else is big enough to matter; so this is really important. Some 3000 amendments have been proposed and the regulation is in the final stages of the committee process; the rapporteurs of the various parties are negotiating compromise amendments which should be ready for a vote within weeks. So the pressure is really on.
Friday was extraordinary because all the lobbyists came together in one room to argue their cases. This is because the liberal shadow rapporteur Alexander Alvaro was injured in a car crash last month, so Sarah Ludford, a London MEP, took over at the last minute. Normally lobbyists see MEPs singly or in small groups, but as time was short Sarah called a mass meeting at Europa House in London. So we all got to hear what the others were pushing for. Campaigners for open government say we’d have better laws if more if the process was public; here’s an example where that happened (literally) by accident.
I am posting my notes of the meeting here, as it’s a good case history of how lobbying works, as well as of how our privacy is being lost. There were about 100 people present, of which only 5 were from civil society. Most were corporate lobbyists: good-looking, articulate and impressive, but pushing some jaw-dropping agendas. For example the lovely lady from the Association of British Insurers found it painful that the regulation might ban profiling that was unfair or discriminatory.
April 28th, 2013 at 17:45 UTC
I’m at the launch in London of the new campaign for medical privacy, MedConfidential.org. Sam Smith and I will be liveblogging the day’s events in comments below. For background, see here, here, here and here. Most of today’s audience are from groups for whom medical privacy is particularly important, such as charities dealing with rape victims, substance abuse, sexual health and child wefare.
April 24th, 2013 at 09:21 UTC
Those of us who love America and have many friends there were delighted at President Obama’s initial reaction to the Boston bombings. He said if whoever attacked the city sought to intimidate victims or shake American values, “it should be pretty clear by now that they picked the wrong city to do it.” It seemed that sanity had at last returned, after all the scaremongering of the “War on terror”, and the ghost of 9/11 was finally being laid to rest.
One day later, a million people were under virtual house arrest; the 19-year-old fugitive from justice happened to be a Muslim. Whatever happened to the doctrine that infringements of one liberty to protect another should be necessary and proportionate?
In the London bombings, four idiots killed themselves in the first incident with a few dozen bystanders, but the second four failed and ran for it when their bombs didn’t go off. It didn’t occur to anyone to lock down London. They were eventually tracked down and arrested, together with their support team. Digital forensics played a big role; the last bomber to be caught left the country and changed his SIM, but not his IMEI. It’s next to impossible for anyone to escape nowadays if the authorities try hard.
April 20th, 2013 at 08:51 UTC
With some delay here is the second and final part on our impressions of David Birch’s Tomorrow’s Transactions Forum (TTF13), which we attended thanks to Dave’s generosity (See full agenda and PowerPoint presentations here). See part 1 here.
NOTE: Although written in first person, what follows results from a combination of Laurent Simon’s and my notes.
The theme of day 2 at TTF13 was social inclusion. The kick off question was “How to develop tools to help people deal with money?” (people with no financial culture and based on a transactional account).
This was followed by presentations on “Comic Relief” (the day before ‘the big day’), “Universal Credit” and expert panel on financial inclusion.
April 15th, 2013 at 11:34 UTC
The CTSRD Project is advertising two posts in processor, operating system, and compiler security. The first is a research assistant position, suitable for candidates who may not have a research background, and the second is a post-doctoral research associate position suitable for candidates who have completed (or will shortly complete) a PhD in computer science or a related field.
The CTSRD Project is investigating fundamental improvements to CPU architecture, operating system (OS) design, and programming language structure in support of computer security. The project is a collaboration between the University of Cambridge and SRI International, and part of the DARPA CRASH research programme on clean-slate computer system design.
These positions will be integral parts of an international team of researchers spanning multiple institutions across academia and industry. Successful candidate will provide support for the larger research effort by contributing to low-level hardware and system-software implementation and experimentation. Responsibilities will include extending Bluespec-based CHERI processor designs, modifying operating system kernels and compiler suites, administering test and development systems, as well as performing performance measurements. The position will also support and engage with early adopter communities for our open-source research platform in the UK and abroad.
Candidates should have strong experience with at least one of Bluespec HDL, OS kernel development (FreeBSD preferred), or compiler internals (LLVM preferred); strong experience with the C programming language and use of revision control in large, collaborative projects is essential. Some experience with computer security and formal methods is also recommended.
Further details on the two posts may be found in job ads NR27772 and NR27782. E-mail queries may be sent directly to Dr Robert N. M. Watson.
Both posts are intended to start on 8 July 2013; applications must be received by 9 May 2013.
April 9th, 2013 at 11:57 UTC
The 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI ‘13) seeks to bring together researchers and practitioners from technology, law, and policy who are working on means to study, detect, or circumvent practices that inhibit free and open communications on the Internet. We invite two distinct tracks for papers: a technical track for technically-focused position papers or works-in-progress; and a social science track for papers focused on policy, law, regulation, economics or related fields of study.
FOCI will favor interesting and new ideas and early results that lead to well-founded position papers. We envision that work presented at FOCI will ultimately be published at relevant, high-quality conferences. Papers will be selected primarily based on originality, with additional consideration given to their potential to generate discussion at the workshop. Papers in the technical track will also be evaluated based on technical merit. As with other USENIX events, papers accepted for FOCI ‘13 will be made freely available on the USENIX website.
For further details, see the call for papers (PDF version). The submission deadline is 6 May 2013.
April 8th, 2013 at 16:33 UTC
Last weekend, my wife and I were in Milton Keynes where we bought a cradle as a present for our new granddaughter. They had only the demo model in the shop, but sold us one to pick up from their store in Cambridge. So yesterday I went into John Lewis with the receipt, to be told by the official that as I couldn’t show the card with which the purchase was made, they needed photo-id. I told him that along with over a million others I’d resisted the previous government’s ID card proposals, the last government had lost the election, and I didn’t carry ID on principle. The response was the usual nonsense: that I should have read the terms and conditions (but when I studied the receipt later it said nothing about ID) and that he was just doing his job (but John Lewis prides itself on being employee-owned, so in theory at least he is a partner in the firm). I won’t be shopping there again anytime soon.
We get harassed more and more by security theatre, by snooping and by bullying. What’s the best way to push back? Why can businesses be so pointlessly annoying?
Perhaps John Lewis are consciously pro-Labour given their history as a co-op; but it’s not prudent to advertise that in a three-way marginal like Cambridge, let alone in the leafy southern suburbs where they make most of their money. Or perhaps it’s just incompetence. When my wife phoned later to complain, the customer services people apologised and said we should have been told when we bought the thing that we’d need to show ID. She offered to post the cradle to our daughter, but then rung back later to say they’d lost the order and would need our paperwork. So that’s another 30-mile round-trip to their depot. But if they’re incompetent, why should I trust them enough to buy their food?
I invite the chairman, Charlie Mayfield, to explain by means of a follow-up to this post whether this was policy or cockup. Will he continue to demand photo-id even from customers who have a principled objection? Will he tell us who in the firm imposed this policy, and show us the training material that was prepared to ensure that counter staff would explain it properly to customers?
April 6th, 2013 at 13:58 UTC
In this first of a two or three part instalment. In them Laurent Simon and I comment on our impressions of David Birch’s Tomorrow’s Transactions Forum, which we attended thanks to Dave’s generosity.
NOTE: Although written in first person, what follows results from a combination of Laurent’s and my notes.
This was a two day event for a handful of guests to foster communication and networking. I appreciated the format.
After a brief introduction, the first day kicked off with my ever growing presentation on the origins of the cashless society (you can see it here ).
The following act was Tillman Bruett (UNCDF), who was involved in the drafting of The journey towards cash-lite (at least so say the acknowledgements).
March 28th, 2013 at 14:48 UTC