- Data driven throughput maximization of iSCSI storage setup
I have run some tests on my iSCSI backend, with the intent of planning several upgrades, including whether I should route ethernet cables to the studio, as I am currently on a wireless network. This exercise forced me to try to produce a model that describes the throughput of iSCSI requests. What I eventually got seems to work and it enabled me to make data driven performance projections with different configurations that I then verified experimentally.
- Reverse engineering Android 2FA OTP application
As part of my disaster recovery plan, I want to have an offline backup of 2FA codes for online banking to generate OTPs without my phone in case of emergency. This required reverse engineering my bank's Android OTP application, which I expected would reveal some kind of HMAC-based HOTP/TOTP calculation. I found instead an implementation which is significantly more complex, involving thousands of calls to aes.Encrypt. The work presented in this post is the result of reverse engineering smali code from the unpacked Android application, using mainly vscodium with the APK lab extension.
- Reverse engineering MS-DOS binaries
I have recently reverse engineered some control paths of an old MS-DOS tool from Broadcom which came as a UPX compressed linear executable prepended with a Protected Mode extender and required tools such as IDA 4.1 and IDA 5.0 to be reverse engineered. This post is a collection of notes explaining how to get from binary to disassembled and decompiled code for applications packaged in a similar way.
- Reverse engineering UEFI OptionROM layout on BCM575x NIC
I have been working on UEFI OptionROM malware research using a Broadcom BCM5751 1G Network Card and initially used the old B57UDIAG.EXE utility for the MS-DOS environment to overwrite the PXE ROM and enable or disable PXE boot. However, to iterate quickly during my experiments I needed to manipulate the OptionROM directly under Linux. This required reverse engineering some control paths of B57UDIAG.EXE, putting together a specification for the NVRAM layout, algorithms for integrity checks and other relevant information, which was used to develop a tool to manipulate the OptionROM in NVRAM without the requirement of an MS-DOS environment.
- Branch target prediction and performance
I was recently analyzing the performance of DIRACBenchmark after having seen a peculiar speed-up in the transition from the Sandy Bridge/Ivy Bridge architecture to Haswell/Broadwell. This benchmark basically generates a long sequence of random numbers via the Python random module and performs some multiply and accumulate operations. What stood out after some initial tests was a 50% improvement in runtime when switching from Xeon v2 to Xeon v3 processors. All the other benchmarks I was familiar with were showing a difference in the range 10%-20%, but this Python script was definitely an outlier.
- C++ move semantics and rvalue reference
A collection of notes where I have recently tried to consolidate C++11 concepts such as move semantics, rvalue references and forwarding, showing how these features affect the compile time and runtime behavior of C++ programs.
- Linux VFS internals: dentries
There is often a lot of confusion around how directories are represented on the filesystem. This post tries to clarify how ext4 uses the dirent structure to store directory information.
- Debugging a failed Openembedded build with devshell
devshell is a great feature implemented in Openembedded that allows one to spawn a cross-compilation terminal session replicating the build time environment used by bitbake. It saves a lot of time and headaches when packages fail to compile. Here I have collected some notes on how devshell helped debug a failure I came across when integrating lighttpd in my Raspberry Pi layer.
- Network data corruption on Gigabyte R120-P31 - Part 2
This is the second part of an investigation to solve a data corruption issue encountered on a Gigabyte ARM64 R120-MP31 board. In the first part I had a look at the application, transport and data link layers. In this second part I perform some tests to validate possible data corruption happening in system RAM.
- Lifecycle of a Python multiprocessing.Process
This post is a collection of notes on the mechanisms that regulate the creation and termination of a Python multiprocessing Process, investigating in particular what happens when the interpreter terminates.
- Network data corruption on a Gigabyte R120-P31 - Part 1
This post covers a network data corruption issue encountered on a Gigabyte ARM64 R120-MP31. This first part is a summary of some initial tests I did at the transport layer (i.e. TCP checksums) and at the data link layer (i.e. Ethernet CRC32).
- pxelinux 6.03 boot failure with Chelsio T520-LL-CR
This is a collection of notes I have taken while debugging a regression of the CERN PXE booting infrastructure, which followed the update to PXELINUX 6.03. This investigation brought me down the stack to the device firmware, reminding me of Eric Raymond's "The Cathedral and the Bazaar" and the problem of closed hardware drivers. The devices I was working with were not at End of Life, however not having access to the firmware code brought my turnaround time for finding a long term fix from 24 hours to days. In the widget frosting OSS model, Raymond advocates for an intermediate approach between open and closed source, where there is a closed source ROM and an open interface to the ROM. I was essentially in this configuration, working on top of the Universal Network Device Interface (UNDI). Unfortunately, this was still not enough to enable me to effectively do my job.
- Dumping LVM volumes for debugging purposes
This post covers a possible procedure to "snapshot" a Linux installation based on a boot partition and three LVM logical volumes for root, var and swap, which proves useful when an identical environment must be reproduced on a different machine sharing the same hardware configuration. One of the requirements is to obtain the smallest possible "image", so that it can be easily transferred and rewritten on the second machine. Such a procedure does entail a number of issues: all the machine specific parameters (e.g. /etc/hostname, MAC addresses in /etc/sysconfig/network-scripts) are deployed to the second machine and need to be adapted accordingly (not covered in this post). Bearing this in mind, all the following commands have been executed from a live image based on RedHat Linux.
- Exploiting CVE-2014-0160, also known as Heartbleed
This post presents a proof of concept of an exploit for the Heartbleed bug. With the exploit I attempted to steal the private keys from a local instance using a vulnerable version of OpenSSL. I was unsuccessful, but it has proven a very interesting experiment anyway.
- Gentoo full disk encryption with dm-crypt/LUKS
This post covers the manual installation procedure of Gentoo Linux with encrypted root and swap partitions using LUKS and dm_crypt on a legacy BIOS system.