--> ap/xxxxx

__

References and ideas: (2007.06.11:4)

Regarding the operating system (OS) as that which is trusted - even so far as to trust the OS or kernel of an already compromised system to expose or disclose its own duplicity

duplicity in the OS and a relation to hacking (hacking and Gnosticism).

OS as reflecting the world interface

as modelling and reciprically modelled after (VALIS)

when it is out in the world (as micro-mirror-piece of the world with compilers/interpreters/system calls and the like)

the artistic operating system is precisely occupied with this question

scrying boards also - as being far from a functional device in the world a la Arduino - but rather as that putting of mobile code into the world as reflection - as language in the device // mobile in the city

References for this play:

Reflections on Trusting Trust. Ken Thompson: http://www.acm.org/classics/sep95/

Designing BSD Rootkits. Joseph Kong (No Starch Press)

Complete Linux Loadable Kernel Modules: http://thc.org/papers/LKM_HACKING.html

Linux on-the-fly kernel patching without LKM: http://phrack.org/archives/58/p58-0x07

http://www.l0t3k.org/security/docs/kernel/

promiscuOS at level of packets - frame - fragmentation to research (2007.03.14:1)

as a a kernel-level intervention...

have a look at:

/usr/src/linux/net/ipv4/ip_fragment.c

prmsnet.el (2007.02.09:1 emacs#26 promiscuOS_notes#16)

Changes to use princ and wrapper to send un-evaluated text

Also last eval was just one sexp...

The dangers of evaluating system commands!

(defun prm-sendregionastext() ;; works as long as we don't have any inverted commas (interactive) (save-excursion (save-restriction (narrow-to-region (region-beginning) (region-end)) (process-send-string "prm_client" (format "(princ \"%s\" (current-buffer))" (buffer-string)))))) (defun prm-serve (proc string) (let ((prm-process proc)) (setq temp_buffer (get-buffer-create "temp_buffer__")) (princ string temp_buffer) (switch-to-buffer the_buffer) (eval-buffer temp_buffer) (set-buffer temp_buffer) (erase-buffer))) ;;rest as before

GNU Emacs Lisp networking code for promiscuOS: (2007.02.08:4 emacs#25 promiscuOS_notes#15)

start server, start client, send regions or buffer as code for remote evaluation

;;client and server

;; server functions - receive incoming requests. eval code

(defvar prm-process nil)

(defvar prmclient-process nil)

(defvar the_buffer nil)

(defvar host nil)

(defvar port nil)

(defun prmserv-start (&optional port)
  (interactive (list (read-string "Serve requests on port: " "8080")))
  (if (null port)
      (setq port 8080)
    (if (stringp port)
        (setq port (string-to-number port))))
  (if prm-process
      (delete-process prm-process))
  (setq the_buffer (generate-new-buffer "prm"))
  (setq prm-process
	(make-network-process :name "prm"
			      :buffer the_buffer
			      :host 'local :service port
			      :server t :noquery t
			      :filter 'prm-serve)))

(defun prm-stop ()
  (interactive)
  (when prm-process
    (message "prmisc.el server on port %d has stopped"
	     (cadr (process-contact prm-process)))
    (delete-process prm-process)
    (setq prm-process nil)))

(defun prm-serve (proc string)
  (let ((prm-process proc))
    (switch-to-buffer-other-window the_buffer)
    (print (eval (read string)) the_buffer)))
	

;; client functions - initiate connection, send buffer, send region, send last sexp
;; how collab editing could work ??

(defun prmclient-start (&optional port host)
  (interactive (list (read-string "Send requests on port: " "8080")))
  (if (null port)
      (setq port 8080)
    (if (stringp port)
        (setq port (string-to-number port)))
  (if prmclient-process
      (delete-process prmclient-process))
  (setq prmclient-process
	(make-network-process :name "prm_client"
			      :host host :service port))))
			      

(defun prm-sendbufferascode()
  (interactive)
;;  (switch-to-buffer the_buffer)
  (process-send-string "prm_client" (buffer-string)))

(defun prm-sendregionascode()
  (interactive)
   (save-excursion
    (save-restriction
      (narrow-to-region (region-beginning) (region-end))
        (process-send-string "prm_client" (buffer-string)))))

;;(prmclient-start 8080 "127.0.0.1")

;;(prmserv-start 8080)

;;(prm-stop)

;;(prm-sendregionascode)






leak image: (2007.01.31:6)

latest code-base: (2007.01.31:5 gneve#7)

leaks.el and gneve.el

leak.el updated over last paste!

pipes leaking/pool buffer code for GNU Emacs (2007.01.31:4 promiscuOS_notes#12 emacs#19)

(defvar proclist nil)

(defconst number-regexp
 "-?\\([0-9]+\\.?\\|\\.\\)[0-9]*\\(e[0-9]+\\)?"

  "Regular expression for recognizing numbers.")


(defun lsof ()
  ;; perform lsof and grep for FIFO. start of line - process number. store in list if it is unique
  (let ((buffer (get-buffer-create "**leakprocess1**")))
    (setq proclist nil)
    (set-buffer buffer)
    (erase-buffer)
    (switch-to-buffer "**leakprocess1**")
    (call-process "lsof" nil t nil "-nFpt")
    (goto-char (point-min))
    (while (< (point) (point-max))
  ;;    (beginning-of-line)
      (forward-word 1)
      (re-search-forward "FIFO" nil t)
      (setq oldpoint (point))
      (re-search-backward "p" nil t)
      (forward-char 1)
      (setq proclist (cons (matcher) proclist))
      (goto-char oldpoint)
   ;;   (next-line 1)
)))
    
(lsof)

(defun leaker()
;; select drip FIFO from list. access FD in proc filesystem
    (setq string (nth (random (length proclist)) proclist))
  (switch-to-buffer "**pool**")
  ;;read list of file descriptors
  (setq filename (choose-fd string))
  (if (file-regular-p filename)
       (setq result filename)
   ;;drip read x characters and write to buffer
    (insert-file-contents result nil 0 500))) ;; change to randoms for length



  (let ((buffer (get-buffer-create "**pool**"))))

(while 1 (leaker));; update FIFO list and do this at random intervals

;;(insert (format "%s" proclist))

;;(print proclist)

(defun matcher ()
    (let (string)
      (if (looking-at number-regexp)
	  (goto-char (match-end 0)))
	(setq string (buffer-substring (match-beginning 0) (point)))
	(string-to-int string))) ;; should just be string??

(defun choose-fd (stringy)
  ;; choose from /proc/stringy/fd/n using random
  (setq attempt (concat "/proc/" (number-to-string stringy) "/fd/"))
  (if (file-readable-p attempt)
      (setq number (random (length (directory-files attempt))))
  (setq number 0))
    (concat "/proc/" (number-to-string stringy) "/fd/"  (number-to-string number)))

  

notes for promiscuOS: (2007.01.31:2)

1] that we need some kind of wider archictecture rather than just implementing, say, leaking pipes; at the same time still question of a patching of the existent (a typical GNU Linux system, a custom system) and the solely making visible of a promiscuOS toolset.

notion of a geographic filesystem promoted by leaks/pools ideas. data pools forming in specific neighbouring regions of a filesystem.

2] focusing on GNU Emacs as core to a system of pluggability - that leaks could be within buffers - creating pool buffers which can be visited or even piped (if we can wrap up, say, comint-send-region and the like - promiscuous becoming a system), that we can also leak buffers into these pool buffers - such leaks tied to a systematics of process.

example code: zone.el which makes use of timers, calling functions/actions randomly and operations on buffers.

3] also scsh would be nice but although emerges fine, www.scsh.net is not accessible.

4] In GNU Emacs:

a) Networked and environmentally active self display. Generation of code and data rather than response to input.

b) All process memory is readable and writable by any process or user. There is no hierarchy, no model of secure computing. Self display code will exploit this feature.

c) The ability to generate, disperse and run mobile code between machines.

d) Supreme pluggability - small apps can plug themselves together within a Unix model or a la Pd (but not in such graphic manner).

e) In relation to pluggability leaky streams rather than static segregated files - advance Unix model with new command line operations (spray, leak with level options specified).

promiscuOS quotes: (2007.01.31:1)

Information hiding. The kernel exports information (through /proc/pid/maps, for example) which can be highly useful to attackers... So restricting access to that information improves the security of the system.

/dev/mem is used primarily by root kits. About the only legitimate user is the X server, which uses /dev/mem for access to the frame buffer. Read access to /dev/mem is an information leak, and there is no reason for allowing write access to kernel memory at all.

From: Kernel Summit 2005: The ExecShield patches

http://lwn.net/Articles/194323/

eev.el: (2006.12.29:1 tech_notes#326 promiscuOS_notes#9)

Lets you place hyperlinks and shell/tcl/TeX/etc code inside plain text files.

from:

http://www.mat.puc-rio.br/~edrx/emacs.html

note also:

Emacs and eev, or: How to Automate Almost Everything

http://angg.twu.net/eev-article.html

with possible use for promiscuOS see:

http://angg.twu.net/eev-article.html#.channels

The way that we saw to send commands to a shell is in two steps: first we use M-x eev in Emacs to send a block of commands, and then we run `ee' at the shell to make it receive these commands. But there is also a way to create shells that listen not only to the keyboard for their input, but also to certain communication channels; by making Emacs send commands through these communication channels we can skip the step of going to the shell and typing `ee' --- the commands are received immediately.

(making use of netcat - netcat as key possible tool for promiscuOS)

two sides/faces

to promiscuOS project across range of instances:

ref: http://download.plt-scheme.org/mzscheme/mz-103p1-bin-i386-kernel-tgz.html

possibly also expressed as:

http://fresh.homeunix.net/~luke/shbuf/

[look into further for processes and networking in Emacs Lisp using Distel: http://fresh.homeunix.net/~luke/distel/]

where do we arrive? to specify an architecture of pipes, leaks and pools - shared, networked and promiscuous with intentional and automated data and code generation, network transport and sloughing off of neighbouring data. transparent, non-segmented memory as an option. how would this look and how far do we go in specifying the environment (see 0 above)

promiscuOS quotation: (2006.12.10:1 promiscuOS_notes#7 research#118)

/*
 * pipefs should _never_ be mounted by userland - too much of security hassle,
 * no real gain from having the whole whorehouse mounted. So we don't need
 * any operations on the root directory. However, we need a non-trivial
 * d_name - pipe: will go nicely and kill the special-casing in procfs.
 */

[from /usr/src/linux-2.6.11/fs/pipe.c]

notes/links for leaking pipes also regarding pipe.c:

http://www.linux.com/guides/lki-3.shtml

pipe_mnt = kern_mount(&pipe_fs_type);

pipe system call bridges user/kernel space:

http://db.ilug-bom.org.in/Documentation/lpg/node11.html

pipe buffers:

http://lwn.net/Articles/119682/

and some tee():

http://lwn.net/Articles/179434/

random promiscuOS notes:

Python - twisted framework

serialised or pickled objects

eval/parsing

leaks - pools / code reserves

local and remote function and environment repositories. continuation inspired frozen states for import and export.

[code object]text - interfacepools and paths between pools
leaksconnection/piping

[promiscuOS + CPU work] as: (2006.12.08:2 research#117 promiscuOS_notes#6 OS#1)

an active highly practical investigation of how the CPU and Operating System, those twin (Babel) towers of abstraction, map other domains (at the same time mapping each other - the x rings of processor privelege mapped under Linux kernel to two spaces: user and kernel space) - the domain of life coding.

notes:

---> here the fpga research, the switching of circuits UNDER

instruction and paper circuits pile

twin:

user ____ kernel

Kernel/OS definitions and related ideas

The kernel or operating system abstracts that which is uniform (the hardware-tagged space of memory cells) as that which is segmented according to process (PID - unique ID) and user. Shared memory space. Clone and fork of processes in a tree structure which mimes the filesystem hierarchy.

From Daniel. P Bovet et al. Understanding the Linux Kernel. 2005. O'Reilly:

The operating system must fulfill two main objectives:

[further...]

In a multiuser system, each user has a private space on the machine; typically, he owns some quota of the disk space to store files, receives private mail messages, and so on. The operating system must ensure that the private portion of a user space is visible only to its owner. In particular, it must ensure that no user can exploit a system application for the purpose of violating the private space of another user.

[further...]

Processes

All operating systems use one fundamental abstraction: the process. A process can be defined either as "an instance of a program in execution" or as the "execution context" of a running program. In traditional operating systems, a process executes a single sequence of instructions in an address space; the address space is the set of memory addresses that the process is allowed to reference. Modern operating systems allow processes with multiple execution flows that is, multiple sequences of instructions executed in the same address space.

[further...]

Unix-like operating systems adopt a process/kernel model . Each process has the illusion that it's the only process on the machine, and it has exclusive access to the operating system services. Whenever a process makes a system call (i.e., a request to the kernel, see Chapter 10), the hardware changes the privilege mode from User Mode to Kernel Mode, and the process starts the execution of a kernel procedure with a strictly limited purpose. In this way, the operating system acts within the execution context of the process in order to satisfy its request. Whenever the request is fully satisfied, the kernel procedure forces the hardware to return to User Mode and the process continues its execution from the instruction following the system call.

[Online ref: http://linux-security.cn/ebooks/ulk3-html/0596005652/understandlk-CHP-1-SECT-4.html]

for promiscuOS... some notes:

leaks across process memory (implemented beneath the process - within generic segmentation faultcode), filesystem, sockets+pipes (referred to as IPC): memory is context. segregation of memory is seperation of user and process.

address space of a process: all linear addresses that the process is allowed to use (see p.352 Understanding)

pipes p.776+ also the pipe code we found: lp-01 which copies file descriptors (pipe is only accessible to parent process). FIFO allows for arbitrary piping and is associated with a kernel buffer.

IPC shared memory. executable in shared memory?

http://user-mode-linux.sourceforge.net/projects.html - note DSM - distributed shared memory:

This can be done with UML because UML's physical memory is really virtual memory on the host, so it can be mapped and unmapped. So, the idea is to spread a single UML instance over multiple hosts by running a virtual processor on each host and partitioning UML physical memory between them. A page that's present on one node will be unmapped from the others. If one of the other nodes accesses it, it will fault, and a new low-level fault handler will figure out what node currently has it, and request that it be sent over. The other node will unmap it, and copy it over to the requesting node, which will map it in to the appropriate location and continue running.

In UML codebase we're also looking at:

linux-2.6.19/arch/um/sys-i386/signal.c:364: force_sig(SIGSEGV, current);

also:

int handle_page_fault(unsigned long address, unsigned long ip,... in:

linux-2.6.19/arch/um/kernel/trap.c:203: force_sig_info(SIGSEGV, &si, current);

xx___

how exactly does UML work with memory management?

"A page fault exception is raised when the addressed page is not present in memory, the corresponding page table entry is null or a violation of the paging protection mechanism has occurred." [ULK]. Linux handles a page fault exception with the page fault handler "do_page_fault()". This handler can be found in "arch/i386/mm/fault.c". You may also need to read related contents of Chapter 4 in LKP "The next most important piece of the port is the virtual memory emulation. An important job of the kernel is to maintain a separate memory context for each process, making it impossible for one process to access memory belonging to another. Native kernels accomplish this by allocating physical pages and doing hardware magic to map them into the appropriate location in a process virtual memory. UML emulates this first by creating a file that is the same size as the physical memory that UML has been told it has, and then by mapping this file as a whole into an area of its virtual memory that will be treated as its "physical" memory. When a process needs memory to be allocated, pages will be allocated from this area and the corresponding pages in the file will be mmapped() into the process virtual memory.

access to file?

UML must also emulate hardware faults and device interrupts. The most important fault that needs to be emulated is a page fault, which happens whenever a process does an invalid memory access. In UML this generates a SIGSEGV; the handler does the necessary checking to see if the access is valid and a new page needs to be mapped into the process (if it's invalid, the process is sent the SIGSEGV). Device interrupts are generally emulated with SIGIO on the file descriptor used to communicate with the virtual device. The timer is implemented by requesting a SIGVTALRM timer from the host kernel. SIGSEGV, SIGIO, and SIGVTALRM are the equivalent of hardware traps. Just as processes on a physical Linux machine aren't affected by hardware traps unless the kernel converts them into Linux signals, these signals don't affect any UML processes unless the UML kernel converts them into Linux signals. UML installs its own handlers for these signals, which run in UML kernel mode." ... Jeff Dike

from: http://lass.cs.umass.edu/~shenoy/courses/spring04/577/lab5.html

raw access to filesystem (/dev/hda1 for example)

path of execution. passed down through shell.

promiscuOS protocol: (2006.12.06:4)

Networking in Emacs Lisp (2006.12.06:1 tech_notes#315 promiscuOS_notes#4 emacs#11)

1] sans TCP:

see: httpd.el -- a web server in Emacs Lisp

at: http://www.chez.com/emarsden/downloads/

notes:

:: Since Emacs does not (yet!) provide server sockets, you ;; need a helper program to bind to the socket and forward requests. ;; There are two ways of doing this: use a service like inetd to ;; launch a fresh emacs instance for each incoming request, or use a ;; program which forwards requests via gnuserv. The second method ;; obviously provides better performance.

eg:

;; 8080 stream tcp nowait.10000 nobody /usr/bin/emacs emacs -batch \
;;    -l /path/to/httpd.el -f httpd-serve

or use httpd-serve Python script... (from where?)

or see:

muse-http.el file that can turn Emacs into a webserver, much like the emacs-wiki-httpd.el module, except that it doesn't need an external Python script.

muse-http handles requests by way of httpd.el later version:

http://sacha.free.net.ph/notebook/emacs/muse/httpd.el

with lines:

(defun httpd-start (&optional port)
  (interactive (list (read-input "Serve Web requests on port: " "8080")))
  (if (null port)
      (setq port 8080)
    (if (stringp port)
    (setq port (string-to-int port))))
  (if httpd-process
      (delete-process httpd-process))
  (setq httpd-process
  (open-network-stream-server "httpd" (generate-new-buffer "httpd")
  			      	      			       port nil 'httpd-serve))
  (if (eq (process-status httpd-process) 'listen)
      (message "httpd.el is listening on port %d" port)))
see also:

http://www.emacswiki.org/cgi-bin/wiki/rcirc.el

2] In GNU Emacs reference manual:

Emacs Lisp programs can open TCP network connections to other processes on the same machine or other machines. A network connection is handled by Lisp much like a subprocess, and is represented by a process object. However, the process you are communicating with is not a child of the Emacs process, so you can't kill it or send it signals. All you can do is send and receive data. delete-process closes the connection, but does not kill the process at the other end; that process must decide what to do about closure of the connection.

3] Gnuclient and gnuserv:

Gnuserv: It allows arbitrary Emacs Lisp commands to be sent to an Emacs process running either on the local machine or on another machine on the network.

http://linuxgazette.net/issue29/marsden.html

4] ebby - shared Emacs buffers for collaborative editing (no link)

(on this thread:

http://technomancy.us/blog/post/45 and:

http://bc.tech.coop/blog/060509.html)

and thus:

5] Distel: http://bc.tech.coop/blog/060111.html

PromiscuOS notes2: (2006.12.05:2 promiscuOS_notes#3 research#116)

1] Simple Grid Protocol (which certainly is simple) - runs on CLisp and consists of network code, querying, and eval.

/etc/services and then inetd start cpur.lisp. Tracking (server) and notify (process) maintain local list of IPs for code import/eval.

but eval doesn't give us a shared/promiscuous environment.

...for promiscuOS we need to maintain a list of local and otherwise promiscuOS'ers - exported to a central accessible list which can be downloaded regularly. zeroconf for local.

2] obvious differentiation between promiscuOS'ers and code environment of other machines/networks which equally well be probed and executed.

3] extent of VM layer if we modify kernel and strip down overlying OS

SBUML is an extension to User-mode Linux(UML) that can save complete Linux runtime states in mid-execution(including all hard disks, devices, processes, and kernel space). The same state can be restored at a later time on the same PC, or migrated to another PC. The states can be delta compressed to a few megabytes or less, making it practical to download running Linux machines from websites.

http://sbuml.sourceforge.net/

promiscuOS project update and notes: 06:00 (2006.11.26:1)

a) Networked and environmentally active self display. Generation of code and data rather than response to input.

also one could imagine say the Emacs on UML stuff with perhaps just clisp or mobile Emacs Lisp code:

http://www.informatimago.com/linux/emacs-on-user-mode-linux.html

emacs as code dispersal, arrival, edit, self-display and execution environment on patched Linux kernel.

b) All process memory is readable and writable by any process or user. There is no hierarchy, no model of secure computing. Self display code will exploit this feature.

c) The ability to generate, disperse and run mobile code between machines.

generate:

disperse:

run:

... or use RPyC/Remote Python Call http://rpyc.wikispaces.com/ ::

RPyC is a transparent, symmetrical python library for distributed-computing. Pronounced "are-pie-see", it began as an RPC library (hence the name), but grew into something much more comprehensive with many use cases. It basically works by giving you full control over a remote slave-interpreter (a separate process), which performs operations on your behalf.

also integrates with inetd: (see std_server.py)

-packet forth (PF): latest news:

http://permalink.gmane.org/gmane.comp.multimedia.packet-forth/407

from this:

The parser ('read' = ASCII -> internal data structure) can be combined with the serializer ('write' = data structure -> ASCII), which eliminates the need of creating ad-hoc protocols for communicating with PF.

would we run all of these across a range of ports?

also another question that if we run, say, a range of such platforms they would need to share memory - to elaborate a shared memory model which is essential to promiscuOS - at the same time this model should stretch outwards to encompass our other applications and embrace pluggability and streams and so on (an OS-wide shared memory model of un-partitioning - leaks of pipes collected in un-partitions. border breaks)

d) Supreme pluggability - small apps can plug themselves together within a Unix model or a la Pd (but not in such graphic manner).

[to research JACK architecture - low-level interface and higher-level client-server relations]

e) In relation to pluggability leaky streams rather than static segregated files - advance Unix model with new command line operations (spray, leak with level options specified).

see recent research:

http://www.vanheusden.com/listenpipe/

Listenpipe can be used to sit between 2 applications that are interfaced with pipes. It will pass through data as is but also store what is send/received in a logfile as well.

for leaking pipe code

leaking JACK?