Tuesday, July 21, 2015

Timing attacks

What are the timing attacks?

The timing attacks are the ones that are applicable when it takes different time for an application to compare the provided secret with the original one. When does it take the different time? When comparison is performed symbol by symbol and stops once the current symbols in the provided secret is different from the current symbol in the original one.

def compare_secrets(secret_original, secret_provided):
  if len(secret_original) != len(secret_provided):
    return False

  for x in secret_original:
    for y in secret_provided:
      if x != y:
        return False

  return True

It takes one amount of time to compare the same passwords or strings, for the different ones it takes another, less, amount.

One can, however, argue that the time difference is so negligible so that it's impossible to exploit this vulnerability. Against all the odds, it is possible. My code had this vulnerability https://github.com/GildedHonour/rust-jwt/issues/1

How to exploit it?

Try to brute-force the password and measure the time it takes for the application to respond. When the current attempt takes less time than the previous one, it implies that the current password partially matches the original one. That is, the less time is takes, the larger amount of symbols match. By keeping brute-forcing the password and analyzing the response time, you can eventually find the password.

How to protect your code?

Don't break the process when the symbols are different. When it comes to performance, it's, indeed, not efficient. However, from the point of view of security this code is safe.

 def compare_secrets(secret_original, secret_provided):
  res = True
  for x in secret_original:
    for y in secret_provided:
      if x != y and res == True:
        res = False

  return res

Thursday, July 9, 2015

Deploying a Rails 4 application on Heroku.com with the assets on Amazon S3

I had a task to deploy a Rails 4 application to heroku.com and make it serve the assets from Amazon S3. After a couple of days trying to do that through trial and error I eventually made it work. Here's how to do that:

1) Precompile the assets locally

rake asset:precompile

What this command does is:

a) Combines them into the single css and js files
b) Copies them to public/assets
c) Creates public/assets/manifest-.json

2) Upload them to S3 manually. I suggest avoid using gems when possible. The less gem and dependencies you use, the better it is. This is because using gems makes our job even more difficult: not only do they require us to learn their interfaces, they may have errors in them.

For example, the latest version of the most popular gem asset_sync for synchronizing assets was in the state "tests failed" when I was working on the task.

And in general, in order to better understand what's going on under the hood, you have to avoid using high-level stuff.

To upload assets to S3 you can use an utility called s3cmd. I think that's the only way to do it and there's no way to do it via a browser.

cd public

s3cmd . s3://your-bucket-name

where the "." denotes your current directory being public.

Sunday, June 21, 2015

When working on a website or application, it's better not to waste your time trying to make it perfect. Instead you should focus on making it work first, creating a simple demo. And the faster you go, the better it is.

Only after the first demo is finished, you can massage it by refactoring the code,
dealing with the performance, etc. But not at beginning, otherwise you'll never finish it.

Saturday, June 13, 2015

An awfully simple definition of a monad

Here's a definition of a monad from wikipidea which seems pretty simple

Formally, a monad consists of a type constructor M and two operations, bind and return (where return is often also called unit). The operations must fulfill several properties to allow the correct composition of monadic functions (i.e. functions that use values from the monad as their arguments or return value). The return operation takes a value from a plain type and puts it into a monadic container using the constructor, creating a monadic value. The bind operation performs the reverse process, extracting the original value from the container and passing it to the associated next function in the pipeline, possibly with additional checks and transformations.

That is, a monad is a type which is used by some functions (that accept monads) to combine them into a chain.

Tuesday, June 2, 2015

A simple javascript notification

If you want to show a simple notification on the page using javascript and don't want to use any third-party librariy because of their overhead, here's what you can do: you can create a div, show and then remove it automatically.

  function showAlert(msg) {
    var el = document.createElement("div");
    el.setAttribute('style', 'position:fixed; top:50%; left:40%; background-color:white;');
    el.innerHTML = msg;
    }, 1000);

That's a pretty light and easy solution which requires no third-party libraries.

Monday, May 18, 2015

false can be equal to True in Python

In Python 2.7 everything but an empty string and False itself evaluates to True. This also returns True:

(Pdb) bool('false')

(Pdb) bool(u'false')

Tuesday, April 28, 2015

has_many in Django 1.8

In Rails you can create a relationship between the models by has_many and belongs_to. Django has an analog of belongs_to which is ForeignKey but it seems it doesn't have something like has_many. Actually it does:

from django.db import models
class MyModel1(models.Model):
    field1 = models.CharField(max_length=255)
    # has_many MyModel2, implicitly

class MyModel2(models.Model):
    field1 = models.CharField(max_length=255)
    my_model1 = models.ForeignKey(MyModel1) # has_one MyModel1 

my_model1 = MyModel1.object.get(id=1)
my_model1.mymodel2_set.all() # has_many

Pay attention that there's no white-space in mymodel2_set between my and model2_set