
Anyone taking part in the Cyber Security Challenge?


    Sounds quite fun, and perhaps my Intel disassembler may come in handy if I can dig it out. So I thought I'd join.

    Today I received the starter pack, which includes a questionnaire. One of the questions is "How did you hear about this?", which I've forgotten. Not off to a very good start.

    Anyone else thinking of taking part? NickFitz? AtW?

    The home page is here.
    Work in the public sector? Read the IR35 FAQ here

    #2
    Originally posted by OwlHoot
    One of the questions is "How did you hear about this?", which I've forgotten. Not off to a very good start.
    Tell them somebody stole your identity and entered you without your knowledge.



      #3
      For the "treasure hunt" challenge, it might be worth practising with Google's Gruyere: "... a small yet full-featured microblogging application designed to contain lots of security bugs. The vulnerabilities covered by the lab include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities. It also shows how simple bugs can lead to information disclosure, denial-of-service and remote code execution."



        #4
        The only time I ever discovered a major vulnerability was in a mini OS called Primos, used by Prime Computer Inc, where I worked for a few years until the early 90s.

        Its 32-bit virtual addressing was very much like Intel's today (not surprising, as I believe many hardware Primates went on to Intel around the time when the 286 and 386 were being developed).

        To cut a long story short, when a system call was made from user address space (a user "segment" in Primos lingo), the hardware automatically "weakened" any pointers, so that a user-level program could not provide these, in a "memory copy" call for example, to read or even write areas in the core address space occupied by the OS itself or shared libraries etc.

        However, among the huge set of system calls there were a few recently added ones that required pointers to structures which themselves contained pointers, and it seemed the developers of these were hazy about the extent to which this so-called "ring weakening" worked. The answer was that as it wasn't magic, it wasn't automatically applied to the pointers within the structures, and I found about half a dozen calls with which, by carefully setting the values of pointers in the input structure, I could grab control of the whole system.

        The odd thing was, when I emailed the head of the OS group, most of the holes I had clearly listed were filled; but one or two were left! I never followed up on this, because it seemed fairly obvious they had been left deliberately, for who knows what nefarious purposes.

        P.S. I wouldn't be surprised if a few Windows API (AKA Win32) system calls had the same vulnerability today. If so, then all you need is a symbol table and a reasonable understanding of the Kernel and you're in business.
        Last edited by OwlHoot; 1 September 2010, 20:50.
        Work in the public sector? Read the IR35 FAQ here
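
Added example, not part of OwlHoot's post and not Primos code: a constructed C model of the gap post #4 describes, where a system call validates the pointer to a request structure but not the pointer stored inside it, shown beside a handler that validates both. The flat `mem` array, `USER_LIMIT`, `struct fill_req`, `run` and the two `sys_fill_*` handlers are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat memory, low half "user", high half "kernel". */
#define MEM_SIZE   256u
#define USER_LIMIT 128u
static uint8_t mem[MEM_SIZE];

/* Request a user program hands to the hypothetical sys_fill call. */
struct fill_req { uint32_t dst; uint32_t len; uint8_t value; };

/* Overflow-safe check that [addr, addr+len) lies wholly in user memory. */
static int user_range_ok(uint32_t addr, uint32_t len) {
    return addr < USER_LIMIT && len <= USER_LIMIT - addr;
}

/* Flawed: only the outer pointer is checked; req.dst is trusted as-is. */
int sys_fill_flawed(uint32_t req_addr) {
    struct fill_req req;
    if (!user_range_ok(req_addr, (uint32_t)sizeof req)) return -1;
    memcpy(&req, &mem[req_addr], sizeof req);
    if (req.dst >= MEM_SIZE || req.len > MEM_SIZE - req.dst) return -1; /* model bounds only */
    memset(&mem[req.dst], req.value, req.len);
    return 0;
}

/* Hardened: copy the struct once, then validate the pointer inside the copy. */
int sys_fill_checked(uint32_t req_addr) {
    struct fill_req req;
    if (!user_range_ok(req_addr, (uint32_t)sizeof req)) return -1;
    memcpy(&req, &mem[req_addr], sizeof req);          /* single fetch */
    if (!user_range_ok(req.dst, req.len)) return -1;   /* nested pointer */
    memset(&mem[req.dst], req.value, req.len);
    return 0;
}

/* Clear memory, place a request at user offset 0, run the given handler. */
int run(int (*handler)(uint32_t), uint32_t dst, uint32_t len, uint8_t v) {
    struct fill_req req = { dst, len, v };
    memset(mem, 0, sizeof mem);
    memcpy(&mem[0], &req, sizeof req);
    return handler(0);
}

int main(void) {
    int a = run(sys_fill_flawed, 200, 4, 0xAA);  uint8_t ka = mem[200];
    int b = run(sys_fill_checked, 200, 4, 0xAA); uint8_t kb = mem[200];
    printf("flawed rc=%d kernel=0x%02x; checked rc=%d kernel=0x%02x\n", a, ka, b, kb);
    return 0;
}
```

Copying the structure into kernel-owned storage before checking it also keeps the caller from changing the embedded pointer between the check and the use.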



          #5
          Originally posted by NickFitz
          Tell them somebody stole your identity and entered you without your knowledge.
          Just registered you Nick. This should be good fun as I know jack tulip about jack tulip.
          What happens in General, stays in General.
          You know what they say about assumptions!



            #6
            I might be remotely interested if Churchill is taking part in it ...



              #7
              Originally posted by AtW
              I might be remotely interested if Churchill is taking part in it ...
              Atw!


              What happens in General, stays in General.
              You know what they say about assumptions!
