Black Hat and White Hat Hacking with Lisp
Sunday, November 19, 2006
Years ago, I used to have a really strong interest in issues related
to secure computing and
"cracking". In fact, in 1995, I wrote an article for NEWS/400 Magazine
titled "Hackers, Viruses, and Your AS/400" (still available online in
SystemiNetwork archives, although you have to pay for it) which exposed a number of security gaps in
the IBM AS/400, a computer that was being advertised as being fairly
secure from crackers. At the time, the article was one of the most
controversial articles that the magazine had ever published. In
addition, I was once contracted to set up a security system and security
several banks and financial organizations and, in the process, was
involved in detecting/catching a number of "unauthorized"
intrusions and transactions. However, I've also been very interested
in the technical challenges of both setting up secure systems and
compromising secure systems. So, in the past, I had spent a fair bit
of time looking at security from a number of different angles and I
still occasionally look around at what's happening in this field.
There's often a fine line between being a person with an interest in cracking and being a cracker. And, usually, the best security professionals are using the same tools that the better crackers are using. So, when I heard about Ephemeral Security's new lisp-based mosref product, I was really intrigued. Mosref is a "secure remote execution framework" (security-speak that means "tool for embedding bad stuff on another computer"). It was recently demo'ed at defcon 14 (the slides are available online) and has quite a few interesting features (the following was taken from Ephemeral Security's web site):
- combines high-grade cryptography and a small efficient virtual machine on both ends
- presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation
- cross-platform using ANSI C and GCC, currently running on OpenBSD, Darwin, Linux, and Win32 (compiled bytecode is portable between these platforms)
- has an in-memory database (included in the Mosquito VM) that allows developers to work with complex data models without using a relational database.
Mosquito Lisp (a lisp dialect that combines features of Scheme,
CL, and Erlang) for scripting with the following characteristics:
- Designed for network applications, Mosquito is highly concurrent and provides simple and efficient network and process APIs.
- Mosquito is highly portable, written in ANSI C, and is currently in active use on Darwin/PPC, Linux/x86, Windows 2000/XP, and OpenBSD/x86.
- Mosquito is compact, with the virtual machine weighing in at close to 128k on some platforms. (Note: when I generated a drone on my Mac PPC PowerBook, the object was about 1MB in size; however, this obviously differs depending on the target platform)
- Mosquito can be self-contained, applications may be linked on any Mosquito platform to run stand-alone on any other Mosquito platform.
- Bytecode generated by Mosquito's compiler may be employed on any host platform without recompilation.
- The Mosquito environment is rich, with over 300 primitive functions and 200 library functions in the standard library. (Not including additional libraries specific to MOSREF.)
- The Mosquito environment is available under the LPGL, and is obtainable from Sourceforge.
Basically, mosref is designed to work with a console (on the "attacking" machine) and one or more drones (on "target" machines). All of the drones are custom-generated for the task and talk with the console using an encrypted communications link (so that communication between the console and the drones can't easily be compromised). Drones can carry a "payload" or can be used to relay communications to other drones. Ephemeral Security originally developed mosref using other technologies but switched to Lisp to take advantage of some of the dynamic features of the language. A neat feature is the ability to dynamically change code on the drone when necessary over a secure, encrypted communications link (Lisp developers are familiar with this type of "hot code patching" already; conceptually, it is similar to a CL developer working locally on Emacs with SLIME and updating a running instance of CL on a remote box. I've written about this in the past here, here, here, here).
If you're interested in learning more about mosref and Mosquito Lisp, the following might be of interest:
- There is a short Flash demo, an introduction to Mosquito Lisp, some Mosquito Lisp articles, a mosref how-to, a short history of mosref/Mosquito, and a mailing list on the Ephemeral Security site.
- Lispmeister's post on the book The Shockwave Rider has a link to mosref and to other related material.
- There is a post on the #scheme IRC channel where Wes Brown (the founder of Ephemeral Security) posts a link to some code that provides a demonstration (using Mosquito Lisp) of a "Semi-Trivial Mosquito Lisp Application Server".
- A discussion on digg about mosref.
- Another blog post had a good summary of mosref.
Update-2008-08-09: Since my original post, Ephemeral Security has folded. However, Scott Dunlop (the original developer of Mosquito Lisp) has resumed work on the successor to Mosquito Lisp: Wasp Lisp. I recently received an email from him with links to the older Mosquito Lisp and MOSREF code/documentation as well as links to the new Wasp Lisp project - I've paraphrased his email here:
The best resource is a tarball of the original MOSREF documentation that is still available on SourceForge at:
While this is all out of date, it was a fairly comprehensive user-land view of Mosquito Lisp, MOSREF, and MOSVM.
The content of the Ephemeral Security blog can be found, thanks to Archive.Org at:
Unfortunately, the flash demo of using MOSREF is unavailable, but there were two MOSREF 2 demonstrations, one at DefCon, the other at Hack in the Box that can probably be found on YouTube these days.
Documentation on the implementation of the Mosquito and Wasp Virtual Machines is, as one would expect, sparse. There was a reference written for MOSVM's tiny instruction set and included in the MOSREF 2.0 source tarball at:
On the other hand, Scott is just getting started on the documentation of Wasp Lisp. Once Scott gets some fundamental tools written for generating and managing Wasp's documentation, he has indicated that he would love any assistance he could get from the community -- even if it is just bug reports and the occasional rotten tomato. Some notes on building WaspVM, and the latest WaspVM releases can be found at:
Finally, since SourceForge was a dog last summer, Scott decided to host the source tree with LaunchPad -- which supports a better version control system to boot: https://launchpad.net/waspvm
I'll look forward to following progress of WaspVM and Wasp Lisp in the future!