Didier Stevens

Monday 31 December 2007

How Can I Trust the BeID Runtime?

Filed under: Encryption — Didier Stevens @ 10:57

As a Belgian citizen, I was issued an electronic ID (eID) by the federal government. It’s essentially a smart card holding personal data, my picture (jpeg) and a couple of X.509 certificates for authentication and digital signing.

One of its applications is authentication on web sites. And this is already possible now, provided I’ve a smart card reader and I install the necessary software provided by the federal government.

Now take a look at the properties of the Windows setup file for the eID client software:


Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:


That’s right, the installation program is not digitally signed (AuthentiCode). Neither are any of the executables installed by the installation program.

I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.

Tuesday 25 December 2007

Building the Pocket EICAR Test File Server

Filed under: Hardware — Didier Stevens @ 9:11

As I promised last week, here are the technical details of the Pocket EICAR Test File Server.

I bought a mini AVR web server from Tuxgraphics: an AVR microcontroller with an Ethernet controller on a small PCB. The goal is to integrate some sensors (like temperature) and actuators (central heating) into my home network, but my first project was to learn to program it and develop a small web server framework.

The board is ready for operation, I just had to solder 2 wires to provide power and a programming connector. You’ll need an AVR In-System Programmer to upload your compiled C program to the microcontroller. Tuxgraphics sells one that plugs into a USB port, and it has the big advantage for me that it comes with a Linux Live-CD with all the programming tools on it. This way, I didn’t have to spend time building my own development environment. First I tested the web server, programmer and LiveCD on a real computer with an example from Tuxgraphics. After being satisfied that it worked, I created a virtual machine, booted from the LiveCD, configured networking and sshd, and now I develop on that VM. But because it’s a LiveCD and settings are not persisted, I have to take a snapshot before shutting down the VM.

The board has an Ethernet controller; this means that you have to implement the IP functions you need in software on the AVR microcontroller. For example, to get a ping reply from the pocket server, you have to write code to identify the ICMP request, build the reply and transmit it, like this:
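What that identify, build and transmit step looks like in C, as an added example that is not the Tuxgraphics example or the post’s own code: it assumes an untagged Ethernet frame with an option-free IPv4 header, a constructed server address MY_IP and a constructed sample request, and patches the ICMP checksum incrementally instead of recomputing it.

```c
/* Added example, not the Tuxgraphics or Didier Stevens code: with no IP stack on the AVR, an echo
 * request is a raw Ethernet frame and the reply is built by hand. MY_IP and the frame are constructed. */
#include <stdint.h>
#include <string.h>
#define IP_OFF   14                  /* IPv4 header follows the 14-byte Ethernet header */
#define ICMP_OFF (IP_OFF + 20)       /* ICMP header follows the 20-byte IPv4 header (no options) */
static const uint8_t MY_IP[4] = { 192, 168, 1, 20 };
static uint8_t frame[64];            /* receive buffer, reused in place for the reply */

/* RFC 1071 one's-complement checksum over n bytes; over an intact message it returns 0. */
uint16_t icmp_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if the frame is an IPv4 ICMP echo request addressed to MY_IP, else 0 (and it is ignored). */
int is_icmp_echo_request(const uint8_t *f, size_t len) {
    if (len < ICMP_OFF + 8 || f[12] != 0x08 || f[13] != 0x00) return 0;   /* EtherType IPv4 */
    if ((f[IP_OFF] & 0xF0) != 0x40 || f[IP_OFF + 9] != 1) return 0;      /* v4, protocol ICMP */
    if (memcmp(f + IP_OFF + 16, MY_IP, 4) != 0) return 0;                 /* destination is us */
    return f[ICMP_OFF] == 8 && f[ICMP_OFF + 1] == 0;                      /* type 8, code 0 */
}

/* Rewrite the request into the reply in place: swap MACs and IPs, set type 0, fix the checksum.
 * Only the type byte changes (8 -> 0), so the checksum grows by 0x0800 with end-around carry
 * (RFC 1624); the IP checksum needs no change, swapping addresses leaves its sum the same. */
void make_icmp_echo_reply(uint8_t *f) {
    uint8_t tmp[6];
    memcpy(tmp, f, 6); memcpy(f, f + 6, 6); memcpy(f + 6, tmp, 6);               /* MACs */
    memcpy(tmp, f + IP_OFF + 12, 4); memcpy(f + IP_OFF + 12, f + IP_OFF + 16, 4);
    memcpy(f + IP_OFF + 16, tmp, 4);                                            /* IPs */
    f[ICMP_OFF] = 0;
    uint32_t sum = (((uint32_t)f[ICMP_OFF + 2] << 8) | f[ICMP_OFF + 3]) + 0x0800;
    sum = (sum & 0xFFFF) + (sum >> 16);
    f[ICMP_OFF + 2] = (uint8_t)(sum >> 8); f[ICMP_OFF + 3] = (uint8_t)sum;
}

/* Constructed sample: load a 46-byte echo request from 192.168.1.10 carrying "ping" into frame. */
size_t build_sample_request(void) {
    static const uint8_t req[] = {
        0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,                 /* dst MAC, src MAC, IPv4 */
        0x45,0x00,0x00,0x20, 0,0,0,0, 0x40,0x01,0x00,0x00,               /* IHL 5, len 32, TTL 64, ICMP */
        192,168,1,10, 192,168,1,20,                                     /* src IP, dst IP */
        0x08,0x00,0x00,0x00, 0x12,0x34,0x00,0x01, 'p','i','n','g' };    /* type 8, cksum, id, seq, data */
    memcpy(frame, req, sizeof req);
    uint16_t c = icmp_checksum(frame + ICMP_OFF, 12);   /* checksum field is zero while summing */
    frame[ICMP_OFF + 2] = (uint8_t)(c >> 8); frame[ICMP_OFF + 3] = (uint8_t)c;
    return sizeof req;
}
```

Anything that fails is_icmp_echo_request is simply dropped, which is the right default for a device with no stack of its own: it answers only what it was written to answer.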


Likewise, you have to write code to handle ARP requests, which are essential for IP operation.

And for HTTP web serving, you have to implement TCP connections (e.g. SYN SYN-ACK ACK), parse the HTTP requests and send the corresponding replies. Building on Tuxgraphics’ example, I developed a simple framework to serve static and dynamic HTML pages. All is in the website array that is initialized in the InitWebsite function:


Use one entry per web page. The first pointer of each entry points to the URL you want to serve, like /info.html. The second pointer is the content type, like HTML or plain text. And the third pointer points to the static content you want to serve. Set this pointer to NULL for dynamic content.

So if you just want to serve static pages for HTTP GET requests, modifying the code doesn’t require real programming skills. In the source code, just change the MAC address and IP address, redimension the website array and populate it with your pages.

But for dynamic pages, you’ll have to write a function that generates the dynamic content, and call that function when the dynamic page is requested:


In this example, we check if the index of the requested page (iHTTPURL) equals the index of the status.html page (URL_STATUS). If it does, we call the MakeStatusResponse function that will generate the web page displaying a counter.
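The website array and the dynamic dispatch described above, as an added example that is neither the post’s nor Tuxgraphics’ code: InitWebsite, iHTTPURL, URL_STATUS and MakeStatusResponse are the names used in the post, while struct page, FindURL, Serve and the sample pages are assumed here.

```c
/* Added example, not the Tuxgraphics or Didier Stevens code: the "website array" pattern from the
 * post, one entry per page with a NULL content pointer marking a dynamically generated page.
 * InitWebsite, iHTTPURL, URL_STATUS and MakeStatusResponse are the post's names; the rest is assumed. */
#include <stdio.h>
#include <string.h>
struct page { const char *url; const char *content_type; const char *content; };
enum { URL_INDEX, URL_INFO, URL_STATUS, URL_COUNT };
static struct page website[URL_COUNT];
static unsigned status_counter;          /* state behind the dynamic status page */
static char reply[256];                  /* one reply at a time: the server is single-threaded */

void InitWebsite(void) {
    website[URL_INDEX]  = (struct page){ "/",            "text/html",  "<html><body>Pocket server</body></html>" };
    website[URL_INFO]   = (struct page){ "/info.html",   "text/plain", "AVR web server" };
    website[URL_STATUS] = (struct page){ "/status.html", "text/html",  NULL };   /* dynamic */
}

/* Parse the request line; return the page index, or -1 when no entry matches (404).
 * Only GET is served, and the path is cut at 31 bytes so a long request cannot overrun. */
int FindURL(const char *request) {
    char path[32];
    if (sscanf(request, "GET %31s", path) != 1) return -1;
    for (int i = 0; i < URL_COUNT; i++)
        if (website[i].url && strcmp(website[i].url, path) == 0) return i;
    return -1;
}

/* Dynamic page: a visit counter rendered as HTML. */
void MakeStatusResponse(char *body, size_t size) {
    snprintf(body, size, "<html><body>Visits: %u</body></html>", ++status_counter);
}

/* Serve one request: look up the page, dispatch dynamic ones on their index, build the reply. */
const char *Serve(const char *request) {
    char body[128] = "";
    int iHTTPURL = FindURL(request);
    if (iHTTPURL < 0) {
        snprintf(reply, sizeof reply, "HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found");
        return reply;
    }
    const char *content = website[iHTTPURL].content;
    if (content == NULL) {                       /* dynamic content: call the generating function */
        if (iHTTPURL == URL_STATUS) MakeStatusResponse(body, sizeof body);
        content = body;
    }
    snprintf(reply, sizeof reply, "HTTP/1.0 200 OK\r\nContent-Type: %s\r\n\r\n%s",
             website[iHTTPURL].content_type, content);
    return reply;
}
```

FindURL returns -1 for anything but a GET of a known path, so an unexpected method or path gets a 404 instead of becoming an out-of-range index into the array.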

You have to realize that this is a very basic HTTP server. It doesn’t keep state for the connections and it’s not multithreaded. If you need a more robust embedded web server, there are solutions like the FOX Board, which runs the BOA web server under Linux.


eicar.tar.gz (https)

MD5: A8D42CA6628A699C4C76A8412639CEDF

SHA256: 20760F7085830C73BBAE4C1D962D625429920079EFD9A5F38372953B1B5C7896

Untar and make. To program the mini AVR web server: make load_eicar

Sunday 23 December 2007

Quickpost: Retrieving an SSL Certificate

Filed under: Encryption,Quickpost — Didier Stevens @ 9:37

I recently had to inspect the SSL certificate of an e-mail provider (secure POP connection). Here is a quick HOWTO using the Google Mail website as an example.

Issue this command on a box with openssl:

openssl s_client -connect mail.google.com:443 > google

Then cancel the command with CTRL-C.

A base64 representation of the web site’s certificate will be included in the output you redirected to the google file:


To inspect the certificate with openssl, use this command:

openssl x509 -in google -text


Or convert it to a certificate in DER format and open it on a Windows box:

openssl x509 -in google -outform DER -out google.der


Tuesday 18 December 2007

Pocket EICAR Test File Server

Filed under: Entertainment,Hardware,Malware — Didier Stevens @ 7:36

Like last year, I produced an anti-virus related Season’s Greetings movie.

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

Next week, you’ll get the technical details of this pocket web server.

Happy New Year!

Sunday 9 December 2007

Quickpost: Restoring Safe Mode with a .REG File for Windows 2000 SP4 Professional

Filed under: Uncategorized — Didier Stevens @ 11:00

I added the SafeBoot registry keys for Windows 2000 SP4 Professional to the zip file and updated the post.

Quickpost info

Monday 3 December 2007

Looking for N800 Beta Testers, No Voyeurs Please ;-)

Filed under: My Software,N800 — Didier Stevens @ 9:06

I’ve developed a new application for my N800, psurveil (Photo Surveillance). It automatically takes pictures with the N800’s built-in camera at regular intervals and stores them as jpeg files.


You can find the installation package here (unzip and copy the deb package to your N800) and the source code here. And be careful, it’s beta. On my N800, it takes about 30 seconds to start, and it doesn’t run as root.

So if you’ve got a baby and are looking for an excuse to get an N800, this turns your N800 into a baby monitor, kinda.

From the source code:

psurveil (Photo Surveillance) is a program for the Nokia N800.
It automatically takes pictures with the N800’s built-in camera at regular intervals
and stores them as jpeg files.

– Pop out the camera, and close all programs using the camera.
– Start psurveil. On my N800, it takes very long to start, sometimes a half minute.
– Use the menu to review the settings.
– Interval is the number of minutes between pictures.
– Repeats is the number of pictures to take, minus 1.
– Folder is the directory to store the pictures. The directory must exist.
Settings are stored with GConf, and there is no input validation.
– Click on the “Start surveillance” button to start the surveillance. A first picture
is immediately saved, and another picture every Interval minutes, and this Repeats times.
The filename of the jpeg is composed with the date & time when the picture was taken.
There is no monitoring of free diskspace.

The settings for this example are:
– Interval=1
– Repeats=3
– folder=/home/user/MyDocs/.images
These settings will take 4 pictures over a period of 4 minutes, starting when the button is clicked.
Pictures are stored in the Images folder:

I developed this program by merging the example_camera.c and example_alarm.c Maemo example programs.
There are some quirks in the real-time video display, they originate from the example_camera.c program.
If you know how to fix this, let me know.
I’m not an experienced Maemo developer (neither GTK developer), this is my first program for the N800,
so use this program at your own risk, and respect the privacy of others.

I put my code for this program in the Public Domain. For the code copy-pasted from the examples,
read the copyright below.

Todo (no guarantee that these ever get done):
– Input validation
– Folder creation
– Toggle to flip the picture

22/11/2007 example_camera and example_alarm merged
23/11/2007 jpeg filename is current date & time
25/11/2007 0.1.3 added menu & menu functions
26/11/2007 coded settings dialog
27/11/2007 0.2.0 code review
28/11/2007 0.2.1 input validation for numbers in settings dialog
