Archive for the ‘puzzle’ Category

A Lot of Security

Tuesday, June 16th, 2009

I happened to drive through Cupertino, CA, USA last Wednesday and ended up in this situation:

Oh-oh, they got me. But they were not after me, they escorted two vans onto some company’s campus.


Five police cars, two police motorcycles, and lots of people with suits and sunglasses. For some reason, this outfit doesn’t have the same effect on me any more since “The Matrix”.



The people in the vans went into the building through a side door:




Here are some details:



A blonde woman in white, a woman with a red dress, a man in a brown uniform with a suitcase, and lots of more men in suits. The vans had license places from Maryland.

The question of today’s security puzzle is: Who is the very important person?

What Operating System Is This?

Thursday, November 20th, 2008

Unfortunately, I have not been able to successfully boot this up all the way on this machine – it hangs on this screen.

Edit: Thanks for the great comments. It is indeed Copland. See my followup post for details.

“ROR” in Microsoft BASIC for 6502

Thursday, October 16th, 2008

If you disassemble any version of Microsoft BASIC for 6502, you’ll find this code in a function that normalizes the (simulated) floating point accumulator:

NORMALIZE_FAC6:
	inc	FAC		; MANTISSA CARRIED, SO SHIFT RIGHT
	beq	OVERFLOW	; OVERFLOW IF EXPONENT TOO BIG
	ror	FAC+1
	ror	FAC+2
	ror	FAC+3
	ror	FAC+4
	ror	FACEXTENSION
	rts

Well, not any BASIC. All versions of

  • Commodore BASIC (all versions, since 1977)
  • AppleSoft BASIC (all versions, since 1977)
  • Microsoft BASIC for the OHIO Scientific (all versions, since 1977)
  • Microsoft BASIC for the rare Mattel Intellivision Keyboard Component (1980)

use this code, but if you look at the disassembly of

  • Microsoft BASIC for the MOS KIM-1 (1977)
  • Microsoft BASIC for the Tangerine Microtan 65 (1979)

you will see this code instead:

NORMALIZE_FAC6:
        inc     FAC
        beq     OVERFLOW
        lda     #$00
        bcc     @1
        lda     #$80
@1:
        lsr     FAC+1
        ora     FAC+1
        sta     FAC+1
        lda     #$00
        bcc     @2
        lda     #$80
@2:
        lsr     FAC+2
        ora     FAC+2
        sta     FAC+2
        lda     #$00
        bcc     @3
        lda     #$80
@3
        lsr     FAC+3
        ora     FAC+3
        sta     FAC+3
        lda     #$00
        bcc     @4
        lda     #$80
@4:
        lsr     FAC+4
        ora     FAC+4
        sta     FAC+4
        lda     #$00
        bcc     @5
        lda     #$80
@5:
        lsr     FACEXTENSION
        ora     FACEXTENSION
        sta     FACEXTENSION
        rts

(Actually, the OHIO Scientific and Intellivision versions work on a 3 byte (“6 digit”) instead of a 4 byte (“9 digit”) mantissa, so the “FAC+4″ part is missing.)

Similar replacement has happened in other parts of the floating point library. It seems to be a compile-time option of the assembly source code.

Todays puzzle is to find out why there are two versions of this code, and why the different computer vendors chose to use one version or another.

See comments for solution.

Puzzle: 1200 Baud Archeology

Monday, June 30th, 2008

This audio file is an important (previously unreleased) artifact of computer history. The aim of the puzzle is to decode and identify it correctly.

artifact.mp3 (589K)

(MD5 of the decoded data: bd7f5c5f0792a3c9a1e197ffb5d2c33f)

Switching modes with Style

Friday, February 2nd, 2007
	pushl $(0xcb<<24)|0x08
	call .-1

What does this instruction sequence do? (This was a collaborative effort by Chuck Gray, Myria and Michael.)

(The solution has been added to the comments.)

How retiring segmentation in AMD64 long mode broke VMware

Thursday, November 9th, 2006

UNIX, Windows NT, and all the operating systems in their class rely on virtual memory, or paging, in order to provide every process on the system a complete address space of its own. An easier way to protect processes from each other is segmentation: The 4 GB address space of a 32 bit CPU is divided into segments (consisting of a physical base address and a limit), one for each process, and every process may only access their own segment. This is what the 286 did.

The 386 then introduced virtual memory, but segmentation was still possible, either instead of, or on top of the paged virtual address space. Today, no modern operating system for the x86 uses segmentation any more, so for every process, the base for the code and data segments is set to 0, and the limit is set to 0xFFFFFFFF.

The AMD64 architecture, while still being fully compatible in 32 bit mode, retired a lot of legacy functionality in the new 64 bit long mode, including most of segmentation. The CS (code), DS (data 1), ES (data 2) and SS (stack) segment registers are practically gone, and the FS and GS segments still support a base (which can be used in tricks to quickly access data at a constant position, like the TCB), but the limit is no longer enforced. Now operating systems don’t have to save and restore most of these segment registers any more when switching contexts, making these switches faster.

But this broke VMware. While VMware could still virtualize 32 bit operating systems on AMD64 CPUs, they could not virtualize 64 bit operating systems, because they required segment limits.

In a nutshell, this is how VMware works: All user mode code of the guest runs in exactly the environment it expects; VMware makes sure the page mappings of the user mode address spaces are correct. All kernel mode code of the guest will be run in user mode, and again, VMware must layout memory as the guest kernel expects it to be. In both modes of operation, there can be exceptions, like system calls (by guest user mode code) or page table modifications (by guest kernel mode code). These have to be trapped by the virtual machine monitor, and the respective functionality has to be carried out in a modified way, so that they still seem to have the correct effect to the guest, but don’t interfere with the host operating system.

The virtual machine monitor’s trap handler must reside in the guest’s address space, because an exception cannot switch address spaces. So VMware’s trap handler sits at the very top of the every guest’s address space, which is unused by all major operating systems. According to Popek and Goldberg’s definition of virtualization, there must be no way for code inside a virtual machine to escape, and modify the host’s state in any way not directly controlled by the monitor. Therefore, it must be made sure that the guest code cannot write to the trap handler code. VMware does this using segment limits: The limits of all segment registers are set to something like 0xFFFFEFFF to protect the uppermost 4 KB of the address space where the trap handler resides.

With no segment limits any more for 64 bit code, this way to protect the trap handler was impossible. Unable to comply with Popek and Goldberg’s security requirement, VMware chose not to support 64 bit virtualization until AMD reintroduced (optional) segment limits on later models of their Opteron and Athlon 64 CPUs. Intel never implemented 64 bit segment limits on their EM64T/Intel64 CPUs, because their 64 bit processors soon implemented VT/Vanderpool, which also worked around the problem. So this is why VMware requires a certain model and stepping of the AMD CPU line or a VT-enabled Intel CPU in order to support 64 bit virtualization.

Now the question is: Why don’t they protect the uppermost page using the permission bits in the page table? This is how all operating systems protect themselves from user mode processes. If you have an answer on this, or otherwise have thoughts, please comment on this post. :-)

References: 1, 2, 3, 4, 5