Dev Blog - Bufferoverflow

February 12, 2022

Being bored and not wanting to study, I randomly checked up my Github repo and realized the static analyzer flagged a critical vulnerability in my code. For those of you not familiar with static analyzer, it is a security tool that reviews/analyzes code to determine if there are any obvious security vulnerabilities in your code. On Github, there is a pipeline workflow feature that allows you to execute specific scripts/actions for any code changes you push called Github Actions. Github has made it convenient to setup security analysis on your repo. The static analyzer I am using is called CodeQL, a tool created by Github. Here’s an example of the report that was flagged:

Read More

How to Check if an Application is PAM-Aware

February 6, 2022

PAM stands for Pluggable Authentication Module and its purpose from my understanding is to separate application developers from writing an authentication scheme into their program. Think of it as an authentication “API” for “privilege granting” applications but is flexible how each application authenticates the user. System administrators are given the control and decision to how each application authenticates a user by modifying PAM configs (policies) that could be found in locations such as /etc/pam.d (location may vary depending on the OS).

Read More

You shall not slay the client

January 31, 2022

Recently, I got the opportunity to attend a two-week-long training in Real-Time Programming For QNX Neutrino RTOS where I am learning the ins and outs of QNX, a real-time microkernel operating system that is a UNIX-like OS. On one of the demos, the trainer showed us a behavior that I thought was impossible. This shook the foundation of my understanding of IPC (Inter-Process Communication) and on signals. However, this is a feature in QNX that does not exist on Linux from my understanding.

Read More