[OLPC Security] AOL vs. OLPC

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Sun Dec 23 23:31:38 EST 2007


I was a middle school script-kiddie during the days of AOHell and its
descendants (http://en.wikipedia.org/wiki/AOHell).  These programs used a
variety of tricks to "hack" AOL, mostly at the level of childish vandalism. 
Much of the focus was on DoS attacks, designed to disconnect another user by
killing his AOL session.

1. Punting
AOL:
Punting was the basic technique for disconnecting another user.  It worked by
sending maximum-length IM messages containing "<pre><pre><pre>..." or similar
to the target, as fast as possible.  This closed the recipient's AOL window,
possibly due to OOM from inefficient message parsing, or overflowing some data
structure within the parser.

AOL's Fix:
AOL reduced the maximum length of messages and rate-limited message sending. 
They may also have fixed the parser bug.

OLPC:
Thanks to Bitfrost, any attack that manages to do bad things to a Chat session
will succeed only in killing that instance of Chat.  The exception is OOM,
which can kill other processes as well, forcing a reboot.  We need much better
OOM handling.

2. Pinting
AOL:
Once AOL fixed the punting bug, we switched to pinting.  Pinting disconnected a
user by inviting him to a large number of chatrooms.  Each invitation appeared
as a separate window, eventually crashing AOL.  This may have been due to OOM,
or due to Windows' limit on the number of simultaneous windows displayed.

AOL's Fix:
AOL instituted a limit on the number of simultaneous invitations.  I recall a
limit of ~3 simultaneous invitations from one user to another.  There may also
have been some aggressive rate-limiting.

OLPC:
I believe that OLPC is currently vulnerable to this attack.  I could send a
large number of invitations to another user, and each would show up as a new
icon in the frame.  This would eventually lead to OOM.  Also, I am not aware of
any way to decline an invitation, so these invitations would remain until they
are joined and then quit.

OLPC should probably gain some sort of per-user invitation limit, if it is not
already in the spec.

3. Distributed pinting
AOL:
Once AOL blocked simple pinting, we went to the next level, with software that
allowed dozens of people to band together in order to harass our schoolmates. 
The process was DDoS by volunteer army.  All participants would run a piece of
software listening in a specific chat room.  When someone's screen name was
sent to the chat room, all listeners would send as many invitations to that
user as was allowed.

AOL's Fix:
I do not know if this approach still works on AIM.

OLPC:
OLPC may also need a total invitations limit.  However, it is not clear what
form this should take.  If invitations are simply turned away after N have been
received, then it is easy for N users to prevent any invitations from being
received by the target.  On the other hand, the same is true if new invitations
are allowed to push out old ones.

The invitation-based attacks are intimately tied into the UI for invitations,
which is about to be revamped.  These issues should be kept in mind when
discussing UI designs.

--Ben
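
An added sketch (not part of the original post and not OLPC code) of the limits discussed in sections 2 and 3: a per-sender cap plus a total cap, run under both overflow policies the post weighs. The class name, the cap values of 3 and 6, and the constructed scenario are assumptions for illustration.

```python
class InvitationInbox:
    """Pending invitations with a per-sender cap and a total cap (hypothetical).

    overflow="reject": turn new invitations away once `total` are pending.
    overflow="evict":  let a new invitation push out the oldest one.
    """

    def __init__(self, per_sender=3, total=6, overflow="reject"):
        if overflow not in ("reject", "evict"):
            raise ValueError("overflow must be 'reject' or 'evict'")
        self.per_sender = per_sender
        self.total = total
        self.overflow = overflow
        self.pending = []  # (sender, room) tuples, oldest first

    def offer(self, sender, room):
        """Return True if the invitation ends up pending."""
        held = sum(1 for s, _ in self.pending if s == sender)
        if held >= self.per_sender:
            return False  # per-sender cap: one sender cannot flood alone
        if len(self.pending) >= self.total:
            if self.overflow == "reject":
                return False  # total cap reached: newcomer is turned away
            self.pending.pop(0)  # total cap reached: oldest is pushed out
        self.pending.append((sender, room))
        return True

    def senders(self):
        return {s for s, _ in self.pending}


def simulate(overflow):
    """Constructed scenario: a wanted invite, a group flood, a second wanted invite."""
    inbox = InvitationInbox(per_sender=3, total=6, overflow=overflow)
    inbox.offer("friend_a", "homework")
    for member in ("m1", "m2"):          # constructed sender names
        for i in range(10):
            inbox.offer(member, f"room{i}")
    late_ok = inbox.offer("friend_b", "recess")
    return late_ok, inbox.senders(), len(inbox.pending)


if __name__ == "__main__":
    for policy in ("reject", "evict"):
        print(policy, simulate(policy))
```

Under "reject" the second wanted invitation is refused; under "evict" it arrives, but the first wanted one has already been pushed out, which is the trade-off the post describes.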


