A look at PHP session write locks

Recently, I was working on a web application in which we were passing PHP session IDs around to emulate users.  As a result, the app experienced severe slowness on page load as well as in a few other places.  Upon investigation, it turned out this slowness was a result of the sessions blocking each other as they were passed around.  All of the following refers to PHP’s default session handling functionality.

PHP’s internal session handling mechanisms put a lock on the session file to prevent different scripts from overwriting session data.  Unless you are explicitly releasing these with session_write_close(), scripts accessing the same session are pushed onto a stack (in FIFO order) and must wait for all earlier scripts to terminate.  This becomes especially problematic when a script is calling the other with PHP cURL.  In this case, the first script waits for the second to return before releasing it’s lock, and the second won’t start until the first release it’s lock.  This results in pages that do very little.

After I found session_write_close(), and patched the code, I decided to dig in a bit deeper to how this function worked.  The comments on php.net [0] suggested you could have overwriting problems when not used correctly (read: trying to write to the session after closing the write), so I pulled together a bit of code to test those effects.

The following three files [1] are pulled together after my testing to best describe the situation involving session write locks and their interaction with session_write_close() and the effect on $_SESSION.

First is our main file, session_locker.php, which as the name suggests can lock the session when session_write_close() is commented out.  This is our work-horse, making the requests, outputting the results, and finally giving session_locker.php’s view of $_SESSION.

Our second file is session_user.php, which takes a session ID (with no validation :trollface: ) and becomes that ‘user.’  Since sessions are handled with cookies, this is an easy way to ‘proxy’ a user internally, tho not necessarily the recommended implementation.  Here we set the session up, output our intial view of $_SESSION, then make some modifications and output that $_SESSION again.

And our last file is very basic, just a stand alone $_SESSION viewer.  Hence the overly clever name, session_viewer.php.

When we visit session_locker.php, it sets a few $_SESSION variables, then closes the write lock, and sets one more before requesting that session_user.php be run.  The output order at the bottom is important in showcasing the overwriting issues, and is as follows:

We can see here that the ‘second file’ output, or session_user.php, being called by cURL sees the $_SESSION variables set by session_locker.php minus otest, as it was set after the write lock was closed.  It then sets it’s own variables including overwriting otest and returns.   We then let session_locker.php account for it’s actions and tell us what it thinks $_SESSION is.  It’s version of $_SESSION has the old otest value and is entirely missing stuff (the variable name, not random things.)  As a result of closing the the session write lock, session_locker.php ends up with an outdated and unbound version of $_SESSION (essentially moving the entire thing to the local scope, rather than super global.)  Using session_viewer.php, we can see what the true value of $_SESSION is and that it matches  session_user.php.

PHP won’t error out when you try to write to the session after closing it, nor will it simply ignore the call.  It will actually modify the $_SESSION variable and for the rest of that script’s iteration will work perfectly.  Other scripts, running concurrently or thereafter (anything outside of the script where that assignment was made) won’t see the update.  Based on this behavior, I’d assume the variable is only changed in memory, but never pushed to the session file for saved state.  This could certainly be a debugging gotcha , as your code would dump out the right value, but it wouldn’t persist anywhere else.


[0] http://php.net/manual/en/function.session-write-close.php

[1] https://gist.github.com/4300376


Posted in Articles, Hax | Tagged , , | 1 Comment

Introducing magikarp.psych0tik.net

Psych0tik would like to introduce everyone to our newest node in our IRC network, Magikarp.psych0tik.net. After frequent network instability we decided to discontinue using Natalya as our IRC hub, followed by Storm coming down temporarily due to changes in Samurai’s life. For the past few months we’ve been running on just Mudkipz but with this week’s development, we’re re-expanding the network with the addition of a new hub located in Amsterdam. In addition, Magikarp will also be hosting our IRC services daemon, they will be unavailable for a short period while the databases are transfered. This is all still somewhat in testing, so don’t be alarmed if things go up and down. Report it and a staffer should be on the problem shortly.

Magikarp will be accessible in the normal irc.psych0tik.net way, IPv6 or IPv4 and always SSL only on port 6697.

Posted in psych0tik News | Leave a comment

IRC Infrastructure change

The IRC network will be temporarily running off of mukipz.psych0tik.net while samurai makes some modifications to his infrastructure. The DNS name irc.psych0tik.net will be directed to mudkipz on the morning of Tuesday August 21, 2012.
This is part of a project to update the overall infrastructure of the psychotik IRC network. The new server is running an updated ircd and your existing IRC accounts are still valid. Mudkipz will be reachable over IPv4 and soon by IPv6 as soon as the firewall rules are amended to allow it.

Valid hostnames are:

Note: All psych0tik IRC servers are SSL only.

Posted in psych0tik News | Tagged , , , | 4 Comments

DefCon XX

This year’s DefCon may have been the most anticipated for me yet and it certainly lived up to expectations.  For the last few years, we’ve discussed the possibility of a psych0tik meet-up at DefCon, and with a little bit of luck this year we were able to make it happen.  In addition to being DefCon 20, we had all 3 core psych0tik members as well as a number of our oldest local members show up.  As expected, hacks and shenanigans ensued.

For me, the beginning of the trip to Vegas this year was extremely hectic, with work deadlines as well as life’s little problems looming I rushed to get to the airport.  There I met up with pr0phet9 and TheRainman and we just made it to our flight.  At the airport in Las Vegas we met up with richo, and managed to get a ride to a casino near our hotel.  Rather than heading to the hotel to unpack and set down our luggage, we simply went into the Rio and met with Purgatory and some other psych0tik members at a lobby bar, with excellent… talent.  We knocked back a few drinks there waiting (and worrying) for carbon’s arrival.  It wasn’t long until carbon arrived and finally the crew was all gathered together, and fun times could begin.

Along with the excellent camaraderie, this year’s DefCon itself was excellent.  The badge line took roughly 2 minutes, and we weren’t even early.  With the exception of one or two talks, things were easy to get into as long as you didn’t mind floor space in some cases.  Vendors brought their A-game and there was a great showing across the board.  While I’m still trying to get the Rio memorized as well as I had the Riveria, I’m certainly enjoying the change.

As the years have gone on, I’ve grown less interested in seeing every talk and instead focus on a few I’m particularly interested in, spending the rest enjoying the social/community aspect of DefCon.  I caught a couple excellent discussions this year including Bruce Schneier answering questions (and giving away copies of his new book [1].)  He’s an expert I really enjoy reading/listening to, as his years of experience and unique perspective allow him to respond even mundane questions with interesting and useful answers.  I also got to see (by accident as it turns out), the panel on Anonymous and hacktivism.  It was a bit of kismet that we stumbled into that talk while looking for richo and carbon, as I had wanted to see it when we did our original “what talks are there”, but had forgotten when and where it was.  The panel[2] contained a few lawyers, a journalist, a  anthropologist, and a member of the EFF[3].   The panel started with each member giving a short narrative about hacktivism, with a focus on Anonymous.  Afterwards, the audience was allowed to ask questions (myself included!)

This year’s badge was electronic again, making for some extra fun times.  I typically haven’t done much with the badges, but with richo around to motivate me a bit more we did some hacking.  He found a tool chain[4] for writing code to the device, and luckily I had remembered to bring a mini-USB cable.  The language, spin[5], was a bizzare mixture of programming styles, clearly aimed at allowing new programmers to use the device.  Once we sussed out the way it was meant to work, with some help from pr0phet9 and TheRainman’s EE background, we were off and writing code.  Mostly we played with changing the display, letting us write our names if we oscillated the badge, which was fairly simple. I’ve started to play with reading direct input from the USB port, to see if commands can be easily passed to the spin code uploaded.  The setup supposedly supports a full shell and when a VGA port is soldered on, has video output.  Sounds like with a bit of hardware hacking, again with the help of our resident EE experts, we might be able to turn this into a more simplistic version of the R-pi, with a much cooler look.

The number and variety of vendors this year was staggering.  Tons of shwag, technotoys, lockpicks and more.  The lockpicks where of particular interest to me this year as I finally discovered the brand of a particular pick I found years ago.  The SerePick[6] is by far the best pick I’ve ever used.  The small twist-and-bend along with the rake designs make for an easy job.  With a name in hand, I went to every booth, event and person who looked like they might know where to find them.  Finally I was directed to a booth that at least had patches with the logo.  I was informed they only had a few and they had to be asked for directly, which explained my difficulty finding them.  I got myself a set of two new SerePicks to compliment the one I already had.

A large part of the trip was a blur, as we moved quickly from spot to spot, activity to activity which frequently involved lots of walking in the heat.  As we’d stroll by things, one of us would pick up a nick-nack or t-shirt.  We’d take a glimpse at the “hack our robot” booth, or watch an Egg-bot[7] write my name on a ping-pong ball (misspelled, that adds value, right?)  We bumped into a number of people, most of whom we didn’t know, and had a number of enjoyable (and a few totally brutal) interactions.  Partly as the result of planning and partly from spontaneity, we ended up in a tattoo parlor within the Rio and the official psych0tik tattoo was birthed upon richo, pr0phet9 and myself.

With carbon around again, we decided we had to hit up the IOActive party like we did for DC18.  This year it was outside at the pool of the Rio with Infected Mushroom preforming.  They also had similarly bend-y girls doing acrobatics, just like before.  The party itself was a lot of fun.  Hackers for Charity were selling cigars for donations, and I happily took pleasure in those.  I did spill my beer all over the nice guy selling them (if you happen to read this, definitely get in touch with me and I’ll buy you a few rounds next year), but he took it in stride.  We got to talk with a bunch of people, some sober and some less sober.  Unfortunately, we had early-ish flights on Sunday, so we had to leave the party at a reasonable hour to ensure we didn’t sleep through our shuttle back (which I nearly did.)  Being the 2nd IOActive[8] party I’ve been to, I feel obligated to say that while I have no clue what they sell, you should all go buy at least one barrel of it.

Without a doubt, this years DefCon was the best yet.  DarkTangent put on an excellent conference, architected the best I’ve seen in years, and getting to wander around that hacker’s wonderland with some of my oldest, and hardest to see friends certainly added to the appeal.  I know I speak for most (if not all) of us, that we were beat by the time we got home.  Nights of little or no-sleep, very little solid food (I can get free scotch anywhere, but I can’t even find a freakin’ pretzel?), and constant activity wore me out, but the fun was totally worth it.

So with DefCon XX complete, it’s time to start planning for next year’s meet-up at DC21.  Definitely leave some notes in the comments or join one of our mailing lists if you want to link up with us next year!

— Pictures —

This year’s badge

Front and back of this year’s DefCon shirt, as well as the sweet EFF hat

On the top is my original SerePick, the bottom two are the new ones I picked up.  The picture isn’t super clear, but they’ve got a twist at the bend in them which I like a whole lot when picking.

The DefCon ball, made extremely valuable by the misspelling of my name.  Feel free to send me bids :P

Here’s a fuzzy, terrible picture of the “official” psych0tik tattoo.  Maybe someday I’ll get a better shot of it..

— Links —

[1] http://www.schneier.com/book-lo.html

[2] http://www.defcon.org/html/defcon-20/dc-20-speakers.html#Lyon

[3] https://www.eff.org

[4] http://www.fnarfbargle.com/bst.html

[5] http://www.parallax.com/propeller/

[6] http://www.serepick.com

[7] http://egg-bot.com

[8] http://www.ioactive.com


Posted in Articles, psych0tik News | Tagged , , , , | Leave a comment

Richo does DEF CON

This year was the first year that the core team were all in the same place, and it was about as monumental as you’d expect.

I met up with carbon and samurai at the airport on thursday night and headed straight to the rio. After not being let into the pool party for not having badges (that we missed by scant minutes) we headed back to the bar and met up with some more psych0tik peeps. I’ve gotta say that when samurai and I cooked up this hairbrained scheme all those years ago, the absolute last thing I expected was to be meeting a bunch of people in vegas as a result of it. I was blown away.

After more than a couple of beers we staggered back to our hotel, talked some shit and crashed for the evening. Friday morning we badged up and checked out some talks. I wasted a ton of time picking up swag too, because Fuck Logic (which I think had pretty much become my catch phrase by the end of the weekend. Despite DEF CON being almost entirely populated by people at the top of their game I saw some downright retarded shit go down).

The badges this year were an interesting beast, an 8 core creation from Parallax that runs a bytecode format derived from a strange amalgamation of python, C and ASM. I had a riot with the badge and in some ways was disappointed that I was keen to do other things with the con, as I could have quite happily spent the whole time on the badge puzzle.

On the talk front, I only caught a couple of truly inspirational ones, but the highlight for me was definitely Anch and Omega from DCG Dark, who are planning to build a Darknet of Things over 6LoWPAN, with a view to building a massively fault tolerant sensor network, but they seem interested in making this technology general enough that it can reasonably be bolted to anything.

Given my fondness for bolting things to other things, I bought a couple of their prototype McMotes and scurried away. I’m already concocting plans involving my motes and my raspberry pi’s. It’s probably also worth pointing out that their talk was in a smallish room, at a slightly awkward time, but they managed to not only fill but have people standing in the halls of their Q&A session. To say that they made a splash would be a massive understatement.

I also really enjoyed Rodrigo Branco, Sergey Bratus and James Oakley’s talk on exploting the eh stack of libdwarf’s exception handling implementation. It’s been something that I’ve thought about and heard talked about for a long time, but up until now I’ve not seen a robust proof of concept that really made it look like a usable attack vector. At time of writing it appears that their paper is still unpublished, but I’m looking forward to reading it.

Sadly this year we didn’t make it to Haufbraus, which is made worse by how awesome I’m told it is. It’s definitely on the cards for next year.

The afterparty was a unique beast, not least because I finally gave into all the people mistaking me for Moxie and ran with it. While I haven’t decided whether this constitutes man in the middle or social engineering, I know for sure that it makes for a good time. Thanks to all who bought me beers. From the freak show it was obviously time to not make it into a night club and instead go for a precarious jaunt through what was almost certainly the crypts underpinning a casino. Pants shittingly terrified doesn’t quite cover it.

Enough words though. On with the pictures

Posted in Reviews | Tagged , | Leave a comment

richo is now richo in one more place

My github username has changed, so if anyone is linking to my repos:

1. Tell me, I can fork the project to richoH to keep the links working for now
2. Fix the link! Just change richoH to richo

Posted in psych0tik News | Leave a comment