Merge remote-tracking branch 'refs/remotes/origin/main'
This commit is contained in:
trochas
65
sujet.md
65
sujet.md
@@ -13,7 +13,33 @@
|
||||
## Answers
|
||||
|
||||
1. Software bug :
|
||||
I found the article of Chromium that still exists today. It seems that fixed it in some of their application but still visible in Google Maps, Youtube,....
|
||||
Here is the link to the issue:
|
||||
https://issues.chromium.org/issues/391788835
|
||||
|
||||
And we can see the merge of this bug branch:
|
||||
https://chromium-review.googlesource.com/c/chromium/src/+/6227546/3/components/lookalikes/core/lookalike_url_util.cc#759
|
||||
|
||||
The bug talks about when we type some string, it will automatic convert into font ligatures, it normally let font designers special-case specific combinations of letters but it can be exploited for other things. For example it can change monospaced font like "<=" into "≤". That's the reason not to use in IDE, terminal, etc. when it could cause hazardousness levels of a safety pin.
|
||||
|
||||
These are the reason why this bug is a global one
|
||||
- This bug appears between many components like the interaction of web browser, application - font renderer - ligature's system - appeareance system domain.
|
||||
- Google wrote the good code but they wrongly assumed the behavior's font or ligature's system
|
||||
- Bug only starts where the domain has special characters.
|
||||
|
||||
Repercussion for Clients/Consumers
|
||||
Although the patch they merged didn't fix the font but only add rule to string contann a substring similiar and it doesn't prevent malicious code from replacing font with a version application doesn't have ligature.
|
||||
It could lead to a novel attack by replace fonts on victims devices to try to be google logo but hide the true address of that website and its malware like phishing attacks, credential theft, etc
|
||||
|
||||
It could also make the client/consumer lose trust in browser and lisread domain names
|
||||
|
||||
Repercussion for Google
|
||||
Reputation damage?
|
||||
Exploitation by hackers
|
||||
Liability concerns
|
||||
|
||||
Would Testing the Right Scenario Have Caught the Bug?
|
||||
Yes by security testing specially in visual spoofing but this bug is quite rare and it is normally being exploited in early 2006 era so it is understandable that it is hard to detect.
|
||||
|
||||
2. Apache Bug :
|
||||
COLLECTIONS-799: "UnmodifiableNavigableSet can be modified by pollFirst() and pollLast()"
|
||||
@@ -25,7 +51,46 @@ Il a ensuite commit la correction qui consiste simplement à override `pollFirst
|
||||
|
||||
|
||||
3. Chaos Engineering :
|
||||
Read the paper and briefly explain what are the concrete experiments they perform, what are the requirements for these experiments, what are the variables they observe and what are the main results they obtained. Speculate
|
||||
|
||||
The experiments they performed that they said the paper are
|
||||
- Chaos Monkey ( random select virtual machines that host their production serveices and terminates them )
|
||||
- Chaos Kong ( simulate the failure of an entire Amazon EC2 )
|
||||
- Failure Injection Testing or FIT ( cause requests between services to fail and verify the system degrades )
|
||||
- Inject latency into request between services
|
||||
- Failure an internal service
|
||||
- Automate experiments to run continously
|
||||
|
||||
Requirements of these experiments:
|
||||
- Define 'steady state' as some mesurable output of a system
|
||||
- Hypothesize that this steady state will continue in both the control group and the
|
||||
experimental group
|
||||
- Introduce variable reflect real world
|
||||
- Try to disprove the hypothesis by looking for a difference in steady state between control and experimental group
|
||||
|
||||
Variable of these experiments:
|
||||
- SPS ( steady-state behavior of the system )
|
||||
- Fine-grain metric like an increase in request latency or CPU utilization
|
||||
|
||||
Main result they obtained:
|
||||
- When they run experiments, they revealed some weak link that they fixed before could affect customers to fail or long time load.
|
||||
- We cannot fully reproduce all aspects of the system within a test context
|
||||
- Move from a few tests into automated, large-scale testing
|
||||
|
||||
Is Netflix the only company performing these experiments?
|
||||
No, many others use Chaos Engineering too like Microsoft, Google, Amazon, Facebook, etc
|
||||
|
||||
How these experiments could be carried in other organizations in terms of the kind of experiment that could be performed and the system variables to observe during the experiments.
|
||||
For example, tt depends on the system like
|
||||
-Web, API: kill service instances, add latency
|
||||
- E-commerce: number of completed purchased per second, ad-serving service use number of ads viewed by users per second.
|
||||
- Banking: peak traffic scenario, disconnect external API
|
||||
|
||||
Variables to observe:
|
||||
- User latency
|
||||
- Success rate
|
||||
- Data consistency metric
|
||||
- Error rate
|
||||
|
||||
4. Formal specification in Web Assembly :
|
||||
|
||||
|
||||
Reference in New Issue
Block a user