vuminh224/VV-ISTIC-TP1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

correction

Browse Source
This commit is contained in:
Rochas
2025-12-19 22:00:40 +01:00
parent 3ee4cfc8b2
commit 638cec1219
1 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
sujet.md
View File

@@ -14,23 +14,23 @@
### 1. Software bug : ### 1. Software bug :
I found the article of Chromium that still exists today. It seems that fixed it in some of their application but still visible in Google Maps, Youtube,.... I found the article on Chromium that still exists today. It seems that they fixed it in some of their applications, but it is still visible in Google Maps, YouTube,....
Here is the link to the issue: Here is the link to the issue:
https://issues.chromium.org/issues/391788835 https://issues.chromium.org/issues/391788835
And we can see the merge of this bug branch: And we can see the merge of this bug branch:
https://chromium-review.googlesource.com/c/chromium/src/+/6227546/3/components/lookalikes/core/lookalike_url_util.cc#759 https://chromium-review.googlesource.com/c/chromium/src/+/6227546/3/components/lookalikes/core/lookalike_url_util.cc#759
The bug talks about when we type some string, it will automatic convert into font ligatures, it normally let font designers special-case specific combinations of letters but it can be exploited for other things. For example it can change monospaced font like "<=" into "≤". That's the reason not to use in IDE, terminal, etc. when it could cause hazardousness levels of a safety pin. The bug talks about when we type some string, it will automatically convert into font ligatures; it normally lets font designers special-case specific combinations of letters, but it can be exploited for other things. For example, it can change monospaced font like "<=" into "≤". That's the reason not to use in IDE, terminal, etc. when it could cause hazardousness levels of a safety pin.
These are the reason why this bug is a global one These are the reasons why this bug is a global one
- This bug appears between many components like the interaction of web browser, application - font renderer - ligature's system - appeareance system domain. - This bug appears between many components like the interaction of web browser, application - font renderer - ligature's system - appearance system domain.
- Google wrote the good code but they wrongly assumed the behavior's font or ligature's system - Google wrote the good code but they wrongly assumed the behavior's font or ligature system
- Bug only starts where the domain has special characters. - Bug only starts where the domain has special characters.
Repercussion for Clients/Consumers Repercussion for Clients/Consumers
Although the patch they merged didn't fix the font but only add rule to string contann a substring similiar and it doesn't prevent malicious code from replacing font with a version application doesn't have ligature. Although the patch they merged didn't fix the font but only add a rule to strings containing a substring similar, and it doesn't prevent malicious code from replacing font with a version application that doesn't have ligature.
It could lead to a novel attack by replace fonts on victims devices to try to be google logo but hide the true address of that website and its malware like phishing attacks, credential theft, etc It could lead to a novel attack by replacing fonts on victims' devices to try to find the Google logo but hide the true address of that website and its malware like phishing attacks, credential theft, etc
It could also make the client/consumer lose trust in browser and lisread domain names It could also make the client/consumer lose trust in browser and lisread domain names
@@ -40,7 +40,7 @@ Exploitation by hackers
Liability concerns Liability concerns
Would Testing the Right Scenario Have Caught the Bug? Would Testing the Right Scenario Have Caught the Bug?
Yes by security testing specially in visual spoofing but this bug is quite rare and it is normally being exploited in early 2006 era so it is understandable that it is hard to detect. Yes, by security testing, especially in visual spoofing, this bug is quite rare and it is normally being exploited in the early 2006 era, so it is understandable that it is hard to detect.
### 2. Apache Bug : ### 2. Apache Bug :
@@ -54,39 +54,39 @@ Il a ensuite commit la correction qui consiste simplement à override `pollFirst
### 3. Chaos Engineering : ### 3. Chaos Engineering :
Read the paper and briefly explain what are the concrete experiments they perform, what are the requirements for these experiments, what are the variables they observe and what are the main results they obtained. Speculate Read the paper and briefly explain what the concrete experiments are that they perform, what the requirements for these experiments are, what the variables they observe are, and what the main results are that they obtained. Speculate
The experiments they performed that they said the paper are The experiments they performed that they said the paper is
- Chaos Monkey ( random select virtual machines that host their production serveices and terminates them ) - Chaos Monkey (randomly selects virtual machines that host their production services and terminates them)
- Chaos Kong ( simulate the failure of an entire Amazon EC2 ) - Chaos Kong ( simulate the failure of an entire Amazon EC2)
- Failure Injection Testing or FIT ( cause requests between services to fail and verify the system degrades ) - Failure Injection Testing or FIT ( cause requests between services to fail and verify the system degrades)
- Inject latency into request between services - Inject latency into requests between services
- Failure an internal service - Failure of an internal service
- Automate experiments to run continously - Automate experiments to run continuously
Requirements of these experiments: Requirements of these experiments:
- Define 'steady state' as some mesurable output of a system - Define 'steady state' as some measurable output of a system
- Hypothesize that this steady state will continue in both the control group and the - Hypothesize that this steady state will continue in both the control group and the
experimental group experimental group
- Introduce variable reflect real world - Introduce variable reflecting real world
- Try to disprove the hypothesis by looking for a difference in steady state between control and experimental group - Try to disprove the hypothesis by looking for a difference in steady state between the control and experimental group
Variable of these experiments: Variable of these experiments:
- SPS ( steady-state behavior of the system ) - SPS ( steady-state behavior of the system)
- Fine-grain metric like an increase in request latency or CPU utilization - Fine-grained metric like an increase in request latency or CPU utilization
Main result they obtained: Main result they obtained:
- When they run experiments, they revealed some weak link that they fixed before could affect customers to fail or long time load. - When they run experiments, they revealed some weak links that they fixed before that could affect customers' failure or long-time load.
- We cannot fully reproduce all aspects of the system within a test context - We cannot fully reproduce all aspects of the system within a test context
- Move from a few tests into automated, large-scale testing - Move from a few tests to automated, large-scale testing
Is Netflix the only company performing these experiments? Is Netflix the only company performing these experiments?
No, many others use Chaos Engineering too like Microsoft, Google, Amazon, Facebook, etc No, many others use Chaos Engineering too like Microsoft, Google, Amazon, Facebook, etc
How these experiments could be carried in other organizations in terms of the kind of experiment that could be performed and the system variables to observe during the experiments. How these experiments could be carried out in other organizations in terms of the kind of experiment that could be performed and the system variables to observe during the experiments.
For example, tt depends on the system like For example, it depends on the system like
-Web, API: kill service instances, add latency - Web, API: kill service instances, add latency
- E-commerce: number of completed purchased per second, ad-serving service use number of ads viewed by users per second. - E-commerce: number of completed purchases per second, ad-serving service use number of ads viewed by users per second.
- Banking: peak traffic scenario, disconnect external API - Banking: peak traffic scenario, disconnect external API
Variables to observe: Variables to observe:
@@ -102,7 +102,7 @@ WebAssembly est prouvable grâce à sa sémantique formelle, il évite les compo
L'interprète de référence utilise OCaml, il est utilisé pour tester l'implémentation et la spécification formelle. L'interprète de référence utilise OCaml, il est utilisé pour tester l'implémentation et la spécification formelle.
Le code peut être vérifié, compilé et transformé en format Automate en un seul passage grâce à un flux de contrôle structuré. Le code peut être vérifié, compilé et transformé en format Automate en un seul passage grâce à un flux de contrôle structuré.
Mais tout ceci ne remplace pas les tests. La sémantique formelle permet seulement de garantir que le comportement est défini et que l'exécution est sûre. Les tests eux vérifient que le programme respecte la spécification. Mais tout ceci ne remplace pas les tests. La sémantique formelle permet seulement de garantir que le comportement est défini et que l'exécution est sûre. Les tests vérifient que le programme respecte la spécification.
### 5. Mechanising and Verifying : ### 5. Mechanising and Verifying :