Search results
Top results related to what is a dictionary & how does it work free
Top Answer
Answered Dec 28, 2022 · 1875 votes
Cross-Site Request Forgery (CSRF) in simple words
- Assume you are currently logged into your online banking at www.mybank.com
- Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
- You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
- If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
- You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
- Your bank cannot recognize this origin of the request: Your web browser will send the request along with your www.mybank.com cookie and it will look perfectly legitimate. There goes your money!
This is the world without CSRF tokens.
Now for the better one with CSRF tokens:
- The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
- That token is a huge, impossible-to-guess random number that mybank.com will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.
- The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by www.mybank.com.
Result: You keep your 10000 monetary units.
(Your mileage may vary.)
EDIT from comment worth reading by SOFe:
It would be worthy to note that script from www.cute-cat-pictures.org normally does not have access to your anti-CSRF token from www.mybank.com because of HTTP access control. This note is important for some people who unreasonably send a header Access-Control-Allow-Origin: * for every website response without knowing what it is for, just because they can't use the API from another website.
1/5
Top Answer
Answered Jul 20, 2018 · 182 votes
The article mentioned by sgbj in the comments written by Google's Paul Turner explains the following in much more detail, but I'll give it a shot:
As far as I can piece this together from the limited information at the moment, a retpoline is a return trampoline that uses an infinite loop that is never executed to prevent the CPU from speculating on the target of an indirect jump.
The basic approach can be seen in Andi Kleen's kernel branch addressing this issue:
It introduces the new __x86.indirect_thunk
call that loads the call target whose memory address (which I'll call ADDR) is stored on top of the stack and executes the jump using a the RET instruction. The thunk itself is then called using the NOSPEC_JMP/CALL macro, which was used to replace many (if not all) indirect calls and jumps. The macro simply places the call target on the stack and sets the return address correctly, if necessary (note the non-linear control flow):
.macro NOSPEC_CALL target jmp 1221f /* jumps to the end of the macro */1222: push \target /* pushes ADDR to the stack */ jmp __x86.indirect_thunk /* executes the indirect jump */1221: call 1222b /* pushes the return address to the stack */.endm-
The placement of call in the end is necessary so that when the indirect call is finished, the control flow continues behind the use of the NOSPEC_CALL macro, so it can be used in place of a regular call
The thunk itself looks as follows:
call retpoline_call_target2: lfence /* stop speculation */ jmp 2bretpoline_call_target: lea 8(%rsp), %rsp ret-
The control flow can get a bit confusing here, so let me clarify:
- call pushes the current instruction pointer (label 2) to the stack.
- lea adds 8 to the stack pointer, effectively discarding the most recently pushed quadword, which is the last return address (to label 2). After this, the top of the stack points at the real return address ADDR again.
- ret jumps to *ADDR and resets the stack pointer to the beginning of the call stack.
In the end, this whole behaviour is practically equivalent to jumping directly to *ADDR. The one benefit we get is that the branch predictor used for return statements (Return Stack Buffer, RSB), when executing the call instruction, assumes that the corresponding ret statement will jump to the label 2.
The part after the label 2 actually never gets executed, it's simply an infinite loop that would in theory fill the instruction pipeline with JMP instructions. By using LFENCE,PAUSE or more generally an instruction causing the instruction pipeline to be stall stops the CPU from wasting any power and time on this speculative execution. This is because in case the call to retpoline_call_target would return normally, the LFENCE would be the next instruction to be executed. This is also what the branch predictor will predict based on the original return address (the label 2)
To quote from Intel's architecture manual:
Instructions following an LFENCE may be fetched from memory before the LFENCE, but they will not execute until the LFENCE completes.
Note however that the specification never mentions that LFENCE and PAUSE cause the pipeline to stall, so I'm reading a bit between the lines here.
Now back to your original question: The kernel memory information disclosure is possible because of the combination of two ideas:
- Even though speculative execution should be side-effect free when the speculation was wrong, speculative execution still affects the cache hierarchy. This means that when a memory load is executed speculatively, it may still have caused a cache line to be evicted. This change in the cache hierarchy can be identified by carefully measuring the access time to memory that is mapped onto the same cache set.You can even leak some bits of arbitrary memory when the source address of the memory read was itself read from kernel memory.
- The indirect branch predictor of Intel CPUs only uses the lowermost 12 bits of the source instruction, thus it is easy to poison all 2^12 possible prediction histories with user-controlled memory addresses. These can then, when the indirect jump is predicted within the kernel, be speculatively executed with kernel privileges. Using the cache-timing side-channel, you can thus leak arbitrary kernel memory.
UPDATE: On the kernel mailing list, there is an ongoing discussion that leads me to believe retpolines don't fully mitigate the branch prediction issues, as when the Return Stack Buffer (RSB) runs empty, more recent Intel architectures (Skylake+) fall back to the vulnerable Branch Target Buffer (BTB):
Retpoline as a mitigation strategy swaps indirect branches for returns, to avoid using predictions which come from the BTB, as they can be poisoned by an attacker. The problem with Skylake+ is that an RSB underflow falls back to using a BTB prediction, which allows the attacker to take control of speculation.
2/5
A predicate is a word that represents the action but not the subject. A subject can be a Noun or Pronoun. A predicate is a clause that may be dependent or independent. The predicate defines what the subject does in a given sentence. It means a predicate includes all other words like verbs, prepositions, and adverbs but not the subject who does the action. Predicates are the building blocks of a given sentence. Predicate defines the action itself.
For example, She ate something.
She is the subject and the rest is the predicate.
What is a Predicate?
What are the Types of Predicate?
The types of predicates are defined below :
a) Simple Predicate
A simple predicate is one that consists of only a verb. It can be a helping verb or a main verb. It doesn’t contain other words like adverbs, prepositions, or objects. These are the examples given below
1. She is sleeping
Here she is the subject and is sleeping is the predicate which has only the helping verb and the main verb
2. He started his own business
He is the subject and...
3/5
Top Answer
Answered Sep 21, 2016 · 7 votes
What is a multi-threading program and how does it work exactly?
Interesting part about this question is complete books are written on the topic, but still it is elusive to lot of people. I will try to explain in the order detailed underneath.
Please note this is just to provide a gist, an answer like this can never do justice to the depth and detail required. Regarding videos, best that I have come across are part of paid subscriptions (Wintellect and Pluralsight), check out if you can listen to them on trial basis, assuming you don't already have the subscription:
- Wintellect by Jeffery Ritcher (from his Book, CLR via C#, has same chapter on Thread Fundamentals)
- CLR Threading by Mike Woodring
Explanation Order
- What is a thread ?
- Why were threads introduced, main purpose ?
- Pitfalls and how to avoid them, using Synchronization constructs ?
- Thread Vs ThreadPool ?
- Evolution of Multi threaded programming API, like Parallel API, Task API
- Concurrent Collections, usage ?
- Async-Await, thread but no thread, why they are best for IO
What is a thread ?
It is software implementation, which is purely a Windows OS concept (multi-threaded architecture), it is bare minimum unit of work. Every process on windows OS has at least one thread, every method call is done on the thread. Each process can have multiple threads, to do multiple things in parallel (provided hardware support). Other Unix based OS are multi process architecture, in fact in Windows, even the most complex piece of software like Oracle.exe have single process with multiple threads for different critical background operations.
Why were threads introduced, main purpose ?
Contrary to the perception that concurrency is the main purpose, it was robustness that lead to the introduction of threads, imagine every process on Windows is running using same thread (in the initial 16 bit version) and out of them one process crash, that simply means system restart to recover in most of the cases. Usage of threads for concurrent operations, as multiple of them can be invoked in each process, came in picture down the line. In fact it is even important to utilize the processor with multiple cores to its full ability.
Pitfalls and how to avoid using Synchronization constructs ?
More threads means, more work completed concurrently, but issue comes, when same memory is accessed, especially for Write, as that's when it can lead to:
- Memory corruption
- Race condition
Also, another issue is thread is a very costly resource, each thread has a thread environment block, Kernel memory allocation. Also for scheduling each thread on a processor core, time is spent for context switching. It is quite possible that misuse can cause huge performance penalty, instead of improvement. To avoid Thread related corruption issues, its important to use the Synchronization constructs, like lock, mutex, semaphore, based on requirement. Read is always thread safe, but Write needs appropriate Synchronization.
Thread Vs ThreadPool ?
Real threads are not the ones, we use in C#.Net, that's just the managed wrapper to invoke Win32 threads. Challenge remain in user's ability to grossly misuse, like invoking lot more than required number of threads, assigning the processor affinity, so isn't it better that we request a standard pool to queue the work item and its windows which decide when the new thread is required, when an already existing thread can schedule the work item. Thread is a costly resource, which needs to be optimized in usage, else it can be bane not boon.
Evolution of Multi threaded programming, like Parallel API, Task API
From .Net 4.0 onward, variety of new APIs Parallel.For, Parallel.ForEach for data paralellization and Task Parallelization, have made it very simple to introduce concurrency in the system. These APIs again work using a Thread pool internally. Task is more like scheduling a work for sometime in the future. Now introducing concurrency is like a breeze, though still synchronization constructs are required to avoid memory corruption, race condition or thread safe collections can be used.
Concurrent Collections, usage ?
Implementations like ConcurrentBag, ConcurrentQueue, ConcurrentDictionary, part of System.Collections.Concurrent are inherent thread safe, using spin-wait and much easier and quicker than explicit Synchronization. Also much easier to manage and work. There's another set API like ImmutableList System.Collections.Immutable, available via nuget, which are thread safe by virtue of creating another copy of data structure internally.
Async-Await, thread but no thread, why they are best for IO
This is an important aspect of concurrency meant for IO calls (disk, network), other APIs discussed till now, are meant for compute based concurrency so threads are important and make it faster, but for IO calls thread has no use except waiting for the call to return, IO calls are processed on hardware based queue IO Completion ports
4/5
Top Answer
Answered May 07, 2011 · 3 votes
You can read all about the Plan9 network in the /sys/doc section (or online html, ps, pdf).
The high-level way that this works is similar to your understanding, the system has 17 protocol messages (stuff like open, create, walk and remove). There is an RPC mechanism that takes care of sending and receiving the messages from the server. Here's a quote from the paper:
A kernel data structure, the channel, is a handle to a file server. Operations on a channel generate the following 9P messages. The session and attach messages authenticate a connection, established by means external to 9P, and validate its user. The result is an authenticated channel referencing the root of the server. The clone message makes a new channel identical to an existing channel, much like the dup system call. A channel may be moved to a file on the server using a walk message to descend each level in the hierarchy. The stat and wstat messages read and write the attributes of the file referenced by a channel. The open message prepares a channel for subsequent read and write messages to access the contents of the file. Create and remove perform the actions implied by their names on the file referenced by the channel. The clunk message discards a channel without affecting the file.
What's neat about Plan9 is that this interface is ubiquitous in the operating system. Lots of things present this interface (a file server).
5/5
www.thetechedvocate.org › javascript-basics-how-toJavaScript Basics: How to Create and Use a Dictionary
www.thetechedvocate.org › javascript-basics-how-to3 days ago · A dictionary is simply an object that allows you to store and access key-value pairs of data. In this article, we will be covering how to create and use a dictionary in JavaScript, and the basic methods you can use to manipulate its data.
www.geeksforgeeks.org › how-to-create-a-dictionaryHow to Create a Dictionary in C++? - GeeksforGeeks
www.geeksforgeeks.org › how-to-create-a-dictionary3 days ago · Following is the algorithm we will follow to create a dictionary in C++, using maps: Algorithm. Initialize an empty std::map named dictionary and declare the data type of keys and values. Insert the key-value pairs into the dictionary using the subscript [] operator. You can also use the std::insert () method followed by the std::make_pair ...
wealthofgeeks.com › words-added-dictionary50 Words Added to the Dictionary in the Last Year - Wealth of ...
wealthofgeeks.com › words-added-dictionary1 day ago · Yes, “doggo” is now in the dictionary. People use the word to lovingly and playfully refer to dogs. It's a term that started on social media as a silly way to talk about a dog. This slang word is one of the simpler words added to the dictionary in the last year, and it's also one of our favorites. It's wholesome and adorable, reflecting the ...
www.webmonkey.com › is-freecash-legitIs Freecash Legit Or A Scam? (My Honest Review!)
www.webmonkey.com › is-freecash-legit4 days ago · Freecash is a GPT (get-paid-to) website that lets you earn money by completing surveys, testing apps, signing up for brand offers, placing bets, and completing several other online tasks. Freecash used to be called Freeskins.com, but the company rebranded in 2021. Nowadays, it's a fairly popular survey website that also has plenty of ways to earn.
www.analyticsvidhya.com › blog › 2021Analyzing Human Feelings with VADER Sentiment Analysis
www.analyticsvidhya.com › blog › 20213 days ago · VADER stands for Valence Aware Dictionary and Sentiment Reasoner. It’s a tool used for sentiment analysis, which is basically a way to figure out if a piece of text is expressing positive, negative, or neutral emotions [sentiment analysis ON Analytics Vidhya analyticsvidhya.com].
en.wikipedia.org › wiki › Google_TranslateGoogle Translate - Wikipedia
en.wikipedia.org › wiki › Google_Translate4 days ago · Google Translate is a web-based free-to-user translation service developed by Google in April 2006. [11] It translates multiple forms of texts and media such as words, phrases and webpages. Originally, Google Translate was released as a statistical machine translation service. [11] The input text had to be translated into English first before ...
www.vocabulary.com › word-of-the-dayWord of the day: fracas | Vocabulary.com
www.vocabulary.com › word-of-the-dayIf your marching band gets into a fight with another school's pep squad, your principal might say the fracas was uncalled for and undignified. A fracas is a noisy quarrel. Fracas comes from an Italian word meaning "uproar" or "crash."
Searches related to what is a dictionary & how does it work free
what is a dictionary & how does it work free download what is a dictionary & how does it work free printable what is a dictionary & how does it work free pdf
